6.11-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mateusz Guzik mjguzik@gmail.com
commit 699ae6241920b0fa837fa57e61f7d5b0e2e65b58 upstream.
The EVM_NEW_FILE flag is unset if the file already existed at the time of open and this can be checked without looking at i_writecount.
Not accessing it reduces traffic on the cacheline during parallel open of the same file and drop the evm_file_release routine from second place to bottom of the profile.
Fixes: 75a323e604fc ("evm: Make it independent from 'integrity' LSM") Signed-off-by: Mateusz Guzik mjguzik@gmail.com Reviewed-by: Roberto Sassu roberto.sassu@huawei.com Cc: stable@vger.kernel.org # 6.9+ Signed-off-by: Mimi Zohar zohar@linux.ibm.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- security/integrity/evm/evm_main.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
--- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -1084,7 +1084,8 @@ static void evm_file_release(struct file if (!S_ISREG(inode->i_mode) || !(mode & FMODE_WRITE)) return;
- if (iint && atomic_read(&inode->i_writecount) == 1) + if (iint && iint->flags & EVM_NEW_FILE && + atomic_read(&inode->i_writecount) == 1) iint->flags &= ~EVM_NEW_FILE; }