evm: stop avoidably reading i_writecount in evm_file_release

mjguzik · mimizohar · commit 699ae6241920 · 2024-10-09T22:49:40.000-04:00
The EVM_NEW_FILE flag is unset if the file already existed at the time of open and this can be checked without looking at i_writecount. Not accessing it reduces traffic on the cacheline during parallel open of the same file and drop the evm_file_release routine from second place to bottom of the profile. Fixes: 75a323e ("evm: Make it independent from 'integrity' LSM") Signed-off-by: Mateusz Guzik <mjguzik@gmail.com> Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com> Cc: stable@vger.kernel.org # 6.9+ Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
@@ -1084,7 +1084,8 @@ static void evm_file_release(struct file *file)
 	if (!S_ISREG(inode->i_mode) || !(mode & FMODE_WRITE))
 		return;
 
-	if (iint && atomic_read(&inode->i_writecount) == 1)
+	if (iint && iint->flags & EVM_NEW_FILE &&
+	    atomic_read(&inode->i_writecount) == 1)
 		iint->flags &= ~EVM_NEW_FILE;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -1084,7 +1084,8 @@ static void evm_file_release(struct file *file)`
`1084`	`1084`	`if (!S_ISREG(inode->i_mode) \|\| !(mode & FMODE_WRITE))`
`1085`	`1085`	`return;`
`1086`	`1086`
`1087`		`- if (iint && atomic_read(&inode->i_writecount) == 1)`
	`1087`	`+ if (iint && iint->flags & EVM_NEW_FILE &&`
	`1088`	`+ atomic_read(&inode->i_writecount) == 1)`
`1088`	`1089`	`iint->flags &= ~EVM_NEW_FILE;`
`1089`	`1090`	`}`
`1090`	`1091`