From: "David P. Quigley" Originally vfs_getxattr would pull the security xattr variable using the inode getxattr handle and then proceed to clobber it with a subsequent call to the LSM. This patch reorders the two operations such that when the xattr requested is in the security namespace it first attempts to grab the value from the LSM directly. If it fails to obtain the value because there is no module present or the module does not support the operation it will fall back to using the inode getxattr operation. In the event that both are inaccessible it returns EOPNOTSUPP. Signed-off-by: David P. Quigley Cc: Stephen Smalley Cc: Chris Wright Cc: James Morris Cc: Serge Hallyn Cc: Casey Schaufler Cc: Al Viro Cc: Christoph Hellwig Signed-off-by: Andrew Morton --- fs/xattr.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff -puN fs/xattr.c~vfs-reorder-vfs_getxattr-to-avoid-unnecessary-calls-to-the-lsm fs/xattr.c --- a/fs/xattr.c~vfs-reorder-vfs_getxattr-to-avoid-unnecessary-calls-to-the-lsm +++ a/fs/xattr.c @@ -145,11 +145,6 @@ vfs_getxattr(struct dentry *dentry, char if (error) return error; - if (inode->i_op->getxattr) - error = inode->i_op->getxattr(dentry, name, value, size); - else - error = -EOPNOTSUPP; - if (!strncmp(name, XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN)) { const char *suffix = name + XATTR_SECURITY_PREFIX_LEN; @@ -158,9 +153,15 @@ vfs_getxattr(struct dentry *dentry, char * Only overwrite the return value if a security module * is actually active. */ - if (ret != -EOPNOTSUPP) - error = ret; + if (ret == -EOPNOTSUPP) + goto nolsm; + return ret; } +nolsm: + if (inode->i_op->getxattr) + error = inode->i_op->getxattr(dentry, name, value, size); + else + error = -EOPNOTSUPP; return error; } _