From nobody Wed Apr 1 09:45:03 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 931E8401A33 for ; Tue, 31 Mar 2026 15:11:24 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774969885; cv=none; b=TiXRI4XtD/3Hrp8Uqzpd5ThIDuI1OW+zyeof5DEJ4IRYk9LMS5uCRm9t9t2xvEqjwiy/AjahaUmmfO+iCmA98KT4Vu6zN5AXJKNKPDr1KJ0TKGkXqqs2jDfdszenNb16uHOqDQBImXvYLRG4QZGSj6AD7zpNYgtHrMWvAWWR2K4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774969885; c=relaxed/simple; bh=gdTMaxVewZevxekZoWFMV5QbPBw4+0c6ISVvV4ELeaw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=pZOlnXccOncuDah1XwYPjBfP7UPQjv7heeW2NaRZ1W/QgVotc8VZ0U+c21tBJGw/hDp/zY2MDCpy43PwX6Kaa1hSzLOwle1RUC4J5SL4Yey5jQ6jC2MXgIQVg847oFVDwe0kTmAz6L5dCk3koC/w6LbiZH+WB6zG31shWJfrYCk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=eC5johSj; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="eC5johSj" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1774969883; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=23vwVawhhdaUlEZbOs+YhGbbQr0Na89/CEeqFQu0cCc=; b=eC5johSjj/uazjGmg2siHJqYOQyww4hhluqTExR8lKFBmjs0H9eOlkOwjdSv5bzp5KdyC/ jVGUOqwlCAxZ2+IHuHdTXs5AiTpKyBJ1k2DFzA1J7O/rV+eYEcHKFsrYMMGcE8XZwDNCQb Z+5zPH9GpWnZUZqF3wxpistmLqdX6uQ= Received: from mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-547-1Qj2AIuhN5y31-AmD4Qdbg-1; Tue, 31 Mar 2026 11:11:17 -0400 X-MC-Unique: 1Qj2AIuhN5y31-AmD4Qdbg-1 X-Mimecast-MFC-AGG-ID: 1Qj2AIuhN5y31-AmD4Qdbg_1774969875 Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id C413019560A6; Tue, 31 Mar 2026 15:11:15 +0000 (UTC) Received: from llong-thinkpadp16vgen1.westford.csb (unknown [10.22.80.26]) by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 75B601954102; Tue, 31 Mar 2026 15:11:14 +0000 (UTC) From: Waiman Long To: Chen Ridong , Tejun Heo , Johannes Weiner , =?UTF-8?q?Michal=20Koutn=C3=BD?= Cc: cgroups@vger.kernel.org, linux-kernel@vger.kernel.org, Waiman Long Subject: [PATCH v3 1/2] cgroup/cpuset: Simplify setsched decision check in task iteration loop of cpuset_can_attach() Date: Tue, 31 Mar 2026 11:11:07 -0400 Message-ID: <20260331151108.2771560-2-longman@redhat.com> In-Reply-To: <20260331151108.2771560-1-longman@redhat.com> References: <20260331151108.2771560-1-longman@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17 Content-Type: text/plain; charset="utf-8" Centralize the check required to run security_task_setscheduler() in the task iteration loop of cpuset_can_attach() outside of the loop as it has no dependency on the characteristics of the tasks themselves. There is no functional change. Signed-off-by: Waiman Long --- kernel/cgroup/cpuset.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c index d21868455341..58c5b7b72cca 100644 --- a/kernel/cgroup/cpuset.c +++ b/kernel/cgroup/cpuset.c @@ -2988,7 +2988,7 @@ static int cpuset_can_attach(struct cgroup_taskset *t= set) struct cgroup_subsys_state *css; struct cpuset *cs, *oldcs; struct task_struct *task; - bool cpus_updated, mems_updated; + bool setsched_check; int ret; =20 /* used later by cpuset_attach() */ @@ -3003,20 +3003,21 @@ static int cpuset_can_attach(struct cgroup_taskset = *tset) if (ret) goto out_unlock; =20 - cpus_updated =3D !cpumask_equal(cs->effective_cpus, oldcs->effective_cpus= ); - mems_updated =3D !nodes_equal(cs->effective_mems, oldcs->effective_mems); + /* + * Skip rights over task setsched check in v2 when nothing changes, + * migration permission derives from hierarchy ownership in + * cgroup_procs_write_permission()). + */ + setsched_check =3D !cpuset_v2() || + !cpumask_equal(cs->effective_cpus, oldcs->effective_cpus) || + !nodes_equal(cs->effective_mems, oldcs->effective_mems); =20 cgroup_taskset_for_each(task, css, tset) { ret =3D task_can_attach(task); if (ret) goto out_unlock; =20 - /* - * Skip rights over task check in v2 when nothing changes, - * migration permission derives from hierarchy ownership in - * cgroup_procs_write_permission()). - */ - if (!cpuset_v2() || (cpus_updated || mems_updated)) { + if (setsched_check) { ret =3D security_task_setscheduler(task); if (ret) goto out_unlock; --=20 2.53.0 From nobody Wed Apr 1 09:45:03 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0269F3FA5D7 for ; Tue, 31 Mar 2026 15:11:24 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.133.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774969886; cv=none; b=f9rkETLKvE6PDAeiC8uhhc9W1lRQRnG66JTnnlQ6AvlURvCgUbHaOp6D52sztU9uQwXINzzccpevRwsxg+mXrPpFaddkHRGvRTGF/TQ5nv9qeh+eO3PwwGn7a8uDWbEO4DeUSkDNVcriSKzOiy6NRhpKs0onX2ufmnCB2Q9jMMc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774969886; c=relaxed/simple; bh=6kYN1yfArpdpANnsQsRCo/XXbIUoswyvKUr/Nj8Lwfw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=VfhnEwqYFBDbg0t/wAzt4xKtBIxiyrm0sUpKEXR6XFuICw5+PnYoNx1RTcDZmvkboBU88/ytLuWbSVkSTqnFkFm7ucjqD1I132hbetlUY6RxP9CN2kzpUfLJ04O2ukvhsP6/aFmd7jmoMeCeNLJoakkyU7BGcqrmjiqmbgmHZKY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=ZwhcmS4T; arc=none smtp.client-ip=170.10.133.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="ZwhcmS4T" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1774969884; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=hYeHjIWbLnPYYWY4RAAm9AikWR5jWAoS/OI3HEP/0/A=; b=ZwhcmS4T2/FwXK3IP4UhzRLiK1vi/mMrieRB39RX5h4PANoUoJdMb4ZAMkwgMRxCCeCLFE C0Xf8NpCmgwJgcrX067pTTrcUYFlQaLDWKoRA+PaxeRRyDHNzTK85auW/F42GFnsqVRBkv /IqI/YEK0IQVWXKLcMkmzUCjxfq9XN8= Received: from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-642-zS5Sac5hP6SmaSMcAggJpg-1; Tue, 31 Mar 2026 11:11:18 -0400 X-MC-Unique: zS5Sac5hP6SmaSMcAggJpg-1 X-Mimecast-MFC-AGG-ID: zS5Sac5hP6SmaSMcAggJpg_1774969877 Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 621881800611; Tue, 31 Mar 2026 15:11:17 +0000 (UTC) Received: from llong-thinkpadp16vgen1.westford.csb (unknown [10.22.80.26]) by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 0795B1954102; Tue, 31 Mar 2026 15:11:15 +0000 (UTC) From: Waiman Long To: Chen Ridong , Tejun Heo , Johannes Weiner , =?UTF-8?q?Michal=20Koutn=C3=BD?= Cc: cgroups@vger.kernel.org, linux-kernel@vger.kernel.org, Waiman Long Subject: [PATCH v3 2/2] cgroup/cpuset: Skip security check for hotplug induced v1 task migration Date: Tue, 31 Mar 2026 11:11:08 -0400 Message-ID: <20260331151108.2771560-3-longman@redhat.com> In-Reply-To: <20260331151108.2771560-1-longman@redhat.com> References: <20260331151108.2771560-1-longman@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17 Content-Type: text/plain; charset="utf-8" When a CPU hot removal causes a v1 cpuset to lose all its CPUs, the cpuset hotplug handler will schedule a work function to migrate tasks in that cpuset with no CPU to its ancestor to enable those tasks to continue running. If a strict security policy is in place, however, the task migration may fail when security_task_setscheduler() call in cpuset_can_attach() returns a -EACCESS error. That will mean that those tasks will have no CPU to run on. The system administrators will have to explicitly intervene to either add CPUs to that cpuset or move the tasks elsewhere if they are aware of it. This problem was found by a reported test failure in the LTP's cpuset_hotplug_test.sh. Fix this problem by treating this special case as an exception to skip the setsched security check in cpuset_can_attach() when a v1 cpuset with tasks have no CPU left. With that patch applied, the cpuset_hotplug_test.sh test can be run successfully without failure. Signed-off-by: Waiman Long --- kernel/cgroup/cpuset.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c index 58c5b7b72cca..1335e437098e 100644 --- a/kernel/cgroup/cpuset.c +++ b/kernel/cgroup/cpuset.c @@ -3012,6 +3012,16 @@ static int cpuset_can_attach(struct cgroup_taskset *= tset) !cpumask_equal(cs->effective_cpus, oldcs->effective_cpus) || !nodes_equal(cs->effective_mems, oldcs->effective_mems); =20 + /* + * A v1 cpuset with tasks will have no CPU left only when CPU hotplug + * brings the last online CPU offline as users are not allowed to empty + * cpuset.cpus when there are active tasks inside. When that happens, + * we should allow tasks to migrate out without security check to make + * sure they will be able to run after migration. + */ + if (!is_in_v2_mode() && cpumask_empty(oldcs->effective_cpus)) + setsched_check =3D false; + cgroup_taskset_for_each(task, css, tset) { ret =3D task_can_attach(task); if (ret) --=20 2.53.0