Re: [PATCH] cgroup/cpuset: Skip security check for hotplug induced v1 task migration

Next message: Alexei Starovoitov: "Re: [PATCH] arch/arc: bpf_jit: fix missing newline in pr_err messages"
Previous message: Rob Herring (Arm): "Re: [PATCH v3 06/24] dt-bindings: firmware: arm,scmi: Add support for telemetry protocol"
In reply to: Chen Ridong: "Re: [PATCH] cgroup/cpuset: Skip security check for hotplug induced v1 task migration"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Waiman Long

Date: Sun Mar 29 2026 - 13:33:09 EST

On 3/27/26 9:39 PM, Chen Ridong wrote:

On 2026/3/28 4:15, Waiman Long wrote:

When a CPU hot removal causes a v1 cpuset to lose all its CPUs, the
cpuset hotplug handler will schedule a work function to migrate tasks
in that cpuset with no CPU to its parent to enable those tasks to
continue running.

If a strict security policy is in place, however, the task migration
may fail when security_task_setscheduler() call in cpuset_can_attach()
returns a -EACCESS error. That will mean that those tasks will have
no CPU to run on. The system administrators will have to explicitly
intervene to either add CPUs to that cpuset or move the tasks elsewhere
if they are aware of it.

This problem was found by a reported test failure in the LTP's
cpuset_hotplug_test.sh. Fix this problem by treating this special case
as an exception to skip the setsched security check as it is initated
internally within the kernel itself instead of from user input. With that
patch applied, the cpuset_hotplug_test.sh test can be run successfully
without failure.

Signed-off-by: Waiman Long <longman@xxxxxxxxxx>

Should we add a Fixes tag?

The call to security_task_setscheduler() was added a long time ago and the cpuset v1 task migration is more like a corner case that shouldn't normally happen. So I don't want to put a fixes tag that will force a backport to earlier stable releases.

Cheers,
Longman