Merge branch 'for-5.17-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj...

Pull cgroup fixes from Tejun Heo:

 - Fix for a subtle bug in the recent release_agent permission check
   update

 - Fix for a long-standing race condition between cpuset and cpu hotplug

 - Comment updates

* 'for-5.17-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:
  cpuset: Fix kernel-doc
  cgroup-v1: Correct privileges check in release_agent writes
  cgroup: clarify cgroup_css_set_fork()
  cgroup/cpuset: Fix a race between cpuset_attach() and cpu hotplug

diff --combined kernel/cgroup/cgroup.c
index 9d05c3c,77702e0..a557eea
--- 1/kernel/cgroup/cgroup.c
--- 2/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@@ -3643,12 -3643,6 +3643,12 @@@ static ssize_t cgroup_pressure_write(st
        cgroup_get(cgrp);
        cgroup_kn_unlock(of->kn);
  
 +      /* Allow only one trigger per file descriptor */
 +      if (ctx->psi.trigger) {
 +              cgroup_put(cgrp);
 +              return -EBUSY;
 +      }
 +
        psi = cgroup_ino(cgrp) == 1 ? &psi_system : &cgrp->psi;
        new = psi_trigger_create(psi, buf, nbytes, res);
        if (IS_ERR(new)) {
@@@ -3656,7 -3650,8 +3656,7 @@@
                return PTR_ERR(new);
        }
  
 -      psi_trigger_replace(&ctx->psi.trigger, new);
 -
 +      smp_store_release(&ctx->psi.trigger, new);
        cgroup_put(cgrp);
  
        return nbytes;
@@@ -3695,7 -3690,7 +3695,7 @@@ static void cgroup_pressure_release(str
  {
        struct cgroup_file_ctx *ctx = of->priv;
  
 -      psi_trigger_replace(&ctx->psi.trigger, NULL);
 +      psi_trigger_destroy(ctx->psi.trigger);
  }
  
  bool cgroup_psi_enabled(void)
@@@ -6166,6 -6161,20 +6166,20 @@@ static int cgroup_css_set_fork(struct k
        if (ret)
                goto err;
  
+       /*
+        * Spawning a task directly into a cgroup works by passing a file
+        * descriptor to the target cgroup directory. This can even be an O_PATH
+        * file descriptor. But it can never be a cgroup.procs file descriptor.
+        * This was done on purpose so spawning into a cgroup could be
+        * conceptualized as an atomic
+        *
+        *   fd = openat(dfd_cgroup, "cgroup.procs", ...);
+        *   write(fd, <child-pid>, ...);
+        *
+        * sequence, i.e. it's a shorthand for the caller opening and writing
+        * cgroup.procs of the cgroup indicated by @dfd_cgroup. This allows us
+        * to always use the caller's credentials.
+        */
        ret = cgroup_attach_permissions(cset->dfl_cgrp, dst_cgrp, sb,
                                        !(kargs->flags & CLONE_THREAD),
                                        current->nsproxy->cgroup_ns);