2 files changed, 19 insertions, 20 deletions
diff --git a/Documentation/cgroup-v2.txt b/Documentation/cgroup-v2.txt
index 227ce4883720..1d101423ca92 100644
--- a/Documentation/cgroup-v2.txt
+++ b/Documentation/cgroup-v2.txt
@@ -332,14 +332,12 @@ a process with a non-root euid to migrate a target process into a
 cgroup by writing its PID to the "cgroup.procs" file, the following
 conditions must be met.
- The writer's euid must match either uid or suid of the target process.
 - The writer must have write access to the "cgroup.procs" file.
 - The writer must have write access to the "cgroup.procs" file of the
  common ancestor of the source and destination cgroups.
-The above three constraints ensure that while a delegatee may migrate
+The above two constraints ensure that while a delegatee may migrate
 processes around freely in the delegated sub-hierarchy it can't pull
 in from or push out to outside the sub-hierarchy.
@@ -354,10 +352,10 @@ all processes under C0 and C1 belong to U0.
 Let's also say U0 wants to write the PID of a process which is
 currently in C10 into "C00/cgroup.procs".  U0 has write access to the
-file and uid match on the process; however, the common ancestor of the
+file; however, the common ancestor of the source cgroup C10 and the
-source cgroup C10 and the destination cgroup C00 is above the points
+destination cgroup C00 is above the points of delegation and U0 would
-of delegation and U0 would not have write access to its "cgroup.procs"
+not have write access to its "cgroup.procs" files and thus the write
-files and thus the write will be denied with -EACCES.
+will be denied with -EACCES.
 2-6. Guidelines
diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index a99b15f9b577..fe374f803b20 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -2349,20 +2349,9 @@ static int cgroup_procs_write_permission(struct task_struct *task,
                                         struct cgroup *dst_cgrp,
                                         struct kernfs_open_file *of)
 {
-        const struct cred *cred = current_cred();
-        const struct cred *tcred = get_task_cred(task);
        int ret = 0;
-        /*
+        if (cgroup_on_dfl(dst_cgrp)) {
-         * even if we're attaching all tasks in the thread group, we only
-         * need to check permissions on one of them.
-         */
-        if (!uid_eq(cred->euid, GLOBAL_ROOT_UID) &&
-            !uid_eq(cred->euid, tcred->uid) &&
-            !uid_eq(cred->euid, tcred->suid))
-                ret = -EACCES;
-        if (!ret && cgroup_on_dfl(dst_cgrp)) {
                struct super_block *sb = of->file->f_path.dentry->d_sb;
                struct cgroup *cgrp;
                struct inode *inode;
@@ -2380,9 +2369,21 @@ static int cgroup_procs_write_permission(struct task_struct *task,
                        ret = inode_permission(inode, MAY_WRITE);
                        iput(inode);
                }
+        } else {
+                const struct cred *cred = current_cred();
+                const struct cred *tcred = get_task_cred(task);
+                /*
+                 * even if we're attaching all tasks in the thread group,
+                 * we only need to check permissions on one of them.
+                 */
+                if (!uid_eq(cred->euid, GLOBAL_ROOT_UID) &&
+                    !uid_eq(cred->euid, tcred->uid) &&
+                    !uid_eq(cred->euid, tcred->suid))
+                        ret = -EACCES;
+                put_cred(tcred);
        }
-        put_cred(tcred);
        return ret;
 }