netprio_cgroup: Fix obo in get_prioidx

It was recently pointed out to me that the get_prioidx function sets a bit in
the prioidx map prior to checking to see if the index being set is out of
bounds.  This patch corrects that, avoiding the possiblity of us writing beyond
the end of the array

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Reported-by: Stanislaw Gruszka <sgruszka@redhat.com>
CC: Stanislaw Gruszka <sgruszka@redhat.com>
CC: "David S. Miller" <davem@davemloft.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/core/netprio_cgroup.c b/net/core/netprio_cgroup.c
index 3a9fd4826b75da9c6c11157f17db2c4d04f76bd5..9ae183a9a38184c97478017b71b8f5a48f0dd5f5 100644 (file)
--- a/net/core/netprio_cgroup.c
+++ b/net/core/netprio_cgroup.c
@@ -58,11 +58,12 @@ static int get_prioidx(u32 *prio)
 
        spin_lock_irqsave(&prioidx_map_lock, flags);
        prioidx = find_first_zero_bit(prioidx_map, sizeof(unsigned long) * PRIOIDX_SZ);
+       if (prioidx == sizeof(unsigned long) * PRIOIDX_SZ) {
+               spin_unlock_irqrestore(&prioidx_map_lock, flags);
+               return -ENOSPC;
+       }
        set_bit(prioidx, prioidx_map);
        spin_unlock_irqrestore(&prioidx_map_lock, flags);
-       if (prioidx == sizeof(unsigned long) * PRIOIDX_SZ)
-               return -ENOSPC;
-
        atomic_set(&max_prioidx, prioidx);
        *prio = prioidx;
        return 0;