Move the ptrace_may_access() check down, after the nodemask validation.
This is just a preparation to simplify the next patch.

Note that because of this reordering, if the caller passes an invalid
nodemask and also lacks permissions, the syscall will now return -EINVAL
instead of -EPERM. Hopefully, nobody relies on the old error precedence.

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
---
 mm/mempolicy.c | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index 2ec14001e4dc..c09ff9f9aa96 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -1889,17 +1889,6 @@ static int kernel_migrate_pages(pid_t pid, unsigned long maxnode,
 		goto out;
 	}
 
-	err = -EINVAL;
-
-	/*
-	 * Check if this process has the right to modify the specified process.
-	 * Use the regular "ptrace_may_access()" checks.
-	 */
-	if (!ptrace_may_access(task, PTRACE_MODE_READ_REALCREDS)) {
-		err = -EPERM;
-		goto out_put;
-	}
-
 	task_nodes = cpuset_mems_allowed(task);
 	/* Is the user allowed to access the target nodes? */
 	if (!nodes_subset(*new, task_nodes) && !capable(CAP_SYS_NICE)) {
@@ -1908,8 +1897,19 @@ static int kernel_migrate_pages(pid_t pid, unsigned long maxnode,
 	}
 
 	task_nodes = cpuset_mems_allowed(current);
-	if (!nodes_and(*new, *new, task_nodes))
+	if (!nodes_and(*new, *new, task_nodes)) {
+		err = -EINVAL;
 		goto out_put;
+	}
+
+	/*
+	 * Check if this process has the right to modify the specified process.
+	 * Use the regular "ptrace_may_access()" checks.
+	 */
+	if (!ptrace_may_access(task, PTRACE_MODE_READ_REALCREDS)) {
+		err = -EPERM;
+		goto out_put;
+	}
 
 	err = security_task_movememory(task);
 	if (err)
-- 
2.52.0