1 files changed, 19 insertions, 2 deletions
diff --git a/kernel/futex.c b/kernel/futex.c
index 06e8240d2abe..e7a35f1039e7 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -530,8 +530,25 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
                                return -EINVAL;
                        WARN_ON(!atomic_read(&pi_state->refcount));
-                        WARN_ON(pid && pi_state->owner &&
-                                pi_state->owner->pid != pid);
+                        /*
+                         * When pi_state->owner is NULL then the owner died
+                         * and another waiter is on the fly. pi_state->owner
+                         * is fixed up by the task which acquires
+                         * pi_state->rt_mutex.
+                         *
+                         * We do not check for pid == 0 which can happen when
+                         * the owner died and robust_list_exit() cleared the
+                         * TID.
+                         */
+                        if (pid && pi_state->owner) {
+                                /*
+                                 * Bail out if user space manipulated the
+                                 * futex value.
+                                 */
+                                if (pid != task_pid_vnr(pi_state->owner))
+                                        return -EINVAL;
+                        }
                        atomic_inc(&pi_state->refcount);
                        *ps = pi_state;

diff --git a/kernel/futex.c b/kernel/futex.c index 06e8240d2abe..e7a35f1039e7 100644 --- a/kernel/futex.c +++ b/kernel/futex.c
@@ -530,8 +530,25 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
530	return -EINVAL;	530	return -EINVAL;
531		531
532	WARN_ON(!atomic_read(&pi_state->refcount));	532	WARN_ON(!atomic_read(&pi_state->refcount));
533	WARN_ON(pid && pi_state->owner &&	533
534	pi_state->owner->pid != pid);	534	/*
		535	* When pi_state->owner is NULL then the owner died
		536	* and another waiter is on the fly. pi_state->owner
		537	* is fixed up by the task which acquires
		538	* pi_state->rt_mutex.
		539	*
		540	* We do not check for pid == 0 which can happen when
		541	* the owner died and robust_list_exit() cleared the
		542	* TID.
		543	*/
		544	if (pid && pi_state->owner) {
		545	/*
		546	* Bail out if user space manipulated the
		547	* futex value.
		548	*/
		549	if (pid != task_pid_vnr(pi_state->owner))
		550	return -EINVAL;
		551	}
535		552
536	atomic_inc(&pi_state->refcount);	553	atomic_inc(&pi_state->refcount);
537	*ps = pi_state;	554	*ps = pi_state;