1 files changed, 5 insertions, 4 deletions

diff --git a/kernel/futex.c b/kernel/futex.c
index c3a1a55a5214..f6ff0191ecf7 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -66,7 +66,7 @@
 
 #include <asm/futex.h>
 
-#include "rtmutex_common.h"
+#include "locking/rtmutex_common.h"
 
 int __read_mostly futex_cmpxchg_enabled;
 
@@ -251,6 +251,9 @@ get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key, int rw)
                 return -EINVAL;
         address -= key->both.offset;
 
+        if (unlikely(!access_ok(rw, uaddr, sizeof(u32))))
+                return -EFAULT;
+
         /*
          * PROCESS_PRIVATE futexes are fast.
          * As the mm cannot disappear under us and the 'key' only needs
@@ -259,8 +262,6 @@ get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key, int rw)
          *        but access_ok() should be faster than find_vma()
          */
         if (!fshared) {
-                if (unlikely(!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))))
-                        return -EFAULT;
                 key->private.mm = mm;
                 key->private.address = address;
                 get_futex_key_refs(key);
@@ -288,7 +289,7 @@ again:
                 put_page(page);
                 /* serialize against __split_huge_page_splitting() */
                 local_irq_disable();
-                if (likely(__get_user_pages_fast(address, 1, 1, &page) == 1)) {
+                if (likely(__get_user_pages_fast(address, 1, !ro, &page) == 1)) {
                         page_head = compound_head(page);
                         /*
                          * page_head is valid pointer but we must pin