1 files changed, 13 insertions, 3 deletions

diff --git a/kernel/futex_compat.c b/kernel/futex_compat.c
index d49afb2395e5..5f9e689dc8f0 100644
--- a/kernel/futex_compat.c
+++ b/kernel/futex_compat.c
@@ -19,7 +19,7 @@
  */
 static inline int
 fetch_robust_entry(compat_uptr_t *uentry, struct robust_list __user **entry,
-                   compat_uptr_t __user *head, int *pi)
+                   compat_uptr_t __user *head, unsigned int *pi)
 {
         if (get_user(*uentry, head))
                 return -EFAULT;
@@ -49,7 +49,8 @@ void compat_exit_robust_list(struct task_struct *curr)
 {
         struct compat_robust_list_head __user *head = curr->compat_robust_list;
         struct robust_list __user *entry, *next_entry, *pending;
-        unsigned int limit = ROBUST_LIST_LIMIT, pi, next_pi, pip;
+        unsigned int limit = ROBUST_LIST_LIMIT, pi, pip;
+        unsigned int uninitialized_var(next_pi);
         compat_uptr_t uentry, next_uentry, upending;
         compat_long_t futex_offset;
         int rc;
@@ -152,10 +153,19 @@ compat_sys_get_robust_list(int pid, compat_uptr_t __user *head_ptr,
                         goto err_unlock;
                 ret = -EPERM;
                 pcred = __task_cred(p);
+                /* If victim is in different user_ns, then uids are not
+                   comparable, so we must have CAP_SYS_PTRACE */
+                if (cred->user->user_ns != pcred->user->user_ns) {
+                        if (!ns_capable(pcred->user->user_ns, CAP_SYS_PTRACE))
+                                goto err_unlock;
+                        goto ok;
+                }
+                /* If victim is in same user_ns, then uids are comparable */
                 if (cred->euid != pcred->euid &&
                     cred->euid != pcred->uid &&
-                    !capable(CAP_SYS_PTRACE))
+                    !ns_capable(pcred->user->user_ns, CAP_SYS_PTRACE))
                         goto err_unlock;
+ok:
                 head = p->compat_robust_list;
                 rcu_read_unlock();
         }