futex: Handle user space corruption gracefully
[mv-sheeva.git] / kernel / futex.c
index d9b3a2228f9d8c184719ef5052f37e26b2913195..06e8240d2abe63baeab90d17e028e273fc525767 100644 (file)
@@ -758,6 +758,13 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this)
        if (!pi_state)
                return -EINVAL;
 
+       /*
+        * If current does not own the pi_state then the futex is
+        * inconsistent and user space fiddled with the futex value.
+        */
+       if (pi_state->owner != current)
+               return -EINVAL;
+
        raw_spin_lock(&pi_state->pi_mutex.wait_lock);
        new_owner = rt_mutex_next_owner(&pi_state->pi_mutex);
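Review bot: The added `pi_state->owner != current` test runs before `raw_spin_lock(&pi_state->pi_mutex.wait_lock)` is taken, and nothing in the hunk says which lock keeps `pi_state->owner` stable at that point. If the caller's hash-bucket lock is what serialises owner updates (the caller is not visible here), the new comment should say so, for example `* Caller holds hb->lock, which serialises pi_state->owner.`. Otherwise the check belongs after the lock that does protect the field. Both this path and the `!pi_state` path return `-EINVAL`, so the two kinds of inconsistency cannot be told apart from the error code; a short note on that in the comment would help anyone triaging reports. The body of wake_futex_pi starts and ends outside the hunk.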
 
@@ -1971,7 +1978,7 @@ retry_private:
        /* Unqueue and drop the lock */
        unqueue_me_pi(&q);
 
-       goto out;
+       goto out_put_key;
 
 out_unlock_put_key:
        queue_unlock(&q, hb);