From 2d04a1d79d70676b2bb5f83f154b10909edf7c67 Mon Sep 17 00:00:00 2001
From: Thomas Gleixner
Date: Wed, 3 Feb 2010 09:33:05 +0100
Subject: [PATCH]
--- yaml ---
r: 180229
b: refs/heads/master
c: 59647b6ac3050dd964bc556fe6ef22f4db5b935c
h: refs/heads/master
i: 180227: 8891726dc1aad9216741f1a1281da46906348d5a
v: v3
---
 [refs] | 2 +-
 trunk/kernel/futex.c | 21 +++++++++++++++++++--
 2 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/[refs] b/[refs]
index 556552684dd1..b1af9f9ca647 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: 51246bfd189064079c54421507236fd2723b18f3
+refs/heads/master: 59647b6ac3050dd964bc556fe6ef22f4db5b935c
diff --git a/trunk/kernel/futex.c b/trunk/kernel/futex.c
index 06e8240d2abe..e7a35f1039e7 100644
--- a/trunk/kernel/futex.c
+++ b/trunk/kernel/futex.c
@@ -530,8 +530,25 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
 return -EINVAL;
 WARN_ON(!atomic_read(&pi_state->refcount));
- WARN_ON(pid && pi_state->owner &&
- pi_state->owner->pid != pid);
+
+ /*
+ * When pi_state->owner is NULL then the owner died
+ * and another waiter is on the fly. pi_state->owner
+ * is fixed up by the task which acquires
+ * pi_state->rt_mutex.
+ *
+ * We do not check for pid == 0 which can happen when
+ * the owner died and robust_list_exit() cleared the
+ * TID.
+ */
+ if (pid && pi_state->owner) {
+ /*
+ * Bail out if user space manipulated the
+ * futex value.
+ */
+ if (pid != task_pid_vnr(pi_state->owner))
+ return -EINVAL;
+ }
 atomic_inc(&pi_state->refcount);
 *ps = pi_state;