From fba6c1ed3bf7db9606ce235e07a3da4c516ac480 Mon Sep 17 00:00:00 2001
From: Thomas Gleixner
Date: Tue, 2 Feb 2010 11:40:27 +0100
Subject: [PATCH] --- yaml --- r: 180228 b: refs/heads/master c: 51246bfd189064079c54421507236fd2723b18f3 h: refs/heads/master v: v3
---
 [refs] | 2 +-
 trunk/kernel/futex.c | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/[refs] b/[refs]
index d9d998b64ed1..556552684dd1 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: 5ecb01cfdf96c5f465192bdb2a4fd4a61a24c6cc
+refs/heads/master: 51246bfd189064079c54421507236fd2723b18f3
diff --git a/trunk/kernel/futex.c b/trunk/kernel/futex.c
index 17828033a639..06e8240d2abe 100644
--- a/trunk/kernel/futex.c
+++ b/trunk/kernel/futex.c
@@ -758,6 +758,13 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this)
 if (!pi_state)
 return -EINVAL;
+ /*
+ * If current does not own the pi_state then the futex is
+ * inconsistent and user space fiddled with the futex value.
+ */
+ if (pi_state->owner != current)
+ return -EINVAL;
+
 raw_spin_lock(&pi_state->pi_mutex.wait_lock);
 new_owner = rt_mutex_next_owner(&pi_state->pi_mutex);
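Review bot: The new `pi_state->owner != current` test reads the owner field before `raw_spin_lock(&pi_state->pi_mutex.wait_lock)` is taken on the following line, and nothing in the hunk says which lock keeps that field stable at this point. If the caller's hash-bucket lock is what serializes it (not visible here, so confirm), the comment should say so, for example by adding `* Relies on the caller holding the hash bucket lock; owner is read before wait_lock is taken.` The comment could also record why the early return matters: the next lines go on to select a new owner, so continuing would act on state that user space has made inconsistent. Returning -EINVAL without a WARN fits a condition that user space can trigger at will, and that choice is worth a word in the comment so nobody adds a warning later. wake_futex_pi starts and ends outside the hunk.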