futex_compat: fix list traversal bugs

[linux-2.6-omap-h63xx.git] / kernel / futex_compat.c

diff --git a/kernel/futex_compat.c b/kernel/futex_compat.c
index 27478948b318968a052e4b9fad9a27dd881ca67f..7e52eb051f227f557a171e974312d35b9192944a 100644 (file)
--- a/kernel/futex_compat.c
+++ b/kernel/futex_compat.c
@@ -61,10 +61,10 @@ void compat_exit_robust_list(struct task_struct *curr)
        if (fetch_robust_entry(&upending, &pending,
                               &head->list_op_pending, &pip))
                return;
-       if (upending)
+       if (pending)
                handle_futex_death((void __user *)pending + futex_offset, curr, pip);
 
-       while (compat_ptr(uentry) != &head->list) {
+       while (entry != (struct robust_list __user *) &head->list) {
                /*
                 * A pending lock might already be on the list, so
                 * dont process it twice:
@@ -157,8 +157,7 @@ asmlinkage long compat_sys_futex(u32 __user *uaddr, int op, u32 val,
                        t = ktime_add(ktime_get(), t);
                tp = &t;
        }
-       if (cmd == FUTEX_REQUEUE || cmd == FUTEX_CMP_REQUEUE
-           || cmd == FUTEX_CMP_REQUEUE_PI)
+       if (cmd == FUTEX_REQUEUE || cmd == FUTEX_CMP_REQUEUE)
                val2 = (int) (unsigned long) utime;
 
        return do_futex(uaddr, op, val, tp, uaddr2, val2, val3);