Linux user memory access API change (initial patch by Thayne Harbaugh)


git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@3583 c046a42c-6fe2-441c-8c8c-71466251a162
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 07e84d9..656f78e 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -504,12 +504,13 @@
 #endif
 }
 
-static inline void host_to_target_rusage(abi_ulong target_addr,
-                                         const struct rusage *rusage)
+static inline abi_long host_to_target_rusage(abi_ulong target_addr,
+                                             const struct rusage *rusage)
 {
     struct target_rusage *target_rusage;
 
-    lock_user_struct(target_rusage, target_addr, 0);
+    if (!lock_user_struct(VERIFY_WRITE, target_rusage, target_addr, 0))
+        return -TARGET_EFAULT;
     target_rusage->ru_utime.tv_sec = tswapl(rusage->ru_utime.tv_sec);
     target_rusage->ru_utime.tv_usec = tswapl(rusage->ru_utime.tv_usec);
     target_rusage->ru_stime.tv_sec = tswapl(rusage->ru_stime.tv_sec);
@@ -529,28 +530,36 @@
     target_rusage->ru_nvcsw = tswapl(rusage->ru_nvcsw);
     target_rusage->ru_nivcsw = tswapl(rusage->ru_nivcsw);
     unlock_user_struct(target_rusage, target_addr, 1);
+
+    return 0;
 }
 
-static inline void target_to_host_timeval(struct timeval *tv,
-                                          abi_ulong target_addr)
+static inline abi_long target_to_host_timeval(struct timeval *tv,
+                                              abi_ulong target_addr)
 {
     struct target_timeval *target_tv;
 
-    lock_user_struct(target_tv, target_addr, 1);
+    if (!lock_user_struct(VERIFY_READ, target_tv, target_addr, 1))
+        return -TARGET_EFAULT;
     tv->tv_sec = tswapl(target_tv->tv_sec);
     tv->tv_usec = tswapl(target_tv->tv_usec);
     unlock_user_struct(target_tv, target_addr, 0);
+
+    return 0;
 }
 
-static inline void host_to_target_timeval(abi_ulong target_addr,
-                                          const struct timeval *tv)
+static inline abi_long host_to_target_timeval(abi_ulong target_addr,
+                                              const struct timeval *tv)
 {
     struct target_timeval *target_tv;
 
-    lock_user_struct(target_tv, target_addr, 0);
+    if (!lock_user_struct(VERIFY_WRITE, target_tv, target_addr, 0))
+        return -TARGET_EFAULT;
     target_tv->tv_sec = tswapl(tv->tv_sec);
     target_tv->tv_usec = tswapl(tv->tv_usec);
     unlock_user_struct(target_tv, target_addr, 1);
+
+    return 0;
 }
 
 
@@ -567,21 +576,33 @@
     int ok;
 
     if (rfd_p) {
-        target_rfds = lock_user(rfd_p, sizeof(abi_long) * n, 1);
+        target_rfds = lock_user(VERIFY_WRITE, rfd_p, sizeof(abi_long) * n, 1);
+        if (!target_rfds) {
+            ret = -TARGET_EFAULT;
+            goto end;
+        }
         rfds_ptr = target_to_host_fds(&rfds, target_rfds, n);
     } else {
         target_rfds = NULL;
         rfds_ptr = NULL;
     }
     if (wfd_p) {
-        target_wfds = lock_user(wfd_p, sizeof(abi_long) * n, 1);
+        target_wfds = lock_user(VERIFY_WRITE, wfd_p, sizeof(abi_long) * n, 1);
+        if (!target_wfds) {
+            ret = -TARGET_EFAULT;
+            goto end;
+        }
         wfds_ptr = target_to_host_fds(&wfds, target_wfds, n);
     } else {
         target_wfds = NULL;
         wfds_ptr = NULL;
     }
     if (efd_p) {
-        target_efds = lock_user(efd_p, sizeof(abi_long) * n, 1);
+        target_efds = lock_user(VERIFY_WRITE, efd_p, sizeof(abi_long) * n, 1);
+        if (!target_efds) {
+            ret = -TARGET_EFAULT;
+            goto end;
+        }
         efds_ptr = target_to_host_fds(&efds, target_efds, n);
     } else {
         target_efds = NULL;
@@ -606,38 +627,45 @@
             host_to_target_timeval(target_tv, &tv);
         }
     }
-    if (target_rfds)
-        unlock_user(target_rfds, rfd_p, ok ? sizeof(abi_long) * n : 0);
-    if (target_wfds)
-        unlock_user(target_wfds, wfd_p, ok ? sizeof(abi_long) * n : 0);
-    if (target_efds)
-        unlock_user(target_efds, efd_p, ok ? sizeof(abi_long) * n : 0);
+
+end:
+    unlock_user(target_rfds, rfd_p, ok ? sizeof(abi_long) * n : 0);
+    unlock_user(target_wfds, wfd_p, ok ? sizeof(abi_long) * n : 0);
+    unlock_user(target_efds, efd_p, ok ? sizeof(abi_long) * n : 0);
 
     return ret;
 }
 
-static inline void target_to_host_sockaddr(struct sockaddr *addr,
-                                           abi_ulong target_addr,
-                                           socklen_t len)
+static inline abi_long target_to_host_sockaddr(struct sockaddr *addr,
+                                               abi_ulong target_addr,
+                                               socklen_t len)
 {
     struct target_sockaddr *target_saddr;
 
-    target_saddr = lock_user(target_addr, len, 1);
+    target_saddr = lock_user(VERIFY_READ, target_addr, len, 1);
+    if (!target_saddr)
+        return -TARGET_EFAULT;
     memcpy(addr, target_saddr, len);
     addr->sa_family = tswap16(target_saddr->sa_family);
     unlock_user(target_saddr, target_addr, 0);
+
+    return 0;
 }
 
-static inline void host_to_target_sockaddr(abi_ulong target_addr,
-                                           struct sockaddr *addr,
-                                           socklen_t len)
+static inline abi_long host_to_target_sockaddr(abi_ulong target_addr,
+                                               struct sockaddr *addr,
+                                               socklen_t len)
 {
     struct target_sockaddr *target_saddr;
 
-    target_saddr = lock_user(target_addr, len, 0);
+    target_saddr = lock_user(VERIFY_WRITE, target_addr, len, 0);
+    if (!target_saddr)
+        return -TARGET_EFAULT;
     memcpy(target_saddr, addr, len);
     target_saddr->sa_family = tswap16(addr->sa_family);
     unlock_user(target_saddr, target_addr, len);
+
+    return 0;
 }
 
 /* ??? Should this also swap msgh->name?  */
@@ -941,35 +969,56 @@
     return ret;
 }
 
-static void lock_iovec(struct iovec *vec, abi_ulong target_addr,
-                       int count, int copy)
+/* FIXME
+ * lock_iovec()/unlock_iovec() have a return code of 0 for success where
+ * other lock functions have a return code of 0 for failure.
+ */
+static abi_long lock_iovec(int type, struct iovec *vec, abi_ulong target_addr,
+                           int count, int copy)
 {
     struct target_iovec *target_vec;
     abi_ulong base;
-    int i;
+    int i, j;
 
-    target_vec = lock_user(target_addr, count * sizeof(struct target_iovec), 1);
+    target_vec = lock_user(VERIFY_READ, target_addr, count * sizeof(struct target_iovec), 1);
+    if (!target_vec)
+        return -TARGET_EFAULT;
     for(i = 0;i < count; i++) {
         base = tswapl(target_vec[i].iov_base);
         vec[i].iov_len = tswapl(target_vec[i].iov_len);
-        vec[i].iov_base = lock_user(base, vec[i].iov_len, copy);
+        vec[i].iov_base = lock_user(type, base, vec[i].iov_len, copy);
+	if (!vec[i].iov_base) 
+            goto fail;
     }
     unlock_user (target_vec, target_addr, 0);
+    return 0;
+ fail:
+    /* failure - unwind locks */
+    for (j = 0; j < i; j++) {
+        base = tswapl(target_vec[j].iov_base);
+        unlock_user(vec[j].iov_base, base, 0);
+    }
+    unlock_user (target_vec, target_addr, 0);
+    return -TARGET_EFAULT;
 }
 
-static void unlock_iovec(struct iovec *vec, abi_ulong target_addr,
-                         int count, int copy)
+static abi_long unlock_iovec(struct iovec *vec, abi_ulong target_addr,
+                             int count, int copy)
 {
     struct target_iovec *target_vec;
     abi_ulong base;
     int i;
 
-    target_vec = lock_user(target_addr, count * sizeof(struct target_iovec), 1);
+    target_vec = lock_user(VERIFY_READ, target_addr, count * sizeof(struct target_iovec), 1);
+    if (!target_vec)
+        return -TARGET_EFAULT;
     for(i = 0;i < count; i++) {
         base = tswapl(target_vec[i].iov_base);
         unlock_user(vec[i].iov_base, base, copy ? vec[i].iov_len : 0);
     }
     unlock_user (target_vec, target_addr, 0);
+
+    return 0;
 }
 
 /* do_socket() Must return target values and target errnos. */
@@ -1033,7 +1082,12 @@
     struct iovec *vec;
     abi_ulong target_vec;
 
-    lock_user_struct(msgp, target_msg, 1);
+    /* FIXME */
+    if (!lock_user_struct(send ? VERIFY_READ : VERIFY_WRITE,
+                          msgp,
+                          target_msg,
+                          send ? 1 : 0))
+        return -TARGET_EFAULT;
     if (msgp->msg_name) {
         msg.msg_namelen = tswap32(msgp->msg_namelen);
         msg.msg_name = alloca(msg.msg_namelen);
@@ -1050,7 +1104,7 @@
     count = tswapl(msgp->msg_iovlen);
     vec = alloca(count * sizeof(struct iovec));
     target_vec = tswapl(msgp->msg_iov);
-    lock_iovec(vec, target_vec, count, send);
+    lock_iovec(send ? VERIFY_READ : VERIFY_WRITE, vec, target_vec, count, send);
     msg.msg_iovlen = count;
     msg.msg_iov = vec;
 
@@ -1063,6 +1117,7 @@
             host_to_target_cmsg(msgp, &msg);
     }
     unlock_iovec(vec, target_vec, count, !send);
+    unlock_user_struct(msgp, target_msg, send ? 0 : 1);
     return ret;
 }
 
@@ -1137,7 +1192,9 @@
     void *host_msg;
     abi_long ret;
 
-    host_msg = lock_user(msg, len, 1);
+    host_msg = lock_user(VERIFY_READ, msg, len, 1);
+    if (!host_msg)
+        return -TARGET_EFAULT;
     if (target_addr) {
         addr = alloca(addrlen);
         target_to_host_sockaddr(addr, target_addr, addrlen);
@@ -1159,7 +1216,9 @@
     void *host_msg;
     abi_long ret;
 
-    host_msg = lock_user(msg, len, 0);
+    host_msg = lock_user(VERIFY_WRITE, msg, len, 0);
+    if (!host_msg)
+        return -TARGET_EFAULT;
     if (target_addr) {
         addrlen = tget32(target_addrlen);
         addr = alloca(addrlen);
@@ -1381,13 +1440,14 @@
   abi_ulong __unused4;
 };
 
-static inline void target_to_host_ipc_perm(struct ipc_perm *host_ip,
-                                           abi_ulong target_addr)
+static inline abi_long target_to_host_ipc_perm(struct ipc_perm *host_ip,
+                                               abi_ulong target_addr)
 {
     struct target_ipc_perm *target_ip;
     struct target_semid_ds *target_sd;
 
-    lock_user_struct(target_sd, target_addr, 1);
+    if (!lock_user_struct(VERIFY_READ, target_sd, target_addr, 1))
+        return -TARGET_EFAULT;
     target_ip=&(target_sd->sem_perm);
     host_ip->__key = tswapl(target_ip->__key);
     host_ip->uid = tswapl(target_ip->uid);
@@ -1396,15 +1456,17 @@
     host_ip->cgid = tswapl(target_ip->cgid);
     host_ip->mode = tswapl(target_ip->mode);
     unlock_user_struct(target_sd, target_addr, 0);
+    return 0;
 }
 
-static inline void host_to_target_ipc_perm(abi_ulong target_addr,
-                                           struct ipc_perm *host_ip)
+static inline abi_long host_to_target_ipc_perm(abi_ulong target_addr,
+                                               struct ipc_perm *host_ip)
 {
     struct target_ipc_perm *target_ip;
     struct target_semid_ds *target_sd;
 
-    lock_user_struct(target_sd, target_addr, 0);
+    if (!lock_user_struct(VERIFY_WRITE, target_sd, target_addr, 0))
+        return -TARGET_EFAULT;
     target_ip = &(target_sd->sem_perm);
     target_ip->__key = tswapl(host_ip->__key);
     target_ip->uid = tswapl(host_ip->uid);
@@ -1413,32 +1475,37 @@
     target_ip->cgid = tswapl(host_ip->cgid);
     target_ip->mode = tswapl(host_ip->mode);
     unlock_user_struct(target_sd, target_addr, 1);
+    return 0;
 }
 
-static inline void target_to_host_semid_ds(struct semid_ds *host_sd,
-                                          abi_ulong target_addr)
+static inline abi_long target_to_host_semid_ds(struct semid_ds *host_sd,
+                                               abi_ulong target_addr)
 {
     struct target_semid_ds *target_sd;
 
-    lock_user_struct(target_sd, target_addr, 1);
+    if (!lock_user_struct(VERIFY_READ, target_sd, target_addr, 1))
+        return -TARGET_EFAULT;
     target_to_host_ipc_perm(&(host_sd->sem_perm),target_addr);
     host_sd->sem_nsems = tswapl(target_sd->sem_nsems);
     host_sd->sem_otime = tswapl(target_sd->sem_otime);
     host_sd->sem_ctime = tswapl(target_sd->sem_ctime);
     unlock_user_struct(target_sd, target_addr, 0);
+    return 0;
 }
 
-static inline void host_to_target_semid_ds(abi_ulong target_addr,
-                                           struct semid_ds *host_sd)
+static inline abi_long host_to_target_semid_ds(abi_ulong target_addr,
+                                               struct semid_ds *host_sd)
 {
     struct target_semid_ds *target_sd;
 
-    lock_user_struct(target_sd, target_addr, 0);
+    if (!lock_user_struct(VERIFY_WRITE, target_sd, target_addr, 0))
+        return -TARGET_EFAULT;
     host_to_target_ipc_perm(target_addr,&(host_sd->sem_perm));
     target_sd->sem_nsems = tswapl(host_sd->sem_nsems);
     target_sd->sem_otime = tswapl(host_sd->sem_otime);
     target_sd->sem_ctime = tswapl(host_sd->sem_ctime);
     unlock_user_struct(target_sd, target_addr, 1);
+    return 0;
 }
 
 union semun {
@@ -1453,67 +1520,75 @@
 	unsigned short int *array;
 };
 
-static inline void target_to_host_semun(int cmd,
-                                        union semun *host_su,
-                                        abi_ulong target_addr,
-                                        struct semid_ds *ds)
+static inline abi_long target_to_host_semun(int cmd,
+                                            union semun *host_su,
+                                            abi_ulong target_addr,
+                                            struct semid_ds *ds)
 {
     union target_semun *target_su;
 
     switch( cmd ) {
 	case IPC_STAT:
 	case IPC_SET:
-           lock_user_struct(target_su, target_addr, 1);
+           if (!lock_user_struct(VERIFY_READ, target_su, target_addr, 1))
+               return -TARGET_EFAULT;
 	   target_to_host_semid_ds(ds,target_su->buf);
 	   host_su->buf = ds;
            unlock_user_struct(target_su, target_addr, 0);
 	   break;
 	case GETVAL:
 	case SETVAL:
-           lock_user_struct(target_su, target_addr, 1);
+           if (!lock_user_struct(VERIFY_READ, target_su, target_addr, 1))
+               return -TARGET_EFAULT;
 	   host_su->val = tswapl(target_su->val);
            unlock_user_struct(target_su, target_addr, 0);
 	   break;
 	case GETALL:
 	case SETALL:
-           lock_user_struct(target_su, target_addr, 1);
+           if (!lock_user_struct(VERIFY_READ, target_su, target_addr, 1))
+               return -TARGET_EFAULT;
 	   *host_su->array = tswap16(*target_su->array);
            unlock_user_struct(target_su, target_addr, 0);
 	   break;
 	default:
            gemu_log("semun operation not fully supported: %d\n", (int)cmd);
     }
+    return 0;
 }
 
-static inline void host_to_target_semun(int cmd,
-                                        abi_ulong target_addr,
-                                        union semun *host_su,
-                                        struct semid_ds *ds)
+static inline abi_long host_to_target_semun(int cmd,
+                                            abi_ulong target_addr,
+                                            union semun *host_su,
+                                            struct semid_ds *ds)
 {
     union target_semun *target_su;
 
     switch( cmd ) {
 	case IPC_STAT:
 	case IPC_SET:
-           lock_user_struct(target_su, target_addr, 0);
+           if (lock_user_struct(VERIFY_WRITE, target_su, target_addr, 0))
+               return -TARGET_EFAULT;
 	   host_to_target_semid_ds(target_su->buf,ds);
            unlock_user_struct(target_su, target_addr, 1);
 	   break;
 	case GETVAL:
 	case SETVAL:
-           lock_user_struct(target_su, target_addr, 0);
+           if (lock_user_struct(VERIFY_WRITE, target_su, target_addr, 0))
+               return -TARGET_EFAULT;
 	   target_su->val = tswapl(host_su->val);
            unlock_user_struct(target_su, target_addr, 1);
 	   break;
 	case GETALL:
 	case SETALL:
-           lock_user_struct(target_su, target_addr, 0);
+           if (lock_user_struct(VERIFY_WRITE, target_su, target_addr, 0))
+               return -TARGET_EFAULT;
 	   *target_su->array = tswap16(*host_su->array);
            unlock_user_struct(target_su, target_addr, 1);
 	   break;
         default:
            gemu_log("semun operation not fully supported: %d\n", (int)cmd);
     }
+    return 0;
 }
 
 static inline abi_long do_semctl(int first, int second, int third,
@@ -1580,12 +1655,13 @@
   abi_ulong __unused5;
 };
 
-static inline void target_to_host_msqid_ds(struct msqid_ds *host_md,
-                                           abi_ulong target_addr)
+static inline abi_long target_to_host_msqid_ds(struct msqid_ds *host_md,
+                                               abi_ulong target_addr)
 {
     struct target_msqid_ds *target_md;
 
-    lock_user_struct(target_md, target_addr, 1);
+    if (!lock_user_struct(VERIFY_READ, target_md, target_addr, 1))
+        return -TARGET_EFAULT;
     target_to_host_ipc_perm(&(host_md->msg_perm),target_addr);
     host_md->msg_stime = tswapl(target_md->msg_stime);
     host_md->msg_rtime = tswapl(target_md->msg_rtime);
@@ -1596,14 +1672,16 @@
     host_md->msg_lspid = tswapl(target_md->msg_lspid);
     host_md->msg_lrpid = tswapl(target_md->msg_lrpid);
     unlock_user_struct(target_md, target_addr, 0);
+    return 0;
 }
 
-static inline void host_to_target_msqid_ds(abi_ulong target_addr,
-                                           struct msqid_ds *host_md)
+static inline abi_long host_to_target_msqid_ds(abi_ulong target_addr,
+                                               struct msqid_ds *host_md)
 {
     struct target_msqid_ds *target_md;
 
-    lock_user_struct(target_md, target_addr, 0);
+    if (!lock_user_struct(VERIFY_WRITE, target_md, target_addr, 0))
+        return -TARGET_EFAULT;
     host_to_target_ipc_perm(target_addr,&(host_md->msg_perm));
     target_md->msg_stime = tswapl(host_md->msg_stime);
     target_md->msg_rtime = tswapl(host_md->msg_rtime);
@@ -1614,6 +1692,7 @@
     target_md->msg_lspid = tswapl(host_md->msg_lspid);
     target_md->msg_lrpid = tswapl(host_md->msg_lrpid);
     unlock_user_struct(target_md, target_addr, 1);
+    return 0;
 }
 
 static inline abi_long do_msgctl(int first, int second, abi_long ptr)
@@ -1645,7 +1724,8 @@
     struct msgbuf *host_mb;
     abi_long ret = 0;
 
-    lock_user_struct(target_mb,msgp,0);
+    if (!lock_user_struct(VERIFY_READ, target_mb, msgp, 0))
+        return -TARGET_EFAULT;
     host_mb = malloc(msgsz+sizeof(long));
     host_mb->mtype = tswapl(target_mb->mtype);
     memcpy(host_mb->mtext,target_mb->mtext,msgsz);
@@ -1661,18 +1741,30 @@
                                  int msgflg)
 {
     struct target_msgbuf *target_mb;
+    char *target_mtext;
     struct msgbuf *host_mb;
     abi_long ret = 0;
 
-    lock_user_struct(target_mb, msgp, 0);
+    if (!lock_user_struct(VERIFY_WRITE, target_mb, msgp, 0))
+        return -TARGET_EFAULT;
     host_mb = malloc(msgsz+sizeof(long));
     ret = get_errno(msgrcv(msqid, host_mb, msgsz, 1, msgflg));
-    if (ret > 0)
+    if (ret > 0) {
+        abi_ulong target_mtext_addr = msgp + sizeof(abi_ulong);
+        target_mtext = lock_user(VERIFY_WRITE, target_mtext_addr, ret, 0);
+        if (!target_mtext) {
+            ret = -TARGET_EFAULT;
+            goto end;
+        }
     	memcpy(target_mb->mtext, host_mb->mtext, ret);
+        unlock_user(target_mtext, target_mtext_addr, ret);
+    }
     target_mb->mtype = tswapl(host_mb->mtype);
     free(host_mb);
-    unlock_user_struct(target_mb, msgp, 0);
 
+end:
+    if (target_mb)
+        unlock_user_struct(target_mb, msgp, 1);
     return ret;
 }
 
@@ -1693,7 +1785,7 @@
 
     switch (call) {
     case IPCOP_semop:
-        ret = get_errno(semop(first,(struct sembuf *) ptr, second));
+        ret = get_errno(semop(first,(struct sembuf *)g2h(ptr), second));
         break;
 
     case IPCOP_semget:
@@ -1723,13 +1815,14 @@
 
 	case IPCOP_msgrcv:
                 {
+                      /* XXX: this code is not correct */
                       struct ipc_kludge
                       {
                               void *__unbounded msgp;
                               long int msgtyp;
                       };
 
-                      struct ipc_kludge *foo = (struct ipc_kludge *) ptr;
+                      struct ipc_kludge *foo = (struct ipc_kludge *)g2h(ptr);
                       struct msgbuf *msgp = (struct msgbuf *) foo->msgp;
 
                       ret = do_msgrcv(first, (long)msgp, second, 0, third);
@@ -1761,7 +1854,7 @@
                 break;
 	    }
 	}
-	if (put_user(raddr, (abi_ulong *)third))
+        if (put_user(raddr, third, abi_ulong))
             return -TARGET_EFAULT;
         ret = 0;
 	break;
@@ -1883,25 +1976,33 @@
         case IOC_R:
             ret = get_errno(ioctl(fd, ie->host_cmd, buf_temp));
             if (!is_error(ret)) {
-                argptr = lock_user(arg, target_size, 0);
+                argptr = lock_user(VERIFY_WRITE, arg, target_size, 0);
+                if (!argptr)
+                    return -TARGET_EFAULT;
                 thunk_convert(argptr, buf_temp, arg_type, THUNK_TARGET);
                 unlock_user(argptr, arg, target_size);
             }
             break;
         case IOC_W:
-            argptr = lock_user(arg, target_size, 1);
+            argptr = lock_user(VERIFY_READ, arg, target_size, 1);
+            if (!argptr)
+                return -TARGET_EFAULT;
             thunk_convert(buf_temp, argptr, arg_type, THUNK_HOST);
             unlock_user(argptr, arg, 0);
             ret = get_errno(ioctl(fd, ie->host_cmd, buf_temp));
             break;
         default:
         case IOC_RW:
-            argptr = lock_user(arg, target_size, 1);
+            argptr = lock_user(VERIFY_READ, arg, target_size, 1);
+            if (!argptr)
+                return -TARGET_EFAULT;
             thunk_convert(buf_temp, argptr, arg_type, THUNK_HOST);
             unlock_user(argptr, arg, 0);
             ret = get_errno(ioctl(fd, ie->host_cmd, buf_temp));
             if (!is_error(ret)) {
-                argptr = lock_user(arg, target_size, 0);
+                argptr = lock_user(VERIFY_WRITE, arg, target_size, 0);
+                if (!argptr)
+                    return -TARGET_EFAULT;
                 thunk_convert(argptr, buf_temp, arg_type, THUNK_TARGET);
                 unlock_user(argptr, arg, target_size);
             }
@@ -2138,8 +2239,10 @@
     size = TARGET_LDT_ENTRIES * TARGET_LDT_ENTRY_SIZE;
     if (size > bytecount)
         size = bytecount;
-    p = lock_user(ptr, size, 0);
-    /* ??? Shoudl this by byteswapped?  */
+    p = lock_user(VERIFY_WRITE, ptr, size, 0);
+    if (!p)
+        return -EFAULT;
+    /* ??? Should this by byteswapped?  */
     memcpy(p, ldt_table, size);
     unlock_user(p, ptr, size);
     return size;
@@ -2158,7 +2261,8 @@
 
     if (bytecount != sizeof(ldt_info))
         return -EINVAL;
-    lock_user_struct(target_ldt_info, ptr, 1);
+    if (!lock_user_struct(VERIFY_READ, target_ldt_info, ptr, 1))
+        return -EFAULT;
     ldt_info.entry_number = tswap32(target_ldt_info->entry_number);
     ldt_info.base_addr = tswapl(target_ldt_info->base_addr);
     ldt_info.limit = tswap32(target_ldt_info->limit);
@@ -2365,7 +2469,8 @@
 
     switch(cmd) {
     case TARGET_F_GETLK:
-        lock_user_struct(target_fl, arg, 1);
+        if (!lock_user_struct(VERIFY_READ, target_fl, arg, 1))
+            return -TARGET_EFAULT;
         fl.l_type = tswap16(target_fl->l_type);
         fl.l_whence = tswap16(target_fl->l_whence);
         fl.l_start = tswapl(target_fl->l_start);
@@ -2374,7 +2479,8 @@
         unlock_user_struct(target_fl, arg, 0);
         ret = fcntl(fd, cmd, &fl);
         if (ret == 0) {
-            lock_user_struct(target_fl, arg, 0);
+            if (!lock_user_struct(VERIFY_WRITE, target_fl, arg, 0))
+                return -TARGET_EFAULT;
             target_fl->l_type = tswap16(fl.l_type);
             target_fl->l_whence = tswap16(fl.l_whence);
             target_fl->l_start = tswapl(fl.l_start);
@@ -2386,7 +2492,8 @@
 
     case TARGET_F_SETLK:
     case TARGET_F_SETLKW:
-        lock_user_struct(target_fl, arg, 1);
+        if (!lock_user_struct(VERIFY_READ, target_fl, arg, 1))
+            return -TARGET_EFAULT;
         fl.l_type = tswap16(target_fl->l_type);
         fl.l_whence = tswap16(target_fl->l_whence);
         fl.l_start = tswapl(target_fl->l_start);
@@ -2397,7 +2504,8 @@
         break;
 
     case TARGET_F_GETLK64:
-        lock_user_struct(target_fl64, arg, 1);
+        if (!lock_user_struct(VERIFY_READ, target_fl64, arg, 1))
+            return -TARGET_EFAULT;
         fl64.l_type = tswap16(target_fl64->l_type) >> 1;
         fl64.l_whence = tswap16(target_fl64->l_whence);
         fl64.l_start = tswapl(target_fl64->l_start);
@@ -2406,7 +2514,8 @@
         unlock_user_struct(target_fl64, arg, 0);
         ret = fcntl(fd, cmd >> 1, &fl64);
         if (ret == 0) {
-            lock_user_struct(target_fl64, arg, 0);
+            if (!lock_user_struct(VERIFY_WRITE, target_fl64, arg, 0))
+                return -TARGET_EFAULT;
             target_fl64->l_type = tswap16(fl64.l_type) >> 1;
             target_fl64->l_whence = tswap16(fl64.l_whence);
             target_fl64->l_start = tswapl(fl64.l_start);
@@ -2417,14 +2526,15 @@
 		break;
     case TARGET_F_SETLK64:
     case TARGET_F_SETLKW64:
-        lock_user_struct(target_fl64, arg, 1);
+        if (!lock_user_struct(VERIFY_READ, target_fl64, arg, 1))
+            return -TARGET_EFAULT;
         fl64.l_type = tswap16(target_fl64->l_type) >> 1;
         fl64.l_whence = tswap16(target_fl64->l_whence);
         fl64.l_start = tswapl(target_fl64->l_start);
         fl64.l_len = tswapl(target_fl64->l_len);
         fl64.l_pid = tswap16(target_fl64->l_pid);
         unlock_user_struct(target_fl64, arg, 0);
-		ret = fcntl(fd, cmd >> 1, &fl64);
+        ret = fcntl(fd, cmd >> 1, &fl64);
         break;
 
     case F_GETFL:
@@ -2577,23 +2687,25 @@
 }
 #endif
 
-static inline void target_to_host_timespec(struct timespec *host_ts,
-                                           abi_ulong target_addr)
+static inline abi_long target_to_host_timespec(struct timespec *host_ts,
+                                               abi_ulong target_addr)
 {
     struct target_timespec *target_ts;
 
-    lock_user_struct(target_ts, target_addr, 1);
+    if (!lock_user_struct(VERIFY_READ, target_ts, target_addr, 1))
+        return -TARGET_EFAULT;
     host_ts->tv_sec = tswapl(target_ts->tv_sec);
     host_ts->tv_nsec = tswapl(target_ts->tv_nsec);
     unlock_user_struct(target_ts, target_addr, 0);
 }
 
-static inline void host_to_target_timespec(abi_ulong target_addr,
-                                           struct timespec *host_ts)
+static inline abi_long host_to_target_timespec(abi_ulong target_addr,
+                                               struct timespec *host_ts)
 {
     struct target_timespec *target_ts;
 
-    lock_user_struct(target_ts, target_addr, 0);
+    if (!lock_user_struct(VERIFY_WRITE, target_ts, target_addr, 0))
+        return -TARGET_EFAULT;
     target_ts->tv_sec = tswapl(host_ts->tv_sec);
     target_ts->tv_nsec = tswapl(host_ts->tv_nsec);
     unlock_user_struct(target_ts, target_addr, 1);
@@ -2629,17 +2741,22 @@
         break;
     case TARGET_NR_read:
         page_unprotect_range(arg2, arg3);
-        p = lock_user(arg2, arg3, 0);
+        if (!(p = lock_user(VERIFY_WRITE, arg2, arg3, 0)))
+            goto efault;
         ret = get_errno(read(arg1, p, arg3));
         unlock_user(p, arg2, ret);
         break;
     case TARGET_NR_write:
-        p = lock_user(arg2, arg3, 1);
+        if (!(p = lock_user(VERIFY_READ, arg2, arg3, 1)))
+            goto efault;
         ret = get_errno(write(arg1, p, arg3));
         unlock_user(p, arg2, 0);
         break;
     case TARGET_NR_open:
-        p = lock_user_string(arg1);
+        if (!(p = lock_user_string(arg1))) {
+            return -TARGET_EFAULT;
+            goto fail;
+        }
         ret = get_errno(open(path(p),
                              target_to_host_bitmask(arg2, fcntl_flags_tbl),
                              arg3));
@@ -2647,21 +2764,13 @@
         break;
 #if defined(TARGET_NR_openat) && defined(__NR_openat)
     case TARGET_NR_openat:
-        if (!arg2) {
-            ret = -TARGET_EFAULT;
-            goto fail;
-        }
-        p = lock_user_string(arg2);
-        if (!access_ok(VERIFY_READ, p, 1))
-            /* Don't "goto fail" so that cleanup can happen. */
-            ret = -TARGET_EFAULT;
-        else
-            ret = get_errno(sys_openat(arg1,
-                                       path(p),
-                                       target_to_host_bitmask(arg3, fcntl_flags_tbl),
-                                       arg4));
-        if (p)
-            unlock_user(p, arg2, 0);
+        if (!(p = lock_user_string(arg2)))
+            goto efault;
+        ret = get_errno(sys_openat(arg1,
+                                   path(p),
+                                   target_to_host_bitmask(arg3, fcntl_flags_tbl),
+                                   arg4));
+        unlock_user(p, arg2, 0);
         break;
 #endif
     case TARGET_NR_close:
@@ -2685,7 +2794,8 @@
 #endif
 #ifdef TARGET_NR_creat /* not on alpha */
     case TARGET_NR_creat:
-        p = lock_user_string(arg1);
+        if (!(p = lock_user_string(arg1)))
+            goto efault;
         ret = get_errno(creat(p, arg2));
         unlock_user(p, arg1, 0);
         break;
@@ -2695,54 +2805,43 @@
             void * p2;
             p = lock_user_string(arg1);
             p2 = lock_user_string(arg2);
-            ret = get_errno(link(p, p2));
+            if (!p || !p2)
+                ret = -TARGET_EFAULT;
+            else
+                ret = get_errno(link(p, p2));
             unlock_user(p2, arg2, 0);
             unlock_user(p, arg1, 0);
         }
         break;
 #if defined(TARGET_NR_linkat) && defined(__NR_linkat)
     case TARGET_NR_linkat:
-        if (!arg2 || !arg4) {
-            ret = -TARGET_EFAULT;
-            goto fail;
-        }
         {
             void * p2 = NULL;
+            if (!arg2 || !arg4)
+                goto efault;
             p  = lock_user_string(arg2);
             p2 = lock_user_string(arg4);
-            if (!access_ok(VERIFY_READ, p, 1)
-                || !access_ok(VERIFY_READ, p2, 1))
-                /* Don't "goto fail" so that cleanup can happen. */
+            if (!p || !p2)
                 ret = -TARGET_EFAULT;
             else
                 ret = get_errno(sys_linkat(arg1, p, arg3, p2, arg5));
-            if (p2)
-                unlock_user(p, arg2, 0);
-            if (p)
-                unlock_user(p2, arg4, 0);
+            unlock_user(p, arg2, 0);
+            unlock_user(p2, arg4, 0);
         }
         break;
 #endif
     case TARGET_NR_unlink:
-        p = lock_user_string(arg1);
+        if (!(p = lock_user_string(arg1)))
+            goto efault;
         ret = get_errno(unlink(p));
         unlock_user(p, arg1, 0);
         break;
 #if defined(TARGET_NR_unlinkat) && defined(__NR_unlinkat)
     case TARGET_NR_unlinkat:
-        if (!arg2) {
-            ret = -TARGET_EFAULT;
-            goto fail;
-        }
-        p = lock_user_string(arg2);
-        if (!access_ok(VERIFY_READ, p, 1))
-            /* Don't "goto fail" so that cleanup can happen. */
-            ret = -TARGET_EFAULT;
-        else
-            ret = get_errno(sys_unlinkat(arg1, p, arg3));
-        if (p)
-            unlock_user(p, arg2, 0);
-        break;
+        if (!(p = lock_user_string(arg2)))
+            goto efault;
+        ret = get_errno(sys_unlinkat(arg1, p, arg3));
+        unlock_user(p, arg2, 0);
 #endif
     case TARGET_NR_execve:
         {
@@ -2771,7 +2870,10 @@
                 addr = tgetl(gp);
                 if (!addr)
                     break;
-                *q = lock_user_string(addr);
+                if (!(*q = lock_user_string(addr))) {
+                    ret = -TARGET_EFAULT;
+                    goto execve_fail;
+                }
             }
             *q = NULL;
 
@@ -2780,14 +2882,21 @@
                 addr = tgetl(gp);
                 if (!addr)
                     break;
-                *q = lock_user_string(addr);
+                if (!(*q = lock_user_string(addr))) {
+                    ret = -TARGET_EFAULT;
+                    goto execve_fail;
+                }
             }
             *q = NULL;
 
-            p = lock_user_string(arg1);
+            if (!(p = lock_user_string(arg1))) {
+                ret = -TARGET_EFAULT;
+                goto execve_fail;
+            }
             ret = get_errno(execve(p, argp, envp));
             unlock_user(p, arg1, 0);
 
+        execve_fail:
             for (gp = guest_argp, q = argp; *q;
                   gp += sizeof(abi_ulong), q++) {
                 addr = tgetl(gp);
@@ -2801,7 +2910,8 @@
         }
         break;
     case TARGET_NR_chdir:
-        p = lock_user_string(arg1);
+        if (!(p = lock_user_string(arg1)))
+            goto efault;
         ret = get_errno(chdir(p));
         unlock_user(p, arg1, 0);
         break;
@@ -2816,28 +2926,22 @@
         break;
 #endif
     case TARGET_NR_mknod:
-        p = lock_user_string(arg1);
+        if (!(p = lock_user_string(arg1)))
+            goto efault;
         ret = get_errno(mknod(p, arg2, arg3));
         unlock_user(p, arg1, 0);
         break;
 #if defined(TARGET_NR_mknodat) && defined(__NR_mknodat)
     case TARGET_NR_mknodat:
-        if (!arg2) {
-            ret = -TARGET_EFAULT;
-            goto fail;
-        }
-        p = lock_user_string(arg2);
-        if (!access_ok(VERIFY_READ, p, 1))
-            /* Don't "goto fail" so that cleanup can happen. */
-            ret = -TARGET_EFAULT;
-        else
-            ret = get_errno(sys_mknodat(arg1, p, arg3, arg4));
-        if (p)
-            unlock_user(p, arg2, 0);
+        if (!(p = lock_user_string(arg2)))
+            goto efault;
+        ret = get_errno(sys_mknodat(arg1, p, arg3, arg4));
+        unlock_user(p, arg2, 0);
         break;
 #endif
     case TARGET_NR_chmod:
-        p = lock_user_string(arg1);
+        if (!(p = lock_user_string(arg1)))
+            goto efault;
         ret = get_errno(chmod(p, arg2));
         unlock_user(p, arg1, 0);
         break;
@@ -2866,15 +2970,23 @@
 			p = lock_user_string(arg1);
 			p2 = lock_user_string(arg2);
 			p3 = lock_user_string(arg3);
-			ret = get_errno(mount(p, p2, p3, (unsigned long)arg4, (const void *)arg5));
-			unlock_user(p, arg1, 0);
-			unlock_user(p2, arg2, 0);
-			unlock_user(p3, arg3, 0);
+                        if (!p || !p2 || !p3)
+                            ret = -TARGET_EFAULT;
+                        else
+                            /* FIXME - arg5 should be locked, but it isn't clear how to
+                             * do that since it's not guaranteed to be a NULL-terminated
+                             * string.
+                             */
+                            ret = get_errno(mount(p, p2, p3, (unsigned long)arg4, g2h(arg5)));
+                        unlock_user(p, arg1, 0);
+                        unlock_user(p2, arg2, 0);
+                        unlock_user(p3, arg3, 0);
 			break;
 		}
 #ifdef TARGET_NR_umount
     case TARGET_NR_umount:
-        p = lock_user_string(arg1);
+        if (!(p = lock_user_string(arg1)))
+            goto efault;
         ret = get_errno(umount(p));
         unlock_user(p, arg1, 0);
         break;
@@ -2910,7 +3022,8 @@
             struct utimbuf tbuf, *host_tbuf;
             struct target_utimbuf *target_tbuf;
             if (arg2) {
-                lock_user_struct(target_tbuf, arg2, 1);
+                if (!lock_user_struct(VERIFY_READ, target_tbuf, arg2, 1))
+                    goto efault;
                 tbuf.actime = tswapl(target_tbuf->actime);
                 tbuf.modtime = tswapl(target_tbuf->modtime);
                 unlock_user_struct(target_tbuf, arg2, 0);
@@ -2918,7 +3031,8 @@
             } else {
                 host_tbuf = NULL;
             }
-            p = lock_user_string(arg1);
+            if (!(p = lock_user_string(arg1)))
+                goto efault;
             ret = get_errno(utime(p, host_tbuf));
             unlock_user(p, arg1, 0);
         }
@@ -2935,7 +3049,8 @@
             } else {
                 tvp = NULL;
             }
-            p = lock_user_string(arg1);
+            if (!(p = lock_user_string(arg1)))
+                goto efault;
             ret = get_errno(utimes(p, tvp));
             unlock_user(p, arg1, 0);
         }
@@ -2949,24 +3064,17 @@
         goto unimplemented;
 #endif
     case TARGET_NR_access:
-        p = lock_user_string(arg1);
+        if (!(p = lock_user_string(arg1)))
+            goto efault;
         ret = get_errno(access(p, arg2));
         unlock_user(p, arg1, 0);
         break;
 #if defined(TARGET_NR_faccessat) && defined(__NR_faccessat)
     case TARGET_NR_faccessat:
-        if (!arg2) {
-            ret = -TARGET_EFAULT;
-            goto fail;
-        }
-        p = lock_user_string(arg2);
-        if (!access_ok(VERIFY_READ, p, 1))
-            /* Don't "goto fail" so that cleanup can happen. */
-    	    ret = -TARGET_EFAULT;
-        else
-            ret = get_errno(sys_faccessat(arg1, p, arg3, arg4));
-        if (p)
-            unlock_user(p, arg2, 0);
+        if (!(p = lock_user_string(arg2)))
+            goto efault;
+        ret = get_errno(sys_faccessat(arg1, p, arg3, arg4));
+        unlock_user(p, arg2, 0);
         break;
 #endif
 #ifdef TARGET_NR_nice /* not on alpha */
@@ -2990,57 +3098,46 @@
             void *p2;
             p = lock_user_string(arg1);
             p2 = lock_user_string(arg2);
-            ret = get_errno(rename(p, p2));
+            if (!p || !p2)
+                ret = -TARGET_EFAULT;
+            else
+                ret = get_errno(rename(p, p2));
             unlock_user(p2, arg2, 0);
             unlock_user(p, arg1, 0);
         }
         break;
 #if defined(TARGET_NR_renameat) && defined(__NR_renameat)
     case TARGET_NR_renameat:
-        if (!arg2 || !arg4) {
-            ret = -TARGET_EFAULT;
-            goto fail;
-        }
         {
-            void *p2 = NULL;
+            void *p2;
             p  = lock_user_string(arg2);
             p2 = lock_user_string(arg4);
-            if (!access_ok(VERIFY_READ, p, 1)
-                || !access_ok(VERIFY_READ, p2, 1))
-                /* Don't "goto fail" so that cleanup can happen. */
+            if (!p || !p2)
                 ret = -TARGET_EFAULT;
             else
                 ret = get_errno(sys_renameat(arg1, p, arg3, p2));
-            if (p2)
-                unlock_user(p2, arg4, 0);
-            if (p)
-                unlock_user(p, arg2, 0);
+            unlock_user(p2, arg4, 0);
+            unlock_user(p, arg2, 0);
         }
         break;
 #endif
     case TARGET_NR_mkdir:
-        p = lock_user_string(arg1);
+        if (!(p = lock_user_string(arg1)))
+            goto efault;
         ret = get_errno(mkdir(p, arg2));
         unlock_user(p, arg1, 0);
         break;
 #if defined(TARGET_NR_mkdirat) && defined(__NR_mkdirat)
     case TARGET_NR_mkdirat:
-        if (!arg2) {
-            ret = -TARGET_EFAULT;
-            goto fail;
-        }
-        p = lock_user_string(arg2);
-        if (!access_ok(VERIFY_READ, p, 1))
-            /* Don't "goto fail" so that cleanup can happen. */
-            ret = -TARGET_EFAULT;
-        else
-            ret = get_errno(sys_mkdirat(arg1, p, arg3));
-        if (p)
-            unlock_user(p, arg2, 0);
+        if (!(p = lock_user_string(arg2)))
+            goto efault;
+        ret = get_errno(sys_mkdirat(arg1, p, arg3));
+        unlock_user(p, arg2, 0);
         break;
 #endif
     case TARGET_NR_rmdir:
-        p = lock_user_string(arg1);
+        if (!(p = lock_user_string(arg1)))
+            goto efault;
         ret = get_errno(rmdir(p));
         unlock_user(p, arg1, 0);
         break;
@@ -3069,7 +3166,9 @@
             struct tms tms;
             ret = get_errno(times(&tms));
             if (arg1) {
-                tmsp = lock_user(arg1, sizeof(struct target_tms), 0);
+                tmsp = lock_user(VERIFY_WRITE, arg1, sizeof(struct target_tms), 0);
+                if (!tmsp)
+                    goto efault;
                 tmsp->tms_utime = tswapl(host_to_target_clock_t(tms.tms_utime));
                 tmsp->tms_stime = tswapl(host_to_target_clock_t(tms.tms_stime));
                 tmsp->tms_cutime = tswapl(host_to_target_clock_t(tms.tms_cutime));
@@ -3088,13 +3187,15 @@
         goto unimplemented;
 #endif
     case TARGET_NR_acct:
-        p = lock_user_string(arg1);
+        if (!(p = lock_user_string(arg1)))
+            goto efault;
         ret = get_errno(acct(path(p)));
         unlock_user(p, arg1, 0);
         break;
 #ifdef TARGET_NR_umount2 /* not on alpha */
     case TARGET_NR_umount2:
-        p = lock_user_string(arg1);
+        if (!(p = lock_user_string(arg1)))
+            goto efault;
         ret = get_errno(umount2(p, arg2));
         unlock_user(p, arg1, 0);
         break;
@@ -3128,7 +3229,8 @@
         ret = get_errno(umask(arg1));
         break;
     case TARGET_NR_chroot:
-        p = lock_user_string(arg1);
+        if (!(p = lock_user_string(arg1)))
+            goto efault;
         ret = get_errno(chroot(p));
         unlock_user(p, arg1, 0);
         break;
@@ -3155,7 +3257,8 @@
             struct target_old_sigaction *old_act;
             struct target_sigaction act, oact, *pact;
             if (arg2) {
-                lock_user_struct(old_act, arg2, 1);
+                if (!lock_user_struct(VERIFY_READ, old_act, arg2, 1))
+                    goto efault;
                 act._sa_handler = old_act->_sa_handler;
                 target_siginitset(&act.sa_mask, old_act->sa_mask);
                 act.sa_flags = old_act->sa_flags;
@@ -3167,7 +3270,8 @@
             }
             ret = get_errno(do_sigaction(arg1, pact, &oact));
             if (!is_error(ret) && arg3) {
-                lock_user_struct(old_act, arg3, 0);
+                if (!lock_user_struct(VERIFY_WRITE, old_act, arg3, 0))
+                    goto efault;
                 old_act->_sa_handler = oact._sa_handler;
                 old_act->sa_mask = oact.sa_mask.sig[0];
                 old_act->sa_flags = oact.sa_flags;
@@ -3178,7 +3282,8 @@
 	    struct target_sigaction act, oact, *pact, *old_act;
 
 	    if (arg2) {
-		lock_user_struct(old_act, arg2, 1);
+                if (!lock_user_struct(VERIFY_READ, old_act, arg2, 1))
+                    goto efault;
 		act._sa_handler = old_act->_sa_handler;
 		target_siginitset(&act.sa_mask, old_act->sa_mask.sig[0]);
 		act.sa_flags = old_act->sa_flags;
@@ -3191,7 +3296,8 @@
 	    ret = get_errno(do_sigaction(arg1, pact, &oact));
 
 	    if (!is_error(ret) && arg3) {
-		lock_user_struct(old_act, arg3, 0);
+                if (!lock_user_struct(VERIFY_WRITE, old_act, arg3, 0))
+                    goto efault;
 		old_act->_sa_handler = oact._sa_handler;
 		old_act->sa_flags = oact.sa_flags;
 		old_act->sa_mask.sig[0] = oact.sa_mask.sig[0];
@@ -3209,18 +3315,23 @@
             struct target_sigaction *act;
             struct target_sigaction *oact;
 
-            if (arg2)
-                lock_user_struct(act, arg2, 1);
-            else
+            if (arg2) {
+                if (!lock_user_struct(VERIFY_READ, act, arg2, 1))
+                    goto efault;
+            } else
                 act = NULL;
-            if (arg3)
-                lock_user_struct(oact, arg3, 0);
-            else
+            if (arg3) {
+                if (!lock_user_struct(VERIFY_WRITE, oact, arg3, 0)) {
+                    ret = -TARGET_EFAULT;
+                    goto rt_sigaction_fail;
+                }
+            } else
                 oact = NULL;
             ret = get_errno(do_sigaction(arg1, act, oact));
-            if (arg2)
+	rt_sigaction_fail:
+            if (act)
                 unlock_user_struct(act, arg2, 0);
-            if (arg3)
+            if (oact)
                 unlock_user_struct(oact, arg3, 1);
         }
         break;
@@ -3270,7 +3381,8 @@
                     ret = -TARGET_EINVAL;
                     goto fail;
                 }
-                p = lock_user(arg2, sizeof(target_sigset_t), 1);
+                if (!(p = lock_user(VERIFY_READ, arg2, sizeof(target_sigset_t), 1)))
+                    goto efault;
                 target_to_host_old_sigset(&set, p);
                 unlock_user(p, arg2, 0);
                 set_ptr = &set;
@@ -3280,7 +3392,8 @@
             }
             ret = get_errno(sigprocmask(arg1, set_ptr, &oldset));
             if (!is_error(ret) && arg3) {
-                p = lock_user(arg3, sizeof(target_sigset_t), 0);
+                if (!(p = lock_user(VERIFY_WRITE, arg3, sizeof(target_sigset_t), 0)))
+                    goto efault;
                 host_to_target_old_sigset(p, &oldset);
                 unlock_user(p, arg3, sizeof(target_sigset_t));
             }
@@ -3307,7 +3420,8 @@
                     ret = -TARGET_EINVAL;
                     goto fail;
                 }
-                p = lock_user(arg2, sizeof(target_sigset_t), 1);
+                if (!(p = lock_user(VERIFY_READ, arg2, sizeof(target_sigset_t), 1)))
+                    goto efault;
                 target_to_host_sigset(&set, p);
                 unlock_user(p, arg2, 0);
                 set_ptr = &set;
@@ -3317,7 +3431,8 @@
             }
             ret = get_errno(sigprocmask(how, set_ptr, &oldset));
             if (!is_error(ret) && arg3) {
-                p = lock_user(arg3, sizeof(target_sigset_t), 0);
+                if (!(p = lock_user(VERIFY_WRITE, arg3, sizeof(target_sigset_t), 0)))
+                    goto efault;
                 host_to_target_sigset(p, &oldset);
                 unlock_user(p, arg3, sizeof(target_sigset_t));
             }
@@ -3329,7 +3444,8 @@
             sigset_t set;
             ret = get_errno(sigpending(&set));
             if (!is_error(ret)) {
-                p = lock_user(arg1, sizeof(target_sigset_t), 0);
+                if (!(p = lock_user(VERIFY_WRITE, arg1, sizeof(target_sigset_t), 0)))
+                    goto efault;
                 host_to_target_old_sigset(p, &set);
                 unlock_user(p, arg1, sizeof(target_sigset_t));
             }
@@ -3341,7 +3457,8 @@
             sigset_t set;
             ret = get_errno(sigpending(&set));
             if (!is_error(ret)) {
-                p = lock_user(arg1, sizeof(target_sigset_t), 0);
+                if (!(p = lock_user(VERIFY_WRITE, arg1, sizeof(target_sigset_t), 0)))
+                    goto efault;
                 host_to_target_sigset(p, &set);
                 unlock_user(p, arg1, sizeof(target_sigset_t));
             }
@@ -3351,7 +3468,8 @@
     case TARGET_NR_sigsuspend:
         {
             sigset_t set;
-            p = lock_user(arg1, sizeof(target_sigset_t), 1);
+            if (!(p = lock_user(VERIFY_READ, arg1, sizeof(target_sigset_t), 1)))
+                goto efault;
             target_to_host_old_sigset(&set, p);
             unlock_user(p, arg1, 0);
             ret = get_errno(sigsuspend(&set));
@@ -3361,7 +3479,8 @@
     case TARGET_NR_rt_sigsuspend:
         {
             sigset_t set;
-            p = lock_user(arg1, sizeof(target_sigset_t), 1);
+            if (!(p = lock_user(VERIFY_READ, arg1, sizeof(target_sigset_t), 1)))
+                goto efault;
             target_to_host_sigset(&set, p);
             unlock_user(p, arg1, 0);
             ret = get_errno(sigsuspend(&set));
@@ -3373,7 +3492,8 @@
             struct timespec uts, *puts;
             siginfo_t uinfo;
 
-            p = lock_user(arg1, sizeof(target_sigset_t), 1);
+            if (!(p = lock_user(VERIFY_READ, arg1, sizeof(target_sigset_t), 1)))
+                goto efault;
             target_to_host_sigset(&set, p);
             unlock_user(p, arg1, 0);
             if (arg3) {
@@ -3384,7 +3504,8 @@
             }
             ret = get_errno(sigtimedwait(&set, &uinfo, puts));
             if (!is_error(ret) && arg2) {
-                p = lock_user(arg2, sizeof(target_sigset_t), 0);
+                if (!(p = lock_user(VERIFY_WRITE, arg2, sizeof(target_sigset_t), 0)))
+                    goto efault;
                 host_to_target_siginfo(p, &uinfo);
                 unlock_user(p, arg2, sizeof(target_sigset_t));
             }
@@ -3393,7 +3514,8 @@
     case TARGET_NR_rt_sigqueueinfo:
         {
             siginfo_t uinfo;
-            p = lock_user(arg3, sizeof(target_sigset_t), 1);
+            if (!(p = lock_user(VERIFY_READ, arg3, sizeof(target_sigset_t), 1)))
+                goto efault;
             target_to_host_siginfo(&uinfo, p);
             unlock_user(p, arg1, 0);
             ret = get_errno(sys_rt_sigqueueinfo(arg1, arg2, &uinfo));
@@ -3410,7 +3532,8 @@
         ret = do_rt_sigreturn(cpu_env);
         break;
     case TARGET_NR_sethostname:
-        p = lock_user_string(arg1);
+        if (!(p = lock_user_string(arg1)))
+            goto efault;
         ret = get_errno(sethostname(p, arg2));
         unlock_user(p, arg1, 0);
         break;
@@ -3420,7 +3543,8 @@
             int resource = arg1;
             struct target_rlimit *target_rlim;
             struct rlimit rlim;
-            lock_user_struct(target_rlim, arg2, 1);
+            if (!lock_user_struct(VERIFY_READ, target_rlim, arg2, 1))
+                goto efault;
             rlim.rlim_cur = tswapl(target_rlim->rlim_cur);
             rlim.rlim_max = tswapl(target_rlim->rlim_max);
             unlock_user_struct(target_rlim, arg2, 0);
@@ -3436,7 +3560,8 @@
 
             ret = get_errno(getrlimit(resource, &rlim));
             if (!is_error(ret)) {
-                lock_user_struct(target_rlim, arg2, 0);
+                if (!lock_user_struct(VERIFY_WRITE, target_rlim, arg2, 0))
+                    goto efault;
                 rlim.rlim_cur = tswapl(target_rlim->rlim_cur);
                 rlim.rlim_max = tswapl(target_rlim->rlim_max);
                 unlock_user_struct(target_rlim, arg2, 1);
@@ -3475,7 +3600,8 @@
             abi_ulong inp, outp, exp, tvp;
             long nsel;
 
-            lock_user_struct(sel, arg1, 1);
+            if (!lock_user_struct(VERIFY_READ, sel, arg1, 1))
+                goto efault;
             nsel = tswapl(sel->n);
             inp = tswapl(sel->inp);
             outp = tswapl(sel->outp);
@@ -3491,31 +3617,26 @@
             void *p2;
             p = lock_user_string(arg1);
             p2 = lock_user_string(arg2);
-            ret = get_errno(symlink(p, p2));
+            if (!p || !p2)
+                ret = -TARGET_EFAULT;
+            else
+                ret = get_errno(symlink(p, p2));
             unlock_user(p2, arg2, 0);
             unlock_user(p, arg1, 0);
         }
         break;
 #if defined(TARGET_NR_symlinkat) && defined(__NR_symlinkat)
     case TARGET_NR_symlinkat:
-        if (!arg1 || !arg3) {
-            ret = -TARGET_EFAULT;
-            goto fail;
-        }
         {
-            void *p2 = NULL;
+            void *p2;
             p  = lock_user_string(arg1);
             p2 = lock_user_string(arg3);
-            if (!access_ok(VERIFY_READ, p, 1)
-                || !access_ok(VERIFY_READ, p2, 1))
-                /* Don't "goto fail" so that cleanup can happen. */
+            if (!p || !p2)
                 ret = -TARGET_EFAULT;
             else
                 ret = get_errno(sys_symlinkat(p, arg2, p2));
-            if (p2)
-                unlock_user(p2, arg3, 0);
-            if (p)
-                unlock_user(p, arg1, 0);
+            unlock_user(p2, arg3, 0);
+            unlock_user(p, arg1, 0);
         }
         break;
 #endif
@@ -3527,32 +3648,27 @@
         {
             void *p2;
             p = lock_user_string(arg1);
-            p2 = lock_user(arg2, arg3, 0);
-            ret = get_errno(readlink(path(p), p2, arg3));
+            p2 = lock_user(VERIFY_WRITE, arg2, arg3, 0);
+            if (!p || !p2)
+                ret = -TARGET_EFAULT;
+            else
+                ret = get_errno(readlink(path(p), p2, arg3));
             unlock_user(p2, arg2, ret);
             unlock_user(p, arg1, 0);
         }
         break;
 #if defined(TARGET_NR_readlinkat) && defined(__NR_readlinkat)
     case TARGET_NR_readlinkat:
-        if (!arg2 || !arg3) {
-            ret = -TARGET_EFAULT;
-            goto fail;
-        }
         {
-            void *p2 = NULL;
+            void *p2;
             p  = lock_user_string(arg2);
-            p2 = lock_user(arg3, arg4, 0);
-            if (!access_ok(VERIFY_READ, p, 1)
-                || !access_ok(VERIFY_READ, p2, 1))
-                /* Don't "goto fail" so that cleanup can happen. */
+            p2 = lock_user(VERIFY_WRITE, arg3, arg4, 0);
+            if (!p || !p2)
         	ret = -TARGET_EFAULT;
             else
                 ret = get_errno(sys_readlinkat(arg1, path(p), p2, arg4));
-            if (p2)
-                unlock_user(p2, arg3, ret);
-            if (p)
-                unlock_user(p, arg2, 0);
+            unlock_user(p2, arg3, ret);
+            unlock_user(p, arg2, 0);
         }
         break;
 #endif
@@ -3562,7 +3678,8 @@
 #endif
 #ifdef TARGET_NR_swapon
     case TARGET_NR_swapon:
-        p = lock_user_string(arg1);
+        if (!(p = lock_user_string(arg1)))
+            goto efault;
         ret = get_errno(swapon(p, arg2));
         unlock_user(p, arg1, 0);
         break;
@@ -3579,7 +3696,8 @@
         {
             abi_ulong *v;
             abi_ulong v1, v2, v3, v4, v5, v6;
-            v = lock_user(arg1, 6 * sizeof(abi_ulong), 1);
+            if (!(v = lock_user(VERIFY_READ, arg1, 6 * sizeof(abi_ulong), 1)))
+                goto efault;
             v1 = tswapl(v[0]);
             v2 = tswapl(v[1]);
             v3 = tswapl(v[2]);
@@ -3650,7 +3768,8 @@
         break;
 #endif
     case TARGET_NR_truncate:
-        p = lock_user_string(arg1);
+        if (!(p = lock_user_string(arg1)))
+            goto efault;
         ret = get_errno(truncate(p, arg2));
         unlock_user(p, arg1, 0);
         break;
@@ -3662,18 +3781,10 @@
         break;
 #if defined(TARGET_NR_fchmodat) && defined(__NR_fchmodat)
     case TARGET_NR_fchmodat:
-        if (!arg2) {
-            ret = -TARGET_EFAULT;
-            goto fail;
-        }
-        p = lock_user_string(arg2);
-        if (!access_ok(VERIFY_READ, p, 1))
-            /* Don't "goto fail" so that cleanup can happen. */
-            ret = -TARGET_EFAULT;
-        else
-            ret = get_errno(sys_fchmodat(arg1, p, arg3, arg4));
-        if (p)
-            unlock_user(p, arg2, 0);
+        if (!(p = lock_user_string(arg2)))
+            goto efault;
+        ret = get_errno(sys_fchmodat(arg1, p, arg3, arg4));
+        unlock_user(p, arg2, 0);
         break;
 #endif
     case TARGET_NR_getpriority:
@@ -3690,25 +3801,26 @@
         goto unimplemented;
 #endif
     case TARGET_NR_statfs:
-        p = lock_user_string(arg1);
+        if (!(p = lock_user_string(arg1)))
+            goto efault;
         ret = get_errno(statfs(path(p), &stfs));
         unlock_user(p, arg1, 0);
     convert_statfs:
         if (!is_error(ret)) {
             struct target_statfs *target_stfs;
 
-            lock_user_struct(target_stfs, arg2, 0);
-            /* ??? put_user is probably wrong.  */
-            put_user(stfs.f_type, &target_stfs->f_type);
-            put_user(stfs.f_bsize, &target_stfs->f_bsize);
-            put_user(stfs.f_blocks, &target_stfs->f_blocks);
-            put_user(stfs.f_bfree, &target_stfs->f_bfree);
-            put_user(stfs.f_bavail, &target_stfs->f_bavail);
-            put_user(stfs.f_files, &target_stfs->f_files);
-            put_user(stfs.f_ffree, &target_stfs->f_ffree);
-            put_user(stfs.f_fsid.__val[0], &target_stfs->f_fsid.val[0]);
-            put_user(stfs.f_fsid.__val[1], &target_stfs->f_fsid.val[1]);
-            put_user(stfs.f_namelen, &target_stfs->f_namelen);
+            if (!lock_user_struct(VERIFY_WRITE, target_stfs, arg2, 0))
+                goto efault;
+            __put_user(stfs.f_type, &target_stfs->f_type);
+            __put_user(stfs.f_bsize, &target_stfs->f_bsize);
+            __put_user(stfs.f_blocks, &target_stfs->f_blocks);
+            __put_user(stfs.f_bfree, &target_stfs->f_bfree);
+            __put_user(stfs.f_bavail, &target_stfs->f_bavail);
+            __put_user(stfs.f_files, &target_stfs->f_files);
+            __put_user(stfs.f_ffree, &target_stfs->f_ffree);
+            __put_user(stfs.f_fsid.__val[0], &target_stfs->f_fsid.val[0]);
+            __put_user(stfs.f_fsid.__val[1], &target_stfs->f_fsid.val[1]);
+            __put_user(stfs.f_namelen, &target_stfs->f_namelen);
             unlock_user_struct(target_stfs, arg2, 1);
         }
         break;
@@ -3717,26 +3829,27 @@
         goto convert_statfs;
 #ifdef TARGET_NR_statfs64
     case TARGET_NR_statfs64:
-        p = lock_user_string(arg1);
+        if (!(p = lock_user_string(arg1)))
+            goto efault;
         ret = get_errno(statfs(path(p), &stfs));
         unlock_user(p, arg1, 0);
     convert_statfs64:
         if (!is_error(ret)) {
             struct target_statfs64 *target_stfs;
 
-            lock_user_struct(target_stfs, arg3, 0);
-            /* ??? put_user is probably wrong.  */
-            put_user(stfs.f_type, &target_stfs->f_type);
-            put_user(stfs.f_bsize, &target_stfs->f_bsize);
-            put_user(stfs.f_blocks, &target_stfs->f_blocks);
-            put_user(stfs.f_bfree, &target_stfs->f_bfree);
-            put_user(stfs.f_bavail, &target_stfs->f_bavail);
-            put_user(stfs.f_files, &target_stfs->f_files);
-            put_user(stfs.f_ffree, &target_stfs->f_ffree);
-            put_user(stfs.f_fsid.__val[0], &target_stfs->f_fsid.val[0]);
-            put_user(stfs.f_fsid.__val[1], &target_stfs->f_fsid.val[1]);
-            put_user(stfs.f_namelen, &target_stfs->f_namelen);
-            unlock_user_struct(target_stfs, arg3, 0);
+            if (!lock_user_struct(VERIFY_WRITE, target_stfs, arg3, 0))
+                goto efault;
+            __put_user(stfs.f_type, &target_stfs->f_type);
+            __put_user(stfs.f_bsize, &target_stfs->f_bsize);
+            __put_user(stfs.f_blocks, &target_stfs->f_blocks);
+            __put_user(stfs.f_bfree, &target_stfs->f_bfree);
+            __put_user(stfs.f_bavail, &target_stfs->f_bavail);
+            __put_user(stfs.f_files, &target_stfs->f_files);
+            __put_user(stfs.f_ffree, &target_stfs->f_ffree);
+            __put_user(stfs.f_fsid.__val[0], &target_stfs->f_fsid.val[0]);
+            __put_user(stfs.f_fsid.__val[1], &target_stfs->f_fsid.val[1]);
+            __put_user(stfs.f_namelen, &target_stfs->f_namelen);
+            unlock_user_struct(target_stfs, arg3, 1);
         }
         break;
     case TARGET_NR_fstatfs64:
@@ -3839,7 +3952,8 @@
 #endif
 
     case TARGET_NR_syslog:
-        p = lock_user_string(arg2);
+        if (!(p = lock_user_string(arg2)))
+            goto efault;
         ret = get_errno(sys_syslog((int)arg1, p, (int)arg3));
         unlock_user(p, arg2, 0);
         break;
@@ -3880,12 +3994,14 @@
         }
         break;
     case TARGET_NR_stat:
-        p = lock_user_string(arg1);
+        if (!(p = lock_user_string(arg1)))
+            goto efault;
         ret = get_errno(stat(path(p), &st));
         unlock_user(p, arg1, 0);
         goto do_stat;
     case TARGET_NR_lstat:
-        p = lock_user_string(arg1);
+        if (!(p = lock_user_string(arg1)))
+            goto efault;
         ret = get_errno(lstat(path(p), &st));
         unlock_user(p, arg1, 0);
         goto do_stat;
@@ -3896,7 +4012,8 @@
             if (!is_error(ret)) {
                 struct target_stat *target_st;
 
-                lock_user_struct(target_st, arg2, 0);
+                if (!lock_user_struct(VERIFY_WRITE, target_st, arg2, 0))
+                    goto efault;
 #if defined(TARGET_MIPS) || (defined(TARGET_SPARC64) && !defined(TARGET_ABI32))
                 target_st->st_dev = tswap32(st.st_dev);
 #else
@@ -3979,7 +4096,8 @@
         break;
 #ifdef TARGET_NR_swapoff
     case TARGET_NR_swapoff:
-        p = lock_user_string(arg1);
+        if (!(p = lock_user_string(arg1)))
+            goto efault;
         ret = get_errno(swapoff(p));
         unlock_user(p, arg1, 0);
         break;
@@ -3991,8 +4109,8 @@
             ret = get_errno(sysinfo(&value));
             if (!is_error(ret) && arg1)
             {
-                /* ??? __put_user is probably wrong.  */
-                lock_user_struct(target_value, arg1, 0);
+                if (!lock_user_struct(VERIFY_WRITE, target_value, arg1, 0))
+                    goto efault;
                 __put_user(value.uptime, &target_value->uptime);
                 __put_user(value.loads[0], &target_value->loads[0]);
                 __put_user(value.loads[1], &target_value->loads[1]);
@@ -4030,7 +4148,8 @@
         break;
 #endif
     case TARGET_NR_setdomainname:
-        p = lock_user_string(arg1);
+        if (!(p = lock_user_string(arg1)))
+            goto efault;
         ret = get_errno(setdomainname(p, arg2));
         unlock_user(p, arg1, 0);
         break;
@@ -4039,7 +4158,8 @@
         {
             struct new_utsname * buf;
 
-            lock_user_struct(buf, arg1, 0);
+            if (!lock_user_struct(VERIFY_WRITE, buf, arg1, 0))
+                goto efault;
             ret = get_errno(sys_uname(buf));
             if (!is_error(ret)) {
                 /* Overrite the native machine name with whatever is being
@@ -4124,7 +4244,7 @@
 
 	    dirp = malloc(count);
 	    if (!dirp) {
-                ret = -TARGET_EFAULT;
+                ret = -TARGET_ENOMEM;
                 goto fail;
             }
 
@@ -4138,7 +4258,8 @@
 
 		count1 = 0;
                 de = dirp;
-                target_dirp = lock_user(arg2, count, 0);
+                if (!(target_dirp = lock_user(VERIFY_WRITE, arg2, count, 0)))
+                    goto efault;
 		tde = target_dirp;
                 while (len > 0) {
                     reclen = de->d_reclen;
@@ -4157,8 +4278,8 @@
 		    count1 += treclen;
                 }
 		ret = count1;
+                unlock_user(target_dirp, arg2, ret);
             }
-            unlock_user(target_dirp, arg2, ret);
 	    free(dirp);
         }
 #else
@@ -4166,7 +4287,8 @@
             struct dirent *dirp;
             abi_long count = arg3;
 
-            dirp = lock_user(arg2, count, 0);
+            if (!(dirp = lock_user(VERIFY_WRITE, arg2, count, 0)))
+                goto efault;
             ret = get_errno(sys_getdents(arg1, dirp, count));
             if (!is_error(ret)) {
                 struct dirent *de;
@@ -4193,7 +4315,8 @@
         {
             struct dirent64 *dirp;
             abi_long count = arg3;
-            dirp = lock_user(arg2, count, 0);
+            if (!(dirp = lock_user(VERIFY_WRITE, arg2, count, 0)))
+                goto efault;
             ret = get_errno(sys_getdents64(arg1, dirp, count));
             if (!is_error(ret)) {
                 struct dirent64 *de;
@@ -4229,7 +4352,9 @@
             struct pollfd *pfd;
             unsigned int i;
 
-            target_pfd = lock_user(arg1, sizeof(struct target_pollfd) * nfds, 1);
+            target_pfd = lock_user(VERIFY_WRITE, arg1, sizeof(struct target_pollfd) * nfds, 1);
+            if (!target_pfd)
+                goto efault;
             pfd = alloca(sizeof(struct pollfd) * nfds);
             for(i = 0; i < nfds; i++) {
                 pfd[i].fd = tswap32(target_pfd[i].fd);
@@ -4258,7 +4383,7 @@
             struct iovec *vec;
 
             vec = alloca(count * sizeof(struct iovec));
-            lock_iovec(vec, arg2, count, 0);
+            lock_iovec(VERIFY_WRITE, vec, arg2, count, 0);
             ret = get_errno(readv(arg1, vec, count));
             unlock_iovec(vec, arg2, count, 1);
         }
@@ -4269,7 +4394,7 @@
             struct iovec *vec;
 
             vec = alloca(count * sizeof(struct iovec));
-            lock_iovec(vec, arg2, count, 1);
+            lock_iovec(VERIFY_READ, vec, arg2, count, 1);
             ret = get_errno(writev(arg1, vec, count));
             unlock_iovec(vec, arg2, count, 0);
         }
@@ -4292,7 +4417,8 @@
             struct sched_param *target_schp;
             struct sched_param schp;
 
-            lock_user_struct(target_schp, arg2, 1);
+            if (!lock_user_struct(VERIFY_READ, target_schp, arg2, 1))
+                goto efault;
             schp.sched_priority = tswap32(target_schp->sched_priority);
             unlock_user_struct(target_schp, arg2, 0);
             ret = get_errno(sched_setparam(arg1, &schp));
@@ -4304,7 +4430,8 @@
             struct sched_param schp;
             ret = get_errno(sched_getparam(arg1, &schp));
             if (!is_error(ret)) {
-                lock_user_struct(target_schp, arg2, 0);
+                if (!lock_user_struct(VERIFY_WRITE, target_schp, arg2, 0))
+                    goto efault;
                 target_schp->sched_priority = tswap32(schp.sched_priority);
                 unlock_user_struct(target_schp, arg2, 1);
             }
@@ -4314,7 +4441,8 @@
         {
             struct sched_param *target_schp;
             struct sched_param schp;
-            lock_user_struct(target_schp, arg3, 1);
+            if (!lock_user_struct(VERIFY_READ, target_schp, arg3, 1))
+                goto efault;
             schp.sched_priority = tswap32(target_schp->sched_priority);
             unlock_user_struct(target_schp, arg3, 0);
             ret = get_errno(sched_setscheduler(arg1, arg2, &schp));
@@ -4378,18 +4506,21 @@
 #ifdef TARGET_NR_pread
     case TARGET_NR_pread:
         page_unprotect_range(arg2, arg3);
-        p = lock_user(arg2, arg3, 0);
+        if (!(p = lock_user(VERIFY_WRITE, arg2, arg3, 0)))
+            goto efault;
         ret = get_errno(pread(arg1, p, arg3, arg4));
         unlock_user(p, arg2, ret);
         break;
     case TARGET_NR_pwrite:
-        p = lock_user(arg2, arg3, 1);
+        if (!(p = lock_user(VERIFY_READ, arg2, arg3, 1)))
+            goto efault;
         ret = get_errno(pwrite(arg1, p, arg3, arg4));
         unlock_user(p, arg2, 0);
         break;
 #endif
     case TARGET_NR_getcwd:
-        p = lock_user(arg1, arg2, 0);
+        if (!(p = lock_user(VERIFY_WRITE, arg1, arg2, 0)))
+            goto efault;
         ret = get_errno(sys_getcwd1(p, arg2));
         unlock_user(p, arg1, ret);
         break;
@@ -4400,9 +4531,7 @@
     case TARGET_NR_sigaltstack:
 #if defined(TARGET_I386) || defined(TARGET_ARM) || defined(TARGET_MIPS) || \
     defined(TARGET_SPARC) || defined(TARGET_PPC) || defined(TARGET_ALPHA)
-        ret = do_sigaltstack((struct target_sigaltstack *)arg1,
-                             (struct target_sigaltstack *)arg2,
-                             get_sp_from_cpustate((CPUState *)cpu_env));
+        ret = do_sigaltstack(arg1, arg2, get_sp_from_cpustate((CPUState *)cpu_env));
         break;
 #else
         goto unimplemented;
@@ -4429,7 +4558,8 @@
 	ret = get_errno(getrlimit(arg1, &rlim));
 	if (!is_error(ret)) {
 	    struct target_rlimit *target_rlim;
-            lock_user_struct(target_rlim, arg2, 0);
+            if (!lock_user_struct(VERIFY_WRITE, target_rlim, arg2, 0))
+                goto efault;
 	    target_rlim->rlim_cur = tswapl(rlim.rlim_cur);
 	    target_rlim->rlim_max = tswapl(rlim.rlim_max);
             unlock_user_struct(target_rlim, arg2, 1);
@@ -4439,7 +4569,8 @@
 #endif
 #ifdef TARGET_NR_truncate64
     case TARGET_NR_truncate64:
-        p = lock_user_string(arg1);
+        if (!(p = lock_user_string(arg1)))
+            goto efault;
 	ret = target_truncate64(cpu_env, p, arg2, arg3, arg4);
         unlock_user(p, arg1, 0);
 	break;
@@ -4451,14 +4582,16 @@
 #endif
 #ifdef TARGET_NR_stat64
     case TARGET_NR_stat64:
-        p = lock_user_string(arg1);
+        if (!(p = lock_user_string(arg1)))
+            goto efault;
         ret = get_errno(stat(path(p), &st));
         unlock_user(p, arg1, 0);
         goto do_stat64;
 #endif
 #ifdef TARGET_NR_lstat64
     case TARGET_NR_lstat64:
-        p = lock_user_string(arg1);
+        if (!(p = lock_user_string(arg1)))
+            goto efault;
         ret = get_errno(lstat(path(p), &st));
         unlock_user(p, arg1, 0);
         goto do_stat64;
@@ -4472,52 +4605,53 @@
 #ifdef TARGET_ARM
                 if (((CPUARMState *)cpu_env)->eabi) {
                     struct target_eabi_stat64 *target_st;
-                    lock_user_struct(target_st, arg2, 1);
+
+                    if (!lock_user_struct(VERIFY_WRITE, target_st, arg2, 0))
+                        goto efault;
                     memset(target_st, 0, sizeof(struct target_eabi_stat64));
-                    /* put_user is probably wrong.  */
-                    put_user(st.st_dev, &target_st->st_dev);
-                    put_user(st.st_ino, &target_st->st_ino);
+                    __put_user(st.st_dev, &target_st->st_dev);
+                    __put_user(st.st_ino, &target_st->st_ino);
 #ifdef TARGET_STAT64_HAS_BROKEN_ST_INO
-                    put_user(st.st_ino, &target_st->__st_ino);
+                    __put_user(st.st_ino, &target_st->__st_ino);
 #endif
-                    put_user(st.st_mode, &target_st->st_mode);
-                    put_user(st.st_nlink, &target_st->st_nlink);
-                    put_user(st.st_uid, &target_st->st_uid);
-                    put_user(st.st_gid, &target_st->st_gid);
-                    put_user(st.st_rdev, &target_st->st_rdev);
-                    /* XXX: better use of kernel struct */
-                    put_user(st.st_size, &target_st->st_size);
-                    put_user(st.st_blksize, &target_st->st_blksize);
-                    put_user(st.st_blocks, &target_st->st_blocks);
-                    put_user(st.st_atime, &target_st->target_st_atime);
-                    put_user(st.st_mtime, &target_st->target_st_mtime);
-                    put_user(st.st_ctime, &target_st->target_st_ctime);
-                    unlock_user_struct(target_st, arg2, 0);
+                    __put_user(st.st_mode, &target_st->st_mode);
+                    __put_user(st.st_nlink, &target_st->st_nlink);
+                    __put_user(st.st_uid, &target_st->st_uid);
+                    __put_user(st.st_gid, &target_st->st_gid);
+                    __put_user(st.st_rdev, &target_st->st_rdev);
+                    __put_user(st.st_size, &target_st->st_size);
+                    __put_user(st.st_blksize, &target_st->st_blksize);
+                    __put_user(st.st_blocks, &target_st->st_blocks);
+                    __put_user(st.st_atime, &target_st->target_st_atime);
+                    __put_user(st.st_mtime, &target_st->target_st_mtime);
+                    __put_user(st.st_ctime, &target_st->target_st_ctime);
+                    unlock_user_struct(target_st, arg2, 1);
                 } else
 #endif
                 {
                     struct target_stat64 *target_st;
-                    lock_user_struct(target_st, arg2, 1);
+
+                    if (!lock_user_struct(VERIFY_WRITE, target_st, arg2, 0))
+                        goto efault;
                     memset(target_st, 0, sizeof(struct target_stat64));
-                    /* ??? put_user is probably wrong.  */
-                    put_user(st.st_dev, &target_st->st_dev);
-                    put_user(st.st_ino, &target_st->st_ino);
+                    __put_user(st.st_dev, &target_st->st_dev);
+                    __put_user(st.st_ino, &target_st->st_ino);
 #ifdef TARGET_STAT64_HAS_BROKEN_ST_INO
-                    put_user(st.st_ino, &target_st->__st_ino);
+                    __put_user(st.st_ino, &target_st->__st_ino);
 #endif
-                    put_user(st.st_mode, &target_st->st_mode);
-                    put_user(st.st_nlink, &target_st->st_nlink);
-                    put_user(st.st_uid, &target_st->st_uid);
-                    put_user(st.st_gid, &target_st->st_gid);
-                    put_user(st.st_rdev, &target_st->st_rdev);
+                    __put_user(st.st_mode, &target_st->st_mode);
+                    __put_user(st.st_nlink, &target_st->st_nlink);
+                    __put_user(st.st_uid, &target_st->st_uid);
+                    __put_user(st.st_gid, &target_st->st_gid);
+                    __put_user(st.st_rdev, &target_st->st_rdev);
                     /* XXX: better use of kernel struct */
-                    put_user(st.st_size, &target_st->st_size);
-                    put_user(st.st_blksize, &target_st->st_blksize);
-                    put_user(st.st_blocks, &target_st->st_blocks);
-                    put_user(st.st_atime, &target_st->target_st_atime);
-                    put_user(st.st_mtime, &target_st->target_st_mtime);
-                    put_user(st.st_ctime, &target_st->target_st_ctime);
-                    unlock_user_struct(target_st, arg2, 0);
+                    __put_user(st.st_size, &target_st->st_size);
+                    __put_user(st.st_blksize, &target_st->st_blksize);
+                    __put_user(st.st_blocks, &target_st->st_blocks);
+                    __put_user(st.st_atime, &target_st->target_st_atime);
+                    __put_user(st.st_mtime, &target_st->target_st_mtime);
+                    __put_user(st.st_ctime, &target_st->target_st_ctime);
+                    unlock_user_struct(target_st, arg2, 1);
                 }
             }
         }
@@ -4525,7 +4659,8 @@
 #endif
 #ifdef USE_UID16
     case TARGET_NR_lchown:
-        p = lock_user_string(arg1);
+        if (!(p = lock_user_string(arg1)))
+            goto efault;
         ret = get_errno(lchown(p, low2highuid(arg2), low2highgid(arg3)));
         unlock_user(p, arg1, 0);
         break;
@@ -4557,7 +4692,9 @@
             grouplist = alloca(gidsetsize * sizeof(gid_t));
             ret = get_errno(getgroups(gidsetsize, grouplist));
             if (!is_error(ret)) {
-                target_grouplist = lock_user(arg2, gidsetsize * 2, 0);
+                target_grouplist = lock_user(VERIFY_WRITE, arg2, gidsetsize * 2, 0);
+                if (!target_grouplist)
+                    goto efault;
                 for(i = 0;i < gidsetsize; i++)
                     target_grouplist[i] = tswap16(grouplist[i]);
                 unlock_user(target_grouplist, arg2, gidsetsize * 2);
@@ -4572,7 +4709,11 @@
             int i;
 
             grouplist = alloca(gidsetsize * sizeof(gid_t));
-            target_grouplist = lock_user(arg2, gidsetsize * 2, 1);
+            target_grouplist = lock_user(VERIFY_READ, arg2, gidsetsize * 2, 1);
+            if (!target_grouplist) {
+                ret = -TARGET_EFAULT;
+                goto fail;
+            }
             for(i = 0;i < gidsetsize; i++)
                 grouplist[i] = tswap16(target_grouplist[i]);
             unlock_user(target_grouplist, arg2, 0);
@@ -4584,18 +4725,10 @@
         break;
 #if defined(TARGET_NR_fchownat) && defined(__NR_fchownat)
     case TARGET_NR_fchownat:
-        if (!arg2) {
-            ret = -TARGET_EFAULT;
-            goto fail;
-        }
-        p = lock_user_string(arg2);
-        if (!access_ok(VERIFY_READ, p, 1))
-            /* Don't "goto fail" so that cleanup can happen. */
-            ret = -TARGET_EFAULT;
-	else
-            ret = get_errno(sys_fchownat(arg1, p, low2highuid(arg3), low2highgid(arg4), arg5));
-        if (p)
-            unlock_user(p, arg2, 0);
+        if (!(p = lock_user_string(arg2))) 
+            goto efault;
+        ret = get_errno(sys_fchownat(arg1, p, low2highuid(arg3), low2highgid(arg4), arg5));
+        unlock_user(p, arg2, 0);
         break;
 #endif
 #ifdef TARGET_NR_setresuid
@@ -4639,7 +4772,8 @@
         break;
 #endif
     case TARGET_NR_chown:
-        p = lock_user_string(arg1);
+        if (!(p = lock_user_string(arg1)))
+            goto efault;
         ret = get_errno(chown(p, low2highuid(arg2), low2highgid(arg3)));
         unlock_user(p, arg1, 0);
         break;
@@ -4659,7 +4793,8 @@
 
 #ifdef TARGET_NR_lchown32
     case TARGET_NR_lchown32:
-        p = lock_user_string(arg1);
+        if (!(p = lock_user_string(arg1)))
+            goto efault;
         ret = get_errno(lchown(p, arg2, arg3));
         unlock_user(p, arg1, 0);
         break;
@@ -4705,7 +4840,11 @@
             grouplist = alloca(gidsetsize * sizeof(gid_t));
             ret = get_errno(getgroups(gidsetsize, grouplist));
             if (!is_error(ret)) {
-                target_grouplist = lock_user(arg2, gidsetsize * 4, 0);
+                target_grouplist = lock_user(VERIFY_WRITE, arg2, gidsetsize * 4, 0);
+                if (!target_grouplist) {
+                    ret = -TARGET_EFAULT;
+                    goto fail;
+                }
                 for(i = 0;i < gidsetsize; i++)
                     target_grouplist[i] = tswap32(grouplist[i]);
                 unlock_user(target_grouplist, arg2, gidsetsize * 4);
@@ -4722,7 +4861,11 @@
             int i;
 
             grouplist = alloca(gidsetsize * sizeof(gid_t));
-            target_grouplist = lock_user(arg2, gidsetsize * 4, 1);
+            target_grouplist = lock_user(VERIFY_READ, arg2, gidsetsize * 4, 1);
+            if (!target_grouplist) {
+                ret = -TARGET_EFAULT;
+                goto fail;
+            }
             for(i = 0;i < gidsetsize; i++)
                 grouplist[i] = tswap32(target_grouplist[i]);
             unlock_user(target_grouplist, arg2, 0);
@@ -4773,7 +4916,8 @@
 #endif
 #ifdef TARGET_NR_chown32
     case TARGET_NR_chown32:
-        p = lock_user_string(arg1);
+        if (!(p = lock_user_string(arg1)))
+            goto efault;
         ret = get_errno(chown(p, arg2, arg3));
         unlock_user(p, arg1, 0);
         break;
@@ -4843,7 +4987,10 @@
         case TARGET_F_GETLK64:
 #ifdef TARGET_ARM
             if (((CPUARMState *)cpu_env)->eabi) {
-                lock_user_struct(target_efl, arg3, 1);
+                if (!lock_user_struct(VERIFY_READ, target_efl, arg3, 1)) {
+                    ret = -TARGET_EFAULT;
+                    goto fail;
+                }
                 fl.l_type = tswap16(target_efl->l_type);
                 fl.l_whence = tswap16(target_efl->l_whence);
                 fl.l_start = tswap64(target_efl->l_start);
@@ -4853,7 +5000,10 @@
             } else
 #endif
             {
-                lock_user_struct(target_fl, arg3, 1);
+                if (!lock_user_struct(VERIFY_READ, target_fl, arg3, 1)) {
+                    ret = -TARGET_EFAULT;
+                    goto fail;
+                }
                 fl.l_type = tswap16(target_fl->l_type);
                 fl.l_whence = tswap16(target_fl->l_whence);
                 fl.l_start = tswap64(target_fl->l_start);
@@ -4865,7 +5015,10 @@
 	    if (ret == 0) {
 #ifdef TARGET_ARM
                 if (((CPUARMState *)cpu_env)->eabi) {
-                    lock_user_struct(target_efl, arg3, 0);
+                    if (!lock_user_struct(VERIFY_WRITE, target_efl, arg3, 0)) {
+                        ret = -TARGET_EFAULT;
+                        goto fail;
+                    }
                     target_efl->l_type = tswap16(fl.l_type);
                     target_efl->l_whence = tswap16(fl.l_whence);
                     target_efl->l_start = tswap64(fl.l_start);
@@ -4875,7 +5028,10 @@
                 } else
 #endif
                 {
-                    lock_user_struct(target_fl, arg3, 0);
+                    if (!lock_user_struct(VERIFY_WRITE, target_fl, arg3, 0)) {
+                        ret = -TARGET_EFAULT;
+                        goto fail;
+                    }
                     target_fl->l_type = tswap16(fl.l_type);
                     target_fl->l_whence = tswap16(fl.l_whence);
                     target_fl->l_start = tswap64(fl.l_start);
@@ -4890,7 +5046,10 @@
         case TARGET_F_SETLKW64:
 #ifdef TARGET_ARM
             if (((CPUARMState *)cpu_env)->eabi) {
-                lock_user_struct(target_efl, arg3, 1);
+                if (!lock_user_struct(VERIFY_READ, target_efl, arg3, 1)) {
+                    ret = -TARGET_EFAULT;
+                    goto fail;
+                }
                 fl.l_type = tswap16(target_efl->l_type);
                 fl.l_whence = tswap16(target_efl->l_whence);
                 fl.l_start = tswap64(target_efl->l_start);
@@ -4900,7 +5059,10 @@
             } else
 #endif
             {
-                lock_user_struct(target_fl, arg3, 1);
+                if (!lock_user_struct(VERIFY_READ, target_fl, arg3, 1)) {
+                    ret = -TARGET_EFAULT;
+                    goto fail;
+                }
                 fl.l_type = tswap16(target_fl->l_type);
                 fl.l_whence = tswap16(target_fl->l_whence);
                 fl.l_start = tswap64(target_fl->l_start);
@@ -4998,8 +5160,8 @@
 
 #if defined(TARGET_NR_set_tid_address) && defined(__NR_set_tid_address)
     case TARGET_NR_set_tid_address:
-      ret = get_errno(set_tid_address((int *) arg1));
-      break;
+        ret = get_errno(set_tid_address((int *)g2h(arg1)));
+        break;
 #endif
 
 #if defined(TARGET_NR_tkill) && defined(__NR_tkill)
@@ -5028,14 +5190,12 @@
             if (!arg2)
                 ret = get_errno(sys_utimensat(arg1, NULL, ts, arg4));
             else {
-                p = lock_user_string(arg2);
-                if (!access_ok(VERIFY_READ, p, 1))
-                    /* Don't "goto fail" so that cleanup can happen. */
+                if (!(p = lock_user_string(arg2))) {
                     ret = -TARGET_EFAULT;
-                else
-                    ret = get_errno(sys_utimensat(arg1, path(p), ts, arg4));
-                if (p)
-                    unlock_user(p, arg2, 0);
+                    goto fail;
+                }
+                ret = get_errno(sys_utimensat(arg1, path(p), ts, arg4));
+                unlock_user(p, arg2, 0);
             }
         }
 	break;
@@ -5050,11 +5210,14 @@
         ret = -TARGET_ENOSYS;
         break;
     }
- fail:
+fail:
 #ifdef DEBUG
     gemu_log(" = %ld\n", ret);
 #endif
     if(do_strace)
         print_syscall_ret(num, ret);
     return ret;
+efault:
+    ret = -TARGET_EFAULT;
+    goto fail;
 }