linux-cvs-patches
[Top] [All Lists]

CVS Update@linux-mips.org: linux

To: linux-cvs-patches@linux-mips.org
Subject: CVS Update@linux-mips.org: linux
From: ralf@linux-mips.org
Date: Thu, 17 Mar 2005 21:50:58 +0000
Reply-to: linux-mips@linux-mips.org
Sender: linux-cvs-patches-bounce@linux-mips.org
CVSROOT:        /home/cvs
Module name:    linux
Changes by:     ralf@ftp.linux-mips.org 05/03/17 21:50:49

Modified files:
        include/asm-mips: inventory.h uaccess.h 
        arch/mips/kernel: irixelf.c irixinv.c irixioctl.c irixsig.c 
                          sysirix.c unaligned.c 
        arch/mips/math-emu: dsemul.c 
        arch/mips/mm   : cache.c 

Log message:
        Get rid of all verify_area() calls, this API is about to go away.  The
        lion part is dealing with the megamess the IRIX compat code still is.
        It's now in a state where it's nearly sparse clean and all unprotected
        userspace accesses I was able to find are fixed.

diff -urN linux/include/asm-mips/inventory.h linux/include/asm-mips/inventory.h
--- linux/include/asm-mips/inventory.h  2002/10/31 20:37:22     1.4
+++ linux/include/asm-mips/inventory.h  2005/03/17 21:50:49     1.5
@@ -4,6 +4,8 @@
 #ifndef __ASM_INVENTORY_H
 #define __ASM_INVENTORY_H
 
+#include <linux/compiler.h>
+
 typedef struct inventory_s {
        struct inventory_s *inv_next;
        int    inv_class;
@@ -14,7 +16,9 @@
 } inventory_t;
 
 extern int inventory_items;
-void add_to_inventory (int class, int type, int controller, int unit, int 
state);
-int dump_inventory_to_user (void *userbuf, int size);
+
+extern void add_to_inventory (int class, int type, int controller, int unit, 
int state);
+extern int dump_inventory_to_user (void __user *userbuf, int size);
+extern int __init init_inventory(void);
 
 #endif /* __ASM_INVENTORY_H */
diff -urN linux/include/asm-mips/uaccess.h linux/include/asm-mips/uaccess.h
--- linux/include/asm-mips/uaccess.h    2005/03/17 20:36:06     1.44
+++ linux/include/asm-mips/uaccess.h    2005/03/17 21:50:49     1.45
@@ -252,12 +252,11 @@
 ({                                                                     \
        const __typeof__(*(ptr)) __user * __gu_addr = (ptr);            \
        __typeof__(*(ptr)) __gu_val = 0;                                \
-       long __gu_err;                                                  \
+       long __gu_err = -EFAULT;                                        \
                                                                        \
        might_sleep();                                                  \
                                                                        \
-       __gu_err = verify_area(VERIFY_READ,  __gu_addr, size);          \
-       if (likely(!__gu_err)) {                                        \
+       if (likely(access_ok(VERIFY_READ,  __gu_addr, size))) {         \
                switch (size) {                                         \
                case 1: __get_user_asm("lb", __gu_addr); break;         \
                case 2: __get_user_asm("lh", __gu_addr); break;         \
@@ -283,7 +282,7 @@
        "       "__UA_ADDR "\t1b, 3b                            \n"     \
        "       .previous                                       \n"     \
        : "=r" (__gu_err), "=r" (__gu_val)                              \
-       : "0" (__gu_err), "o" (__m(addr)), "i" (-EFAULT));              \
+       : "0" (0), "o" (__m(addr)), "i" (-EFAULT));                     \
 }
 
 /*
@@ -306,7 +305,7 @@
        "       " __UA_ADDR "   2b, 4b                          \n"     \
        "       .previous                                       \n"     \
        : "=r" (__gu_err), "=&r" (__gu_val)                             \
-       : "0" (__gu_err), "r" (addr), "i" (-EFAULT));                   \
+       : "0" (0), "r" (addr), "i" (-EFAULT));                          \
 }
 
 extern void __get_user_unknown(void);
@@ -342,12 +341,11 @@
 ({                                                                     \
        __typeof__(*(ptr)) __user *__pu_addr = (ptr);                   \
        __typeof__(*(ptr)) __pu_val = (x);                              \
-       long __pu_err;                                                  \
+       long __pu_err = -EFAULT;                                        \
                                                                        \
        might_sleep();                                                  \
                                                                        \
-       __pu_err = verify_area(VERIFY_WRITE, __pu_addr, size);          \
-       if (likely(!__pu_err)) {                                        \
+       if (likely(access_ok(VERIFY_WRITE,  __pu_addr, size))) {        \
                switch (size) {                                         \
                case 1: __put_user_asm("sb", __pu_addr); break;         \
                case 2: __put_user_asm("sh", __pu_addr); break;         \
@@ -372,7 +370,7 @@
        "       " __UA_ADDR "   1b, 3b                          \n"     \
        "       .previous                                       \n"     \
        : "=r" (__pu_err)                                               \
-       : "0" (__pu_err), "Jr" (__pu_val), "o" (__m(ptr)),              \
+       : "0" (0), "Jr" (__pu_val), "o" (__m(ptr)),                     \
          "i" (-EFAULT));                                               \
 }
 
@@ -391,7 +389,7 @@
        "       " __UA_ADDR "   2b, 4b                          \n"     \
        "       .previous"                                              \
        : "=r" (__pu_err)                                               \
-       : "0" (__pu_err), "r" (__pu_val), "r" (ptr),                    \
+       : "0" (0), "r" (__pu_val), "r" (ptr),                           \
          "i" (-EFAULT));                                               \
 }
 
diff -urN linux/arch/mips/kernel/irixelf.c linux/arch/mips/kernel/irixelf.c
--- linux/arch/mips/kernel/irixelf.c    2005/03/14 03:28:17     1.67
+++ linux/arch/mips/kernel/irixelf.c    2005/03/17 21:50:49     1.68
@@ -40,7 +40,7 @@
 
 #include <linux/elf.h>
 
-#undef DEBUG_ELF
+#undef DEBUG
 
 static int load_irix_binary(struct linux_binprm * bprm, struct pt_regs * regs);
 static int load_irix_library(struct file *);
@@ -56,7 +56,7 @@
 #define elf_addr_t unsigned long
 #endif
 
-#ifdef DEBUG_ELF
+#ifdef DEBUG
 /* Debugging routines. */
 static char *get_elf_p_type(Elf32_Word p_type)
 {
@@ -121,7 +121,7 @@
                        print_phdr(i, ep);
        }
 }
-#endif /* (DEBUG_ELF) */
+#endif /* DEBUG */
 
 static void set_brk(unsigned long start, unsigned long end)
 {
@@ -147,20 +147,20 @@
        nbyte = elf_bss & (PAGE_SIZE-1);
        if (nbyte) {
                nbyte = PAGE_SIZE - nbyte;
-               clear_user((void *) elf_bss, nbyte);
+               clear_user((void __user *) elf_bss, nbyte);
        }
 }
 
-unsigned long * create_irix_tables(char * p, int argc, int envc,
-                                  struct elfhdr * exec, unsigned int load_addr,
-                                  unsigned int interp_load_addr,
-                                  struct pt_regs *regs, struct elf_phdr *ephdr)
+static unsigned long * create_irix_tables(char * p, int argc, int envc,
+       struct elfhdr * exec, unsigned int load_addr,
+       unsigned int interp_load_addr, struct pt_regs *regs,
+       struct elf_phdr *ephdr)
 {
        elf_addr_t *argv;
        elf_addr_t *envp;
        elf_addr_t *sp, *csp;
 
-#ifdef DEBUG_ELF
+#ifdef DEBUG
        printk("create_irix_tables: p[%p] argc[%d] envc[%d] "
               "load_addr[%08x] interp_load_addr[%08x]\n",
               p, argc, envc, load_addr, interp_load_addr);
@@ -249,7 +249,7 @@
        last_bss = 0;
        error = load_addr = 0;
 
-#ifdef DEBUG_ELF
+#ifdef DEBUG
        print_elfhdr(interp_elf_ex);
 #endif
 
@@ -290,7 +290,7 @@
                           (char *) elf_phdata,
                           sizeof(struct elf_phdr) * interp_elf_ex->e_phnum);
 
-#ifdef DEBUG_ELF
+#ifdef DEBUG
        dump_phdrs(elf_phdata, interp_elf_ex->e_phnum);
 #endif
 
@@ -306,13 +306,11 @@
            elf_type |= MAP_FIXED;
            vaddr = eppnt->p_vaddr;
 
-#ifdef DEBUG_ELF
-           printk("INTERP do_mmap(%p, %08lx, %08lx, %08lx, %08lx, %08lx) ",
+           pr_debug("INTERP do_mmap(%p, %08lx, %08lx, %08lx, %08lx, %08lx) ",
                   interpreter, vaddr,
                   (unsigned long) (eppnt->p_filesz + (eppnt->p_vaddr & 0xfff)),
                   (unsigned long) elf_prot, (unsigned long) elf_type,
                   (unsigned long) (eppnt->p_offset & 0xfffff000));
-#endif
            down_write(&current->mm->mmap_sem);
            error = do_mmap(interpreter, vaddr,
                            eppnt->p_filesz + (eppnt->p_vaddr & 0xfff),
@@ -324,14 +322,10 @@
                    printk("Aieee IRIX interp mmap error=%d\n", error);
                    break;  /* Real error */
            }
-#ifdef DEBUG_ELF
-           printk("error=%08lx ", (unsigned long) error);
-#endif
+           pr_debug("error=%08lx ", (unsigned long) error);
            if(!load_addr && interp_elf_ex->e_type == ET_DYN) {
              load_addr = error;
-#ifdef DEBUG_ELF
-              printk("load_addr = error ");
-#endif
+              pr_debug("load_addr = error ");
            }
 
            /* Find the end of the file  mapping for this phdr, and keep
@@ -345,17 +339,13 @@
             */
            k = eppnt->p_memsz + eppnt->p_vaddr;
            if(k > last_bss) last_bss = k;
-#ifdef DEBUG_ELF
-           printk("\n");
-#endif
+           pr_debug("\n");
          }
        }
 
        /* Now use mmap to map the library into memory. */
        if(error < 0 && error > -1024) {
-#ifdef DEBUG_ELF
-               printk("got error %d\n", error);
-#endif
+               pr_debug("got error %d\n", error);
                kfree(elf_phdata);
                return 0xffffffff;
        }
@@ -365,16 +355,12 @@
         * that there are zero-mapped pages up to and including the
         * last bss page.
         */
-#ifdef DEBUG_ELF
-       printk("padzero(%08lx) ", (unsigned long) (elf_bss));
-#endif
+       pr_debug("padzero(%08lx) ", (unsigned long) (elf_bss));
        padzero(elf_bss);
        len = (elf_bss + 0xfff) & 0xfffff000; /* What we have mapped so far */
 
-#ifdef DEBUG_ELF
-       printk("last_bss[%08lx] len[%08lx]\n", (unsigned long) last_bss,
-              (unsigned long) len);
-#endif
+       pr_debug("last_bss[%08lx] len[%08lx]\n", (unsigned long) last_bss,
+                (unsigned long) len);
 
        /* Map the last of the bss segment */
        if (last_bss > len) {
@@ -559,7 +545,7 @@
  * process and the system, here we map the page and fill the
  * structure
  */
-void irix_map_prda_page (void)
+static void irix_map_prda_page(void)
 {
        unsigned long v;
        struct prda *pp;
@@ -598,7 +584,7 @@
 
        load_addr = 0;
        has_interp = has_ephdr = 0;
-       elf_ihdr = elf_ephdr = 0;
+       elf_ihdr = elf_ephdr = NULL;
        elf_ex = *((struct elfhdr *) bprm->buf);
        retval = -ENOEXEC;
 
@@ -624,7 +610,7 @@
        if (elf_ex.e_shnum > 20)
                goto out;
 
-#ifdef DEBUG_ELF
+#ifdef DEBUG
        print_elfhdr(&elf_ex);
 #endif
 
@@ -642,7 +628,7 @@
        if (retval < 0)
                goto out_free_ph;
 
-#ifdef DEBUG_ELF
+#ifdef DEBUG
        dump_phdrs(elf_phdata, elf_ex.e_phnum);
 #endif
 
@@ -659,9 +645,8 @@
                        break;
                };
        }
-#ifdef DEBUG_ELF
-       printk("\n");
-#endif
+
+       pr_debug("\n");
 
        elf_bss = 0;
        elf_brk = 0;
@@ -768,18 +753,16 @@
         * IRIX maps a page at 0x200000 which holds some system
         * information.  Programs depend on this.
         */
-       irix_map_prda_page ();
+       irix_map_prda_page();
 
        padzero(elf_bss);
 
-#ifdef DEBUG_ELF
-       printk("(start_brk) %lx\n" , (long) current->mm->start_brk);
-       printk("(end_code) %lx\n" , (long) current->mm->end_code);
-       printk("(start_code) %lx\n" , (long) current->mm->start_code);
-       printk("(end_data) %lx\n" , (long) current->mm->end_data);
-       printk("(start_stack) %lx\n" , (long) current->mm->start_stack);
-       printk("(brk) %lx\n" , (long) current->mm->brk);
-#endif
+       pr_debug("(start_brk) %lx\n" , (long) current->mm->start_brk);
+       pr_debug("(end_code) %lx\n" , (long) current->mm->end_code);
+       pr_debug("(start_code) %lx\n" , (long) current->mm->start_code);
+       pr_debug("(end_data) %lx\n" , (long) current->mm->end_data);
+       pr_debug("(start_stack) %lx\n" , (long) current->mm->start_stack);
+       pr_debug("(brk) %lx\n" , (long) current->mm->brk);
 
 #if 0 /* XXX No fucking way dude... */
        /* Why this, you ask???  Well SVr4 maps page 0 as read-only,
@@ -896,36 +879,36 @@
  * phdrs there are in the USER_PHDRP array.  We return the vaddr the
  * first phdr was successfully mapped to.
  */
-unsigned long irix_mapelf(int fd, struct elf_phdr *user_phdrp, int cnt)
+unsigned long irix_mapelf(int fd, struct elf_phdr __user *user_phdrp, int cnt)
 {
-       struct elf_phdr *hp;
+       unsigned long type, vaddr, filesz, offset, flags;
+       struct elf_phdr __user *hp;
        struct file *filp;
        int i, retval;
 
-#ifdef DEBUG_ELF
-       printk("irix_mapelf: fd[%d] user_phdrp[%p] cnt[%d]\n",
-              fd, user_phdrp, cnt);
-#endif
+       pr_debug("irix_mapelf: fd[%d] user_phdrp[%p] cnt[%d]\n",
+                fd, user_phdrp, cnt);
 
        /* First get the verification out of the way. */
        hp = user_phdrp;
-       retval = verify_area(VERIFY_READ, hp, (sizeof(struct elf_phdr) * cnt));
-       if(retval) {
-#ifdef DEBUG_ELF
-               printk("irix_mapelf: verify_area fails!\n");
-#endif
-               return retval;
+       if (!access_ok(VERIFY_READ, hp, (sizeof(struct elf_phdr) * cnt))) {
+               pr_debug("irix_mapelf: bad pointer to ELF PHDR!\n");
+
+               return -EFAULT;
        }
 
-#ifdef DEBUG_ELF
+#ifdef DEBUG
        dump_phdrs(user_phdrp, cnt);
 #endif
 
-       for(i = 0; i < cnt; i++, hp++)
-               if(hp->p_type != PT_LOAD) {
+       for (i = 0; i < cnt; i++, hp++) {
+               if (__get_user(type, &hp->p_type))
+                       return -EFAULT;
+               if (type != PT_LOAD) {
                        printk("irix_mapelf: One section is not PT_LOAD!\n");
                        return -ENOEXEC;
                }
+       }
 
        filp = fget(fd);
        if (!filp)
@@ -940,29 +923,40 @@
        for(i = 0; i < cnt; i++, hp++) {
                int prot;
 
-               prot  = (hp->p_flags & PF_R) ? PROT_READ : 0;
-               prot |= (hp->p_flags & PF_W) ? PROT_WRITE : 0;
-               prot |= (hp->p_flags & PF_X) ? PROT_EXEC : 0;
+               retval = __get_user(vaddr, &hp->p_vaddr);
+               retval |= __get_user(filesz, &hp->p_filesz);
+               retval |= __get_user(offset, &hp->p_offset);
+               retval |= __get_user(flags, &hp->p_flags);
+               if (retval)
+                       return retval;
+
+               prot  = (flags & PF_R) ? PROT_READ : 0;
+               prot |= (flags & PF_W) ? PROT_WRITE : 0;
+               prot |= (flags & PF_X) ? PROT_EXEC : 0;
+
                down_write(&current->mm->mmap_sem);
-               retval = do_mmap(filp, (hp->p_vaddr & 0xfffff000),
-                                (hp->p_filesz + (hp->p_vaddr & 0xfff)),
+               retval = do_mmap(filp, (vaddr & 0xfffff000),
+                                (filesz + (vaddr & 0xfff)),
                                 prot, (MAP_FIXED | MAP_PRIVATE | 
MAP_DENYWRITE),
-                                (hp->p_offset & 0xfffff000));
+                                (offset & 0xfffff000));
                up_write(&current->mm->mmap_sem);
 
-               if(retval != (hp->p_vaddr & 0xfffff000)) {
+               if (retval != (vaddr & 0xfffff000)) {
                        printk("irix_mapelf: do_mmap fails with %d!\n", retval);
                        fput(filp);
                        return retval;
                }
        }
 
-#ifdef DEBUG_ELF
-       printk("irix_mapelf: Success, returning %08lx\n",
-               (unsigned long) user_phdrp->p_vaddr);
-#endif
+       pr_debug("irix_mapelf: Success, returning %08lx\n",
+                (unsigned long) user_phdrp->p_vaddr);
+
        fput(filp);
-       return user_phdrp->p_vaddr;
+
+       if (__get_user(vaddr, &user_phdrp->p_vaddr))
+               return -EFAULT;
+
+       return vaddr;
 }
 
 /*
@@ -975,9 +969,9 @@
 /* These are the only things you should do on a core-file: use only these
  * functions to write out all the necessary info.
  */
-static int dump_write(struct file *file, const void *addr, int nr)
+static int dump_write(struct file *file, const void __user *addr, int nr)
 {
-       return file->f_op->write(file, addr, nr, &file->f_pos) == nr;
+       return file->f_op->write(file, (const char __user *) addr, nr, 
&file->f_pos) == nr;
 }
 
 static int dump_seek(struct file *file, off_t off)
@@ -1096,7 +1090,7 @@
        /* Count what's needed to dump, up to the limit of coredump size. */
        segs = 0;
        size = 0;
-       for(vma = current->mm->mmap; vma != NULL; vma = vma->vm_next) {
+       for (vma = current->mm->mmap; vma != NULL; vma = vma->vm_next) {
                if (maydump(vma))
                {
                        int sz = vma->vm_end-vma->vm_start;
@@ -1210,9 +1204,9 @@
 
                len = current->mm->arg_end - current->mm->arg_start;
                len = len >= ELF_PRARGSZ ? ELF_PRARGSZ : len;
-               copy_from_user(&psinfo.pr_psargs,
-                              (const char *)current->mm->arg_start, len);
-               for(i = 0; i < len; i++)
+               (void *) copy_from_user(&psinfo.pr_psargs,
+                              (const char __user *)current->mm->arg_start, 
len);
+               for (i = 0; i < len; i++)
                        if (psinfo.pr_psargs[i] == 0)
                                psinfo.pr_psargs[i] = ' ';
                psinfo.pr_psargs[len] = 0;
@@ -1279,8 +1273,10 @@
                phdr.p_memsz = sz;
                offset += phdr.p_filesz;
                phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
-               if (vma->vm_flags & VM_WRITE) phdr.p_flags |= PF_W;
-               if (vma->vm_flags & VM_EXEC) phdr.p_flags |= PF_X;
+               if (vma->vm_flags & VM_WRITE)
+                       phdr.p_flags |= PF_W;
+               if (vma->vm_flags & VM_EXEC)
+                       phdr.p_flags |= PF_X;
                phdr.p_align = PAGE_SIZE;
 
                DUMP_WRITE(&phdr, sizeof(phdr));
@@ -1306,7 +1302,7 @@
 #ifdef DEBUG
                printk("elf_core_dump: writing %08lx %lx\n", addr, len);
 #endif
-               DUMP_WRITE((void *)addr, len);
+               DUMP_WRITE((void __user *)addr, len);
        }
 
        if ((off_t) file->f_pos != offset) {
diff -urN linux/arch/mips/kernel/irixinv.c linux/arch/mips/kernel/irixinv.c
--- linux/arch/mips/kernel/irixinv.c    2005/01/07 04:26:49     1.9
+++ linux/arch/mips/kernel/irixinv.c    2005/03/17 21:50:49     1.10
@@ -30,18 +30,19 @@
        inventory_items++;
 }
 
-int dump_inventory_to_user (void *userbuf, int size)
+int dump_inventory_to_user (void __user *userbuf, int size)
 {
        inventory_t *inv  = &inventory [0];
-       inventory_t *user = userbuf;
+       inventory_t __user *user = userbuf;
        int v;
 
-       if ((v = verify_area (VERIFY_WRITE, userbuf, size)))
-               return v;
+       if (!access_ok(VERIFY_WRITE, userbuf, size))
+               return -EFAULT;
 
        for (v = 0; v < inventory_items; v++){
                inv = &inventory [v];
-               copy_to_user (user, inv, sizeof (inventory_t));
+               if (copy_to_user (user, inv, sizeof (inventory_t)))
+                       return -EFAULT;
                user++;
        }
        return inventory_items * sizeof (inventory_t);
diff -urN linux/arch/mips/kernel/irixioctl.c linux/arch/mips/kernel/irixioctl.c
--- linux/arch/mips/kernel/irixioctl.c  2004/03/11 16:46:43     1.12
+++ linux/arch/mips/kernel/irixioctl.c  2005/03/17 21:50:49     1.13
@@ -58,7 +58,7 @@
 {
        struct tty_struct *tp, *rtp;
        mm_segment_t old_fs;
-       int error = 0;
+       int i, error = 0;
 
 #ifdef DEBUG_IOCTLS
        printk("[%s:%d] irix_ioctl(%d, ", current->comm, current->pid, fd);
@@ -73,12 +73,13 @@
 
        case 0x0000540d: {
                struct termios kt;
-               struct irix_termios *it = (struct irix_termios *) arg;
+               struct irix_termios __user *it =
+                       (struct irix_termios __user *) arg;
 
 #ifdef DEBUG_IOCTLS
                printk("TCGETS, %08lx) ", arg);
 #endif
-               if(!access_ok(VERIFY_WRITE, it, sizeof(*it))) {
+               if (!access_ok(VERIFY_WRITE, it, sizeof(*it))) {
                        error = -EFAULT;
                        break;
                }
@@ -87,13 +88,14 @@
                set_fs(old_fs);
                if (error)
                        break;
-               __put_user(kt.c_iflag, &it->c_iflag);
-               __put_user(kt.c_oflag, &it->c_oflag);
-               __put_user(kt.c_cflag, &it->c_cflag);
-               __put_user(kt.c_lflag, &it->c_lflag);
-               for(error = 0; error < NCCS; error++)
-                       __put_user(kt.c_cc[error], &it->c_cc[error]);
-               error = 0;
+
+               error = __put_user(kt.c_iflag, &it->c_iflag);
+               error |= __put_user(kt.c_oflag, &it->c_oflag);
+               error |= __put_user(kt.c_cflag, &it->c_cflag);
+               error |= __put_user(kt.c_lflag, &it->c_lflag);
+
+               for (i = 0; i < NCCS; i++)
+                       error |= __put_user(kt.c_cc[i], &it->c_cc[i]);
                break;
        }
 
@@ -111,14 +113,19 @@
                old_fs = get_fs(); set_fs(get_ds());
                error = sys_ioctl(fd, TCGETS, (unsigned long) &kt);
                set_fs(old_fs);
-               if(error)
+               if (error)
+                       break;
+
+               error = __get_user(kt.c_iflag, &it->c_iflag);
+               error |= __get_user(kt.c_oflag, &it->c_oflag);
+               error |= __get_user(kt.c_cflag, &it->c_cflag);
+               error |= __get_user(kt.c_lflag, &it->c_lflag);
+
+               for (i = 0; i < NCCS; i++)
+                       error |= __get_user(kt.c_cc[i], &it->c_cc[i]);
+
+               if (error)
                        break;
-               __get_user(kt.c_iflag, &it->c_iflag);
-               __get_user(kt.c_oflag, &it->c_oflag);
-               __get_user(kt.c_cflag, &it->c_cflag);
-               __get_user(kt.c_lflag, &it->c_lflag);
-               for(error = 0; error < NCCS; error++)
-                       __get_user(kt.c_cc[error], &it->c_cc[error]);
                old_fs = get_fs(); set_fs(get_ds());
                error = sys_ioctl(fd, TCSETS, (unsigned long) &kt);
                set_fs(old_fs);
@@ -152,7 +159,7 @@
 #ifdef DEBUG_IOCTLS
                printk("rtp->session=%d ", rtp->session);
 #endif
-               error = put_user(rtp->session, (unsigned long *) arg);
+               error = put_user(rtp->session, (unsigned long __user *) arg);
                break;
 
        case 0x746e:
@@ -194,50 +201,32 @@
                break;
 
        case 0x8004667e:
-#ifdef DEBUG_IOCTLS
-               printk("FIONBIO, %08lx) arg=%d ", arg, *(int *)arg);
-#endif
                error = sys_ioctl(fd, FIONBIO, arg);
                break;
 
        case 0x80047476:
-#ifdef DEBUG_IOCTLS
-               printk("TIOCSPGRP, %08lx) arg=%d ", arg, *(int *)arg);
-#endif
                error = sys_ioctl(fd, TIOCSPGRP, arg);
                break;
 
        case 0x8020690c:
-#ifdef DEBUG_IOCTLS
-               printk("SIOCSIFADDR, %08lx) arg=%d ", arg, *(int *)arg);
-#endif
                error = sys_ioctl(fd, SIOCSIFADDR, arg);
                break;
 
        case 0x80206910:
-#ifdef DEBUG_IOCTLS
-               printk("SIOCSIFFLAGS, %08lx) arg=%d ", arg, *(int *)arg);
-#endif
                error = sys_ioctl(fd, SIOCSIFFLAGS, arg);
                break;
 
        case 0xc0206911:
-#ifdef DEBUG_IOCTLS
-               printk("SIOCGIFFLAGS, %08lx) arg=%d ", arg, *(int *)arg);
-#endif
                error = sys_ioctl(fd, SIOCGIFFLAGS, arg);
                break;
 
        case 0xc020691b:
-#ifdef DEBUG_IOCTLS
-               printk("SIOCGIFMETRIC, %08lx) arg=%d ", arg, *(int *)arg);
-#endif
                error = sys_ioctl(fd, SIOCGIFMETRIC, arg);
                break;
 
        default: {
 #ifdef DEBUG_MISSING_IOCTL
-               char *msg = "Unimplemented IOCTL cmd tell linux@engr.sgi.com\n";
+               char *msg = "Unimplemented IOCTL cmd tell 
linux-mips@linux-mips.org\n";
 
 #ifdef DEBUG_IOCTLS
                printk("UNIMP_IOCTL, %08lx)\n", arg);
diff -urN linux/arch/mips/kernel/irixsig.c linux/arch/mips/kernel/irixsig.c
--- linux/arch/mips/kernel/irixsig.c    2005/02/07 02:54:34     1.46
+++ linux/arch/mips/kernel/irixsig.c    2005/03/17 21:50:49     1.47
@@ -79,33 +79,36 @@
 static void setup_irix_frame(struct k_sigaction *ka, struct pt_regs *regs,
                             int signr, sigset_t *oldmask)
 {
+       struct sigctx_irix5 __user *ctx;
        unsigned long sp;
-       struct sigctx_irix5 *ctx;
-       int i;
+       int error, i;
 
        sp = regs->regs[29];
        sp -= sizeof(struct sigctx_irix5);
        sp &= ~(0xf);
-       ctx = (struct sigctx_irix5 *) sp;
+       ctx = (struct sigctx_irix5 __user *) sp;
        if (!access_ok(VERIFY_WRITE, ctx, sizeof(*ctx)))
                goto segv_and_exit;
 
-       __put_user(0, &ctx->weird_fpu_thing);
-       __put_user(~(0x00000001), &ctx->rmask);
-       __put_user(0, &ctx->regs[0]);
+       error = __put_user(0, &ctx->weird_fpu_thing);
+       error |= __put_user(~(0x00000001), &ctx->rmask);
+       error |= __put_user(0, &ctx->regs[0]);
        for(i = 1; i < 32; i++)
-               __put_user((u64) regs->regs[i], &ctx->regs[i]);
+               error |= __put_user((u64) regs->regs[i], &ctx->regs[i]);
 
-       __put_user((u64) regs->hi, &ctx->hi);
-       __put_user((u64) regs->lo, &ctx->lo);
-       __put_user((u64) regs->cp0_epc, &ctx->pc);
-       __put_user(!!used_math(), &ctx->usedfp);
-       __put_user((u64) regs->cp0_cause, &ctx->cp0_cause);
-       __put_user((u64) regs->cp0_badvaddr, &ctx->cp0_badvaddr);
+       error |= __put_user((u64) regs->hi, &ctx->hi);
+       error |= __put_user((u64) regs->lo, &ctx->lo);
+       error |= __put_user((u64) regs->cp0_epc, &ctx->pc);
+       error |= __put_user(!!used_math(), &ctx->usedfp);
+       error |= __put_user((u64) regs->cp0_cause, &ctx->cp0_cause);
+       error |= __put_user((u64) regs->cp0_badvaddr, &ctx->cp0_badvaddr);
 
-       __put_user(0, &ctx->sstk_flags); /* XXX sigstack unimp... todo... */
+       error |= __put_user(0, &ctx->sstk_flags); /* XXX sigstack unimp... 
todo... */
 
-       __copy_to_user(&ctx->sigset, oldmask, sizeof(irix_sigset_t));
+       error |= __copy_to_user(&ctx->sigset, oldmask, sizeof(irix_sigset_t)) ? 
-EFAULT : 0;
+
+       if (error)
+               goto segv_and_exit;
 
 #ifdef DEBUG_SIG
        dump_irix5_sigctx(ctx);
@@ -209,10 +212,11 @@
 asmlinkage void
 irix_sigreturn(struct pt_regs *regs)
 {
-       struct sigctx_irix5 *context, *magic;
+       struct sigctx_irix5 __user *context, *magic;
        unsigned long umask, mask;
        u64 *fregs;
-       int sig, i, base = 0;
+       u32 usedfp;
+       int error, sig, i, base = 0;
        sigset_t blocked;
 
        /* Always make any pending restarted system calls return -EINTR */
@@ -221,8 +225,8 @@
        if (regs->regs[2] == 1000)
                base = 1;
 
-       context = (struct sigctx_irix5 *) regs->regs[base + 4];
-       magic = (struct sigctx_irix5 *) regs->regs[base + 5];
+       context = (struct sigctx_irix5 __user *) regs->regs[base + 4];
+       magic = (struct sigctx_irix5 __user *) regs->regs[base + 5];
        sig = (int) regs->regs[base + 6];
 #ifdef DEBUG_SIG
        printk("[%s:%d] IRIX sigreturn(scp[%p],ucp[%p],sig[%d])\n",
@@ -237,25 +241,31 @@
        dump_irix5_sigctx(context);
 #endif
 
-       __get_user(regs->cp0_epc, &context->pc);
-       umask = context->rmask; mask = 2;
+       error = __get_user(regs->cp0_epc, &context->pc);
+       error |= __get_user(umask, &context->rmask);
+
+       mask = 2;
        for (i = 1; i < 32; i++, mask <<= 1) {
-               if(umask & mask)
-                       __get_user(regs->regs[i], &context->regs[i]);
+               if (umask & mask)
+                       error |= __get_user(regs->regs[i], &context->regs[i]);
        }
-       __get_user(regs->hi, &context->hi);
-       __get_user(regs->lo, &context->lo);
+       error |= __get_user(regs->hi, &context->hi);
+       error |= __get_user(regs->lo, &context->lo);
 
-       if ((umask & 1) && context->usedfp) {
+       error |= __get_user(usedfp, &context->usedfp);
+       if ((umask & 1) && usedfp) {
                fregs = (u64 *) &current->thread.fpu;
+
                for(i = 0; i < 32; i++)
-                       fregs[i] = (u64) context->fpregs[i];
-               __get_user(current->thread.fpu.hard.fcr31, &context->fpcsr);
+                       error |= __get_user(fregs[i], &context->fpregs[i]);
+               error |= __get_user(current->thread.fpu.hard.fcr31, 
&context->fpcsr);
        }
 
        /* XXX do sigstack crapola here... XXX */
 
-       if (__copy_from_user(&blocked, &context->sigset, sizeof(blocked)))
+       error |= __copy_from_user(&blocked, &context->sigset, sizeof(blocked)) 
? -EFAULT : 0;
+
+       if (error)
                goto badframe;
 
        sigdelsetmask(&blocked, ~_BLOCKABLE);
@@ -297,8 +307,8 @@
 #endif
 
 asmlinkage int
-irix_sigaction(int sig, const struct sigaction *act,
-             struct sigaction *oact, void *trampoline)
+irix_sigaction(int sig, const struct sigaction __user *act,
+             struct sigaction __user *oact, void __user *trampoline)
 {
        struct k_sigaction new_ka, old_ka;
        int ret;
@@ -312,12 +322,16 @@
 #endif
        if (act) {
                sigset_t mask;
-               if (verify_area(VERIFY_READ, act, sizeof(*act)) ||
-                   __get_user(new_ka.sa.sa_handler, &act->sa_handler) ||
-                   __get_user(new_ka.sa.sa_flags, &act->sa_flags))
+               int err;
+
+               if (!access_ok(VERIFY_READ, act, sizeof(*act)))
                        return -EFAULT;
+               err = __get_user(new_ka.sa.sa_handler, &act->sa_handler);
+               err |= __get_user(new_ka.sa.sa_flags, &act->sa_flags);
 
-               __copy_from_user(&mask, &act->sa_mask, sizeof(sigset_t));
+               err |= __copy_from_user(&mask, &act->sa_mask, sizeof(sigset_t)) 
? -EFAULT : 0;
+               if (err)
+                       return err;
 
                /*
                 * Hmmm... methinks IRIX libc always passes a valid trampoline
@@ -331,32 +345,37 @@
        ret = do_sigaction(sig, act ? &new_ka : NULL, oact ? &old_ka : NULL);
 
        if (!ret && oact) {
-               if (verify_area(VERIFY_WRITE, oact, sizeof(*oact)) ||
-                   __put_user(old_ka.sa.sa_handler, &oact->sa_handler) ||
-                   __put_user(old_ka.sa.sa_flags, &oact->sa_flags))
+               int err;
+
+               if (!access_ok(VERIFY_WRITE, oact, sizeof(*oact)))
+                       return -EFAULT;
+
+               err = __put_user(old_ka.sa.sa_handler, &oact->sa_handler);
+               err |= __put_user(old_ka.sa.sa_flags, &oact->sa_flags);
+               err |= __copy_to_user(&oact->sa_mask, &old_ka.sa.sa_mask,
+                              sizeof(sigset_t)) ? -EFAULT : 0;
+               if (err)
                        return -EFAULT;
-               __copy_to_user(&old_ka.sa.sa_mask, &oact->sa_mask,
-                              sizeof(sigset_t));
        }
 
        return ret;
 }
 
-asmlinkage int irix_sigpending(irix_sigset_t *set)
+asmlinkage int irix_sigpending(irix_sigset_t __user *set)
 {
        return do_sigpending(set, sizeof(*set));
 }
 
-asmlinkage int irix_sigprocmask(int how, irix_sigset_t *new, irix_sigset_t 
*old)
+asmlinkage int irix_sigprocmask(int how, irix_sigset_t __user *new,
+       irix_sigset_t __user *old)
 {
        sigset_t oldbits, newbits;
-       int error;
 
        if (new) {
-               error = verify_area(VERIFY_READ, new, sizeof(*new));
-               if (error)
-                       return error;
-               __copy_from_user(&newbits, new, sizeof(unsigned long)*4);
+               if (!access_ok(VERIFY_READ, new, sizeof(*new)))
+                       return -EFAULT;
+               if (__copy_from_user(&newbits, new, sizeof(unsigned long)*4))
+                       return -EFAULT;
                sigdelsetmask(&newbits, ~_BLOCKABLE);
 
                spin_lock_irq(&current->sighand->siglock);
@@ -384,21 +403,19 @@
                recalc_sigpending();
                spin_unlock_irq(&current->sighand->siglock);
        }
-       if(old) {
-               error = verify_area(VERIFY_WRITE, old, sizeof(*old));
-               if(error)
-                       return error;
-               __copy_to_user(old, &current->blocked, sizeof(unsigned long)*4);
-       }
+       if (old)
+               return copy_to_user(old, &current->blocked,
+                                 sizeof(unsigned long)*4) ? -EFAULT : 0;
 
        return 0;
 }
 
 asmlinkage int irix_sigsuspend(struct pt_regs *regs)
 {
-       sigset_t *uset, saveset, newset;
+       sigset_t saveset, newset;
+       sigset_t __user *uset;
 
-       uset = (sigset_t *) regs->regs[4];
+       uset = (sigset_t __user *) regs->regs[4];
        if (copy_from_user(&newset, uset, sizeof(sigset_t)))
                return -EFAULT;
        sigdelsetmask(&newset, ~_BLOCKABLE);
@@ -456,12 +473,13 @@
        return HZ * sec + nsec;
 }
 
-asmlinkage int irix_sigpoll_sys(unsigned long *set, struct irix5_siginfo *info,
-                               struct timespec *tp)
+asmlinkage int irix_sigpoll_sys(unsigned long __user *set,
+       struct irix5_siginfo __user *info, struct timespec __user *tp)
 {
        long expire = MAX_SCHEDULE_TIMEOUT;
        sigset_t kset;
        int i, sig, error, timeo = 0;
+       struct timespec ktp;
 
 #ifdef DEBUG_SIG
        printk("[%s:%d] irix_sigpoll_sys(%p,%p,%p)\n",
@@ -469,31 +487,25 @@
 #endif
 
        /* Must always specify the signal set. */
-       if(!set)
+       if (!set)
                return -EINVAL;
 
-       error = verify_area(VERIFY_READ, set, sizeof(kset));
-       if (error)
-               goto out;
-
-       __copy_from_user(&kset, set, sizeof(set));
-       if (error)
-               goto out;
+       if (copy_from_user(&kset, set, sizeof(set)))
+               return -EFAULT;
 
        if (info && clear_user(info, sizeof(*info))) {
                error = -EFAULT;
                goto out;
        }
 
-       if(tp) {
-               error = verify_area(VERIFY_READ, tp, sizeof(*tp));
-               if(error)
-                       return error;
-               if(!tp->tv_sec && !tp->tv_nsec) {
-                       error = -EINVAL;
-                       goto out;
-               }
-               expire = timespectojiffies(tp)+(tp->tv_sec||tp->tv_nsec);
+       if (tp) {
+               if (copy_from_user(&ktp, tp, sizeof(*tp)))
+                       return -EFAULT;
+
+               if (!ktp.tv_sec && !ktp.tv_nsec)
+                       return -EINVAL;
+
+               expire = timespectojiffies(&ktp) + (ktp.tv_sec || ktp.tv_nsec);
        }
 
        while(1) {
@@ -517,15 +529,14 @@
        if (timeo)
                return -EAGAIN;
 
-       for(sig = 1; i <= 65 /* IRIX_NSIG */; sig++) {
+       for (sig = 1; i <= 65 /* IRIX_NSIG */; sig++) {
                if (sigismember (&kset, sig))
                        continue;
                if (sigismember (&current->pending.signal, sig)) {
                        /* XXX need more than this... */
                        if (info)
-                               info->sig = sig;
-                       error = 0;
-                       goto out;
+                               return copy_to_user(&info->sig, &sig, 
sizeof(sig));
+                       return 0;
                }
        }
 
@@ -551,8 +562,9 @@
 
 #define W_MASK      (W_EXITED | W_TRAPPED | W_STOPPED | W_CONT | W_NOHANG)
 
-asmlinkage int irix_waitsys(int type, int pid, struct irix5_siginfo *info,
-                           int options, struct rusage *ru)
+asmlinkage int irix_waitsys(int type, int pid,
+       struct irix5_siginfo __user *info, int options,
+       struct rusage __user *ru)
 {
        int flag, retval;
        DECLARE_WAITQUEUE(wait, current);
@@ -560,26 +572,22 @@
        struct task_struct *p;
        struct list_head *_p;
 
-       if (!info) {
-               retval = -EINVAL;
-               goto out;
-       }
-       retval = verify_area(VERIFY_WRITE, info, sizeof(*info));
-       if(retval)
-               goto out;
-       if (ru) {
-               retval = verify_area(VERIFY_WRITE, ru, sizeof(*ru));
-               if(retval)
-                       goto out;
-       }
-       if (options & ~(W_MASK)) {
-               retval = -EINVAL;
-               goto out;
-       }
-       if (type != IRIX_P_PID && type != IRIX_P_PGID && type != IRIX_P_ALL) {
-               retval = -EINVAL;
-               goto out;
-       }
+       if (!info)
+               return -EINVAL;
+
+       if (!access_ok(VERIFY_WRITE, info, sizeof(*info)))
+               return -EFAULT;
+
+       if (ru)
+               if (!access_ok(VERIFY_WRITE, ru, sizeof(*ru)))
+                       return -EFAULT;
+
+       if (options & ~W_MASK)
+               return -EINVAL;
+
+       if (type != IRIX_P_PID && type != IRIX_P_PGID && type != IRIX_P_ALL)
+               return -EINVAL;
+
        add_wait_queue(&current->signal->wait_chldexit, &wait);
 repeat:
        flag = 0;
@@ -610,18 +618,20 @@
                        add_parent(p, p->parent);
                        write_unlock_irq(&tasklist_lock);
                        retval = ru ? getrusage(p, RUSAGE_BOTH, ru) : 0;
-                       if (!retval && ru) {
-                               retval |= __put_user(SIGCHLD, &info->sig);
-                               retval |= __put_user(0, &info->code);
-                               retval |= __put_user(p->pid, 
&info->stuff.procinfo.pid);
-                               retval |= __put_user((p->exit_code >> 8) & 0xff,
-                                          
&info->stuff.procinfo.procdata.child.status);
-                               retval |= __put_user(p->utime, 
&info->stuff.procinfo.procdata.child.utime);
-                               retval |= __put_user(p->stime, 
&info->stuff.procinfo.procdata.child.stime);
-                       }
-                       if (!retval) {
-                               p->exit_code = 0;
-                       }
+                       if (retval)
+                               goto end_waitsys;
+
+                       retval = __put_user(SIGCHLD, &info->sig);
+                       retval |= __put_user(0, &info->code);
+                       retval |= __put_user(p->pid, &info->stuff.procinfo.pid);
+                       retval |= __put_user((p->exit_code >> 8) & 0xff,
+                                  &info->stuff.procinfo.procdata.child.status);
+                       retval |= __put_user(p->utime, 
&info->stuff.procinfo.procdata.child.utime);
+                       retval |= __put_user(p->stime, 
&info->stuff.procinfo.procdata.child.stime);
+                       if (retval)
+                               goto end_waitsys;
+
+                       p->exit_code = 0;
                        goto end_waitsys;
 
                case EXIT_ZOMBIE:
@@ -629,16 +639,18 @@
                        current->signal->cstime += p->stime + p->signal->cstime;
                        if (ru != NULL)
                                getrusage(p, RUSAGE_BOTH, ru);
-                       __put_user(SIGCHLD, &info->sig);
-                       __put_user(1, &info->code);      /* CLD_EXITED */
-                       __put_user(p->pid, &info->stuff.procinfo.pid);
-                       __put_user((p->exit_code >> 8) & 0xff,
+                       retval = __put_user(SIGCHLD, &info->sig);
+                       retval |= __put_user(1, &info->code);      /* 
CLD_EXITED */
+                       retval |= __put_user(p->pid, &info->stuff.procinfo.pid);
+                       retval |= __put_user((p->exit_code >> 8) & 0xff,
                                   &info->stuff.procinfo.procdata.child.status);
-                       __put_user(p->utime,
+                       retval |= __put_user(p->utime,
                                   &info->stuff.procinfo.procdata.child.utime);
-                       __put_user(p->stime,
+                       retval |= __put_user(p->stime,
                                   &info->stuff.procinfo.procdata.child.stime);
-                       retval = 0;
+                       if (retval)
+                               return retval;
+
                        if (p->real_parent != p->parent) {
                                write_lock_irq(&tasklist_lock);
                                remove_parent(p);
@@ -671,7 +683,6 @@
        current->state = TASK_RUNNING;
        remove_wait_queue(&current->signal->wait_chldexit, &wait);
 
-out:
        return retval;
 }
 
@@ -691,174 +702,169 @@
 asmlinkage int irix_getcontext(struct pt_regs *regs)
 {
        int error, i, base = 0;
-       struct irix5_context *ctx;
+       struct irix5_context __user *ctx;
        unsigned long flags;
 
        if (regs->regs[2] == 1000)
                base = 1;
-       ctx = (struct irix5_context *) regs->regs[base + 4];
+       ctx = (struct irix5_context __user *) regs->regs[base + 4];
 
 #ifdef DEBUG_SIG
        printk("[%s:%d] irix_getcontext(%p)\n",
               current->comm, current->pid, ctx);
 #endif
 
-       error = verify_area(VERIFY_WRITE, ctx, sizeof(*ctx));
-       if(error)
-               goto out;
-       __put_user(current->thread.irix_oldctx, &ctx->link);
+       if (!access_ok(VERIFY_WRITE, ctx, sizeof(*ctx)));
+               return -EFAULT;
+
+       error = __put_user(current->thread.irix_oldctx, &ctx->link);
 
-       __copy_to_user(&ctx->sigmask, &current->blocked, sizeof(irix_sigset_t));
+       error |= __copy_to_user(&ctx->sigmask, &current->blocked, 
sizeof(irix_sigset_t)) ? -EFAULT : 0;
 
        /* XXX Do sigstack stuff someday... */
-       __put_user(0, &ctx->stack.sp);
-       __put_user(0, &ctx->stack.size);
-       __put_user(0, &ctx->stack.flags);
+       error |= __put_user(0, &ctx->stack.sp);
+       error |= __put_user(0, &ctx->stack.size);
+       error |= __put_user(0, &ctx->stack.flags);
 
-       __put_user(0, &ctx->weird_graphics_thing);
-       __put_user(0, &ctx->regs[0]);
+       error |= __put_user(0, &ctx->weird_graphics_thing);
+       error |= __put_user(0, &ctx->regs[0]);
        for (i = 1; i < 32; i++)
-               __put_user(regs->regs[i], &ctx->regs[i]);
-       __put_user(regs->lo, &ctx->regs[32]);
-       __put_user(regs->hi, &ctx->regs[33]);
-       __put_user(regs->cp0_cause, &ctx->regs[34]);
-       __put_user(regs->cp0_epc, &ctx->regs[35]);
+               error |= __put_user(regs->regs[i], &ctx->regs[i]);
+       error |= __put_user(regs->lo, &ctx->regs[32]);
+       error |= __put_user(regs->hi, &ctx->regs[33]);
+       error |= __put_user(regs->cp0_cause, &ctx->regs[34]);
+       error |= __put_user(regs->cp0_epc, &ctx->regs[35]);
 
        flags = 0x0f;
-       if(!used_math()) {
+       if (!used_math()) {
                flags &= ~(0x08);
        } else {
                /* XXX wheee... */
                printk("Wheee, no code for saving IRIX FPU context yet.\n");
        }
-       __put_user(flags, &ctx->flags);
-       error = 0;
+       error |= __put_user(flags, &ctx->flags);
 
-out:
        return error;
 }
 
-asmlinkage unsigned long irix_setcontext(struct pt_regs *regs)
+asmlinkage void irix_setcontext(struct pt_regs *regs)
 {
-       int error, base = 0;
-       struct irix5_context *ctx;
+       struct irix5_context __user *ctx;
+       int err, base = 0;
+       u32 flags;
 
-       if(regs->regs[2] == 1000)
+       if (regs->regs[2] == 1000)
                base = 1;
-       ctx = (struct irix5_context *) regs->regs[base + 4];
+       ctx = (struct irix5_context __user *) regs->regs[base + 4];
 
 #ifdef DEBUG_SIG
        printk("[%s:%d] irix_setcontext(%p)\n",
               current->comm, current->pid, ctx);
 #endif
 
-       error = verify_area(VERIFY_READ, ctx, sizeof(*ctx));
-       if (error)
-               goto out;
+       if (!access_ok(VERIFY_READ, ctx, sizeof(*ctx)))
+               goto segv_and_exit;
 
-       if (ctx->flags & 0x02) {
+       err = __get_user(flags, &ctx->flags);
+       if (flags & 0x02) {
                /* XXX sigstack garbage, todo... */
                printk("Wheee, cannot do sigstack stuff in setcontext\n");
        }
 
-       if (ctx->flags & 0x04) {
+       if (flags & 0x04) {
                int i;
 
                /* XXX extra control block stuff... todo... */
-               for(i = 1; i < 32; i++)
-                       regs->regs[i] = ctx->regs[i];
-               regs->lo = ctx->regs[32];
-               regs->hi = ctx->regs[33];
-               regs->cp0_epc = ctx->regs[35];
+               for (i = 1; i < 32; i++)
+                       err |= __get_user(regs->regs[i], &ctx->regs[i]);
+               err |= __get_user(regs->lo, &ctx->regs[32]);
+               err |= __get_user(regs->hi, &ctx->regs[33]);
+               err |= __get_user(regs->cp0_epc, &ctx->regs[35]);
        }
 
-       if (ctx->flags & 0x08) {
+       if (flags & 0x08)
                /* XXX fpu context, blah... */
-               printk("Wheee, cannot restore FPU context yet...\n");
-       }
-       current->thread.irix_oldctx = ctx->link;
-       error = regs->regs[2];
+               printk(KERN_ERR "Wheee, cannot restore FPU context yet...\n");
 
-out:
-       return error;
+       err |= __get_user(current->thread.irix_oldctx, &ctx->link);
+       if (err)
+               goto segv_and_exit;
+
+       /*
+        * Don't let your children do this ...
+        */
+       if (current_thread_info()->flags & TIF_SYSCALL_TRACE)
+               do_syscall_trace(regs, 1);
+       __asm__ __volatile__(
+               "move\t$29,%0\n\t"
+               "j\tsyscall_exit"
+               :/* no outputs */
+               :"r" (&regs));
+               /* Unreached */
+
+segv_and_exit:
+       force_sigsegv(SIGSEGV, current);
 }
 
-struct irix_sigstack { unsigned long sp; int status; };
+struct irix_sigstack {
+       unsigned long sp;
+       int status;
+};
 
-asmlinkage int irix_sigstack(struct irix_sigstack *new, struct irix_sigstack 
*old)
+asmlinkage int irix_sigstack(struct irix_sigstack __user *new,
+       struct irix_sigstack __user *old)
 {
-       int error;
-
 #ifdef DEBUG_SIG
        printk("[%s:%d] irix_sigstack(%p,%p)\n",
               current->comm, current->pid, new, old);
 #endif
-       if(new) {
-               error = verify_area(VERIFY_READ, new, sizeof(*new));
-               if(error)
-                       goto out;
+       if (new) {
+               if (!access_ok(VERIFY_READ, new, sizeof(*new)))
+                       return -EFAULT;
        }
 
-       if(old) {
-               error = verify_area(VERIFY_WRITE, old, sizeof(*old));
-               if(error)
-                       goto out;
+       if (old) {
+               if (!access_ok(VERIFY_WRITE, old, sizeof(*old)))
+                       return -EFAULT;
        }
-       error = 0;
 
-out:
-       return error;
+       return 0;
 }
 
 struct irix_sigaltstack { unsigned long sp; int size; int status; };
 
-asmlinkage int irix_sigaltstack(struct irix_sigaltstack *new,
-                               struct irix_sigaltstack *old)
+asmlinkage int irix_sigaltstack(struct irix_sigaltstack __user *new,
+                               struct irix_sigaltstack __user *old)
 {
-       int error;
-
 #ifdef DEBUG_SIG
        printk("[%s:%d] irix_sigaltstack(%p,%p)\n",
               current->comm, current->pid, new, old);
 #endif
-       if (new) {
-               error = verify_area(VERIFY_READ, new, sizeof(*new));
-               if(error)
-                       goto out;
-       }
+       if (new)
+               if (!access_ok(VERIFY_READ, new, sizeof(*new)))
+                       return -EFAULT;
 
        if (old) {
-               error = verify_area(VERIFY_WRITE, old, sizeof(*old));
-               if(error)
-                       goto out;
+               if (!access_ok(VERIFY_WRITE, old, sizeof(*old)))
+                       return -EFAULT;
        }
-       error = 0;
-
-out:
-       error = 0;
 
-       return error;
+       return 0;
 }
 
 struct irix_procset {
        int cmd, ltype, lid, rtype, rid;
 };
 
-asmlinkage int irix_sigsendset(struct irix_procset *pset, int sig)
+asmlinkage int irix_sigsendset(struct irix_procset __user *pset, int sig)
 {
-       int error;
-
-       error = verify_area(VERIFY_READ, pset, sizeof(*pset));
-       if(error)
-               goto out;
+       if (!access_ok(VERIFY_READ, pset, sizeof(*pset)))
+               return -EFAULT;
 #ifdef DEBUG_SIG
        printk("[%s:%d] irix_sigsendset([%d,%d,%d,%d,%d],%d)\n",
               current->comm, current->pid,
               pset->cmd, pset->ltype, pset->lid, pset->rtype, pset->rid,
               sig);
 #endif
-       error = -EINVAL;
-
-out:
-       return error;
+       return -EINVAL;
 }
diff -urN linux/arch/mips/kernel/sysirix.c linux/arch/mips/kernel/sysirix.c
--- linux/arch/mips/kernel/sysirix.c    2005/03/01 03:51:33     1.69
+++ linux/arch/mips/kernel/sysirix.c    2005/03/17 21:50:49     1.70
@@ -233,7 +233,7 @@
 
 #undef DEBUG_PROCGRPS
 
-extern unsigned long irix_mapelf(int fd, struct elf_phdr *user_phdrp, int cnt);
+extern unsigned long irix_mapelf(int fd, struct elf_phdr __user *user_phdrp, 
int cnt);
 extern int getrusage(struct task_struct *p, int who, struct rusage __user *ru);
 extern char *prom_getenv(char *name);
 extern long prom_setenv(char *name, char *value);
@@ -270,22 +270,19 @@
        cmd = regs->regs[base + 4];
        switch(cmd) {
        case SGI_SYSID: {
-               char *buf = (char *) regs->regs[base + 5];
+               char __user *buf = (char __user *) regs->regs[base + 5];
 
                /* XXX Use ethernet addr.... */
-               retval = clear_user(buf, 64);
+               retval = clear_user(buf, 64) ? -EFAULT : 0;
                break;
        }
 #if 0
        case SGI_RDNAME: {
                int pid = (int) regs->regs[base + 5];
-               char *buf = (char *) regs->regs[base + 6];
+               char __user *buf = (char *) regs->regs[base + 6];
                struct task_struct *p;
                char tcomm[sizeof(current->comm)];
 
-               retval = verify_area(VERIFY_WRITE, buf, sizeof(tcomm));
-               if (retval)
-                       break;
                read_lock(&tasklist_lock);
                p = find_task_by_pid(pid);
                if (!p) {
@@ -297,33 +294,28 @@
                read_unlock(&tasklist_lock);
 
                /* XXX Need to check sizes. */
-               copy_to_user(buf, tcomm, sizeof(tcomm));
-               retval = 0;
+               retval = copy_to_user(buf, tcomm, sizeof(tcomm)) ? -EFAULT : 0;
                break;
        }
 
        case SGI_GETNVRAM: {
-               char *name = (char *) regs->regs[base+5];
-               char *buf = (char *) regs->regs[base+6];
+               char __user *name = (char __user *) regs->regs[base+5];
+               char __user *buf = (char __user *) regs->regs[base+6];
                char *value;
                return -EINVAL; /* til I fix it */
-               retval = verify_area(VERIFY_WRITE, buf, 128);
-               if (retval)
-                       break;
                value = prom_getenv(name);      /* PROM lock?  */
                if (!value) {
                        retval = -EINVAL;
                        break;
                }
                /* Do I strlen() for the length? */
-               copy_to_user(buf, value, 128);
-               retval = 0;
+               retval = copy_to_user(buf, value, 128) ? -EFAULT : 0;
                break;
        }
 
        case SGI_SETNVRAM: {
-               char *name = (char *) regs->regs[base+5];
-               char *value = (char *) regs->regs[base+6];
+               char __user *name = (char __user *) regs->regs[base+5];
+               char __user *value = (char __user *) regs->regs[base+6];
                return -EINVAL; /* til I fix it */
                retval = prom_setenv(name, value);
                /* XXX make sure retval conforms to syssgi(2) */
@@ -399,16 +391,16 @@
 
        case SGI_SETGROUPS:
                retval = sys_setgroups((int) regs->regs[base + 5],
-                                      (gid_t *) regs->regs[base + 6]);
+                                      (gid_t __user *) regs->regs[base + 6]);
                break;
 
        case SGI_GETGROUPS:
                retval = sys_getgroups((int) regs->regs[base + 5],
-                                      (gid_t *) regs->regs[base + 6]);
+                                      (gid_t __user *) regs->regs[base + 6]);
                break;
 
        case SGI_RUSAGE: {
-               struct rusage *ru = (struct rusage *) regs->regs[base + 6];
+               struct rusage __user *ru = (struct rusage __user *) 
regs->regs[base + 6];
 
                switch((int) regs->regs[base + 5]) {
                case 0:
@@ -445,7 +437,7 @@
 
        case SGI_ELFMAP:
                retval = irix_mapelf((int) regs->regs[base + 5],
-                                    (struct elf_phdr *) regs->regs[base + 6],
+                                    (struct elf_phdr __user *) regs->regs[base 
+ 6],
                                     (int) regs->regs[base + 7]);
                break;
 
@@ -460,17 +452,13 @@
 
        case SGI_PHYSP: {
                unsigned long addr = regs->regs[base + 5];
-               int *pageno = (int *) (regs->regs[base + 6]);
+               int __user *pageno = (int __user *) (regs->regs[base + 6]);
                struct mm_struct *mm = current->mm;
                pgd_t *pgdp;
                pud_t *pudp;
                pmd_t *pmdp;
                pte_t *ptep;
 
-               retval = verify_area(VERIFY_WRITE, pageno, sizeof(int));
-               if (retval)
-                       return retval;
-
                down_read(&mm->mmap_sem);
                pgdp = pgd_offset(mm, addr);
                pudp = pud_offset(pgdp, addr);
@@ -481,6 +469,7 @@
                        pte_t pte = *ptep;
 
                        if (pte_val(pte) & (_PAGE_VALID | _PAGE_PRESENT)) {
+                               /* b0rked on 64-bit */
                                retval =  put_user((pte_val(pte) & PAGE_MASK) >>
                                                   PAGE_SHIFT, pageno);
                        }
@@ -491,7 +480,7 @@
 
        case SGI_INVENT: {
                int  arg1    = (int)    regs->regs [base + 5];
-               void *buffer = (void *) regs->regs [base + 6];
+               void __user *buffer = (void __user *) regs->regs [base + 6];
                int  count   = (int)    regs->regs [base + 7];
 
                switch (arg1) {
@@ -695,8 +684,8 @@
 }
 
 /* XXX need more than this... */
-asmlinkage int irix_mount(char *dev_name, char *dir_name, unsigned long flags,
-                         char *type, void *data, int datalen)
+asmlinkage int irix_mount(char __user *dev_name, char __user *dir_name,
+       unsigned long flags, char __user *type, void __user *data, int datalen)
 {
        printk("[%s:%d] irix_mount(%p,%p,%08lx,%p,%p,%d)\n",
               current->comm, current->pid,
@@ -711,8 +700,8 @@
        char  f_fname[6], f_fpack[6];
 };
 
-asmlinkage int irix_statfs(const char *path, struct irix_statfs *buf,
-                          int len, int fs_type)
+asmlinkage int irix_statfs(const char __user *path,
+       struct irix_statfs __user *buf, int len, int fs_type)
 {
        struct nameidata nd;
        struct kstatfs kbuf;
@@ -723,9 +712,11 @@
                error = -EINVAL;
                goto out;
        }
-       error = verify_area(VERIFY_WRITE, buf, sizeof(struct irix_statfs));
-       if (error)
+       if (!access_ok(VERIFY_WRITE, buf, sizeof(struct irix_statfs))) {
+               error = -EFAULT;
                goto out;
+       }
+
        error = user_path_walk(path, &nd);
        if (error)
                goto out;
@@ -734,18 +725,17 @@
        if (error)
                goto dput_and_out;
 
-       __put_user(kbuf.f_type, &buf->f_type);
-       __put_user(kbuf.f_bsize, &buf->f_bsize);
-       __put_user(kbuf.f_frsize, &buf->f_frsize);
-       __put_user(kbuf.f_blocks, &buf->f_blocks);
-       __put_user(kbuf.f_bfree, &buf->f_bfree);
-       __put_user(kbuf.f_files, &buf->f_files);
-       __put_user(kbuf.f_ffree, &buf->f_ffree);
+       error = __put_user(kbuf.f_type, &buf->f_type);
+       error |= __put_user(kbuf.f_bsize, &buf->f_bsize);
+       error |= __put_user(kbuf.f_frsize, &buf->f_frsize);
+       error |= __put_user(kbuf.f_blocks, &buf->f_blocks);
+       error |= __put_user(kbuf.f_bfree, &buf->f_bfree);
+       error |= __put_user(kbuf.f_files, &buf->f_files);
+       error |= __put_user(kbuf.f_ffree, &buf->f_ffree);
        for (i = 0; i < 6; i++) {
-               __put_user(0, &buf->f_fname[i]);
-               __put_user(0, &buf->f_fpack[i]);
+               error |= __put_user(0, &buf->f_fname[i]);
+               error |= __put_user(0, &buf->f_fpack[i]);
        }
-       error = 0;
 
 dput_and_out:
        path_release(&nd);
@@ -753,15 +743,17 @@
        return error;
 }
 
-asmlinkage int irix_fstatfs(unsigned int fd, struct irix_statfs *buf)
+asmlinkage int irix_fstatfs(unsigned int fd, struct irix_statfs __user *buf)
 {
        struct kstatfs kbuf;
        struct file *file;
        int error, i;
 
-       error = verify_area(VERIFY_WRITE, buf, sizeof(struct irix_statfs));
-       if (error)
+       if (!access_ok(VERIFY_WRITE, buf, sizeof(struct irix_statfs))) {
+               error = -EFAULT;
                goto out;
+       }
+
        if (!(file = fget(fd))) {
                error = -EBADF;
                goto out;
@@ -771,16 +763,17 @@
        if (error)
                goto out_f;
 
-       __put_user(kbuf.f_type, &buf->f_type);
-       __put_user(kbuf.f_bsize, &buf->f_bsize);
-       __put_user(kbuf.f_frsize, &buf->f_frsize);
-       __put_user(kbuf.f_blocks, &buf->f_blocks);
-       __put_user(kbuf.f_bfree, &buf->f_bfree);
-       __put_user(kbuf.f_files, &buf->f_files);
-       __put_user(kbuf.f_ffree, &buf->f_ffree);
-       for(i = 0; i < 6; i++) {
-               __put_user(0, &buf->f_fname[i]);
-               __put_user(0, &buf->f_fpack[i]);
+       error = __put_user(kbuf.f_type, &buf->f_type);
+       error |= __put_user(kbuf.f_bsize, &buf->f_bsize);
+       error |= __put_user(kbuf.f_frsize, &buf->f_frsize);
+       error |= __put_user(kbuf.f_blocks, &buf->f_blocks);
+       error |= __put_user(kbuf.f_bfree, &buf->f_bfree);
+       error |= __put_user(kbuf.f_files, &buf->f_files);
+       error |= __put_user(kbuf.f_ffree, &buf->f_ffree);
+
+       for (i = 0; i < 6; i++) {
+               error |= __put_user(0, &buf->f_fname[i]);
+               error |= __put_user(0, &buf->f_fpack[i]);
        }
 
 out_f:
@@ -807,15 +800,15 @@
        return error;
 }
 
-asmlinkage int irix_times(struct tms * tbuf)
+asmlinkage int irix_times(struct tms __user *tbuf)
 {
        int err = 0;
 
        if (tbuf) {
-               err = verify_area(VERIFY_WRITE,tbuf,sizeof *tbuf);
-               if (err)
-                       return err;
-               err |= __put_user(current->utime, &tbuf->tms_utime);
+               if (!access_ok(VERIFY_WRITE,tbuf,sizeof *tbuf))
+                       return -EFAULT;
+
+               err = __put_user(current->utime, &tbuf->tms_utime);
                err |= __put_user(current->stime, &tbuf->tms_stime);
                err |= __put_user(current->signal->cutime, &tbuf->tms_cutime);
                err |= __put_user(current->signal->cstime, &tbuf->tms_cstime);
@@ -831,13 +824,13 @@
 
        if(regs->regs[2] == 1000)
                base = 1;
-       filename = getname((char *) (long)regs->regs[base + 4]);
+       filename = getname((char __user *) (long)regs->regs[base + 4]);
        error = PTR_ERR(filename);
        if (IS_ERR(filename))
                return error;
 
-       error = do_execve(filename, (char **) (long)regs->regs[base + 5],
-                         (char **) 0, regs);
+       error = do_execve(filename, (char __user * __user *) 
(long)regs->regs[base + 5],
+                         NULL, regs);
        putname(filename);
 
        return error;
@@ -850,12 +843,12 @@
 
        if (regs->regs[2] == 1000)
                base = 1;
-       filename = getname((char *) (long)regs->regs[base + 4]);
+       filename = getname((char __user *) (long)regs->regs[base + 4]);
        error = PTR_ERR(filename);
        if (IS_ERR(filename))
                return error;
-       error = do_execve(filename, (char **) (long)regs->regs[base + 5],
-                         (char **) (long)regs->regs[base + 6], regs);
+       error = do_execve(filename, (char __user * __user *) 
(long)regs->regs[base + 5],
+                         (char __user * __user *) (long)regs->regs[base + 6], 
regs);
        putname(filename);
 
        return error;
@@ -911,23 +904,17 @@
        return sys_socket(family, type, protocol);
 }
 
-asmlinkage int irix_getdomainname(char *name, int len)
+asmlinkage int irix_getdomainname(char __user *name, int len)
 {
-       int error;
-
-       error = verify_area(VERIFY_WRITE, name, len);
-       if (error)
-               return error;
+       int err;
 
        down_read(&uts_sem);
        if (len > __NEW_UTS_LEN)
                len = __NEW_UTS_LEN;
-       error = 0;
-       if (copy_to_user(name, system_utsname.domainname, len))
-               error = -EFAULT;
+       err = copy_to_user(name, system_utsname.domainname, len) ? -EFAULT : 0;
        up_read(&uts_sem);
 
-       return error;
+       return err;
 }
 
 asmlinkage unsigned long irix_getpagesize(void)
@@ -943,12 +930,13 @@
        case 0:
                return sys_msgget((key_t) arg0, (int) arg1);
        case 1:
-               return sys_msgctl((int) arg0, (int) arg1, (struct msqid_ds 
*)arg2);
+               return sys_msgctl((int) arg0, (int) arg1,
+                                 (struct msqid_ds __user *)arg2);
        case 2:
-               return sys_msgrcv((int) arg0, (struct msgbuf *) arg1,
+               return sys_msgrcv((int) arg0, (struct msgbuf __user *) arg1,
                                  (size_t) arg2, (long) arg3, (int) arg4);
        case 3:
-               return sys_msgsnd((int) arg0, (struct msgbuf *) arg1,
+               return sys_msgsnd((int) arg0, (struct msgbuf __user *) arg1,
                                  (size_t) arg2, (int) arg3);
        default:
                return -EINVAL;
@@ -960,12 +948,13 @@
 {
        switch (opcode) {
        case 0:
-               return do_shmat((int) arg0, (char *)arg1, (int) arg2,
+               return do_shmat((int) arg0, (char __user *) arg1, (int) arg2,
                                 (unsigned long *) arg3);
        case 1:
-               return sys_shmctl((int)arg0, (int)arg1, (struct shmid_ds 
*)arg2);
+               return sys_shmctl((int)arg0, (int)arg1,
+                                 (struct shmid_ds __user *)arg2);
        case 2:
-               return sys_shmdt((char *)arg0);
+               return sys_shmdt((char __user *)arg0);
        case 3:
                return sys_shmget((key_t) arg0, (int) arg1, (int) arg2);
        default:
@@ -983,7 +972,7 @@
        case 1:
                return sys_semget((key_t) arg0, (int) arg1, (int) arg2);
        case 2:
-               return sys_semop((int) arg0, (struct sembuf *)arg1,
+               return sys_semop((int) arg0, (struct sembuf __user *)arg1,
                                 (unsigned int) arg2);
        default:
                return -EINVAL;
@@ -1001,15 +990,16 @@
        lock_kernel();
        retval = fn(file, offset, origin);
        unlock_kernel();
+
        return retval;
 }
 
 asmlinkage int irix_lseek64(int fd, int _unused, int offhi, int offlow,
                             int origin)
 {
-       int retval;
        struct file * file;
        loff_t offset;
+       int retval;
 
        retval = -EBADF;
        file = fget(fd);
@@ -1035,18 +1025,18 @@
        return 0;
 }
 
-asmlinkage int irix_sgikopt(char *istring, char *ostring, int len)
+asmlinkage int irix_sgikopt(char __user *istring, char __user *ostring, int 
len)
 {
        return -EINVAL;
 }
 
-asmlinkage int irix_gettimeofday(struct timeval *tv)
+asmlinkage int irix_gettimeofday(struct timeval __user *tv)
 {
        time_t sec;
        long nsec, seq;
        int err;
 
-       if (verify_area(VERIFY_WRITE, tv, sizeof(struct timeval)))
+       if (!access_ok(VERIFY_WRITE, tv, sizeof(struct timeval)))
                return -EFAULT;
 
        do {
@@ -1081,7 +1071,7 @@
 
                        if (max_size > file->f_dentry->d_inode->i_size) {
                                old_pos = sys_lseek (fd, max_size - 1, 0);
-                               sys_write (fd, "", 1);
+                               sys_write (fd, (void __user *) "", 1);
                                sys_lseek (fd, old_pos, 0);
                        }
                }
@@ -1106,7 +1096,7 @@
        return -EINVAL;
 }
 
-asmlinkage int irix_pagelock(char *addr, int len, int op)
+asmlinkage int irix_pagelock(char __user *addr, int len, int op)
 {
        printk("[%s:%d] Wheee.. irix_pagelock(%p,%d,%d)\n",
               current->comm, current->pid, addr, len, op);
@@ -1146,7 +1136,7 @@
        return error;
 }
 
-asmlinkage int irix_systeminfo(int cmd, char *buf, int cnt)
+asmlinkage int irix_systeminfo(int cmd, char __user *buf, int cnt)
 {
        printk("[%s:%d] Wheee.. irix_systeminfo(%d,%p,%d)\n",
               current->comm, current->pid, cmd, buf, cnt);
@@ -1162,14 +1152,14 @@
        char _unused3[257], _unused4[257], _unused5[257];
 };
 
-asmlinkage int irix_uname(struct iuname *buf)
+asmlinkage int irix_uname(struct iuname __user *buf)
 {
        down_read(&uts_sem);
-       if (copy_to_user(system_utsname.sysname, buf->sysname, 65)
-           || copy_to_user(system_utsname.nodename, buf->nodename, 65)
-           || copy_to_user(system_utsname.release, buf->release, 65)
-           || copy_to_user(system_utsname.version, buf->version, 65)
-           || copy_to_user(system_utsname.machine, buf->machine, 65)) {
+       if (copy_from_user(system_utsname.sysname, buf->sysname, 65)
+           || copy_from_user(system_utsname.nodename, buf->nodename, 65)
+           || copy_from_user(system_utsname.release, buf->release, 65)
+           || copy_from_user(system_utsname.version, buf->version, 65)
+           || copy_from_user(system_utsname.machine, buf->machine, 65)) {
                return -EFAULT;
        }
        up_read(&uts_sem);
@@ -1179,7 +1169,7 @@
 
 #undef DEBUG_XSTAT
 
-static int irix_xstat32_xlate(struct kstat *stat, void *ubuf)
+static int irix_xstat32_xlate(struct kstat *stat, void __user *ubuf)
 {
        struct xstat32 {
                u32 st_dev, st_pad1[3], st_ino, st_mode, st_nlink, st_uid, 
st_gid;
@@ -1219,7 +1209,7 @@
        return copy_to_user(ubuf, &ub, sizeof(ub)) ? -EFAULT : 0;
 }
 
-static int irix_xstat64_xlate(struct kstat *stat, void *ubuf)
+static int irix_xstat64_xlate(struct kstat *stat, void __user *ubuf)
 {
        struct xstat64 {
                u32 st_dev; s32 st_pad1[3];
@@ -1269,7 +1259,7 @@
        return copy_to_user(ubuf, &ks, sizeof(ks)) ? -EFAULT : 0;
 }
 
-asmlinkage int irix_xstat(int version, char *filename, struct stat *statbuf)
+asmlinkage int irix_xstat(int version, char __user *filename, struct stat 
__user *statbuf)
 {
        int retval;
        struct kstat stat;
@@ -1295,7 +1285,7 @@
        return retval;
 }
 
-asmlinkage int irix_lxstat(int version, char *filename, struct stat *statbuf)
+asmlinkage int irix_lxstat(int version, char __user *filename, struct stat 
__user *statbuf)
 {
        int error;
        struct kstat stat;
@@ -1322,7 +1312,7 @@
        return error;
 }
 
-asmlinkage int irix_fxstat(int version, int fd, struct stat *statbuf)
+asmlinkage int irix_fxstat(int version, int fd, struct stat __user *statbuf)
 {
        int error;
        struct kstat stat;
@@ -1348,7 +1338,7 @@
        return error;
 }
 
-asmlinkage int irix_xmknod(int ver, char *filename, int mode, unsigned dev)
+asmlinkage int irix_xmknod(int ver, char __user *filename, int mode, unsigned 
dev)
 {
        int retval;
        printk("[%s:%d] Wheee.. irix_xmknod(%d,%s,%x,%x)\n",
@@ -1368,7 +1358,7 @@
        return retval;
 }
 
-asmlinkage int irix_swapctl(int cmd, char *arg)
+asmlinkage int irix_swapctl(int cmd, char __user *arg)
 {
        printk("[%s:%d] Wheee.. irix_swapctl(%d,%p)\n",
               current->comm, current->pid, cmd, arg);
@@ -1384,7 +1374,7 @@
        char    f_fstr[32]; u32 f_filler[16];
 };
 
-asmlinkage int irix_statvfs(char *fname, struct irix_statvfs *buf)
+asmlinkage int irix_statvfs(char __user *fname, struct irix_statvfs __user 
*buf)
 {
        struct nameidata nd;
        struct kstatfs kbuf;
@@ -1392,9 +1382,9 @@
 
        printk("[%s:%d] Wheee.. irix_statvfs(%s,%p)\n",
               current->comm, current->pid, fname, buf);
-       error = verify_area(VERIFY_WRITE, buf, sizeof(struct irix_statvfs));
-       if (error)
-               goto out;
+       if (!access_ok(VERIFY_WRITE, buf, sizeof(struct irix_statvfs)))
+               return -EFAULT;
+
        error = user_path_walk(fname, &nd);
        if (error)
                goto out;
@@ -1402,27 +1392,25 @@
        if (error)
                goto dput_and_out;
 
-       __put_user(kbuf.f_bsize, &buf->f_bsize);
-       __put_user(kbuf.f_frsize, &buf->f_frsize);
-       __put_user(kbuf.f_blocks, &buf->f_blocks);
-       __put_user(kbuf.f_bfree, &buf->f_bfree);
-       __put_user(kbuf.f_bfree, &buf->f_bavail);  /* XXX hackety hack... */
-       __put_user(kbuf.f_files, &buf->f_files);
-       __put_user(kbuf.f_ffree, &buf->f_ffree);
-       __put_user(kbuf.f_ffree, &buf->f_favail);  /* XXX hackety hack... */
+       error |= __put_user(kbuf.f_bsize, &buf->f_bsize);
+       error |= __put_user(kbuf.f_frsize, &buf->f_frsize);
+       error |= __put_user(kbuf.f_blocks, &buf->f_blocks);
+       error |= __put_user(kbuf.f_bfree, &buf->f_bfree);
+       error |= __put_user(kbuf.f_bfree, &buf->f_bavail);  /* XXX hackety 
hack... */
+       error |= __put_user(kbuf.f_files, &buf->f_files);
+       error |= __put_user(kbuf.f_ffree, &buf->f_ffree);
+       error |= __put_user(kbuf.f_ffree, &buf->f_favail);  /* XXX hackety 
hack... */
 #ifdef __MIPSEB__
-       __put_user(kbuf.f_fsid.val[1], &buf->f_fsid);
+       error |= __put_user(kbuf.f_fsid.val[1], &buf->f_fsid);
 #else
-       __put_user(kbuf.f_fsid.val[0], &buf->f_fsid);
+       error |= __put_user(kbuf.f_fsid.val[0], &buf->f_fsid);
 #endif
        for (i = 0; i < 16; i++)
-               __put_user(0, &buf->f_basetype[i]);
-       __put_user(0, &buf->f_flag);
-       __put_user(kbuf.f_namelen, &buf->f_namemax);
+               error |= __put_user(0, &buf->f_basetype[i]);
+       error |= __put_user(0, &buf->f_flag);
+       error |= __put_user(kbuf.f_namelen, &buf->f_namemax);
        for (i = 0; i < 32; i++)
-               __put_user(0, &buf->f_fstr[i]);
-
-       error = 0;
+               error |= __put_user(0, &buf->f_fstr[i]);
 
 dput_and_out:
        path_release(&nd);
@@ -1430,7 +1418,7 @@
        return error;
 }
 
-asmlinkage int irix_fstatvfs(int fd, struct irix_statvfs *buf)
+asmlinkage int irix_fstatvfs(int fd, struct irix_statvfs __user *buf)
 {
        struct kstatfs kbuf;
        struct file *file;
@@ -1439,9 +1427,9 @@
        printk("[%s:%d] Wheee.. irix_fstatvfs(%d,%p)\n",
               current->comm, current->pid, fd, buf);
 
-       error = verify_area(VERIFY_WRITE, buf, sizeof(struct irix_statvfs));
-       if (error)
-               goto out;
+       if (!access_ok(VERIFY_WRITE, buf, sizeof(struct irix_statvfs)))
+               return -EFAULT;
+
        if (!(file = fget(fd))) {
                error = -EBADF;
                goto out;
@@ -1450,24 +1438,24 @@
        if (error)
                goto out_f;
 
-       __put_user(kbuf.f_bsize, &buf->f_bsize);
-       __put_user(kbuf.f_frsize, &buf->f_frsize);
-       __put_user(kbuf.f_blocks, &buf->f_blocks);
-       __put_user(kbuf.f_bfree, &buf->f_bfree);
-       __put_user(kbuf.f_bfree, &buf->f_bavail); /* XXX hackety hack... */
-       __put_user(kbuf.f_files, &buf->f_files);
-       __put_user(kbuf.f_ffree, &buf->f_ffree);
-       __put_user(kbuf.f_ffree, &buf->f_favail); /* XXX hackety hack... */
+       error = __put_user(kbuf.f_bsize, &buf->f_bsize);
+       error |= __put_user(kbuf.f_frsize, &buf->f_frsize);
+       error |= __put_user(kbuf.f_blocks, &buf->f_blocks);
+       error |= __put_user(kbuf.f_bfree, &buf->f_bfree);
+       error |= __put_user(kbuf.f_bfree, &buf->f_bavail); /* XXX hackety 
hack... */
+       error |= __put_user(kbuf.f_files, &buf->f_files);
+       error |= __put_user(kbuf.f_ffree, &buf->f_ffree);
+       error |= __put_user(kbuf.f_ffree, &buf->f_favail); /* XXX hackety 
hack... */
 #ifdef __MIPSEB__
-       __put_user(kbuf.f_fsid.val[1], &buf->f_fsid);
+       error |= __put_user(kbuf.f_fsid.val[1], &buf->f_fsid);
 #else
-       __put_user(kbuf.f_fsid.val[0], &buf->f_fsid);
+       error |= __put_user(kbuf.f_fsid.val[0], &buf->f_fsid);
 #endif
        for(i = 0; i < 16; i++)
-               __put_user(0, &buf->f_basetype[i]);
-       __put_user(0, &buf->f_flag);
-       __put_user(kbuf.f_namelen, &buf->f_namemax);
-       __clear_user(&buf->f_fstr, sizeof(buf->f_fstr));
+               error |= __put_user(0, &buf->f_basetype[i]);
+       error |= __put_user(0, &buf->f_flag);
+       error |= __put_user(kbuf.f_namelen, &buf->f_namemax);
+       error |= __clear_user(&buf->f_fstr, sizeof(buf->f_fstr)) ? -EFAULT : 0;
 
 out_f:
        fput(file);
@@ -1491,7 +1479,7 @@
        return -EINVAL;
 }
 
-asmlinkage int irix_truncate64(char *name, int pad, int size1, int size2)
+asmlinkage int irix_truncate64(char __user *name, int pad, int size1, int 
size2)
 {
        int retval;
 
@@ -1524,6 +1512,7 @@
        int len, prot, flags, fd, off1, off2, error, base = 0;
        unsigned long addr, pgoff, *sp;
        struct file *file = NULL;
+       int err;
 
        if (regs->regs[2] == 1000)
                base = 1;
@@ -1533,34 +1522,31 @@
        prot = regs->regs[base + 6];
        if (!base) {
                flags = regs->regs[base + 7];
-               error = verify_area(VERIFY_READ, sp, (4 * sizeof(unsigned 
long)));
-               if(error)
-                       goto out;
+               if (!access_ok(VERIFY_READ, sp, (4 * sizeof(unsigned long))))
+                       return -EFAULT;
                fd = sp[0];
-               __get_user(off1, &sp[1]);
-               __get_user(off2, &sp[2]);
+               err = __get_user(off1, &sp[1]);
+               err |= __get_user(off2, &sp[2]);
        } else {
-               error = verify_area(VERIFY_READ, sp, (5 * sizeof(unsigned 
long)));
-               if(error)
-                       goto out;
-               __get_user(flags, &sp[0]);
-               __get_user(fd, &sp[1]);
-               __get_user(off1, &sp[2]);
-               __get_user(off2, &sp[3]);
+               if (!access_ok(VERIFY_READ, sp, (5 * sizeof(unsigned long))))
+                       return -EFAULT;
+               err = __get_user(flags, &sp[0]);
+               err |= __get_user(fd, &sp[1]);
+               err |= __get_user(off1, &sp[2]);
+               err |= __get_user(off2, &sp[3]);
        }
 
-       if (off1 & PAGE_MASK) {
-               error = -EOVERFLOW;
-               goto out;
-       }
+       if (err)
+               return err;
+
+       if (off1 & PAGE_MASK)
+               return -EOVERFLOW;
 
        pgoff = (off1 << (32 - PAGE_SHIFT)) | (off2 >> PAGE_SHIFT);
 
        if (!(flags & MAP_ANONYMOUS)) {
-               if (!(file = fget(fd))) {
-                       error = -EBADF;
-                       goto out;
-               }
+               if (!(file = fget(fd)))
+                       return -EBADF;
 
                /* Ok, bad taste hack follows, try to think in something else
                   when reading this */
@@ -1570,7 +1556,7 @@
 
                        if (max_size > file->f_dentry->d_inode->i_size) {
                                old_pos = sys_lseek (fd, max_size - 1, 0);
-                               sys_write (fd, "", 1);
+                               sys_write (fd, (void __user *) "", 1);
                                sys_lseek (fd, old_pos, 0);
                        }
                }
@@ -1585,7 +1571,6 @@
        if (file)
                fput(file);
 
-out:
        return error;
 }
 
@@ -1597,7 +1582,7 @@
        return -EINVAL;
 }
 
-asmlinkage int irix_pread(int fd, char *buf, int cnt, int off64,
+asmlinkage int irix_pread(int fd, char __user *buf, int cnt, int off64,
                          int off1, int off2)
 {
        printk("[%s:%d] Wheee.. irix_pread(%d,%p,%d,%d,%d,%d)\n",
@@ -1606,7 +1591,7 @@
        return -EINVAL;
 }
 
-asmlinkage int irix_pwrite(int fd, char *buf, int cnt, int off64,
+asmlinkage int irix_pwrite(int fd, char __user *buf, int cnt, int off64,
                           int off1, int off2)
 {
        printk("[%s:%d] Wheee.. irix_pwrite(%d,%p,%d,%d,%d,%d)\n",
@@ -1638,7 +1623,7 @@
        u32  f_filler[16];
 };
 
-asmlinkage int irix_statvfs64(char *fname, struct irix_statvfs64 *buf)
+asmlinkage int irix_statvfs64(char __user *fname, struct irix_statvfs64 __user 
*buf)
 {
        struct nameidata nd;
        struct kstatfs kbuf;
@@ -1646,9 +1631,11 @@
 
        printk("[%s:%d] Wheee.. irix_statvfs64(%s,%p)\n",
               current->comm, current->pid, fname, buf);
-       error = verify_area(VERIFY_WRITE, buf, sizeof(struct irix_statvfs64));
-       if(error)
+       if (!access_ok(VERIFY_WRITE, buf, sizeof(struct irix_statvfs64))) {
+               error = -EFAULT;
                goto out;
+       }
+
        error = user_path_walk(fname, &nd);
        if (error)
                goto out;
@@ -1656,27 +1643,25 @@
        if (error)
                goto dput_and_out;
 
-       __put_user(kbuf.f_bsize, &buf->f_bsize);
-       __put_user(kbuf.f_frsize, &buf->f_frsize);
-       __put_user(kbuf.f_blocks, &buf->f_blocks);
-       __put_user(kbuf.f_bfree, &buf->f_bfree);
-       __put_user(kbuf.f_bfree, &buf->f_bavail);  /* XXX hackety hack... */
-       __put_user(kbuf.f_files, &buf->f_files);
-       __put_user(kbuf.f_ffree, &buf->f_ffree);
-       __put_user(kbuf.f_ffree, &buf->f_favail);  /* XXX hackety hack... */
+       error = __put_user(kbuf.f_bsize, &buf->f_bsize);
+       error |= __put_user(kbuf.f_frsize, &buf->f_frsize);
+       error |= __put_user(kbuf.f_blocks, &buf->f_blocks);
+       error |= __put_user(kbuf.f_bfree, &buf->f_bfree);
+       error |= __put_user(kbuf.f_bfree, &buf->f_bavail);  /* XXX hackety 
hack... */
+       error |= __put_user(kbuf.f_files, &buf->f_files);
+       error |= __put_user(kbuf.f_ffree, &buf->f_ffree);
+       error |= __put_user(kbuf.f_ffree, &buf->f_favail);  /* XXX hackety 
hack... */
 #ifdef __MIPSEB__
-       __put_user(kbuf.f_fsid.val[1], &buf->f_fsid);
+       error |= __put_user(kbuf.f_fsid.val[1], &buf->f_fsid);
 #else
-       __put_user(kbuf.f_fsid.val[0], &buf->f_fsid);
+       error |= __put_user(kbuf.f_fsid.val[0], &buf->f_fsid);
 #endif
        for(i = 0; i < 16; i++)
-               __put_user(0, &buf->f_basetype[i]);
-       __put_user(0, &buf->f_flag);
-       __put_user(kbuf.f_namelen, &buf->f_namemax);
+               error |= __put_user(0, &buf->f_basetype[i]);
+       error |= __put_user(0, &buf->f_flag);
+       error |= __put_user(kbuf.f_namelen, &buf->f_namemax);
        for(i = 0; i < 32; i++)
-               __put_user(0, &buf->f_fstr[i]);
-
-       error = 0;
+               error |= __put_user(0, &buf->f_fstr[i]);
 
 dput_and_out:
        path_release(&nd);
@@ -1684,7 +1669,7 @@
        return error;
 }
 
-asmlinkage int irix_fstatvfs64(int fd, struct irix_statvfs *buf)
+asmlinkage int irix_fstatvfs64(int fd, struct irix_statvfs __user *buf)
 {
        struct kstatfs kbuf;
        struct file *file;
@@ -1693,9 +1678,10 @@
        printk("[%s:%d] Wheee.. irix_fstatvfs64(%d,%p)\n",
               current->comm, current->pid, fd, buf);
 
-       error = verify_area(VERIFY_WRITE, buf, sizeof(struct irix_statvfs));
-       if (error)
+       if (!access_ok(VERIFY_WRITE, buf, sizeof(struct irix_statvfs))) {
+               error = -EFAULT;
                goto out;
+       }
        if (!(file = fget(fd))) {
                error = -EBADF;
                goto out;
@@ -1704,24 +1690,24 @@
        if (error)
                goto out_f;
 
-       __put_user(kbuf.f_bsize, &buf->f_bsize);
-       __put_user(kbuf.f_frsize, &buf->f_frsize);
-       __put_user(kbuf.f_blocks, &buf->f_blocks);
-       __put_user(kbuf.f_bfree, &buf->f_bfree);
-       __put_user(kbuf.f_bfree, &buf->f_bavail);  /* XXX hackety hack... */
-       __put_user(kbuf.f_files, &buf->f_files);
-       __put_user(kbuf.f_ffree, &buf->f_ffree);
-       __put_user(kbuf.f_ffree, &buf->f_favail);  /* XXX hackety hack... */
+       error = __put_user(kbuf.f_bsize, &buf->f_bsize);
+       error |= __put_user(kbuf.f_frsize, &buf->f_frsize);
+       error |= __put_user(kbuf.f_blocks, &buf->f_blocks);
+       error |= __put_user(kbuf.f_bfree, &buf->f_bfree);
+       error |= __put_user(kbuf.f_bfree, &buf->f_bavail);  /* XXX hackety 
hack... */
+       error |= __put_user(kbuf.f_files, &buf->f_files);
+       error |= __put_user(kbuf.f_ffree, &buf->f_ffree);
+       error |= __put_user(kbuf.f_ffree, &buf->f_favail);  /* XXX hackety 
hack... */
 #ifdef __MIPSEB__
-       __put_user(kbuf.f_fsid.val[1], &buf->f_fsid);
+       error |= __put_user(kbuf.f_fsid.val[1], &buf->f_fsid);
 #else
-       __put_user(kbuf.f_fsid.val[0], &buf->f_fsid);
+       error |= __put_user(kbuf.f_fsid.val[0], &buf->f_fsid);
 #endif
        for(i = 0; i < 16; i++)
-               __put_user(0, &buf->f_basetype[i]);
-       __put_user(0, &buf->f_flag);
-       __put_user(kbuf.f_namelen, &buf->f_namemax);
-       __clear_user(buf->f_fstr, sizeof(buf->f_fstr[i]));
+               error |= __put_user(0, &buf->f_basetype[i]);
+       error |= __put_user(0, &buf->f_flag);
+       error |= __put_user(kbuf.f_namelen, &buf->f_namemax);
+       error |= __clear_user(buf->f_fstr, sizeof(buf->f_fstr[i])) ? -EFAULT : 
0;
 
 out_f:
        fput(file);
@@ -1729,15 +1715,14 @@
        return error;
 }
 
-asmlinkage int irix_getmountid(char *fname, unsigned long *midbuf)
+asmlinkage int irix_getmountid(char __user *fname, unsigned long __user 
*midbuf)
 {
        int err;
 
        printk("[%s:%d] irix_getmountid(%s, %p)\n",
               current->comm, current->pid, fname, midbuf);
-       err = verify_area(VERIFY_WRITE, midbuf, (sizeof(unsigned long) * 4));
-       if (err)
-               return err;
+       if (!access_ok(VERIFY_WRITE, midbuf, (sizeof(unsigned long) * 4)))
+               return -EFAULT;
 
        /*
         * The idea with this system call is that when trying to determine
@@ -1745,7 +1730,7 @@
         * fsid of the filesystem to try and make the right decision, but
         * we don't have this so for now. XXX
         */
-       err |= __put_user(0, &midbuf[0]);
+       err = __put_user(0, &midbuf[0]);
        err |= __put_user(0, &midbuf[1]);
        err |= __put_user(0, &midbuf[2]);
        err |= __put_user(0, &midbuf[3]);
@@ -1772,8 +1757,8 @@
 };
 
 struct irix_dirent32_callback {
-       struct irix_dirent32 *current_dir;
-       struct irix_dirent32 *previous;
+       struct irix_dirent32 __user *current_dir;
+       struct irix_dirent32 __user *previous;
        int count;
        int error;
 };
@@ -1781,13 +1766,13 @@
 #define NAME_OFFSET32(de) ((int) ((de)->d_name - (char *) (de)))
 #define ROUND_UP32(x) (((x)+sizeof(u32)-1) & ~(sizeof(u32)-1))
 
-static int irix_filldir32(void *__buf, const char *name, int namlen,
-                          loff_t offset, ino_t ino, unsigned int d_type)
+static int irix_filldir32(void *__buf, const char *name,
+       int namlen, loff_t offset, ino_t ino, unsigned int d_type)
 {
-       struct irix_dirent32 *dirent;
-       struct irix_dirent32_callback *buf =
-                (struct irix_dirent32_callback *)__buf;
+       struct irix_dirent32 __user *dirent;
+       struct irix_dirent32_callback *buf = __buf;
        unsigned short reclen = ROUND_UP32(NAME_OFFSET32(dirent) + namlen + 1);
+       int err = 0;
 
 #ifdef DEBUG_GETDENTS
        printk("\nirix_filldir32[reclen<%d>namlen<%d>count<%d>]",
@@ -1798,25 +1783,26 @@
                return -EINVAL;
        dirent = buf->previous;
        if (dirent)
-               __put_user(offset, &dirent->d_off);
+               err = __put_user(offset, &dirent->d_off);
        dirent = buf->current_dir;
-       buf->previous = dirent;
-       __put_user(ino, &dirent->d_ino);
-       __put_user(reclen, &dirent->d_reclen);
-       copy_to_user(dirent->d_name, name, namlen);
-       __put_user(0, &dirent->d_name[namlen]);
-       ((char *) dirent) += reclen;
+       err |= __put_user(dirent, &buf->previous);
+       err |= __put_user(ino, &dirent->d_ino);
+       err |= __put_user(reclen, &dirent->d_reclen);
+       err |= copy_to_user((char __user *)dirent->d_name, name, namlen) ? 
-EFAULT : 0;
+       err |= __put_user(0, &dirent->d_name[namlen]);
+       dirent = (struct irix_dirent32 __user *) ((char __user *) dirent + 
reclen);
+
        buf->current_dir = dirent;
        buf->count -= reclen;
 
-       return 0;
+       return err;
 }
 
-asmlinkage int irix_ngetdents(unsigned int fd, void * dirent,
-       unsigned int count, int *eob)
+asmlinkage int irix_ngetdents(unsigned int fd, void __user * dirent,
+       unsigned int count, int __user *eob)
 {
        struct file *file;
-       struct irix_dirent32 *lastdirent;
+       struct irix_dirent32 __user *lastdirent;
        struct irix_dirent32_callback buf;
        int error;
 
@@ -1829,7 +1815,7 @@
        if (!file)
                goto out;
 
-       buf.current_dir = (struct irix_dirent32 *) dirent;
+       buf.current_dir = (struct irix_dirent32 __user *) dirent;
        buf.previous = NULL;
        buf.count = count;
        buf.error = 0;
@@ -1869,8 +1855,8 @@
 };
 
 struct irix_dirent64_callback {
-       struct irix_dirent64 *curr;
-       struct irix_dirent64 *previous;
+       struct irix_dirent64 __user *curr;
+       struct irix_dirent64 __user *previous;
        int count;
        int error;
 };
@@ -1878,37 +1864,44 @@
 #define NAME_OFFSET64(de) ((int) ((de)->d_name - (char *) (de)))
 #define ROUND_UP64(x) (((x)+sizeof(u64)-1) & ~(sizeof(u64)-1))
 
-static int irix_filldir64(void * __buf, const char * name, int namlen,
-                         loff_t offset, ino_t ino, unsigned int d_type)
+static int irix_filldir64(void *__buf, const char *name,
+       int namlen, loff_t offset, ino_t ino, unsigned int d_type)
 {
-       struct irix_dirent64 *dirent;
-       struct irix_dirent64_callback * buf =
-               (struct irix_dirent64_callback *) __buf;
+       struct irix_dirent64 __user *dirent;
+       struct irix_dirent64_callback * buf = __buf;
        unsigned short reclen = ROUND_UP64(NAME_OFFSET64(dirent) + namlen + 1);
+       int err = 0; 
 
-       buf->error = -EINVAL;   /* only used if we fail.. */
+       if (!access_ok(VERIFY_WRITE, buf, sizeof(*buf)))
+               return -EFAULT;
+
+       if (__put_user(-EINVAL, &buf->error))   /* only used if we fail.. */
+               return -EFAULT;
        if (reclen > buf->count)
                return -EINVAL;
        dirent = buf->previous;
        if (dirent)
-               __put_user(offset, &dirent->d_off);
+               err = __put_user(offset, &dirent->d_off);
        dirent = buf->curr;
        buf->previous = dirent;
-       __put_user(ino, &dirent->d_ino);
-       __put_user(reclen, &dirent->d_reclen);
-       __copy_to_user(dirent->d_name, name, namlen);
-       __put_user(0, &dirent->d_name[namlen]);
-       ((char *) dirent) += reclen;
+       err |= __put_user(ino, &dirent->d_ino);
+       err |= __put_user(reclen, &dirent->d_reclen);
+       err |= __copy_to_user((char __user *)dirent->d_name, name, namlen)
+              ? -EFAULT : 0;
+       err |= __put_user(0, &dirent->d_name[namlen]);
+
+       dirent = (struct irix_dirent64 __user *) ((char __user *) dirent + 
reclen);
+
        buf->curr = dirent;
        buf->count -= reclen;
 
-       return 0;
+       return err;
 }
 
-asmlinkage int irix_getdents64(int fd, void *dirent, int cnt)
+asmlinkage int irix_getdents64(int fd, void __user *dirent, int cnt)
 {
        struct file *file;
-       struct irix_dirent64 *lastdirent;
+       struct irix_dirent64 __user *lastdirent;
        struct irix_dirent64_callback buf;
        int error;
 
@@ -1928,7 +1921,7 @@
        if (cnt < (sizeof(struct irix_dirent64) + 255))
                goto out_f;
 
-       buf.curr = (struct irix_dirent64 *) dirent;
+       buf.curr = (struct irix_dirent64 __user *) dirent;
        buf.previous = NULL;
        buf.count = cnt;
        buf.error = 0;
@@ -1940,7 +1933,8 @@
                error = buf.error;
                goto out_f;
        }
-       lastdirent->d_off = (u64) file->f_pos;
+       if (put_user(file->f_pos, &lastdirent->d_off))
+               return -EFAULT;
 #ifdef DEBUG_GETDENTS
        printk("returning %d\n", cnt - buf.count);
 #endif
@@ -1952,10 +1946,10 @@
        return error;
 }
 
-asmlinkage int irix_ngetdents64(int fd, void *dirent, int cnt, int *eob)
+asmlinkage int irix_ngetdents64(int fd, void __user *dirent, int cnt, int *eob)
 {
        struct file *file;
-       struct irix_dirent64 *lastdirent;
+       struct irix_dirent64 __user *lastdirent;
        struct irix_dirent64_callback buf;
        int error;
 
@@ -1977,7 +1971,7 @@
                goto out_f;
 
        *eob = 0;
-       buf.curr = (struct irix_dirent64 *) dirent;
+       buf.curr = (struct irix_dirent64 __user *) dirent;
        buf.previous = NULL;
        buf.count = cnt;
        buf.error = 0;
@@ -1989,7 +1983,8 @@
                error = buf.error;
                goto out_f;
        }
-       lastdirent->d_off = (u64) file->f_pos;
+       if (put_user(file->f_pos, &lastdirent->d_off))
+               return -EFAULT;
 #ifdef DEBUG_GETDENTS
        printk("eob=%d returning %d\n", *eob, cnt - buf.count);
 #endif
@@ -2052,14 +2047,14 @@
        return retval;
 }
 
-asmlinkage int irix_utssys(char *inbuf, int arg, int type, char *outbuf)
+asmlinkage int irix_utssys(char __user *inbuf, int arg, int type, char __user 
*outbuf)
 {
        int retval;
 
        switch(type) {
        case 0:
                /* uname() */
-               retval = irix_uname((struct iuname *)inbuf);
+               retval = irix_uname((struct iuname __user *)inbuf);
                goto out;
 
        case 2:
diff -urN linux/arch/mips/kernel/unaligned.c linux/arch/mips/kernel/unaligned.c
--- linux/arch/mips/kernel/unaligned.c  2005/03/01 21:20:47     1.37
+++ linux/arch/mips/kernel/unaligned.c  2005/03/17 21:50:49     1.38
@@ -143,7 +143,7 @@
         * The remaining opcodes are the ones that are really of interest.
         */
        case lh_op:
-               if (verify_area(VERIFY_READ, addr, 2))
+               if (!access_ok(VERIFY_READ, addr, 2))
                        goto sigbus;
 
                __asm__ __volatile__ (".set\tnoat\n"
@@ -176,7 +176,7 @@
                break;
 
        case lw_op:
-               if (verify_area(VERIFY_READ, addr, 4))
+               if (!access_ok(VERIFY_READ, addr, 4))
                        goto sigbus;
 
                __asm__ __volatile__ (
@@ -206,7 +206,7 @@
                break;
 
        case lhu_op:
-               if (verify_area(VERIFY_READ, addr, 2))
+               if (!access_ok(VERIFY_READ, addr, 2))
                        goto sigbus;
 
                __asm__ __volatile__ (
@@ -248,7 +248,7 @@
                 * would blow up, so for now we don't handle unaligned 64-bit
                 * instructions on 32-bit kernels.
                 */
-               if (verify_area(VERIFY_READ, addr, 4))
+               if (!access_ok(VERIFY_READ, addr, 4))
                        goto sigbus;
 
                __asm__ __volatile__ (
@@ -292,7 +292,7 @@
                 * would blow up, so for now we don't handle unaligned 64-bit
                 * instructions on 32-bit kernels.
                 */
-               if (verify_area(VERIFY_READ, addr, 8))
+               if (!access_ok(VERIFY_READ, addr, 8))
                        goto sigbus;
 
                __asm__ __volatile__ (
@@ -326,7 +326,7 @@
                goto sigill;
 
        case sh_op:
-               if (verify_area(VERIFY_WRITE, addr, 2))
+               if (!access_ok(VERIFY_WRITE, addr, 2))
                        goto sigbus;
 
                value = regs->regs[insn.i_format.rt];
@@ -362,7 +362,7 @@
                break;
 
        case sw_op:
-               if (verify_area(VERIFY_WRITE, addr, 4))
+               if (!access_ok(VERIFY_WRITE, addr, 4))
                        goto sigbus;
 
                value = regs->regs[insn.i_format.rt];
@@ -400,7 +400,7 @@
                 * would blow up, so for now we don't handle unaligned 64-bit
                 * instructions on 32-bit kernels.
                 */
-               if (verify_area(VERIFY_WRITE, addr, 8))
+               if (!access_ok(VERIFY_WRITE, addr, 8))
                        goto sigbus;
 
                value = regs->regs[insn.i_format.rt];
diff -urN linux/arch/mips/math-emu/dsemul.c linux/arch/mips/math-emu/dsemul.c
--- linux/arch/mips/math-emu/dsemul.c   2005/02/28 17:55:57     1.6
+++ linux/arch/mips/math-emu/dsemul.c   2005/03/17 21:50:49     1.7
@@ -92,7 +92,7 @@
        fr = (struct emuframe *) dsemul_insns;
 
        /* Verify that the stack pointer is not competely insane */
-       if (unlikely(verify_area(VERIFY_WRITE, fr, sizeof(struct emuframe))))
+       if (unlikely(!access_ok(VERIFY_WRITE, fr, sizeof(struct emuframe))))
                return SIGBUS;
 
        err = __put_user(ir, &fr->emul);
@@ -125,7 +125,7 @@
         * If we can't even access the area, something is very wrong, but we'll
         * leave that to the default handling
         */
-       if (verify_area(VERIFY_READ, fr, sizeof(struct emuframe)))
+       if (!access_ok(VERIFY_READ, fr, sizeof(struct emuframe)))
                return 0;
 
        /*
diff -urN linux/arch/mips/mm/cache.c linux/arch/mips/mm/cache.c
--- linux/arch/mips/mm/cache.c  2005/03/08 14:39:39     1.18
+++ linux/arch/mips/mm/cache.c  2005/03/17 21:50:49     1.19
@@ -55,7 +55,7 @@
 asmlinkage int sys_cacheflush(unsigned long __user addr,
        unsigned long bytes, unsigned int cache)
 {
-       if (verify_area(VERIFY_WRITE, (void __user *) addr, bytes))
+       if (!access_ok(VERIFY_WRITE, (void __user *) addr, bytes))
                return -EFAULT;
 
        flush_icache_range(addr, addr + bytes);

<Prev in Thread] Current Thread [Next in Thread>