Index: qemu/linux-user/syscall.c
===================================================================
--- qemu.orig/linux-user/syscall.c	2007-09-16 15:56:47.000000000 -0400
+++ qemu/linux-user/syscall.c	2007-09-16 15:56:49.000000000 -0400
@@ -2436,26 +2436,24 @@
 }
 #endif
 
-static inline void target_to_host_timespec(struct timespec *host_ts,
-                                           target_ulong target_addr)
+static inline long copy_from_user_timespec(struct timespec *host_ts,
+                                           struct target_timespec *target_ts)
 {
-    struct target_timespec *target_ts;
-
-    lock_user_struct(target_ts, target_addr, 1);
+    if( copy_from_user(host_ts,target_ts,sizeof(*target_ts)) ) return -1;
     host_ts->tv_sec = tswapl(target_ts->tv_sec);
     host_ts->tv_nsec = tswapl(target_ts->tv_nsec);
-    unlock_user_struct(target_ts, target_addr, 0);
+
+    return 0;
 }
 
-static inline void host_to_target_timespec(target_ulong target_addr,
+static inline long copy_to_user_timespec(struct target_timespec *target_ts,
                                            struct timespec *host_ts)
 {
-    struct target_timespec *target_ts;
-
-    lock_user_struct(target_ts, target_addr, 0);
+    if( copy_to_user(target_ts, host_ts, sizeof(*target_ts)) ) return -1;
     target_ts->tv_sec = tswapl(host_ts->tv_sec);
     target_ts->tv_nsec = tswapl(host_ts->tv_nsec);
-    unlock_user_struct(target_ts, target_addr, 1);
+
+    return 0;
 }
 
 long do_syscall(void *cpu_env, int num, long arg1, long arg2, long arg3,
@@ -3102,7 +3100,7 @@
             unlock_user(p, arg1, 0);
             if (arg3) {
                 puts = &uts;
-                target_to_host_timespec(puts, arg3);
+                copy_from_user_timespec(puts, (struct target_timespec *)arg3);
             } else {
                 puts = NULL;
             }
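Review bot: Both new helpers defeat the checked copy they introduce: `copy_from_user_timespec` copies into `host_ts` and then reads `target_ts->tv_sec`/`tv_nsec` straight through the guest pointer, so the copied bytes are discarded and guest memory is still dereferenced directly; `copy_to_user_timespec` does the mirror image, copying `host_ts` out and then writing the swapped fields through `target_ts` unchecked. The copy lengths are also taken from `sizeof(*target_ts)` while the other operand is a host `struct timespec`; where the two layouts differ in size (they presumably do for a 32-bit target on a 64-bit host, and the reverse would overflow `host_ts`) this copies the wrong number of bytes. Stage the value in a local `struct target_timespec` so the byte swap happens on the host side and the guest pointer is touched exactly once, by the checked copy. `do_syscall` begins on the hunk's last line and continues outside it.
```c
static inline long copy_from_user_timespec(struct timespec *host_ts,
                                           struct target_timespec *target_ts)
{
    struct target_timespec tmp;

    /* Guest memory is read once, via the checked copy; never dereferenced. */
    if( copy_from_user(&tmp, target_ts, sizeof(tmp)) ) return -1;
    host_ts->tv_sec = tswapl(tmp.tv_sec);
    host_ts->tv_nsec = tswapl(tmp.tv_nsec);

    return 0;
}

static inline long copy_to_user_timespec(struct target_timespec *target_ts,
                                         struct timespec *host_ts)
{
    struct target_timespec tmp;

    /* Swap into a host temporary, then do the single checked copy out. */
    tmp.tv_sec = tswapl(host_ts->tv_sec);
    tmp.tv_nsec = tswapl(host_ts->tv_nsec);
    if( copy_to_user(target_ts, &tmp, sizeof(tmp)) ) return -1;

    return 0;
}
```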
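Review bot: The return value of `copy_from_user_timespec` is dropped at this call site, unlike every other caller in the patch, so when the guest passes an unreadable `arg3` the syscall goes ahead with `puts` pointing at a `uts` that was never filled in. The `p` buffer has already been released on the line above, so failing here the same way as the other sites looks safe: `if( copy_from_user_timespec(puts, (struct target_timespec *)arg3) ) return -EFAULT;`. The enclosing case starts and ends outside the hunk, so confirm nothing later still relies on `p`.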
@@ -3997,17 +3995,17 @@
             struct timespec ts;
             ret = get_errno(sched_rr_get_interval(arg1, &ts));
             if (!is_error(ret)) {
-                host_to_target_timespec(arg2, &ts);
+                if( copy_to_user_timespec((struct target_timespec *)arg2, &ts) ) return -EFAULT;
             }
         }
         break;
     case TARGET_NR_nanosleep:
         {
             struct timespec req, rem;
-            target_to_host_timespec(&req, arg1);
+            if( copy_from_user_timespec(&req, (struct target_timespec *)arg1) ) return -EFAULT;
             ret = get_errno(nanosleep(&req, &rem));
             if (is_error(ret) && arg2) {
-                host_to_target_timespec(arg2, &rem);
+                if( copy_to_user_timespec((struct target_timespec *)arg2, &rem) ) return -EFAULT;
             }
         }
         break;
@@ -4615,7 +4613,7 @@
             struct timespec ts;
             ret = get_errno(clock_gettime(arg1, &ts));
             if (!is_error(ret)) {
-                host_to_target_timespec(arg2, &ts);
+                if( copy_to_user_timespec((struct target_timespec *)arg2, &ts) ) return -EFAULT;
             }
             break;
         }
@@ -4626,7 +4624,7 @@
             struct timespec ts;
             ret = get_errno(clock_getres(arg1, &ts));
             if (!is_error(ret)) {
-                host_to_target_timespec(arg2, &ts);
+                if( copy_to_user_timespec((struct target_timespec *)arg2, &ts) ) return -EFAULT;
             }
             break;
         }
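Review bot: The new failure paths `return -EFAULT` from the middle of the switch, while every other outcome in these cases is stored in `ret` and reaches the `break`; whatever `do_syscall` does after the switch (its tail is outside this hunk) is skipped for these errors, and they are the only results in the function that do not pass through `get_errno`. Writing them as `ret = -EFAULT; break;` keeps a single exit path; the same applies to the two `copy_to_user_timespec` sites in the clock_gettime and clock_getres hunks below. Separately, every caller now casts a `long` guest address to `struct target_timespec *`, which gives the helper a host-pointer type for something that is not a host pointer; keeping the helpers' parameter as the guest address type the old signature used (`target_ulong`) would make the casts disappear and keep the address/pointer distinction visible at the call site. Each case's opening and the function's closing lie outside the hunk.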