Index: qemu/linux-user/syscall.c
===================================================================
--- qemu.orig/linux-user/syscall.c 2007-09-17 01:37:05.000000000 -0400
+++ qemu/linux-user/syscall.c 2007-09-17 01:37:26.000000000 -0400
@@ -2040,22 +2040,21 @@
 /* XXX: add locking support */
 static int write_ldt(CPUX86State *env,
- target_ulong ptr, unsigned long bytecount, int oldmode)
+ struct target_modify_ldt_ldt_s *target_ldt_info, unsigned long bytecount, int oldmode)
 {
+ long ret = 0;
 struct target_modify_ldt_ldt_s ldt_info;
- struct target_modify_ldt_ldt_s *target_ldt_info;
 int seg_32bit, contents, read_exec_only, limit_in_pages;
 int seg_not_present, useable;
 uint32_t *lp, entry_1, entry_2;
 if (bytecount != sizeof(ldt_info))
 return -EINVAL;
- lock_user_struct(target_ldt_info, ptr, 1);
+ if( !access_ok(&target_ldt_info,target_ldt_info,sizeof(struct target_modify_ldt_ldt_s)) ) return -EFAULT;
 ldt_info.entry_number = tswap32(target_ldt_info->entry_number);
 ldt_info.base_addr = tswapl(target_ldt_info->base_addr);
 ldt_info.limit = tswap32(target_ldt_info->limit);
 ldt_info.flags = tswap32(target_ldt_info->flags);
- unlock_user_struct(target_ldt_info, ptr, 0);
 if (ldt_info.entry_number >= TARGET_LDT_ENTRIES)
 return -EINVAL;
@@ -2130,10 +2129,10 @@
 ret = read_ldt(ptr, bytecount);
 break;
 case 1:
- ret = write_ldt(env, ptr, bytecount, 1);
+ ret = write_ldt(env, (struct target_modify_ldt_ldt_s *)ptr, bytecount, 1);
 break;
 case 0x11:
- ret = write_ldt(env, ptr, bytecount, 0);
+ ret = write_ldt(env, (struct target_modify_ldt_ldt_s *)ptr, bytecount, 0);
 break;
 }
 return ret;
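Review bot: The first argument on the new `if( !access_ok(&target_ldt_info, ...) )` line looks like the address of the local pointer, whereas QEMU's `access_ok(type, addr, size)` expects `VERIFY_READ` or `VERIFY_WRITE` there; the struct is only read in this function, so the check should read `if (!access_ok(VERIFY_READ, target_ldt_info, sizeof(*target_ldt_info))) return -EFAULT;`. With a pointer value passed as `type`, the permission actually checked on the guest-supplied range is presumably whatever a non-zero type selects, so the validation does not match the intent. The removed `lock_user_struct`/`unlock_user_struct` pair also covered the guest-to-host side of the access; the new code dereferences `target_ldt_info` directly as a host pointer, which only holds when guest and host addresses coincide, and that assumption deserves a comment at the dereference. `long ret = 0;` is unused in the visible lines, and the `if(` spacing and single-line body differ from the file's `if (...)` newline style; write_ldt's body continues past the end of the hunk.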
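Review bot: The `case 1` and `case 0x11` arms now cast the guest address `ptr` (a `target_ulong`) straight to a host `struct target_modify_ldt_ldt_s *`, while the arm just above still passes the same `ptr` to `read_ldt(ptr, bytecount)` as a guest address, so the two callees now disagree about what `ptr` denotes. An integer-to-pointer cast of a guest-controlled value is only correct when the guest and host address spaces are identity-mapped, which nothing in this hunk establishes, and on hosts whose pointers are wider than `target_ulong` the cast will also draw a conversion warning. If identity mapping is the intended configuration, state it at the cast, e.g. `/* guest addresses are used as host addresses here; no translation */`; otherwise keeping the guest address in the caller and translating inside write_ldt, as the old code did, keeps the switch uniform. The enclosing function and switch start before the hunk.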