2 files changed, 8 insertions, 1 deletions

diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S
index bc5f50799d75..9f157e7c51e7 100644
--- a/arch/arm/kernel/entry-armv.S
+++ b/arch/arm/kernel/entry-armv.S
@@ -295,6 +295,7 @@ __und_svc_fault:
         bl      __und_fault
 
 __und_svc_finish:
+        get_thread_info tsk
         ldr     r5, [sp, #S_PSR]                @ Get SVC cpsr
         svc_exit r5                             @ return from exception
  UNWIND(.fnend          )
diff --git a/arch/arm/kernel/sys_oabi-compat.c b/arch/arm/kernel/sys_oabi-compat.c
index 087acb569b63..5f221acd21ae 100644
--- a/arch/arm/kernel/sys_oabi-compat.c
+++ b/arch/arm/kernel/sys_oabi-compat.c
@@ -279,8 +279,12 @@ asmlinkage long sys_oabi_epoll_wait(int epfd,
         mm_segment_t fs;
         long ret, err, i;
 
-        if (maxevents <= 0 || maxevents > (INT_MAX/sizeof(struct epoll_event)))
+        if (maxevents <= 0 ||
+                        maxevents > (INT_MAX/sizeof(*kbuf)) ||
+                        maxevents > (INT_MAX/sizeof(*events)))
                 return -EINVAL;
+        if (!access_ok(VERIFY_WRITE, events, sizeof(*events) * maxevents))
+                return -EFAULT;
         kbuf = kmalloc(sizeof(*kbuf) * maxevents, GFP_KERNEL);
         if (!kbuf)
                 return -ENOMEM;
@@ -317,6 +321,8 @@ asmlinkage long sys_oabi_semtimedop(int semid,
 
         if (nsops < 1 || nsops > SEMOPM)
                 return -EINVAL;
+        if (!access_ok(VERIFY_READ, tsops, sizeof(*tsops) * nsops))
+                return -EFAULT;
         sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL);
         if (!sops)
                 return -ENOMEM;