Fix an evil bug that appeared in September 2003. VM86 bios calls use two

of the __pcb_spare longs.  Except that fields were changed and one of the
spare values was used and the __pcb_spare field was reduced from two to one
long.  Now VM86 bios calls can trash the first 4 bytes of the next page
following the kernel stack/pcb.  This Is Bad(TM).  This bug has been
present in 5.2-release and onwards, and is still in RELENG_5.

Instead of tempting fate and trying to use "spare" fields, explicitly
reserve them.

sys/i386/i386/genassym.c

@@ -134,7 +134,7 @@ ASSYM(PCB_PSL, offsetof(struct pcb, pcb_psl));
 ASSYM(PCB_DBREGS, PCB_DBREGS);
 ASSYM(PCB_EXT, offsetof(struct pcb, pcb_ext));
 
-ASSYM(PCB_SPARE, offsetof(struct pcb, __pcb_spare));
+ASSYM(PCB_VM86, offsetof(struct pcb, pcb_vm86));
 ASSYM(PCB_FLAGS, offsetof(struct pcb, pcb_flags));
 ASSYM(PCB_SAVEFPU, offsetof(struct pcb, pcb_save));
 ASSYM(PCB_SAVEFPU_SIZE, sizeof(union savefpu));

sys/i386/i386/vm86bios.s

@@ -38,8 +38,8 @@
 #define SCR_STACK	PCB_ESP
 #define SCR_PGTABLE	PCB_EBX
 #define SCR_ARGFRAME	PCB_EIP
-#define SCR_TSS0	PCB_SPARE
-#define SCR_TSS1	(PCB_SPARE+4)
+#define SCR_TSS0	PCB_VM86
+#define SCR_TSS1	(PCB_VM86+4)
 
 	.data
 	ALIGN_DATA

sys/i386/include/pcb.h

@@ -70,7 +70,7 @@ struct pcb {
 	struct	pcb_ext	*pcb_ext;	/* optional pcb extension */
 	int	pcb_psl;	/* process status long */
 	void	(*pcb_switchout)(void);	/* Special switchout function. */
-	u_long	__pcb_spare[1];	/* adjust to avoid core dump size changes */
+	u_long	pcb_vm86[2];	/* vm86bios scratch space */
 };
 
 #ifdef _KERNEL