a9627169cd
Subject: Page fault in PTE area fails in copyout Index: sys/i386/i386/trap.c FreeBSD-1.0.2 Description: Reading files of several megabytes into Emacs, or many small files all at once, would fail with "IO error - bad address". Repeat-By: The bug can be exercised by a test program that malloc()'s a 5MB chunk of memory, and then, without accessing the memory first, filling it with data from a file using read(). (I read 64k chunks from /dev/wd0d into successive 64k regions of the 5MB chunk.) The read() will fail with EFAULT at the first virtual address boundary that is a multiple of 0x400000. Fix: The problem was code in sys/i386/i386/trap.c that tries to figure out what kind of trap occurred and to handle it appropriately. It was interpreting any page fault with virtual address >= vm->vm_maxsaddr as being a user stack segment fault. In fact, addresses >= USRSTACK are in the user structure/PTE area, and if they are handled as stack faults, the proper PTE will not be paged in when it is supposed to be. This situation comes up in copyout() and copyoutstr(), if PTE's are accessed for the first time ever. The page fault on accessing the nonexistent PTE is mishandled as a stack fault, and then the fault that occurs on the subsequent access to the page itself causes copyout to fail with EFAULT.