>Number:         36303
>Category:       kern
>Synopsis:       ubc write yields zero bytes
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu May 10 15:15:00 +0000 2007
>Originator:     YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
>Release:        NetBSD 4.99.19
>Organization:
	
>Environment:
Architecture: i386
Machine: i386
>Description:
	typical implementations of VOP_WRITE() do the following.
		1. ubc_alloc()
		2. uiomove()
		3. ubc_release()
		4. bump v_size.

	in the case of !PGO_FAULTBUSY, the above uiomove() can involve
	multiple page faults, because:
		- ubc_fault() can fail to map some pages.
		  eg. when pmap_enter() failed.
		- pages can be freed by other threads.  eg. pagedaemon.
		  (cf. PR/33152)

	on 2nd (or later) faults, because we have not bumped v_size yet,
	genfs_getpages can consider valid data copied by uiomove() as
	"tailbytes" and overwrite them with zero.
>How-To-Repeat:
	code inspection.
>Fix:
	check PG_FAKE?

>Unformatted: