DragonFlyBSD Kernel Audit
DF-0116

copyin/copyout/uiomove_nofault clear TDF_NOFAULT unconditionally instead of save/restore

Summary

copyin_nofault(:60-70), copyout_nofault(:72-82) and uiomove_nofault(:206-216) clear TDF_NOFAULT on exit with an unconditional atomic_clear_int(TDF_NOFAULT). uiomove_fromphys(:612-616), by contrast, saves the flag's prior state on entry and restores it on exit. If one of the three is invoked from a context that already has TDF_NOFAULT set (a nested no-fault copy), the inner call clears the flag on return and the outer caller silently loses its no-fault protection for the rest of its section. No unprivileged trigger was found; the fix is defense-in-depth.
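To make the nesting problem concrete, the following is an added, self-contained C model of the two flag-handling patterns the summary contrasts. It is not DragonFly's code: the thread structure, the flag bit value, the model_* helpers and the two copy_nofault_* functions are constructed stand-ins for td_flags, TDF_NOFAULT, atomic_set_int/atomic_clear_int and the real copy routines, and the "copy" itself is just a memcpy because only the flag bookkeeping matters here. outer_nofault_section() simulates a caller that already holds the flag, calls the helper in the middle of its own no-fault section, and reports whether the flag survived the inner call.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a thread flags word and one flag bit.  These stand in
 * for td->td_flags and TDF_NOFAULT; the values are assumptions for the model. */
#define MODEL_TDF_NOFAULT 0x0001u

struct model_thread {
    _Atomic unsigned int td_flags;
};

/* Model equivalents of atomic_set_int()/atomic_clear_int() on the flags word. */
static void model_atomic_set_int(_Atomic unsigned int *p, unsigned int bits)
{
    atomic_fetch_or(p, bits);
}

static void model_atomic_clear_int(_Atomic unsigned int *p, unsigned int bits)
{
    atomic_fetch_and(p, ~bits);
}

/* Stand-in for the actual copy; the example is about the flag handling
 * around it, so this only memcpy()s and reports success. */
static int model_copy(void *dst, const void *src, size_t len)
{
    memcpy(dst, src, len);
    return 0;
}

/* Pattern the audit flags: set the bit, copy, then clear the bit
 * unconditionally.  A caller that already had the bit set loses it. */
static int copy_nofault_unconditional_clear(struct model_thread *td,
                                            void *dst, const void *src, size_t len)
{
    int error;

    model_atomic_set_int(&td->td_flags, MODEL_TDF_NOFAULT);
    error = model_copy(dst, src, len);
    model_atomic_clear_int(&td->td_flags, MODEL_TDF_NOFAULT);
    return error;
}

/* Save/restore pattern (the behaviour the audit attributes to
 * uiomove_fromphys): remember whether the bit was already set on entry and
 * clear it on exit only if this call was the one that set it. */
static int copy_nofault_save_restore(struct model_thread *td,
                                     void *dst, const void *src, size_t len)
{
    int error;
    unsigned int saved = atomic_load(&td->td_flags) & MODEL_TDF_NOFAULT;

    model_atomic_set_int(&td->td_flags, MODEL_TDF_NOFAULT);
    error = model_copy(dst, src, len);
    if (!saved)
        model_atomic_clear_int(&td->td_flags, MODEL_TDF_NOFAULT);
    return error;
}

typedef int (*copy_fn)(struct model_thread *, void *, const void *, size_t);

/* Simulate an outer no-fault section that calls a helper in the middle and
 * still needs the protection afterwards.  Returns 1 if TDF_NOFAULT is still
 * set after the inner call, 0 if the inner call stripped it. */
static int outer_nofault_section(copy_fn inner)
{
    struct model_thread td = { 0 };
    char src[8] = "payload";   /* constructed sample data */
    char dst[8];
    int still_set;

    model_atomic_set_int(&td.td_flags, MODEL_TDF_NOFAULT);   /* outer holds the flag */
    inner(&td, dst, src, sizeof(src));                        /* nested no-fault copy */
    still_set = (atomic_load(&td.td_flags) & MODEL_TDF_NOFAULT) != 0;
    model_atomic_clear_int(&td.td_flags, MODEL_TDF_NOFAULT);  /* outer's own cleanup */
    return still_set;
}

/* Non-nested case: flag starts clear, helper runs, flag must end clear.
 * Returns the flag state after the call (0 is the correct answer). */
static int standalone_call(copy_fn fn)
{
    struct model_thread td = { 0 };
    char src[8] = "payload";
    char dst[8];

    fn(&td, dst, src, sizeof(src));
    return (atomic_load(&td.td_flags) & MODEL_TDF_NOFAULT) != 0;
}

int main(void)
{
    printf("nested, unconditional clear: outer keeps flag = %d\n",
           outer_nofault_section(copy_nofault_unconditional_clear));
    printf("nested, save/restore:        outer keeps flag = %d\n",
           outer_nofault_section(copy_nofault_save_restore));
    return 0;
}
```

Both patterns behave identically when the flag starts clear; the difference only appears when the helper is entered with the flag already set, which is exactly the nested case the audit describes.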