Index: alpha/locore.s
===================================================================
RCS file: /cvs/src/sys/arch/alpha/alpha/locore.s,v
retrieving revision 1.41
diff -u -p -r1.41 locore.s
--- alpha/locore.s	11 Jun 2015 17:26:17 -0000	1.41
+++ alpha/locore.s	16 Jun 2015 21:02:29 -0000
@@ -1026,7 +1026,7 @@ NESTED(copyin, 3, 16, ra, IM_RA|IM_S0, 0
 	lda	sp, 16(sp)			/* kill stack frame.	     */
 	mov	zero, v0			/* return 0. */
 	RET
-	END(copyin)
+END(copyin)
 
 NESTED(copyout, 3, 16, ra, IM_RA|IM_S0, 0)
 	LDGP(pv)
@@ -1036,27 +1036,48 @@ NESTED(copyout, 3, 16, ra, IM_RA|IM_S0, 
 	/* Note: GET_CURPROC clobbers v0, t0, t8...t11. */
 	GET_CURPROC
 	mov	v0, s0
-	ldiq	t0, VM_MAX_ADDRESS		/* make sure that dest addr  */
-	cmpult	a1, t0, t1			/* is in user space.	     */
-	beq	t1, copyerr			/* if it's not, error out.   */
-	lda	v0, copyerr			/* set up fault handler.     */
 	.set noat
 	ldq	at_reg, 0(s0)
-	ldq	at_reg, P_ADDR(at_reg)
-	stq	v0, U_PCB_ONFAULT(at_reg)
+	ldq	s0, P_ADDR(at_reg)
 	.set at
+	ldiq	t0, VM_MAX_ADDRESS		/* make sure that dest addr  */
+	cmpult	a1, t0, t1			/* is in user space.	     */
+	beq	t1, copyouterr			/* if it's not, error out.   */
+	ldq	v0, U_PCB_ONFAULT(s0)
+	bne	v0, copyout_panic
+	lda	v0, copyouterr			/* set up fault handler.     */
+	stq	v0, U_PCB_ONFAULT(s0)
 	CALL(bcopy)				/* do the copy.		     */
+	stq	zero, U_PCB_ONFAULT(s0)		/* kill the fault handler.   */
+	ldq	ra, (16-8)(sp)			/* restore ra.		     */
+	ldq	s0, (16-16)(sp)			/* restore s0.		     */
+	lda	sp, 16(sp)			/* kill stack frame.	     */
+	mov	zero, v0			/* return 0. */
+	RET
+
+copyout_panic:
+	.set at
+	lda	a0, copyout_panicmsg
+	CALL(panic)
+	call_pal PAL_bugchk
+
+	.data
+copyout_panicmsg:
+	.asciz	"onfault is not NULL"
+	.text
+END(copyout)
+
+LEAF(copyouterr, 0)
+	LDGP(pv)
 	.set noat
-	ldq	at_reg, 0(s0)			/* kill the fault handler.   */
-	ldq	at_reg, P_ADDR(at_reg)
-	stq	zero, U_PCB_ONFAULT(at_reg)
+	stq	zero, U_PCB_ONFAULT(s0)		/* kill the fault handler.   */
 	.set at
 	ldq	ra, (16-8)(sp)			/* restore ra.		     */
 	ldq	s0, (16-16)(sp)			/* restore s0.		     */
 	lda	sp, 16(sp)			/* kill stack frame.	     */
-	mov	zero, v0			/* return 0. */
+	ldiq	v0, EFAULT			/* return EFAULT.	     */
 	RET
-	END(copyout)
+END(copyouterr)
 
 LEAF(copyerr, 0)
 	LDGP(pv)