> I take it that it is safe to assume that interrupt code which is interrupting
> the kernel never, under any circumstances, reads or writes userland memory or
> does anything else which could potentially cause a fault.

This is correct, albeit I would say it the other way around:
no interrupt code may access any userland memory, nor may it access any
part of the user structure including data residing on the kernel stack.

Conceptually, the kernel is divided into two parts, the upper part which runs
code on behalf of a user process, and the lower half that essentially consists
of the interrupt handlers and any code run as subroutines of those.
Code in the lower half isn't associated with any process and thus it cannot
sleep. This in turn forbids anything that cannot immediately be serviced, like
e.g. page faults. This includes the user structure and the kernel stack of
the upper half (including e.g. accessing automatic variables of the upper
half via pointers), since those might be paged out (see below).

> All process information used by the kernel is unpageable (but possibly
> swappable).

In fact swapping in 4.4 (or Net2) derived BSD only means to make the user
structure and the per process kernel stack pageable. So the distinction between
these two isn't as big as it seems.

But the implication of your statement is correct. The user structure and
kernel stack should not be accessed while a process is swapped out. I'm not
sure about access to this data by another process from its upper half code
(e.g. by ptrace). At least the current implementation allows that (albeit the
current ptrace code has extra code to swap the process in for that).

Hope it helps,
Wolfgang
--
ws@TooLs.DE     (Wolfgang Solfrank, TooLs GmbH) 	+49-228-985800