NetBSD-Bugs archive


kern/60167: assert failed: uio->uio_iovcnt > NUM



>Number:         60167
>Category:       kern
>Synopsis:       assert failed: uio->uio_iovcnt > NUM
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Apr 02 08:30:01 +0000 2026
>Originator:     Jiaming Zhang
>Release:        image: NetBSD-10.1; kernel: trunk branch, commit fcca2226d50a3222f4010b6ef59cb5a1f9aa319b
>Organization:
>Environment:
NetBSD  11.99.5 NetBSD 11.99.5 (CLOUD) #0: Wed Apr  1 18:34:06 CST 2026  root@ustb520lab-MS-7E07:/vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/arch/amd64/compile/obj/CLOUD amd64
>Description:
When fuzzing the NetBSD kernel with syzkaller and our generated syscall descriptions, we encountered an issue: assert failed: uio->uio_iovcnt > NUM. This issue is reproducible in a recent version of the NetBSD kernel (commit fcca2226d50a3222f4010b6ef59cb5a1f9aa319b).

The kernel console output, kernel config, and reproducers are available at: https://drive.google.com/drive/folders/1piVZfvjQM42c_XGOd16fq9h63jg55feN?usp=sharing

The symbolized issue report is also shown below to help with analysis:

```
TITLE: assert failed: uio->uio_iovcnt > NUM
CORRUPTED: false ()
SUPPRESSED: false
MAINTAINERS (TO): []
MAINTAINERS (CC): []

login: [  37.8003298] panic: kernel diagnostic assertion "uio->uio_iovcnt > 1" failed: file "/vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/kern/subr_copy.c", line 122 
[  37.8003298] cpu1: Begin traceback...
[  37.8003298] asan.module_ctor() at ffffffff81ebbd0e
[  37.8103299] asan.module_ctor() at ffffffff8229fb3e
[  37.8203420] asan.module_dtor() at ffffffff81e81de5
[  37.8203420] asan.module_ctor() at ffffffff81eead5e
[  37.8303261] ktrace_thread() at netbsd:ktrace_thread+0x667 ktrwrite vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/kern/kern_ktrace.c:1359 [inline]
[  37.8303261] ktrace_thread() at netbsd:ktrace_thread+0x667 vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/kern/kern_ktrace.c:1428
[  37.8303261] cpu1: End traceback...

[  37.8303261] dumping to dev 168,1 (offset=29361126, size=524159):
[  37.8303261] dump Skipping crash dump on recursive panic
[  38.8702888] panic: atastart: channel 0 busy, xfer not possible
[  38.8702888] cpu1: Begin traceback...
[  38.8702888] asan.module_ctor() at ffffffff81ebbd0e
[  38.8802986] asan.module_ctor() at ffffffff81ebb905
[  38.8902918] atabus_childdetached() at netbsd:atabus_childdetached+0x2af3
[  38.8902918] wd_dumpblocks() at netbsd:wd_dumpblocks+0x27c vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/dev/ata/wd.c:1650
[  38.9002905] asan.module_ctor() at ffffffff82012c60
[  38.9102893] asan.module_dtor() at netbsd:asan.module_dtor+-0x12108fe
[  38.9202904] asan.module_dtor() at netbsd:asan.module_dtor+-0x1210144
[  38.9202904] asan.module_dtor() at netbsd:asan.module_dtor+-0x120f9f0
[  38.9302893] ?() at ffffffff8020d07d
[  38.9302893] asan.module_ctor() at ffffffff81e10ba0
[  38.9402896] asan.module_ctor() at ffffffff81ebbd1e
[  38.9502909] asan.module_ctor() at ffffffff8229fb3e
[  38.9602898] asan.module_dtor() at ffffffff81e81de5
[  38.9602898] asan.module_ctor() at ffffffff81eead5e
[  38.9702867] ktrace_thread() at netbsd:ktrace_thread+0x667 ktrwrite vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/kern/kern_ktrace.c:1359 [inline]
[  38.9702867] ktrace_thread() at netbsd:ktrace_thread+0x667 vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/kern/kern_ktrace.c:1428
[  38.9702867] cpu1: End traceback...
[  38.9702867] rebooting...
```
>How-To-Repeat:
The issue can be reproduced by running the C or syz reproducer on the kernel under the specified config.
>Fix:
