The only caller of kcopy is uiomove. There is no way a function like this can ever work. If you need to rely on your copy function to save you from pointers outside the address space, it means you don't know what garbage you're passing it. Meaning you may well be passing it pointers inside the address space, but to something unexpected, which you will then shit on.
Replace with memcpy. Not shown: the 200 line diff to remove kcopy from sparc64 locore.s. Index: kern/kern_subr.c =================================================================== RCS file: /cvs/src/sys/kern/kern_subr.c,v retrieving revision 1.37 diff -u -p -r1.37 kern_subr.c --- kern/kern_subr.c 19 Oct 2013 09:24:57 -0000 1.37 +++ kern/kern_subr.c 9 Jan 2014 21:00:48 -0000 @@ -88,11 +88,9 @@ uiomove(void *cp, int n, struct uio *uio case UIO_SYSSPACE: if (uio->uio_rw == UIO_READ) - error = kcopy(cp, iov->iov_base, cnt); + memcpy(iov->iov_base, cp, cnt); else - error = kcopy(iov->iov_base, cp, cnt); - if (error) - return(error); + memcpy(cp, iov->iov_base, cnt); } iov->iov_base = (caddr_t)iov->iov_base + cnt; iov->iov_len -= cnt; Index: sys/systm.h =================================================================== RCS file: /cvs/src/sys/sys/systm.h,v retrieving revision 1.100 diff -u -p -r1.100 systm.h --- sys/systm.h 11 Jun 2013 18:15:54 -0000 1.100 +++ sys/systm.h 9 Jan 2014 21:02:04 -0000 @@ -187,10 +187,6 @@ void assertwaitok(void); void tablefull(const char *); -int kcopy(const void *, void *, size_t) - __attribute__ ((__bounded__(__buffer__,1,3))) - __attribute__ ((__bounded__(__buffer__,2,3))); - void bcopy(const void *, void *, size_t) __attribute__ ((__bounded__(__buffer__,1,3))) __attribute__ ((__bounded__(__buffer__,2,3)));