Below another min() -> ulmin() conversion to prevent integer overflow. The size (tmp - buf) passed to uiomovei() is essentially bound by the 'count' variable, thus convert to uiomove().
Index: arch/amd64/amd64/nvram.c =================================================================== RCS file: /cvs/src/sys/arch/amd64/amd64/nvram.c,v retrieving revision 1.3 diff -u -p -r1.3 nvram.c --- arch/amd64/amd64/nvram.c 14 Mar 2015 03:38:46 -0000 1.3 +++ arch/amd64/amd64/nvram.c 9 Apr 2015 17:50:54 -0000 @@ -94,7 +94,7 @@ nvramread(dev_t dev, struct uio *uio, in u_char buf[NVRAM_SIZE]; u_int pos = uio->uio_offset; u_char *tmp; - int count = min(sizeof(buf), uio->uio_resid); + size_t count = ulmin(sizeof(buf), uio->uio_resid); int ret; if (!nvram_initialized) @@ -104,7 +104,7 @@ nvramread(dev_t dev, struct uio *uio, in return (0); #ifdef NVRAM_DEBUG - printf("attempting to read %d bytes at offset %d\n", count, pos); + printf("attempting to read %zu bytes at offset %d\n", count, pos); #endif for (tmp = buf; count-- > 0 && pos < NVRAM_SIZE; ++pos, ++tmp) @@ -114,7 +114,7 @@ nvramread(dev_t dev, struct uio *uio, in printf("nvramread read %d bytes (%s)\n", (tmp - buf), tmp); #endif - ret = uiomovei((caddr_t)buf, (tmp - buf), uio); + ret = uiomove((caddr_t)buf, (tmp - buf), uio); uio->uio_offset += uio->uio_resid; cheers, natano