Subject: LKM loading bug
To: None <darrenr@reed.wattle.id.au>
From: Mark Brinicombe <mark@causality.com>
List: port-arm32
Date: 09/04/1998 02:07:48
Hi,
  Ok I can recreate the LKM bug. The kernel is dying with a prefetch abort
above the kernel VM data area. This means that it has tried to execute
instructions at an illegal address.

DDB is indicating that there is actually a function call that is calling
the illegal address. This would suggest a possible linker error.

Another thought which I am about to test is that there is a
coherency problem between the caches and memory because the LKM is being
loaded via copyin(). This means that the LKM text is written into memory
via the data cache. Then on completion of the load (which is reached)
the LMREADY ioctl is called and the entry point of the LKM is executed. At
this point the instruction cache is filled from physical
memory which has not yet been synchronised with the data cache and thus
some of the LKM text is still in the data cache rather than main memory
and thus is not used for the Icache fill.
This results in LKM text partially in phys mem along with garbage
instructions and the rest of the text in the data cache and the icache
filling from phys memory ;-)
Not surprising that the execution path stuffs up and ends up executing
from illegal addresses.
Now currently there is no mechanism to allow the caches to be synchronised
after the loading of an LKM and before its initialisation as this is MI
which is possibly a defect in the current LKM mechanism.

Cheers,
				Mark
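The cache-coherency theory in the message above, as an added illustration that is not part of the original mail and not NetBSD code: a toy C model of a CPU with a write-back data cache and a separate instruction cache in front of one physical memory. A "module" is stored through the D-cache the way copyin() would store it, one line happens to be evicted to memory, and the text is then fetched as instructions. The three sync modes, the 1:1 line mapping, the sizes and the constructed 24-byte text are all assumptions made for the example and do not model any particular ARM part.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a CPU with a write-back data cache and a separate
 * instruction cache in front of one physical memory. Constructed for
 * illustration only: the 1:1 line mapping and sizes are simplifications,
 * not a model of any particular ARM part. */
#define MEM_SIZE 64
#define LINE     8
#define NLINES   (MEM_SIZE / LINE)
#define GARBAGE  0xEE           /* whatever the freshly allocated pages held */

enum sync_mode { SYNC_NONE, SYNC_DCLEAN_ONLY, SYNC_FULL };

typedef struct {
    uint8_t phys[MEM_SIZE];
    uint8_t dcache[MEM_SIZE];   /* write-back, write-allocate */
    bool    dvalid[NLINES], ddirty[NLINES];
    uint8_t icache[MEM_SIZE];   /* filled only from phys, never from dcache */
    bool    ivalid[NLINES];
} machine_t;

static void machine_init(machine_t *m)
{
    memset(m, 0, sizeof *m);
    memset(m->phys, GARBAGE, MEM_SIZE);
}

/* copyin()-style store: the bytes land in the data cache, not in phys. */
static void dcache_write(machine_t *m, unsigned addr, const uint8_t *src, unsigned len)
{
    for (unsigned i = 0; i < len; i++) {
        unsigned a = addr + i, l = a / LINE;
        if (!m->dvalid[l]) {
            memcpy(&m->dcache[l * LINE], &m->phys[l * LINE], LINE);
            m->dvalid[l] = true;
        }
        m->dcache[a] = src[i];
        m->ddirty[l] = true;
    }
}

/* Cache pressure writes one dirty line back on its own; this is how part
 * of the text reaches phys while the rest is still only in the D-cache. */
static void dcache_evict(machine_t *m, unsigned line)
{
    if (m->dvalid[line] && m->ddirty[line])
        memcpy(&m->phys[line * LINE], &m->dcache[line * LINE], LINE);
    m->dvalid[line] = m->ddirty[line] = false;
}

/* Instruction fetch: misses are filled from phys only. */
static uint8_t ifetch(machine_t *m, unsigned addr)
{
    unsigned l = addr / LINE;
    if (!m->ivalid[l]) {
        memcpy(&m->icache[l * LINE], &m->phys[l * LINE], LINE);
        m->ivalid[l] = true;
    }
    return m->icache[addr];
}

/* The step the mail says is missing between the load and LMREADY:
 * clean (write back) the D-cache and, for a full sync, invalidate the
 * I-cache so the entry point is fetched from the now-correct phys. */
static void sync_caches(machine_t *m, enum sync_mode mode)
{
    if (mode == SYNC_NONE) return;
    for (unsigned l = 0; l < NLINES; l++) {
        if (m->dvalid[l] && m->ddirty[l]) {
            memcpy(&m->phys[l * LINE], &m->dcache[l * LINE], LINE);
            m->ddirty[l] = false;
        }
        if (mode == SYNC_FULL) m->ivalid[l] = false;
    }
}

/* Load a constructed 24-byte "module" (three lines) at address 0, then
 * fetch it as instructions. Returns how many fetched bytes differ from
 * the text that was loaded. */
unsigned load_and_fetch(enum sync_mode mode)
{
    uint8_t text[3 * LINE];
    for (unsigned i = 0; i < sizeof text; i++) text[i] = (uint8_t)(0x10 + i);

    machine_t m;
    machine_init(&m);
    ifetch(&m, 2 * LINE);                    /* line 2 ran earlier: stale in I-cache */
    dcache_write(&m, 0, text, sizeof text);  /* the copyin() of the LKM image */
    dcache_evict(&m, 0);                     /* only line 0 happened to reach phys */
    sync_caches(&m, mode);                   /* what happens before the entry point runs */

    unsigned bad = 0;
    for (unsigned i = 0; i < sizeof text; i++)
        if (ifetch(&m, i) != text[i]) bad++;
    return bad;
}

int main(void)
{
    printf("no sync:          %u bad bytes of 24\n", load_and_fetch(SYNC_NONE));
    printf("D-cache clean:    %u bad bytes of 24\n", load_and_fetch(SYNC_DCLEAN_ONLY));
    printf("clean+invalidate: %u bad bytes of 24\n", load_and_fetch(SYNC_FULL));
    return 0;
}
```

Without any sync the CPU sees the one evicted line correctly and garbage for the other two, which is the "partially in phys mem along with garbage instructions" picture from the mail. Cleaning the D-cache alone still leaves a stale I-cache line, so the sync a loader needs before jumping to freshly written code is both halves: write back the data cache, then invalidate the instruction cache for that range.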