>  I'm not sure at all, but this feels incorrect.  The code is passing
>  the m_ext.ext_pgs to the uvm_loanuobjpages function, yet it seems to be
>  uninitialized; at least, M_EXT_PAGES is not set in m->m_flags and
>  ext_pgs[0] is always 0x30000000.  This supposedly-bogus value is later
>  handed off to auo_get, which, seeing that the page pointer is not NULL,
>  assumes it is valid and does not fetch it (see uvm_aobj.c 1.81 around
>  line 1022).  As a result, the rest of the uvm_loanuobjpages handles
>  this invalid pointer and ends up crashing.  Is this a bug?  Note that
>  it will be exposed whenever that NFS code path ends up calling
>  auo_get without PGO_LOCKED (because it will enter step 2).

uao_get, you mean?

>  For now I've been able to workaround the problem by making the
>  nfsrv_read function initialize the mbuf's ext_pgs field to NULL
>  pointers and later passing PGO_ALLPAGES to the pgo_get call in
>  uvm_loanuobjpages.  The former may be fine, but the latter is most
>  likely not.

see PR/32166.

YAMAMOTO Takashi