The ESGL bit was left uninitialized when executing the REPORT
LUNS ioctl. This could allow a zeroed data buffer to be treated as a
scatter/gather list. The firmware would eventually walk past the end
of the data buffer, potentially find what looked like a valid
address/length pair, and write the result to semi-random memory.
For Isilon folks, this is part of Anton's fix for bug 185562, PR
#2689, including his description above.