--- sys/fs/nfsserver/nfs_nfsdserv.c.crash1 2021-11-25 15:32:41.106870000 -0800
+++ sys/fs/nfsserver/nfs_nfsdserv.c 2021-11-25 15:40:01.207918000 -0800
@@ -4945,6 +4945,12 @@ nfsrvd_layoutreturn(struct nfsrv_descript *nd, __unuse
 }
 maxcnt = fxdr_unsigned(int, *tl);
+ /*
+ * There is no fixed upper bound defined in the RFCs,
+ * but 128Kbytes should be more than sufficient.
+ */
+ if (maxcnt < 0 || maxcnt > 131072)
+ maxcnt = 0;
 if (maxcnt > 0) {
 layp = malloc(maxcnt + 1, M_TEMP, M_WAITOK);
 error = nfsrv_mtostr(nd, (char *)layp, maxcnt);
--- sys/fs/nfsserver/nfs_nfsdstate.c.crash1 2021-11-25 15:40:26.307224000 -0800
+++ sys/fs/nfsserver/nfs_nfsdstate.c 2021-11-25 15:45:04.509814000 -0800
@@ -7290,7 +7290,7 @@ nfsrv_layoutreturn(struct nfsrv_descript *nd, vnode_t
 }
 NFSDRECALLUNLOCK();
 }
- if (layouttype == NFSLAYOUT_FLEXFILE)
+ if (layouttype == NFSLAYOUT_FLEXFILE && layp != NULL)
 nfsrv_flexlayouterr(nd, layp, maxcnt, p);
 } else if (kind == NFSV4LAYOUTRET_FSID)
 nfsrv_freelayouts(&nd->nd_clientid,
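Review bot: The added range check in nfsrvd_layoutreturn silently coerces an out-of-range `maxcnt` to 0 and keeps decoding instead of rejecting the request; the `maxcnt` bytes of opaque layout-return data the client declared are then never consumed from the XDR stream by `nfsrv_mtostr`, so any field decoded after this point (not visible in the hunk) would presumably be read out of step, and a malformed request becomes indistinguishable from an empty body. Reporting it the way other decode failures in this file are reported, `nd->nd_repstat = NFSERR_BADXDR; goto nfsmout;` (assuming this function follows the file's usual `nfsmout` convention), seems the safer choice, and `131072` is worth naming as a constant next to the RFC comment rather than leaving it as a magic number. The `layp != NULL` guard added in the nfs_nfsdstate.c hunk is what keeps the zeroed case from reaching nfsrv_flexlayouterr with a NULL buffer, and it is worth keeping as defense in depth whichever way the decode-side handling goes. nfsrvd_layoutreturn continues outside the first hunk, as does nfsrv_layoutreturn outside the second; the first hunk's header also announces one more old-side line than is visible here.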