Kernel panic occurs when a Windows client writes a file to a CIFS share on a v28 zpool. The zpool was imported from a Nexenta (Illumos) box. I assume this issue has something to do what how Nexenta (Illumos) does ACLs when compared to FreeBSD.  The issue is resolved by a zpool is upgrade.

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x48
fault code     = supervisor read data, page not present
instruction pointer   = 0x20:0xffffffff81ac5970
stack pointer    = 0x28:0xffffff824f2301c0
frame pointer    = 0x28:0xffffff824f230250
code segment     = base rx0, limit 0xfffff, type 0x1b
       = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags   = interrupt enabled, resume, IOPL = 0
current process     = 1223 (smbd)
trap number     = 12
panic: page fault
cpuid = 0
KDB: stack backtrace:
#0 0xffffffff80925736 at kdb_backtrace+0x66
#1 0xffffffff808eb2fe at panic+0x1ce
#2 0xffffffff80cd28e0 at trap_fatal+0x290
#3 0xffffffff80cd2c41 at trap_pfault+0x211
#4 0xffffffff80cd3243 at trap+0x363
#5 0xffffffff80cbc433 at calltrap+0x8
#6 0xffffffff81ad137c at zfs_freebsd_create+0x6ec
#7 0xffffffff80dd5492 at VOP_CREATE_APV+0x72
#8 0xffffffff8099a01c at vn_open_cred+0x4bc
#9 0xffffffff81ad25d8 at zfs_setextattr+0x1b8
#10 0xffffffff80dd4288 at VOP_SETEXTATTR_APV+0x78
#11 0xffffffff8097ad23 at extattr_set_vp+0x193
#12 0xffffffff8097b082 at sys_extattr_set_file+0x162
#13 0xffffffff80cd208a at amd64_syscall+0x5ea
#14 0xffffffff80cbc717 at Xfast_syscall+0xf7

I have a core dump that's ~30MB, but I'm not sure how I will get to you.

# zfs list tank
NAME  USED  AVAIL  REFER  MOUNTPOINT
tank  251G  290G  44.5K  /mnt/tank

# zpool status tank
      pool: tank
    state: ONLINE
    status: The pool is formatted using a legacy on-disk format.  The pool can
        still be used, but some features are unavailable.
    action: Upgrade the pool using 'zpool upgrade'.  Once this is done, the
        pool will no longer be accessible on software that does not support feature
        flags.
      scan: scrub repaired 0 in 1h3m with 0 errors on Sun Mar  6 01:03:08 2016
    config:
     
        NAME                                            STATE     READ WRITE CKSUM
        tank                                            ONLINE       0     0     0
          mirror-0                                      ONLINE       0     0     0
            gptid/5a0a0323-7921-6964-8e75-d40c5d01776a  ONLINE       0     0     0
            gptid/34ba81da-c021-5acf-da0a-b99b02b81b6d  ONLINE       0     0     0
     
    errors: No known data errors

# zpool get version
NAME  PROPERTY  VALUE  SOURCE
freenas-boot  version  -  default
tank  version  28  local

# zfs get all tank/public
NAME  PROPERTY  VALUE  SOURCE
tank/public  type  filesystem  -
tank/public  creation  Thu Dec 11 11:26 2014  -
tank/public  used  15.8G  -
tank/public  available  289G  -
tank/public  referenced  15.8G  -
tank/public  compressratio  1.06x  -
tank/public  mounted  yes  -
tank/public  quota  none  default
tank/public  reservation  none  default
tank/public  recordsize  128K  default
tank/public  mountpoint  /mnt/tank/public  default
tank/public  sharenfs  off  default
tank/public  checksum  on  default
tank/public  compression  on  inherited from tank
tank/public  atime  on  default
tank/public  devices  on  default
tank/public  exec  on  default
tank/public  setuid  on  default
tank/public  readonly  off  default
tank/public  jailed  off  default
tank/public  snapdir  hidden  default
tank/public  aclmode  passthrough  inherited from tank
tank/public  aclinherit  passthrough  inherited from tank
tank/public  canmount  on  default
tank/public  xattr  off  temporary
tank/public  copies  1  default
tank/public  version  5  -
tank/public  utf8only  off  -
tank/public  normalization  none  -
tank/public  casesensitivity  mixed  -
tank/public  vscan  off  default
tank/public  nbmand  off  default
tank/public  sharesmb  name=public  local
tank/public  refquota  none  default
tank/public  refreservation  none  default
tank/public  primarycache  all  default
tank/public  secondarycache  all  default
tank/public  usedbysnapshots  0  -
tank/public  usedbydataset  15.8G  -
tank/public  usedbychildren  0  -
tank/public  usedbyrefreservation  0  -
tank/public  logbias  latency  default
tank/public  dedup  off  default
tank/public  mlslabel  -
tank/public  sync  standard  default
tank/public  refcompressratio  1.06x  -
tank/public  written  15.8G  -
tank/public  logicalused  16.8G  -
tank/public  logicalreferenced  16.8G  -
tank/public  volmode  default  default
tank/public  filesystem_limit  none  default
tank/public  snapshot_limit  none  default
tank/public  filesystem_count  none  default
tank/public  snapshot_count  none  default
tank/public  redundant_metadata  all  default
tank/public  nms:dedup-dirty  off  local
 
# getfacl /mnt/tank/public
# file: /mnt/tank/public
# owner: root
# group: wheel
group:domain admins:rwxpDdaARWcCos:fd----:allow
  everyone@:rwxp-daARWc--s:fd----:allow
 
# getfacl /mnt/tank/public/Scans
# file: /mnt/tank/public/Scans
# owner: 1002
# group: 10
group:domain admins:rwxpDdaARWcCos:fd----:allow
group:domain admins:rwxpDdaARWcCos:fd----:allow
  everyone@:rwxp-daARWc--s:fd----:allow
 
# getfacl /mnt/tank/public/Scans/Thumbs.db
# file: /mnt/tank/public/Scans/Thumbs.db
# owner: nobody
# group: nobody
group:domain admins:rwxpDdaARWcCos:------:allow
group:domain admins:rwxpDdaARWcCos:------:allow
  everyone@:rwxp-daARWc--s:------:allow

# lspci
00:00.0 Host bridge: Intel Corporation Xeon E5/Core i7 DMI2 (rev 07)
00:01.0 PCI bridge: Intel Corporation Xeon E5/Core i7 IIO PCI Express Root Port 1a (rev 07)
00:02.0 PCI bridge: Intel Corporation Xeon E5/Core i7 IIO PCI Express Root Port 2a (rev 07)
00:02.2 PCI bridge: Intel Corporation Xeon E5/Core i7 IIO PCI Express Root Port 2c (rev 07)
00:03.0 PCI bridge: Intel Corporation Xeon E5/Core i7 IIO PCI Express Root Port 3a in PCI Express Mode (rev 07)
00:03.2 PCI bridge: Intel Corporation Xeon E5/Core i7 IIO PCI Express Root Port 3c (rev 07)
00:04.0 System peripheral: Intel Corporation Xeon E5/Core i7 DMA Channel 0 (rev 07)
00:04.1 System peripheral: Intel Corporation Xeon E5/Core i7 DMA Channel 1 (rev 07)
00:04.2 System peripheral: Intel Corporation Xeon E5/Core i7 DMA Channel 2 (rev 07)
00:04.3 System peripheral: Intel Corporation Xeon E5/Core i7 DMA Channel 3 (rev 07)
00:04.4 System peripheral: Intel Corporation Xeon E5/Core i7 DMA Channel 4 (rev 07)
00:04.5 System peripheral: Intel Corporation Xeon E5/Core i7 DMA Channel 5 (rev 07)
00:04.6 System peripheral: Intel Corporation Xeon E5/Core i7 DMA Channel 6 (rev 07)
00:04.7 System peripheral: Intel Corporation Xeon E5/Core i7 DMA Channel 7 (rev 07)
00:05.0 System peripheral: Intel Corporation Xeon E5/Core i7 Address Map, VTd_Misc, System Management (rev 07)
00:05.2 System peripheral: Intel Corporation Xeon E5/Core i7 Control Status and Global Errors (rev 07)
00:05.4 PIC: Intel Corporation Xeon E5/Core i7 I/O APIC (rev 07)
00:11.0 PCI bridge: Intel Corporation C600/X79 series chipset PCI Express Virtual Root Port (rev 06)
00:16.0 Communication controller: Intel Corporation C600/X79 series chipset MEI Controller #1 (rev 05)
00:16.1 Communication controller: Intel Corporation C600/X79 series chipset MEI Controller #2 (rev 05)
00:1a.0 USB controller: Intel Corporation C600/X79 series chipset USB2 Enhanced Host Controller #2 (rev 06)
00:1d.0 USB controller: Intel Corporation C600/X79 series chipset USB2 Enhanced Host Controller #1 (rev 06)
00:1e.0 PCI bridge: Intel Corporation 82801 PCI Bridge (rev a6)
00:1f.0 ISA bridge: Intel Corporation C600/X79 series chipset LPC Controller (rev 06)
00:1f.2 SATA controller: Intel Corporation C600/X79 series chipset 6-Port SATA AHCI Controller (rev 06)
00:1f.3 SMBus: Intel Corporation C600/X79 series chipset SMBus Host Controller (rev 06)
00:1f.6 Signal processing controller: Intel Corporation C600/X79 series chipset Thermal Management Controller (rev 06)
03:00.0 Serial Attached SCSI controller: LSI Logic / Symbios Logic SAS2308 PCI-Express Fusion-MPT SAS-2 (rev 05)
05:00.0 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)

This is a 2U Supermicro with 16 GB of RAM.

There is also a workaround without upgrading zpool.

1. Set old dataset to readonly
zfs set readonly=on tank/public

2. Create new dataset via FreeNAS UI with compression: on, share type: Windows, case sensitivity: sensitive, enable atime: on and dedupe: off.

3. Set ACLs
chown nobody:nobody /mnt/tank/new
setfacl -x 'owner@:rwxpD-a-R-c---:------:allow' /mnt/tank/new
setfacl -x 'group@:rwxpD-a-R-c---:------:allow' /mnt/tank/new
setfacl -m 'group:domain admins:rwxpDdaARWcCo-:fd----:allow' /mnt/tank/new

4. Setup CIFS share

5. Copied data from old read only dataset to new dataset using Windows CIFS client

6. Corrected ACLs using Windows CIFS client and applied the ACL recursively

7. Rename old dataset

8. Rename new dataset to replace old dataset

I originally reported this to the FreeNAS forums.  You can view the thread here: https://forums.freenas.org/index.php?threads/zfs-crash.41952/#post-270114.  I was able to reproduce the issue with FreeBSD 9.3, so I decided to report it upstream to the FreeBSD project.