> I think the worst case is when the thread sees the correct pn_end,
> pn_pins and pn_npins, but pn_start is still zero.  That could
> potentially permit a syscall that shouldn't be allowed.

No.

        if (plibcpin->pn_pins &&
            addr >= plibcpin->pn_start && addr < plibcpin->pn_end)
                pin = plibcpin;

"addr" cannot be zero, because we don't allow mapping the NULL page
in userland.

I wonder if we can change >= to >