Subject: crashes in vnode cache code, caused by memory overwrites?
To: None <current-users@NetBSD.ORG>
From: John Kohl <jtk@kolvir.arlington.ma.us>
List: current-users
Date: 08/24/1995 20:44:47

After doing some work on an NFS mounted partition (often union-mounting
over it), I'm running into a crash (bad pointer ref) when unmounting
a filesystem--mostly I've seen it when unmounting the union FS, but
tonight I saw it when unmounting the NFS partition.

I've seen it in cache_lookup() and in cache_purgevfs(). One of the
namecache entries has its nc_hash.le_next pointer bashed (usually it
ends up as "0x00000008"), presumably by someone else overrunning its
memory space.

The namecache entry lives in the 64-byte malloc bucket. In the few
crashes I've had, it looks like the culprit has come and gone, because
the preceding 64-byte block had a valid namecache entry in it.

Does anybody know of some bug in other code that could be overwriting
these buckets?

==John
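
Added example, not part of the message above and not NetBSD code: a user-space sketch of a hash-chain sanity walk that flags a bashed le_next (such as the 0x00000008 value reported) before it is dereferenced. The struct nc layout, the arena of adjacent 64-byte blocks, and the function names are simplified assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUCKET 64   /* bucket size named in the post */
#define NSLOTS 8    /* constructed arena: 8 adjacent 64-byte blocks */

/* Simplified stand-in for a namecache entry: hash linkage plus padding. */
struct nc {
    struct { struct nc *le_next; struct nc **le_prev; } nc_hash;
    char pad[BUCKET - 2 * sizeof(void *)];
};
static struct nc arena[NSLOTS];

/* Plausible link: NULL, or a block-aligned address inside the arena. */
static int ptr_ok(const struct nc *p) {
    uintptr_t a = (uintptr_t)p, base = (uintptr_t)arena;
    if (p == NULL) return 1;
    return a >= base && a < base + sizeof(arena) && (a - base) % BUCKET == 0;
}

/* Return the slot whose le_next is bad, -1 if the chain is clean, -2 on a cycle. */
static int check_chain(const struct nc *head) {
    int steps = 0;
    for (const struct nc *p = head; p != NULL; p = p->nc_hash.le_next) {
        if (!ptr_ok(p->nc_hash.le_next)) return (int)(p - arena);
        if (++steps > NSLOTS) return -2;
    }
    return -1;
}

/* Constructed sample: chain slot 0 -> 1 -> ... -> n-1 (le_prev left unused). */
static struct nc *build_chain(int n) {
    memset(arena, 0, sizeof(arena));
    for (int i = 0; i + 1 < n; i++) arena[i].nc_hash.le_next = &arena[i + 1];
    return &arena[0];
}

int main(void) {
    struct nc *head = build_chain(5);
    printf("clean chain: %d\n", check_chain(head));
    arena[3].nc_hash.le_next = (struct nc *)(uintptr_t)0x8; /* value from the post */
    printf("bad link in slot: %d\n", check_chain(head));
    return 0;
}
```

Run periodically, a walk like this narrows the window in which the overwrite happened, which matters when the culprit is gone by the time the bad pointer is finally followed.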