Subject: Re: kernel panic in nfs_reclaim (kern/17107)
To: None <tech-kern@netbsd.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-kern
Date: 10/01/2002 03:19:21
> This crash confuses me a little - if filesystem is unmounted,
> shouldn't all vnodes associated with it be gone?  If so, then how
> come this particular rogue vnode was still around?

It seems likely to me that the problem is that the vnode *isn't* still
around, but a pointer to it is.  Is there code already in place to
optionally have kernel malloc fill data blocks with junk in free()?
It's a little more expensive, but it's usually effective at turning up
use-after-free bugs like what I speculate this is.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse@rodents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
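
The poison-on-free idea from the message above, as an added example (not part of the original post and not NetBSD's kernel malloc): a constructed fixed-slot pool whose free routine fills the block with a junk byte, so a stale pointer reads obvious garbage and a write through it is caught at the next allocation. `struct obj`, the `pool_*` functions and the `0xDE` pattern are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a kernel object; not NetBSD's struct vnode. */
struct obj { void *v_mount; uint32_t v_usecount; };

#define NSLOTS 4
#define POISON 0xDE   /* junk byte written over every freed block */

static struct obj pool[NSLOTS];       /* static storage: stays readable after "free" */
static unsigned char in_use[NSLOTS];

/* True if every byte of the block still holds the poison pattern. */
static int is_poisoned(const struct obj *o) {
    const unsigned char *p = (const unsigned char *)o;
    for (size_t i = 0; i < sizeof *o; i++)
        if (p[i] != POISON) return 0;
    return 1;
}

/* Start with every slot free and poisoned. */
static void pool_init(void) {
    memset(pool, POISON, sizeof pool);
    memset(in_use, 0, sizeof in_use);
}

/* Free: overwrite the block so stale readers see junk, not plausible old data. */
static void pool_free(struct obj *o) {
    memset(o, POISON, sizeof *o);
    in_use[o - pool] = 0;
}

/* Allocate the first free slot; *corrupt is set to 1 if the block was written while free. */
static struct obj *pool_alloc(int *corrupt) {
    for (int i = 0; i < NSLOTS; i++) {
        if (in_use[i]) continue;
        *corrupt = !is_poisoned(&pool[i]);   /* write-after-free check */
        in_use[i] = 1;
        return memset(&pool[i], 0, sizeof pool[i]);
    }
    return NULL;                             /* pool exhausted */
}

int main(void) {
    int corrupt; pool_init();
    struct obj *stale = pool_alloc(&corrupt);
    pool_free(stale);                        /* pointer kept past free */
    printf("stale v_usecount reads 0x%x\n", (unsigned)stale->v_usecount);
    return 0; }
```
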