I think I found it.  It's a bug in zalloc, in vm/vm_zone.c.

            fetch http://apollo.backplane.com/DFlyMisc/pmap04.patch

    Remove all the other patches and just throw in that one.  The pmap
    code uses zbootinit() and zinitna().  zbootinit() takes a fixed
    item array and uses the structure size as-is.  zinitna() rounds-up
    the structure size to a 32 byte boundary.  The pv_entry structure
    is 28 bytes.

    That blows up the calculation when the zone is expanded and creates
    an overlap, thus corrupting one of the pv_entry's.

    I found it when I added another field to pv_entry and suddenly the
    panic stopped occurring on my test box.

    There are still a few bugs in pmap.c which I will commit from the
    other patches.  As soon as I verify that the bug is in zalloc
    I will clean up the pmap.c patch and commit it along with the zalloc
    fix.

    OMG this one was hard to find.  Of course, I haven't verified that
    it's the cause yet but it just has to be it.  So if it isn't I will
    cry.

                                                -Matt
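As an added illustration (not code from this mail, and not DragonFly's vm_zone.c), the C model below shows the mechanism the mail describes: a fixed array of 28-byte items laid out at the structure size, which is then addressed with the size rounded up to 32 bytes, so one item's bytes land inside its neighbour. The struct item28, ZONE_ALIGN, NITEMS and corrupts_neighbor are all hypothetical stand-ins for the real pv_entry and zone code.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical 28-byte item; only the size mirrors pv_entry, the field is
 * invented (7 * 4 bytes, no padding). */
struct item28 {
    uint32_t w[7];
};

#define ZONE_ALIGN 32   /* round-up granularity the mail attributes to zinitna() */
#define NITEMS 8        /* size of the fixed bootstrap array (hypothetical) */

/* Stride the bootstrap path uses: the structure size as-is (zbootinit). */
size_t boot_stride(void) { return sizeof(struct item28); }

/* Stride the growth path uses: size rounded up to ZONE_ALIGN (zinitna). */
size_t grow_stride(void) {
    return (sizeof(struct item28) + ZONE_ALIGN - 1) & ~(size_t)(ZONE_ALIGN - 1);
}

/* Fixed backing array of NITEMS items laid out at boot_stride(). */
static unsigned char zone_mem[NITEMS * sizeof(struct item28)];

/* Write item `idx` addressed with `stride`, then report whether any other
 * item (addressed at the bootstrap stride) was touched, or whether the write
 * would run past the array. Returns 1 on corruption, 0 when the write is clean. */
int corrupts_neighbor(size_t stride, int idx) {
    memset(zone_mem, 0, sizeof zone_mem);
    unsigned char *p = zone_mem + (size_t)idx * stride;
    if (p + sizeof(struct item28) > zone_mem + sizeof zone_mem)
        return 1;   /* overflow of the bootstrap array */
    memset(p, 0xAA, sizeof(struct item28));
    for (int i = 0; i < NITEMS; i++) {
        if (i == idx) continue;
        unsigned char *q = zone_mem + (size_t)i * boot_stride();
        for (size_t k = 0; k < sizeof(struct item28); k++)
            if (q[k] != 0) return 1;   /* neighbour's bytes were overwritten */
    }
    return 0;
}

int main(void) {
    printf("boot stride %zu, grow stride %zu\n", boot_stride(), grow_stride());
    printf("item 1 written at grow stride corrupts a neighbour: %d\n",
           corrupts_neighbor(grow_stride(), 1));
    return 0;
}
```

Item 0 is the only index where both strides agree, which is why a bootstrap zone can look healthy until it is expanded and higher indices are touched.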
