This bug is either staring right at me or I am just having a bad hair day.  In vpop_wait() we see VPROC LOCK is used to protect its parent-child-sibling list.  However the ND LIST lock doesn't protect PVP(vo)->pvp_childl from other threads.  Also if I am not wrong the for-loop in vpop_wait() is not SMP-safe since PVP(vc)->pvp_childl is neither protected by VPROC LOCK nor ND LIST lock.


VPROC_LOCK_EXCL(vp, "vpop_wait");
        for (vo = NULL, vc = pvp->pvp_head_childl;
                                vc != NULL;
                                vo = vc, vc = PVP(vc)->pvp_childl) {
                                VPROC_LOCK_ND_LIST_EXCL(vp, "vpop_wait");
                                if (vo == NULL)
                                        pvp->pvp_head_childl = pvc->pvp_childl;
                                        PVP(vo)->pvp_childl = pvc->pvp_childl;
                                pvc->pvp_childl = NULL;
                                VPROC_UNLOCK_ND_LIST_EXCL(vp, "vpop_wait");
VPROC_UNLOCK_EXCL(vp, "vpop_wait");