Subject: Re: firefox-triggered crashes on -current
To: None <current-users@netbsd.org>
From: Antti Kantee <pooka@cs.hut.fi>
List: current-users
Date: 01/09/2007 02:30:27
Ok, I think I finally found it.  The routing changes were acting up --
I was completely off track blaming the vfs changes which just happened
to take place on the same day.  I *think* this is somehow related to
IPsec and that's why people haven't been seeing it.  Kudos to Nick for
his hacks to gdb to make crash dumps readable which enabled me to get
down to the right track.

Here's a quick hack which makes the symptoms (i.e. panic) go away for me.
I'll leave it up to the people who actually enjoy the company of this
code to concoct a proper fix.  But looking at ip_output(), it seems like
it's a maze of dead code and a wumpus behind every corner and could use
more than just a superficial scolding.

Index: ip_output.c
===================================================================
RCS file: /cvsroot/src/sys/netinet/ip_output.c,v
retrieving revision 1.173
diff -u -r1.173 ip_output.c
--- ip_output.c	8 Jan 2007 04:14:54 -0000	1.173
+++ ip_output.c	9 Jan 2007 00:21:39 -0000
@@ -211,6 +211,8 @@
 #endif
 	u_int16_t ip_len;
 
+	memset(&iproute, 0, sizeof(iproute));
+
 	len = 0;
 	va_start(ap, m0);
 	opt = va_arg(ap, struct mbuf *);
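Review bot: the memset(&iproute, 0, sizeof(iproute)) added at the top of the function deserves a one-line comment stating its purpose, namely that it guarantees iproute.ro_rt starts out NULL so that the later cleanup at done: can decide whether to free it by inspecting the field rather than by tracking whether ro was ever pointed at iproute. Without the comment a future reader may see the zeroing as redundant and drop it, which would reintroduce the uninitialised-field problem this hunk works around.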
@@ -965,8 +970,10 @@
 	if (error == 0)
 		ipstat.ips_fragmented++;
 done:
-	if (ro == &iproute && (flags & IP_ROUTETOIF) == 0)
-		rtcache_free(ro);
+	if (iproute.ro_rt != NULL) {
+		printf("XXX freeing iproute\n");
+		rtcache_free(&iproute);
+	}
 
 #ifdef IPSEC
 	if (sp != NULL) {
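Review bot: two things in the replacement at done: need attention before this can go in. First, the printf("XXX freeing iproute\n") is debug output on a packet-output path and, as the XXX marker signals, must be removed (or at least confined to a debug build) before commit. Second, the new test drops the (flags & IP_ROUTETOIF) == 0 condition and frees iproute.ro_rt unconditionally whenever it is non-NULL; the commit message should say why that condition is no longer needed, or the condition should be kept, since the old code deliberately skipped rtcache_free() in the route-to-interface case.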

-- 
Antti Kantee <pooka@iki.fi>                     Of course he runs NetBSD
http://www.iki.fi/pooka/                          http://www.NetBSD.org/
    "the most indispensable quality of a cook is accuracy"