I finally got a clean dump today; I hope to look at it over the next
few days.  Briefly, what appears to be happening is that when I/O
completes, the ohci driver can't find the buffer on which I/O is
complete on its list of active I/O.  When that happens, the kernel
panics.

I don't yet know why this is happening.  Possibly, the close or detach
routines are purging the buffer queue while I/O is still active;
alternatively, there may be a race condition somewhere that's
screwing up the data structures for what is active.  Since the problem
started with the PM branch, perhaps the first theory is more likely; on
the other hand, I'm now seeing I/O queue wedges, which are more
compatible with the second theory.

(Context refresher: this is PPP over ucom/umodem/uhub/ohci (or some
such) on a Cardbus card, on an i386 T42 running -current.)

Theories or analyses welcome; as I said, I hope to look into this soon
myself.