Ok, here is a backport of the patch that went into 2.6.0
to fix the problem where the tmpfs/shmfs dcache could be
oopsed by any user doing a dirseek to offset 2.
This occurs because the when the seek is at the cursor
and then the cursor is deleted, the list_add_tail
tries to attach to the end of the list and gets the
old pointers (poisoned on 2.6) from the list_del.
This fix just deletes the cursor before going over the
list since it can not be a member of the list and should
not be counted, delete it before counting over the list.

--- linux-2.4.23/fs/readdir.c	2002-08-02 17:39:45.000000000 -0700
+++ build-2.4.23-skas/fs/readdir.c	2003-12-23 17:18:37.000000000 -0800
@@ -69,6 +69,7 @@
 			loff_t n = file->f_pos - 2;
 
 			spin_lock(&dcache_lock);
+			list_del(&cursor->d_child);
 			p = file->f_dentry->d_subdirs.next;
 			while (n && p != &file->f_dentry->d_subdirs) {
 				struct dentry *next;
@@ -77,7 +78,6 @@
 					n--;
 				p = p->next;
 			}
-			list_del(&cursor->d_child);
 			list_add_tail(&cursor->d_child, p);
 			spin_unlock(&dcache_lock);
 		}