Comment # 2 on bug 1011250 from
Looks like this code:
        if (!list_empty(&pipe->pipe)) {
            msg = list_entry(pipe->pipe.next,
                    struct rpc_pipe_msg,
                    list);

in rpc_pipe_read().  pipe->pipe.next appears to be NULL.

Are you using Kerberos for NFS authentication?
Are you doing anything else that might be considered "non-standard"?
Containers? Automounts? Anything.

Use-after-free seems most likely to me, but the code looks solid, and there are
no upstream patches that might relate to this.
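Why the !list_empty() guard in the quoted snippet does not stop a NULL pipe->pipe.next from reaching list_entry(), as an added example that is not part of the original comment or the kernel source. It uses user-space copies of the list primitives; the simplified struct layouts and the helpers pick_msg() and list_head_sane() are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space copies of the kernel's list primitives (same semantics). */
struct list_head { struct list_head *next, *prev; };
#define list_entry(ptr, type, member) \
    ((type *)((uintptr_t)(ptr) - offsetof(type, member)))
static int list_empty(const struct list_head *h) { return h->next == h; }
static void init_list_head(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}

/* Simplified stand-ins: the field layout here is assumed, not the kernel's. */
struct rpc_pipe_msg { struct list_head list; void *data; size_t len; };
struct rpc_pipe { struct list_head pipe; };

/* Same guard and lookup as the quoted snippet; *guard_passed records the test. */
static struct rpc_pipe_msg *pick_msg(struct rpc_pipe *pipe, int *guard_passed)
{
    *guard_passed = !list_empty(&pipe->pipe);
    if (!*guard_passed)
        return NULL;
    return list_entry(pipe->pipe.next, struct rpc_pipe_msg, list);
}

/* Stricter check: both links are non-NULL and point back at the head. */
static int list_head_sane(const struct list_head *h)
{
    return h->next && h->prev && h->next->prev == h && h->prev->next == h;
}

int main(void)
{
    struct rpc_pipe good, bad;
    struct rpc_pipe_msg m = { .data = "x", .len = 1 }, *r;
    int passed;
    init_list_head(&good.pipe);
    list_add_tail(&m.list, &good.pipe);
    memset(&bad, 0, sizeof(bad)); /* constructed: head overwritten with zeros */
    r = pick_msg(&good, &passed);
    printf("good: guard_passed=%d msg=%p sane=%d\n", passed, (void *)r, list_head_sane(&good.pipe));
    r = pick_msg(&bad, &passed);
    printf("bad:  guard_passed=%d msg=%p sane=%d\n", passed, (void *)r, list_head_sane(&bad.pipe));
    return 0;
}
```

list_empty() only compares head->next with the head's own address, so a NULL next counts as "not empty" and the bogus entry pointer is dereferenced afterwards.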

