Looks like this code:

    if (!list_empty(&pipe->pipe)) {
            msg = list_entry(pipe->pipe.next, struct rpc_pipe_msg, list);

in rpc_pipe_read(). pipe->pipe.next appears to be NULL.

Are you using Kerberos for NFS authentication? Are you doing anything else that might be considered "non-standard"? Containers? Automounts? Anything.

Use-after-free seems most likely to me, but the code looks solid, and there are no upstream patches that might relate to this.
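Added example, not part of the comment above and not kernel code: a userspace sketch of why the list_empty() guard in the quoted lines does not stop a head whose next pointer is NULL. The list primitives are simplified re-creations, and demo_msg, demo_pipe, pick_first and demo_case are hypothetical names with assumed fields.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified userspace re-creation of the kernel list primitives. */
struct list_head { struct list_head *next, *prev; };

static int list_empty(const struct list_head *head)
{
    return head->next == head;      /* "empty" means next points back at head */
}

#define list_entry(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Hypothetical stand-ins for rpc_pipe_msg / rpc_pipe (fields assumed). */
struct demo_msg  { struct list_head list; size_t len; };
struct demo_pipe { struct list_head pipe; };

enum pick { PICK_EMPTY, PICK_MSG, PICK_CORRUPT };

/* Same shape as the quoted check, plus an explicit test for a NULL link. */
static enum pick pick_first(struct demo_pipe *p, struct demo_msg **out)
{
    *out = NULL;
    if (list_empty(&p->pipe))
        return PICK_EMPTY;
    if (p->pipe.next == NULL)       /* NULL != head, so list_empty() said "not empty" */
        return PICK_CORRUPT;
    *out = list_entry(p->pipe.next, struct demo_msg, list);
    return PICK_MSG;
}

/* Constructed cases: 0 = initialised head, 1 = one queued message, 2 = next is NULL. */
static int demo_case(int which)
{
    struct demo_pipe p;
    struct demo_msg m = { .len = 42 };
    struct demo_msg *out;

    p.pipe.next = p.pipe.prev = &p.pipe;
    if (which == 1) {
        p.pipe.next = p.pipe.prev = &m.list;
        m.list.next = m.list.prev = &p.pipe;
    } else if (which == 2) {
        p.pipe.next = NULL;         /* e.g. head memory zeroed or reused */
    }
    enum pick r = pick_first(&p, &out);
    if (r == PICK_MSG && out->len != 42)
        return -1;
    return r;
}

int main(void)
{
    for (int i = 0; i < 3; i++)
        printf("case %d -> %d\n", i, demo_case(i));
    return 0;
}
```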