RHEL6 / RHEL7: NFS4 client panic due to kernel bug nfs4_match_stateid or nfs41_match_stateid while returning a delegation

Issue

• We saw what appears to be a kernel panic and reboot on an NFSv4 client. This happened after the client lost communication with the NFS server.
• Server panic due to kernel bug nfs4_match_stateid while returning a delegation

BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
IP: [<ffffffffa02ced77>] nfs4_match_stateid+0x17/0x20 [nfs]
...
Pid: 4728, comm: nfsv4.0-svc Not tainted 2.6.32-431.23.3.el6.x86_64 #1 VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform
RIP: 0010:[<ffffffffa02ced77>]  [<ffffffffa02ced77>] nfs4_match_stateid+0x17/0x20 [nfs]
...
Process nfsv4.0-svc (pid: 4728, threadinfo ffff88082fe82000, task ffff88082f7f4040)
...
Call Trace:
 [<ffffffffa02e6e62>] nfs_async_inode_return_delegation+0x52/0xc0 [nfs]
 [<ffffffffa02eb7ef>] nfs4_callback_recall+0x5f/0xf0 [nfs]
 [<ffffffffa02e9e44>] ? decode_recall_args+0x64/0xb0 [nfs]
 [<ffffffffa02ea2ed>] nfs4_callback_compound+0x37d/0x5e0 [nfs]
 [<ffffffffa0213a6d>] svc_process_common+0x56d/0x640 [sunrpc]
 [<ffffffff81061d00>] ? default_wake_function+0x0/0x20
 [<ffffffffa0213e80>] svc_process+0x110/0x160 [sunrpc]
 [<ffffffffa02e91ab>] nfs4_callback_svc+0x5b/0xb0 [nfs]
 [<ffffffffa02e9150>] ? nfs4_callback_svc+0x0/0xb0 [nfs]
 [<ffffffff8109abf6>] kthread+0x96/0xa0
 [<ffffffff8100c20a>] child_rip+0xa/0x20
 [<ffffffff8109ab60>] ? kthread+0x0/0xa0
 [<ffffffff8100c200>] ? child_rip+0x0/0x20
Code: 94 c0 c9 c3 b8 01 00 00 00 c9 c3 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 0f 1f 44 00 00 b9 10 00 00 00 48 89 f8 48 89 f7 48 89 c6 <f3> a6 c9 0f 94 c0 c3 66 90 55 48 89 e5 48 83 ec 30 48 89 5d f0 
RIP  [<ffffffffa02ced77>] nfs4_match_stateid+0x17/0x20 [nfs]
 RSP <ffff88082fe83c80>
CR2: 0000000000000020