The NFS lock routines (nlmsvc_lock, nlmsvc_testlock, and maybe others) are being called with file_lock structures that contain uninitialized list_head structs. (This is as of 2.4.0-test7.) The "next" links should be circular chains, but are instead NULL. This causes problems later when they are used. I don't know where they should be initialized, but an INIT_LIST_HEAD() should be done when these file_lock structs are created. For example, fl_wait.task_list not being set shows itself when an NFS SETLK is followed by a GETLK. The result is a dereference of the NULL pointer in locks_free_lock when it tries the list_empty(). I opened another defect (#24) on a similar problem where nlmsvc_lock calls nlmsvc_create_block to create a nlm_block struct and then failed to init these circular chains. The result was that SETLKW operations resulted in the NULL pointer being used if the request blocked. This, however, now appears to be a much more prevalent problem that is happening more than reported in defect #24.
within this report 'defect #24' = bugzilla entry #19267
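A user-space model of the failure the report describes, added here as an illustration and not code from the kernel or from this report: the `file_lock` stand-in, `list_head_is_initialized`, `looks_busy` and the two alloc helpers are hypothetical names. It shows why a zeroed list_head is not the same as an initialised one: list_empty() only recognises a head whose next link points back at itself, so a NULL-linked head reads as "still on a list" and any unlink through it would dereference NULL.

```c
#include <string.h>

/* User-space model of the kernel's intrusive list (same shape as
 * include/linux/list.h): an unlinked head is a circular chain of one,
 * so list_empty() means "next points back at the head itself". */
struct list_head { struct list_head *next, *prev; };
#define INIT_LIST_HEAD(ptr) do { (ptr)->next = (ptr); (ptr)->prev = (ptr); } while (0)
static int list_empty(const struct list_head *head) { return head->next == head; }

/* Hypothetical stand-in for struct file_lock; the two heads model the fields
 * the report says arrive uninitialised (fl_block and fl_wait.task_list). */
struct file_lock { int fl_pid; struct list_head fl_block, fl_wait_task_list; };
/* Defensive check: a head straight out of a zeroed allocation still has NULL
 * links, which any list_add()/list_del() through it would dereference. */
static int list_head_is_initialized(const struct list_head *h)
{
    return h->next != NULL && h->prev != NULL;
}
/* "Before": zeroed allocation only, the situation the report describes. */
static void file_lock_alloc_buggy(struct file_lock *fl, int pid)
{
    memset(fl, 0, sizeof(*fl));
    fl->fl_pid = pid;
}
/* "After": every embedded list_head made a circular singleton. */
static void file_lock_alloc_fixed(struct file_lock *fl, int pid)
{
    file_lock_alloc_buggy(fl, pid);
    INIT_LIST_HEAD(&fl->fl_block);
    INIT_LIST_HEAD(&fl->fl_wait_task_list);
}
/* What a free routine's sanity check sees: a zeroed head is not "empty"
 * (next is NULL, not the head), so the lock looks as if it were still queued. */
static int looks_busy(const struct file_lock *fl)
{
    return !list_empty(&fl->fl_block) || !list_empty(&fl->fl_wait_task_list);
}

/* 1 if the zeroed lock is flagged uninitialised and misreported as busy. */
static int buggy_lock_is_misreported(void)
{
    struct file_lock fl; file_lock_alloc_buggy(&fl, 1);
    return !list_head_is_initialized(&fl.fl_block) && looks_busy(&fl);
}
/* 1 if the properly initialised lock passes both checks. */
static int fixed_lock_is_clean(void)
{
    struct file_lock fl; file_lock_alloc_fixed(&fl, 2);
    return list_head_is_initialized(&fl.fl_block) && !looks_busy(&fl);
}
```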
Thanks for the bug report. However, Red Hat no longer maintains this version of the product. Please upgrade to the latest version and open a new bug if the problem persists. The Fedora Legacy project (http://fedoralegacy.org/) maintains some older releases, and if you believe this bug is interesting to them, please report the problem in the bug tracker at: http://bugzilla.fedora.us/