Bactrace:
========

(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x00002aaaaad001f9 in rbthash_key_bucket (tbl=0x2aaab4038270, key=0x71febf, keylen=12) at rbthash.c:272
#2  0x00002aaaaad00324 in rbthash_get (tbl=0x2aaab4038270, key=0x71febf, keylen=12) at rbthash.c:291
#3  0x00002aaaac5a3cae in sp_cache_get_entry (cache=0x2aaab430cd30, name=0x71febf "FASTENER.MDB", 
    entry=0x41400fa0) at stat-prefetch.c:204
#4  0x00002aaaac5a4f17 in sp_lookup (frame=0x66de50, this=0x612070, loc=0x7f4578, xattr_req=0x6654a0)
    at stat-prefetch.c:789
#5  0x00002aaaac7bc17a in fuse_forget (req=0x2aaaac7bbdb7, ino=6741584, nlookup=6365296) at fuse-bridge.c:464
#6  0x00002aaaac7c5581 in fuse_thread_proc (data=0x612900) at fuse-bridge.c:2531
#7  0x00002aaaab144367 in start_thread () from /lib64/libpthread.so.0
#8  0x00002aaaab42cf7d in clone () from /lib64/libc.so.6
(gdb) info thr
  3 process 12491  0x00002aaaab42d368 in epoll_wait () from /lib64/libc.so.6
  2 process 12492  0x00002aaaab3f3761 in nanosleep () from /lib64/libc.so.6
* 1 process 12496  0x0000000000000000 in ?? ()
(gdb) f 3
#3  0x00002aaaac5a3cae in sp_cache_get_entry (cache=0x2aaab430cd30, name=0x71febf "FASTENER.MDB", 
    entry=0x41400fa0) at stat-prefetch.c:204
204                     tmp = rbthash_get (cache->table, name, strlen (name));
(gdb) p *cache
$12 = {table = 0x2aaab4038270, expected_offset = 0, lock = 0, miss = 0, hits = 0}
(gdb) p *cache->table
$13 = {size = 0, numbuckets = 0, entrypool = 0x35, tablelock = 0, buckets = 0x2400000004000000, hashfunc = 0, 
  dfunc = 0}

The cache being used here is already freed. This might've got freed in sp_readdir - sp_readdir frees the cache if the directory is not read at continuous offsets. 

As a fix, sp_readdir should not free the cache. Instead, it can remove all the entries from cache and it will server the same purpose.

A foolproof fix should keep reference counts on cache and it should be freed only reference count hits zero.