I'm on the latest 4.1 clone and seem to occasionally run into this crash:
#0 0x00007f7bd49e15ce in update_dlg_timer (tl=0x58, timeout=10) at dlg_timer.c:203
#1 0x00007f7bd49cf35a in dlg_clean_run (ti=73979985) at dlg_hash.c:253
#2 0x00007f7bd49b90ec in dlg_clean_timer_exec (ticks=73979985, param=0x0) at dialog.c:1246
#3 0x0000000000537091 in fork_sync_timer (child_id=-1, desc=0x7f7bd49ec431 "Dialog Clean Timer", make_sock=1, f=0x7f7bd49b90d3 <dlg_clean_timer_exec>, param=0x0, interval=90) at timer_proc.c:232
#4 0x00007f7bd49b5b7b in child_init (rank=0) at dialog.c:733
The address of 'tl' appears to be bogus; that doesn't look like a valid 64-bit vmem address to me.
I'm investigating further to see if I can track it down, but I don't have much more information right now.
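As an added illustration (not code from this report or from Kamailio), the C program below shows why a tiny pointer such as 0x58 is the classic signature of a struct member address computed from a NULL base: the compiler just adds the member's offset to the base, so `&cell->tl` with `cell == NULL` evaluates to the bare offset. The `dialog_cell` / `timer_link` layouts and the 4096-byte "null page" threshold are constructed assumptions for the example, chosen only so that `tl` lands at offset 0x58; the real dlg_cell layout is not reproduced. The hardened `safe_update_timer` refuses such a link and reports it instead of dereferencing it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the dialog structures (hypothetical; the real
 * Kamailio dlg_cell/dlg_tl layouts are not reproduced). The padding is sized
 * so that `tl` lands at byte offset 0x58, matching the tl value in the
 * reported backtrace. */
struct timer_link {
    struct timer_link *next;
    struct timer_link *prev;
    unsigned int timeout;
};

struct dialog_cell {
    unsigned int h_id;
    unsigned int h_entry;
    unsigned char pad[0x50];   /* hypothetical other fields: 8 + 0x50 = 0x58 */
    struct timer_link tl;      /* timer link embedded in the cell */
};

/* Byte offset of the embedded timer link inside the cell. */
size_t dialog_tl_offset(void) {
    return offsetof(struct dialog_cell, tl);
}

/* What `&cell->tl` evaluates to for a given base address: the compiler
 * simply adds the member offset, so a NULL base yields the bare offset.
 * Done on integers here so the example never dereferences NULL itself. */
uintptr_t tl_addr_from_base(uintptr_t cell_base) {
    return cell_base + dialog_tl_offset();
}

/* Debugging heuristic: user-space mappings never start in the lowest page
 * (Linux refuses them below vm.mmap_min_addr), so a pointer below 4096 can
 * only be a NULL-derived value. 4096 is a conservative assumption here,
 * not a kernel constant. */
int looks_like_null_offset(uintptr_t p) {
    return p < 4096;
}

/* Hardened form of a timer update: refuse a link whose address is a
 * NULL-relative offset and report it, instead of crashing on it. */
int safe_update_timer(struct timer_link *tl, unsigned int timeout) {
    if (tl == NULL || looks_like_null_offset((uintptr_t)tl)) {
        fprintf(stderr, "update_timer: bogus timer link %p (NULL cell?)\n",
                (void *)tl);
        return -1;
    }
    tl->timeout = timeout;
    return 0;
}

/* Update a real, stack-allocated cell and return the stored timeout. */
unsigned int update_real_cell_timeout(unsigned int timeout) {
    struct dialog_cell cell = {0};
    if (safe_update_timer(&cell.tl, timeout) != 0)
        return 0;
    return cell.tl.timeout;
}

int main(void) {
    printf("offsetof(tl)  = 0x%zx\n", dialog_tl_offset());
    printf("&NULL->tl     = 0x%lx\n", (unsigned long)tl_addr_from_base(0));
    int bogus = safe_update_timer((struct timer_link *)tl_addr_from_base(0), 10);
    printf("bogus link    -> %d\n", bogus);
    printf("real link     -> timeout=%u\n", update_real_cell_timeout(10));
    return 0;
}
```

When a backtrace shows a small pointer argument like this, the useful next question is which caller passed a NULL (or freed-then-zeroed) cell into the timer code, since the faulting frame itself is only computing base plus offset.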