The interaction between msg_dgm_ref_recv() and msg_dgm_ref_destructor() doesn't allow two references from messaging_dgm_ref() to be free'd during the loop in msg_dgm_ref_recv(). In addition to the global 'refs' list, we also need to have a global 'next_ref' pointer, which can be cleared in msg_dgm_ref_destructor(). As AD DC we hit this when using irpc in auth_winbind.
Fixed by commit 1a9d6ce58939678f88b3081fb91c3309ff3cddb7 in 4.9.0rc1