--- sys/fs/nfsserver/nfs_nfsdstate.c.clnt	2021-05-05 20:14:05.175494000 -0700
+++ sys/fs/nfsserver/nfs_nfsdstate.c	2021-05-05 20:42:04.839216000 -0700
@@ -721,8 +721,8 @@ nfsrv_getclient(nfsquad_t clientid, int opflags, struc
 				    cbprogram, NFSV4_CBVERS);
 			    if (clp->lc_req.nr_client != NULL) {
 				SVC_ACQUIRE(nd->nd_xprt);
-				nd->nd_xprt->xp_p2 =
-				    clp->lc_req.nr_client->cl_private;
+				CLNT_ACQUIRE(clp->lc_req.nr_client);
+				nd->nd_xprt->xp_p2 = clp->lc_req.nr_client;
 				/* Disable idle timeout. */
 				nd->nd_xprt->xp_idletimeout = 0;
 				nsep->sess_cbsess.nfsess_xprt = nd->nd_xprt;
@@ -6463,8 +6463,8 @@ nfsrv_bindconnsess(struct nfsrv_descript *nd, uint8_t 
 				    "backchannel\n");
 				savxprt = sep->sess_cbsess.nfsess_xprt;
 				SVC_ACQUIRE(nd->nd_xprt);
-				nd->nd_xprt->xp_p2 =
-				    clp->lc_req.nr_client->cl_private;
+				CLNT_ACQUIRE(clp->lc_req.nr_client);
+				nd->nd_xprt->xp_p2 = clp->lc_req.nr_client;
 				/* Disable idle timeout. */
 				nd->nd_xprt->xp_idletimeout = 0;
 				sep->sess_cbsess.nfsess_xprt = nd->nd_xprt;
--- sys/rpc/svc_vc.c.clnt	2021-05-05 20:05:38.810625000 -0700
+++ sys/rpc/svc_vc.c	2021-05-06 14:31:10.166944000 -0700
@@ -500,6 +500,7 @@ static void
 svc_vc_destroy(SVCXPRT *xprt)
 {
 	struct cf_conn *cd = (struct cf_conn *)xprt->xp_p1;
+	CLIENT *cl = (CLIENT *)xprt->xp_p2;
 
 	SOCKBUF_LOCK(&xprt->xp_socket->so_rcv);
 	if (xprt->xp_upcallset) {
@@ -508,6 +509,9 @@ svc_vc_destroy(SVCXPRT *xprt)
 			soupcall_clear(xprt->xp_socket, SO_RCV);
 	}
 	SOCKBUF_UNLOCK(&xprt->xp_socket->so_rcv);
+
+	if (cl != NULL)
+		CLNT_RELEASE(cl);
 
 	svc_vc_destroy_common(xprt);
 
--- sys/rpc/clnt_bck.c.clnt	2021-05-05 19:53:05.810323000 -0700
+++ sys/rpc/clnt_bck.c	2021-05-06 14:49:10.706725000 -0700
@@ -566,15 +566,26 @@ clnt_bck_destroy(CLIENT *cl)
 /*
  * This call is done by the svc code when a backchannel RPC reply is
  * received.
+ * For the server end, where callback RPCs to the client are performed,
+ * xp_p2 points to the "CLIENT" and not the associated "struct ct_data"
+ * so that svc_vc_destroy() can CLNT_RELEASE() the reference count on it.
  */
 void
 clnt_bck_svccall(void *arg, struct mbuf *mrep, uint32_t xid)
 {
-	struct ct_data *ct = (struct ct_data *)arg;
+	CLIENT *cl = (CLIENT *)arg;
+	struct ct_data *ct;
 	struct ct_request *cr;
 	int foundreq;
 
+	ct = (struct ct_data *)cl->cl_private;
 	mtx_lock(&ct->ct_lock);
+	if (ct->ct_closing || ct->ct_closed) {
+		mtx_unlock(&ct->ct_lock);
+		m_freem(mrep);
+		return;
+	}
+
 	ct->ct_upcallrefs++;
 	/*
 	 * See if we can match this reply to a request.