So we have called a function pointer which was NULL.

There a lots of function pointers in use in this code.
There is the 'acceptable' function.  There is ->fh_to_dentry
and ->fh_to_parent.  And various inode operations line ->lookup, but

I guess this is where the call came from.
exportfs_decode_fh is never passed NULL for 'acceptable'.  Only
ever 'nfsd_acceptable'.
->fh_to_parent is tested for NULL before being called, and
->fh_to_dentry is called very early in exportfs_decode_fh, where as
the bad call is 0xa8 in to the function.

Is it possible that ->fh_to_parent is being changed immediately after
being tested for NULL and before being dereferenced.  That seems
unlikely.

What filesystem is being exported here?

Can you get an assembly version of exportfs_decode_fh, so we can check
what is happening at 0xa8 (and 0x4c).
Either "disassemble exportfs_decode_fh" in gdb, or 
make fs/exportfs/expfs.i
(I think).

--

[ message continues ]

Dump of assembler code for function exportfs_decode_fh:
0xc015b7cc <exportfs_decode_fh+0>:      mflr    r0
0xc015b7d0 <exportfs_decode_fh+4>:      stw     r0,4(r1)
0xc015b7d4 <exportfs_decode_fh+8>:      bl      0xc0013154 <_mcount>
0xc015b7d8 <exportfs_decode_fh+12>:     stwu    r1,-304(r1)
0xc015b7dc <exportfs_decode_fh+16>:     mflr    r0
0xc015b7e0 <exportfs_decode_fh+20>:     stmw    r22,264(r1)
0xc015b7e4 <exportfs_decode_fh+24>:     mr      r27,r3
0xc015b7e8 <exportfs_decode_fh+28>:     mr      r31,r1
0xc015b7ec <exportfs_decode_fh+32>:     stw     r0,308(r1)
0xc015b7f0 <exportfs_decode_fh+36>:     mr      r25,r7
0xc015b7f4 <exportfs_decode_fh+40>:     mr      r26,r8
0xc015b7f8 <exportfs_decode_fh+44>:     mr      r29,r4
0xc015b7fc <exportfs_decode_fh+48>:     mr      r24,r5
0xc015b800 <exportfs_decode_fh+52>:     mr      r23,r6
0xc015b804 <exportfs_decode_fh+56>:     lwz     r3,20(r3)
0xc015b808 <exportfs_decode_fh+60>:     lwz     r30,48(r3)
0xc015b80c <exportfs_decode_fh+64>:     lwz     r0,4(r30)
0xc015b810 <exportfs_decode_fh+68>:     mtctr   r0
0xc015b814 <exportfs_decode_fh+72>:     bctrl
0xc015b818 <exportfs_decode_fh+76>:     mr.     r28,r3
0xc015b81c <exportfs_decode_fh+80>:     bne+    0xc015b824 <exportfs_decode_fh+88>
0xc015b820 <exportfs_decode_fh+84>:     li      r28,-116
0xc015b824 <exportfs_decode_fh+88>:     li      r22,-4096
0xc015b828 <exportfs_decode_fh+92>:     cmplw   cr7,r28,r22
0xc015b82c <exportfs_decode_fh+96>:     bgt-    cr7,0xc015b9b0 <exportfs_decode_fh+484>
0xc015b830 <exportfs_decode_fh+100>:    lwz     r9,8(r28)
0xc015b834 <exportfs_decode_fh+104>:    lhz     r0,114(r9)
0xc015b838 <exportfs_decode_fh+108>:    rlwinm  r0,r0,0,16,19
0xc015b83c <exportfs_decode_fh+112>:    cmpwi   cr7,r0,16384
0xc015b840 <exportfs_decode_fh+116>:    bne-    cr7,0xc015b880 <exportfs_decode_fh+180>
0xc015b844 <exportfs_decode_fh+120>:    lwz     r0,4(r28)
0xc015b848 <exportfs_decode_fh+124>:    andi.   r9,r0,4
0xc015b84c <exportfs_decode_fh+128>:    beq- ...
[ message continues ]