- Bug
- Resolution: Unresolved
- rhel-9.2.0
- Low
- rhel-sst-filesystems
- ssg_filesystems_storage_and_HA
Description of problem:
When running the NFS regression tests against a debug kernel, I hit this BUG twice:
====
[ 812.539117] BUG: KASAN: use-after-free in nfsd4_cb_prepare+0x227/0x250 [nfsd]
[ 812.546301] Read of size 8 at addr ff11000129b72cc0 by task kworker/u226:1/26363
[ 812.553704]
[ 812.555204] CPU: 85 PID: 26363 Comm: kworker/u226:1 Kdump: loaded Not tainted 5.14.0-163.el9.x86_64+debug #1
[ 812.565029] Hardware name: Dell Inc. PowerEdge R750/0PJ80M, BIOS 1.5.4 12/17/2021
[ 812.572509] Workqueue: rpciod rpc_async_schedule [sunrpc]
[ 812.577969] Call Trace:
[ 812.580427] dump_stack_lvl+0x57/0x81
[ 812.584098] print_address_description.constprop.0+0x1f/0x140
[ 812.589856] ? nfsd4_cb_prepare+0x227/0x250 [nfsd]
[ 812.594689] __kasan_report.cold+0x7f/0x122
[ 812.598888] ? nfsd4_cb_prepare+0x227/0x250 [nfsd]
[ 812.603715] ? __rpc_atrun+0x60/0x60 [sunrpc]
[ 812.608119] kasan_report+0x38/0x50
[ 812.611615] nfsd4_cb_prepare+0x227/0x250 [nfsd]
[ 812.616274] ? __rpc_atrun+0x60/0x60 [sunrpc]
[ 812.620681] __rpc_execute+0x1a4/0xdf0 [sunrpc]
[ 812.625281] rpc_async_schedule+0x9f/0x140 [sunrpc]
[ 812.630206] process_one_work+0x8c8/0x1590
[ 812.634326] ? __lock_acquired+0x209/0x890
[ 812.638429] ? pwq_dec_nr_in_flight+0x230/0x230
[ 812.642973] ? __lock_contended+0x980/0x980
[ 812.647177] ? worker_thread+0x157/0x1010
[ 812.651204] worker_thread+0x59b/0x1010
[ 812.655069] ? process_one_work+0x1590/0x1590
[ 812.659434] kthread+0x361/0x420
[ 812.662670] ? _raw_spin_unlock_irq+0x24/0x50
[ 812.667036] ? set_kthread_struct+0x110/0x110
[ 812.671403] ret_from_fork+0x1f/0x30
[ 812.675017]
[ 812.676517] Allocated by task 19249:
[ 812.680096] kasan_save_stack+0x1e/0x50
[ 812.683936] __kasan_slab_alloc+0x66/0x80
[ 812.687948] kmem_cache_alloc+0x161/0x310
[ 812.691964] nfs4_alloc_stid+0x29/0x430 [nfsd]
[ 812.696575] nfs4_set_delegation+0x260/0x1090 [nfsd]
[ 812.701706] nfs4_open_delegation+0x29c/0x7a0 [nfsd]
[ 812.706837] nfsd4_process_open2+0xeeb/0x1e70 [nfsd]
[ 812.711966] nfsd4_open+0xc5d/0x11c0 [nfsd]
[ 812.716310] nfsd4_proc_compound+0xdbc/0x25a0 [nfsd]
[ 812.721438] nfsd_dispatch+0x4dc/0xcd0 [nfsd]
[ 812.725946] svc_process_common+0x1140/0x1c40 [sunrpc]
[ 812.731321] svc_process+0x38b/0x590 [sunrpc]
[ 812.735923] nfsd+0x281/0x3f0 [nfsd]
[ 812.739650] kthread+0x361/0x420
[ 812.742897] ret_from_fork+0x1f/0x30
[ 812.746484]
[ 812.747983] Freed by task 19247:
[ 812.751216] kasan_save_stack+0x1e/0x50
[ 812.755055] kasan_set_track+0x21/0x30
[ 812.758808] kasan_set_free_info+0x20/0x40
[ 812.762916] __kasan_slab_free+0xec/0x120
[ 812.766929] slab_free_freelist_hook+0xa3/0x1d0
[ 812.771468] kmem_cache_free+0x118/0x4b0
[ 812.775397] nfs4_free_deleg+0x14/0x40 [nfsd]
[ 812.779791] nfs4_put_stid+0x29f/0x430 [nfsd]
[ 812.784184] nfsd4_free_stateid+0x30a/0x570 [nfsd]
[ 812.789012] nfsd4_proc_compound+0xdbc/0x25a0 [nfsd]
[ 812.794012] nfsd_dispatch+0x4dc/0xcd0 [nfsd]
[ 812.798406] svc_process_common+0x1140/0x1c40 [sunrpc]
[ 812.803596] svc_process+0x38b/0x590 [sunrpc]
[ 812.807998] nfsd+0x281/0x3f0 [nfsd]
[ 812.811605] kthread+0x361/0x420
[ 812.814838] ret_from_fork+0x1f/0x30
[ 812.818427]
[ 812.819925] Last potentially related work creation:
[ 812.824805] kasan_save_stack+0x1e/0x50
[ 812.828645] __kasan_record_aux_stack+0xb2/0xc0
[ 812.833185] insert_work+0x47/0x310
[ 812.836678] __queue_work+0x4dd/0xd60
[ 812.840342] queue_work_on+0x7f/0x90
[ 812.843923] nfsd4_run_cb+0x51/0x80 [nfsd]
[ 812.848057] nfsd_break_deleg_cb+0x16d/0x390 [nfsd]
[ 812.852971] __break_lease+0x331/0x10a0
[ 812.856810] do_dentry_open+0x3c8/0xec0
[ 812.860649] do_open+0x69c/0xec0
[ 812.863882] path_openat+0x281/0x680
[ 812.867461] do_filp_open+0x1aa/0x3f0
[ 812.871128] do_sys_openat2+0x126/0x410
[ 812.874968] __x64_sys_openat+0x11f/0x1e0
[ 812.878978] do_syscall_64+0x59/0x90
[ 812.882559] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 812.887620]
[ 812.889119] The buggy address belongs to the object at ff11000129b72be0
[ 812.889119] which belongs to the cache nfsd4_delegations of size 368
[ 812.902147] The buggy address is located 224 bytes inside of
[ 812.902147] 368-byte region [ff11000129b72be0, ff11000129b72d50)
[ 812.913880] The buggy address belongs to the page:
[ 812.918675] page:0000000014fe62d9 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x129b70
[ 812.928068] head:0000000014fe62d9 order:2 compound_mapcount:0 compound_pincount:0
[ 812.935546] flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
[ 812.942951] raw: 0017ffffc0010200 0000000000000000 dead000000000122 ff110002d6e4de00
[ 812.950699] raw: 0000000000000000 0000000000250025 00000001ffffffff 0000000000000000
[ 812.958443] page dumped because: kasan: bad access detected
[ 812.964018]
[ 812.965517] Memory state around the buggy address:
[ 812.970308] ff11000129b72b80: 00 00 00 00 fc fc fc fc fc fc fc fc fa fb fb fb
[ 812.977530] ff11000129b72c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 812.984756] >ff11000129b72c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 812.991975] ^
[ 812.997290] ff11000129b72d00: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[ 813.004507] ff11000129b72d80: fc fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 813.011726] ==================================================================
[ 813.018945] Disabling lock debugging due to kernel taint
Version-Release number of selected component (if applicable):
5.14.0-163.el9.x86_64+debug
How reproducible:
Happens occasionally
Steps to Reproduce:
1. clone beaker job: https://beaker.engineering.redhat.com/jobs/7010492
console log: https://beaker-archive.host.prod.eng.bos.redhat.com/beaker-logs/2022/09/70104/7010492/12605873/console.log
Beaker job: https://beaker.engineering.redhat.com/recipes/12563945#task149870891
console log: https://beaker-archive.host.prod.eng.bos.redhat.com/beaker-logs/2022/09/69839/6983964/12563945/console.log
Actual results:
BUG reported
Expected results:
no BUG in call trace
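
A small triage helper for reports like the one above, as an added example that is not part of the original bug report: it extracts the access site, the slab cache, and the module frames of the alloc, free and work-queue stacks from KASAN text, and recomputes the offset of the bad access inside the object. `triage`, `REPORT` and the regexes are hypothetical names; the sample input is abridged from the log on this page.

```python
import re

# Abridged from the KASAN report on this page (frames trimmed for brevity).
REPORT = """\
[ 812.539117] BUG: KASAN: use-after-free in nfsd4_cb_prepare+0x227/0x250 [nfsd]
[ 812.546301] Read of size 8 at addr ff11000129b72cc0 by task kworker/u226:1/26363
[ 812.676517] Allocated by task 19249:
[ 812.680096] kasan_save_stack+0x1e/0x50
[ 812.687948] kmem_cache_alloc+0x161/0x310
[ 812.691964] nfs4_alloc_stid+0x29/0x430 [nfsd]
[ 812.747983] Freed by task 19247:
[ 812.751216] kasan_save_stack+0x1e/0x50
[ 812.771468] kmem_cache_free+0x118/0x4b0
[ 812.775397] nfs4_free_deleg+0x14/0x40 [nfsd]
[ 812.784184] nfsd4_free_stateid+0x30a/0x570 [nfsd]
[ 812.819925] Last potentially related work creation:
[ 812.836678] __queue_work+0x4dd/0xd60
[ 812.843923] nfsd4_run_cb+0x51/0x80 [nfsd]
[ 812.889119] The buggy address belongs to the object at ff11000129b72be0
[ 812.889119] which belongs to the cache nfsd4_delegations of size 368
"""

STAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg timestamp prefix
FRAME = re.compile(r"^\??\s*([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?$")
SECTIONS = {"Allocated by task": "alloc", "Freed by task": "free",
            "Last potentially related work creation": "queued"}

def triage(report):
    """Summarise one KASAN report: site, cache, offset, per-section module frames."""
    out = {"stacks": {}}
    current = None
    for raw in report.splitlines():
        line = STAMP.sub("", raw).strip()
        if m := re.match(r"BUG: KASAN: (\S+) in ([\w.]+)\+", line):
            out["kind"], out["site"] = m.groups()
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", line):
            out["access"], out["addr"] = f"{m[1]} {m[2]}", int(m[3], 16)
        elif m := re.search(r"belongs to the object at ([0-9a-f]+)", line):
            out["object"], current = int(m[1], 16), None  # stack sections end here
        elif m := re.search(r"cache (\S+) of size (\d+)", line):
            out["cache"], out["size"] = m[1], int(m[2])
        elif key := next((v for k, v in SECTIONS.items() if line.startswith(k)), None):
            current = key
        elif current and (m := FRAME.match(line)) and m[2]:
            # keep only frames that live in a module, e.g. [nfsd]
            out["stacks"].setdefault(current, []).append(m[1])
    out["offset"] = out["addr"] - out["object"]  # bytes into the freed object
    return out
```

On the excerpt, the summary puts the freeing path (`nfsd4_free_stateid` to `nfs4_free_deleg`) next to the callback work queued by `nfsd4_run_cb`, and the recomputed offset matches the "224 bytes inside" line of the report.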