btrfs send BUG or NULL pointer dereference

Bug #2015164 reported by Thadeu Lima de Souza Cascardo
This bug affects 1 person
Affects               Status      Importance   Assigned to   Milestone
ubuntu-kernel-tests   Triaged     Medium       Unassigned
linux (Ubuntu)        Invalid     Undecided    Unassigned
Xenial                Won't Fix   Low          Unassigned

Bug Description

When running xfstests btrfs/187, btrfs send will cause a NULL pointer dereference or a BUG.

[ 308.924126] BTRFS error (device xvdb2): did not find backref in send_root. inode=44681, offset=0, disk_byte=3193700352 found extent=3193700352
[ 310.054883] BTRFS info (device xvdb2): found 15529 extents
[ 310.099436] BTRFS info (device xvdb2): relocating block group 4194304 flags 4
[ 310.369359] BTRFS info (device xvdb2): found 473 extents
[ 310.393830] BTRFS info (device xvdb2): relocating block group 0 flags 2
[ 310.420026] BTRFS info (device xvdb2): found 1 extents
[ 311.561421] BTRFS info (device xvdb2): relocating block group 7000293376 flags 2
[ 311.592206] BTRFS info (device xvdb2): relocating block group 6731857920 flags 4
[ 312.268390] BTRFS error (device xvdb2): parent transid verify failed on 6483984384 wanted 25 found 54
[ 312.277947] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 312.285471] IP: [<ffffffffc015aa1f>] read_extent_buffer+0x1f/0x190 [btrfs]
[ 312.285471] PGD 80000000c3509067 PUD c350a067 PMD 0
[ 312.285471] Oops: 0000 [#1] SMP
[ 312.285471] Modules linked in: lkp_Ubuntu_4_4_0_1128_142_aws_83(OE) binfmt_misc serio_raw ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd
[ 312.285471] CPU: 0 PID: 1464 Comm: btrfs Tainted: G OE K 4.4.0-1128-aws #142-Ubuntu
[ 312.285471] Hardware name: Xen HVM domU, BIOS 4.2.amazon 08/24/2006
[ 312.285471] task: ffff8800e8f57000 ti: ffff8800c3518000 task.ti: ffff8800c3518000
[ 312.285471] RIP: 0010:[<ffffffffc015aa1f>] [<ffffffffc015aa1f>] read_extent_buffer+0x1f/0x190 [btrfs]
[ 312.285471] RSP: 0018:ffff8800c351bb38 EFLAGS: 00010292
[ 312.285471] RAX: 0000000000000000 RBX: 0000000000000011 RCX: 0000000000000011
[ 312.285471] RDX: 0000000000000065 RSI: ffff8800c351bb97 RDI: 0000000000000000
[ 312.285471] RBP: ffff8800c351bb68 R08: 0000000181400000 R09: 0000000191400000
[ 312.421177] R10: ffffea0002a021c0 R11: 0000000000000000 R12: ffff8800c351bb97
[ 312.421177] R13: ffff8800c351bc45 R14: 0000000000000000 R15: ffff8800c351bc3c
[ 312.421177] FS: 00007fd136bdd8c0(0000) GS:ffff88010b200000(0000) knlGS:0000000000000000
[ 312.421177] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 312.421177] CR2: 0000000000000000 CR3: 00000000c34dc000 CR4: 0000000000160670
[ 312.421177] Stack:
[ 312.421177] 0000000000000674 ffff8800b62d3d80 0000000000000000 ffff8800c351bc45
[ 312.421177] 0000000000000002 ffff8800c351bc3c ffff8800c351bb78 ffffffffc014fba2
[ 312.421177] ffff8800c351bbd8 ffffffffc01088df ffff8800c351bc45 0eff8800c1d2d000
[ 312.421177] Call Trace:
[ 312.421177] [<ffffffffc014fba2>] btrfs_node_key+0x22/0x30 [btrfs]
[ 312.421177] [<ffffffffc01088df>] tree_advance+0x12f/0x1d0 [btrfs]
[ 312.421177] [<ffffffffc0112304>] btrfs_compare_trees+0x264/0x720 [btrfs]
[ 312.492582] BTRFS info (device xvdb2): found 2362 extents
[ 312.421177] [<ffffffffc01a7050>] ? process_all_refs+0x200/0x200 [btrfs]
[ 312.421177] [<ffffffffc01a8b92>] btrfs_ioctl_send+0xf62/0x11c0 [btrfs]
[ 312.421177] [<ffffffff811f5f07>] ? ___slab_alloc+0x207/0x4b0
[ 312.421177] [<ffffffff810ba729>] ? update_curr+0x79/0x170
[ 312.421177] [<ffffffffc016ff2d>] btrfs_ioctl+0x29d/0x26a0 [btrfs]
[ 312.421177] [<ffffffff810ba8f1>] ? update_cfs_shares+0xb1/0xf0
[ 312.530672] BTRFS info (device xvdb2): relocating block group 6463422464 flags 4
[ 312.421177] [<ffffffff810bac3a>] ? check_preempt_wakeup+0xfa/0x220
[ 312.421177] [<ffffffff8122ca5f>] do_vfs_ioctl+0x2af/0x4b0
[ 312.421177] [<ffffffff810838ac>] ? _do_fork+0xec/0x360
[ 312.421177] [<ffffffff8122ccd9>] SyS_ioctl+0x79/0x90
[ 312.421177] [<ffffffff8184905b>] entry_SYSCALL_64_fastpath+0x22/0xd0
[ 312.421177] Code: 40 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 49 89 fe 53 49 89 f4 48 89 cb 48 83 ec 08 <48> 8b 3f 49 8b 4e 08 48 89 fe 81 e6 ff 0f 00 00 4c 8d 2c 16 4d
[ 312.421177] RIP [<ffffffffc015aa1f>] read_extent_buffer+0x1f/0x190 [btrfs]
[ 312.421177] RSP <ffff8800c351bb38>
[ 312.421177] CR2: 0000000000000000
[ 312.623966] ---[ end trace 6b9120b9ed5a31b6 ]---

Thadeu Lima de Souza Cascardo (cascardo) wrote :

btrfs send ioctl requires CAP_SYS_ADMIN on the initial user namespace.

Changed in linux (Ubuntu):
status: New → Invalid
Changed in linux (Ubuntu Xenial):
status: New → Won't Fix
importance: Undecided → Low
Thadeu Lima de Souza Cascardo (cascardo) wrote :

Adding ubuntu-kernel-tests as this won't be fixed in the kernel, so we should skip this particular test when running on 4.4.

Cascardo.

Changed in ubuntu-kernel-tests:
importance: Undecided → Medium
status: New → Triaged
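
Added example, not part of the original report or of any Ubuntu tooling: a small Python triage pass over the oops above that separates reliable call-trace frames from "?" stack guesses and checks whether the fault sits under btrfs_ioctl_send, the ioctl the first comment notes is gated on CAP_SYS_ADMIN. The function name triage, the result keys and the CR2-below-4096 heuristic for a NULL-page dereference are assumptions of this example; the sample lines are an excerpt of the log in the bug description.

```python
import re

# Excerpt of the oops lines from the bug description (timestamps kept as logged).
SAMPLE = """\
[ 312.277947] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 312.285471] IP: [<ffffffffc015aa1f>] read_extent_buffer+0x1f/0x190 [btrfs]
[ 312.421177] Call Trace:
[ 312.421177] [<ffffffffc014fba2>] btrfs_node_key+0x22/0x30 [btrfs]
[ 312.421177] [<ffffffffc01088df>] tree_advance+0x12f/0x1d0 [btrfs]
[ 312.421177] [<ffffffffc0112304>] btrfs_compare_trees+0x264/0x720 [btrfs]
[ 312.492582] BTRFS info (device xvdb2): found 2362 extents
[ 312.421177] [<ffffffffc01a7050>] ? process_all_refs+0x200/0x200 [btrfs]
[ 312.421177] [<ffffffffc01a8b92>] btrfs_ioctl_send+0xf62/0x11c0 [btrfs]
[ 312.421177] [<ffffffff811f5f07>] ? ___slab_alloc+0x207/0x4b0
[ 312.421177] [<ffffffffc016ff2d>] btrfs_ioctl+0x29d/0x26a0 [btrfs]
[ 312.421177] [<ffffffff8122ca5f>] do_vfs_ioctl+0x2af/0x4b0
[ 312.421177] [<ffffffff8122ccd9>] SyS_ioctl+0x79/0x90
[ 312.421177] CR2: 0000000000000000
[ 312.623966] ---[ end trace 6b9120b9ed5a31b6 ]---
"""

STAMP = re.compile(r"^\[\s*\d+\.\d+\]\s*")
FRAME = re.compile(r"^\[<[0-9a-f]+>\]\s+(\?\s+)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[(\w+)\])?")

def triage(log):
    """Summarise one 4.4-style x86-64 oops: fault site, CR2, reliable call chain."""
    out = {"fault": None, "module": None, "cr2": None, "chain": [], "guesses": []}
    in_trace = False
    for raw in log.splitlines():
        line = STAMP.sub("", raw)
        if line.startswith("IP: "):
            m = FRAME.match(line[4:])
            if m:
                out["fault"], out["module"] = m.group(2), m.group(3)
        elif line.startswith("CR2: "):
            out["cr2"] = int(line.split()[1], 16)  # faulting address
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif line.startswith("---[ end trace"):
            in_trace = False
        elif in_trace:
            m = FRAME.match(line)
            if m:  # interleaved non-frame lines (e.g. "BTRFS info") are skipped
                (out["guesses"] if m.group(1) else out["chain"]).append(m.group(2))
    out["null_deref"] = out["cr2"] is not None and out["cr2"] < 4096  # heuristic
    out["via_send_ioctl"] = "btrfs_ioctl_send" in out["chain"]
    return out
```
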