Date: Tue, 10 Sep 2013 19:43:24 +0100
From: Al Viro <>
Subject: Re: kernel BUG at fs/dcache.c:648! with v3.11-7890-ge5c832d
On Tue, Sep 10, 2013 at 11:25:44AM -0700, Linus Torvalds wrote:
> nd->flags &= ~LOOKUP_RCU;
> if (!(nd->flags & LOOKUP_ROOT))
>         nd->root.mnt = NULL;
> unlock_rcu_walk();
>
> and my unlazy_walk() essentially terminated the walk _without_
> clearing that nd->root.mnt thing (it did clear the LOOKUP_RCU bit and
> unlock_rcu_walk()). So then later, we'd end up doing an extra
> path_put(). Explaining a zero d_lockref.count.
>
> The whole damn root.mnt behavior with !LOOKUP_ROOT is a mystery and
> needs more comments. But the attached trivial patch should do the
> missing portion of terminate_walk().
>
> Al, can you walk us through the rules for what "root.mnt == NULL"
> really means? It's basically used as a flag for whether we've gotten
> the root pointer or not. But it's pretty damn esoteric.
LOOKUP_ROOT: the caller has set nd->root and we shouldn't touch that at all.
!LOOKUP_ROOT: we set nd->root the first time we need / (in the very beginning if it's an absolute pathname, on the first absolute symlink otherwise). In non-RCU mode we hold a reference to it; in RCU mode we do not. As a result, leaving RCU mode should either grab a reference to the damn thing (if we intend to go on) or zero it out.
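The two rules above, and the failure Linus describes, can be made visible with a small constructed model of the reference accounting. This is an added example, not code from fs/namei.c or from anyone in the thread: `struct refobj`, `path_get`, `set_root`, `path_cleanup` and the three `*_walk()` scenario functions are stand-ins whose only purpose is to count references. The LOOKUP_RCU / LOOKUP_ROOT flag values are arbitrary.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the nd->root reference rule discussed in the thread.
 * It is NOT the kernel's code: structs and helpers are simplified stand-ins. */

#define LOOKUP_RCU   0x01   /* walking under rcu_read_lock(), holding no references */
#define LOOKUP_ROOT  0x02   /* caller supplied nd->root; the walk must not touch it */

struct refobj { int count; };                   /* stands in for a refcounted vfsmount or dentry */
struct path { struct refobj *mnt, *dentry; };   /* like struct path: both members are refcounted */
struct nameidata { unsigned flags; struct path root; };

static void path_get(struct path *p) { p->mnt->count++; p->dentry->count++; }

/* path_put with a NULL mnt is a no-op.  A put with no matching get is the
 * "extra path_put()" from the thread: the count drops to zero while the
 * object is still referenced by the filesystem. */
static void path_put(struct path *p)
{
	if (!p->mnt)
		return;
	p->mnt->count--;
	p->dentry->count--;
}

/* !LOOKUP_ROOT: remember "/" the first time it is needed.  Only a non-RCU
 * walk takes a reference; an RCU walk is protected by rcu_read_lock() instead. */
static void set_root(struct nameidata *nd, struct refobj *mnt, struct refobj *dentry)
{
	if (nd->flags & LOOKUP_ROOT)
		return;                         /* caller owns nd->root, hands off */
	nd->root.mnt = mnt;
	nd->root.dentry = dentry;
	if (!(nd->flags & LOOKUP_RCU))
		path_get(&nd->root);
}

/* Leaving RCU mode in order to go on: grab the reference we were not holding. */
static void unlazy_walk(struct nameidata *nd)
{
	if (!(nd->flags & LOOKUP_ROOT) && nd->root.mnt)
		path_get(&nd->root);
	nd->flags &= ~LOOKUP_RCU;
}

/* Leaving RCU mode in order to stop: nothing to drop, so forget the root.
 * clear_root == 0 models the step the thread says was missing. */
static void terminate_walk(struct nameidata *nd, int clear_root)
{
	if (nd->flags & LOOKUP_RCU) {
		nd->flags &= ~LOOKUP_RCU;
		if (!(nd->flags & LOOKUP_ROOT) && clear_root)
			nd->root.mnt = NULL;
	}
}

/* End of every lookup: drop the root reference if we took one ourselves.
 * root.mnt == NULL is the flag that says "nothing to drop". */
static void path_cleanup(struct nameidata *nd)
{
	if (nd->root.mnt && !(nd->flags & LOOKUP_ROOT)) {
		path_put(&nd->root);
		nd->root.mnt = NULL;
	}
}

/* Each scenario starts with one reference held by the filesystem (count == 1)
 * and returns the root mount's count after the walk; 1 means balanced. */
static int rcu_walk_aborted(int clear_root)
{
	struct refobj mnt = {1}, dentry = {1};
	struct nameidata nd = { LOOKUP_RCU, {NULL, NULL} };
	set_root(&nd, &mnt, &dentry);   /* absolute path: root needed at once, no ref in RCU */
	terminate_walk(&nd, clear_root);
	path_cleanup(&nd);
	return mnt.count;               /* 1 if root was zeroed, 0 for the extra put */
}

static int rcu_walk_continued(void)
{
	struct refobj mnt = {1}, dentry = {1};
	struct nameidata nd = { LOOKUP_RCU, {NULL, NULL} };
	set_root(&nd, &mnt, &dentry);
	unlazy_walk(&nd);               /* intend to go on: take the reference now */
	terminate_walk(&nd, 1);         /* non-RCU path: root untouched here */
	path_cleanup(&nd);              /* drops the reference unlazy_walk() took */
	return mnt.count;
}

static int caller_root_walk(void)
{
	struct refobj mnt = {1}, dentry = {1};  /* the single reference belongs to the caller */
	struct nameidata nd = { LOOKUP_ROOT, {&mnt, &dentry} };
	set_root(&nd, &mnt, &dentry);   /* no-op under LOOKUP_ROOT */
	terminate_walk(&nd, 1);
	path_cleanup(&nd);              /* skipped under LOOKUP_ROOT */
	return mnt.count;
}

int main(void)
{
	printf("RCU abort, root zeroed:   count=%d\n", rcu_walk_aborted(1));
	printf("RCU abort, root kept:     count=%d (unbalanced put)\n", rcu_walk_aborted(0));
	printf("RCU then unlazy_walk:     count=%d\n", rcu_walk_continued());
	printf("LOOKUP_ROOT, caller-owned: count=%d\n", caller_root_walk());
	return 0;
}
```

Only the second scenario ends unbalanced: the RCU walk never took a reference, so leaving RCU mode without either taking one (unlazy_walk) or zeroing root.mnt (terminate_walk) lets the final cleanup drop a reference that was never acquired.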