The BUG_ON trace on this is quite interesting, unless I missed something:
* do_path_lookup calls path_init_rcu, which sets the LOOKUP_RCU in nd->flags
* path_walk_rcu doesn't appear on the trace as it's inline, just link_path_walk appears. So link_path_walk is under path_walk_rcu called from do_path_lookup
* now things get better: inside link_path_walk, it actually checks "if (nd->flags & LOOKUP_RCU)", and only under it it executes nameidata_drop_rcu, so the "BUG_ON(!(nd->flags & LOOKUP_RCU))" inside nameidata_drop_rcu shouldn't happen.
Probably the flag is reset at some point under exec_permission, which goes into aufs code, or by something else (other concurrent code).
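
The hypothesis in the comment above, as an added user-space model that is not part of the original comment and is not kernel code: a permission hook clears LOOKUP_RCU between the caller's check and the assertion, and a flag snapshot around the hook attributes the change to it. The names carrying a `_model` suffix, the hook signature taking the nameidata pointer, the `guard` parameter and the numeric flag value are assumptions made for this illustration.

```c
#include <stdio.h>

#define LOOKUP_RCU 0x40u            /* constructed value for this model */

struct nameidata { unsigned int flags; };
typedef int (*perm_hook)(struct nameidata *nd);

/* Well-behaved hook: asks the walker to leave RCU mode, flags untouched. */
int hook_ok(struct nameidata *nd) { (void)nd; return -1; }

/* Hook modelling the hypothesis: clears LOOKUP_RCU behind the walker's back. */
int hook_clobbers(struct nameidata *nd) { nd->flags &= ~LOOKUP_RCU; return -1; }

/* Stand-in for nameidata_drop_rcu: returns 1 where BUG_ON would fire. */
int drop_rcu_model(struct nameidata *nd)
{
    if (!(nd->flags & LOOKUP_RCU))
        return 1;                   /* BUG_ON(!(nd->flags & LOOKUP_RCU)) */
    nd->flags &= ~LOOKUP_RCU;       /* normal transition out of RCU mode */
    return 0;
}

enum walk_result { WALK_OK, WALK_BUG, WALK_HOOK_CLOBBERED };

/* Stand-in for the checked branch in link_path_walk. With guard set, the
 * flags are snapshotted around the hook so a change is pinned on the hook
 * before the assertion is ever reached. */
enum walk_result walk_model(perm_hook hook, int guard)
{
    struct nameidata nd = { .flags = LOOKUP_RCU };  /* as after path_init_rcu */

    if (nd.flags & LOOKUP_RCU) {                    /* the check that passes */
        unsigned int before = nd.flags;
        int err = hook(&nd);                        /* exec_permission step */
        if (guard && ((before ^ nd.flags) & LOOKUP_RCU))
            return WALK_HOOK_CLOBBERED;
        if (err && drop_rcu_model(&nd))
            return WALK_BUG;
    }
    return WALK_OK;
}

int main(void)
{
    printf("ok hook:            %d\n", walk_model(hook_ok, 0));
    printf("clobbering hook:    %d\n", walk_model(hook_clobbers, 0));
    printf("clobbering + guard: %d\n", walk_model(hook_clobbers, 1));
    return 0;
}
```

The snapshot only catches a change made during the hook call on the same thread; a concurrent writer, the other possibility the comment raises, would need a different check.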