bisecting cause commit starting from 73fcb1a370c76b202d406e95d9dabb76eaccf484
building syzkaller on 849705db5cd36907fecfb80a4e3339542033b11e
testing commit 73fcb1a370c76b202d406e95d9dabb76eaccf484 with gcc (GCC) 8.1.0
kernel signature: 767e9e6524007621a2a18b050212b02230429ba1
all runs: crashed: WARNING: bad unlock balance in ucma_event_handler
testing release v4.16
testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda with gcc (GCC) 8.1.0
kernel signature: 34b465075b98dc9a78d3ab05444662f21177960b
all runs: crashed: WARNING: bad unlock balance in ucma_event_handler
testing release v4.15
testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff with gcc (GCC) 8.1.0
kernel signature: d83d19dd725e5cf3e0528b2bfc190e3a7c90a504
all runs: crashed: WARNING: bad unlock balance in ucma_event_handler
testing release v4.14
testing commit bebc6082da0a9f5d47a1ea2edc099bf671058bd4 with gcc (GCC) 8.1.0
kernel signature: d9bcf932a464b210ba5fc4823ce85ed6f5fd9297
all runs: crashed: WARNING: bad unlock balance in ucma_event_handler
testing release v4.13
testing commit 569dbb88e80deb68974ef6fdd6a13edb9d686261 with gcc (GCC) 8.1.0
kernel signature: b8951bf048d3b643188986e89f339ae49e0ee5f2
all runs: crashed: WARNING: bad unlock balance in ucma_event_handler
testing release v4.12
testing commit 6f7da290413ba713f0cdd9ff1a2a9bb129ef4f6c with gcc (GCC) 8.1.0
kernel signature: a174bc76cfb72336ce8c85ac05d19809f267a80b
all runs: crashed: WARNING: bad unlock balance in ucma_event_handler
testing release v4.11
testing commit a351e9b9fc24e982ec2f0e76379a49826036da12 with gcc (GCC) 7.3.0
kernel signature: c54cc790c41d599fea77945c433741afb65e1fc7
all runs: crashed: BUG: bad unlock balance in ucma_event_handler
testing release v4.10
testing commit c470abd4fde40ea6a0846a2beab642a578c0b8cd with gcc (GCC) 5.5.0
kernel signature: bf7fcc93ca81cf1ee0efa66630f9ff2a40146aca
all runs: crashed: BUG: bad unlock balance in ucma_event_handler
testing release v4.9
testing commit 69973b830859bc6529a7a0468ba0d80ee5117826 with gcc (GCC) 5.5.0
kernel signature: 9e69f8cc18ef518d24b388964e98aebfa7885587
all runs: crashed: BUG: bad unlock balance in mutex_unlock
testing release v4.8
testing commit c8d2bc9bc39ebea8437fd974fdbc21847bb897a3 with gcc (GCC) 5.5.0
kernel signature: 175e4e76e99cd1304e59412320636f88f95bd0cd
all runs: crashed: BUG: bad unlock balance in mutex_unlock
testing release v4.7
testing commit 523d939ef98fd712632d93a5a2b588e477a7565e with gcc (GCC) 5.5.0
kernel signature: 02100aff88ab58a0ea7705a6cd16343b888f0cc7
all runs: crashed: BUG: bad unlock balance in mutex_unlock
testing release v4.6
testing commit 2dcd0af568b0cf583645c8a317dd12e344b1c72a with gcc (GCC) 5.5.0
kernel signature: 028af449b9adb8a1210dc609336b80ffff21f536
all runs: crashed: BUG: bad unlock balance in mutex_unlock
testing release v4.5
testing commit b562e44f507e863c6792946e4e1b1449fbbac85d with gcc (GCC) 5.5.0
kernel signature: 0645a621d52adedf79e0f94de901c8cf0fd4a030
all runs: crashed: BUG: bad unlock balance in mutex_unlock
testing release v4.4
testing commit afd2ff9b7e1b367172f18ba7f693dfb62bdcb2dc with gcc (GCC) 5.5.0
kernel signature: 96d43b24da584fb7494fab1e087e6119f3cbc538
all runs: crashed: BUG: bad unlock balance in mutex_unlock
testing release v4.3
testing commit 6a13feb9c82803e2b815eca72fa7a9f5561d7861 with gcc (GCC) 5.5.0
kernel signature: fb84f3c8cba75e9ff015caa6922233a47e7e963a
all runs: crashed: BUG: bad unlock balance in mutex_unlock
testing release v4.2
testing commit 64291f7db5bd8150a74ad2036f1037e6a0428df2 with gcc (GCC) 5.5.0
kernel signature: c7d0a6bdf0e32563d4b8bded6847ffd0f3275d70
all runs: crashed: BUG: bad unlock balance in mutex_unlock
testing release v4.1
testing commit b953c0d234bc72e8489d3bf51a276c5c4ec85345 with gcc (GCC) 5.5.0
kernel signature: 82bc80d02952672d538bd1cf2e91d92a4ccce38d
all runs: crashed: possible deadlock in ucma_migrate_id
revisions tested: 17, total time: 2h2m27.210298877s (build: 1h3m22.398807485s, test: 54m2.345236171s)
the crash already happened on the oldest tested release
commit msg: Linux 4.1
crash: possible deadlock in ucma_migrate_id
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
=============================================
[ INFO: possible recursive locking detected ]
4.1.0-syzkaller #0 Not tainted
---------------------------------------------
syz-executor/5451 is trying to acquire lock:
 (&file->mut){+.+.+.}, at: [<ffffffff81e93de2>] ucma_lock_files drivers/infiniband/core/ucma.c:1370 [inline]
 (&file->mut){+.+.+.}, at: [<ffffffff81e93de2>] ucma_migrate_id+0x1d2/0x250 drivers/infiniband/core/ucma.c:1433

but task is already holding lock:
 (&file->mut){+.+.+.}, at: [<ffffffff81e93dd8>] ucma_lock_files drivers/infiniband/core/ucma.c:1369 [inline]
 (&file->mut){+.+.+.}, at: [<ffffffff81e93dd8>] ucma_migrate_id+0x1c8/0x250 drivers/infiniband/core/ucma.c:1433

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&file->mut);
  lock(&file->mut);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

1 lock held by syz-executor/5451:
 #0:  (&file->mut){+.+.+.}, at: [<ffffffff81e93dd8>] ucma_lock_files drivers/infiniband/core/ucma.c:1369 [inline]
 #0:  (&file->mut){+.+.+.}, at: [<ffffffff81e93dd8>] ucma_migrate_id+0x1c8/0x250 drivers/infiniband/core/ucma.c:1433

stack backtrace:
CPU: 1 PID: 5451 Comm: syz-executor Not tainted 4.1.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffffffff83977040 ffff8800b755bb78 ffffffff8247bc7b 0000000000000011
 ffffffff83977040 ffff8800b755bc48 ffffffff811c0c8d 000000000000c3f0
 ffffffff8388b7b0 ffff8800b755bc68 ffffffff00000000 ffff8802134bf100
Call Trace:
 [<ffffffff8247bc7b>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff8247bc7b>] dump_stack+0x4c/0x65 lib/dump_stack.c:50
 [<ffffffff811c0c8d>] print_deadlock_bug kernel/locking/lockdep.c:1752 [inline]
 [<ffffffff811c0c8d>] check_deadlock kernel/locking/lockdep.c:1796 [inline]
 [<ffffffff811c0c8d>] validate_chain kernel/locking/lockdep.c:2128 [inline]
 [<ffffffff811c0c8d>] __lock_acquire+0x1add/0x1c70 kernel/locking/lockdep.c:3205
 [<ffffffff811c18e0>] lock_acquire+0xe0/0x2f0 kernel/locking/lockdep.c:3623
 [<ffffffff82487bc0>] __mutex_lock_common kernel/locking/mutex.c:518 [inline]
 [<ffffffff82487bc0>] mutex_lock_nested+0x60/0x5c0 kernel/locking/mutex.c:617
 [<ffffffff81e93de2>] ucma_lock_files drivers/infiniband/core/ucma.c:1370 [inline]
 [<ffffffff81e93de2>] ucma_migrate_id+0x1d2/0x250 drivers/infiniband/core/ucma.c:1433
 [<ffffffff81e9361d>] ucma_write+0x6d/0xc0 drivers/infiniband/core/ucma.c:1505
 [<ffffffff812eafd3>] __vfs_write+0x23/0x100 fs/read_write.c:489
 [<ffffffff812eb6e1>] vfs_write+0xa1/0x1c0 fs/read_write.c:538
 [<ffffffff812ec384>] SYSC_write fs/read_write.c:585 [inline]
 [<ffffffff812ec384>] SyS_write+0x44/0xb0 fs/read_write.c:577
 [<ffffffff8248c1f2>] system_call_fastpath+0x16/0x7a
cfg80211: Calling CRDA to update world regulatory domain
cfg80211: Calling CRDA to update world regulatory domain
bridge0: port 2(bridge_slave_1) entered forwarding state
bridge0: port 1(bridge_slave_0) entered forwarding state
cfg80211: Exceeded CRDA call max attempts. Not calling CRDA