bisecting fixing commit since a35d65bedfbc38cffe2701798cd6810bbdf07892
building syzkaller on 3cd800e43d452c348a66ba475143831d94969a24
testing commit a35d65bedfbc38cffe2701798cd6810bbdf07892
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: edad05d8cb773b5e011f89b46a3a409f7651daed308d221c4ba542dfcb107e54
run #0: crashed: unregister_netdevice: waiting for DEV to become free
run #1: crashed: WARNING: bad unlock balance in mnt_drop_write
run #2: crashed: unregister_netdevice: waiting for DEV to become free
run #3: crashed: WARNING: bad unlock balance in mnt_drop_write
run #4: crashed: unregister_netdevice: waiting for DEV to become free
run #5: crashed: WARNING: bad unlock balance in mnt_drop_write
run #6: crashed: unregister_netdevice: waiting for DEV to become free
run #7: crashed: WARNING: bad unlock balance in mnt_drop_write
run #8: crashed: unregister_netdevice: waiting for DEV to become free
run #9: crashed: unregister_netdevice: waiting for DEV to become free
run #10: crashed: unregister_netdevice: waiting for DEV to become free
run #11: crashed: unregister_netdevice: waiting for DEV to become free
run #12: crashed: unregister_netdevice: waiting for DEV to become free
run #13: crashed: unregister_netdevice: waiting for DEV to become free
run #14: crashed: unregister_netdevice: waiting for DEV to become free
run #15: crashed: unregister_netdevice: waiting for DEV to become free
run #16: crashed: unregister_netdevice: waiting for DEV to become free
run #17: crashed: unregister_netdevice: waiting for DEV to become free
run #18: crashed: unregister_netdevice: waiting for DEV to become free
run #19: crashed: unregister_netdevice: waiting for DEV to become free
testing current HEAD eb045674aab31aa55a4f9aec27cce36e3d946a21
testing commit eb045674aab31aa55a4f9aec27cce36e3d946a21
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 904a682cb260d4afecfb67b324d00aa0845e4388f61175fea8755572f2d98f42
run #0: crashed: WARNING: bad unlock balance in mnt_drop_write
run #1: crashed: WARNING: bad unlock balance in mnt_drop_write
run #2: crashed: WARNING: bad unlock balance in mnt_drop_write
run #3: crashed: unregister_netdevice: waiting for DEV to become free
run #4: crashed: WARNING: bad unlock balance in mnt_drop_write
run #5: crashed: WARNING: bad unlock balance in mnt_drop_write
run #6: crashed: WARNING: bad unlock balance in mnt_drop_write
run #7: crashed: WARNING: bad unlock balance in mnt_drop_write
run #8: crashed: unregister_netdevice: waiting for DEV to become free
run #9: crashed: unregister_netdevice: waiting for DEV to become free
revisions tested: 2, total time: 22m43.710288759s (build: 16m3.691445866s, test: 6m16.424014331s)
the crash still happens on HEAD
commit msg: Linux 4.14.272
crash: unregister_netdevice: waiting for DEV to become free
IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
syz-executor.0 (7949) used greatest stack depth: 24280 bytes left
can: request_module (can-proto-0) failed.
can: request_module (can-proto-0) failed.
can: request_module (can-proto-0) failed.
unregister_netdevice: waiting for ip6gre0 to become free. Usage count = -1
unregister_netdevice: waiting for ip6gre0 to become free. Usage count = -1
overlayfs: failed to create directory ./file1/work (errno: 30); mounting read-only
=====================================
WARNING: bad unlock balance detected!
4.14.272-syzkaller #0 Not tainted
-------------------------------------
syz-executor399/8280 is trying to release lock (sb_writers) at:
[] sb_end_write include/linux/fs.h:1503 [inline]
[] mnt_drop_write+0x36/0x40 fs/namespace.c:532
but there are no more locks to release!
other info that might help us debug this:
1 lock held by syz-executor399/8280:
 #0: (&type->s_umount_key#47/1){+.+.}, at: [] alloc_super fs/super.c:251 [inline]
 #0: (&type->s_umount_key#47/1){+.+.}, at: [] sget_userns+0x429/0xb40 fs/super.c:516
stack backtrace:
CPU: 0 PID: 8280 Comm: syz-executor399 Not tainted 4.14.272-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x14b/0x1e7 lib/dump_stack.c:58
 print_unlock_imbalance_bug kernel/locking/lockdep.c:3552 [inline]
 print_unlock_imbalance_bug.cold.35+0x114/0x123 kernel/locking/lockdep.c:3529
 __lock_release kernel/locking/lockdep.c:3769 [inline]
 lock_release+0x61c/0x820 kernel/locking/lockdep.c:4017
 percpu_up_read_preempt_enable include/linux/percpu-rwsem.h:102 [inline]
 percpu_up_read include/linux/percpu-rwsem.h:108 [inline]
 __sb_end_write+0xa4/0xd0 fs/super.c:1329
 sb_end_write include/linux/fs.h:1503 [inline]
 mnt_drop_write+0x36/0x40 fs/namespace.c:532
 ovl_workdir_create.cold.6+0xea/0xf6 fs/overlayfs/super.c:546
 ovl_fill_super+0xf88/0x28b0 fs/overlayfs/super.c:988
 mount_nodev+0x48/0xe0 fs/super.c:1180
 ovl_mount+0x13/0x20 fs/overlayfs/super.c:1204
 mount_fs+0x7f/0x270 fs/super.c:1237
 vfs_kern_mount.part.9+0x58/0x3c0 fs/namespace.c:1046
 vfs_kern_mount fs/namespace.c:1036 [inline]
 do_new_mount fs/namespace.c:2572 [inline]
 do_mount+0x362/0x25b0 fs/namespace.c:2902
 SYSC_mount fs/namespace.c:3118 [inline]
 SyS_mount+0xb1/0xd0 fs/namespace.c:3095
 do_syscall_64+0x1c7/0x5b0 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7f2801f95c19
RSP: 002b:0