bisecting fixing commit since ca16eb342ebedbf3bb1d8450048fe428895b0b65
building syzkaller on e30d3b524053cf8d688a1f486a5cde9b67d49e87
testing commit ca16eb342ebedbf3bb1d8450048fe428895b0b65 with gcc (GCC) 8.1.0
kernel signature: 4c711c9fd77f7d1adbe000563a523b8d84e3d8a8
run #0: crashed: KASAN: use-after-free Read in cma_port
run #1: crashed: KASAN: use-after-free Read in cma_port
run #2: crashed: KASAN: use-after-free Read in cma_alloc_port
run #3: crashed: KASAN: use-after-free Read in cma_port
run #4: crashed: KASAN: use-after-free Read in cma_port
run #5: crashed: KASAN: use-after-free Read in cma_port
run #6: crashed: KASAN: use-after-free Read in cma_port
run #7: crashed: KASAN: use-after-free Read in cma_port
run #8: crashed: KASAN: use-after-free Read in cma_port
run #9: crashed: KASAN: use-after-free Read in cma_port
testing current HEAD 6794862a16ef41f753abd75c03a152836e4c8028
testing commit 6794862a16ef41f753abd75c03a152836e4c8028 with gcc (GCC) 8.1.0
kernel signature: 73838e4a993e2c79de96797d4d5bc14c59000102
all runs: crashed: WARNING: bad unlock balance in ucma_event_handler
revisions tested: 2, total time: 20m47.226795032s (build: 9m28.020449437s, test: 10m25.218890099s)
the crash still happens on HEAD
commit msg: Merge tag 'for-5.5-rc1-kconfig-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux
crash: WARNING: bad unlock balance in ucma_event_handler

=====================================
WARNING: bad unlock balance detected!
5.5.0-rc1-syzkaller #0 Not tainted
-------------------------------------
kworker/u4:0/7 is trying to release lock (&file->mut) at:
[] ucma_event_handler+0x675/0xf90 drivers/infiniband/core/ucma.c:389
but there are no more locks to release!

other info that might help us debug this:
4 locks held by kworker/u4:0/7:
 #0: ffff8881d56a5928 ((wq_completion)ib_addr){+.+.}, at: __write_once_size include/linux/compiler.h:226 [inline]
 #0: ffff8881d56a5928 ((wq_completion)ib_addr){+.+.}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: ffff8881d56a5928 ((wq_completion)ib_addr){+.+.}, at: atomic64_set include/asm-generic/atomic-instrumented.h:855 [inline]
 #0: ffff8881d56a5928 ((wq_completion)ib_addr){+.+.}, at: atomic_long_set include/asm-generic/atomic-long.h:40 [inline]
 #0: ffff8881d56a5928 ((wq_completion)ib_addr){+.+.}, at: set_work_data kernel/workqueue.c:615 [inline]
 #0: ffff8881d56a5928 ((wq_completion)ib_addr){+.+.}, at: set_work_pool_and_clear_pending kernel/workqueue.c:642 [inline]
 #0: ffff8881d56a5928 ((wq_completion)ib_addr){+.+.}, at: process_one_work+0x76f/0x15d0 kernel/workqueue.c:2235
 #1: ffff8881da2ffdf0 ((work_completion)(&(&req->work)->work)){+.+.}, at: process_one_work+0x79f/0x15d0 kernel/workqueue.c:2239
 #2: ffff8881c7140390 (&id_priv->handler_mutex){+.+.}, at: addr_handler+0xac/0x300 drivers/infiniband/core/cma.c:3059
 #3: ffff8881bcf81260 (&file->mut){+.+.}, at: ucma_event_handler+0xa8/0xf90 drivers/infiniband/core/ucma.c:349

stack backtrace:
CPU: 0 PID: 7 Comm: kworker/u4:0 Not tainted 5.5.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: ib_addr process_one_req
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x12f/0x187 lib/dump_stack.c:118
 print_unlock_imbalance_bug.cold.53+0x114/0x123 kernel/locking/lockdep.c:4008
 __lock_release kernel/locking/lockdep.c:4242 [inline]
 lock_release+0x5f6/0x900 kernel/locking/lockdep.c:4503
 __mutex_unlock_slowpath+0x87/0x6a0 kernel/locking/mutex.c:1231
 mutex_unlock+0x1b/0x30 kernel/locking/mutex.c:743
 ucma_event_handler+0x675/0xf90 drivers/infiniband/core/ucma.c:389
 addr_handler+0x23a/0x300 drivers/infiniband/core/cma.c:3092
 process_one_req+0xdf/0x610 drivers/infiniband/core/addr.c:643
 process_one_work+0x852/0x15d0 kernel/workqueue.c:2264
 worker_thread+0x81/0xb80 kernel/workqueue.c:2410
 kthread+0x334/0x3f0 kernel/kthread.c:255
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
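The lockdep report above says the worker is releasing a &file->mut instance that is not in its held_locks list, even though a &file->mut instance (ffff8881bcf81260, taken at ucma.c:349) is still recorded as held by the same task: the mutex being unlocked at ucma.c:389 is therefore a different instance of the same lock class from the one acquired. The C block below is an added illustration, not code from the kernel, from syzbot or from this report. It is a toy model of lockdep's per-task held_locks bookkeeping and the check behind "bad unlock balance detected!", driven by one constructed scenario (an owning pointer re-read between lock and unlock) that reproduces exactly that symptom, beside the pinned-pointer pattern that does not. The scenario, the struct and function names, and the sample values are assumptions for illustration and are not a claim about the actual root cause of this crash.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration: a toy model of lockdep's per-task held_locks list and
 * the check behind "bad unlock balance detected!". This is not kernel code. */

#define MAX_HELD 8

struct toy_mutex {
    const char *name;
};

struct task_locks {
    struct toy_mutex *held[MAX_HELD]; /* like lockdep's task->held_locks */
    int depth;                        /* like lockdep_depth */
    int imbalance;                    /* releases that matched no held lock */
};

static void toy_lock(struct task_locks *t, struct toy_mutex *m)
{
    if (t->depth < MAX_HELD)
        t->held[t->depth++] = m;
}

/* Mirrors what __lock_release checks: search held_locks for this exact
 * instance and drop it. If it is absent, the task is releasing a lock it
 * never acquired, or acquired a different instance of the same class. */
static int toy_unlock(struct task_locks *t, struct toy_mutex *m)
{
    for (int i = t->depth - 1; i >= 0; i--) {
        if (t->held[i] != m)
            continue;
        memmove(&t->held[i], &t->held[i + 1],
                (size_t)(t->depth - i - 1) * sizeof(t->held[0]));
        t->depth--;
        return 0;
    }
    t->imbalance++;
    return -1; /* "but there are no more locks to release!" */
}

/* Constructed scenario (an assumption, not the reported bug's root cause):
 * a context whose owning 'file' pointer can be swapped by another path
 * while a handler holds file->mut. */
struct toy_file {
    struct toy_mutex mut;
};

struct toy_ctx {
    struct toy_file *file;
};

/* Buggy pattern: re-reads ctx->file for the unlock. If the pointer changed
 * in between, the unlock targets a different mutex instance. */
static int handler_reread(struct task_locks *t, struct toy_ctx *c,
                          struct toy_file *new_file)
{
    toy_lock(t, &c->file->mut);
    c->file = new_file;                 /* models the concurrent reassignment */
    return toy_unlock(t, &c->file->mut);
}

/* Hardened pattern: pin the pointer once; unlock exactly what was locked. */
static int handler_pinned(struct task_locks *t, struct toy_ctx *c,
                          struct toy_file *new_file)
{
    struct toy_file *f = c->file;
    toy_lock(t, &f->mut);
    c->file = new_file;
    return toy_unlock(t, &f->mut);
}

/* Each scenario returns how many imbalances the tracker recorded and, via
 * *leaked, how many locks are still recorded as held afterwards. */
static int run_reread_scenario(int *leaked)
{
    struct task_locks t = { { NULL }, 0, 0 };
    struct toy_file a = { { "file_a->mut" } }, b = { { "file_b->mut" } };
    struct toy_ctx c = { &a };

    handler_reread(&t, &c, &b);
    *leaked = t.depth; /* file_a->mut stays "held", like lock #3 in the report */
    return t.imbalance;
}

static int run_pinned_scenario(int *leaked)
{
    struct task_locks t = { { NULL }, 0, 0 };
    struct toy_file a = { { "file_a->mut" } }, b = { { "file_b->mut" } };
    struct toy_ctx c = { &a };

    handler_pinned(&t, &c, &b);
    *leaked = t.depth;
    return t.imbalance;
}

int main(void)
{
    int leaked;
    int bad = run_reread_scenario(&leaked);
    printf("re-read pattern: %d imbalance(s), %d lock(s) left held\n", bad, leaked);
    bad = run_pinned_scenario(&leaked);
    printf("pinned pattern:  %d imbalance(s), %d lock(s) left held\n", bad, leaked);
    return 0;
}
```

The re-read scenario reproduces the two facts visible in the report at once: the release is rejected, and the originally acquired instance remains in the held list. When reading a real lockdep splat of this kind, compare the address of the instance in the "locks held" list against the one being released and check whether the pointer chain used to reach the mutex can change between the lock and the unlock.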