bisecting cause commit starting from 5b394b2ddf0347bef56e50c69a58773c94343ff3
building syzkaller on 758cd203cb82b2fd04496478a05650321520c099
testing commit 5b394b2ddf0347bef56e50c69a58773c94343ff3 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: bad unlock balance in ucma_destroy_id
testing release v4.18
testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: bad unlock balance in ucma_destroy_id
testing release v4.17
testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: bad unlock balance in ucma_destroy_id
testing release v4.16
testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda with gcc (GCC) 8.1.0
all runs: crashed: WARNING: bad unlock balance in ucma_destroy_id
testing release v4.15
testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff with gcc (GCC) 8.1.0
all runs: crashed: WARNING: bad unlock balance in ucma_destroy_id
testing release v4.14
testing commit bebc6082da0a9f5d47a1ea2edc099bf671058bd4 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: bad unlock balance in ucma_destroy_id
testing release v4.13
testing commit 569dbb88e80deb68974ef6fdd6a13edb9d686261 with gcc (GCC) 8.1.0
all runs: crashed: WARNING: bad unlock balance in ucma_destroy_id
testing release v4.12
testing commit 6f7da290413ba713f0cdd9ff1a2a9bb129ef4f6c with gcc (GCC) 8.1.0
all runs: crashed: WARNING: bad unlock balance in ucma_destroy_id
testing release v4.11
testing commit a351e9b9fc24e982ec2f0e76379a49826036da12 with gcc (GCC) 7.3.0
all runs: crashed: BUG: bad unlock balance in ucma_destroy_id
testing release v4.10
testing commit c470abd4fde40ea6a0846a2beab642a578c0b8cd with gcc (GCC) 5.5.0
all runs: crashed: BUG: bad unlock balance in ucma_destroy_id
testing release v4.9
testing commit 69973b830859bc6529a7a0468ba0d80ee5117826 with gcc (GCC) 5.5.0
all runs: crashed: BUG: bad unlock balance in mutex_unlock
testing release v4.8
testing commit c8d2bc9bc39ebea8437fd974fdbc21847bb897a3 with gcc (GCC) 5.5.0
all runs: crashed: BUG: bad unlock balance in mutex_unlock
testing release v4.7
testing commit 523d939ef98fd712632d93a5a2b588e477a7565e with gcc (GCC) 5.5.0
all runs: crashed: BUG: bad unlock balance in mutex_unlock
testing release v4.6
testing commit 2dcd0af568b0cf583645c8a317dd12e344b1c72a with gcc (GCC) 5.5.0
all runs: crashed: BUG: bad unlock balance in mutex_unlock
testing release v4.5
testing commit b562e44f507e863c6792946e4e1b1449fbbac85d with gcc (GCC) 5.5.0
all runs: crashed: BUG: bad unlock balance in mutex_unlock
testing release v4.4
testing commit afd2ff9b7e1b367172f18ba7f693dfb62bdcb2dc with gcc (GCC) 5.5.0
all runs: crashed: BUG: bad unlock balance in mutex_unlock
testing release v4.3
testing commit 6a13feb9c82803e2b815eca72fa7a9f5561d7861 with gcc (GCC) 5.5.0
all runs: crashed: BUG: bad unlock balance in mutex_unlock
testing release v4.2
testing commit 64291f7db5bd8150a74ad2036f1037e6a0428df2 with gcc (GCC) 5.5.0
all runs: OK
# git bisect start v4.3 v4.2
Bisecting: 6618 revisions left to test after this (roughly 13 steps)
[807249d3ada1ff28a47c4054ca4edd479421b671] Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus
testing commit 807249d3ada1ff28a47c4054ca4edd479421b671 with gcc (GCC) 5.5.0
all runs: OK
# git bisect good 807249d3ada1ff28a47c4054ca4edd479421b671
Bisecting: 3309 revisions left to test after this (roughly 12 steps)
[26f5d7609f03ad8d6dc552458e4e371a62416b37] list_lru: don't call list_lru_from_kmem if the list_head is empty
testing commit 26f5d7609f03ad8d6dc552458e4e371a62416b37 with gcc (GCC) 5.5.0
all runs: OK
# git bisect good 26f5d7609f03ad8d6dc552458e4e371a62416b37
Bisecting: 1663 revisions left to test after this (roughly 11 steps)
[fadb97b089563da69ba326f9fea6399d071462b2] Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit fadb97b089563da69ba326f9fea6399d071462b2 with gcc (GCC) 5.5.0
all runs: crashed: BUG: bad unlock balance in mutex_unlock
# git bisect bad fadb97b089563da69ba326f9fea6399d071462b2
Bisecting: 822 revisions left to test after this (roughly 10 steps)
[daf0e1ed578f65e8395102549e135887e6661860] Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost
testing commit daf0e1ed578f65e8395102549e135887e6661860 with gcc (GCC) 5.5.0
all runs: crashed: BUG: bad unlock balance in mutex_unlock
# git bisect bad daf0e1ed578f65e8395102549e135887e6661860
Bisecting: 422 revisions left to test after this (roughly 9 steps)
[3af6e98f25d1f68b9c36beee330342944a4e0048] Merge tag 'platform-drivers-x86-v4.3-1' of git://git.infradead.org/users/dvhart/linux-platform-drivers-x86
testing commit 3af6e98f25d1f68b9c36beee330342944a4e0048 with gcc (GCC) 5.5.0
all runs: OK
# git bisect good 3af6e98f25d1f68b9c36beee330342944a4e0048
Bisecting: 214 revisions left to test after this (roughly 8 steps)
[54283aed90c3cf353e2c01a1d1ca853f5eedf92a] Merge tag 'linux-kselftest-4.3-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest
testing commit 54283aed90c3cf353e2c01a1d1ca853f5eedf92a with gcc (GCC) 5.5.0
all runs: OK
# git bisect good 54283aed90c3cf353e2c01a1d1ca853f5eedf92a
Bisecting: 107 revisions left to test after this (roughly 7 steps)
[5a783956c2b90179b852dd58a2ee668f16dfe980] ib_srpt: Remove ib_get_dma_mr calls
testing commit 5a783956c2b90179b852dd58a2ee668f16dfe980 with gcc (GCC) 5.5.0
all runs: OK
# git bisect good 5a783956c2b90179b852dd58a2ee668f16dfe980
Bisecting: 50 revisions left to test after this (roughly 6 steps)
[a794b4f3292160bb3fd0f1f90ec8df454e3b17b3] Merge tag 'for-linus-4.3' of git://git.code.sf.net/p/openipmi/linux-ipmi
testing commit a794b4f3292160bb3fd0f1f90ec8df454e3b17b3 with gcc (GCC) 5.5.0
all runs: OK
# git bisect good a794b4f3292160bb3fd0f1f90ec8df454e3b17b3
Bisecting: 25 revisions left to test after this (roughly 5 steps)
[ce755c9b01e09ee4907cf79bd0f57fa5cf65c4c3] IB/core: Remove unnecessary defines from ib_mad.h
testing commit ce755c9b01e09ee4907cf79bd0f57fa5cf65c4c3 with gcc (GCC) 5.5.0
all runs: crashed: BUG: bad unlock balance in mutex_unlock
# git bisect bad ce755c9b01e09ee4907cf79bd0f57fa5cf65c4c3
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[03c40442a0e66fa52aec6733ea88804fe7d12c77] IB/uverbs: Fix reference counting usage of event files
testing commit 03c40442a0e66fa52aec6733ea88804fe7d12c77 with gcc (GCC) 5.5.0
all runs: OK
# git bisect good 03c40442a0e66fa52aec6733ea88804fe7d12c77
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[ba13b5f8f86efa78bc0aaea297b0001b6cbf6c21] IB/sa: Fix rdma netlink message flags
testing commit ba13b5f8f86efa78bc0aaea297b0001b6cbf6c21 with gcc (GCC) 5.5.0
all runs: crashed: BUG: bad unlock balance in mutex_unlock
# git bisect bad ba13b5f8f86efa78bc0aaea297b0001b6cbf6c21
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[036b10635739ffd030246eedde3d67f724800177] IB/uverbs: Enable device removal when there are active user space applications
testing commit 036b10635739ffd030246eedde3d67f724800177 with gcc (GCC) 5.5.0
all runs: OK
# git bisect good 036b10635739ffd030246eedde3d67f724800177
Bisecting: 0 revisions left to test after this (roughly 1 step)
[e1c30298ccab87151a0c4241fc5985c591598361] IB/ucma: HW Device hot-removal support
testing commit e1c30298ccab87151a0c4241fc5985c591598361 with gcc (GCC) 5.5.0
all runs: crashed: BUG: bad unlock balance in mutex_unlock
# git bisect bad e1c30298ccab87151a0c4241fc5985c591598361
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[ae184ddeca5db6d60ba9067ba1c9e940fa01d400] IB/mlx4_ib: Disassociate support
testing commit ae184ddeca5db6d60ba9067ba1c9e940fa01d400 with gcc (GCC) 5.5.0
all runs: OK
# git bisect good ae184ddeca5db6d60ba9067ba1c9e940fa01d400
e1c30298ccab87151a0c4241fc5985c591598361 is the first bad commit
commit e1c30298ccab87151a0c4241fc5985c591598361
Author: Yishai Hadas <yishaih@mellanox.com>
Date:   Thu Aug 13 18:32:07 2015 +0300

    IB/ucma: HW Device hot-removal support
    
    Currently, IB/cma remove_one flow blocks until all user descriptor managed by
    IB/ucma are released. This prevents hot-removal of IB devices. This patch
    allows IB/cma to remove devices regardless of user space activity. Upon getting
    the RDMA_CM_EVENT_DEVICE_REMOVAL event we close all the underlying HW resources
    for the given ucontext. The ucontext itself is still alive till its explicit
    destroying by its creator.
    
    Running applications at that time will have some zombie device, further
    operations may fail.
    
    Signed-off-by: Yishai Hadas <yishaih@mellanox.com>
    Signed-off-by: Shachar Raindel <raindel@mellanox.com>
    Reviewed-by: Haggai Eran <haggaie@mellanox.com>
    Signed-off-by: Doug Ledford <dledford@redhat.com>

:040000 040000 048ce20dfb1685d967eb1614ab7da2ce4aedfd81 1d3e0ffc0f06e539b6c24a4413d9af89cc7ee973 M	drivers
revisions tested: 32, total time: 5h13m7.743603654s (build: 1h31m14.663104668s, test: 3h33m17.322471693s)
first bad commit: e1c30298ccab87151a0c4241fc5985c591598361 IB/ucma: HW Device hot-removal support
cc: ["dledford@redhat.com" "haggaie@mellanox.com" "raindel@mellanox.com" "yishaih@mellanox.com"]
crash: BUG: bad unlock balance in mutex_unlock
IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
=====================================
[ BUG: bad unlock balance detected! ]
4.2.0-rc8+ #1 Not tainted
-------------------------------------
syz-executor4/6152 is trying to release lock (&file->mut) at:
[<ffffffff8224e0c9>] mutex_unlock+0x9/0x10 kernel/locking/mutex.c:437
but there are no more locks to release!

other info that might help us debug this:
1 lock held by syz-executor4/6152:
 #0:  (&file->mut){+.+.+.}, at: [<ffffffff81c863f9>] ucma_destroy_id+0xf9/0x1d0 drivers/infiniband/core/ucma.c:589

stack backtrace:
CPU: 0 PID: 6152 Comm: syz-executor4 Not tainted 4.2.0-rc8+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffffffff8224e0c9 ffff8800b7857c88 ffffffff82244b96 0000000000000011
 ffff880213efe7c0 ffff8800b7857cb8 ffffffff811b2c60 0000000000000006
 ffff88020f847c60 ffffffff8224e0c9 ffff880213efef38 ffff8800b7857d58
Call Trace:
 [<ffffffff82244b96>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff82244b96>] dump_stack+0x4c/0x65 lib/dump_stack.c:50
 [<ffffffff811b2c60>] print_unlock_imbalance_bug+0xe0/0xf0 kernel/locking/lockdep.c:3259
 [<ffffffff811b7bac>] __lock_release kernel/locking/lockdep.c:3383 [inline]
 [<ffffffff811b7bac>] lock_release+0x36c/0x550 kernel/locking/lockdep.c:3604
 [<ffffffff8224df74>] __mutex_unlock_common_slowpath kernel/locking/mutex.c:735 [inline]
 [<ffffffff8224df74>] __mutex_unlock_slowpath+0x94/0x1e0 kernel/locking/mutex.c:760
 [<ffffffff8224e0c9>] mutex_unlock+0x9/0x10 kernel/locking/mutex.c:437
 [<ffffffff81c8640c>] ucma_destroy_id+0x10c/0x1d0 drivers/infiniband/core/ucma.c:591
 [<ffffffff81c85329>] ucma_write+0x79/0xb0 drivers/infiniband/core/ucma.c:1591
 [<ffffffff812dab83>] __vfs_write+0x23/0xe0 fs/read_write.c:489
 [<ffffffff812db251>] vfs_write+0xa1/0x1a0 fs/read_write.c:538
 [<ffffffff812dbe74>] SYSC_write fs/read_write.c:585 [inline]
 [<ffffffff812dbe74>] SyS_write+0x44/0xa0 fs/read_write.c:577
 [<ffffffff822519f2>] entry_SYSCALL_64_fastpath+0x16/0x7a
------------[ cut here ]------------
WARNING: CPU: 0 PID: 6130 at lib/idr.c:505 idr_remove_warning lib/idr.c:505 [inline]()
WARNING: CPU: 0 PID: 6130 at lib/idr.c:505 idr_remove+0x154/0x240 lib/idr.c:559()
idr_remove called for id=5 which is not allocated.