audit: type=1400 audit(1546721914.327:12332): avc:  denied  { map } for  pid=7625 comm="blkid" path="/lib/x86_64-linux-gnu/libc-2.13.so" dev="sda1" ino=2784 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
======================================================
WARNING: possible circular locking dependency detected
4.14.91+ #3 Not tainted
------------------------------------------------------
audit: type=1400 audit(1546721914.357:12333): avc:  denied  { map } for  pid=7625 comm="blkid" path="/lib/x86_64-linux-gnu/libuuid.so.1.3.0" dev="sda1" ino=2819 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
syz-executor3/7653 is trying to acquire lock:
 (cpu_hotplug_lock.rw_sem){++++}, at: [<ffffffffb0c5b67a>] get_online_cpus include/linux/cpu.h:138 [inline]
 (cpu_hotplug_lock.rw_sem){++++}, at: [<ffffffffb0c5b67a>] lru_add_drain_all+0xa/0x20 mm/swap.c:729

but task is already holding lock:
 (&sb->s_type->i_mutex_key#10){+.+.}, at: [<ffffffffb0c7c9db>] inode_lock include/linux/fs.h:715 [inline]
 (&sb->s_type->i_mutex_key#10){+.+.}, at: [<ffffffffb0c7c9db>] shmem_add_seals+0x12b/0x1150 mm/shmem.c:2829

which lock already depends on the new lock.

audit: type=1400 audit(1546721914.357:12334): avc:  denied  { map } for  pid=7625 comm="blkid" path="/lib/x86_64-linux-gnu/libuuid.so.1.3.0" dev="sda1" ino=2819 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1

the existing dependency chain (in reverse order) is:

-> #5 (&sb->s_type->i_mutex_key#10){+.+.}:

-> #4 (ashmem_mutex){+.+.}:

-> #3 (&mm->mmap_sem){++++}:

-> #2 (&cpuctx_mutex){+.+.}:

-> #1 (pmus_lock){+.+.}:

-> #0 (cpu_hotplug_lock.rw_sem){++++}:

other info that might help us debug this:

Chain exists of:
  cpu_hotplug_lock.rw_sem --> ashmem_mutex --> &sb->s_type->i_mutex_key#10

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&sb->s_type->i_mutex_key#10);
                               lock(ashmem_mutex);
                               lock(&sb->s_type->i_mutex_key#10);
  lock(cpu_hotplug_lock.rw_sem);

 *** DEADLOCK ***

1 lock held by syz-executor3/7653:
 #0:  (&sb->s_type->i_mutex_key#10){+.+.}, at: [<ffffffffb0c7c9db>] inode_lock include/linux/fs.h:715 [inline]
 #0:  (&sb->s_type->i_mutex_key#10){+.+.}, at: [<ffffffffb0c7c9db>] shmem_add_seals+0x12b/0x1150 mm/shmem.c:2829

stack backtrace:
CPU: 0 PID: 7653 Comm: syz-executor3 Not tainted 4.14.91+ #3
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xb9/0x10e lib/dump_stack.c:53
 print_circular_bug.isra.0.cold+0x2dc/0x425 kernel/locking/lockdep.c:1258
binder: 7691:7693 ioctl c018620b 0 returned -14
binder: 7691:7693 unknown command 0
binder: 7691:7693 ioctl c0306201 20000100 returned -22
SELinux: ebitmap: map size 1758852527 does not match my size 64 (high bit was 367132672)
SELinux: failed to load policy
SELinux: ebitmap: map size 1758852527 does not match my size 64 (high bit was 367132672)
SELinux: failed to load policy
binder_alloc: binder_alloc_mmap_handler: 7691 20001000-20004000 already mapped failed -16
binder: 7691:7701 ioctl c018620b 0 returned -14
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7691:7741 ioctl 40046207 0 returned -16
binder_alloc: 7691: binder_alloc_buf, no vma
binder: 7691:7742 transaction failed 29189/-3, size 24-8 line 3135
binder: 7691:7701 BC_INCREFS_DONE u0000000000000000 no match
binder: 7691:7693 unknown command 0
binder: 7691:7693 ioctl c0306201 20000100 returned -22
binder: 7691:7693 BC_ACQUIRE_DONE u0000000000000000 no match
binder: release 7691:7701 transaction 22 out, still active
binder: send failed reply for transaction 22, target dead
binder: 7750:7755 ioctl c018620b 0 returned -14
binder: 7750:7755 unknown command 0
binder: 7750:7755 ioctl c0306201 20000100 returned -22
binder: release 7750:7761 transaction 27 out, still active
binder: send failed reply for transaction 27, target dead
binder: 7788:7794 ioctl c018620b 0 returned -14
binder: 7788:7794 unknown command 0
binder: 7788:7794 ioctl c0306201 20000100 returned -22
binder: send failed reply for transaction 31 to 7788:7799
binder: undelivered TRANSACTION_ERROR: 29189
binder: 7828:7834 ioctl c018620b 0 returned -14
kauditd_printk_skb: 298 callbacks suppressed
audit: type=1400 audit(1546721919.247:12633): avc:  denied  { map } for  pid=7846 comm="blkid" path="/lib/x86_64-linux-gnu/libc-2.13.so" dev="sda1" ino=2784 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
binder: 7853:7855 ioctl c018620b 0 returned -14
audit: type=1400 audit(1546721919.247:12634): avc:  denied  { map } for  pid=7846 comm="blkid" path="/lib/x86_64-linux-gnu/libuuid.so.1.3.0" dev="sda1" ino=2819 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7853:7874 BC_INCREFS_DONE u0000000000000000 no match
binder: 7853:7872 unknown command 0
binder: 7853:7861 ioctl 40046207 0 returned -16
binder: 7853:7872 ioctl c0306201 20000100 returned -22
audit: type=1400 audit(1546721919.297:12635): avc:  denied  { map } for  pid=7853 comm="syz-executor4" path="/dev/binder0" dev="devtmpfs" ino=5417 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
audit: type=1400 audit(1546721919.357:12636): avc:  denied  { map } for  pid=7856 comm="modprobe" path="/bin/kmod" dev="sda1" ino=1440 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: type=1400 audit(1546721919.357:12637): avc:  denied  { map } for  pid=7856 comm="modprobe" path="/bin/kmod" dev="sda1" ino=1440 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: type=1400 audit(1546721919.367:12638): avc:  denied  { map } for  pid=7856 comm="modprobe" path="/lib/x86_64-linux-gnu/ld-2.13.so" dev="sda1" ino=2668 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
binder: 7888:7892 ioctl c018620b 0 returned -14
audit: type=1400 audit(1546721919.367:12639): avc:  denied  { map } for  pid=7856 comm="modprobe" path="/lib/x86_64-linux-gnu/ld-2.13.so" dev="sda1" ino=2668 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7888:7898 ioctl 40046207 0 returned -16
audit: type=1400 audit(1546721919.377:12640): avc:  denied  { map } for  pid=7856 comm="modprobe" path="/etc/ld.so.cache" dev="sda1" ino=2503 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
binder: 7888:7904 BC_INCREFS_DONE node 42 has no pending increfs request
binder: 7888:7898 unknown command 0
binder: 7888:7898 ioctl c0306201 20000100 returned -22
binder: 7888:7904 BC_ACQUIRE_DONE node 42 has no pending acquire request
binder: release 7888:7892 transaction 41 out, still active
audit: type=1400 audit(1546721919.397:12641): avc:  denied  { map } for  pid=7856 comm="modprobe" path="/lib/x86_64-linux-gnu/libkmod.so.2.1.3" dev="sda1" ino=2811 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: type=1400 audit(1546721919.397:12642): avc:  denied  { map } for  pid=7856 comm="modprobe" path="/lib/x86_64-linux-gnu/libkmod.so.2.1.3" dev="sda1" ino=2811 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
binder: 7917:7918 ioctl c018620b 0 returned -14
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7917:7925 ioctl 40046207 0 returned -16
binder: 7917:7918 unknown command 0
binder: 7917:7918 ioctl c0306201 20000100 returned -22
binder: release 7917:7925 transaction 44 out, still active
binder: 7971:7974 ioctl c018620b 0 returned -14
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7971:7981 ioctl 40046207 0 returned -16
binder: 7971:7974 unknown command 0
binder: 7971:7974 ioctl c0306201 20000100 returned -22
binder: release 7971:7985 transaction 47 out, still active
binder: 8009:8014 ioctl c018620b 0 returned -14
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8009:8021 ioctl 40046207 0 returned -16
binder: 8009:8014 unknown command 0
binder: 8009:8014 ioctl c0306201 20000100 returned -22
binder: release 8009:8025 transaction 50 out, still active
binder: 8053:8058 ioctl c018620b 0 returned -14
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8053:8064 ioctl 40046207 0 returned -16
binder: 8053:8058 unknown command 0
binder: 8053:8058 ioctl c0306201 20000100 returned -22
binder: release 8053:8058 transaction 53 out, still active
binder: 8090:8095 ioctl c018620b 0 returned -14
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8090:8102 ioctl 40046207 0 returned -16
kauditd_printk_skb: 376 callbacks suppressed
audit: type=1400 audit(1546721924.287:13019): avc:  denied  { map } for  pid=8118 comm="blkid" path="/sbin/blkid" dev="sda1" ino=16128 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: type=1400 audit(1546721924.307:13020): avc:  denied  { map } for  pid=8120 comm="blkid" path="/sbin/blkid" dev="sda1" ino=16128 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: type=1400 audit(1546721924.307:13021): avc:  denied  { map } for  pid=8120 comm="blkid" path="/lib/x86_64-linux-gnu/libblkid.so.1.1.0" dev="sda1" ino=2825 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
binder: release 8090:8104 transaction 56 out, still active
audit: type=1400 audit(1546721924.687:13022): avc:  denied  { map_create } for  pid=8123 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
binder: 8126:8132 ioctl c018620b 0 returned -14
audit: type=1400 audit(1546721924.707:13023): avc:  denied  { map } for  pid=8126 comm="syz-executor4" path="/dev/binder0" dev="devtmpfs" ino=5417 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8126:8136 ioctl 40046207 0 returned -16
audit: type=1400 audit(1546721924.717:13024): avc:  denied  { map_read map_write } for  pid=8123 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
audit: type=1400 audit(1546721924.797:13025): avc:  denied  { map } for  pid=8135 comm="blkid" path="/sbin/blkid" dev="sda1" ino=16128 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: type=1400 audit(1546721924.807:13026): avc:  denied  { map } for  pid=8135 comm="blkid" path="/sbin/blkid" dev="sda1" ino=16128 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: type=1400 audit(1546721924.807:13027): avc:  denied  { map } for  pid=8135 comm="blkid" path="/lib/x86_64-linux-gnu/ld-2.13.so" dev="sda1" ino=2668 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: type=1400 audit(1546721924.807:13028): avc:  denied  { map } for  pid=8135 comm="blkid" path="/lib/x86_64-linux-gnu/ld-2.13.so" dev="sda1" ino=2668 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1