Re: [syzbot] [mm?] WARNING in swap_cache_get_folio
From: Kairui Song
Date: Tue Nov 11 2025 - 11:18:31 EST
On Tue, Nov 11, 2025 at 11:33 PM syzbot
<syzbot+d7bc9ec4a100437aa7a2@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: ab40c92c74c6 Add linux-next specific files for 20251110
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=17f69a58580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=84a798f69f994783
> dashboard link: https://syzkaller.appspot.com/bug?extid=d7bc9ec4a100437aa7a2
> compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/34ed0f0c2fd0/disk-ab40c92c.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/a781fa106d0c/vmlinux-ab40c92c.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/367c75242dc9/bzImage-ab40c92c.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+d7bc9ec4a100437aa7a2@xxxxxxxxxxxxxxxxxxxxxxxxx
>
> ------------[ cut here ]------------
> WARNING: mm/swap.h:87 at __swap_offset_to_cluster mm/swap.h:87 [inline], CPU#0: swapoff/15184
> WARNING: mm/swap.h:87 at __swap_entry_to_cluster mm/swap.h:93 [inline], CPU#0: swapoff/15184
> WARNING: mm/swap.h:87 at swap_cache_get_folio+0x365/0x530 mm/swap_state.c:94, CPU#0: swapoff/15184
> Modules linked in:
> CPU: 0 UID: 0 PID: 15184 Comm: swapoff Not tainted syzkaller #0 PREEMPT(full)
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
> RIP: 0010:__swap_offset_to_cluster mm/swap.h:87 [inline]
> RIP: 0010:__swap_entry_to_cluster mm/swap.h:93 [inline]
> RIP: 0010:swap_cache_get_folio+0x365/0x530 mm/swap_state.c:94
> Call Trace:
> <TASK>
> unuse_pte_range mm/swapfile.c:2282 [inline]
Hmm, I think this might also be related to the recent soft leaf entry
changes: unuse_pte_range calls leafent_from_pte and passes the entry
from it to swap_cache_get_folio. In V2/V1 of softleaf (which is being
tested here) leafent_from_pte returns an invalid entry if the process
exit / unmap raced with swapoff.
The recent swap table series added some sanity checks and triggers a
WARN if the entry is invalid, so we are seeing this. Softleaf v3 might
have fixed it.
Just guessing for now. I'll also try to review the code again in case I
missed anything...