------------[ cut here ]------------
kernel BUG at [] mm/page_table_check.c:118!
Kernel BUG [#1]
Modules linked in:
CPU: 1 UID: 0 PID: 3863 Comm: syz.0.6 Tainted: G        W           syzkaller #0 PREEMPT 
Tainted: [W]=WARN
Hardware name: riscv-virtio,qemu (DT)
epc : page_table_check_set+0x996/0xc38 mm/page_table_check.c:118
 ra : page_table_check_set+0x996/0xc38 mm/page_table_check.c:118
epc : ffffffff80c6978e ra : ffffffff80c6978e sp : ffff8f800a8c6c20
 gp : ffffffff8a24e5c0 tp : ffffaf801a543580 t0 : ffff8f800a8c7540
 t1 : fffff5ef02725809 t2 : ffffffff86a069f0 s0 : ffff8f800a8c6ca0
 s1 : 0000000000000001 a0 : 0000000000000001 a1 : 0000000000000000
 a2 : 0000000000080000 a3 : ffffffff80c6978e a4 : ffff8f80047a35a8
 a5 : 00000000000295a8 a6 : 0000000000000003 a7 : ffffaf801392c04b
 s2 : 00000000000b3c00 s3 : 0000000000000000 s4 : ffffaf801392c000
 s5 : 0000000000000200 s6 : 0000000000000001 s7 : dfffffff00000000
 s8 : 0000000000007fff s9 : ffffffff88a50700 s10: 0000000000000000
 s11: ffffffff8a36bc60 t3 : 0000000000000001 t4 : fffff5ef02725809
 t5 : fffff5ef0272580a t6 : 0000000000000002 ssp : 0000000000000000
status: 0000000200000120 badaddr: ffffffff80c6978e cause: 0000000000000003
[<ffffffff80c6978e>] page_table_check_set+0x996/0xc38 mm/page_table_check.c:118
[<ffffffff80c69ef8>] __page_table_check_ptes_set+0x264/0x47c mm/page_table_check.c:212
[<ffffffff80bf52a6>] page_table_check_ptes_set include/linux/page_table_check.h:83 [inline]
[<ffffffff80bf52a6>] set_ptes arch/riscv/include/asm/pgtable.h:625 [inline]
[<ffffffff80bf52a6>] __split_huge_pmd_locked mm/huge_memory.c:3358 [inline]
[<ffffffff80bf52a6>] split_huge_pmd_locked+0x1e2a/0x2388 mm/huge_memory.c:3376
[<ffffffff80bf5aae>] __split_huge_pmd+0x2aa/0x3d4 mm/huge_memory.c:3390
[<ffffffff80a15c62>] zap_pmd_range mm/memory.c:1989 [inline]
[<ffffffff80a15c62>] zap_pud_range mm/memory.c:2032 [inline]
[<ffffffff80a15c62>] zap_p4d_range mm/memory.c:2053 [inline]
[<ffffffff80a15c62>] __zap_vma_range+0x1e22/0x49f0 mm/memory.c:2093
[<ffffffff80a1fc34>] zap_vma_range_batched+0x2f8/0x58c mm/memory.c:2204
[<ffffffff80a2030c>] zap_vma_range+0xbc/0x108 mm/memory.c:2231
[<ffffffff80b1cca6>] madvise_guard_install+0x30e/0x6a0 mm/madvise.c:1196
[<ffffffff80b24518>] madvise_vma_behavior+0xed4/0x1ea8 mm/madvise.c:1367
[<ffffffff80b25b78>] madvise_walk_vmas+0x68c/0x978 mm/madvise.c:1679
[<ffffffff80b2604e>] madvise_do_behavior+0x1ea/0x5c0 mm/madvise.c:1929
[<ffffffff80b27196>] do_madvise+0x18a/0x22c mm/madvise.c:2022
[<ffffffff80b272c0>] __do_sys_madvise mm/madvise.c:2031 [inline]
[<ffffffff80b272c0>] __se_sys_madvise mm/madvise.c:2029 [inline]
[<ffffffff80b272c0>] __riscv_sys_madvise+0x88/0xdc mm/madvise.c:2029
[<ffffffff80078f3a>] syscall_handler+0x92/0x114 arch/riscv/include/asm/syscall.h:112
[<ffffffff86482108>] do_trap_ecall_u+0x3dc/0x61c arch/riscv/kernel/traps.c:342
[<ffffffff864ad412>] handle_exception+0x15e/0x16a arch/riscv/kernel/entry.S:232
Code: 8097 ff8c 80e7 b9a0 83e3 e004 8097 ff8c 80e7 06e0 (9002) 8097 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	ff8c8097          	auipc	ra,0xff8c8
   4:	b9a080e7          	jalr	-1126(ra) # 0xff8c7b9a
   8:	e00483e3          	beqz	s1,0xfffffffffffffe0e
   c:	ff8c8097          	auipc	ra,0xff8c8
  10:	06e080e7          	jalr	110(ra) # 0xff8c807a
* 14:	9002                	ebreak <-- trapping instruction
  16:	9780                	.short	0x8097