------------[ cut here ]------------
kernel BUG at [] mm/page_table_check.c:142!
Kernel BUG [#1]
Modules linked in:
CPU: 0 UID: 0 PID: 4487 Comm: syz.0.149 Tainted: G        W           syzkaller #0 PREEMPT 
Tainted: [W]=WARN
Hardware name: riscv-virtio,qemu (DT)
epc : __page_table_check_zero+0x386/0x534 mm/page_table_check.c:142
 ra : __page_table_check_zero+0x386/0x534 mm/page_table_check.c:142
epc : ffffffff80c4e466 ra : ffffffff80c4e466 sp : ffff8f800b757390
 gp : ffffffff8a2739c0 tp : ffffaf8013fc4f80 t0 : ffff8f800b757340
 t1 : fffff5ef02735c09 t2 : ffffffff9164ab80 s0 : ffff8f800b757400
 s1 : ffffaf80139ae048 a0 : 0000000000000005 a1 : 0000000000000000
 a2 : 0000000000000002 a3 : ffffffff80c4e466 a4 : 0000000000000000
 a5 : ffffaf8013fc5f80 a6 : 0000000000000003 a7 : ffffaf80139ae04b
 s2 : 0000000000000001 s3 : 0000000000000000 s4 : ffffaf80139ae000
 s5 : dfffffff00000000 s6 : 00000000000b5600 s7 : 0000000000000200
 s8 : 0000000000000009 s9 : 0000000000007fff s10: fffffffef147217c
 s11: ffffffff8a390be0 t3 : 0000000000000001 t4 : fffff5ef02735c09
 t5 : fffff5ef02735c0a t6 : 0000000000000002 ssp : 0000000000000000
status: 0000000200000120 badaddr: ffffffff80c4e466 cause: 0000000000000003
[<ffffffff80c4e466>] __page_table_check_zero+0x386/0x534 mm/page_table_check.c:142
[<ffffffff80ad399e>] page_table_check_free include/linux/page_table_check.h:46 [inline]
[<ffffffff80ad399e>] __free_pages_prepare mm/page_alloc.c:1403 [inline]
[<ffffffff80ad399e>] free_unref_folios+0xb1e/0x1adc mm/page_alloc.c:3004
[<ffffffff8090314c>] folios_put_refs+0x458/0x7c8 mm/swap.c:1008
[<ffffffff80b1feb8>] free_pages_and_swap_cache+0x278/0x3c0 mm/swap_state.c:404
[<ffffffff80a4637c>] __tlb_batch_free_encoded_pages+0xe4/0x25c mm/mmu_gather.c:138
[<ffffffff80a48f00>] tlb_batch_pages_flush mm/mmu_gather.c:151 [inline]
[<ffffffff80a48f00>] tlb_flush_mmu_free mm/mmu_gather.c:417 [inline]
[<ffffffff80a48f00>] tlb_flush_mmu mm/mmu_gather.c:424 [inline]
[<ffffffff80a48f00>] tlb_finish_mmu+0x188/0x824 mm/mmu_gather.c:549
[<ffffffff80a428fe>] exit_mmap+0x416/0xcc0 mm/mmap.c:1313
[<ffffffff80142b36>] __mmput+0x106/0x3d0 kernel/fork.c:1178
[<ffffffff80142e74>] mmput+0x74/0x88 kernel/fork.c:1201
[<ffffffff801638d6>] exit_mm kernel/exit.c:582 [inline]
[<ffffffff801638d6>] do_exit+0x876/0x2a18 kernel/exit.c:964
[<ffffffff80165ed0>] __do_sys_exit kernel/exit.c:1086 [inline]
[<ffffffff80165ed0>] __se_sys_exit kernel/exit.c:1084 [inline]
[<ffffffff80165ed0>] __riscv_sys_exit+0x48/0x54 kernel/exit.c:1084
[<ffffffff80078f3a>] syscall_handler+0x92/0x114 arch/riscv/include/asm/syscall.h:112
[<ffffffff86469874>] do_trap_ecall_u+0x3e4/0x638 arch/riscv/kernel/traps.c:342
[<ffffffff86494eb0>] handle_exception+0x168/0x174 arch/riscv/kernel/entry.S:232
Code: c7c0 8526 d0ef 88af 8a2a b7a1 0097 ff8d 80e7 c6a0 (9002) 0097 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	c7c0                	sw	s0,12(a5)
   2:	8526                	mv	a0,s1
   4:	88afd0ef          	jal	0xffffffffffffd08e
   8:	8a2a                	mv	s4,a0
   a:	b7a1                	j	0xffffffffffffff52
   c:	ff8d0097          	auipc	ra,0xff8d0
  10:	c6a080e7          	jalr	-918(ra) # 0xff8cfc76
* 14:	9002                	ebreak <-- trapping instruction
  16:	9700                	.short	0x0097