------------[ cut here ]------------
kernel BUG at mm/page_table_check.c:118!
Kernel BUG [#1]
Modules linked in:
CPU: 0 UID: 0 PID: 6368 Comm: syz.2.591 Not tainted syzkaller #0 PREEMPT 
Hardware name: riscv-virtio,qemu (DT)
epc : page_table_check_set+0xb10/0xe7c mm/page_table_check.c:118
 ra : page_table_check_set+0xb10/0xe7c mm/page_table_check.c:118
epc : ffffffff80bd0b80 ra : ffffffff80bd0b80 sp : ffff8f8003287210
 gp : ffffffff89ea12a0 tp : ffffaf801c6f3480 t0 : ffff8f80032877b8
 t1 : fffff5ef026ad009 t2 : ffffffff86a06930 s0 : ffff8f8003287290
 s1 : 0000000000000001 a0 : 0000000000000001 a1 : 0000000000000000
 a2 : 0000000000080000 a3 : ffffffff80bd0b80 a4 : ffff8f800e8f6af0
 a5 : 000000000002caf0 a6 : 0000000000000003 a7 : ffffaf801356804b
 s2 : 00000000000b4800 s3 : 0000000000000000 s4 : ffffaf8013568000
 s5 : 0000000000000200 s6 : 0000000000000001 s7 : dfffffff00000000
 s8 : 0000000000007fff s9 : fffffffef13f6d0c s10: 0000000000000000
 s11: ffffffff89fb6860 t3 : df02f48200000000 t4 : fffff5ef026ad009
 t5 : fffff5ef026ad00a t6 : 0000000000000002
status: 0000000200000120 badaddr: ffffffff80bd0b80 cause: 0000000000000003
[<ffffffff80bd0b80>] page_table_check_set+0xb10/0xe7c mm/page_table_check.c:118
[<ffffffff80bd1104>] __page_table_check_ptes_set+0x218/0x296 mm/page_table_check.c:209
[<ffffffff80b5a67c>] page_table_check_ptes_set include/linux/page_table_check.h:76 [inline]
[<ffffffff80b5a67c>] set_ptes arch/riscv/include/asm/pgtable.h:564 [inline]
[<ffffffff80b5a67c>] __split_huge_pmd_locked mm/huge_memory.c:3045 [inline]
[<ffffffff80b5a67c>] split_huge_pmd_locked+0x23b2/0x32d6 mm/huge_memory.c:3063
[<ffffffff80b5b80e>] __split_huge_pmd+0x26e/0x420 mm/huge_memory.c:3077
[<ffffffff80b60b3e>] split_huge_pmd_address mm/huge_memory.c:3090 [inline]
[<ffffffff80b60b3e>] split_huge_pmd_if_needed mm/huge_memory.c:3102 [inline]
[<ffffffff80b60b3e>] split_huge_pmd_if_needed mm/huge_memory.c:3093 [inline]
[<ffffffff80b60b3e>] vma_adjust_trans_huge+0x200/0x458 mm/huge_memory.c:3114
[<ffffffff80a34610>] __split_vma+0x94a/0xee6 mm/vma.c:556
[<ffffffff80a36bae>] split_vma mm/vma.c:598 [inline]
[<ffffffff80a36bae>] vma_modify+0xefc/0x1cbe mm/vma.c:1631
[<ffffffff80a3aa24>] vma_modify_flags+0x1ec/0x260 mm/vma.c:1649
[<ffffffff809da01c>] mprotect_fixup+0x11a/0x8a4 mm/mprotect.c:819
[<ffffffff809dae08>] do_mprotect_pkey.constprop.0+0x662/0xac4 mm/mprotect.c:993
[<ffffffff809db2d6>] __do_sys_mprotect mm/mprotect.c:1014 [inline]
[<ffffffff809db2d6>] __se_sys_mprotect mm/mprotect.c:1011 [inline]
[<ffffffff809db2d6>] __riscv_sys_mprotect+0x6c/0xde mm/mprotect.c:1011
[<ffffffff80078130>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:112
[<ffffffff8643db9a>] do_trap_ecall_u+0x396/0x530 arch/riscv/kernel/traps.c:343
[<ffffffff864674be>] handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:198
Code: 2097 ff93 80e7 7740 87e3 ba04 3097 ff93 80e7 c200 (9002) 3097 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	ff932097          	auipc	ra,0xff932
   4:	774080e7          	jalr	1908(ra) # 0xff932774
   8:	ba0487e3          	beqz	s1,0xfffffffffffffbb6
   c:	ff933097          	auipc	ra,0xff933
  10:	c20080e7          	jalr	-992(ra) # 0xff932c2c
* 14:	9002                	ebreak <-- trapping instruction
  16:	97 30             	Address 0x16 is out of bounds.