------------[ cut here ]------------ kernel BUG at mm/page_table_check.c:142! Kernel BUG [#1] Modules linked in: CPU: 1 UID: 0 PID: 6943 Comm: syz.1.852 Not tainted 6.16.0-rc1-syzkaller-gfda589c28604 #0 PREEMPT Hardware name: riscv-virtio,qemu (DT) epc : __page_table_check_zero+0x46e/0x6ac mm/page_table_check.c:142 ra : __page_table_check_zero+0x46e/0x6ac mm/page_table_check.c:142 epc : ffffffff80b9f47c ra : ffffffff80b9f47c sp : ffff8f80021b6fa0 gp : ffffffff89c83e20 tp : ffffaf80301f0000 t0 : ffff8f80021b6fe0 t1 : fffff5ef02633409 t2 : ffffaf806ed476c0 s0 : ffff8f80021b70a0 s1 : ffffaf801319a048 a0 : 0000000000000005 a1 : 0000000000000000 a2 : 0000000000000002 a3 : ffffffff80b9f47c a4 : 0000000000000000 a5 : ffffaf80301f1000 a6 : 0000000000000003 a7 : ffffaf801319a04b s2 : 0000000000000000 s3 : ffffaf801319a000 s4 : 00000000000b5200 s5 : dfffffff00000000 s6 : 0000000000000009 s7 : 0000000000000200 s8 : 0000000000007fff s9 : fffffffef13b30ec s10: ffffffff89d98760 s11: 0000000000000001 t3 : a5e4217b00000000 t4 : fffff5ef02633409 t5 : fffff5ef0263340a t6 : 0000000000000002 status: 0000000200000120 badaddr: ffffffff80b9f47c cause: 0000000000000003 [] __page_table_check_zero+0x46e/0x6ac mm/page_table_check.c:142 [] page_table_check_free include/linux/page_table_check.h:43 [inline] [] free_pages_prepare mm/page_alloc.c:1249 [inline] [] free_unref_folios+0x1096/0x1d2c mm/page_alloc.c:2763 [] folios_put_refs+0x418/0x5fa mm/swap.c:992 [] free_pages_and_swap_cache+0x268/0x490 mm/swap_state.c:264 [] __tlb_batch_free_encoded_pages+0x100/0x2b2 mm/mmu_gather.c:136 [] tlb_batch_pages_flush mm/mmu_gather.c:149 [inline] [] tlb_flush_mmu_free mm/mmu_gather.c:397 [inline] [] tlb_flush_mmu mm/mmu_gather.c:404 [inline] [] tlb_finish_mmu+0x15e/0x7f0 mm/mmu_gather.c:497 [] exit_mmap+0x39c/0xd00 mm/mmap.c:1297 [] __mmput+0x108/0x3c0 kernel/fork.c:1121 [] mmput+0x74/0x88 kernel/fork.c:1144 [] exit_mm kernel/exit.c:581 [inline] [] do_exit+0x7b4/0x28ca kernel/exit.c:943 [] do_group_exit+0xd4/0x26c kernel/exit.c:1104 [] get_signal+0x207c/0x22fc kernel/signal.c:3034 [] arch_do_signal_or_restart+0x106/0x24c6 arch/riscv/kernel/signal.c:431 [] exit_to_user_mode_loop kernel/entry/common.c:111 [inline] [] exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline] [] irqentry_exit_to_user_mode+0x2c6/0x3b6 kernel/entry/common.c:184 [] irqentry_exit+0x10a/0x18c kernel/entry/common.c:287 [] do_page_fault+0x3e/0x56 arch/riscv/kernel/traps.c:376 [] handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197 Code: 8526 c0ef f0ff 89aa 0905 bd1d c097 ff94 80e7 59c0 (9002) c097 ---[ end trace 0000000000000000 ]--- ---------------- Code disassembly (best guess): 0: 8526 mv a0,s1 2: f0ffc0ef jal 0xffffffffffffcf10 6: 89aa mv s3,a0 8: 0905 add s2,s2,1 a: bd1d j 0xfffffffffffffe40 c: ff94c097 auipc ra,0xff94c 10: 59c080e7 jalr 1436(ra) # 0xff94c5a8 * 14: 9002 ebreak <-- trapping instruction 16: 97 c0 Address 0x16 is out of bounds.