------------[ cut here ]------------
kernel BUG at mm/page_table_check.c:118!
Kernel BUG [#1]
Modules linked in:
CPU: 1 UID: 0 PID: 10546 Comm: syz.3.1437 Not tainted syzkaller #0 PREEMPT 
Hardware name: riscv-virtio,qemu (DT)
epc : page_table_check_set+0xb10/0xe7c mm/page_table_check.c:118
 ra : page_table_check_set+0xb10/0xe7c mm/page_table_check.c:118
epc : ffffffff80bd0b80 ra : ffffffff80bd0b80 sp : ffff8f8002d96ed0
 gp : ffffffff89ea12a0 tp : ffffaf801b2eb480 t0 : ffff8f8002d97478
 t1 : fffff5ef02714009 t2 : ffffffff86a06930 s0 : ffff8f8002d96f50
 s1 : 0000000000000001 a0 : 0000000000000001 a1 : 0000000000000000
 a2 : 0000000000080000 a3 : ffffffff80bd0b80 a4 : ffff8f800a5a6868
 a5 : 0000000000031868 a6 : 0000000000000003 a7 : ffffaf80138a004b
 s2 : 00000000000ba000 s3 : 0000000000000000 s4 : ffffaf80138a0000
 s5 : 0000000000000200 s6 : 0000000000000001 s7 : dfffffff00000000
 s8 : 0000000000007fff s9 : fffffffef13f6d0c s10: 0000000000000000
 s11: ffffffff89fb6860 t3 : 57e9012a00000000 t4 : fffff5ef02714009
 t5 : fffff5ef0271400a t6 : 0000000000000002
status: 0000000200000120 badaddr: ffffffff80bd0b80 cause: 0000000000000003
[<ffffffff80bd0b80>] page_table_check_set+0xb10/0xe7c mm/page_table_check.c:118
[<ffffffff80bd1104>] __page_table_check_ptes_set+0x218/0x296 mm/page_table_check.c:209
[<ffffffff80b5a67c>] page_table_check_ptes_set include/linux/page_table_check.h:76 [inline]
[<ffffffff80b5a67c>] set_ptes arch/riscv/include/asm/pgtable.h:564 [inline]
[<ffffffff80b5a67c>] __split_huge_pmd_locked mm/huge_memory.c:3045 [inline]
[<ffffffff80b5a67c>] split_huge_pmd_locked+0x23b2/0x32d6 mm/huge_memory.c:3063
[<ffffffff80b5b80e>] __split_huge_pmd+0x26e/0x420 mm/huge_memory.c:3077
[<ffffffff80b60b3e>] split_huge_pmd_address mm/huge_memory.c:3090 [inline]
[<ffffffff80b60b3e>] split_huge_pmd_if_needed mm/huge_memory.c:3102 [inline]
[<ffffffff80b60b3e>] split_huge_pmd_if_needed mm/huge_memory.c:3093 [inline]
[<ffffffff80b60b3e>] vma_adjust_trans_huge+0x200/0x458 mm/huge_memory.c:3114
[<ffffffff80a34610>] __split_vma+0x94a/0xee6 mm/vma.c:556
[<ffffffff80a36ab0>] split_vma mm/vma.c:598 [inline]
[<ffffffff80a36ab0>] vma_modify+0xdfe/0x1cbe mm/vma.c:1623
[<ffffffff80a3b178>] vma_modify_flags_uffd+0x226/0x29e mm/vma.c:1697
[<ffffffff80be0c7e>] userfaultfd_register_range+0x33a/0x638 mm/userfaultfd.c:1998
[<ffffffff80d9032a>] userfaultfd_register+0xd8e/0xf6c fs/userfaultfd.c:1381
[<ffffffff80d91c50>] userfaultfd_ioctl+0x8a4/0x41e2 fs/userfaultfd.c:2031
[<ffffffff80c74bc4>] vfs_ioctl fs/ioctl.c:51 [inline]
[<ffffffff80c74bc4>] __do_sys_ioctl fs/ioctl.c:598 [inline]
[<ffffffff80c74bc4>] __se_sys_ioctl fs/ioctl.c:584 [inline]
[<ffffffff80c74bc4>] __riscv_sys_ioctl+0x180/0x1e4 fs/ioctl.c:584
[<ffffffff80078130>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:112
[<ffffffff8643db9a>] do_trap_ecall_u+0x396/0x530 arch/riscv/kernel/traps.c:343
[<ffffffff864674be>] handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:198
Code: 2097 ff93 80e7 7740 87e3 ba04 3097 ff93 80e7 c200 (9002) 3097 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	ff932097          	auipc	ra,0xff932
   4:	774080e7          	jalr	1908(ra) # 0xff932774
   8:	ba0487e3          	beqz	s1,0xfffffffffffffbb6
   c:	ff933097          	auipc	ra,0xff933
  10:	c20080e7          	jalr	-992(ra) # 0xff932c2c
* 14:	9002                	ebreak <-- trapping instruction
  16:	97 30             	Address 0x16 is out of bounds.