------------[ cut here ]------------
kernel BUG at mm/page_table_check.c:118!
Kernel BUG [#1]
Modules linked in:
CPU: 0 UID: 0 PID: 4562 Comm: syz.0.185 Not tainted 6.17.0-rc1-syzkaller-g8f5ae30d69d7 #0 PREEMPT 
Hardware name: riscv-virtio,qemu (DT)
epc : page_table_check_set+0xb10/0xe7c mm/page_table_check.c:118
 ra : page_table_check_set+0xb10/0xe7c mm/page_table_check.c:118
epc : ffffffff80bcb2ec ra : ffffffff80bcb2ec sp : ffff8f8006a17500
 gp : ffffffff89c9e5c0 tp : ffffaf801bc30000 t0 : ffff8f8006a17d50
 t1 : fffff5ef02685009 t2 : ffffffff86806930 s0 : ffff8f8006a17580
 s1 : 0000000000000001 a0 : 0000000000000001 a1 : 0000000000000000
 a2 : 0000000000080000 a3 : ffffffff80bcb2ec a4 : ffff8f800828f6f0
 a5 : 00000000000356f0 a6 : 0000000000000003 a7 : ffffaf801342804b
 s2 : 00000000000b8800 s3 : 0000000000000000 s4 : ffffaf8013428000
 s5 : 0000000000000200 s6 : 0000000000000001 s7 : dfffffff00000000
 s8 : 0000000000007fff s9 : fffffffef13b6704 s10: 0000000000000000
 s11: ffffffff89db3820 t3 : 4ec8a26400000000 t4 : fffff5ef02685009
 t5 : fffff5ef0268500a t6 : 0000000000000002
status: 0000000200000120 badaddr: ffffffff80bcb2ec cause: 0000000000000003
[<ffffffff80bcb2ec>] page_table_check_set+0xb10/0xe7c mm/page_table_check.c:118
[<ffffffff80bcb870>] __page_table_check_ptes_set+0x218/0x296 mm/page_table_check.c:209
[<ffffffff80b54de8>] page_table_check_ptes_set include/linux/page_table_check.h:76 [inline]
[<ffffffff80b54de8>] set_ptes arch/riscv/include/asm/pgtable.h:563 [inline]
[<ffffffff80b54de8>] __split_huge_pmd_locked mm/huge_memory.c:3045 [inline]
[<ffffffff80b54de8>] split_huge_pmd_locked+0x23b2/0x32d6 mm/huge_memory.c:3063
[<ffffffff80b55f7a>] __split_huge_pmd+0x26e/0x420 mm/huge_memory.c:3077
[<ffffffff80bd8022>] move_pages+0x1d64/0x4c36 mm/userfaultfd.c:1834
[<ffffffff80d99c50>] userfaultfd_move fs/userfaultfd.c:1923 [inline]
[<ffffffff80d99c50>] userfaultfd_ioctl+0x4cc/0x4ede fs/userfaultfd.c:2046
[<ffffffff80c7de48>] vfs_ioctl fs/ioctl.c:51 [inline]
[<ffffffff80c7de48>] __do_sys_ioctl fs/ioctl.c:598 [inline]
[<ffffffff80c7de48>] __se_sys_ioctl fs/ioctl.c:584 [inline]
[<ffffffff80c7de48>] __riscv_sys_ioctl+0x180/0x1e4 fs/ioctl.c:584
[<ffffffff8007715e>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:112
[<ffffffff863c3c76>] do_trap_ecall_u+0x396/0x530 arch/riscv/kernel/traps.c:343
[<ffffffff863ed596>] handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197
Code: 2097 ff93 80e7 7f00 87e3 ba04 3097 ff93 80e7 c9c0 (9002) 3097 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	ff932097          	auipc	ra,0xff932
   4:	7f0080e7          	jalr	2032(ra) # 0xff9327f0
   8:	ba0487e3          	beqz	s1,0xfffffffffffffbb6
   c:	ff933097          	auipc	ra,0xff933
  10:	c9c080e7          	jalr	-868(ra) # 0xff932ca8
* 14:	9002                	ebreak <-- trapping instruction
  16:	97 30             	Address 0x16 is out of bounds.