------------[ cut here ]------------
kernel BUG at [] mm/page_table_check.c:118!
Kernel BUG [#1]
Modules linked in:
CPU: 0 UID: 0 PID: 4417 Comm: syz.0.147 Not tainted syzkaller #0 PREEMPT 
Hardware name: riscv-virtio,qemu (DT)
epc : page_table_check_set+0xa74/0xd30 mm/page_table_check.c:118
 ra : page_table_check_set+0xa74/0xd30 mm/page_table_check.c:118
epc : ffffffff80bfcb7c ra : ffffffff80bfcb7c sp : ffff8f800bfb6df0
 gp : ffffffff89f9df20 tp : ffffaf801ca44f80 t0 : ffff8f800bfb7378
 t1 : fffff5ef026b2009 t2 : ffffffff80a2597e s0 : ffff8f800bfb6e70
 s1 : 0000000000000001 a0 : 0000000000000001 a1 : 0000000000000000
 a2 : 0000000000080000 a3 : ffffffff80bfcb7c a4 : ffff8f80048076c0
 a5 : 000000000002e6c0 a6 : 0000000000000003 a7 : ffffaf801359004b
 s2 : 00000000000b5000 s3 : 0000000000000000 s4 : ffffaf8013590000
 s5 : 0000000000000200 s6 : 0000000000000001 s7 : dfffffff00000000
 s8 : 0000000000007fff s9 : ffffffff88825fa0 s10: 0000000000000000
 s11: ffffffff8a0b5d80 t3 : 0000000000000001 t4 : fffff5ef026b2009
 t5 : fffff5ef026b200a t6 : 0000000000000002 ssp : 0000000000000000
status: 0000000200000120 badaddr: ffffffff80bfcb7c cause: 0000000000000003
[<ffffffff80bfcb7c>] page_table_check_set+0xa74/0xd30 mm/page_table_check.c:118
[<ffffffff80bfd300>] __page_table_check_ptes_set+0x264/0x47c mm/page_table_check.c:212
[<ffffffff80b8b0de>] page_table_check_ptes_set include/linux/page_table_check.h:76 [inline]
[<ffffffff80b8b0de>] set_ptes arch/riscv/include/asm/pgtable.h:640 [inline]
[<ffffffff80b8b0de>] __split_huge_pmd_locked mm/huge_memory.c:3252 [inline]
[<ffffffff80b8b0de>] split_huge_pmd_locked+0x2b0a/0x326c mm/huge_memory.c:3270
[<ffffffff80b8bafa>] __split_huge_pmd+0x2ba/0x3e4 mm/huge_memory.c:3284
[<ffffffff80b8eca6>] split_huge_pmd_address mm/huge_memory.c:3297 [inline]
[<ffffffff80b8eca6>] split_huge_pmd_if_needed mm/huge_memory.c:3309 [inline]
[<ffffffff80b8eca6>] split_huge_pmd_if_needed mm/huge_memory.c:3300 [inline]
[<ffffffff80b8eca6>] vma_adjust_trans_huge+0x15a/0x49c mm/huge_memory.c:3321
[<ffffffff80a51236>] __split_vma+0x97e/0xf6c mm/vma.c:554
[<ffffffff80a519d8>] vms_gather_munmap_vmas+0x1b4/0x1100 mm/vma.c:1402
[<ffffffff80a59744>] do_vmi_align_munmap+0x240/0x6d8 mm/vma.c:1570
[<ffffffff80a59daa>] do_vmi_munmap+0x1ce/0x3bc mm/vma.c:1627
[<ffffffff809e5358>] do_munmap+0xd4/0x10c mm/mmap.c:1065
[<ffffffff809fafd8>] mremap_to+0x1fc/0x3d8 mm/mremap.c:1378
[<ffffffff809fbb5a>] do_mremap+0x9a6/0x1cf0 mm/mremap.c:1941
[<ffffffff809fcfba>] __do_sys_mremap+0x116/0x240 mm/mremap.c:1997
[<ffffffff809fd184>] __se_sys_mremap mm/mremap.c:1965 [inline]
[<ffffffff809fd184>] __riscv_sys_mremap+0xa0/0x124 mm/mremap.c:1965
[<ffffffff80078192>] syscall_handler+0x92/0x114 arch/riscv/include/asm/syscall.h:112
[<ffffffff86391c0a>] do_trap_ecall_u+0x3d2/0x58c arch/riscv/kernel/traps.c:344
[<ffffffff863bb61e>] handle_exception+0x15e/0x16a arch/riscv/kernel/entry.S:232
Code: 7097 ff90 80e7 4580 81e3 e004 8097 ff90 80e7 9380 (9002) 8097 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	ff907097          	auipc	ra,0xff907
   4:	458080e7          	jalr	1112(ra) # 0xff907458
   8:	e00481e3          	beqz	s1,0xfffffffffffffe0a
   c:	ff908097          	auipc	ra,0xff908
  10:	938080e7          	jalr	-1736(ra) # 0xff907944
* 14:	9002                	ebreak <-- trapping instruction
  16:	9780                	.short	0x8097