------------[ cut here ]------------ kernel BUG at mm/page_table_check.c:156! Kernel BUG [#1] Modules linked in: CPU: 1 UID: 0 PID: 3998 Comm: syz.0.41 Not tainted 6.14.0-rc1-syzkaller-g245aece3750d #0 Hardware name: riscv-virtio,qemu (DT) epc : __page_table_check_zero+0x308/0x356 mm/page_table_check.c:156 ra : __page_table_check_zero+0x308/0x356 mm/page_table_check.c:156 epc : ffffffff80b17f54 ra : ffffffff80b17f54 sp : ffff8f800d417050 gp : ffffffff89c21d80 tp : ffffaf801cebce00 t0 : 5ac2854d30b315b6 t1 : fffff5ef024cb009 t2 : 0000000000000005 s0 : ffff8f800d4170b0 s1 : ffffaf8012658048 a0 : 0000000000000005 a1 : 0000000000000000 a2 : 0000000000000002 a3 : ffffffff80b17f54 a4 : 0000000000000000 a5 : ffffaf801cebde00 a6 : 0000000000000003 a7 : ffffaf801265804b s2 : ffffaf8012658000 s3 : 0000000000000000 s4 : 0000000000000009 s5 : dfffffff00000000 s6 : 0000000000000200 s7 : fffffffef13a6854 s8 : ffffffff89d342a0 s9 : ffffffff885ce8e0 s10: 0000000000000001 s11: fffff1af000fc001 t3 : ffffaf801cebd8f0 t4 : fffff5ef024cb009 t5 : fffff5ef024cb00a t6 : 0000000000000003 status: 0000000200000120 badaddr: ffffffff80b17f54 cause: 0000000000000003 [] __page_table_check_zero+0x308/0x356 mm/page_table_check.c:156 [] page_table_check_free include/linux/page_table_check.h:41 [inline] [] free_pages_prepare mm/page_alloc.c:1128 [inline] [] free_unref_folios+0x10c0/0x1d28 mm/page_alloc.c:2707 [] folios_put_refs+0x418/0x5fa mm/swap.c:994 [] free_pages_and_swap_cache+0x268/0x490 mm/swap_state.c:331 [] __tlb_batch_free_encoded_pages+0x100/0x2b2 mm/mmu_gather.c:136 [] tlb_batch_pages_flush mm/mmu_gather.c:149 [inline] [] tlb_flush_mmu_free mm/mmu_gather.c:389 [inline] [] tlb_flush_mmu mm/mmu_gather.c:396 [inline] [] tlb_finish_mmu+0x156/0x7e4 mm/mmu_gather.c:488 [] exit_mmap+0x394/0xcf4 mm/mmap.c:1297 [] __mmput+0xfe/0x3ac kernel/fork.c:1356 [] mmput+0x74/0x88 kernel/fork.c:1378 [] exit_mm kernel/exit.c:570 [inline] [] do_exit+0x8fc/0x2966 kernel/exit.c:925 [] do_group_exit+0xd4/0x26c kernel/exit.c:1087 [] get_signal+0x1f4e/0x22e0 kernel/signal.c:3036 [] arch_do_signal_or_restart+0xf6/0x207a arch/riscv/kernel/signal.c:431 [] exit_to_user_mode_loop kernel/entry/common.c:111 [inline] [] exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline] [] irqentry_exit_to_user_mode+0x20a/0x282 kernel/entry/common.c:231 [] irqentry_exit+0x10a/0x174 kernel/entry/common.c:334 [] do_page_fault+0x3e/0x56 arch/riscv/kernel/traps.c:366 [] handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197 Code: 6be2 6c42 6ca2 6d02 6125 8082 f097 ff9b 80e7 4120 (9002) f097 ---[ end trace 0000000000000000 ]--- ---------------- Code disassembly (best guess): 0: 6be2 flw fs7,24(sp) 2: 6c42 flw fs8,16(sp) 4: 6ca2 flw fs9,8(sp) 6: 6d02 flw fs10,0(sp) 8: 6125 add sp,sp,96 a: 8082 ret c: ff9bf097 auipc ra,0xff9bf 10: 412080e7 jalr 1042(ra) # 0xff9bf41e * 14: 9002 ebreak <-- trapping instruction 16: 97 f0 Address 0x16 is out of bounds.