------------[ cut here ]------------
kernel BUG at [] mm/page_table_check.c:142!
Kernel BUG [#1]
Modules linked in:
CPU: 0 UID: 0 PID: 4091 Comm: syz.0.53 Tainted: G        W           syzkaller #0 PREEMPT 
Tainted: [W]=WARN
Hardware name: riscv-virtio,qemu (DT)
epc : __page_table_check_zero+0x386/0x534 mm/page_table_check.c:142
 ra : __page_table_check_zero+0x386/0x534 mm/page_table_check.c:142
epc : ffffffff80c6a8b6 ra : ffffffff80c6a8b6 sp : ffff8f800afd6ad0
 gp : ffffffff8a24e5c0 tp : ffffaf801cfb0000 t0 : ffff8f800afd6a80
 t1 : fffff5ef02720809 t2 : ffffffff91627f80 s0 : ffff8f800afd6b40
 s1 : ffffaf8013904048 a0 : 0000000000000005 a1 : 0000000000000000
 a2 : 0000000000000002 a3 : ffffffff80c6a8b6 a4 : 0000000000000000
 a5 : ffffaf801cfb1000 a6 : 0000000000000003 a7 : ffffaf801390404b
 s2 : 0000000000000001 s3 : 0000000000000000 s4 : ffffaf8013904000
 s5 : dfffffff00000000 s6 : 00000000000b3400 s7 : 0000000000000200
 s8 : 0000000000000009 s9 : 0000000000007fff s10: fffffffef146d78c
 s11: ffffffff8a36bc60 t3 : 0000000000000001 t4 : fffff5ef02720809
 t5 : fffff5ef0272080a t6 : 0000000000000002 ssp : 0000000000000000
status: 0000000200000120 badaddr: ffffffff80c6a8b6 cause: 0000000000000003
[<ffffffff80c6a8b6>] __page_table_check_zero+0x386/0x534 mm/page_table_check.c:142
[<ffffffff80ae7672>] page_table_check_free include/linux/page_table_check.h:46 [inline]
[<ffffffff80ae7672>] __free_pages_prepare mm/page_alloc.c:1403 [inline]
[<ffffffff80ae7672>] free_unref_folios+0xb1e/0x1ad0 mm/page_alloc.c:3004
[<ffffffff80914374>] folios_put_refs+0x458/0x7c8 mm/swap.c:1008
[<ffffffff80b33b8c>] free_pages_and_swap_cache+0x278/0x3c0 mm/swap_state.c:404
[<ffffffff80a59ce0>] __tlb_batch_free_encoded_pages+0xe4/0x25c mm/mmu_gather.c:138
[<ffffffff80a5b718>] tlb_batch_pages_flush mm/mmu_gather.c:151 [inline]
[<ffffffff80a5b718>] tlb_flush_mmu_free mm/mmu_gather.c:417 [inline]
[<ffffffff80a5b718>] tlb_flush_mmu+0xdc/0x5f8 mm/mmu_gather.c:424
[<ffffffff80a15420>] zap_pte_range mm/memory.c:1957 [inline]
[<ffffffff80a15420>] zap_pmd_range mm/memory.c:2004 [inline]
[<ffffffff80a15420>] zap_pud_range mm/memory.c:2032 [inline]
[<ffffffff80a15420>] zap_p4d_range mm/memory.c:2053 [inline]
[<ffffffff80a15420>] __zap_vma_range+0x15e0/0x49f0 mm/memory.c:2093
[<ffffffff80a1f666>] unmap_vmas+0x24a/0x520 mm/memory.c:2162
[<ffffffff80a56046>] exit_mmap+0x1fa/0xcc0 mm/mmap.c:1300
[<ffffffff80141ed6>] __mmput+0x106/0x3d0 kernel/fork.c:1178
[<ffffffff80142214>] mmput+0x74/0x88 kernel/fork.c:1201
[<ffffffff80162c26>] exit_mm kernel/exit.c:582 [inline]
[<ffffffff80162c26>] do_exit+0x876/0x2a18 kernel/exit.c:964
[<ffffffff801652f6>] do_group_exit+0xca/0x258 kernel/exit.c:1119
[<ffffffff8019efb2>] get_signal+0x1f56/0x2224 kernel/signal.c:3037
[<ffffffff80072e78>] arch_do_signal_or_restart+0x648/0x1e08 arch/riscv/kernel/signal.c:534
[<ffffffff803df0b2>] __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
[<ffffffff803df0b2>] exit_to_user_mode_loop+0x8e/0x9c4 kernel/entry/common.c:98
[<ffffffff86482210>] __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
[<ffffffff86482210>] syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:230 [inline]
[<ffffffff86482210>] syscall_exit_to_user_mode include/linux/entry-common.h:318 [inline]
[<ffffffff86482210>] do_trap_ecall_u+0x4e4/0x61c arch/riscv/kernel/traps.c:345
[<ffffffff864ad412>] handle_exception+0x15e/0x16a arch/riscv/kernel/entry.S:232
Code: f580 8526 d0ef 88af 8a2a b7a1 7097 ff8c 80e7 f460 (9002) 7097 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	f580                	fsw	fs0,40(a1)
   2:	8526                	mv	a0,s1
   4:	88afd0ef          	jal	0xffffffffffffd08e
   8:	8a2a                	mv	s4,a0
   a:	b7a1                	j	0xffffffffffffff52
   c:	ff8c7097          	auipc	ra,0xff8c7
  10:	f46080e7          	jalr	-186(ra) # 0xff8c6f52
* 14:	9002                	ebreak <-- trapping instruction
  16:	9770                	.short	0x7097