------------[ cut here ]------------
kernel BUG at [] mm/page_table_check.c:142!
Kernel BUG [#1]
Modules linked in:
CPU: 0 UID: 0 PID: 6067 Comm: syz.4.295 Not tainted syzkaller #0 PREEMPT 
Hardware name: riscv-virtio,qemu (DT)
epc : __page_table_check_zero+0x396/0x544 mm/page_table_check.c:142
 ra : __page_table_check_zero+0x396/0x544 mm/page_table_check.c:142
epc : ffffffff80bfdcce ra : ffffffff80bfdcce sp : ffff8f80026367d0
 gp : ffffffff89f9df20 tp : ffffaf80137d8000 t0 : ffffffff80ab6042
 t1 : fffff5ef02839809 t2 : ffffffff808da5e0 s0 : ffff8f8002636840
 s1 : ffffaf80141cc048 a0 : 0000000000000005 a1 : 0000000000000000
 a2 : 0000000000080000 a3 : ffffffff80bfdcce a4 : ffff8f80030c9000
 a5 : 0000000000080000 a6 : 0000000000000003 a7 : ffffaf80141cc04b
 s2 : 0000000000000001 s3 : 0000000000000000 s4 : ffffaf80141cc000
 s5 : dfffffff00000000 s6 : 00000000000cdc00 s7 : 0000000000000001
 s8 : 0000000000000000 s9 : 0000000000007fff s10: fffffffef1416bb0
 s11: ffffffff8a0b5d80 t3 : 0000000000000001 t4 : fffff5ef02839809
 t5 : fffff5ef0283980a t6 : 0000000000000002 ssp : 0000000000000000
status: 0000000200000120 badaddr: ffffffff80bfdcce cause: 0000000000000003
[<ffffffff80bfdcce>] __page_table_check_zero+0x396/0x544 mm/page_table_check.c:142
[<ffffffff80a775b6>] page_table_check_free include/linux/page_table_check.h:43 [inline]
[<ffffffff80a775b6>] free_pages_prepare mm/page_alloc.c:1434 [inline]
[<ffffffff80a775b6>] free_unref_folios+0xa22/0x1dc8 mm/page_alloc.c:3030
[<ffffffff808aac84>] folios_put_refs+0x41c/0x61c mm/swap.c:1002
[<ffffffff808ab0e2>] folios_put include/linux/mm.h:1676 [inline]
[<ffffffff808ab0e2>] folio_batch_move_lru+0x25e/0x374 mm/swap.c:179
[<ffffffff808ace86>] __folio_batch_add_and_move+0x2da/0xb9c mm/swap.c:196
[<ffffffff808ad8e2>] folio_add_lru+0x19a/0x274 mm/swap.c:511
[<ffffffff808da5e0>] folio_putback_lru mm/vmscan.c:847 [inline]
[<ffffffff808da5e0>] reclaim_folio_list+0x210/0x7dc mm/vmscan.c:2202
[<ffffffff808eb15e>] reclaim_pages+0x33e/0x4b8 mm/vmscan.c:2235
[<ffffffff80ab4512>] madvise_cold_or_pageout_pte_range+0x16da/0x2400 mm/madvise.c:444
[<ffffffff80a03002>] walk_pmd_range mm/pagewalk.c:130 [inline]
[<ffffffff80a03002>] walk_pud_range mm/pagewalk.c:224 [inline]
[<ffffffff80a03002>] walk_p4d_range mm/pagewalk.c:262 [inline]
[<ffffffff80a03002>] walk_pgd_range+0xcc6/0x1f84 mm/pagewalk.c:303
[<ffffffff80a043f8>] __walk_page_range+0x138/0x7a8 mm/pagewalk.c:410
[<ffffffff80a05cf2>] walk_page_range_vma_unsafe+0x212/0x868 mm/pagewalk.c:714
[<ffffffff80a063a2>] walk_page_range_vma+0x5a/0x84 mm/pagewalk.c:724
[<ffffffff80aaf14e>] madvise_pageout_page_range mm/madvise.c:622 [inline]
[<ffffffff80aaf14e>] madvise_pageout+0x236/0x794 mm/madvise.c:647
[<ffffffff80ab6042>] madvise_vma_behavior+0xb0a/0x251c mm/madvise.c:1366
[<ffffffff80ab7c8e>] madvise_walk_vmas+0x23a/0x970 mm/madvise.c:1721
[<ffffffff80ab85ae>] madvise_do_behavior+0x1ea/0x5c0 mm/madvise.c:1937
[<ffffffff80ab94c6>] do_madvise+0x18a/0x22c mm/madvise.c:2030
[<ffffffff80ab95f0>] __do_sys_madvise mm/madvise.c:2039 [inline]
[<ffffffff80ab95f0>] __se_sys_madvise mm/madvise.c:2037 [inline]
[<ffffffff80ab95f0>] __riscv_sys_madvise+0x88/0xdc mm/madvise.c:2037
[<ffffffff80078192>] syscall_handler+0x92/0x114 arch/riscv/include/asm/syscall.h:112
[<ffffffff86391c0a>] do_trap_ecall_u+0x3d2/0x58c arch/riscv/kernel/traps.c:344
[<ffffffff863bb61e>] handle_exception+0x15e/0x16a arch/riscv/kernel/entry.S:232
Code: 7f80 8526 c0ef ec3f 8a2a b791 6097 ff90 80e7 7e60 (9002) 6097 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	7f80                	flw	fs0,56(a5)
   2:	8526                	mv	a0,s1
   4:	ec3fc0ef          	jal	0xffffffffffffcec6
   8:	8a2a                	mv	s4,a0
   a:	b791                	j	0xffffffffffffff4e
   c:	ff906097          	auipc	ra,0xff906
  10:	7e6080e7          	jalr	2022(ra) # 0xff9067f2
* 14:	9002                	ebreak <-- trapping instruction
  16:	9760                	.short	0x6097