------------[ cut here ]------------
kernel BUG at mm/page_table_check.c:142!
Kernel BUG [#1]
Modules linked in:
CPU: 1 UID: 0 PID: 4197 Comm: syz.0.85 Not tainted syzkaller #0 PREEMPT
Hardware name: riscv-virtio,qemu (DT)
epc : __page_table_check_zero+0x46e/0x6ac mm/page_table_check.c:142
 ra : __page_table_check_zero+0x46e/0x6ac mm/page_table_check.c:142
epc : ffffffff80bc4ef0 ra : ffffffff80bc4ef0 sp : ffff8f8005d56f90
 gp : ffffffff89e99e80 tp : ffffaf801b600000 t0 : ffffffff8640a952
 t1 : fffff5ef02920809 t2 : ffffffff809c2c50 s0 : ffff8f8005d57090
 s1 : ffffaf8014904048 a0 : 0000000000000000 a1 : ffffaf801b601000
 a2 : 0000000000000001 a3 : ffffffff80bc4da6 a4 : 0000000000000002
 a5 : 0000000000000000 a6 : fffff5ef0292080a a7 : ffffaf801490404b
 s2 : 0000000000000000 s3 : ffffaf8014904000 s4 : 00000000000db400
 s5 : dfffffff00000000 s6 : 0000000000000009 s7 : 0000000000000200
 s8 : 0000000000007fff s9 : fffffffef13f5f04 s10: ffffffff89faf820
 s11: 0000000000000001 t3 : a81fa2cc00000000 t4 : fffff5ef02920809
 t5 : fffff5ef0292080a t6 : 0000000000000002
status: 0000000200000120 badaddr: ffffffff80bc4ef0 cause: 0000000000000003
[] __page_table_check_zero+0x46e/0x6ac mm/page_table_check.c:142
[] page_table_check_free include/linux/page_table_check.h:43 [inline]
[] free_pages_prepare mm/page_alloc.c:1396 [inline]
[] free_unref_folios+0xc3a/0x1c7e mm/page_alloc.c:2952
[] folios_put_refs+0x418/0x5fa mm/swap.c:997
[] free_pages_and_swap_cache+0x268/0x490 mm/swap_state.c:264
[] __tlb_batch_free_encoded_pages+0x100/0x2b2 mm/mmu_gather.c:136
[] tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
[] tlb_flush_mmu_free mm/mmu_gather.c:397 [inline]
[] tlb_flush_mmu mm/mmu_gather.c:404 [inline]
[] tlb_finish_mmu+0x15e/0x7f0 mm/mmu_gather.c:497
[] exit_mmap+0x39c/0xd00 mm/mmap.c:1293
[] __mmput+0x108/0x3ba kernel/fork.c:1130
[] mmput+0x74/0x88 kernel/fork.c:1152
[] exit_mm kernel/exit.c:582 [inline]
[] do_exit+0x7c2/0x289e kernel/exit.c:949
[] do_group_exit+0xd4/0x26c kernel/exit.c:1102
[] get_signal+0x208e/0x230e kernel/signal.c:3034
[] arch_do_signal_or_restart+0x106/0x25d6 arch/riscv/kernel/signal.c:431
[] exit_to_user_mode_loop kernel/entry/common.c:40 [inline]
[] exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
[] irqentry_exit_to_user_mode+0x2c6/0x3b6 kernel/entry/common.c:73
[] irqentry_exit+0x10a/0x18c kernel/entry/common.c:177
[] do_page_fault+0x3e/0x56 arch/riscv/kernel/traps.c:378
[] handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:198
Code: 8526 c0ef f05f 89aa 0905 bd1d 9097 ff93 80e7 43a0 (9002) 9097
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	8526                	mv	a0,s1
   2:	f05fc0ef          	jal	0xffffffffffffcf06
   6:	89aa                	mv	s3,a0
   8:	0905                	add	s2,s2,1
   a:	bd1d                	j	0xfffffffffffffe40
   c:	ff939097          	auipc	ra,0xff939
  10:	43a080e7          	jalr	1082(ra) # 0xff939446
* 14:	9002                	ebreak	<-- trapping instruction
  16:	97 90
Address 0x16 is out of bounds.