------------[ cut here ]------------
kernel BUG at mm/page_table_check.c:118!
Kernel BUG [#1]
Modules linked in:
CPU: 1 UID: 0 PID: 11216 Comm: syz.0.1754 Not tainted 6.16.0-rc1-syzkaller-gfda589c28604 #0 PREEMPT 
Hardware name: riscv-virtio,qemu (DT)
epc : page_table_check_set+0xb10/0xe7c mm/page_table_check.c:118
 ra : page_table_check_set+0xb10/0xe7c mm/page_table_check.c:118
epc : ffffffff80b9e558 ra : ffffffff80b9e558 sp : ffff8f8003236dd0
 gp : ffffffff89c7e9c0 tp : ffffaf8032811a40 t0 : fffff5ef031e8400
 t1 : fffff5ef0260c809 t2 : ffffffff8098c204 s0 : ffff8f8003236e50
 s1 : 0000000000000001 a0 : 0000000000000001 a1 : 0000000000000000
 a2 : 0000000000080000 a3 : ffffffff80b9e558 a4 : ffff8f800a2328a8
 a5 : 00000000000ce8a8 a6 : 0000000000000003 a7 : ffffaf801306404b
 s2 : 00000000000b1400 s3 : 0000000000000000 s4 : ffffaf8013064000
 s5 : 0000000000000200 s6 : 0000000000000001 s7 : dfffffff00000000
 s8 : 0000000000007fff s9 : fffffffef13b26ec s10: 0000000000000000
 s11: ffffffff89d93760 t3 : e513e18300000000 t4 : fffff5ef0260c809
 t5 : fffff5ef0260c80a t6 : 0000000000000002
status: 0000000200000120 badaddr: ffffffff80b9e558 cause: 0000000000000003
[<ffffffff80b9e558>] page_table_check_set+0xb10/0xe7c mm/page_table_check.c:118
[<ffffffff80b9eadc>] __page_table_check_ptes_set+0x218/0x296 mm/page_table_check.c:209
[<ffffffff80b2870a>] page_table_check_ptes_set include/linux/page_table_check.h:76 [inline]
[<ffffffff80b2870a>] set_ptes arch/riscv/include/asm/pgtable.h:575 [inline]
[<ffffffff80b2870a>] __split_huge_pmd_locked mm/huge_memory.c:3070 [inline]
[<ffffffff80b2870a>] split_huge_pmd_locked+0x24c8/0x3370 mm/huge_memory.c:3089
[<ffffffff80b29820>] __split_huge_pmd+0x26e/0x420 mm/huge_memory.c:3103
[<ffffffff80b2bea6>] copy_huge_pmd+0x24d4/0x2c98 mm/huge_memory.c:1789
[<ffffffff809789de>] copy_pmd_range mm/memory.c:1257 [inline]
[<ffffffff809789de>] copy_pud_range mm/memory.c:1304 [inline]
[<ffffffff809789de>] copy_p4d_range mm/memory.c:1328 [inline]
[<ffffffff809789de>] copy_page_range+0xa4e/0x62fa mm/memory.c:1416
[<ffffffff809a44b4>] dup_mmap+0xd50/0x1fbc mm/mmap.c:1838
[<ffffffff8013de9e>] dup_mm kernel/fork.c:1477 [inline]
[<ffffffff8013de9e>] copy_mm kernel/fork.c:1529 [inline]
[<ffffffff8013de9e>] copy_process+0x5ab0/0x716a kernel/fork.c:2169
[<ffffffff8013f784>] kernel_clone+0x128/0xc9e kernel/fork.c:2599
[<ffffffff801403f8>] __do_sys_clone+0xfe/0x13e kernel/fork.c:2742
[<ffffffff80140a84>] __se_sys_clone kernel/fork.c:2710 [inline]
[<ffffffff80140a84>] __riscv_sys_clone+0xa0/0x10e kernel/fork.c:2710
[<ffffffff800769ae>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:112
[<ffffffff862fcc32>] do_trap_ecall_u+0x396/0x530 arch/riscv/kernel/traps.c:341
[<ffffffff863250ca>] handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197
Code: d097 ff94 80e7 0140 87e3 ba04 d097 ff94 80e7 4c00 (9002) d097 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	ff94d097          	auipc	ra,0xff94d
   4:	014080e7          	jalr	20(ra) # 0xff94d014
   8:	ba0487e3          	beqz	s1,0xfffffffffffffbb6
   c:	ff94d097          	auipc	ra,0xff94d
  10:	4c0080e7          	jalr	1216(ra) # 0xff94d4cc
* 14:	9002                	ebreak <-- trapping instruction
  16:	97 d0             	Address 0x16 is out of bounds.