------------[ cut here ]------------
kernel BUG at mm/page_table_check.c:118!
Kernel BUG [#1]
Modules linked in:
CPU: 1 UID: 0 PID: 11140 Comm: syz.6.1230 Not tainted 6.16.0-rc1-syzkaller-gfda589c28604 #0 PREEMPT 
Hardware name: riscv-virtio,qemu (DT)
epc : page_table_check_set+0xb10/0xe7c mm/page_table_check.c:118
 ra : page_table_check_set+0xb10/0xe7c mm/page_table_check.c:118
epc : ffffffff80b9e558 ra : ffffffff80b9e558 sp : ffff8f8002927170
 gp : ffffffff89c7e9c0 tp : ffffaf8019a61a40 t0 : ffff8f8002927718
 t1 : fffff5ef02546009 t2 : ffffffff809dab58 s0 : ffff8f80029271f0
 s1 : 0000000000000001 a0 : 0000000000000001 a1 : 0000000000000000
 a2 : 0000000000080000 a3 : ffffffff80b9e558 a4 : ffff8f80059e9298
 a5 : 000000000002e298 a6 : 0000000000000003 a7 : ffffaf8012a3004b
 s2 : 00000000000a7000 s3 : 0000000000000000 s4 : ffffaf8012a30000
 s5 : 0000000000000200 s6 : 0000000000000001 s7 : dfffffff00000000
 s8 : 0000000000007fff s9 : fffffffef13b26ec s10: 0000000000000000
 s11: ffffffff89d93760 t3 : b3e0abd300000000 t4 : fffff5ef02546009
 t5 : fffff5ef0254600a t6 : 0000000000000002
status: 0000000200000120 badaddr: ffffffff80b9e558 cause: 0000000000000003
[<ffffffff80b9e558>] page_table_check_set+0xb10/0xe7c mm/page_table_check.c:118
[<ffffffff80b9eadc>] __page_table_check_ptes_set+0x218/0x296 mm/page_table_check.c:209
[<ffffffff80b2870a>] page_table_check_ptes_set include/linux/page_table_check.h:76 [inline]
[<ffffffff80b2870a>] set_ptes arch/riscv/include/asm/pgtable.h:575 [inline]
[<ffffffff80b2870a>] __split_huge_pmd_locked mm/huge_memory.c:3070 [inline]
[<ffffffff80b2870a>] split_huge_pmd_locked+0x24c8/0x3370 mm/huge_memory.c:3089
[<ffffffff80b29820>] __split_huge_pmd+0x26e/0x420 mm/huge_memory.c:3103
[<ffffffff80b2ec52>] split_huge_pmd_address mm/huge_memory.c:3116 [inline]
[<ffffffff80b2ec52>] split_huge_pmd_if_needed mm/huge_memory.c:3128 [inline]
[<ffffffff80b2ec52>] split_huge_pmd_if_needed mm/huge_memory.c:3119 [inline]
[<ffffffff80b2ec52>] vma_adjust_trans_huge+0x200/0x458 mm/huge_memory.c:3140
[<ffffffff80a05b98>] __split_vma+0x94a/0xee6 mm/vma.c:553
[<ffffffff80a08036>] split_vma mm/vma.c:595 [inline]
[<ffffffff80a08036>] vma_modify+0xe02/0x1d30 mm/vma.c:1632
[<ffffffff80a0bfc4>] vma_modify_flags+0x1ec/0x260 mm/vma.c:1658
[<ffffffff8098e216>] mlock_fixup+0x164/0xb74 mm/mlock.c:483
[<ffffffff8098ee62>] apply_vma_lock_flags+0x23c/0x34e mm/mlock.c:553
[<ffffffff8098f1be>] do_mlock+0x24a/0x816 mm/mlock.c:649
[<ffffffff809985d0>] __do_sys_mlock2 mm/mlock.c:676 [inline]
[<ffffffff809985d0>] __se_sys_mlock2 mm/mlock.c:666 [inline]
[<ffffffff809985d0>] __riscv_sys_mlock2+0xac/0xea mm/mlock.c:666
[<ffffffff800769ae>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:112
[<ffffffff862fcc32>] do_trap_ecall_u+0x396/0x530 arch/riscv/kernel/traps.c:341
[<ffffffff863250ca>] handle_exception+0x146/0x152 arch/riscv/kernel/entry.S:197
Code: d097 ff94 80e7 0140 87e3 ba04 d097 ff94 80e7 4c00 (9002) d097 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	ff94d097          	auipc	ra,0xff94d
   4:	014080e7          	jalr	20(ra) # 0xff94d014
   8:	ba0487e3          	beqz	s1,0xfffffffffffffbb6
   c:	ff94d097          	auipc	ra,0xff94d
  10:	4c0080e7          	jalr	1216(ra) # 0xff94d4cc
* 14:	9002                	ebreak <-- trapping instruction
  16:	97 d0             	Address 0x16 is out of bounds.