==================================================================
BUG: KASAN: invalid-access in __kvm_pgtable_visit arch/arm64/kvm/hyp/pgtable.c:163 [inline]
BUG: KASAN: invalid-access in __kvm_pgtable_walk+0x8e4/0xa68 arch/arm64/kvm/hyp/pgtable.c:237
Read of size 8 at addr acf0000014184000 by task syz.2.17/3625
Pointer tag: [ac], memory tag: [fe]

CPU: 0 UID: 0 PID: 3625 Comm: syz.2.17 Not tainted syzkaller #0 PREEMPT 
Hardware name: linux,dummy-virt (DT)
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 print_address_description+0xac/0x288 mm/kasan/report.c:378
 print_report+0x84/0xa0 mm/kasan/report.c:482
 kasan_report+0xb0/0x110 mm/kasan/report.c:595
 kasan_tag_mismatch+0x28/0x3c mm/kasan/sw_tags.c:175
 __hwasan_tag_mismatch+0x30/0x60 arch/arm64/lib/kasan_sw_tags.S:55
 __kvm_pgtable_visit arch/arm64/kvm/hyp/pgtable.c:163 [inline]
 __kvm_pgtable_walk+0x8e4/0xa68 arch/arm64/kvm/hyp/pgtable.c:237
 _kvm_pgtable_walk arch/arm64/kvm/hyp/pgtable.c:260 [inline]
 kvm_pgtable_walk+0x294/0x468 arch/arm64/kvm/hyp/pgtable.c:283
 kvm_pgtable_stage2_destroy_range+0x60/0xb4 arch/arm64/kvm/hyp/pgtable.c:1563
 stage2_destroy_range arch/arm64/kvm/mmu.c:924 [inline]
 kvm_stage2_destroy arch/arm64/kvm/mmu.c:935 [inline]
 kvm_free_stage2_pgd+0x198/0x28c arch/arm64/kvm/mmu.c:1112
 kvm_uninit_stage2_mmu+0x20/0x38 arch/arm64/kvm/mmu.c:1023
 kvm_arch_flush_shadow_all+0x1a8/0x1e0 arch/arm64/kvm/nested.c:1113
 kvm_flush_shadow_all virt/kvm/kvm_main.c:343 [inline]
 kvm_mmu_notifier_release+0x48/0xa8 virt/kvm/kvm_main.c:884
 mmu_notifier_unregister+0x128/0x42c mm/mmu_notifier.c:815
 kvm_destroy_vm virt/kvm/kvm_main.c:1295 [inline]
 kvm_put_kvm+0x6a0/0xfa8 virt/kvm/kvm_main.c:1353
 kvm_vm_release+0x58/0x78 virt/kvm/kvm_main.c:1376
 __fput+0x4ac/0x980 fs/file_table.c:468
 ____fput+0x20/0x58 fs/file_table.c:496
 task_work_run+0x1bc/0x254 kernel/task_work.c:227
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 do_notify_resume+0x1bc/0x270 arch/arm64/kernel/entry-common.c:155
 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:173 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:182 [inline]
 el0_svc+0xb8/0x164 arch/arm64/kernel/entry-common.c:880
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x8af0000014185b80 pfn:0x54184
flags: 0x1ffd4c000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0x53)
raw: 01ffd4c000000000 ffffc1ffc086ae88 ffffc1ffc0869ec8 0000000000000000
raw: 8af0000014185b80 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 fff0000014183e00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
 fff0000014183f00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>fff0000014184000: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
                   ^
 fff0000014184100: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
 fff0000014184200: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
==================================================================
BUG: Bad page state in process syz.2.17  pfn:630ea
page: refcount:0 mapcount:1 mapping:0000000000000000 index:0xffffffff2 pfn:0x630ea
flags: 0x1ffeb8000020808(uptodate|owner_2|swapbacked|node=0|zone=0|lastcpupid=0x7ff|kasantag=0xae)
raw: 01ffeb8000020808 dead000000000100 dead000000000122 0000000000000000
raw: 0000000ffffffff2 0000000000000000 0000000000000000 0000000000000000
page dumped because: nonzero mapcount
Modules linked in:
CPU: 0 UID: 0 PID: 3625 Comm: syz.2.17 Tainted: G    B               syzkaller #0 PREEMPT 
Tainted: [B]=BAD_PAGE
Hardware name: linux,dummy-virt (DT)
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 dump_stack+0x1c/0x28 lib/dump_stack.c:129
 bad_page+0x17c/0x19c mm/page_alloc.c:650
 free_page_is_bad mm/page_alloc.c:1083 [inline]
 free_pages_prepare mm/page_alloc.c:1387 [inline]
 __free_frozen_pages+0xecc/0xf24 mm/page_alloc.c:2895
 free_frozen_pages+0x14/0x20 mm/page_alloc.c:2933
 __folio_put+0x314/0x434 mm/swap.c:112
 folio_put include/linux/mm.h:1360 [inline]
 put_page include/linux/mm.h:1429 [inline]
 kvm_s2_put_page+0x2cc/0x3a0 arch/arm64/kvm/mmu.c:264
 stage2_free_walker+0x1b0/0x264 arch/arm64/kvm/hyp/pgtable.c:1549
 kvm_pgtable_visitor_cb arch/arm64/kvm/hyp/pgtable.c:130 [inline]
 __kvm_pgtable_visit arch/arm64/kvm/hyp/pgtable.c:212 [inline]
 __kvm_pgtable_walk+0x7d8/0xa68 arch/arm64/kvm/hyp/pgtable.c:237
 _kvm_pgtable_walk arch/arm64/kvm/hyp/pgtable.c:260 [inline]
 kvm_pgtable_walk+0x294/0x468 arch/arm64/kvm/hyp/pgtable.c:283
 kvm_pgtable_stage2_destroy_range+0x60/0xb4 arch/arm64/kvm/hyp/pgtable.c:1563
 stage2_destroy_range arch/arm64/kvm/mmu.c:924 [inline]
 kvm_stage2_destroy arch/arm64/kvm/mmu.c:935 [inline]
 kvm_free_stage2_pgd+0x198/0x28c arch/arm64/kvm/mmu.c:1112
 kvm_uninit_stage2_mmu+0x20/0x38 arch/arm64/kvm/mmu.c:1023
 kvm_arch_flush_shadow_all+0x1a8/0x1e0 arch/arm64/kvm/nested.c:1113
 kvm_flush_shadow_all virt/kvm/kvm_main.c:343 [inline]
 kvm_mmu_notifier_release+0x48/0xa8 virt/kvm/kvm_main.c:884
 mmu_notifier_unregister+0x128/0x42c mm/mmu_notifier.c:815
 kvm_destroy_vm virt/kvm/kvm_main.c:1295 [inline]
 kvm_put_kvm+0x6a0/0xfa8 virt/kvm/kvm_main.c:1353
 kvm_vm_release+0x58/0x78 virt/kvm/kvm_main.c:1376
 __fput+0x4ac/0x980 fs/file_table.c:468
 ____fput+0x20/0x58 fs/file_table.c:496
 task_work_run+0x1bc/0x254 kernel/task_work.c:227
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 do_notify_resume+0x1bc/0x270 arch/arm64/kernel/entry-common.c:155
 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:173 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:182 [inline]
 el0_svc+0xb8/0x164 arch/arm64/kernel/entry-common.c:880
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x8af0000014185b80 pfn:0x54184
flags: 0x1fff00000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0xc0)
raw: 01fff00000000000 ffffc1ffc0869cc8 fff0000072d85420 0000000000000000
raw: 8af0000014185b80 7af00000127c9980 00000000ffffffff 0000000000000000
page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0)
------------[ cut here ]------------
kernel BUG at ./include/linux/mm.h:1036!
Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP
Modules linked in:
CPU: 0 UID: 0 PID: 3625 Comm: syz.2.17 Tainted: G    B               syzkaller #0 PREEMPT 
Tainted: [B]=BAD_PAGE
Hardware name: linux,dummy-virt (DT)
pstate: 61402009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
pc : put_page_testzero include/linux/mm.h:1036 [inline]
pc : folio_put_testzero include/linux/mm.h:1042 [inline]
pc : folio_put include/linux/mm.h:1359 [inline]
pc : put_page include/linux/mm.h:1429 [inline]
pc : kvm_s2_put_page+0x374/0x3a0 arch/arm64/kvm/mmu.c:264
lr : put_page_testzero include/linux/mm.h:1036 [inline]
lr : folio_put_testzero include/linux/mm.h:1042 [inline]
lr : folio_put include/linux/mm.h:1359 [inline]
lr : put_page include/linux/mm.h:1429 [inline]
lr : kvm_s2_put_page+0x374/0x3a0 arch/arm64/kvm/mmu.c:264
sp : ffff80008e677830
x29: ffff80008e677830 x28: acf0000014184b78 x27: acf0000014184b78
x26: 00000000000000ff x25: ffff80008734e000 x24: ffffc1ffc0000000
x23: ffffc1ffc0506108 x22: 0000000000000000 x21: ffffc1ffc0506134
x20: 0000000000000000 x19: ffffc1ffc0506100 x18: 0000000033a13eee
x17: 0000000004ccf0a7 x16: 00000000339c4af6 x15: 00000000a5627dbd
x14: 00000000000000ef x13: fff000001ef91d88 x12: 0000000000000001
x11: 0000000000000000 x10: 0000000000ff0100 x9 : 771fd69e9c7dcc00
x8 : 771fd69e9c7dcc00 x7 : 0000000000000400 x6 : ffff8000803a03c8
x5 : 0000000000000000 x4 : 0000000000000001 x3 : ffff8000803915d0
x2 : 0000000000000002 x1 : 0000000100000000 x0 : 000000000000003e
Call trace:
 put_page_testzero include/linux/mm.h:1036 [inline] (P)
 folio_put_testzero include/linux/mm.h:1042 [inline] (P)
 folio_put include/linux/mm.h:1359 [inline] (P)
 put_page include/linux/mm.h:1429 [inline] (P)
 kvm_s2_put_page+0x374/0x3a0 arch/arm64/kvm/mmu.c:264 (P)
 stage2_free_walker+0xdc/0x264 arch/arm64/kvm/hyp/pgtable.c:1546
 kvm_pgtable_visitor_cb arch/arm64/kvm/hyp/pgtable.c:130 [inline]
 __kvm_pgtable_visit arch/arm64/kvm/hyp/pgtable.c:212 [inline]
 __kvm_pgtable_walk+0x7d8/0xa68 arch/arm64/kvm/hyp/pgtable.c:237
 _kvm_pgtable_walk arch/arm64/kvm/hyp/pgtable.c:260 [inline]
 kvm_pgtable_walk+0x294/0x468 arch/arm64/kvm/hyp/pgtable.c:283
 kvm_pgtable_stage2_destroy_range+0x60/0xb4 arch/arm64/kvm/hyp/pgtable.c:1563
 stage2_destroy_range arch/arm64/kvm/mmu.c:924 [inline]
 kvm_stage2_destroy arch/arm64/kvm/mmu.c:935 [inline]
 kvm_free_stage2_pgd+0x198/0x28c arch/arm64/kvm/mmu.c:1112
 kvm_uninit_stage2_mmu+0x20/0x38 arch/arm64/kvm/mmu.c:1023
 kvm_arch_flush_shadow_all+0x1a8/0x1e0 arch/arm64/kvm/nested.c:1113
 kvm_flush_shadow_all virt/kvm/kvm_main.c:343 [inline]
 kvm_mmu_notifier_release+0x48/0xa8 virt/kvm/kvm_main.c:884
 mmu_notifier_unregister+0x128/0x42c mm/mmu_notifier.c:815
 kvm_destroy_vm virt/kvm/kvm_main.c:1295 [inline]
 kvm_put_kvm+0x6a0/0xfa8 virt/kvm/kvm_main.c:1353
 kvm_vm_release+0x58/0x78 virt/kvm/kvm_main.c:1376
 __fput+0x4ac/0x980 fs/file_table.c:468
 ____fput+0x20/0x58 fs/file_table.c:496
 task_work_run+0x1bc/0x254 kernel/task_work.c:227
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 do_notify_resume+0x1bc/0x270 arch/arm64/kernel/entry-common.c:155
 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:173 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:182 [inline]
 el0_svc+0xb8/0x164 arch/arm64/kernel/entry-common.c:880
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
Code: d0037581 9126fc21 aa1303e0 97f9c9f2 (d4210000) 
---[ end trace 0000000000000000 ]---