==================================================================
BUG: KASAN: invalid-access in __kvm_pgtable_visit arch/arm64/kvm/hyp/pgtable.c:161 [inline]
BUG: KASAN: invalid-access in __kvm_pgtable_walk+0x110/0x2d0 arch/arm64/kvm/hyp/pgtable.c:237
Read at addr f1f000000ba20000 by task syz.0.1675/10245
Pointer tag: [f1], memory tag: [fe]

CPU: 0 UID: 0 PID: 10245 Comm: syz.0.1675 Not tainted syzkaller #0 PREEMPT
Hardware name: linux,dummy-virt (DT)
Call trace:
 show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:499 (C)
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x78/0x90 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x108/0x61c mm/kasan/report.c:482
 kasan_report+0x88/0xac mm/kasan/report.c:595
 report_tag_fault arch/arm64/mm/fault.c:326 [inline]
 do_tag_recovery arch/arm64/mm/fault.c:338 [inline]
 __do_kernel_fault+0x170/0x1c8 arch/arm64/mm/fault.c:380
 do_bad_area+0x68/0x78 arch/arm64/mm/fault.c:480
 do_tag_check_fault+0x34/0x44 arch/arm64/mm/fault.c:853
 do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:929
 el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:481
 el1h_64_sync_handler+0x50/0xac arch/arm64/kernel/entry-common.c:597
 el1h_64_sync+0x6c/0x70 arch/arm64/kernel/entry.S:591
 __kvm_pgtable_visit arch/arm64/kvm/hyp/pgtable.c:161 [inline] (P)
 __kvm_pgtable_walk+0x110/0x2d0 arch/arm64/kvm/hyp/pgtable.c:237 (P)
 _kvm_pgtable_walk arch/arm64/kvm/hyp/pgtable.c:260 [inline]
 kvm_pgtable_walk+0xd0/0x164 arch/arm64/kvm/hyp/pgtable.c:283
 kvm_pgtable_stage2_destroy_range+0x3c/0x70 arch/arm64/kvm/hyp/pgtable.c:1563
 stage2_destroy_range arch/arm64/kvm/mmu.c:924 [inline]
 kvm_stage2_destroy+0x74/0xd0 arch/arm64/kvm/mmu.c:935
 kvm_free_stage2_pgd+0x4c/0x84 arch/arm64/kvm/mmu.c:1112
 kvm_uninit_stage2_mmu+0x1c/0x34 arch/arm64/kvm/mmu.c:1023
 kvm_arch_flush_shadow_all+0x6c/0x84 arch/arm64/kvm/nested.c:1113
 kvm_flush_shadow_all virt/kvm/kvm_main.c:343 [inline]
 kvm_mmu_notifier_release+0x30/0x84 virt/kvm/kvm_main.c:884
 mn_hlist_release mm/mmu_notifier.c:321 [inline]
 __mmu_notifier_release+0x74/0x1dc mm/mmu_notifier.c:359
 mmu_notifier_release include/linux/mmu_notifier.h:402 [inline]
 exit_mmap+0x28c/0x2a4 mm/mmap.c:1263
 __mmput+0x3c/0x13c kernel/fork.c:1129
 mmput+0x50/0x5c kernel/fork.c:1152
 exit_mm kernel/exit.c:582 [inline]
 do_exit+0x208/0x934 kernel/exit.c:949
 do_group_exit+0x34/0x90 kernel/exit.c:1102
 copy_siginfo_to_user+0x0/0xec kernel/signal.c:3034
 do_signal+0x94/0x3ec arch/arm64/kernel/signal.c:1618
 do_notify_resume+0xe0/0x16c arch/arm64/kernel/entry-common.c:152
 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:173 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:182 [inline]
 el0_svc+0x108/0x10c arch/arm64/kernel/entry-common.c:880
 el0t_64_sync_handler+0xa0/0xe4 arch/arm64/kernel/entry-common.c:898
 el0t_64_sync+0x1a4/0x1a8 arch/arm64/kernel/entry.S:596

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xf6f0000000000000 pfn:0x4ba20
flags: 0x1fff80000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0xe)
raw: 01fff80000000000 ffffc1ffc02ad408 ffffc1ffc02abcc8 0000000000000000
raw: f6f0000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 fff000000ba1fe00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
 fff000000ba1ff00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>fff000000ba20000: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
                   ^
 fff000000ba20100: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
 fff000000ba20200: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
==================================================================
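The lines that matter for triage in a hardware-tag (MTE) KASAN report like the one above are the faulting address, the "Pointer tag"/"memory tag" pair, the frames marked "(P)" (the faulting PC, as opposed to the fault-handling frames above them) and the "Memory state" granule dump. The parser below is an added example for reading such reports; it is not part of the syzkaller report or of the kernel. The two tag constants are the values from mm/kasan/kasan.h for CONFIG_KASAN_HW_TAGS (0xFF for untagged kernel memory, 0xFE for memory KASAN has poisoned), the 16-byte granule is the MTE tag granule, and the embedded input is an excerpt of the report above. The classify() wording is a triage heuristic of this example, not a statement made by the report.

```python
"""Parse an arm64 hw-tags KASAN (MTE) report and decode the tag mismatch."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Tag values from mm/kasan/kasan.h for CONFIG_KASAN_HW_TAGS. Other values in
# 0xF0..0xFD are ordinary per-allocation tags handed out at allocation time.
KASAN_TAG_KERNEL = 0xFF    # native kernel pointers; never faults
KASAN_TAG_INVALID = 0xFE   # poisoned: freed or never-allocated memory
GRANULE = 16               # MTE tags memory in 16-byte granules

# Excerpt of the syzkaller report above, trimmed to the lines the parser reads.
REPORT = """\
BUG: KASAN: invalid-access in __kvm_pgtable_visit arch/arm64/kvm/hyp/pgtable.c:161 [inline]
BUG: KASAN: invalid-access in __kvm_pgtable_walk+0x110/0x2d0 arch/arm64/kvm/hyp/pgtable.c:237
Read at addr f1f000000ba20000 by task syz.0.1675/10245
Pointer tag: [f1], memory tag: [fe]
Call trace:
 kasan_report+0x88/0xac mm/kasan/report.c:595
 el1h_64_sync+0x6c/0x70 arch/arm64/kernel/entry.S:591
 __kvm_pgtable_visit arch/arm64/kvm/hyp/pgtable.c:161 [inline] (P)
 __kvm_pgtable_walk+0x110/0x2d0 arch/arm64/kvm/hyp/pgtable.c:237 (P)
 kvm_pgtable_walk+0xd0/0x164 arch/arm64/kvm/hyp/pgtable.c:283
Memory state around the buggy address:
 fff000000ba1ff00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>fff000000ba20000: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
                   ^
 fff000000ba20100: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
"""

BUG_RE = re.compile(r"^BUG: KASAN: (\S+) in ", re.M)
ACCESS_RE = re.compile(r"^(Read|Write) at addr ([0-9a-f]+) by task (\S+)$", re.M)
TAG_RE = re.compile(r"Pointer tag: \[([0-9a-f]{2})\], memory tag: \[([0-9a-f]{2})\]")
PC_FRAME_RE = re.compile(r"^\s+(.*?) \(P\)$", re.M)   # (P) marks the faulting PC frames
STATE_ROW_RE = re.compile(r"^[ >]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})\s*$", re.M)


def untag(addr: int) -> int:
    """Strip the MTE tag: the memory-state dump prints addresses with top byte 0xff."""
    return addr | (0xFF << 56)


@dataclass
class TagFault:
    bug_type: str
    access: str
    addr: int
    task: str
    pointer_tag: int
    memory_tag: int
    pc_frames: List[str] = field(default_factory=list)
    granules: Dict[int, int] = field(default_factory=dict)  # granule base -> tag

    def tag_in_addr(self) -> int:
        """Top byte of the faulting pointer; must equal the reported pointer tag."""
        return (self.addr >> 56) & 0xFF

    def memory_tag_at(self, addr: int) -> int:
        """Tag of the granule covering addr, taken from the 'Memory state' dump."""
        return self.granules[untag(addr) & ~(GRANULE - 1)]

    def classify(self) -> str:
        """Triage heuristic of this example, not a statement from the report."""
        if self.memory_tag == KASAN_TAG_INVALID:
            return "access to poisoned memory (freed or never allocated)"
        if self.memory_tag == KASAN_TAG_KERNEL:
            return "untagged kernel memory; a tag fault here is unexpected"
        return "mismatch between two live tags (likely out-of-bounds or stale pointer)"


def parse_hw_tags_report(text: str) -> TagFault:
    bug, acc, tags = BUG_RE.search(text), ACCESS_RE.search(text), TAG_RE.search(text)
    if not (bug and acc and tags):
        raise ValueError("not a hw-tags KASAN report")
    fault = TagFault(
        bug_type=bug.group(1),
        access=acc.group(1),
        addr=int(acc.group(2), 16),
        task=acc.group(3),
        pointer_tag=int(tags.group(1), 16),
        memory_tag=int(tags.group(2), 16),
        pc_frames=PC_FRAME_RE.findall(text),
    )
    for base, row in STATE_ROW_RE.findall(text):
        for i, tag in enumerate(row.split()):
            fault.granules[int(base, 16) + i * GRANULE] = int(tag, 16)
    return fault


def consistent(fault: TagFault) -> bool:
    """Cross-check the header against the address bits and the memory-state dump."""
    return (fault.tag_in_addr() == fault.pointer_tag
            and fault.memory_tag_at(fault.addr) == fault.memory_tag
            and fault.pointer_tag != fault.memory_tag)


if __name__ == "__main__":
    f = parse_hw_tags_report(REPORT)
    print(f"{f.access} of {f.addr:#x} by {f.task}: {f.classify()}")
    print("faulting PC:", f.pc_frames[0])
    print("header consistent with dump:", consistent(f))
```

Run against the excerpt, the pointer tag recovered from bits 63:56 of f1f000000ba20000 is 0xf1, the granule at fff000000ba20000 in the state dump is 0xfe, and both agree with the "Pointer tag: [f1], memory tag: [fe]" header. Because 0xfe is KASAN_TAG_INVALID rather than a live allocation tag, the mismatch is not two allocations colliding; the stage-2 page-table walker is reading memory that hw-tags KASAN has poisoned, which fits the refcount:0 page dump above.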