==================================================================
BUG: KCSAN: data-race in kick_pool / wq_worker_running

read-write to 0xffff888237d2a524 of 4 bytes by task 3537 on cpu 1:
 wq_worker_running+0x95/0x120 kernel/workqueue.c:1400
 synchronize_rcu_expedited+0x5ef/0x770 kernel/rcu/tree_exp.h:971
 synchronize_rcu+0x35/0x2e0 kernel/rcu/tree.c:3348
 xfrm_state_gc_task+0x98/0x650 net/xfrm/xfrm_state.c:633
 process_one_work kernel/workqueue.c:3257 [inline]
 process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3340
 worker_thread+0x582/0x770 kernel/workqueue.c:3421
 kthread+0x489/0x510 kernel/kthread.c:463
 ret_from_fork+0x149/0x290 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

read to 0xffff888237d2a524 of 4 bytes by task 4641 on cpu 0:
 need_more_worker kernel/workqueue.c:934 [inline]
 kick_pool+0x49/0x2d0 kernel/workqueue.c:1240
 __queue_work+0x897/0xae0 kernel/workqueue.c:2336
 queue_work_on+0xa9/0x130 kernel/workqueue.c:2386
 queue_work include/linux/workqueue.h:669 [inline]
 schedule_work include/linux/workqueue.h:730 [inline]
 __xfrm_state_destroy net/xfrm/xfrm_state.c:807 [inline]
 xfrm_state_put include/net/xfrm.h:929 [inline]
 xfrm_state_find+0x1a17/0x3070 net/xfrm/xfrm_state.c:1632
 xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2522 [inline]
 xfrm_tmpl_resolve net/xfrm/xfrm_policy.c:2573 [inline]
 xfrm_resolve_and_create_bundle+0x575/0x1ef0 net/xfrm/xfrm_policy.c:2871
 xfrm_lookup_with_ifid+0x1da/0x1360 net/xfrm/xfrm_policy.c:3205
 xfrm_lookup net/xfrm/xfrm_policy.c:3336 [inline]
 xfrm_lookup_route+0x3a/0x110 net/xfrm/xfrm_policy.c:3347
 ip_route_output_flow+0xdb/0x110 net/ipv4/route.c:2939
 udp_sendmsg+0x11b0/0x13c0 net/ipv4/udp.c:1450
 inet_sendmsg+0xac/0xd0 net/ipv4/af_inet.c:859
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg+0x102/0x180 net/socket.c:742
 ____sys_sendmsg+0x345/0x4a0 net/socket.c:2592
 ___sys_sendmsg+0x17b/0x1d0 net/socket.c:2646
 __sys_sendmmsg+0x178/0x300 net/socket.c:2735
 __do_sys_sendmmsg net/socket.c:2762 [inline]
 __se_sys_sendmmsg net/socket.c:2759 [inline]
 __x64_sys_sendmmsg+0x57/0x70 net/socket.c:2759
 x64_sys_call+0x1e28/0x3000 arch/x86/include/generated/asm/syscalls_64.h:308
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xca/0x2b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

value changed: 0x00000000 -> 0x00000001

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 UID: 0 PID: 4641 Comm: syz.3.431 Not tainted syzkaller #0 PREEMPT(voluntary) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
==================================================================
syz.3.431 (4641) used greatest stack depth: 9720 bytes left