==================================================================
BUG: KASAN: vmalloc-out-of-bounds in irq_work_run_list kernel/irq_work.c:251 [inline]
BUG: KASAN: vmalloc-out-of-bounds in run_irq_workd+0x116/0x190 kernel/irq_work.c:305
Read of size 8 at addr ffffc90005bf0090 by task irq_work/1/26

CPU: 1 UID: 0 PID: 26 Comm: irq_work/1 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 irq_work_run_list kernel/irq_work.c:251 [inline]
 run_irq_workd+0x116/0x190 kernel/irq_work.c:305
 smpboot_thread_fn+0x53f/0xa60 kernel/smpboot.c:160
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x4b9/0x870 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

The buggy address belongs to a vmalloc virtual mapping

Memory state around the buggy address:
BUG: unable to handle page fault for address: fffff52000b7dff0
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 23ffed067 P4D 23ffed067 PUD 1a2a0067 PMD 26992067 PTE 0
Oops: Oops: 0000 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 26 Comm: irq_work/1 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:kasan_metadata_fetch_row+0x12/0x30 mm/kasan/report_generic.c:186
Code: 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 48 c1 ee 03 48 b8 00 00 00 00 00 fc ff df <48> 8b 0c 06 48 8b 44 06 08 48 89 47 08 48 89 0f e9 49 56 a9 08 cc
RSP: 0018:ffffc90000a0fb08 EFLAGS: 00010806
RAX: dffffc0000000000 RBX: ffffc90005bf0090 RCX: 60bb3289a2927e00
RDX: 0000000000000000 RSI: 1ffff92000b7dff0 RDI: ffffc90000a0fb30
RBP: ffffc90000a0fb88 R08: 0000000000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: fffff52000141f65 R12: ffffc90005beff80
R13: ffffc90000a0fb30 R14: ffffc90005bf0080 R15: ffffc90000a0fb10
FS:  0000000000000000(0000) GS:ffff888126ccb000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffff52000b7dff0 CR3: 000000000d5a6000 CR4: 00000000003526f0
DR0: ffffffffffffffff DR1: 00000000000001f8 DR2: 0000000000000083
DR3: ffffffffefffff15 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Call Trace:
 print_memory_metadata+0x87/0x400 mm/kasan/report.c:458
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 irq_work_run_list kernel/irq_work.c:251 [inline]
 run_irq_workd+0x116/0x190 kernel/irq_work.c:305
 smpboot_thread_fn+0x53f/0xa60 kernel/smpboot.c:160
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x4b9/0x870 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Modules linked in:
CR2: fffff52000b7dff0
---[ end trace 0000000000000000 ]---
RIP: 0010:kasan_metadata_fetch_row+0x12/0x30 mm/kasan/report_generic.c:186
Code: 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 48 c1 ee 03 48 b8 00 00 00 00 00 fc ff df <48> 8b 0c 06 48 8b 44 06 08 48 89 47 08 48 89 0f e9 49 56 a9 08 cc
RSP: 0018:ffffc90000a0fb08 EFLAGS: 00010806
RAX: dffffc0000000000 RBX: ffffc90005bf0090 RCX: 60bb3289a2927e00
RDX: 0000000000000000 RSI: 1ffff92000b7dff0 RDI: ffffc90000a0fb30
RBP: ffffc90000a0fb88 R08: 0000000000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: fffff52000141f65 R12: ffffc90005beff80
R13: ffffc90000a0fb30 R14: ffffc90005bf0080 R15: ffffc90000a0fb10
FS:  0000000000000000(0000) GS:ffff888126ccb000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffff52000b7dff0 CR3: 000000000d5a6000 CR4: 00000000003526f0
DR0: ffffffffffffffff DR1: 00000000000001f8 DR2: 0000000000000083
DR3: ffffffffefffff15 DR6: 00000000ffff0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:   0f 1f 84 00 00 00 00    nopl   0x0(%rax,%rax,1)
   7:   00
   8:   90                      nop
   9:   90                      nop
   a:   90                      nop
   b:   90                      nop
   c:   90                      nop
   d:   90                      nop
   e:   90                      nop
   f:   90                      nop
  10:   90                      nop
  11:   90                      nop
  12:   90                      nop
  13:   90                      nop
  14:   90                      nop
  15:   90                      nop
  16:   90                      nop
  17:   90                      nop
  18:   66 0f 1f 00             nopw   (%rax)
  1c:   48 c1 ee 03             shr    $0x3,%rsi
  20:   48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
  27:   fc ff df
* 2a:   48 8b 0c 06             mov    (%rsi,%rax,1),%rcx    <-- trapping instruction
  2e:   48 8b 44 06 08          mov    0x8(%rsi,%rax,1),%rax
  33:   48 89 47 08             mov    %rax,0x8(%rdi)
  37:   48 89 0f                mov    %rcx,(%rdi)
  3a:   e9 49 56 a9 08          jmp    0x8a95688
  3f:   cc                      int3
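The second crash in this log is the KASAN reporter faulting on its own shadow memory while printing "Memory state around the buggy address". The disassembly of kasan_metadata_fetch_row shows the generic-KASAN shadow lookup in the open: the memory address is shifted right by 3 and KASAN_SHADOW_OFFSET (0xdffffc0000000000, visible in RAX and R10) is added, and the load from that shadow address is the trapping instruction, so CR2 is a shadow address, not a kernel data address. The added triage helper below, which is not part of the syzbot report, redoes that arithmetic on the register values in the oops: it recovers the memory address behind CR2, shows that it is R12, that R12 is exactly two 128-byte rows below the row holding the reported address (R14), and that its shadow byte lives in a different 4 KiB shadow page from the reported address's own shadow byte, which is the page the walk above resolved to PTE 0. The row constants (16 shadow bytes per printed row, 2 rows before the address) are assumptions about the reporter's layout; they are confirmed here only by reproducing R12 and R14 from the reported address.

```c
/*
 * Added triage helper, not part of the syzbot report: reproduces the
 * x86_64 generic-KASAN shadow arithmetic seen in the kasan_metadata_fetch_row
 * disassembly and checks it against the register values in the oops.
 */
#include <stdint.h>
#include <stdio.h>

#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL /* movabs operand, RAX/R10 */
#define KASAN_SHADOW_SCALE_SHIFT 3                     /* "shr $0x3,%rsi" */
#define PAGE_SHIFT               12

/* Assumed layout of the "Memory state around the buggy address" dump. */
#define META_BYTES_PER_ROW       16                                         /* shadow bytes/row */
#define META_MEM_BYTES_PER_ROW   (META_BYTES_PER_ROW << KASAN_SHADOW_SCALE_SHIFT) /* 128 bytes */
#define META_ROWS_AROUND_ADDR    2                                          /* rows above addr */

/* Values copied from the report above. */
#define BUGGY_ADDR 0xffffc90005bf0090ULL /* "Read of size 8 at addr ..." */
#define OOPS_RSI   0x1ffff92000b7dff0ULL /* address already shifted by 3 */
#define OOPS_R12   0xffffc90005beff80ULL
#define OOPS_R14   0xffffc90005bf0080ULL
#define OOPS_CR2   0xfffff52000b7dff0ULL /* faulting (shadow) address */

/* mem -> shadow exactly as the trapping code computes it. */
static uint64_t kasan_mem_to_shadow(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Inverse mapping: which kernel address a faulting shadow address belongs to. */
static uint64_t kasan_shadow_to_mem(uint64_t shadow)
{
    return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

/* First memory row the reporter dumps: the row containing addr, minus
 * META_ROWS_AROUND_ADDR rows (assumed layout, see lead-in). */
static uint64_t report_window_start(uint64_t addr)
{
    uint64_t row = addr & ~(uint64_t)(META_MEM_BYTES_PER_ROW - 1);
    return row - META_ROWS_AROUND_ADDR * META_MEM_BYTES_PER_ROW;
}

/* Row holding addr, i.e. what R14 carries in the oops. */
static uint64_t report_row_of(uint64_t addr)
{
    return addr & ~(uint64_t)(META_MEM_BYTES_PER_ROW - 1);
}

/* 1 if the shadow bytes of a and b sit in the same shadow page. */
static int same_shadow_page(uint64_t a, uint64_t b)
{
    return (kasan_mem_to_shadow(a) >> PAGE_SHIFT) ==
           (kasan_mem_to_shadow(b) >> PAGE_SHIFT);
}

int main(void)
{
    uint64_t start = report_window_start(BUGGY_ADDR);

    printf("buggy addr        %#018llx  shadow %#018llx\n",
           (unsigned long long)BUGGY_ADDR,
           (unsigned long long)kasan_mem_to_shadow(BUGGY_ADDR));
    printf("first dumped row  %#018llx  shadow %#018llx  (R12 / CR2)\n",
           (unsigned long long)start,
           (unsigned long long)kasan_mem_to_shadow(start));
    printf("CR2 maps back to  %#018llx\n",
           (unsigned long long)kasan_shadow_to_mem(OOPS_CR2));
    printf("same shadow page as buggy addr: %s\n",
           same_shadow_page(start, BUGGY_ADDR) ? "yes" : "no");
    return 0;
}
```

Reading the output against the oops: the reported address itself has a mapped shadow byte (KASAN was able to classify the access as vmalloc-out-of-bounds), but the dump starts 0x100 bytes earlier, whose shadow falls in the preceding shadow page, and that page is not populated. The nested page fault is therefore in the report path, and the original vmalloc-out-of-bounds read in irq_work_run_list is the bug to chase; the KASAN memory-state dump is simply missing from this log.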