============================================
WARNING: possible recursive locking detected
syzkaller #0 Tainted: G             L     
--------------------------------------------
syz.7.4818/25466 is trying to acquire lock:
ffff88805b842f70 (&hsr->seqnr_lock){+.-.}-{3:3}, at: spin_lock_bh include/linux/spinlock.h:347 [inline]
ffff88805b842f70 (&hsr->seqnr_lock){+.-.}-{3:3}, at: hsr_dev_xmit+0x237/0x360 net/hsr/hsr_device.c:235

but task is already holding lock:
ffff888037640f70 (&hsr->seqnr_lock){+.-.}-{3:3}, at: spin_lock_bh include/linux/spinlock.h:347 [inline]
ffff888037640f70 (&hsr->seqnr_lock){+.-.}-{3:3}, at: send_hsr_supervision_frame+0x380/0xcb0 net/hsr/hsr_device.c:330

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&hsr->seqnr_lock);
  lock(&hsr->seqnr_lock);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

11 locks held by syz.7.4818/25466:
 #0: ffffffff8fbc4d48 (rtnl_mutex){+.+.}-{4:4}, at: tun_detach drivers/net/tun.c:634 [inline]
 #0: ffffffff8fbc4d48 (rtnl_mutex){+.+.}-{4:4}, at: tun_chr_close+0x3e/0x1c0 drivers/net/tun.c:3436
 #1: ffff88801b6cd988 (&root->kernfs_rwsem){++++}-{4:4}, at: kernfs_remove_by_name_ns+0x3d/0x130 fs/kernfs/dir.c:1717
 #2: ffffffff8e75e3e0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
 #2: ffffffff8e75e3e0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
 #2: ffffffff8e75e3e0 (rcu_read_lock){....}-{1:3}, at: class_rcu_constructor include/linux/rcupdate.h:1193 [inline]
 #2: ffffffff8e75e3e0 (rcu_read_lock){....}-{1:3}, at: kernfs_root+0x1c/0x230 fs/kernfs/kernfs-internal.h:75
 #3: ffffc90000007ce0 ((&hsr->announce_timer)){+.-.}-{0:0}, at: call_timer_fn+0xd4/0x5a0 kernel/time/timer.c:1745
 #4: ffffffff8e75e3e0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
 #4: ffffffff8e75e3e0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
 #4: ffffffff8e75e3e0 (rcu_read_lock){....}-{1:3}, at: hsr_announce+0x89/0x370 net/hsr/hsr_device.c:419
 #5: ffff888037640f70 (&hsr->seqnr_lock){+.-.}-{3:3}, at: spin_lock_bh include/linux/spinlock.h:347 [inline]
 #5: ffff888037640f70 (&hsr->seqnr_lock){+.-.}-{3:3}, at: send_hsr_supervision_frame+0x380/0xcb0 net/hsr/hsr_device.c:330
 #6: ffffffff8e75e3e0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
 #6: ffffffff8e75e3e0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
 #6: ffffffff8e75e3e0 (rcu_read_lock){....}-{1:3}, at: hsr_forward_skb+0xb3/0x2860 net/hsr/hsr_forward.c:738
 #7: ffffffff8e75e440 (rcu_read_lock_bh){....}-{1:3}, at: local_bh_disable include/linux/bottom_half.h:20 [inline]
 #7: ffffffff8e75e440 (rcu_read_lock_bh){....}-{1:3}, at: rcu_read_lock_bh include/linux/rcupdate.h:903 [inline]
 #7: ffffffff8e75e440 (rcu_read_lock_bh){....}-{1:3}, at: __dev_queue_xmit+0x274/0x3850 net/core/dev.c:4754
 #8: ffffffff8e75e3e0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
 #8: ffffffff8e75e3e0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
 #8: ffffffff8e75e3e0 (rcu_read_lock){....}-{1:3}, at: br_dev_xmit+0x193/0x1920 net/bridge/br_device.c:52
 #9: ffffffff8e75e440 (rcu_read_lock_bh){....}-{1:3}, at: local_bh_disable include/linux/bottom_half.h:20 [inline]
 #9: ffffffff8e75e440 (rcu_read_lock_bh){....}-{1:3}, at: rcu_read_lock_bh include/linux/rcupdate.h:903 [inline]
 #9: ffffffff8e75e440 (rcu_read_lock_bh){....}-{1:3}, at: __dev_queue_xmit+0x274/0x3850 net/core/dev.c:4754
 #10: ffffffff8e75e3e0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
 #10: ffffffff8e75e3e0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
 #10: ffffffff8e75e3e0 (rcu_read_lock){....}-{1:3}, at: hsr_dev_xmit+0x2d/0x360 net/hsr/hsr_device.c:229

stack backtrace:
CPU: 0 UID: 0 PID: 25466 Comm: syz.7.4818 Tainted: G             L      syzkaller #0 PREEMPT(full) 
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <IRQ>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_deadlock_bug+0x279/0x290 kernel/locking/lockdep.c:3041
 check_deadlock kernel/locking/lockdep.c:3093 [inline]
 validate_chain kernel/locking/lockdep.c:3895 [inline]
 __lock_acquire+0x253f/0x2cf0 kernel/locking/lockdep.c:5237
 lock_acquire+0x106/0x330 kernel/locking/lockdep.c:5868
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:150 [inline]
 _raw_spin_lock_bh+0x36/0x50 kernel/locking/spinlock.c:178
 spin_lock_bh include/linux/spinlock.h:347 [inline]
 hsr_dev_xmit+0x237/0x360 net/hsr/hsr_device.c:235
 __netdev_start_xmit include/linux/netdevice.h:5275 [inline]
 netdev_start_xmit include/linux/netdevice.h:5284 [inline]
 xmit_one net/core/dev.c:3864 [inline]
 dev_hard_start_xmit+0x2cd/0x7f0 net/core/dev.c:3880
 __dev_queue_xmit+0x168f/0x3850 net/core/dev.c:4829
 dev_queue_xmit include/linux/netdevice.h:3384 [inline]
 br_dev_queue_push_xmit+0x370/0x4a0 net/bridge/br_forward.c:53
 NF_HOOK+0x360/0x3f0 include/linux/netfilter.h:318
 br_forward_finish+0xd3/0x130 net/bridge/br_forward.c:66
 NF_HOOK+0x360/0x3f0 include/linux/netfilter.h:318
 __br_forward+0x397/0x540 net/bridge/br_forward.c:115
 deliver_clone net/bridge/br_forward.c:131 [inline]
 maybe_deliver net/bridge/br_forward.c:191 [inline]
 br_flood+0x6ee/0xb80 net/bridge/br_forward.c:238
 br_dev_xmit+0x127a/0x1920 net/bridge/br_device.c:108
 __netdev_start_xmit include/linux/netdevice.h:5275 [inline]
 netdev_start_xmit include/linux/netdevice.h:5284 [inline]
 xmit_one net/core/dev.c:3864 [inline]
 dev_hard_start_xmit+0x2cd/0x7f0 net/core/dev.c:3880
 __dev_queue_xmit+0x168f/0x3850 net/core/dev.c:4829
 dev_queue_xmit include/linux/netdevice.h:3384 [inline]
 hsr_xmit net/hsr/hsr_forward.c:440 [inline]
 hsr_forward_do net/hsr/hsr_forward.c:581 [inline]
 hsr_forward_skb+0x157b/0x2860 net/hsr/hsr_forward.c:743
 send_hsr_supervision_frame+0x731/0xcb0 net/hsr/hsr_device.c:364
 hsr_announce+0x1db/0x370 net/hsr/hsr_device.c:421
 call_timer_fn+0x192/0x5a0 kernel/time/timer.c:1748
 expire_timers kernel/time/timer.c:1799 [inline]
 __run_timers kernel/time/timer.c:2373 [inline]
 __run_timer_base+0x652/0x8b0 kernel/time/timer.c:2385
 run_timer_base kernel/time/timer.c:2394 [inline]
 run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2404
 handle_softirqs+0x22a/0x7c0 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0x5f/0x150 kernel/softirq.c:723
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1056
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:lock_acquire+0x221/0x330 kernel/locking/lockdep.c:5872
Code: ff ff ff e8 d1 8a ff 09 f7 44 24 08 00 02 00 00 0f 84 3a ff ff ff 65 48 8b 05 4b 98 77 11 48 3b 44 24 58 75 33 fb 48 83 c4 60 <5b> 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc 48 8d 3d 08 e0 73
RSP: 0018:ffffc9000d337728 EFLAGS: 00000286
RAX: b04812d3a0001d00 RBX: 0000000000000000 RCX: 0000000000000046
RDX: 00000000b7637379 RSI: ffffffff8e15ba22 RDI: ffffffff8c279900
RBP: ffffffff826c4e0c R08: ffffffff826c4e0c R09: ffffffff8e75e3e0
R10: dffffc0000000000 R11: ffffed10036d9b25 R12: 0000000000000002
R13: ffffffff8e75e3e0 R14: 0000000000000000 R15: 0000000000000246
 rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
 rcu_read_lock include/linux/rcupdate.h:850 [inline]
 class_rcu_constructor include/linux/rcupdate.h:1193 [inline]
 kernfs_root+0x38/0x230 fs/kernfs/kernfs-internal.h:75
 kernfs_find_ns+0xa9/0x490 fs/kernfs/dir.c:865
 kernfs_remove_by_name_ns+0x4b/0x130 fs/kernfs/dir.c:1719
 kernfs_remove_by_name include/linux/kernfs.h:633 [inline]
 remove_files fs/sysfs/group.c:28 [inline]
 sysfs_remove_group+0xfc/0x2e0 fs/sysfs/group.c:328
 sysfs_remove_groups+0x54/0xb0 fs/sysfs/group.c:352
 device_remove_groups drivers/base/core.c:2843 [inline]
 device_remove_attrs+0x1cb/0x280 drivers/base/core.c:2973
 device_del+0x51f/0x8f0 drivers/base/core.c:3877
 unregister_netdevice_many_notify+0x1e0e/0x2370 net/core/dev.c:12431
 unregister_netdevice_many net/core/dev.c:12459 [inline]
 unregister_netdevice_queue+0x31f/0x360 net/core/dev.c:12273
 unregister_netdevice include/linux/netdevice.h:3408 [inline]
 __tun_detach+0x6d9/0x15d0 drivers/net/tun.c:621
 tun_detach drivers/net/tun.c:637 [inline]
 tun_chr_close+0x10a/0x1c0 drivers/net/tun.c:3436
 __fput+0x44f/0xa70 fs/file_table.c:469
 task_work_run+0x1d9/0x270 kernel/task_work.c:233
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 __exit_to_user_mode_loop kernel/entry/common.c:67 [inline]
 exit_to_user_mode_loop+0xed/0x480 kernel/entry/common.c:98
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
 do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3b3119bf79
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f3b3153fba8 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00007f3b31417da0 RCX: 00007f3b3119bf79
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 00007f3b31417da0 R08: 0000000000000006 R09: 0000000000000000
R10: 00007f3b31417cb0 R11: 0000000000000246 R12: 0000000000130e04
R13: 00007f3b3141618c R14: 0000000000130bf8 R15: 00007f3b31416180
 </TASK>
----------------
Code disassembly (best guess), 2 bytes skipped:
   0:	ff                   	ljmp   (bad)
   1:	e8 d1 8a ff 09       	call   0x9ff8ad7
   6:	f7 44 24 08 00 02 00 	testl  $0x200,0x8(%rsp)
   d:	00
   e:	0f 84 3a ff ff ff    	je     0xffffff4e
  14:	65 48 8b 05 4b 98 77 	mov    %gs:0x1177984b(%rip),%rax        # 0x11779867
  1b:	11
  1c:	48 3b 44 24 58       	cmp    0x58(%rsp),%rax
  21:	75 33                	jne    0x56
  23:	fb                   	sti
  24:	48 83 c4 60          	add    $0x60,%rsp
* 28:	5b                   	pop    %rbx <-- trapping instruction
  29:	41 5c                	pop    %r12
  2b:	41 5d                	pop    %r13
  2d:	41 5e                	pop    %r14
  2f:	41 5f                	pop    %r15
  31:	5d                   	pop    %rbp
  32:	c3                   	ret
  33:	cc                   	int3
  34:	cc                   	int3
  35:	cc                   	int3
  36:	cc                   	int3
  37:	cc                   	int3
  38:	48                   	rex.W
  39:	8d                   	.byte 0x8d
  3a:	3d                   	.byte 0x3d
  3b:	08 e0                	or     %ah,%al
  3d:	73                   	.byte 0x73