============================================
WARNING: possible recursive locking detected
6.15.0-rc5-syzkaller-00136-g9c69f8884904 #0 Not tainted
--------------------------------------------
syz.0.1697/14080 is trying to acquire lock:
ffff888078de8f30 (&hsr->seqnr_lock){+.-.}-{3:3}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]
ffff888078de8f30 (&hsr->seqnr_lock){+.-.}-{3:3}, at: hsr_dev_xmit+0x19a/0x220 net/hsr/hsr_device.c:234

but task is already holding lock:
ffff88804df40f30 (&hsr->seqnr_lock){+.-.}-{3:3}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]
ffff88804df40f30 (&hsr->seqnr_lock){+.-.}-{3:3}, at: hsr_dev_xmit+0x19a/0x220 net/hsr/hsr_device.c:234

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&hsr->seqnr_lock);
  lock(&hsr->seqnr_lock);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

10 locks held by syz.0.1697/14080:
 #0: ffff888027d87118 (&u->iolock){+.+.}-{4:4}, at: __unix_dgram_recvmsg+0x1e2/0xdc0 net/unix/af_unix.c:2417
 #1: ffffc90000a08be0 ((&ndev->rs_timer)){+.-.}-{0:0}, at: call_timer_fn+0xbe/0x5f0 kernel/time/timer.c:1786
 #2: ffffffff8df3b860 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #2: ffffffff8df3b860 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #2: ffffffff8df3b860 (rcu_read_lock){....}-{1:3}, at: ndisc_send_skb+0x208/0x1400 net/ipv6/ndisc.c:484
 #3: ffffffff8df3b860 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #3: ffffffff8df3b860 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #3: ffffffff8df3b860 (rcu_read_lock){....}-{1:3}, at: ip6_finish_output2+0x701/0x16a0 net/ipv6/ip6_output.c:126
 #4: ffffffff8df3b8c0 (rcu_read_lock_bh){....}-{1:3}, at: local_bh_disable include/linux/bottom_half.h:20 [inline]
 #4: ffffffff8df3b8c0 (rcu_read_lock_bh){....}-{1:3}, at: rcu_read_lock_bh include/linux/rcupdate.h:892 [inline]
 #4: ffffffff8df3b8c0 (rcu_read_lock_bh){....}-{1:3}, at: __dev_queue_xmit+0x27e/0x3a70 net/core/dev.c:4554
 #5: ffff88804df40f30 (&hsr->seqnr_lock){+.-.}-{3:3}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]
 #5: ffff88804df40f30 (&hsr->seqnr_lock){+.-.}-{3:3}, at: hsr_dev_xmit+0x19a/0x220 net/hsr/hsr_device.c:234
 #6: ffffffff8df3b860 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #6: ffffffff8df3b860 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #6: ffffffff8df3b860 (rcu_read_lock){....}-{1:3}, at: hsr_forward_skb+0x9e/0x2860 net/hsr/hsr_forward.c:728
 #7: ffffffff8df3b8c0 (rcu_read_lock_bh){....}-{1:3}, at: local_bh_disable include/linux/bottom_half.h:20 [inline]
 #7: ffffffff8df3b8c0 (rcu_read_lock_bh){....}-{1:3}, at: rcu_read_lock_bh include/linux/rcupdate.h:892 [inline]
 #7: ffffffff8df3b8c0 (rcu_read_lock_bh){....}-{1:3}, at: __dev_queue_xmit+0x27e/0x3a70 net/core/dev.c:4554
 #8: ffffffff8df3b860 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #8: ffffffff8df3b860 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #8: ffffffff8df3b860 (rcu_read_lock){....}-{1:3}, at: br_dev_xmit+0x185/0x1840 net/bridge/br_device.c:52
 #9: ffffffff8df3b8c0 (rcu_read_lock_bh){....}-{1:3}, at: local_bh_disable include/linux/bottom_half.h:20 [inline]
 #9: ffffffff8df3b8c0 (rcu_read_lock_bh){....}-{1:3}, at: rcu_read_lock_bh include/linux/rcupdate.h:892 [inline]
 #9: ffffffff8df3b8c0 (rcu_read_lock_bh){....}-{1:3}, at: __dev_queue_xmit+0x27e/0x3a70 net/core/dev.c:4554

stack backtrace:
CPU: 1 UID: 0 PID: 14080 Comm: syz.0.1697 Not tainted 6.15.0-rc5-syzkaller-00136-g9c69f8884904 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/29/2025
Call Trace:
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_deadlock_bug+0x28b/0x2a0 kernel/locking/lockdep.c:3042
 check_deadlock kernel/locking/lockdep.c:3094 [inline]
 validate_chain+0x1a3f/0x2140 kernel/locking/lockdep.c:3896
 __lock_acquire+0xaac/0xd20 kernel/locking/lockdep.c:5235
 lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5866
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
 _raw_spin_lock_bh+0x36/0x50 kernel/locking/spinlock.c:178
 spin_lock_bh include/linux/spinlock.h:356 [inline]
 hsr_dev_xmit+0x19a/0x220 net/hsr/hsr_device.c:234
 __netdev_start_xmit include/linux/netdevice.h:5204 [inline]
 netdev_start_xmit include/linux/netdevice.h:5213 [inline]
 xmit_one net/core/dev.c:3776 [inline]
 dev_hard_start_xmit+0x2ff/0x880 net/core/dev.c:3792
 __dev_queue_xmit+0x1adf/0x3a70 net/core/dev.c:4629
 dev_queue_xmit include/linux/netdevice.h:3350 [inline]
 br_dev_queue_push_xmit+0x6c5/0x890 net/bridge/br_forward.c:53
 NF_HOOK+0x31d/0x3c0 include/linux/netfilter.h:314
 br_forward_finish+0xd3/0x130 net/bridge/br_forward.c:66
 NF_HOOK+0x31d/0x3c0 include/linux/netfilter.h:314
 __br_forward+0x41e/0x600 net/bridge/br_forward.c:115
 deliver_clone net/bridge/br_forward.c:131 [inline]
 maybe_deliver+0xb5/0x160 net/bridge/br_forward.c:190
 br_flood+0x31a/0x6a0 net/bridge/br_forward.c:237
 br_dev_xmit+0x11b3/0x1840 net/bridge/br_device.c:108
 __netdev_start_xmit include/linux/netdevice.h:5204 [inline]
 netdev_start_xmit include/linux/netdevice.h:5213 [inline]
 xmit_one net/core/dev.c:3776 [inline]
 dev_hard_start_xmit+0x2ff/0x880 net/core/dev.c:3792
 __dev_queue_xmit+0x1adf/0x3a70 net/core/dev.c:4629
 dev_queue_xmit include/linux/netdevice.h:3350 [inline]
 hsr_xmit net/hsr/hsr_forward.c:430 [inline]
 hsr_forward_do net/hsr/hsr_forward.c:571 [inline]
 hsr_forward_skb+0x158b/0x2860 net/hsr/hsr_forward.c:733
 hsr_dev_xmit+0x1a5/0x220 net/hsr/hsr_device.c:235
 __netdev_start_xmit include/linux/netdevice.h:5204 [inline]
 netdev_start_xmit include/linux/netdevice.h:5213 [inline]
 xmit_one net/core/dev.c:3776 [inline]
 dev_hard_start_xmit+0x2ff/0x880 net/core/dev.c:3792
 __dev_queue_xmit+0x1adf/0x3a70 net/core/dev.c:4629
 neigh_output include/net/neighbour.h:539 [inline]
 ip6_finish_output2+0x11fb/0x16a0 net/ipv6/ip6_output.c:141
 __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline]
 ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:226
 NF_HOOK include/linux/netfilter.h:314 [inline]
 ndisc_send_skb+0xb47/0x1400 net/ipv6/ndisc.c:513
 addrconf_rs_timer+0x369/0x670 net/ipv6/addrconf.c:4041
 call_timer_fn+0x17b/0x5f0 kernel/time/timer.c:1789
 expire_timers kernel/time/timer.c:1840 [inline]
 __run_timers kernel/time/timer.c:2414 [inline]
 __run_timer_base+0x61a/0x860 kernel/time/timer.c:2426
 run_timer_base kernel/time/timer.c:2435 [inline]
 run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2445
 handle_softirqs+0x283/0x870 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:unix_copy_addr net/unix/af_unix.c:2391 [inline]
RIP: 0010:__unix_dgram_recvmsg+0x502/0xdc0 net/unix/af_unix.c:2452
Code: 00 74 08 48 89 df e8 9d 83 1c f8 41 be 58 05 00 00 4c 03 33 4c 89 f0 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89 f7 e8 7e 83 1c f8 <49> 8b 1e 48 85 db 0f 84 90 00 00 00 e8 dd 8e ba f7 4c 8d 73 04 4c
RSP: 0018:ffffc9000405f700 EFLAGS: 00000246
RAX: 1ffff11004fb0afb RBX: ffff888053ba5518 RCX: 0000000000080000
RDX: ffffc9000e4b1000 RSI: 000000000007ffff RDI: ffffc9000405fd00
RBP: ffffc9000405f890 R08: ffffffff8f7ed177 R09: 1ffffffff1efda2e
R10: dffffc0000000000 R11: fffffbfff1efda2f R12: 1ffff9200080bfa0
R13: dffffc0000000000 R14: ffff888027d857d8 R15: ffff888053ba5500
 sock_recvmsg_nosec+0x183/0x1c0 net/socket.c:1017
 ____sys_recvmsg+0x3aa/0x460 net/socket.c:2784
 ___sys_recvmsg+0x1b5/0x510 net/socket.c:2828
 do_recvmmsg+0x307/0x760 net/socket.c:2923
 __sys_recvmmsg net/socket.c:2997 [inline]
 __do_sys_recvmmsg net/socket.c:3020 [inline]
 __se_sys_recvmmsg net/socket.c:3013 [inline]
 __x64_sys_recvmmsg+0x190/0x240 net/socket.c:3013
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f700078e969
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f700165b038 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 00007f70009b6080 RCX: 00007f700078e969
RDX: 0000000000010106 RSI: 00002000000000c0 RDI: 0000000000000007
RBP: 00007f7000810ab1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000001 R14: 00007f70009b6080 R15: 00007f7000adfa28
----------------
Code disassembly (best guess):
   0:  00 74 08 48             add    %dh,0x48(%rax,%rcx,1)
   4:  89 df                   mov    %ebx,%edi
   6:  e8 9d 83 1c f8          call   0xf81c83a8
   b:  41 be 58 05 00 00       mov    $0x558,%r14d
  11:  4c 03 33                add    (%rbx),%r14
  14:  4c 89 f0                mov    %r14,%rax
  17:  48 c1 e8 03             shr    $0x3,%rax
  1b:  42 80 3c 28 00          cmpb   $0x0,(%rax,%r13,1)
  20:  74 08                   je     0x2a
  22:  4c 89 f7                mov    %r14,%rdi
  25:  e8 7e 83 1c f8          call   0xf81c83a8
* 2a:  49 8b 1e                mov    (%r14),%rbx <-- trapping instruction
  2d:  48 85 db                test   %rbx,%rbx
  30:  0f 84 90 00 00 00       je     0xc6
  36:  e8 dd 8e ba f7          call   0xf7ba8f18
  3b:  4c 8d 73 04             lea    0x4(%rbx),%r14
  3f:  4c                      rex.WR