============================================
WARNING: possible recursive locking detected
6.12.0-syzkaller-05480-gfcc79e1714e8 #0 Not tainted
--------------------------------------------
syz.1.324/7142 is trying to acquire lock:
ffff88807e920f30 (&hsr->seqnr_lock){+.-.}-{3:3}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]
ffff88807e920f30 (&hsr->seqnr_lock){+.-.}-{3:3}, at: hsr_dev_xmit+0x18a/0x210 net/hsr/hsr_device.c:234

but task is already holding lock:
ffff888058034f30 (&hsr->seqnr_lock){+.-.}-{3:3}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]
ffff888058034f30 (&hsr->seqnr_lock){+.-.}-{3:3}, at: send_hsr_supervision_frame+0x27c/0xcc0 net/hsr/hsr_device.c:317

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&hsr->seqnr_lock);
  lock(&hsr->seqnr_lock);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

10 locks held by syz.1.324/7142:
 #0: ffffffff904138f0 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
 #0: ffffffff904138f0 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline]
 #0: ffffffff904138f0 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x22/0x250 net/core/rtnetlink.c:555
 #1: ffffffff8fef1388 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
 #1: ffffffff8fef1388 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:326 [inline]
 #1: ffffffff8fef1388 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0xd04/0x24f0 net/core/rtnetlink.c:4000
 #2: ffffffff8ff872a8 (flowtable_lock){+.+.}-{4:4}, at: nf_flow_table_cleanup+0x23/0xb0 net/netfilter/nf_flow_table_core.c:593
 #3: ffffc90000a18c00 ((&hsr->announce_timer)){+.-.}-{0:0}, at: call_timer_fn+0xc0/0x650 kernel/time/timer.c:1790
 #4: ffffffff8eb3c860 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
 #4: ffffffff8eb3c860 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline]
 #4: ffffffff8eb3c860 (rcu_read_lock){....}-{1:3}, at: hsr_announce+0xaa/0x3a0 net/hsr/hsr_device.c:406
 #5: ffff888058034f30 (&hsr->seqnr_lock){+.-.}-{3:3}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]
 #5: ffff888058034f30 (&hsr->seqnr_lock){+.-.}-{3:3}, at: send_hsr_supervision_frame+0x27c/0xcc0 net/hsr/hsr_device.c:317
 #6: ffffffff8eb3c860 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
 #6: ffffffff8eb3c860 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline]
 #6: ffffffff8eb3c860 (rcu_read_lock){....}-{1:3}, at: hsr_forward_skb+0xb6/0x2ac0 net/hsr/hsr_forward.c:723
 #7: ffffffff8eb3c8c0 (rcu_read_lock_bh){....}-{1:3}, at: local_bh_disable include/linux/bottom_half.h:20 [inline]
 #7: ffffffff8eb3c8c0 (rcu_read_lock_bh){....}-{1:3}, at: rcu_read_lock_bh include/linux/rcupdate.h:901 [inline]
 #7: ffffffff8eb3c8c0 (rcu_read_lock_bh){....}-{1:3}, at: __dev_queue_xmit+0x2f4/0x3f50 net/core/dev.c:4359
 #8: ffffffff8eb3c860 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
 #8: ffffffff8eb3c860 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline]
 #8: ffffffff8eb3c860 (rcu_read_lock){....}-{1:3}, at: br_dev_xmit+0x21d/0x1b40 net/bridge/br_device.c:50
 #9: ffffffff8eb3c8c0 (rcu_read_lock_bh){....}-{1:3}, at: local_bh_disable include/linux/bottom_half.h:20 [inline]
 #9: ffffffff8eb3c8c0 (rcu_read_lock_bh){....}-{1:3}, at: rcu_read_lock_bh include/linux/rcupdate.h:901 [inline]
 #9: ffffffff8eb3c8c0 (rcu_read_lock_bh){....}-{1:3}, at: __dev_queue_xmit+0x2f4/0x3f50 net/core/dev.c:4359

stack backtrace:
CPU: 1 UID: 0 PID: 7142 Comm: syz.1.324 Not tainted 6.12.0-syzkaller-05480-gfcc79e1714e8 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_deadlock_bug+0x483/0x620 kernel/locking/lockdep.c:3037
 check_deadlock kernel/locking/lockdep.c:3089 [inline]
 validate_chain+0x15e2/0x5920 kernel/locking/lockdep.c:3891
 __lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226
 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
 _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178
 spin_lock_bh include/linux/spinlock.h:356 [inline]
 hsr_dev_xmit+0x18a/0x210 net/hsr/hsr_device.c:234
 __netdev_start_xmit include/linux/netdevice.h:5002 [inline]
 netdev_start_xmit include/linux/netdevice.h:5011 [inline]
 xmit_one net/core/dev.c:3590 [inline]
 dev_hard_start_xmit+0x27a/0x7e0 net/core/dev.c:3606
 __dev_queue_xmit+0x1b73/0x3f50 net/core/dev.c:4434
 dev_queue_xmit include/linux/netdevice.h:3168 [inline]
 br_dev_queue_push_xmit+0x726/0x900 net/bridge/br_forward.c:53
 NF_HOOK+0x3a7/0x460 include/linux/netfilter.h:314
 br_forward_finish+0xd8/0x130 net/bridge/br_forward.c:66
 NF_HOOK+0x3a7/0x460 include/linux/netfilter.h:314
 __br_forward+0x489/0x660 net/bridge/br_forward.c:115
 deliver_clone net/bridge/br_forward.c:131 [inline]
 maybe_deliver+0xb3/0x150 net/bridge/br_forward.c:190
 br_flood+0x2e4/0x660 net/bridge/br_forward.c:236
 br_dev_xmit+0x1202/0x1b40
 __netdev_start_xmit include/linux/netdevice.h:5002 [inline]
 netdev_start_xmit include/linux/netdevice.h:5011 [inline]
 xmit_one net/core/dev.c:3590 [inline]
 dev_hard_start_xmit+0x27a/0x7e0 net/core/dev.c:3606
 __dev_queue_xmit+0x1b73/0x3f50 net/core/dev.c:4434
 dev_queue_xmit include/linux/netdevice.h:3168 [inline]
 hsr_xmit net/hsr/hsr_forward.c:430 [inline]
 hsr_forward_do net/hsr/hsr_forward.c:571 [inline]
 hsr_forward_skb+0x171c/0x2ac0 net/hsr/hsr_forward.c:728
 send_hsr_supervision_frame+0x63b/0xcc0 net/hsr/hsr_device.c:351
 hsr_announce+0x1f8/0x3a0 net/hsr/hsr_device.c:408
 call_timer_fn+0x18e/0x650 kernel/time/timer.c:1793
 expire_timers kernel/time/timer.c:1844 [inline]
 __run_timers kernel/time/timer.c:2418 [inline]
 __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2430
 run_timer_base kernel/time/timer.c:2439 [inline]
 run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2449
 handle_softirqs+0x2c5/0x980 kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:655
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:671
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:flush_work kernel/workqueue.c:4251 [inline]
RIP: 0010:flush_delayed_work+0x150/0x1c0 kernel/workqueue.c:4274
Code: 16 eb a1 00 49 8b b7 98 00 00 00 44 89 f7 4c 89 fa e8 c4 92 ff ff eb 05 e8 4d 3a 37 00 e8 e8 02 3f 00 fb 48 c7 c7 c0 fb 29 8c <be> 9b 10 00 00 e8 06 4a 07 00 2e 2e 2e 31 c0 4c 89 ff 31 f6 e8 37
RSP: 0018:ffffc90004696b60 EFLAGS: 00000286
RAX: 26e52a2ccea2ae00 RBX: 0000000000000001 RCX: ffffffff8171048a
RDX: dffffc0000000000 RSI: ffffffff8c2ad300 RDI: ffffffff8c29fbc0
RBP: ffffc90004696be8 R08: ffffffff94546997 R09: 1ffffffff28a8d32
R10: dffffc0000000000 R11: fffffbfff28a8d33 R12: dffffc0000000000
R13: 1ffff920008d2d6c R14: 0000000000000008 R15: ffff8880237d89e8
 nf_flow_table_gc_cleanup net/netfilter/nf_flow_table_core.c:585 [inline]
 nf_flow_table_cleanup+0x62/0xb0 net/netfilter/nf_flow_table_core.c:595
 flow_offload_netdev_event+0x51/0x70 net/netfilter/nft_flow_offload.c:492
 notifier_call_chain+0x19f/0x3e0 kernel/notifier.c:93
 call_netdevice_notifiers_extack net/core/dev.c:2034 [inline]
 call_netdevice_notifiers net/core/dev.c:2048 [inline]
 dev_close_many+0x33c/0x4c0 net/core/dev.c:1589
 unregister_netdevice_many_notify+0x530/0x1da0 net/core/dev.c:11494
 rtnl_newlink_create+0x835/0xa30 net/core/rtnetlink.c:3802
 __rtnl_newlink net/core/rtnetlink.c:3891 [inline]
 rtnl_newlink+0x17dd/0x24f0 net/core/rtnetlink.c:4001
 rtnetlink_rcv_msg+0x791/0xcf0 net/core/rtnetlink.c:6911
 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2541
 netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]
 netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1347
 netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1891
 sock_sendmsg_nosec net/socket.c:711 [inline]
 __sock_sendmsg+0x221/0x270 net/socket.c:726
 ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583
 ___sys_sendmsg net/socket.c:2637 [inline]
 __sys_sendmsg+0x269/0x350 net/socket.c:2669
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa2a3380809
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa2a411d058 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fa2a3545fa0 RCX: 00007fa2a3380809
RDX: 0000000000000000 RSI: 0000000020000280 RDI: 000000000000000e
RBP: 00007fa2a33f393e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fa2a3545fa0 R15: 00007ffc7feeaa08
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:	eb a1                	jmp    0xffffffa3
   2:	00 49 8b             	add    %cl,-0x75(%rcx)
   5:	b7 98                	mov    $0x98,%bh
   7:	00 00                	add    %al,(%rax)
   9:	00 44 89 f7          	add    %al,-0x9(%rcx,%rcx,4)
   d:	4c 89 fa             	mov    %r15,%rdx
  10:	e8 c4 92 ff ff       	call   0xffff92d9
  15:	eb 05                	jmp    0x1c
  17:	e8 4d 3a 37 00       	call   0x373a69
  1c:	e8 e8 02 3f 00       	call   0x3f0309
  21:	fb                   	sti
  22:	48 c7 c7 c0 fb 29 8c 	mov    $0xffffffff8c29fbc0,%rdi
* 29:	be 9b 10 00 00       	mov    $0x109b,%esi <-- trapping instruction
  2e:	e8 06 4a 07 00       	call   0x74a39
  33:	2e 2e 2e 31 c0       	cs cs cs xor %eax,%eax
  38:	4c 89 ff             	mov    %r15,%rdi
  3b:	31 f6                	xor    %esi,%esi
  3d:	e8                   	.byte 0xe8
  3e:	37                   	(bad)