From: Sean Young <sean@mess.org>
To: Alan Stern <stern@rowland.harvard.edu>
Cc: Hillf Danton <hdanton@sina.com>,
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
syzbot+592e2ab8775dbe0bf09a@syzkaller.appspotmail.com,
LKML <linux-kernel@vger.kernel.org>,
Mauro Carvalho Chehab <mchehab@kernel.org>
Subject: Re: [PATCH] media: imon: make send_packet() more robust
Date: Tue, 15 Jul 2025 21:19:18 +0100 [thread overview]
Message-ID: <aHa3xpKfGNqAocIO@gofer.mess.org> (raw)
In-Reply-To: <d6da6709-d799-4be3-a695-850bddd6eb24@rowland.harvard.edu>
Hi Alan,
On Sun, Jul 13, 2025 at 11:21:24AM -0400, Alan Stern wrote:
> On Sun, Jul 13, 2025 at 04:11:47PM +0800, Hillf Danton wrote:
> > [loop Alan in]
>
> I assume you're interested in the question of when to avoid resubmitting
> URBs.
>
> > On Sun, 13 Jul 2025 16:50:08 +0900 Tetsuo Handa wrote:
> > > syzbot is reporting that imon has three problems which result in hung tasks
> > > due to forever holding device lock.
> > >
> > > First problem is that when usb_rx_callback_intf0() once got -EPROTO error
> > > after ictx->dev_present_intf0 became true, usb_rx_callback_intf0()
> > > resubmits urb after printk(), and resubmitted urb causes
> > > usb_rx_callback_intf0() to again get -EPROTO error. This results in
> > > printk() flooding (RCU stalls).
> > >
> > > Commit 92f461517d22 ("media: ir_toy: do not resubmit broken urb") changed
> > > ir_toy module not to resubmit when irtoy_in_callback() got -EPROTO error.
> > > We should do similar thing for imon.
> > >
> > > Basically, I think that imon should refrain from resubmitting urb when
> > > callback function got an error. But since I don't know which error codes
> > > should retry resubmitting urb, this patch handles only union of error codes
> > > chosen from modules in drivers/media/rc/ directory which handles -EPROTO
> > > error (i.e. ir_toy, mceusb and igorplugusb).
>
> In theory it's okay to resubmit _if_ the driver has a robust
> error-recovery scheme (such as giving up after some fixed limit on the
> number of errors or after some fixed time has elapsed, perhaps with a
> time delay to prevent a flood of errors). Most drivers don't bother to
> do this; they simply give up right away. This makes them more
> vulnerable to short-term noise interference during USB transfers, but in
> reality such interference is quite rare. There's nothing really wrong
> with giving up right away.
>
> As to which error codes drivers should pay attention to... In most
> cases they only look at -EPROTO. According to
> Documentation/driver-api/usb/error-codes.rst, -EILSEQ and -ETIME are
> also possible errors when a device has been unplugged, so it wouldn't
> hurt to check for them too. But most host controller drivers don't
> bother to issue them; -EPROTO is by far the most common error code
> following an unplug.
Thank you for explaining that, very helpful. Would it be useful to have
this in the USB completion handler documentation?
> > > We need to decide whether to call usb_unlink_urb() when we got -EPROTO
> > > error. ir_toy and mceusb call usb_unlink_urb() but igorplugusb does not
> > > due to commit 5e4029056263 ("media: igorplugusb: remove superfluous
> > > usb_unlink_urb()"). This patch calls usb_unlink_urb() because description
> > > of usb_unlink_urb() suggests that it is OK to call.
>
> If the error occurred because the device was unplugged then unlinking
> the outstanding URBs isn't necessary; the USB core will unlink them for
> you after the device's parent hub reports that the unplug took place.
Are you saying there is a case when usb_unlink_urb() is necessary: if the
device was not unplugged and -EPROTO is reported?
> > > Second problem is that when usb_rx_callback_intf0() once got -EPROTO error
> > > before ictx->dev_present_intf0 becomes true, usb_rx_callback_intf0() always
> > > resubmits urb due to commit 8791d63af0cf ("[media] imon: don't wedge
> > > hardware after early callbacks"). If some errors should stop resubmitting
> > > urb regardless of whether configuring the hardware has completed or not,
> > > what that commit is doing is wrong. The ictx->dev_present_intf0 test was
> > > introduced by commit 6f6b90c9231a ("[media] imon: don't parse scancodes
> > > until intf configured"), but that commit did not call usb_unlink_urb()
> > > when usb_rx_callback_intf0() got an error. Move the ictx->dev_present_intf0
> > > test to immediately before imon_incoming_packet() so that we can call
> > > usb_unlink_urb() as needed, or the first problem explained above happens
> > > without printk() flooding (i.e. hung task).
>
> It seems odd for a driver to set up normal communications with a device
> before the device has been configured, but of course that decision is up
> to the creators and maintainers of the driver.
The usb device has two interfaces, and we need both of them before we can
do anything useful. Badly designed hardware.
I think that is why this driver code is so awkward.
Sean
next prev parent reply other threads:[~2025-07-15 20:19 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-09 14:37 [syzbot] [usb?] INFO: task hung in uevent_show (2) syzbot
2024-11-10 0:59 ` syzbot
2025-07-10 11:05 ` Hillf Danton
2025-07-10 11:59 ` [syzbot] [kernel?] " syzbot
2025-07-10 12:59 ` [syzbot] [usb?] " Hillf Danton
2025-07-10 13:25 ` [syzbot] [kernel?] " syzbot
2025-07-09 4:39 ` [syzbot] [usb?] " Tetsuo Handa
2025-07-09 14:03 ` [syzbot] [kernel?] " syzbot
2025-07-09 14:13 ` Tetsuo Handa
2025-07-09 14:27 ` Alan Stern
2025-07-09 14:44 ` Tetsuo Handa
2025-07-09 15:19 ` Alan Stern
2025-07-09 15:33 ` Tetsuo Handa
2025-07-09 15:41 ` Alan Stern
2025-07-10 10:17 ` Tetsuo Handa
2025-07-10 14:13 ` Alan Stern
2025-07-09 14:15 ` [syzbot] [usb?] " Tetsuo Handa
2025-07-09 14:44 ` [syzbot] [kernel?] " syzbot
2025-07-09 15:01 ` Tetsuo Handa
2025-07-11 11:09 ` [syzbot] [usb?] " Tetsuo Handa
2025-07-11 11:44 ` [syzbot] [kernel?] " syzbot
2025-07-11 11:52 ` [syzbot] [usb?] " Tetsuo Handa
2025-07-11 12:13 ` [syzbot] [kernel?] " syzbot
2025-07-11 13:34 ` [syzbot] [usb?] " Tetsuo Handa
2025-07-11 14:09 ` [syzbot] [kernel?] " syzbot
2025-07-11 15:01 ` [syzbot] [usb?] " Tetsuo Handa
2025-07-11 15:46 ` [syzbot] [kernel?] " syzbot
2025-07-12 14:40 ` [syzbot] [usb?] " Tetsuo Handa
2025-07-12 15:18 ` [syzbot] [kernel?] " syzbot
2025-07-12 15:41 ` [syzbot] [usb?] " Tetsuo Handa
2025-07-12 17:43 ` [syzbot] [kernel?] " syzbot
2025-07-13 7:50 ` [PATCH] media: imon: make send_packet() more robust Tetsuo Handa
2025-07-13 8:11 ` Hillf Danton
2025-07-13 15:21 ` Alan Stern
2025-07-15 20:19 ` Sean Young [this message]
2025-07-16 1:30 ` Alan Stern
2025-07-16 9:38 ` Sean Young
2025-07-16 10:09 ` Tetsuo Handa
2025-07-16 11:55 ` Hillf Danton
2025-07-16 12:47 ` Sean Young
2025-07-16 14:07 ` [PATCH v2] " Tetsuo Handa
2025-07-16 14:45 ` Alan Stern
2025-07-17 14:21 ` [PATCH v3] " Tetsuo Handa
2025-07-16 14:38 ` [PATCH] " Alan Stern
2025-07-13 8:29 ` [syzbot] [kernel?] INFO: task hung in uevent_show (2) syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aHa3xpKfGNqAocIO@gofer.mess.org \
--to=sean@mess.org \
--cc=hdanton@sina.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mchehab@kernel.org \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=stern@rowland.harvard.edu \
--cc=syzbot+592e2ab8775dbe0bf09a@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.