Re: [syzbot] INFO: task hung in port100_probe

[Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>]

On 21/10/2021 00:05, Alan Stern wrote:
>>
>> The syzkaller reproducer fails if >1 of threads are running these usb
>> gadgets.  When this happens, no "in_urb" completion happens. No this
>> "ack" port100_recv_ack().
>>
>> I added some debugs and simply dummy_hcd dummy_timer() is woken up on
>> enqueuing in_urb and then is looping crazy on a previous URB (some older
>> URB, coming from before port100 driver probe started). The dummy_timer()
>> loop never reaches the second "in_urb" to process it, I think.
> 
> Is there any way you can track down what's happening in that crazy loop?  
> That is, what driver was responsible for the previous URB?
> 
> We have seen this sort of thing before, where a driver submits an URB 
> for a gadget which has disconnected.  The URB fails with -EPROTO status 
> but the URB's completion handler does an automatic resubmit.  That can 
> lead to a very tight loop with dummy-hcd, and it could easily prevent 
> some other important processing from occurring.  The simple solution is 
> to prevent the driver from resubmitting when the completion status is 
> -EPROTO.

Hi Alan,

Thanks for the reply.

The URB which causes crazy loop is the port100 driver second URB, the
one called ack or in_urb.

The flow is:
1. probe()
2. port100_get_command_type_mask()
3. port100_send_cmd_async()
4. port100_send_frame_async()
5. usb_submit_urb(dev->out_urb)
   The call succeeds, the dummy_hcd picks it up and immediately ends the
timer-loop with -EPROTO

The completion here does not resubmit another/same URB. I checked this
carefully and I hope I did not miss anything.

6. port100_submit_urb_for_ack() which sends the in_urb:
   usb_submit_urb(dev->in_urb)
... wait for completion
... dummy_hcd loops on this URB around line 2000:
if (status == -EINPROGRESS)
  continue

Best regards,
Krzysztof