fix(core): avoid blocking THP when send buffer is full

romanz · romanz · commit 42450442630b · 2025-08-22T14:11:17.000+03:00
[no changelog]
diff --git a/core/src/trezor/wire/thp/channel.py b/core/src/trezor/wire/thp/channel.py
@@ -20,7 +20,7 @@
     conditionally_replace_channel,
     is_there_a_channel_to_replace,
 )
-from trezor import protobuf, utils, workflow
+from trezor import loop, protobuf, utils, workflow
 from trezor.loop import Timeout
 
 from ..protocol_common import Message
@@ -51,6 +51,8 @@
 _MAX_RETRANSMISSION_COUNT = const(50)
 _MIN_RETRANSMISSION_COUNT = const(2)
 
+_WRITE_TIMEOUT_MS = const(5_000)
+
 
 class Reassembler:
     def __init__(self, cid: int, read_buf: ThpBuffer) -> None:
@@ -395,16 +397,27 @@ async def write_encrypted_payload(self, ctrl_byte: int, payload: bytes) -> None:
         # ACK is needed before sending more data
         ABP.set_sending_allowed(self.channel_cache, False)
 
+        write_timeout = loop.sleep(_WRITE_TIMEOUT_MS)
+
         for i in range(_MAX_RETRANSMISSION_COUNT):
-            await self.ctx.write_payload(header, payload)
+            res = await loop.race(
+                self.ctx.write_payload(header, payload), write_timeout
+            )
+            if isinstance(res, int):
+                # When using USB, the writer can get stuck if there is no matching reader.
+                # Let's stop retransmission in this case, to allow handling other channels.
+                if __debug__:
+                    self._log("Sending is stuck", logger=log.error)
+                break
+
             # starting from 100ms till ~3.42s
             timeout_ms = round(10200 - 1010000 / (100 + i))
             try:
                 # wait and return after receiving an ACK, or raise in case of an unexpected message.
                 await self.recv_payload(expected_ctrl_byte=None, timeout_ms=timeout_ms)
             except Timeout:
                 if __debug__:
-                    log.warning(__name__, "Retransmit after %d ms", timeout_ms)
+                    self._log(f"Retransmit after {timeout_ms} ms", logger=log.warning)
                 continue
             # `ABP.set_sending_allowed()` will be called after a valid ACK
             if ABP.is_sending_allowed(self.channel_cache):
