On Fri, Dec 9, 2016 at 8:20 AM, Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
> On Fri, Dec 09, 2016 at 12:38:23AM +0100, Andrey Konovalov wrote:
>> Hi,
>>
>> I'm working on a way to extend syzkaller [1] to support fuzzing of the
>> USB subsystem. The idea is to be able to emulate various USB devices
>> and fuzz communication between the emulated device and the kernel. I'm
>> looking for a way to emulate devices from userspace, similar to how
>> tuntap allows one to create virtual network interfaces and emit ethernet
>> traffic by writing to /dev/net/tun.
>>
>> While googling for some information on this I found mentions of
>> gadgetfs and functionfs. As far as I understand, they allow one to turn a
>> USB host into a gadget and provide a way to communicate with another
>> host from a userspace application running on the gadget machine.
>
> Not quite. They are to drive a USB "gadget" device (i.e. the thing you
> plug into a USB host, like a keyboard). You use that if you are running
> Linux inside of that keyboard. Or inside your phone, it uses this
> interface when talking to your laptop.
>
>> There's also usbfs, which allows one to communicate with a USB gadget
>> directly from a userspace application.
>
> usbfs is to talk to a USB gadget through the host controller, so you can
> use it to fuzz a USB gadget driver, if a host driver is not already
> bound to the device.
>
>> Am I right that none of the above actually fit my needs?
>
> No, it should fit your needs just fine. Use the dummy USB gadget
> controller driver to set up the USB gadget device, and control it that
> way. It is how many people develop their USB gadget drivers directly on
> a non-gadget system (like a desktop.)

Hi Greg,

OK, it's starting to make some sense.

Dummy actually means loopback, correct? Right now whenever I mount
gadgetfs I see a dummy_udc file. This basically means that I have
gadgetfs set up in a loopback mode (since I have CONFIG_USB_DUMMY_HCD=y).
Now I can write a USB device description to dummy_udc and the kernel
will find an appropriate driver and loop the communication with this
driver back to the exposed epN files. Is my understanding of this correct?

>> Is there some way to emulate USB devices from a userspace application
>> via some kernel interface?
>
> Yes, use functionfs.

As I understand, the way to write gadget drivers with functionfs is to
describe something that's called a function by mounting functionfs and
writing to the files it provides. Then you need to use configfs to
actually compose these functions into a device. Is this correct?

What does a function stand for in this context? A USB configuration?

How do I enable loopback with functionfs?

Are there any advantages of using functionfs over gadgetfs for fuzzing?

Thanks!

> have fun!
>
> greg k-h
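As an added illustration (not code from this thread, from syzkaller or from the kernel), this is the block gadgetfs expects to be written to the dummy_udc ep0 file before the dummy controller enumerates the device: a zero 32-bit tag, a full-speed config descriptor set, a high-speed copy for the dual-speed dummy controller, then the device descriptor, together with a checker that walks the block back by bLength. The /dev/gadget mount point, the vendor/product ids and the single bulk interface are assumptions.

```python
import struct
# Descriptor type codes from USB 2.0 chapter 9; gadgetfs ep0 writes start with a zero 32-bit tag.
USB_DT_DEVICE, USB_DT_CONFIG, USB_DT_INTERFACE, USB_DT_ENDPOINT = 0x01, 0x02, 0x04, 0x05
GADGETFS_TAG = struct.pack("<I", 0)

def endpoint_desc(address, attributes, max_packet, interval=0):
    # bLength, bDescriptorType, bEndpointAddress, bmAttributes, wMaxPacketSize, bInterval
    return struct.pack("<BBBBHB", 7, USB_DT_ENDPOINT, address, attributes, max_packet, interval)

def interface_desc(number, endpoints, cls=0xFF, subcls=0, proto=0):
    # bLength, bDescriptorType, bInterfaceNumber, bAlternateSetting, bNumEndpoints, class, subclass, protocol, iInterface
    head = struct.pack("<BBBBBBBBB", 9, USB_DT_INTERFACE, number, 0, len(endpoints), cls, subcls, proto, 0)
    return head + b"".join(endpoints)

def config_desc(interfaces, max_power=50):
    body = b"".join(interfaces)  # wTotalLength = the config descriptor plus every descriptor that follows it
    return struct.pack("<BBHBBBBB", 9, USB_DT_CONFIG, 9 + len(body), len(interfaces), 1, 0, 0x80, max_power) + body

def device_desc(vid, pid):
    # bLength, type, bcdUSB, class/subclass/protocol, bMaxPacketSize0, idVendor, idProduct, bcdDevice, 3 string ids, bNumConfigurations
    return struct.pack("<BBHBBBBHHHBBBB", 18, USB_DT_DEVICE, 0x0200, 0, 0, 0, 64, vid, pid, 0x0100, 0, 0, 0, 1)

def bulk_config(max_packet):
    # one vendor-specific interface with bulk IN ep1 and bulk OUT ep2 (bmAttributes 0x02 = bulk)
    eps = [endpoint_desc(0x81, 0x02, max_packet), endpoint_desc(0x02, 0x02, max_packet)]
    return config_desc([interface_desc(0, eps)])

def gadgetfs_ep0_block(vid=0x1234, pid=0x5678):  # constructed ids, not a real device
    # dummy_hcd is dual speed: full-speed set (64-byte bulk), high-speed set (512), then the device descriptor
    return GADGETFS_TAG + bulk_config(64) + bulk_config(512) + device_desc(vid, pid)

def check_block(block):
    """Walk the block by bLength; verify each config's wTotalLength ends exactly where the next set starts."""
    if block[:4] != GADGETFS_TAG: raise ValueError("missing gadgetfs tag")
    configs, endpoints, offset = [], 0, 4
    while offset < len(block):
        blen, dtype = block[offset], block[offset + 1]
        if blen == 0: raise ValueError("zero-length descriptor at offset %d" % offset)
        if dtype == USB_DT_CONFIG:
            configs.append((offset, struct.unpack_from("<H", block, offset + 2)[0]))
        elif dtype == USB_DT_ENDPOINT:
            endpoints += 1
        offset += blen
    ends = [start for start, _ in configs[1:]] + [len(block) - 18]  # the last set ends at the device descriptor
    lengths_ok = all(start + total == end for (start, total), end in zip(configs, ends))
    return {"configs": len(configs), "endpoints": endpoints, "lengths_ok": lengths_ok}

def write_ep0(block, path="/dev/gadget/dummy_udc"):  # assumed mount point; the file is named after the UDC
    with open(path, "wb") as ep0:  # this write is what makes the kernel enumerate the device on dummy_hcd
        return ep0.write(block)
```

After the write, reads on the same ep0 file return gadgetfs events, and the endpoint files under the mount point carry the bulk traffic.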