Hi,

Andrey Konovalov <andreyknvl@xxxxxxxxxx> writes:
> On Fri, Dec 9, 2016 at 8:20 AM, Greg Kroah-Hartman
> <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
>> On Fri, Dec 09, 2016 at 12:38:23AM +0100, Andrey Konovalov wrote:
>>> Hi,
>>>
>>> I'm working on a way to extend syzkaller [1] to support fuzzing of the
>>> USB subsystem. The idea is to be able to emulate various USB devices
>>> and fuzz communication between the emulated device and the kernel. I'm
>>> looking for a way to emulate devices from userspace. Similar to how
>>> tuntap allows to create virtual network interfaces and emit ethernet
>>> traffic by writing to /dev/net/tun.
>>>
>>> While googling for some information on this I found mentions of
>>> gadgetfs and functionfs. As far as I understand, they allow to turn a
>>> USB host into a gadget and provide a way to communicate with another
>>> host from a userspace application running on the gadget machine.
>>
>> Not quite. They are to drive a USB "gadget" device (i.e. the thing you
>> plug into a USB host, like a keyboard). You use that if you are running
>> Linux inside of that keyboard. Or inside your phone, it uses this
>> interface when talking to your laptop.
>>
>>> There's also usbfs, which allows to communicate with a usb gadget
>>> directly from a userspace application.
>>
>> usbfs is to talk to a USB gadget through the host controller, so you can
>> use it to fuzz a USB gadget driver, if a host driver is not already
>> bound to the device.
>>
>>> Am I right, that none of the above actually fit my needs?
>>
>> No, it should fit your needs just fine. Use the dummy USB gadget
>> controller driver to set up the USB gadget device, and control it that
>> way. It is how many people develop their USB gadget drivers directly on
>> a non-gadget system (like a desktop.)
>
> Hi Greg,
>
> OK, it's starting to make some sense.
> Dummy actually means loopback, correct?

not really, no. Dummy is a SW-only implementation of a virtual host
controller always attached to a virtual peripheral controller.

> Right now whenever I mount gadgetfs I see a dummy_udc file. This
> basically means that I have gadgetfs set up in a loopback mode (since
> I have CONFIG_USB_DUMMY_HCD=y). Now I can write USB device description
> to dummy_udc and the kernel will find an appropriate driver and
> loopback the communication with this driver to the exposed epN files.
> Is my understanding of this correct?

kinda, yeah.

>>> Is there some way to emulate USB devices from a userspace application
>>> via some kernel interface?
>>
>> Yes, use functionfs.
>
> As I understand, the way to write gadget drivers with functionfs is to
> describe something that's called a function by mounting functionfs and
> writing to the files it provides. Then you need to use configfs to
> actually compose these functions into a device.
>
> Is this correct?

right

> What does a function stand for in this context? A USB configuration?

USB CDC ACM, USB Mass Storage, USB NCM, etc. A class.

> How do I enable loopback with functionfs?

you don't need functionfs for g_zero's loopback. just load g_zero

> Are there any advantages of using functionfs over gadgetfs for fuzzing?

nope, from your point of view, you can use either.

-- 
balbi
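The configfs composition described in the thread (a "function" is a class instance such as acm or ffs; configfs links functions into a configuration and binds the whole gadget to a UDC, which with CONFIG_USB_DUMMY_HCD is the dummy UDC), as an added worked example that is not part of the original mail and not syzkaller's or the kernel's own code. The gadget name g_fuzz, the VID/PID 0x1d6b/0x0104, the strings and the UDC name dummy_udc.0 are assumptions for illustration; check /sys/class/udc/ for the UDC name on your machine, and run it as root with configfs mounted.

```shell
#!/bin/sh
# Added example: compose a USB gadget via configfs and bind it to dummy_udc.
# Assumptions: gadget name g_fuzz, VID/PID 0x1d6b/0x0104, UDC name dummy_udc.0
# (verify with: ls /sys/class/udc/). Needs root and a mounted configfs.
set -eu

GADGET_ROOT="${GADGET_ROOT:-/sys/kernel/config/usb_gadget}"

# Create the gadget directory and fill in the device-descriptor attributes the
# host side sees at enumeration. Prints the gadget path.
create_gadget() {
    name="$1"; vid="$2"; pid="$3"
    g="$GADGET_ROOT/$name"
    mkdir -p "$g/strings/0x409" "$g/configs/c.1/strings/0x409"
    echo "$vid"   > "$g/idVendor"
    echo "$pid"   > "$g/idProduct"
    echo "0x0200" > "$g/bcdUSB"                 # USB 2.0
    echo "fuzz-serial-0001" > "$g/strings/0x409/serialnumber"   # assumed values
    echo "syzkaller"        > "$g/strings/0x409/manufacturer"
    echo "emulated gadget"  > "$g/strings/0x409/product"
    echo "config 1"         > "$g/configs/c.1/strings/0x409/configuration"
    echo 120                > "$g/configs/c.1/MaxPower"         # mA
    echo "$g"
}

# Add one function (a class instance: acm.usb0, mass_storage.usb0, ffs.usb0, ...)
# and link it into configuration c.1. The symlink is what composes functions
# into a device; an ffs.* function is what a functionfs userspace program drives.
add_function() {
    g="$1"; func="$2"
    mkdir -p "$g/functions/$func"
    ln -s "$g/functions/$func" "$g/configs/c.1/$func"
}

# Bind the composed gadget to a UDC. With dummy_hcd the virtual host controller
# in the same kernel enumerates it right away, so a host-side driver gets probed.
bind_udc() {
    g="$1"; udc="$2"
    echo "$udc" > "$g/UDC"
}

# Which UDC the gadget is bound to (empty when unbound).
gadget_udc() { cat "$1/UDC"; }

# Tear down in reverse order: unbind, unlink functions, then rmdir leaves first
# (configfs refuses to remove a config while a function is still linked).
destroy_gadget() {
    g="$1"
    echo "" > "$g/UDC"
    for l in "$g"/configs/c.1/*; do
        if [ -L "$l" ]; then rm "$l"; fi
    done
    rmdir "$g"/configs/c.1/strings/0x409 "$g"/configs/c.1
    rmdir "$g"/functions/* "$g"/strings/0x409 "$g"
}

if [ "${1:-}" = "run" ]; then
    G=$(create_gadget g_fuzz 0x1d6b 0x0104)
    add_function "$G" acm.usb0          # host side should then probe cdc_acm
    bind_udc "$G" dummy_udc.0
    echo "bound to: $(gadget_udc "$G")"
fi
```

Run it as `sh gadget.sh run`; afterwards `dmesg` should show the virtual host enumerating the device and `cdc_acm` binding to it, which is exactly the host-side code path a fuzzer would want to reach. Swap `acm.usb0` for `ffs.usb0` (and mount functionfs on the matching directory) when the descriptors and endpoint traffic should come from userspace instead of a kernel function driver.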