On Fri, 9 Dec 2016, Felipe Balbi wrote:

> Hi,
>
> Andrey Konovalov <andreyknvl@xxxxxxxxxx> writes:
> > On Fri, Dec 9, 2016 at 8:20 AM, Greg Kroah-Hartman
> > <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
> >> On Fri, Dec 09, 2016 at 12:38:23AM +0100, Andrey Konovalov wrote:
> >>> Hi,
> >>>
> >>> I'm working on a way to extend syzkaller [1] to support fuzzing of the
> >>> USB subsystem. The idea is to be able to emulate various USB devices
> >>> and fuzz communication between the emulated device and the kernel. I'm
> >>> looking for a way to emulate devices from userspace. Similar to how
> >>> tuntap allows to create virtual network interfaces and emit ethernet
> >>> traffic by writing to /dev/net/tun.
> >>>
> >>> While googling for some information on this I found mentions of
> >>> gadgetfs and functionfs. As far as I understand, they allow to turn a
> >>> USB host into a gadget and provide a way to communicate with another
> >>> host from a userspace application running on the gadget machine.
> >>
> >> Not quite. They are to drive a USB "gadget" device (i.e. the thing you
> >> plug into a USB host, like a keyboard). You use that if you are running
> >> Linux inside of that keyboard. Or inside your phone, it uses this
> >> interface when talking to your laptop.
> >>
> >>> There's also usbfs, which allows to communicate with a usb gadget
> >>> directly from a userspace application.
> >>
> >> usbfs is to talk to a USB gadget through the host controller, so you can
> >> use it to fuzz a USB gadget driver, if a host driver is not already
> >> bound to the device.
> >>
> >>> Am I right, that none of the above actually fit my needs?
> >>
> >> No, it should fit your needs just fine. Use the dummy USB gadget
> >> controller driver to set up the USB gadget device, and control it that
> >> way. It is how many people develop their USB gadget drivers directly on
> >> a non-gadget system (like a desktop.)
> >
> > Hi Greg,
> >
> > OK, it's starting to make some sense.
> > Dummy actually means loopback, correct?
>
> not really, no. Dummy is a SW-only implementation of a virtual host
> controller always attached to a virtual peripheral controller.

It is a loopback, in the sense that data sent by the virtual host
controller is received by the virtual peripheral controller on the same
physical machine, and vice versa. It's a lot like having a USB
peripheral controller, such as a net2280 PCI card, in your computer and
connecting it with a normal USB cable to one of the computer's USB host
ports.

dummy-hcd was written as a development tool. It provides a way to test
gadget drivers without the need for setting up a separate computer to be
the gadget device and without the need for any special USB-peripheral
hardware.

On the other hand, dummy-hcd is not perfect. Its biggest weakness is
that it does not support isochronous transactions.

> > Right now whenever I mount gadgetfs I see a dummy_udc file. This
> > basically means that I have gadgetfs set up in a loopback mode (since
> > I have CONFIG_USB_DUMMY_HCD=y). Now I can write USB device description
> > to dummy_udc and the kernel will find an appropriate driver and
> > loopback the communication with this driver to the exposed epN files.
> > Is my understanding of this correct?
>
> kinda, yeah.
>
> >>> Is there some way to emulate USB devices from a userspace application
> >>> via some kernel interface?
> >>
> >> Yes, use functionfs.
> >
> > As I understand, the way to write gadget drivers with functionfs is to
> > describe something that's called a function by mounting functionfs and
> > writing to the files it provides. Then you need to use configfs to
> > actually compose these functions into a device.
> >
> > Is this correct?
>
> right
>
> > What does a function stands for in this context? A USB configuration?
>
> USB CDC ACM, USB Mass Storage, USB NCM, etc. A class.
>
> > How do I enable loopback with functionfs?
>
> you don't need functionfs for g_zero's loopback. just load g_zero

You may not be using the word "loopback" in the same way. g_zero (a
gadget driver) provides a loopback mode, in which any data sent by the
host to the gadget gets echoed back, over a different endpoint, from the
gadget to the host. Earlier, Andrey described dummy-hcd as providing a
loopback connection, in which the USB gadget and the USB host are the
same physical computer.

functionfs can be used with dummy-hcd, just as gadgetfs can.

> > Are there any advantages of using functionfs over gadgetfs for fuzzing?
>
> nope, from your point of view, you can use either.

There may be one difference: gadgetfs only supports one configuration.
I haven't worked with functionfs, but doesn't it support multiple
configurations?

Alan Stern

--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html