1 // Copyright 2019 The Chromium OS Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 use std::mem::drop; 6 use std::sync::Arc; 7 8 use super::error::*; 9 use super::usb_endpoint::UsbEndpoint; 10 use super::utils::{submit_transfer, update_transfer_state}; 11 use crate::usb::xhci::scatter_gather_buffer::ScatterGatherBuffer; 12 use crate::usb::xhci::xhci_backend_device::{BackendType, UsbDeviceAddress, XhciBackendDevice}; 13 use crate::usb::xhci::xhci_transfer::{XhciTransfer, XhciTransferState, XhciTransferType}; 14 use crate::utils::AsyncJobQueue; 15 use crate::utils::FailHandle; 16 use base::{error, warn}; 17 use data_model::DataInit; 18 use std::collections::HashMap; 19 use std::mem; 20 use sync::Mutex; 21 use usb_util::{ 22 ConfigDescriptorTree, ControlRequestDataPhaseTransferDirection, ControlRequestRecipient, 23 DescriptorHeader, DescriptorType, Device, InterfaceDescriptor, StandardControlRequest, 24 Transfer, TransferStatus, UsbRequestSetup, 25 }; 26 27 #[derive(PartialEq)] 28 pub enum ControlEndpointState { 29 /// Control endpoint should receive setup stage next. 30 SetupStage, 31 /// Control endpoint should receive data stage next. 32 DataStage, 33 /// Control endpoint should receive status stage next. 34 StatusStage, 35 } 36 37 /// Host device is a device connected to host. 38 pub struct HostDevice { 39 fail_handle: Arc<dyn FailHandle>, 40 // Endpoints only contains data endpoints (1 to 30). Control transfers are handled at device 41 // level. 42 endpoints: Vec<UsbEndpoint>, 43 device: Arc<Mutex<Device>>, 44 ctl_ep_state: ControlEndpointState, 45 alt_settings: HashMap<u8, u8>, 46 claimed_interfaces: Vec<u8>, 47 control_request_setup: UsbRequestSetup, 48 executed: bool, 49 job_queue: Arc<AsyncJobQueue>, 50 } 51 52 impl Drop for HostDevice { drop(&mut self)53 fn drop(&mut self) { 54 self.release_interfaces(); 55 } 56 } 57 58 impl HostDevice { 59 /// Create a new host device. new( fail_handle: Arc<dyn FailHandle>, job_queue: Arc<AsyncJobQueue>, device: Arc<Mutex<Device>>, ) -> Result<HostDevice>60 pub fn new( 61 fail_handle: Arc<dyn FailHandle>, 62 job_queue: Arc<AsyncJobQueue>, 63 device: Arc<Mutex<Device>>, 64 ) -> Result<HostDevice> { 65 let mut host_device = HostDevice { 66 fail_handle, 67 endpoints: vec![], 68 device, 69 ctl_ep_state: ControlEndpointState::SetupStage, 70 alt_settings: HashMap::new(), 71 claimed_interfaces: vec![], 72 control_request_setup: UsbRequestSetup::new(0, 0, 0, 0, 0), 73 executed: false, 74 job_queue, 75 }; 76 77 let cur_config = host_device 78 .device 79 .lock() 80 .get_active_configuration() 81 .map_err(Error::GetActiveConfig)?; 82 let config_descriptor = host_device 83 .device 84 .lock() 85 .get_config_descriptor(cur_config) 86 .map_err(Error::GetActiveConfig)?; 87 host_device.claim_interfaces(&config_descriptor); 88 89 Ok(host_device) 90 } 91 92 // Check for requests that should be intercepted and emulated using libusb 93 // functions rather than passed directly to the device. 94 // Returns true if the request has been intercepted or false if the request 95 // should be passed through to the device. intercepted_control_transfer( &mut self, xhci_transfer: &XhciTransfer, buffer: &Option<ScatterGatherBuffer>, ) -> Result<bool>96 fn intercepted_control_transfer( 97 &mut self, 98 xhci_transfer: &XhciTransfer, 99 buffer: &Option<ScatterGatherBuffer>, 100 ) -> Result<bool> { 101 let direction = self.control_request_setup.get_direction(); 102 let recipient = self.control_request_setup.get_recipient(); 103 let standard_request = if let Some(req) = self.control_request_setup.get_standard_request() 104 { 105 req 106 } else { 107 // Unknown control requests will be passed through to the device. 108 return Ok(false); 109 }; 110 111 let (status, bytes_transferred) = match (standard_request, recipient, direction) { 112 ( 113 StandardControlRequest::SetAddress, 114 ControlRequestRecipient::Device, 115 ControlRequestDataPhaseTransferDirection::HostToDevice, 116 ) => { 117 usb_debug!("host device handling set address"); 118 let addr = self.control_request_setup.value as u32; 119 self.set_address(addr); 120 (TransferStatus::Completed, 0) 121 } 122 ( 123 StandardControlRequest::SetConfiguration, 124 ControlRequestRecipient::Device, 125 ControlRequestDataPhaseTransferDirection::HostToDevice, 126 ) => { 127 usb_debug!("host device handling set config"); 128 (self.set_config()?, 0) 129 } 130 ( 131 StandardControlRequest::SetInterface, 132 ControlRequestRecipient::Interface, 133 ControlRequestDataPhaseTransferDirection::HostToDevice, 134 ) => { 135 usb_debug!("host device handling set interface"); 136 (self.set_interface()?, 0) 137 } 138 ( 139 StandardControlRequest::ClearFeature, 140 ControlRequestRecipient::Endpoint, 141 ControlRequestDataPhaseTransferDirection::HostToDevice, 142 ) => { 143 usb_debug!("host device handling clear feature"); 144 (self.clear_feature()?, 0) 145 } 146 ( 147 StandardControlRequest::GetDescriptor, 148 ControlRequestRecipient::Device, 149 ControlRequestDataPhaseTransferDirection::DeviceToHost, 150 ) => { 151 let descriptor_type = (self.control_request_setup.value >> 8) as u8; 152 if descriptor_type == DescriptorType::Configuration as u8 { 153 usb_debug!("host device handling get config descriptor"); 154 let buffer = if let Some(buffer) = buffer { 155 buffer 156 } else { 157 return Err(Error::MissingRequiredBuffer); 158 }; 159 160 self.get_config_descriptor_filtered(buffer)? 161 } else { 162 return Ok(false); 163 } 164 } 165 _ => { 166 // Other requests will be passed through to the device. 167 return Ok(false); 168 } 169 }; 170 171 xhci_transfer 172 .on_transfer_complete(&status, bytes_transferred) 173 .map_err(Error::TransferComplete)?; 174 Ok(true) 175 } 176 execute_control_transfer( &mut self, xhci_transfer: Arc<XhciTransfer>, buffer: Option<ScatterGatherBuffer>, ) -> Result<()>177 fn execute_control_transfer( 178 &mut self, 179 xhci_transfer: Arc<XhciTransfer>, 180 buffer: Option<ScatterGatherBuffer>, 181 ) -> Result<()> { 182 if self.intercepted_control_transfer(&xhci_transfer, &buffer)? { 183 return Ok(()); 184 } 185 186 // Allocate a buffer for the control transfer. 187 // This buffer will hold a UsbRequestSetup struct followed by the data. 188 let control_buffer_len = 189 mem::size_of::<UsbRequestSetup>() + self.control_request_setup.length as usize; 190 let mut control_buffer = vec![0u8; control_buffer_len]; 191 192 // Copy the control request header. 193 control_buffer[..mem::size_of::<UsbRequestSetup>()] 194 .copy_from_slice(self.control_request_setup.as_slice()); 195 196 let direction = self.control_request_setup.get_direction(); 197 let buffer = if direction == ControlRequestDataPhaseTransferDirection::HostToDevice { 198 if let Some(buffer) = buffer { 199 buffer 200 .read(&mut control_buffer[mem::size_of::<UsbRequestSetup>()..]) 201 .map_err(Error::ReadBuffer)?; 202 } 203 // buffer is consumed here for HostToDevice transfers. 204 None 205 } else { 206 // buffer will be used later in the callback for DeviceToHost transfers. 207 buffer 208 }; 209 210 let mut control_transfer = 211 Transfer::new_control(control_buffer).map_err(Error::CreateTransfer)?; 212 213 let tmp_transfer = xhci_transfer.clone(); 214 let callback = move |t: Transfer| { 215 usb_debug!("setup token control transfer callback invoked"); 216 update_transfer_state(&xhci_transfer, &t)?; 217 let state = xhci_transfer.state().lock(); 218 match *state { 219 XhciTransferState::Cancelled => { 220 usb_debug!("transfer cancelled"); 221 drop(state); 222 xhci_transfer 223 .on_transfer_complete(&TransferStatus::Cancelled, 0) 224 .map_err(Error::TransferComplete)?; 225 } 226 XhciTransferState::Completed => { 227 let status = t.status(); 228 let actual_length = t.actual_length(); 229 if direction == ControlRequestDataPhaseTransferDirection::DeviceToHost { 230 if let Some(control_request_data) = 231 t.buffer.get(mem::size_of::<UsbRequestSetup>()..) 232 { 233 if let Some(buffer) = &buffer { 234 buffer 235 .write(control_request_data) 236 .map_err(Error::WriteBuffer)?; 237 } 238 } 239 } 240 drop(state); 241 usb_debug!("transfer completed with actual length {}", actual_length); 242 xhci_transfer 243 .on_transfer_complete(&status, actual_length as u32) 244 .map_err(Error::TransferComplete)?; 245 } 246 _ => { 247 // update_transfer_state is already invoked before match. 248 // This transfer could only be `Cancelled` or `Completed`. 249 // Any other state means there is a bug in crosvm implementation. 250 error!("should not take this branch"); 251 return Err(Error::BadXhciTransferState); 252 } 253 } 254 Ok(()) 255 }; 256 257 let fail_handle = self.fail_handle.clone(); 258 control_transfer.set_callback(move |t: Transfer| match callback(t) { 259 Ok(_) => {} 260 Err(e) => { 261 error!("control transfer callback failed {:?}", e); 262 fail_handle.fail(); 263 } 264 }); 265 submit_transfer( 266 self.fail_handle.clone(), 267 &self.job_queue, 268 tmp_transfer, 269 &mut self.device.lock(), 270 control_transfer, 271 ) 272 } 273 handle_control_transfer(&mut self, transfer: XhciTransfer) -> Result<()>274 fn handle_control_transfer(&mut self, transfer: XhciTransfer) -> Result<()> { 275 let xhci_transfer = Arc::new(transfer); 276 let transfer_type = xhci_transfer 277 .get_transfer_type() 278 .map_err(Error::GetXhciTransferType)?; 279 match transfer_type { 280 XhciTransferType::SetupStage(setup) => { 281 if self.ctl_ep_state != ControlEndpointState::SetupStage { 282 error!("Control endpoint is in an inconsistant state"); 283 return Ok(()); 284 } 285 usb_debug!("setup stage setup buffer: {:?}", setup); 286 self.control_request_setup = setup; 287 xhci_transfer 288 .on_transfer_complete(&TransferStatus::Completed, 0) 289 .map_err(Error::TransferComplete)?; 290 self.ctl_ep_state = ControlEndpointState::DataStage; 291 } 292 XhciTransferType::DataStage(buffer) => { 293 if self.ctl_ep_state != ControlEndpointState::DataStage { 294 error!("Control endpoint is in an inconsistant state"); 295 return Ok(()); 296 } 297 // Requests with a DataStage will be executed here. 298 // Requests without a DataStage will be executed in StatusStage. 299 self.execute_control_transfer(xhci_transfer, Some(buffer))?; 300 self.executed = true; 301 self.ctl_ep_state = ControlEndpointState::StatusStage; 302 } 303 XhciTransferType::StatusStage => { 304 if self.ctl_ep_state == ControlEndpointState::SetupStage { 305 error!("Control endpoint is in an inconsistant state"); 306 return Ok(()); 307 } 308 if self.executed { 309 // Request was already executed during DataStage. 310 // Just complete the StatusStage transfer. 311 xhci_transfer 312 .on_transfer_complete(&TransferStatus::Completed, 0) 313 .map_err(Error::TransferComplete)?; 314 } else { 315 // Execute the request now since there was no DataStage. 316 self.execute_control_transfer(xhci_transfer, None)?; 317 } 318 self.executed = false; 319 self.ctl_ep_state = ControlEndpointState::SetupStage; 320 } 321 _ => { 322 // Non control transfer should not be handled in this function. 323 error!( 324 "Non control {} transfer sent to control endpoint.", 325 transfer_type, 326 ); 327 xhci_transfer 328 .on_transfer_complete(&TransferStatus::Completed, 0) 329 .map_err(Error::TransferComplete)?; 330 } 331 } 332 Ok(()) 333 } 334 set_config(&mut self) -> Result<TransferStatus>335 fn set_config(&mut self) -> Result<TransferStatus> { 336 // It's a standard, set_config, device request. 337 let config = (self.control_request_setup.value & 0xff) as u8; 338 usb_debug!( 339 "Set config control transfer is received with config: {}", 340 config 341 ); 342 self.release_interfaces(); 343 344 let cur_config = match self.device.lock().get_active_configuration() { 345 Ok(c) => Some(c), 346 Err(e) => { 347 // The device may be in the default state, in which case 348 // GET_CONFIGURATION may fail. Assume the device needs to be 349 // reconfigured. 350 usb_debug!("Failed to get active configuration: {}", e); 351 error!("Failed to get active configuration: {}", e); 352 None 353 } 354 }; 355 if Some(config) != cur_config { 356 self.device 357 .lock() 358 .set_active_configuration(config) 359 .map_err(Error::SetActiveConfig)?; 360 } 361 362 let config_descriptor = self 363 .device 364 .lock() 365 .get_config_descriptor(config) 366 .map_err(Error::GetActiveConfig)?; 367 self.claim_interfaces(&config_descriptor); 368 self.create_endpoints(&config_descriptor)?; 369 Ok(TransferStatus::Completed) 370 } 371 set_interface(&mut self) -> Result<TransferStatus>372 fn set_interface(&mut self) -> Result<TransferStatus> { 373 usb_debug!("set interface"); 374 // It's a standard, set_interface, interface request. 375 let interface = self.control_request_setup.index as u8; 376 let alt_setting = self.control_request_setup.value as u8; 377 self.device 378 .lock() 379 .set_interface_alt_setting(interface, alt_setting) 380 .map_err(Error::SetInterfaceAltSetting)?; 381 self.alt_settings.insert(interface, alt_setting); 382 let config = self 383 .device 384 .lock() 385 .get_active_configuration() 386 .map_err(Error::GetActiveConfig)?; 387 let config_descriptor = self 388 .device 389 .lock() 390 .get_config_descriptor(config) 391 .map_err(Error::GetActiveConfig)?; 392 self.create_endpoints(&config_descriptor)?; 393 Ok(TransferStatus::Completed) 394 } 395 clear_feature(&mut self) -> Result<TransferStatus>396 fn clear_feature(&mut self) -> Result<TransferStatus> { 397 usb_debug!("clear feature"); 398 let request_setup = &self.control_request_setup; 399 // It's a standard, clear_feature, endpoint request. 400 const STD_FEATURE_ENDPOINT_HALT: u16 = 0; 401 if request_setup.value == STD_FEATURE_ENDPOINT_HALT { 402 self.device 403 .lock() 404 .clear_halt(request_setup.index as u8) 405 .map_err(Error::ClearHalt)?; 406 } 407 Ok(TransferStatus::Completed) 408 } 409 410 // Execute a Get Descriptor control request with type Configuration. 411 // This function is used to return a filtered version of the host device's configuration 412 // descriptor that only includes the interfaces in `self.claimed_interfaces`. get_config_descriptor_filtered( &mut self, buffer: &ScatterGatherBuffer, ) -> Result<(TransferStatus, u32)>413 fn get_config_descriptor_filtered( 414 &mut self, 415 buffer: &ScatterGatherBuffer, 416 ) -> Result<(TransferStatus, u32)> { 417 let descriptor_index = self.control_request_setup.value as u8; 418 usb_debug!( 419 "get_config_descriptor_filtered config index: {}", 420 descriptor_index, 421 ); 422 423 let config_descriptor = self 424 .device 425 .lock() 426 .get_config_descriptor_by_index(descriptor_index) 427 .map_err(Error::GetConfigDescriptor)?; 428 429 let device = self.device.lock(); 430 let device_descriptor = device.get_device_descriptor_tree(); 431 432 let config_start = config_descriptor.offset(); 433 let config_end = config_start + config_descriptor.wTotalLength as usize; 434 let mut descriptor_data = device_descriptor.raw()[config_start..config_end].to_vec(); 435 436 if config_descriptor.bConfigurationValue 437 == device 438 .get_active_configuration() 439 .map_err(Error::GetActiveConfig)? 440 { 441 for i in 0..config_descriptor.bNumInterfaces { 442 if !self.claimed_interfaces.contains(&i) { 443 // Rewrite descriptors for unclaimed interfaces to vendor-specific class. 444 // This prevents them from being recognized by the guest drivers. 445 let alt_setting = self.alt_settings.get(&i).unwrap_or(&0); 446 let interface = config_descriptor 447 .get_interface_descriptor(i, *alt_setting) 448 .ok_or(Error::GetInterfaceDescriptor(i, *alt_setting))?; 449 let mut interface_data: InterfaceDescriptor = **interface; 450 interface_data.bInterfaceClass = 0xFF; 451 interface_data.bInterfaceSubClass = 0xFF; 452 interface_data.bInterfaceProtocol = 0xFF; 453 454 let interface_start = 455 interface.offset() + mem::size_of::<DescriptorHeader>() - config_start; 456 let interface_end = interface_start + mem::size_of::<InterfaceDescriptor>(); 457 descriptor_data[interface_start..interface_end] 458 .copy_from_slice(interface_data.as_slice()); 459 } 460 } 461 } 462 463 let bytes_transferred = buffer.write(&descriptor_data).map_err(Error::WriteBuffer)?; 464 Ok((TransferStatus::Completed, bytes_transferred as u32)) 465 } 466 claim_interfaces(&mut self, config_descriptor: &ConfigDescriptorTree)467 fn claim_interfaces(&mut self, config_descriptor: &ConfigDescriptorTree) { 468 for i in 0..config_descriptor.num_interfaces() { 469 match self.device.lock().claim_interface(i) { 470 Ok(()) => { 471 usb_debug!("claimed interface {}", i); 472 self.claimed_interfaces.push(i); 473 } 474 Err(e) => { 475 error!("unable to claim interface {}: {:?}", i, e); 476 } 477 } 478 } 479 } 480 create_endpoints(&mut self, config_descriptor: &ConfigDescriptorTree) -> Result<()>481 fn create_endpoints(&mut self, config_descriptor: &ConfigDescriptorTree) -> Result<()> { 482 self.endpoints = Vec::new(); 483 for i in &self.claimed_interfaces { 484 let alt_setting = self.alt_settings.get(i).unwrap_or(&0); 485 let interface = config_descriptor 486 .get_interface_descriptor(*i, *alt_setting) 487 .ok_or(Error::GetInterfaceDescriptor(*i, *alt_setting))?; 488 for ep_idx in 0..interface.bNumEndpoints { 489 let ep_dp = interface 490 .get_endpoint_descriptor(ep_idx) 491 .ok_or(Error::GetEndpointDescriptor(ep_idx))?; 492 let ep_num = ep_dp.get_endpoint_number(); 493 if ep_num == 0 { 494 usb_debug!("endpoint 0 in endpoint descriptors"); 495 continue; 496 } 497 let direction = ep_dp.get_direction(); 498 let ty = ep_dp.get_endpoint_type().ok_or(Error::GetEndpointType)?; 499 self.endpoints.push(UsbEndpoint::new( 500 self.fail_handle.clone(), 501 self.job_queue.clone(), 502 self.device.clone(), 503 ep_num, 504 direction, 505 ty, 506 )); 507 } 508 } 509 Ok(()) 510 } 511 release_interfaces(&mut self)512 fn release_interfaces(&mut self) { 513 for i in &self.claimed_interfaces { 514 if let Err(e) = self.device.lock().release_interface(*i) { 515 error!("could not release interface: {:?}", e); 516 } 517 } 518 self.claimed_interfaces = Vec::new(); 519 } 520 submit_transfer_helper(&mut self, transfer: XhciTransfer) -> Result<()>521 fn submit_transfer_helper(&mut self, transfer: XhciTransfer) -> Result<()> { 522 if transfer.get_endpoint_number() == 0 { 523 return self.handle_control_transfer(transfer); 524 } 525 for ep in &self.endpoints { 526 if ep.match_ep(transfer.get_endpoint_number(), transfer.get_transfer_dir()) { 527 return ep.handle_transfer(transfer); 528 } 529 } 530 warn!("Could not find endpoint for transfer"); 531 transfer 532 .on_transfer_complete(&TransferStatus::Error, 0) 533 .map_err(Error::TransferComplete) 534 } 535 } 536 537 impl XhciBackendDevice for HostDevice { get_backend_type(&self) -> BackendType538 fn get_backend_type(&self) -> BackendType { 539 let d = match self.device.lock().get_device_descriptor() { 540 Ok(d) => d, 541 Err(_) => return BackendType::Usb2, 542 }; 543 544 // See definition of bcdUsb. 545 const USB3_MASK: u16 = 0x0300; 546 match d.bcdUSB & USB3_MASK { 547 USB3_MASK => BackendType::Usb3, 548 _ => BackendType::Usb2, 549 } 550 } 551 get_vid(&self) -> u16552 fn get_vid(&self) -> u16 { 553 match self.device.lock().get_device_descriptor() { 554 Ok(d) => d.idVendor, 555 Err(e) => { 556 error!("cannot get device descriptor: {:?}", e); 557 0 558 } 559 } 560 } 561 get_pid(&self) -> u16562 fn get_pid(&self) -> u16 { 563 match self.device.lock().get_device_descriptor() { 564 Ok(d) => d.idProduct, 565 Err(e) => { 566 error!("cannot get device descriptor: {:?}", e); 567 0 568 } 569 } 570 } 571 submit_transfer(&mut self, transfer: XhciTransfer) -> Result<()>572 fn submit_transfer(&mut self, transfer: XhciTransfer) -> Result<()> { 573 self.submit_transfer_helper(transfer) 574 } 575 set_address(&mut self, _address: UsbDeviceAddress)576 fn set_address(&mut self, _address: UsbDeviceAddress) { 577 // It's a standard, set_address, device request. We do nothing here. As described in XHCI 578 // spec. See set address command ring trb. 579 usb_debug!( 580 "Set address control transfer is received with address: {}", 581 _address 582 ); 583 } 584 reset(&mut self) -> Result<()>585 fn reset(&mut self) -> Result<()> { 586 usb_debug!("resetting host device"); 587 self.device.lock().reset().map_err(Error::Reset) 588 } 589 } 590