1 // Copyright 2019 The ChromiumOS Authors 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 use std::collections::HashMap; 6 use std::mem; 7 use std::mem::drop; 8 use std::sync::Arc; 9 10 use base::error; 11 use base::warn; 12 use sync::Mutex; 13 use usb_util::ConfigDescriptorTree; 14 use usb_util::ControlRequestDataPhaseTransferDirection; 15 use usb_util::ControlRequestRecipient; 16 use usb_util::DescriptorHeader; 17 use usb_util::DescriptorType; 18 use usb_util::Device; 19 use usb_util::DeviceSpeed; 20 use usb_util::InterfaceDescriptor; 21 use usb_util::StandardControlRequest; 22 use usb_util::Transfer; 23 use usb_util::TransferStatus; 24 use usb_util::UsbRequestSetup; 25 use zerocopy::AsBytes; 26 27 use super::error::*; 28 use super::usb_endpoint::UsbEndpoint; 29 use super::utils::submit_transfer; 30 use super::utils::update_transfer_state; 31 use crate::usb::xhci::scatter_gather_buffer::ScatterGatherBuffer; 32 use crate::usb::xhci::xhci_backend_device::BackendType; 33 use crate::usb::xhci::xhci_backend_device::UsbDeviceAddress; 34 use crate::usb::xhci::xhci_backend_device::XhciBackendDevice; 35 use crate::usb::xhci::xhci_transfer::XhciTransfer; 36 use crate::usb::xhci::xhci_transfer::XhciTransferState; 37 use crate::usb::xhci::xhci_transfer::XhciTransferType; 38 use crate::utils::AsyncJobQueue; 39 use crate::utils::FailHandle; 40 41 #[derive(PartialEq, Eq)] 42 pub enum ControlEndpointState { 43 /// Control endpoint should receive setup stage next. 44 SetupStage, 45 /// Control endpoint should receive data stage next. 46 DataStage, 47 /// Control endpoint should receive status stage next. 48 StatusStage, 49 } 50 51 /// Host device is a device connected to host. 52 pub struct HostDevice { 53 fail_handle: Arc<dyn FailHandle>, 54 // Endpoints only contains data endpoints (1 to 30). Control transfers are handled at device 55 // level. 56 endpoints: Vec<UsbEndpoint>, 57 device: Arc<Mutex<Device>>, 58 ctl_ep_state: ControlEndpointState, 59 alt_settings: HashMap<u8, u8>, 60 claimed_interfaces: Vec<u8>, 61 control_request_setup: UsbRequestSetup, 62 executed: bool, 63 initialized: bool, 64 job_queue: Arc<AsyncJobQueue>, 65 } 66 67 impl Drop for HostDevice { drop(&mut self)68 fn drop(&mut self) { 69 self.release_interfaces(); 70 } 71 } 72 73 impl HostDevice { 74 /// Create a new host device. new( fail_handle: Arc<dyn FailHandle>, job_queue: Arc<AsyncJobQueue>, device: Arc<Mutex<Device>>, ) -> Result<HostDevice>75 pub fn new( 76 fail_handle: Arc<dyn FailHandle>, 77 job_queue: Arc<AsyncJobQueue>, 78 device: Arc<Mutex<Device>>, 79 ) -> Result<HostDevice> { 80 let mut host_device = HostDevice { 81 fail_handle, 82 endpoints: vec![], 83 device, 84 ctl_ep_state: ControlEndpointState::SetupStage, 85 alt_settings: HashMap::new(), 86 claimed_interfaces: vec![], 87 control_request_setup: UsbRequestSetup::new(0, 0, 0, 0, 0), 88 executed: false, 89 initialized: false, 90 job_queue, 91 }; 92 93 let cur_config = host_device 94 .device 95 .lock() 96 .get_active_configuration() 97 .map_err(Error::GetActiveConfig)?; 98 let config_descriptor = host_device 99 .device 100 .lock() 101 .get_config_descriptor(cur_config) 102 .map_err(Error::GetActiveConfig)?; 103 host_device.claim_interfaces(&config_descriptor); 104 105 Ok(host_device) 106 } 107 108 // Check for requests that should be intercepted and emulated using libusb 109 // functions rather than passed directly to the device. 110 // Returns true if the request has been intercepted or false if the request 111 // should be passed through to the device. intercepted_control_transfer( &mut self, xhci_transfer: &XhciTransfer, buffer: &Option<ScatterGatherBuffer>, ) -> Result<bool>112 fn intercepted_control_transfer( 113 &mut self, 114 xhci_transfer: &XhciTransfer, 115 buffer: &Option<ScatterGatherBuffer>, 116 ) -> Result<bool> { 117 let direction = self.control_request_setup.get_direction(); 118 let recipient = self.control_request_setup.get_recipient(); 119 let standard_request = if let Some(req) = self.control_request_setup.get_standard_request() 120 { 121 req 122 } else { 123 // Unknown control requests will be passed through to the device. 124 return Ok(false); 125 }; 126 127 let (status, bytes_transferred) = match (standard_request, recipient, direction) { 128 ( 129 StandardControlRequest::SetAddress, 130 ControlRequestRecipient::Device, 131 ControlRequestDataPhaseTransferDirection::HostToDevice, 132 ) => { 133 usb_debug!("host device handling set address"); 134 let addr = self.control_request_setup.value as u32; 135 self.set_address(addr); 136 (TransferStatus::Completed, 0) 137 } 138 ( 139 StandardControlRequest::SetConfiguration, 140 ControlRequestRecipient::Device, 141 ControlRequestDataPhaseTransferDirection::HostToDevice, 142 ) => { 143 usb_debug!("host device handling set config"); 144 (self.set_config()?, 0) 145 } 146 ( 147 StandardControlRequest::SetInterface, 148 ControlRequestRecipient::Interface, 149 ControlRequestDataPhaseTransferDirection::HostToDevice, 150 ) => { 151 usb_debug!("host device handling set interface"); 152 (self.set_interface()?, 0) 153 } 154 ( 155 StandardControlRequest::ClearFeature, 156 ControlRequestRecipient::Endpoint, 157 ControlRequestDataPhaseTransferDirection::HostToDevice, 158 ) => { 159 usb_debug!("host device handling clear feature"); 160 (self.clear_feature()?, 0) 161 } 162 ( 163 StandardControlRequest::GetDescriptor, 164 ControlRequestRecipient::Device, 165 ControlRequestDataPhaseTransferDirection::DeviceToHost, 166 ) => { 167 let descriptor_type = (self.control_request_setup.value >> 8) as u8; 168 if descriptor_type == DescriptorType::Configuration as u8 { 169 usb_debug!("host device handling get config descriptor"); 170 let buffer = if let Some(buffer) = buffer { 171 buffer 172 } else { 173 return Err(Error::MissingRequiredBuffer); 174 }; 175 176 self.get_config_descriptor_filtered(buffer)? 177 } else { 178 return Ok(false); 179 } 180 } 181 _ => { 182 // Other requests will be passed through to the device. 183 return Ok(false); 184 } 185 }; 186 187 xhci_transfer 188 .on_transfer_complete(&status, bytes_transferred) 189 .map_err(Error::TransferComplete)?; 190 Ok(true) 191 } 192 execute_control_transfer( &mut self, xhci_transfer: Arc<XhciTransfer>, buffer: Option<ScatterGatherBuffer>, ) -> Result<()>193 fn execute_control_transfer( 194 &mut self, 195 xhci_transfer: Arc<XhciTransfer>, 196 buffer: Option<ScatterGatherBuffer>, 197 ) -> Result<()> { 198 if self.intercepted_control_transfer(&xhci_transfer, &buffer)? { 199 return Ok(()); 200 } 201 202 // Allocate a buffer for the control transfer. 203 // This buffer will hold a UsbRequestSetup struct followed by the data. 204 let control_buffer_len = 205 mem::size_of::<UsbRequestSetup>() + self.control_request_setup.length as usize; 206 let mut control_buffer = vec![0u8; control_buffer_len]; 207 208 // Copy the control request header. 209 control_buffer[..mem::size_of::<UsbRequestSetup>()] 210 .copy_from_slice(self.control_request_setup.as_bytes()); 211 212 let direction = self.control_request_setup.get_direction(); 213 let buffer = if direction == ControlRequestDataPhaseTransferDirection::HostToDevice { 214 if let Some(buffer) = buffer { 215 buffer 216 .read(&mut control_buffer[mem::size_of::<UsbRequestSetup>()..]) 217 .map_err(Error::ReadBuffer)?; 218 } 219 // buffer is consumed here for HostToDevice transfers. 220 None 221 } else { 222 // buffer will be used later in the callback for DeviceToHost transfers. 223 buffer 224 }; 225 226 let mut control_transfer = 227 Transfer::new_control(control_buffer).map_err(Error::CreateTransfer)?; 228 229 let tmp_transfer = xhci_transfer.clone(); 230 let callback = move |t: Transfer| { 231 usb_debug!("setup token control transfer callback invoked"); 232 update_transfer_state(&xhci_transfer, &t)?; 233 let state = xhci_transfer.state().lock(); 234 match *state { 235 XhciTransferState::Cancelled => { 236 usb_debug!("transfer cancelled"); 237 drop(state); 238 xhci_transfer 239 .on_transfer_complete(&TransferStatus::Cancelled, 0) 240 .map_err(Error::TransferComplete)?; 241 } 242 XhciTransferState::Completed => { 243 let status = t.status(); 244 let actual_length = t.actual_length(); 245 if direction == ControlRequestDataPhaseTransferDirection::DeviceToHost { 246 if let Some(control_request_data) = 247 t.buffer.get(mem::size_of::<UsbRequestSetup>()..) 248 { 249 if let Some(buffer) = &buffer { 250 buffer 251 .write(control_request_data) 252 .map_err(Error::WriteBuffer)?; 253 } 254 } 255 } 256 drop(state); 257 usb_debug!("transfer completed with actual length {}", actual_length); 258 xhci_transfer 259 .on_transfer_complete(&status, actual_length as u32) 260 .map_err(Error::TransferComplete)?; 261 } 262 _ => { 263 // update_transfer_state is already invoked before match. 264 // This transfer could only be `Cancelled` or `Completed`. 265 // Any other state means there is a bug in crosvm implementation. 266 error!("should not take this branch"); 267 return Err(Error::BadXhciTransferState); 268 } 269 } 270 Ok(()) 271 }; 272 273 let fail_handle = self.fail_handle.clone(); 274 control_transfer.set_callback(move |t: Transfer| match callback(t) { 275 Ok(_) => {} 276 Err(e) => { 277 error!("control transfer callback failed {:?}", e); 278 fail_handle.fail(); 279 } 280 }); 281 submit_transfer( 282 self.fail_handle.clone(), 283 &self.job_queue, 284 tmp_transfer, 285 &mut self.device.lock(), 286 control_transfer, 287 ) 288 } 289 handle_control_transfer(&mut self, transfer: XhciTransfer) -> Result<()>290 fn handle_control_transfer(&mut self, transfer: XhciTransfer) -> Result<()> { 291 let xhci_transfer = Arc::new(transfer); 292 let transfer_type = xhci_transfer 293 .get_transfer_type() 294 .map_err(Error::GetXhciTransferType)?; 295 match transfer_type { 296 XhciTransferType::SetupStage(setup) => { 297 if self.ctl_ep_state != ControlEndpointState::SetupStage { 298 error!("Control endpoint is in an inconsistant state"); 299 return Ok(()); 300 } 301 usb_debug!("setup stage setup buffer: {:?}", setup); 302 self.control_request_setup = setup; 303 xhci_transfer 304 .on_transfer_complete(&TransferStatus::Completed, 0) 305 .map_err(Error::TransferComplete)?; 306 self.ctl_ep_state = ControlEndpointState::DataStage; 307 } 308 XhciTransferType::DataStage(buffer) => { 309 if self.ctl_ep_state != ControlEndpointState::DataStage { 310 error!("Control endpoint is in an inconsistant state"); 311 return Ok(()); 312 } 313 // Requests with a DataStage will be executed here. 314 // Requests without a DataStage will be executed in StatusStage. 315 self.execute_control_transfer(xhci_transfer, Some(buffer))?; 316 self.executed = true; 317 self.ctl_ep_state = ControlEndpointState::StatusStage; 318 } 319 XhciTransferType::StatusStage => { 320 if self.ctl_ep_state == ControlEndpointState::SetupStage { 321 error!("Control endpoint is in an inconsistant state"); 322 return Ok(()); 323 } 324 if self.executed { 325 // Request was already executed during DataStage. 326 // Just complete the StatusStage transfer. 327 xhci_transfer 328 .on_transfer_complete(&TransferStatus::Completed, 0) 329 .map_err(Error::TransferComplete)?; 330 } else { 331 // Execute the request now since there was no DataStage. 332 self.execute_control_transfer(xhci_transfer, None)?; 333 } 334 self.executed = false; 335 self.ctl_ep_state = ControlEndpointState::SetupStage; 336 } 337 _ => { 338 // Non control transfer should not be handled in this function. 339 error!( 340 "Non control {} transfer sent to control endpoint.", 341 transfer_type, 342 ); 343 xhci_transfer 344 .on_transfer_complete(&TransferStatus::Completed, 0) 345 .map_err(Error::TransferComplete)?; 346 } 347 } 348 Ok(()) 349 } 350 set_config(&mut self) -> Result<TransferStatus>351 fn set_config(&mut self) -> Result<TransferStatus> { 352 // It's a standard, set_config, device request. 353 let config = (self.control_request_setup.value & 0xff) as u8; 354 usb_debug!( 355 "Set config control transfer is received with config: {}", 356 config 357 ); 358 self.release_interfaces(); 359 360 let cur_config = match self.device.lock().get_active_configuration() { 361 Ok(c) => Some(c), 362 Err(e) => { 363 // The device may be in the default state, in which case 364 // GET_CONFIGURATION may fail. Assume the device needs to be 365 // reconfigured. 366 usb_debug!("Failed to get active configuration: {}", e); 367 error!("Failed to get active configuration: {}", e); 368 None 369 } 370 }; 371 372 let mut need_set_config = true; 373 if !self.initialized { 374 need_set_config = Some(config) != cur_config; 375 self.initialized = true; 376 } 377 378 if need_set_config { 379 self.device 380 .lock() 381 .set_active_configuration(config) 382 .map_err(Error::SetActiveConfig)?; 383 } 384 385 let config_descriptor = self 386 .device 387 .lock() 388 .get_config_descriptor(config) 389 .map_err(Error::GetActiveConfig)?; 390 self.claim_interfaces(&config_descriptor); 391 self.create_endpoints(&config_descriptor)?; 392 Ok(TransferStatus::Completed) 393 } 394 set_interface(&mut self) -> Result<TransferStatus>395 fn set_interface(&mut self) -> Result<TransferStatus> { 396 usb_debug!("set interface"); 397 // It's a standard, set_interface, interface request. 398 let interface = self.control_request_setup.index as u8; 399 let alt_setting = self.control_request_setup.value as u8; 400 self.device 401 .lock() 402 .set_interface_alt_setting(interface, alt_setting) 403 .map_err(Error::SetInterfaceAltSetting)?; 404 self.alt_settings.insert(interface, alt_setting); 405 let config = self 406 .device 407 .lock() 408 .get_active_configuration() 409 .map_err(Error::GetActiveConfig)?; 410 let config_descriptor = self 411 .device 412 .lock() 413 .get_config_descriptor(config) 414 .map_err(Error::GetActiveConfig)?; 415 self.create_endpoints(&config_descriptor)?; 416 Ok(TransferStatus::Completed) 417 } 418 clear_feature(&mut self) -> Result<TransferStatus>419 fn clear_feature(&mut self) -> Result<TransferStatus> { 420 usb_debug!("clear feature"); 421 let request_setup = &self.control_request_setup; 422 // It's a standard, clear_feature, endpoint request. 423 const STD_FEATURE_ENDPOINT_HALT: u16 = 0; 424 if request_setup.value == STD_FEATURE_ENDPOINT_HALT { 425 self.device 426 .lock() 427 .clear_halt(request_setup.index as u8) 428 .map_err(Error::ClearHalt)?; 429 } 430 Ok(TransferStatus::Completed) 431 } 432 433 // Execute a Get Descriptor control request with type Configuration. 434 // This function is used to return a filtered version of the host device's configuration 435 // descriptor that only includes the interfaces in `self.claimed_interfaces`. get_config_descriptor_filtered( &mut self, buffer: &ScatterGatherBuffer, ) -> Result<(TransferStatus, u32)>436 fn get_config_descriptor_filtered( 437 &mut self, 438 buffer: &ScatterGatherBuffer, 439 ) -> Result<(TransferStatus, u32)> { 440 let descriptor_index = self.control_request_setup.value as u8; 441 usb_debug!( 442 "get_config_descriptor_filtered config index: {}", 443 descriptor_index, 444 ); 445 446 let config_descriptor = self 447 .device 448 .lock() 449 .get_config_descriptor_by_index(descriptor_index) 450 .map_err(Error::GetConfigDescriptor)?; 451 452 let device = self.device.lock(); 453 let device_descriptor = device.get_device_descriptor_tree(); 454 455 let config_start = config_descriptor.offset(); 456 let config_end = config_start + config_descriptor.wTotalLength as usize; 457 let mut descriptor_data = device_descriptor.raw()[config_start..config_end].to_vec(); 458 459 if config_descriptor.bConfigurationValue 460 == device 461 .get_active_configuration() 462 .map_err(Error::GetActiveConfig)? 463 { 464 for i in 0..config_descriptor.bNumInterfaces { 465 if !self.claimed_interfaces.contains(&i) { 466 // Rewrite descriptors for unclaimed interfaces to vendor-specific class. 467 // This prevents them from being recognized by the guest drivers. 468 let alt_setting = self.alt_settings.get(&i).unwrap_or(&0); 469 let interface = config_descriptor 470 .get_interface_descriptor(i, *alt_setting) 471 .ok_or(Error::GetInterfaceDescriptor(i, *alt_setting))?; 472 let mut interface_data: InterfaceDescriptor = **interface; 473 interface_data.bInterfaceClass = 0xFF; 474 interface_data.bInterfaceSubClass = 0xFF; 475 interface_data.bInterfaceProtocol = 0xFF; 476 477 let interface_start = 478 interface.offset() + mem::size_of::<DescriptorHeader>() - config_start; 479 let interface_end = interface_start + mem::size_of::<InterfaceDescriptor>(); 480 descriptor_data[interface_start..interface_end] 481 .copy_from_slice(interface_data.as_bytes()); 482 } 483 } 484 } 485 486 let bytes_transferred = buffer.write(&descriptor_data).map_err(Error::WriteBuffer)?; 487 Ok((TransferStatus::Completed, bytes_transferred as u32)) 488 } 489 claim_interfaces(&mut self, config_descriptor: &ConfigDescriptorTree)490 fn claim_interfaces(&mut self, config_descriptor: &ConfigDescriptorTree) { 491 for i in 0..config_descriptor.num_interfaces() { 492 match self.device.lock().claim_interface(i) { 493 Ok(()) => { 494 usb_debug!("claimed interface {}", i); 495 self.claimed_interfaces.push(i); 496 } 497 Err(e) => { 498 error!("unable to claim interface {}: {:?}", i, e); 499 } 500 } 501 } 502 } 503 create_endpoints(&mut self, config_descriptor: &ConfigDescriptorTree) -> Result<()>504 fn create_endpoints(&mut self, config_descriptor: &ConfigDescriptorTree) -> Result<()> { 505 self.endpoints = Vec::new(); 506 for i in &self.claimed_interfaces { 507 let alt_setting = self.alt_settings.get(i).unwrap_or(&0); 508 let interface = config_descriptor 509 .get_interface_descriptor(*i, *alt_setting) 510 .ok_or(Error::GetInterfaceDescriptor(*i, *alt_setting))?; 511 for ep_idx in 0..interface.bNumEndpoints { 512 let ep_dp = interface 513 .get_endpoint_descriptor(ep_idx) 514 .ok_or(Error::GetEndpointDescriptor(ep_idx))?; 515 let ep_num = ep_dp.get_endpoint_number(); 516 if ep_num == 0 { 517 usb_debug!("endpoint 0 in endpoint descriptors"); 518 continue; 519 } 520 let direction = ep_dp.get_direction(); 521 let ty = ep_dp.get_endpoint_type().ok_or(Error::GetEndpointType)?; 522 self.endpoints.push(UsbEndpoint::new( 523 self.fail_handle.clone(), 524 self.job_queue.clone(), 525 self.device.clone(), 526 ep_num, 527 direction, 528 ty, 529 )); 530 } 531 } 532 Ok(()) 533 } 534 release_interfaces(&mut self)535 fn release_interfaces(&mut self) { 536 for i in &self.claimed_interfaces { 537 if let Err(e) = self.device.lock().release_interface(*i) { 538 error!("could not release interface: {:?}", e); 539 } 540 } 541 self.claimed_interfaces = Vec::new(); 542 } 543 submit_transfer_helper(&mut self, transfer: XhciTransfer) -> Result<()>544 fn submit_transfer_helper(&mut self, transfer: XhciTransfer) -> Result<()> { 545 if transfer.get_endpoint_number() == 0 { 546 return self.handle_control_transfer(transfer); 547 } 548 for ep in &self.endpoints { 549 if ep.match_ep(transfer.get_endpoint_number(), transfer.get_transfer_dir()) { 550 return ep.handle_transfer(transfer); 551 } 552 } 553 warn!("Could not find endpoint for transfer"); 554 transfer 555 .on_transfer_complete(&TransferStatus::Error, 0) 556 .map_err(Error::TransferComplete) 557 } 558 } 559 560 impl XhciBackendDevice for HostDevice { get_backend_type(&self) -> BackendType561 fn get_backend_type(&self) -> BackendType { 562 let d = match self.device.lock().get_device_descriptor() { 563 Ok(d) => d, 564 Err(_) => return BackendType::Usb2, 565 }; 566 567 // See definition of bcdUsb. 568 const USB3_MASK: u16 = 0x0300; 569 match d.bcdUSB & USB3_MASK { 570 USB3_MASK => BackendType::Usb3, 571 _ => BackendType::Usb2, 572 } 573 } 574 get_vid(&self) -> u16575 fn get_vid(&self) -> u16 { 576 match self.device.lock().get_device_descriptor() { 577 Ok(d) => d.idVendor, 578 Err(e) => { 579 error!("cannot get device descriptor: {:?}", e); 580 0 581 } 582 } 583 } 584 get_pid(&self) -> u16585 fn get_pid(&self) -> u16 { 586 match self.device.lock().get_device_descriptor() { 587 Ok(d) => d.idProduct, 588 Err(e) => { 589 error!("cannot get device descriptor: {:?}", e); 590 0 591 } 592 } 593 } 594 submit_transfer(&mut self, transfer: XhciTransfer) -> Result<()>595 fn submit_transfer(&mut self, transfer: XhciTransfer) -> Result<()> { 596 self.submit_transfer_helper(transfer) 597 } 598 set_address(&mut self, _address: UsbDeviceAddress)599 fn set_address(&mut self, _address: UsbDeviceAddress) { 600 // It's a standard, set_address, device request. We do nothing here. As described in XHCI 601 // spec. See set address command ring trb. 602 usb_debug!( 603 "Set address control transfer is received with address: {}", 604 _address 605 ); 606 } 607 reset(&mut self) -> Result<()>608 fn reset(&mut self) -> Result<()> { 609 usb_debug!("resetting host device"); 610 self.device.lock().reset().map_err(Error::Reset) 611 } 612 get_speed(&self) -> Option<DeviceSpeed>613 fn get_speed(&self) -> Option<DeviceSpeed> { 614 let speed = self.device.lock().get_speed(); 615 if let Ok(speed) = speed { 616 speed 617 } else { 618 None 619 } 620 } 621 } 622