sys/linux: add basic examples of vusb variants

fellair · fellair · commit 522d67bc1755 · 2025-08-18T13:11:41.000+03:00
This change is the first step in addressing issue [1]. Despite syzkaller's best efforts, some usb drivers are proving resistant to attempts to probe them. Specifically, crafted devices are not accurate enough to bypass checks in probe(). These checks mostly deal with usb interfaces and endpoints. One way to address this issue is to define syz_connect_* calls variants to help syzkaller succeed probing by describing in detail various device attributes. Start by describing such calls for select drivers, each representing its own category of sorts. At the moment, code coverage for these drivers is unimpressive: - rtl8150 Used to succeed probing until a better usb endpoint check was implemented. - sierra_net Same as rtl8150. Depends on usbnet API for bind() and usb ep checks. - lan78xx Requires numerous control requests between driver and device DURING probe. Extra descriptions are helpful but are not enough to fully complete probing process. Also, add a seed for each such example. This is only a stepping stone to improve usb fuzzing results and most likely will be subject to change in the future. [1] #6206
diff --git a/sys/linux/test/vusb_lan78xx b/sys/linux/test/vusb_lan78xx
@@ -0,0 +1,72 @@
+# This seed helps syzkaller to reliably pass the probe() checks for lan78xx driver.
+# As some CTRL requests occur during the probe, a few syz_usb_control_io() calls may
+# be in a weird order or even duplicate.
+
+# TODO: currently, probe does not succeed completely. Most likely, it stems from the fact that
+# the abundance of expected CTRL requests *during* probe is not something syzkaller can handle at the moment.
+# Timing is essential among other things. This should be mitigated by a separate syz_usb_connect pseudo-call 
+# that deals with such requests without syz_usb_control_io.
+
+# Ensure that we pass driver-specific basic usb interface and endpoint checks during initial probe() stages.
+
+r0 = syz_usb_connect$lan78xx(0x5, 0x3f, &(0x7f0000000000)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0x424, 0x7850, 0x0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2d, 0x1, 0x1, 0x0, 0x80, 0xfa, {{0x9, 0x4, 0x0, 0x0, 0x3, 0xff, 0x0, 0x0, 0x0, "", {{0x9, 0x5, 0x81, 0x2, 0x200, 0x0, 0x0, 0x0, ""}, {0x9, 0x5, 0x2, 0x2, 0x200, 0x0, 0x0, 0x0, ""}, {0x9, 0x5, 0x83, 0x3, 0x40, 0x1, 0x0, 0x0, ""}}}}}}]}}, 0x0)
+
+# This is where the fun begins.
+# Functions like lan78xx_bind() and lan78xx_phy_init() in lan78xx_probe() utilize ~50 CTRL requests, both directions, during probe.
+
+# Write to INT_EP_CTL register in lan78xx_setup_irq_domain().
+
+syz_usb_control_io$lan78xx(r0, 0x0, &(0x7f00000003c0)={0x34, &(0x7f0000000140)={0x20, 0x11, 0x0, ""}, 0x0, 0x0, 0x0, 0x0, 0x0})
+
+# Write to HW_CFG register in lan78xx_reset().
+
+syz_usb_control_io$lan78xx(r0, 0x0, &(0x7f0000000780)={0x34, &(0x7f0000000600)={0x40, 0x11, 0x0, ""}, 0x0, 0x0, 0x0, 0x0, 0x0})
+
+# Read from HW_CFG register.
+
+syz_usb_control_io$lan78xx(r0, 0x0, 0x0)
+
+# Write to HW_CFG register.
+
+syz_usb_control_io$lan78xx(r0, 0x0, &(0x7f0000000f00)={0x34, &(0x7f0000000cc0)={0x40, 0x10, 0x0, ""}, 0x0, 0x0, 0x0, 0x0, 0x0})
+
+# Write to RX_ADDRL and RX_ADDRH registers in lan78xx_init_mac_address().
+
+syz_usb_control_io$lan78xx(r0, 0x0, &(0x7f0000001240)={0x34, &(0x7f0000001080)={0x0, 0x6, 0x0, ""}, 0x0, 0x0, 0x0, 0x0, 0x0})
+syz_usb_control_io$lan78xx(r0, 0x0, &(0x7f0000001700)={0x34, &(0x7f0000001500)={0x20, 0x18, 0x1, ')'}, 0x0, 0x0, 0x0, 0x0, 0x0})
+
+# Read from MAF_LO(0) and MAF_HI(0) registers.
+
+syz_usb_control_io$lan78xx(r0, 0x0, 0x0)
+syz_usb_control_io$lan78xx(r0, 0x0, 0x0)
+
+# Write to ID_REV register, back in lan78xx_reset().
+
+syz_usb_control_io$lan78xx(r0, 0x0, &(0x7f0000002180)={0x34, &(0x7f0000000400)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0})
+
+# Write and read to/from USB_CFG0 register.
+
+syz_usb_control_io$lan78xx(r0, 0x0, &(0x7f00000006c0)={0x34, &(0x7f0000000500)={0x0, 0x7, 0x0, ""}, 0x0, 0x0, 0x0, 0x0, 0x0})
+syz_usb_control_io$lan78xx(r0, 0x0, 0x0)
+
+# Write to USB_CFG1 register in lan78xx_init_ltm().
+
+syz_usb_control_io$lan78xx(r0, 0x0, &(0x7f0000002540)={0x34, &(0x7f0000002340)={0x0, 0xf, 0x0, ""}, 0x0, 0x0, 0x0, 0x0, 0x0})
+
+# Read from 6 registers (LTM_BELT_IDLE0 etc.) in a row.
+
+syz_usb_control_io$lan78xx(r0, 0x0, 0x0)
+syz_usb_control_io$lan78xx(r0, 0x0, 0x0)
+syz_usb_control_io$lan78xx(r0, 0x0, 0x0)
+syz_usb_control_io$lan78xx(r0, 0x0, 0x0)
+syz_usb_control_io$lan78xx(r0, 0x0, 0x0)
+syz_usb_control_io$lan78xx(r0, 0x0, 0x0)
+
+# Read from BURST_CAP and BULK_IN_DLY registers in lan78xx_reset().
+
+syz_usb_control_io$lan78xx(r0, 0x0, 0x0)
+syz_usb_control_io$lan78xx(r0, 0x0, 0x0)
+
+# Write to HW_CFG register.
+
+syz_usb_control_io$lan78xx(r0, 0x0, &(0x7f0000000380)={0x34, &(0x7f0000000840)={0x0, 0x0, 0x0, ""}, 0x0, 0x0, 0x0, 0x0, 0x0})
diff --git a/sys/linux/test/vusb_rtl8150 b/sys/linux/test/vusb_rtl8150
@@ -0,0 +1,25 @@
+# This seed helps syzkaller to reliably pass the probe() checks for rtl8150 driver.
+# As some CTRL requests occur during the probe, a few syz_usb_control_io() calls may
+# be in a weird order or even duplicate.
+
+# Ensure that we pass driver-specific basic usb interface and endpoint checks during initial probe() stages.
+
+r0 = syz_usb_connect$rtl8150(0x3, 0x3f, &(0x7f00000003c0)={{0x12, 0x1, 0x110, 0xff, 0xff, 0x0, 0x40, 0xbda, 0x8150, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2d, 0x1, 0x1, 0x5, 0x80, 0x0, {{0x9, 0x4, 0x0, 0x7f, 0x3, 0xff, 0x11, 0x1, 0x5, "", {{0x9, 0x5, 0x81, 0x2, 0x40, 0x6, 0x9, 0x4, ""}, {0x9, 0x5, 0x2, 0x2, 0x20, 0x2, 0x57, 0x6e, ""}, {0x9, 0x5, 0x83, 0x3, 0x240, 0x3, 0x82, 0x8, ""}}}}}}]}}, 0x0)
+
+# During probe, rtl8150_reset() requires reading/writing registers via usb_control_msg(), see:
+# https://elixir.bootlin.com/linux/v6.16/source/drivers/net/usb/rtl8150.c#L316
+
+# The timing of dealing with CTRL requests is very awkward. So as not to fail dealing with registers, these calls come in.
+# They are not directly related to rtl8150 code itself yet seem to be making that the next calls below run on time.
+# TODO: figure out the circumstances fully and consider switching to sleep/nanosleep instead.
+
+syz_usb_control_io$rtl8150(r0, &(0x7f0000000580)={0x14, 0x0, &(0x7f0000000480)={0x0, 0x3, 0x3, @lang_id={0x0, 0x3, 0x0}}}, 0x0)
+syz_usb_control_io$rtl8150(r0, &(0x7f0000002980)={0x14, 0x0, &(0x7f00000028c0)={0x0, 0x3, 0x3, @lang_id={0x0, 0x3, 0x0}}}, 0x0)
+
+# Receive a request via set_registers().
+
+syz_usb_control_io$rtl8150(r0, 0x0, 0x0)
+
+# Send a request via get_registers(). Sent data should make the while{} loop in rtl8150_reset() stop early.
+
+syz_usb_control_io$rtl8150(r0, 0x0, &(0x7f0000004280)={0x2c, 0x0, 0x0, 0x0, 0x0, &(0x7f0000004240)={0x40, 0x5, 0x2, "2bd8"}})
diff --git a/sys/linux/test/vusb_sierra_net b/sys/linux/test/vusb_sierra_net
@@ -0,0 +1,21 @@
+# This seed helps syzkaller to reliably pass the probe() checks for sierra_net driver.
+# As some CTRL requests occur during the probe, a few syz_usb_control_io() calls may
+# be in a weird order or even duplicate.
+
+# Ensure that we pass driver-specific basic usb interface and endpoint checks during initial probe() stages.
+
+r0 = syz_usb_connect$sierra_net(0x0, 0x3f, &(0x7f0000000080)={{0x12, 0x1, 0x200, 0xff, 0xff, 0xff, 0x40, 0x1199, 0x68a3, 0x0, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2d, 0x1, 0x1, 0x0, 0x80, 0xfa, {{0x9, 0x4, 0x7, 0x0, 0x3, 0xff, 0x0, 0x0, 0x0, "", {{0x9, 0x5, 0x43978451d8f6fedb, 0x2, 0x40, 0x2, 0x1b, 0xfe, ""}, {0x9, 0x5, 0x7, 0x2, 0x200, 0xc, 0x77, 0x3, ""}, {0x9, 0x5, 0x81, 0x3, 0x20, 0x0, 0xfd, 0x32, ""}}}}}}]}}, 0x0)
+
+# To pass the probe, at the minumum one has to make the crafted device write to the driver in sierra_net_get_fw_attr(), see:
+# https://elixir.bootlin.com/linux/v6.16/source/drivers/net/usb/sierra_net.c#L636
+# Technically, there are other CTRL requests, such as the ones in sierra_net_dosync() - however, they are allowed to fail, so we can ignore them.
+
+# Seemingly, this call is only here to keep the timing right. 
+# TODO: fix the expected delay with sleep/nanosleep.
+
+syz_usb_control_io$sierra_net(r0, 0x0, 0x0)
+
+# Send a CTRL request to driver concerning firmware data. See:
+# https://elixir.bootlin.com/linux/v6.16/source/drivers/net/usb/sierra_net.c#L743
+
+syz_usb_control_io$sierra_net(r0, &(0x7f0000000100)={0x14, &(0x7f0000000000)={0x20, 0x21, 0x8, {0x8, 0x11, "e4ff14eca81f"}}, 0x0}, 0x0)
diff --git a/sys/linux/vusb.txt b/sys/linux/vusb.txt
@@ -1438,3 +1438,175 @@ htc_frame_flags = HTC_FLAGS_RECV_TRAILER
 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
+
+# Assorted driver-specific descriptions of generic syz_* calls' variants.
+
+# Generic calls such as syz_usb_connect() and syz_usb_control_io() should be enough
+# (in theory) to emulate a proper device and finish driver probes without a hitch.
+# However, there are cases when syzkaller fails to come up with correct inputs to achieve it.
+# Use fixed descriptors to quickly pass through probe() to access select drivers' post-probe functionality.
+
+# It is important to note that, one way or another, drivers in question require multiple control requests
+# between a driver and a device processed during probe(). Descriptions below do not deal with specific
+# CTRL requests as such (except for basic information included in vusb_responses_XXX). Instead, rely on
+# seeds, created both manually and with syzkaller's help. For examples, see sys/linux/test/vusb_XXX.
+
+# Common constants for endpoint descriptors.
+define USB_ENDPOINT_BULK_ATTR	(USB_ENDPOINT_XFER_BULK)
+define USB_ENDPOINT_INT_ATTR	(USB_ENDPOINT_XFER_INT)
+
+define USB_FIXED_ENDPOINT_BULK_IN_ADDR	(1 | USB_DIR_IN)
+define USB_FIXED_ENDPOINT_BULK_OUT_ADDR	(2)
+define USB_FIXED_ENDPOINT_INT_IN_ADDR	(3 | USB_DIR_IN)
+
+define USB_RECIP_DEVICE	0x00
+
+# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
+
+# rtl8150 driver specific descriptions.
+
+resource fd_usb_rtl8150[fd_usb]
+
+syz_usb_connect$rtl8150(speed flags[usb_device_speed], dev_len len[dev], dev ptr[in, usb_device_descriptor_rtl8150], conn_descs const[0]) fd_usb_rtl8150 (timeout[3000], prog_timeout[3000], remote_cover)
+syz_usb_control_io$rtl8150(fd fd_usb_rtl8150, descs ptr[in, vusb_descriptors_rtl8150], resps ptr[in, vusb_responses_rtl8150]) (timeout[300], remote_cover)
+
+usb_device_descriptor_rtl8150 {
+	inner	usb_device_descriptor_fixed_t[0x200, USB_CLASS_VENDOR_SPEC, USB_SUBCLASS_VENDOR_SPEC, 0xff, 64, 0xbda, 0x8150, 0, array[usb_config_descriptor_rtl8150, 1]]
+} [packed]
+
+usb_config_descriptor_rtl8150 {
+	inner	usb_config_descriptor_fixed_t[1, 1, USB_CONFIG_ATT_ONE, 250, usb_interface_descriptor_rtl8150]
+} [packed]
+
+usb_interface_descriptor_rtl8150 {
+	iface	usb_interface_descriptor_fixed_t[0, 0, 3, USB_CLASS_VENDOR_SPEC, 0, 0, void, usb_endpoint_descriptors_rtl8150]
+} [packed]
+
+usb_endpoint_descriptors_rtl8150 {
+	bulk_in		usb_endpoint_descriptor_fixed_t[USB_FIXED_ENDPOINT_BULK_IN_ADDR, USB_ENDPOINT_BULK_ATTR, 512, 0, void]
+	bulk_out	usb_endpoint_descriptor_fixed_t[USB_FIXED_ENDPOINT_BULK_OUT_ADDR, USB_ENDPOINT_BULK_ATTR, 512, 0, void]
+	int_in		usb_endpoint_descriptor_fixed_t[USB_FIXED_ENDPOINT_INT_IN_ADDR, USB_ENDPOINT_INT_ATTR, 64, 1, void]
+} [packed]
+
+vusb_descriptors_rtl8150 {
+	len		len[parent, int32]
+	generic		ptr[in, vusb_descriptor_generic]
+
+	USB_DT_STRING	ptr[in, vusb_descriptor_t[USB_TYPE_STANDARD, USB_DT_STRING, usb_string_descriptor]]
+} [packed]
+
+vusb_responses_rtl8150 {
+	len				len[parent, int32]
+	generic				ptr[in, vusb_response_generic]
+
+	USB_REQ_GET_INTERFACE		ptr[in, vusb_response_t[USB_TYPE_STANDARD, USB_REQ_GET_INTERFACE, int8]]
+	USB_REQ_GET_CONFIGURATION	ptr[in, vusb_response_t[USB_TYPE_STANDARD, USB_REQ_GET_CONFIGURATION, int8]]
+
+	RTL8150_REQ_GET_REGS		ptr[in, vusb_response_t[RTL8150_REQT_READ, RTL8150_REQ_GET_REGS, array[int8, 0:6]]]
+	RTL8150_REQ_SET_REGS		ptr[in, vusb_response_t[RTL8150_REQT_WRITE, RTL8150_REQ_SET_REGS, array[int8, 0:6]]]
+} [packed]
+
+define RTL8150_REQ_GET_REGS	0x05
+define RTL8150_REQ_SET_REGS	0x05
+define RTL8150_REQT_READ	0xc0
+define RTL8150_REQT_WRITE	0x40
+
+# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
+
+# sierra_net driver specific descriptions.
+
+resource fd_usb_sierra_net[fd_usb]
+
+syz_usb_connect$sierra_net(speed flags[usb_device_speed], dev_len len[dev], dev ptr[in, usb_device_descriptor_sierra_net], conn_descs const[0]) fd_usb_sierra_net (timeout[3000], prog_timeout[3000], remote_cover)
+syz_usb_control_io$sierra_net(fd fd_usb_sierra_net, descs ptr[in, vusb_descriptors_sierra_net], resps ptr[in, vusb_responses_sierra_net]) (timeout[300], remote_cover)
+
+usb_device_descriptor_sierra_net {
+	inner	usb_device_descriptor_fixed_t[0x200, USB_CLASS_VENDOR_SPEC, USB_SUBCLASS_VENDOR_SPEC, 0xff, 64, 0x1199, 0x68a3, 0, array[usb_config_descriptor_sierra_net, 1]]
+} [packed]
+
+usb_config_descriptor_sierra_net {
+	inner	usb_config_descriptor_fixed_t[1, 1, USB_CONFIG_ATT_ONE, 250, usb_interface_descriptor_sierra_net]
+} [packed]
+
+usb_interface_descriptor_sierra_net {
+	iface	usb_interface_descriptor_fixed_t[7, 0, 3, USB_CLASS_VENDOR_SPEC, 0, 0, void, usb_endpoint_descriptors_sierra_net]
+} [packed]
+
+# sierra_net driver does not expect fixed ep addresses, so refrain from being too specific here.
+# As long as we ensure there are 3 endpoints, 2 bulk and 1 int, syzkaller should figure it out.
+usb_endpoint_descriptors_sierra_net {
+	bulk_in		usb_endpoint_descriptor_t[flags[usb_endpoint_addresses, int8], const[USB_ENDPOINT_BULK_ATTR, int8], void]
+	bulk_out	usb_endpoint_descriptor_t[flags[usb_endpoint_addresses, int8], const[USB_ENDPOINT_BULK_ATTR, int8], void]
+	status		usb_endpoint_descriptor_t[flags[usb_endpoint_addresses, int8], const[USB_ENDPOINT_INT_ATTR, int8], void]
+} [packed]
+
+vusb_descriptors_sierra_net {
+	len		len[parent, int32]
+	generic		ptr[in, vusb_descriptor_generic]
+
+	USB_DT_STRING	ptr[in, vusb_descriptor_t[USB_TYPE_STANDARD, USB_DT_STRING, usb_string_descriptor]]
+} [packed]
+
+vusb_responses_sierra_net {
+	len					len[parent, int32]
+	generic					ptr[in, vusb_response_generic]
+
+	USB_CDC_GET_ENCAPSULATED_RESPONSE	ptr[in, vusb_response_t[SIERRA_CMD_TYPE_IN, USB_CDC_GET_ENCAPSULATED_RESPONSE, array[int8, 1024]]]
+	USB_CDC_SEND_ENCAPSULATED_COMMANDT	ptr[in, vusb_response_t[SIERRA_CMD_TYPE_OUT, USB_CDC_SEND_ENCAPSULATED_COMMAND, array[int8, 0:4]]]
+} [packed]
+
+define SIERRA_CMD_TYPE_IN	(USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE)
+define SIERRA_CMD_TYPE_OUT	(USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE)
+
+# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
+
+# lan78xx driver specific descriptions.
+# While these syz_* variants noticably help with the probe() process, they are not enough.
+# This is due to a high number of control requests expected between the driver and the device.
+
+include <drivers/net/usb/smsc95xx.h>
+
+resource fd_usb_lan78xx[fd_usb]
+
+syz_usb_connect$lan78xx(speed flags[usb_device_speed], dev_len len[dev], dev ptr[in, usb_device_descriptor_lan78xx], conn_descs const[0]) fd_usb_lan78xx (timeout[3000], prog_timeout[3000], remote_cover)
+syz_usb_control_io$lan78xx(fd fd_usb_lan78xx, descs ptr[in, vusb_descriptors_lan78xx], resps ptr[in, vusb_responses_lan78xx]) (timeout[300], remote_cover)
+
+usb_device_descriptor_lan78xx {
+	inner	usb_device_descriptor_fixed_t[0x200, USB_CLASS_VENDOR_SPEC, USB_SUBCLASS_VENDOR_SPEC, 0xff, 64, 0x424, 0x7850, 0, array[usb_config_descriptor_lan78xx, 1]]
+} [packed]
+
+usb_config_descriptor_lan78xx {
+	inner	usb_config_descriptor_fixed_t[1, 1, USB_CONFIG_ATT_ONE, 250, usb_interface_descriptor_lan78xx]
+} [packed]
+
+usb_interface_descriptor_lan78xx {
+	iface	usb_interface_descriptor_fixed_t[0, 0, 3, USB_CLASS_VENDOR_SPEC, 0, 0, void, usb_endpoint_descriptors_lan78xx]
+} [packed]
+
+usb_endpoint_descriptors_lan78xx {
+	bulk_in		usb_endpoint_descriptor_fixed_t[USB_FIXED_ENDPOINT_BULK_IN_ADDR, USB_ENDPOINT_BULK_ATTR, 512, 0, void]
+	bulk_out	usb_endpoint_descriptor_fixed_t[USB_FIXED_ENDPOINT_BULK_OUT_ADDR, USB_ENDPOINT_BULK_ATTR, 512, 0, void]
+	int_in		usb_endpoint_descriptor_fixed_t[USB_FIXED_ENDPOINT_INT_IN_ADDR, USB_ENDPOINT_INT_ATTR, 64, 1, void]
+} [packed]
+
+vusb_descriptors_lan78xx {
+	len		len[parent, int32]
+	generic		ptr[in, vusb_descriptor_generic]
+
+	USB_DT_STRING	ptr[in, vusb_descriptor_t[USB_TYPE_STANDARD, USB_DT_STRING, usb_string_descriptor]]
+} [packed]
+
+vusb_responses_lan78xx {
+	len					len[parent, int32]
+	generic					ptr[in, vusb_response_generic]
+
+	USB_REQ_GET_INTERFACE			ptr[in, vusb_response_t[USB_TYPE_STANDARD, USB_REQ_GET_INTERFACE, int8]]
+	USB_REQ_GET_CONFIGURATION		ptr[in, vusb_response_t[USB_TYPE_STANDARD, USB_REQ_GET_CONFIGURATION, int8]]
+
+	USB_VENDOR_REQUEST_READ_REGISTER	ptr[in, vusb_response_t[LAN78XX_REG_TYPE_IN, USB_VENDOR_REQUEST_READ_REGISTER, int32]]
+	USB_VENDOR_REQUEST_WRITE_REGISTER	ptr[in, vusb_response_t[LAN78XX_REG_TYPE_OUT, USB_VENDOR_REQUEST_WRITE_REGISTER, int32]]
+	USB_VENDOR_REQUEST_GET_STATS		ptr[in, vusb_response_t[LAN78XX_REG_TYPE_IN, USB_VENDOR_REQUEST_GET_STATS, array[int8, 47]]]
+} [packed]
+
+define LAN78XX_REG_TYPE_IN	(USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE)
+define LAN78XX_REG_TYPE_OUT	(USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE)
diff --git a/sys/linux/vusb.txt.const b/sys/linux/vusb.txt.const
@@ -73,6 +73,14 @@ HUB_CHAR_PORTIND = 128
 HUB_CHAR_TTTT = 96
 HUB_STATUS_LOCAL_POWER = 1
 HUB_STATUS_OVERCURRENT = 2
+LAN78XX_REG_TYPE_IN = 192
+LAN78XX_REG_TYPE_OUT = 64
+RTL8150_REQT_READ = 192
+RTL8150_REQT_WRITE = 64
+RTL8150_REQ_GET_REGS = 5
+RTL8150_REQ_SET_REGS = 5
+SIERRA_CMD_TYPE_IN = 161
+SIERRA_CMD_TYPE_OUT = 33
 UAC1_EXTENSION_UNIT = 8
 UAC1_PROCESSING_UNIT = 7
 UAC_AS_GENERAL = 1
@@ -162,6 +170,7 @@ USB_CDC_COUNTRY_TYPE = 7
 USB_CDC_DMM_TYPE = 20
 USB_CDC_ETHERNET_TYPE = 15
 USB_CDC_GET_CRC_MODE = 137
+USB_CDC_GET_ENCAPSULATED_RESPONSE = 1
 USB_CDC_GET_MAX_DATAGRAM_SIZE = 135
 USB_CDC_GET_NTB_FORMAT = 131
 USB_CDC_GET_NTB_INPUT_SIZE = 133
@@ -181,6 +190,7 @@ USB_CDC_NCM_TYPE = 26
 USB_CDC_NETWORK_TERMINAL_TYPE = 10
 USB_CDC_OBEX_TYPE = 21
 USB_CDC_PROTO_NONE = 0
+USB_CDC_SEND_ENCAPSULATED_COMMAND = 0
 USB_CDC_SUBCLASS_ETHERNET = 6
 USB_CDC_SUBCLASS_NCM = 13
 USB_CDC_UNION_TYPE = 6
@@ -235,6 +245,7 @@ USB_ENDPOINT_ATH9K_BULK_OUT_ADDRESS = 1
 USB_ENDPOINT_ATH9K_INT_ATTRIBUTES = 3
 USB_ENDPOINT_ATH9K_INT_IN_ADDRESS = 131
 USB_ENDPOINT_ATH9K_INT_OUT_ADDRESS = 4
+USB_ENDPOINT_BULK_ATTR = 2
 USB_ENDPOINT_CDC_ECM_DATA_ATTRIBUTES = 2
 USB_ENDPOINT_CDC_ECM_IN_ADDRESS = 130
 USB_ENDPOINT_CDC_ECM_NOTIFY_ADDRESS = 129
@@ -245,6 +256,7 @@ USB_ENDPOINT_HID_IN_ADDRESS = 129
 USB_ENDPOINT_HID_OUT_ADDRESS = 2
 USB_ENDPOINT_INTR_NOTIFICATION = 16
 USB_ENDPOINT_INTR_PERIODIC = 0
+USB_ENDPOINT_INT_ATTR = 3
 USB_ENDPOINT_PRINTER_ATTRIBUTES = 2
 USB_ENDPOINT_PRINTER_IN_ADDRESS = 130
 USB_ENDPOINT_PRINTER_OUT_ADDRESS = 1
@@ -265,6 +277,9 @@ USB_EXT_PORT_STAT_RX_LANES = 3840
 USB_EXT_PORT_STAT_RX_SPEED_ID = 15
 USB_EXT_PORT_STAT_TX_LANES = 61440
 USB_EXT_PORT_STAT_TX_SPEED_ID = 240
+USB_FIXED_ENDPOINT_BULK_IN_ADDR = 129
+USB_FIXED_ENDPOINT_BULK_OUT_ADDR = 2
+USB_FIXED_ENDPOINT_INT_IN_ADDR = 131
 USB_FULL_SPEED_OPERATION = 2
 USB_HIGH_SPEED_OPERATION = 4
 USB_HUB_PORTS_BITS = 4
@@ -297,6 +312,7 @@ USB_PORT_STAT_SPEED_5GBPS = 0
 USB_PORT_STAT_SUSPEND = 4
 USB_PORT_STAT_TEST = 2048
 USB_PTM_CAP_TYPE = 11
+USB_RECIP_DEVICE = 0
 USB_REQ_CLEAR_FEATURE = 1
 USB_REQ_GET_BATTERY_STATUS = 21
 USB_REQ_GET_CONFIGURATION = 8
@@ -366,6 +382,9 @@ USB_SUBCLASS_VENDOR_SPEC = 255
 USB_TYPE_CLASS = 32
 USB_TYPE_STANDARD = 0
 USB_TYPE_VENDOR = 64
+USB_VENDOR_REQUEST_GET_STATS = 162
+USB_VENDOR_REQUEST_READ_REGISTER = 161
+USB_VENDOR_REQUEST_WRITE_REGISTER = 160
 USB_WIRELESS_BEACON_DIRECTED = 8
 USB_WIRELESS_BEACON_MASK = 12
 USB_WIRELESS_BEACON_NONE = 12
