如何创建 IOUSBHostPipe::CompleteAsyncIO 回调?
How to create a IOUSBHostPipe::CompleteAsyncIO callback?
我正在编写一个 SystemExtension 来与 USB 设备通信。我最初的计划是创建一个 class Transfer 来分配必要的 IOMemoryDescriptor, and then pass the interface that I want the Transfer class to communicate with. I would like to have the callback resulting from AsyncIO completing to be made to the Transfer class. If I need to queue up multiple reads I could then create more instances of this class. In the callback completeCallback I would then unpack the data and then submit another read.
我用 OSTypeAlloc(Transfer) 创建 Transfer class。
我面临的问题是创建 OSAction 失败并显示此堆栈跟踪:
0 libsystem_kernel.dylib 0x000000010df950ce __pthread_kill + 10
1 libsystem_pthread.dylib 0x000000010e07cf6a pthread_kill + 152
2 libsystem_c.dylib 0x000000010df2c3a0 abort + 120
3 com.apple.DriverKit 0x000000010dc9124b __assert_rtn + 102
4 com.apple.DriverKit 0x000000010dc91a34 OSCopyOutObjects(IOUserServer_IVars*, IORPCMessageMach*, IORPCMessage*, bool) (.cold.4) + 35
5 com.apple.DriverKit 0x000000010dc7a2ff OSCopyOutObjects(IOUserServer_IVars*, IORPCMessageMach*, IORPCMessage*, bool) + 328
6 com.apple.DriverKit 0x000000010dc79126 InvokeRemote(IOUserServer_IVars*, unsigned long long, IORPC) + 159
7 com.apple.DriverKit 0x000000010dc796b6 OSMetaClassBase::Invoke(IORPC) + 754
8 com.apple.DriverKit 0x000000010dc90048 OSAction::Create_Call(OSObject*, unsigned long long, unsigned long long, unsigned long, OSAction**) + 212
9 com.apple.DriverKit 0x000000010dc7ca15 OSAction::Create(OSObject*, unsigned long long, unsigned long long, unsigned long, OSAction**) + 37
10 sc.example.MyUserUSBInterfaceDriver 0x000000010dc3bffc Transfer::CreateActioncompleteCallback(unsigned long, OSAction**) + 60 (Transfer.iig.cpp:175)
11 sc.example.MyUserUSBInterfaceDriver 0x000000010dc34e6e Transfer::setup(IOUSBHostInterface*, int, int) + 638 (Transfer.cpp:53)
如果我改为在连接 USB 设备时由系统实例化的 class 中定义、实现和创建回调(此 class 在 plist 中指定使用键 IOUserClass),然后创建 OSAction 对象工作正常。
对 IOUSBHostInterface::Open 的调用是从 IOUserClass 传递指向 IOUserClass 的指针作为 Open 的第一个参数进行的。这样做应该可以吗?或者是否要求 IOService 对象也是从 AsyncIO.
接收回调的同一对象
class Transfer : public OSObject {
public:
bool init() override;
void free() override;
bool setup(IOUSBHostInterface* interface, int endpointAddress, int maxPacketSize) LOCALONLY;
bool submit() LOCALONLY;
protected:
virtual void completeCallback(OSAction* action,
IOReturn status,
uint32_t actualByteCount,
uint64_t completionTimestamp) TYPE(IOUSBHostPipe::CompleteAsyncIO);
};
struct Transfer_IVars {
IOUSBHostInterface* interface;
int maxPacketSize;
IOUSBHostPipe* pipe;
IOBufferMemoryDescriptor* buffer;
OSAction* ioCompleteCallback;
};
bool Transfer::init() {
LOG_DEBUG();
if (!super::init()) {
LOG_ERROR("super::init failed");
}
if (ivars = IONewZero(Transfer_IVars, 1); ivars == nullptr) {
LOG_ERROR("Allocating ivars failed");
return false;
}
return true;
}
void Transfer::free() {
LOG_DEBUG();
IOSafeDeleteNULL(ivars, Transfer_IVars, 1);
super::free();
}
bool Transfer::setup(IOUSBHostInterface* interface, int endpointAddress,
int maxPacketSize) {
ivars->interface = interface;
ivars->maxPacketSize = maxPacketSize;
if (auto ret = interface->CopyPipe(endpointAddress, &ivars->pipe);
ret != kIOReturnSuccess) {
LOG_ERROR("Could not copy pipe: %{public}s, endpointAddress: %{public}d",
kern_return_t_toCStr(ret), endpointAddress);
}
if (auto ret =
interface->CreateIOBuffer(kIOMemoryDirectionIn, maxPacketSize, &ivars->buffer);
ret != kIOReturnSuccess) {
LOG_ERROR("CreateIOBuffer failed, ret: %{public}d", ret);
return false;
}
if (auto ret = CreateActioncompleteCallback(0, &ivars->ioCompleteCallback);
ret != kIOReturnSuccess) {
LOG_ERROR("Failed to set iocomplete callback, ret: %{public}d", ret);
return false;
}
return true;
}
bool Transfer::submit() {
if (auto ret = ivars->pipe->AsyncIO(ivars->buffer, ivars->maxPacketSize,
ivars->ioCompleteCallback, 0);
ret != kIOReturnSuccess) {
LOG_ERROR("Failed to call AsyncIO, ret: %{public}d", ret);
return false;
}
return true;
}
void IMPL(Transfer, completeCallback) {
LOG_DEBUG(
"Complete callback bytecount %{public}d, timestamp: %{public}llu, status %{public}s",
actualByteCount, completionTimestamp, kern_return_t_toCStr(status));
// TODO Unpack and then schedule another read.
}
您可能已经发现,这在任何地方都没有记录。然而,根据我的实验,我得到的印象是 OSAction 基本上是 IPC 消息的包装器。如果为真,则意味着操作的目标对象必须在内核和 dext 上下文中都有表示,以便内核向其发送消息是有意义的。
使用 OSTypeAlloc() 创建的对象似乎不是这种情况,因为它只是在 dext 中创建了一个对象。似乎只有使用 IOService::Create 创建的对象才能在两种上下文中获得表示。这个函数只适用于 IOService 个子类,当然这些子类是相当重量级的。
我的建议是通过主驱动程序对象或用户客户端对象中的完成方法发送 I/O 完成,并在该完成方法中将调用转发给实际发起 I/O.您可以将任意数据存储在 OSAction 中,方法是将 sizeof(some_struct) 作为第一个参数传递给创建它的 CreateAction… 调用,然后使用
获取指向该结构的指针
some_struct* my_context = static_cast<some_struct*>(action->GetReference());
你可以放一个普通的函数指针和指向最终目标的指针,或者任何你喜欢的东西。
我认为传递给接口或设备的 Open() 函数的客户端对象不需要与用于 I/O 回调的 OSAction 的目标相同。它们都需要是 kernel/dext 阴影对象,但它们可以是不同的对象。
我正在编写一个 SystemExtension 来与 USB 设备通信。我最初的计划是创建一个 class Transfer 来分配必要的 IOMemoryDescriptor, and then pass the interface that I want the Transfer class to communicate with. I would like to have the callback resulting from AsyncIO completing to be made to the Transfer class. If I need to queue up multiple reads I could then create more instances of this class. In the callback completeCallback I would then unpack the data and then submit another read.
我用 OSTypeAlloc(Transfer) 创建 Transfer class。
我面临的问题是创建 OSAction 失败并显示此堆栈跟踪:
0 libsystem_kernel.dylib 0x000000010df950ce __pthread_kill + 10
1 libsystem_pthread.dylib 0x000000010e07cf6a pthread_kill + 152
2 libsystem_c.dylib 0x000000010df2c3a0 abort + 120
3 com.apple.DriverKit 0x000000010dc9124b __assert_rtn + 102
4 com.apple.DriverKit 0x000000010dc91a34 OSCopyOutObjects(IOUserServer_IVars*, IORPCMessageMach*, IORPCMessage*, bool) (.cold.4) + 35
5 com.apple.DriverKit 0x000000010dc7a2ff OSCopyOutObjects(IOUserServer_IVars*, IORPCMessageMach*, IORPCMessage*, bool) + 328
6 com.apple.DriverKit 0x000000010dc79126 InvokeRemote(IOUserServer_IVars*, unsigned long long, IORPC) + 159
7 com.apple.DriverKit 0x000000010dc796b6 OSMetaClassBase::Invoke(IORPC) + 754
8 com.apple.DriverKit 0x000000010dc90048 OSAction::Create_Call(OSObject*, unsigned long long, unsigned long long, unsigned long, OSAction**) + 212
9 com.apple.DriverKit 0x000000010dc7ca15 OSAction::Create(OSObject*, unsigned long long, unsigned long long, unsigned long, OSAction**) + 37
10 sc.example.MyUserUSBInterfaceDriver 0x000000010dc3bffc Transfer::CreateActioncompleteCallback(unsigned long, OSAction**) + 60 (Transfer.iig.cpp:175)
11 sc.example.MyUserUSBInterfaceDriver 0x000000010dc34e6e Transfer::setup(IOUSBHostInterface*, int, int) + 638 (Transfer.cpp:53)
如果我改为在连接 USB 设备时由系统实例化的 class 中定义、实现和创建回调(此 class 在 plist 中指定使用键 IOUserClass),然后创建 OSAction 对象工作正常。
对 IOUSBHostInterface::Open 的调用是从 IOUserClass 传递指向 IOUserClass 的指针作为 Open 的第一个参数进行的。这样做应该可以吗?或者是否要求 IOService 对象也是从 AsyncIO.
class Transfer : public OSObject {
public:
bool init() override;
void free() override;
bool setup(IOUSBHostInterface* interface, int endpointAddress, int maxPacketSize) LOCALONLY;
bool submit() LOCALONLY;
protected:
virtual void completeCallback(OSAction* action,
IOReturn status,
uint32_t actualByteCount,
uint64_t completionTimestamp) TYPE(IOUSBHostPipe::CompleteAsyncIO);
};
struct Transfer_IVars {
IOUSBHostInterface* interface;
int maxPacketSize;
IOUSBHostPipe* pipe;
IOBufferMemoryDescriptor* buffer;
OSAction* ioCompleteCallback;
};
bool Transfer::init() {
LOG_DEBUG();
if (!super::init()) {
LOG_ERROR("super::init failed");
}
if (ivars = IONewZero(Transfer_IVars, 1); ivars == nullptr) {
LOG_ERROR("Allocating ivars failed");
return false;
}
return true;
}
void Transfer::free() {
LOG_DEBUG();
IOSafeDeleteNULL(ivars, Transfer_IVars, 1);
super::free();
}
bool Transfer::setup(IOUSBHostInterface* interface, int endpointAddress,
int maxPacketSize) {
ivars->interface = interface;
ivars->maxPacketSize = maxPacketSize;
if (auto ret = interface->CopyPipe(endpointAddress, &ivars->pipe);
ret != kIOReturnSuccess) {
LOG_ERROR("Could not copy pipe: %{public}s, endpointAddress: %{public}d",
kern_return_t_toCStr(ret), endpointAddress);
}
if (auto ret =
interface->CreateIOBuffer(kIOMemoryDirectionIn, maxPacketSize, &ivars->buffer);
ret != kIOReturnSuccess) {
LOG_ERROR("CreateIOBuffer failed, ret: %{public}d", ret);
return false;
}
if (auto ret = CreateActioncompleteCallback(0, &ivars->ioCompleteCallback);
ret != kIOReturnSuccess) {
LOG_ERROR("Failed to set iocomplete callback, ret: %{public}d", ret);
return false;
}
return true;
}
bool Transfer::submit() {
if (auto ret = ivars->pipe->AsyncIO(ivars->buffer, ivars->maxPacketSize,
ivars->ioCompleteCallback, 0);
ret != kIOReturnSuccess) {
LOG_ERROR("Failed to call AsyncIO, ret: %{public}d", ret);
return false;
}
return true;
}
void IMPL(Transfer, completeCallback) {
LOG_DEBUG(
"Complete callback bytecount %{public}d, timestamp: %{public}llu, status %{public}s",
actualByteCount, completionTimestamp, kern_return_t_toCStr(status));
// TODO Unpack and then schedule another read.
}
您可能已经发现,这在任何地方都没有记录。然而,根据我的实验,我得到的印象是 OSAction 基本上是 IPC 消息的包装器。如果为真,则意味着操作的目标对象必须在内核和 dext 上下文中都有表示,以便内核向其发送消息是有意义的。
使用 OSTypeAlloc() 创建的对象似乎不是这种情况,因为它只是在 dext 中创建了一个对象。似乎只有使用 IOService::Create 创建的对象才能在两种上下文中获得表示。这个函数只适用于 IOService 个子类,当然这些子类是相当重量级的。
我的建议是通过主驱动程序对象或用户客户端对象中的完成方法发送 I/O 完成,并在该完成方法中将调用转发给实际发起 I/O.您可以将任意数据存储在 OSAction 中,方法是将 sizeof(some_struct) 作为第一个参数传递给创建它的 CreateAction… 调用,然后使用
some_struct* my_context = static_cast<some_struct*>(action->GetReference());
你可以放一个普通的函数指针和指向最终目标的指针,或者任何你喜欢的东西。
我认为传递给接口或设备的 Open() 函数的客户端对象不需要与用于 I/O 回调的 OSAction 的目标相同。它们都需要是 kernel/dext 阴影对象,但它们可以是不同的对象。