A deep dive into how Linux handles USB hotplug events under the hood. When a device is plugged in, the kernel sends notifications via netlink (a BSD-socket-like API). udev listens to these kernel netlink messages and then re-broadcasts its own udev events — also via netlink — to userspace programs. The post covers the udev event format (including its stable magic version 0xfeedcafe), how a bloom filter is used to quickly discard irrelevant events, and provides example code for listening to both raw kernel netlink messages and udev events. Some security nuances remain unexplained.
Sort: