Race condition in /proc/bus/usb + hotplug

To: debian-devel@lists.debian.org
Cc: debian-user@lists.debian.org, Marco d'Itri <md@linux.it>, Fumitoshi UKAI <ukai@debian.or.jp>
Subject: Race condition in /proc/bus/usb + hotplug
From: Henrique de Moraes Holschuh <hmh@debian.org>
Date: Tue, 4 Oct 2005 02:24:05 -0300
Message-id: <[🔎] 20051004052405.GF32046@khazad-dum.debian.net>
Mail-followup-to: debian-devel@lists.debian.org
Reply-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] fb3eb65c0510032045s1416be1fu547cf4f41c1d98f7@mail.gmail.com>
References: <[🔎] fb3eb65c0510031852i67510a17t876c986703f8690d@mail.gmail.com> <[🔎] 20051004032549.GE32046@khazad-dum.debian.net> <[🔎] fb3eb65c0510032045s1416be1fu547cf4f41c1d98f7@mail.gmail.com>

I am taking this thread to debian-devel.  Please direct replies there, as
per the reply-to and mail-followup-to headers.  Please remove debian-user
from any further replies.

Marco, Ukai-san, here is a short synopsis of the problem:
   1. User hotplugs an USB camera device.
   2. Kernel creates usbfs notes for the device, with generic onwership and
      permissions (lsusb shows the camera on the listing)
   3. hotplug usb.agent gets run and changes permissions and modes
   4. lsusb cannot reach the camera anymore, and doesn't list it.

(2) and (3) above are a hideous race that needs to be fixed.  It probably
could be used to gain limited, but still unauthorized access to mass-storage
devices for example (I didn't test).

On Mon, 03 Oct 2005, Sayantan Sur wrote:
> > Ah. This means hotplug is probably the one to blame for the race condition.
> 
> Looks like it. Can you tell me what should I do to accurately describe
> (collect info) the race condition to the developers of gphoto2/usb
> drivers?

I have not examined the situation very deeply, but to me it smells like
something that is beyond a simple hotplug braindamage.  This comment in
/etc/init.d/mountvirtfs supports this hunch:

# Usbfs/usbdevfs is used for USB related binaries/libraries.
# "usbfs" and "usbdevfs" are the exact same filesystem.
# "usbdevfs" was renamed to "usbfs" by linux usb developers,
# because people sometimes mistook it as a part of devfs. Usbfs
# will be superseded by other filesystems (e.g. sysfs), and when
# it becomes obsolete the mount action below should be removed.

In that case, the fix would probably be to get rid of usbfs completely... as
long as whatever is done in sysfs space is not just as broken.  I am not
sure we are at a point where we can do it.

And the workaround would be to have the kernel create inodes in usbfs in an
inaccessible state for every non-root process, and later update that through
hotplug.  mount(8) seems to indicate this is possible, by using

mount -t usbfs /proc/bus/usb -o devmode=0600,busmode=0500,listmode=0400

I will ask the udev and hotplug maintainers about the issue.  In fact, I am
CCing them on this message.  Depending on their answers, a bug against
package initscripts is in order...

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Reply to:

References:
- problem using Canon SD400 on Debian Sarge
  - From: Sayantan Sur <sayantan.sur@gmail.com>
- Re: problem using Canon SD400 on Debian Sarge
  - From: Henrique de Moraes Holschuh <hmh@debian.org>
- Re: problem using Canon SD400 on Debian Sarge
  - From: Sayantan Sur <sayantan.sur@gmail.com>

Prev by Date: Re: backup compress on the fly
Next by Date: Re: libmysqlclient12 and libmysqlclient14
Previous by thread: Re: problem using Canon SD400 on Debian Sarge
Next by thread: Re: problem using Canon SD400 on Debian Sarge
Index(es):
- Date
- Thread