tech-kern archive
Re: FFS: wrong superblock check ~> crash
Manuel Bouyer <bouyer%antioche.eu.org@localhost> wrote:
> On Mon, Oct 20, 2014 at 03:58:45PM +0000, Taylor R Campbell wrote:
> > Date: Mon, 20 Oct 2014 17:46:06 +0200
> > From: Manuel Bouyer <bouyer%antioche.eu.org@localhost>
> >
> > Sure. There's a lot of other ways to crash the kernel with a broken
> > ffs. In this specific case it's OK to return an error, but in the
> > general case I prefer to have the kernel panic when an inconsistency is
> > detected in ffs, than return an error and try to continue running
> > with a bogus filesystem.
> >
> > Continuing to run with a bogus file system is no good, but panicking
> > the kernel is worse. If the kernel takes any drastic action beyond
> > merely returning an error, it should remount the file system
> > read-only.
>
> definitively not. I want a panic. If the filesystem is corrupted
> something has gone really wrong and you can't trust the running system
> any more. And there are cases where returning EROFS is worse than
> panicking (e.g. a NFS server).
Disagree. The kernel should remount the file system in read-only mode.
Perhaps we can debate what to do with corrupted / when the system is
booting, but for other cases (especially hot-plug or external disks)
I certainly do not expect a crash. The system should clearly indicate
the errors to the user and be defensive (hence remount in read-only),
but if I insert a USB stick with garbage and my system crashes then
it is a plain bug with potential security implications.
--
Mindaugas