In article <[email protected]>, Manuel Bouyer <[email protected]> wrote:
>On Mon, Oct 20, 2014 at 03:38:11PM +0200, Maxime Villard wrote:
>> [...]
>> With a broken superblock the kernel will read far beyond the allocated
>> area, which mostly means it will crash.
>
>Sure. There's lots of other ways to crash the kernel with a broken ffs.
>In this specific case it's OK to return an error, but in the general
>case I prefer to have the kernel panic when an inconsistency is
>detected in ffs, than return an error and try to continue running with
>a bogus filesystem.
Well, this was the mentality 30 years ago (let's panic), and this is why we
are here today. Sure it is fine and safe to panic(), but if I can prevent the
whole system from crashing and I can keep running in degraded mode (isolating
the broken filesystem), I'd rather have the choice to do so. I.e., the best
thing would be to choose the panic or isolate behavior via a sysctl or a
compilation-time kernel define.

christos
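The pattern the reply argues for, as an added illustration that is not code from the thread or from NetBSD's ffs: a single bounds check on a superblock before any later code trusts its size fields, with the response to a detected inconsistency (panic, or return an error so the filesystem can be isolated) selected by a knob that a sysctl could set at run time and a define fixes at compile time. The `toy_sb` structure, the `ffs_corrupt_policy` variable, `FFS_DEFAULT_CORRUPT_POLICY` and all field and magic values are hypothetical and constructed for this example.

```c
/*
 * Added example, not NetBSD code: a toy superblock check whose failure
 * policy (panic vs. return an error) is chosen by a knob. Every name and
 * value here is hypothetical and constructed for illustration.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Failure policy for corrupt metadata. In a kernel this variable would be
 * exposed through sysctl; its default is fixed when the kernel is built. */
enum ffs_corrupt_policy { FFS_CORRUPT_ERROR = 0, FFS_CORRUPT_PANIC = 1 };

#ifndef FFS_DEFAULT_CORRUPT_POLICY          /* hypothetical build-time knob */
#define FFS_DEFAULT_CORRUPT_POLICY FFS_CORRUPT_ERROR
#endif

int ffs_corrupt_policy = FFS_DEFAULT_CORRUPT_POLICY; /* hypothetical sysctl knob */

/* Minimal stand-in for an on-disk superblock: only the fields the check uses. */
struct toy_sb {
    uint32_t magic;   /* must equal TOY_SB_MAGIC */
    uint32_t ncg;     /* number of cylinder groups the disk claims */
    uint32_t cgsize;  /* bytes of summary data per cylinder group */
};

#define TOY_SB_MAGIC 0x011954u  /* constructed value for this example */

/* Stand-in for the kernel's panic(); in user space we abort the process. */
static void toy_panic(const char *why)
{
    fprintf(stderr, "panic: %s\n", why);
    abort();
}

/* Apply the configured policy to a detected inconsistency. When the policy
 * is to keep running, the errno returned here is handed back to the caller
 * (e.g. the mount path), which then refuses the filesystem. */
static int ffs_corrupt(const char *why)
{
    if (ffs_corrupt_policy == FFS_CORRUPT_PANIC)
        toy_panic(why);
    fprintf(stderr, "ffs: %s; refusing filesystem\n", why);
    return EINVAL;
}

/* Validate the superblock against `buflen`, the number of bytes actually
 * read from disk after the header, so later code never indexes summary
 * data beyond the allocated buffer. Returns 0 or an errno. */
int ffs_validate_superblock(const struct toy_sb *sb, size_t buflen)
{
    uint64_t need;

    if (sb->magic != TOY_SB_MAGIC)
        return ffs_corrupt("bad superblock magic");
    if (sb->ncg == 0 || sb->cgsize == 0)
        return ffs_corrupt("zero cylinder group count or size");

    /* Multiply in 64 bits: two 32-bit fields can wrap a 32-bit product to
     * a small number and slip past the comparison below. */
    need = (uint64_t)sb->ncg * (uint64_t)sb->cgsize;
    if (need > (uint64_t)buflen)
        return ffs_corrupt("superblock claims more summary data than was read");
    return 0;
}

/* Constructed cases, each run against a 4096-byte buffer. */
int example_consistent(void)
{
    struct toy_sb sb = { TOY_SB_MAGIC, 8, 512 };          /* 8*512 = 4096 fits */
    return ffs_validate_superblock(&sb, 4096);
}

int example_oversized(void)
{
    struct toy_sb sb = { TOY_SB_MAGIC, 0x10000000u, 0x1000u }; /* wraps to 0 in 32 bits */
    return ffs_validate_superblock(&sb, 4096);
}

int example_bad_magic(void)
{
    struct toy_sb sb = { 0, 8, 512 };
    return ffs_validate_superblock(&sb, 4096);
}

int main(void)
{
    ffs_corrupt_policy = FFS_CORRUPT_ERROR;   /* degraded mode: isolate, don't panic */
    printf("consistent: %d\n", example_consistent());
    printf("oversized:  %d\n", example_oversized());
    printf("bad magic:  %d\n", example_bad_magic());
    return 0;
}
```

With `ffs_corrupt_policy` set to `FFS_CORRUPT_ERROR` the two corrupt cases come back as `EINVAL` and the process keeps running; switching the knob to `FFS_CORRUPT_PANIC` makes the same checks abort instead, which is the choice the reply asks for. The 64-bit multiplication is the part most easily lost when the check is written in a hurry.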
