In article <[email protected]>, Taylor R Campbell <[email protected]> wrote:
> Date: Mon, 20 Oct 2014 17:46:06 +0200
> From: Manuel Bouyer <[email protected]>
>
> Sure. There's lots of other ways to crash the kernel with a broken ffs.
> In this specific case it's OK to return an error, but in the general
> case I prefer to have the kernel panic when an inconsistency is
> detected in ffs, than return an error and try to continue running with
> a bogus filesystem.
>
>Continuing to run with a bogus file system is no good, but panicking
>the kernel is worse. If the kernel takes any drastic action beyond
>merely returning an error, it should remount the file system
>read-only.

This is wishful thinking (unless we fix the current set of bugs that
prevent us from doing so even in a healthy filesystem, for example
PR/30525). I would be happy if we could isolate the broken filesystem
from all I/O operations instead of crashing. There are many different
recipes that keep file descriptors open for R/W that corrupt the
filesystem during R/O downgrades.

christos
