On Tue, Oct 21, 2014 at 1:46 AM, Christos Zoulas <chris...@astron.com> wrote:
> In article <20141020154606.ga10...@asim.lip6.fr>,
> Manuel Bouyer <bou...@antioche.eu.org> wrote:
>>On Mon, Oct 20, 2014 at 03:38:11PM +0200, Maxime Villard wrote:
>>> [...]
>>> With a broken superblock the kernel will read far beyond the allocated
>>> area, which mostly means it will crash.
>>
>>Sure. There's a lot of other ways to crash the kernel with a broken ffs.
>>In this specific case it's OK to return an error, but in the general
>>case I prefer to have the kernel panic when an inconsistency is
>>detected in ffs, than return an error and try to continue running with
>>a bogus filesystem.
>
> Well, this was the mentality 30 years ago (let's panic), and this is why
> we are here today. Sure it is fine and safe to panic(), but if I can
> prevent the whole system from crashing and I can keep running in degraded
> mode (isolating the broken filesystem), I'd rather have the choice to do
> so. I.e., the best thing would be to choose the panic or isolate behavior
> via a sysctl or a compile-time kernel define.
Have you heard of minix3? :)