Manuel Bouyer <[email protected]> wrote:
> On Mon, Oct 20, 2014 at 03:58:45PM +0000, Taylor R Campbell wrote:
> > Date: Mon, 20 Oct 2014 17:46:06 +0200
> > From: Manuel Bouyer <[email protected]>
> >
> > Sure. There's lots of other ways to crash the kernel with a broken
> > ffs. In this specific case it's OK to return an error, but in the
> > general case I prefer to have the kernel panic when an inconsistency is
> > detected in ffs, than return an error and try to continue running
> > with a bogus filesystem.
> >
> > Continuing to run with a bogus file system is no good, but panicking
> > the kernel is worse. If the kernel takes any drastic action beyond
> > merely returning an error, it should remount the file system
> > read-only.
>
> Definitively not. I want a panic. If the filesystem is corrupted
> something has gone really wrong and you can't trust the running system
> any more. And there are cases where returning EROFS is worse than
> panicking (e.g. an NFS server).
Disagree. The kernel should remount the file system in read-only mode. Perhaps we can debate what to do with a corrupted / when the system is booting, but for other cases (especially hot-plug or external disks) I certainly do not expect a crash. The system should clearly indicate the errors to the user and be defensive (hence remount in read-only), but if I insert a USB stick with garbage and my system crashes, then it is a plain bug with potential security implications.

-- 
Mindaugas
