Subject: Re: Patch to disallow mounts of unclean FFS unless forced
To: None <tech-kern@NetBSD.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-kern
Date: 10/14/2003 18:10:50
>> Right now, it's incredibly easy to accidentally mount an unclean
>> file system that can cause the kernel to panic.
> But isn't the right fix to make sure that the kernel correctly checks
> its data before using it?

Maybe.

Such checks would sprinkle a _lot_ of error checking code throughout
the filesystem code in the kernel; indeed, they would amount to moving
all of fsck except the fixup code into the kernel, and possibly the
fixup code too if you want to automatically recover from such errors.

This will increase the size and complexity of the filesystem code in
the kernel nontrivially.  I suspect it would also slow down certain
common code paths significantly, but as I haven't tried it that's only
a suspicion and could well be wrong.

It depends on what you think "the right fix" is: is it more important
to handle the (overwhelmingly) common case well, or survive the very
rare case?

Personally, I would be content with either the current state or Jason's
patch absent the superuser check.  I don't really consider it a problem
that mounting garbaged filesystems can panic the kernel, any more than
I consider it a problem that dd if=/dev/random of=/dev/mem can panic
the kernel.  (I realize I may well be in a minority.)

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse@rodents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
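Added example, not code from NetBSD or from the patch under discussion: a concrete instance of the two approaches the message contrasts, "check the on-disk data before using it" versus "refuse unclean file systems unless forced". The `struct sb` below is a hypothetical, trimmed-down stand-in modelled on FFS superblock fields (only the magic value is the real UFS1 one); the sample superblock and the garbaged variants are constructed for the demonstration, and `sb_dtog` shows the sort of unchecked arithmetic that turns a garbaged field into a kernel panic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SB_MAGIC  0x011954u  /* the UFS1 superblock magic, reused as the sample magic */
#define MIN_BSIZE 4096u
#define MAX_BSIZE 65536u
#define MAX_FRAG  8u

/* Hypothetical, trimmed-down stand-in for an FFS superblock (not the real struct fs). */
struct sb {
    uint32_t magic;
    uint32_t bsize;   /* block size in bytes */
    uint32_t fsize;   /* fragment size in bytes */
    uint32_t frag;    /* fragments per block, must equal bsize / fsize */
    uint32_t ncg;     /* number of cylinder groups */
    uint32_t fpg;     /* fragments per cylinder group */
    uint32_t size;    /* file system size in fragments */
    uint8_t  clean;   /* 1 if the file system was cleanly unmounted */
};

enum sb_err {
    SB_OK = 0, SB_BADMAGIC, SB_BADBSIZE, SB_BADFSIZE,
    SB_BADFRAG, SB_BADNCG, SB_BADGEOM, SB_UNCLEAN
};

static int is_pow2(uint32_t v) { return v != 0 && (v & (v - 1)) == 0; }

/* Validate-before-use: each check guards a later division, shift or index
 * that the kernel would otherwise perform on corruption-controlled numbers. */
enum sb_err sb_validate(const struct sb *s)
{
    if (s->magic != SB_MAGIC)
        return SB_BADMAGIC;
    if (s->bsize < MIN_BSIZE || s->bsize > MAX_BSIZE || !is_pow2(s->bsize))
        return SB_BADBSIZE;
    if (s->fsize == 0 || s->fsize > s->bsize || !is_pow2(s->fsize))
        return SB_BADFSIZE;
    if (s->frag == 0 || s->frag > MAX_FRAG || s->frag != s->bsize / s->fsize)
        return SB_BADFRAG;
    if (s->ncg == 0 || s->fpg == 0)
        return SB_BADNCG;
    /* 64-bit product so the consistency check itself cannot overflow */
    if (s->size == 0 || (uint64_t)s->ncg * s->fpg < s->size)
        return SB_BADGEOM;
    return SB_OK;
}

/* The policy under discussion: refuse to mount an unclean file system
 * unless the caller explicitly forces it. */
enum sb_err sb_mount_check(const struct sb *s, int force)
{
    enum sb_err e = sb_validate(s);
    if (e != SB_OK)
        return e;
    if (!s->clean && !force)
        return SB_UNCLEAN;
    return SB_OK;
}

/* Typical unchecked use: cylinder group of a fragment number. With fpg == 0
 * from a garbaged superblock this is a divide-by-zero trap, i.e. a panic in
 * a kernel; sb_validate rejects such a superblock before it gets here. */
uint32_t sb_dtog(const struct sb *s, uint32_t fragno)
{
    return fragno / s->fpg;
}

/* Constructed sample superblock (not read from any real disk). */
static struct sb sample_sb(void)
{
    struct sb s = { SB_MAGIC, 8192, 1024, 8, 4, 2048, 8192, 1 };
    return s;
}

/* Constructed variants: one clean, one unclean, three garbaged. */
enum sb_err demo_clean(int force)   { struct sb s = sample_sb(); return sb_mount_check(&s, force); }
enum sb_err demo_unclean(int force) { struct sb s = sample_sb(); s.clean = 0; return sb_mount_check(&s, force); }
enum sb_err demo_zero_fpg(void)     { struct sb s = sample_sb(); s.fpg = 0; return sb_mount_check(&s, 1); }
enum sb_err demo_bad_frag(void)     { struct sb s = sample_sb(); s.frag = 4; return sb_mount_check(&s, 1); }
enum sb_err demo_garbage(void)      { struct sb s; memset(&s, 0xa5, sizeof s); return sb_mount_check(&s, 1); }

int main(void)
{
    struct sb s = sample_sb();
    printf("clean, no force:        %d\n", demo_clean(0));
    printf("unclean, no force:      %d\n", demo_unclean(0));
    printf("unclean, forced:        %d\n", demo_unclean(1));
    printf("fpg == 0:               %d\n", demo_zero_fpg());
    printf("frag != bsize/fsize:    %d\n", demo_bad_frag());
    printf("random bytes:           %d\n", demo_garbage());
    printf("dtog(5000) on valid sb: %u\n", sb_dtog(&s, 5000));
    return 0;
}
```

The point the message makes is visible in the shape of the code: `sb_mount_check` is one comparison on one flag, while `sb_validate` already needs a consistency check per field, and a real file system has many more fields, plus cylinder-group and inode metadata, that every consumer would have to re-check in the same way.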