
Re: FFS: wrong superblock check ~> crash
On Mon, Oct 20, 2014 at 04:57:19PM +0000, Paul_Koning%dell.com@localhost wrote:
> I disagree.
> 
> There's a principle of networking product design, which is that you are never allowed to crash due to external input.  If you receive an invalid packet, you can complain about it and say the sender is broken, but if you crash from it it's always your bug, no excuses, no exceptions.

I agree.

> 
> I would treat all external inputs that way; storage is an external input.

no, for most server usage it's internal input. You don't plug random
USB keys into your servers, do you? And even if I have ffs on
USB keys I don't consider them as external as I use them only on
my systems.

> Panics are for INTERNAL consistency failures, for example a state machine that gets into a non-existent state.  But any objection to outside data must be a rejection of that data, nothing more.

I agree. And if the kernel detects an inconsistent ffs state, it's either
because it did write bogus data to the disk (in which case you can consider
that the kernel itself is in an inconsistent state) or because the
hardware is bogus (in which case a panic is also not that silly).

Remounting a filesystem read-only on a running server is certainly the worst
way of dealing with the problem.

-- 
Manuel Bouyer, LIP6, Universite Paris VI.           Manuel.Bouyer%lip6.fr@localhost
     Tel: 01 44 27 70 14  Fax: 01 44 27 72 80
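The design principle debated in this thread (reject inconsistent on-disk input with an error instead of panicking) can be illustrated with a small validator. The following is an added example and is not NetBSD or FFS code: it uses a constructed toy header format (`struct toy_sb`, `TOY_MAGIC` and the field names are assumptions), and shows a check routine that returns a negative errno value so the caller can refuse the mount rather than crash the kernel.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>

/* Constructed toy on-disk header; this is NOT the FFS superblock layout. */
#define TOY_MAGIC 0x544F5953u  /* "TOYS", an assumed magic value */

struct toy_sb {
    uint32_t magic;
    uint32_t block_size;   /* bytes per block, must be a power of two */
    uint32_t nblocks;      /* total blocks in the volume */
    uint32_t inode_blocks; /* blocks reserved for the inode table */
};

/* Validate a header read from disk against the device size.
 * Returns 0 if the header is self-consistent, or -EINVAL otherwise.
 * It never panics: a bad header is rejected, not trusted. */
int toy_sb_check(const struct toy_sb *sb, uint64_t device_bytes)
{
    if (sb->magic != TOY_MAGIC)
        return -EINVAL;
    /* block_size must be a power of two within a plausible range */
    if (sb->block_size < 512 || sb->block_size > (1u << 16) ||
        (sb->block_size & (sb->block_size - 1)) != 0)
        return -EINVAL;
    /* the geometry must fit on the device; 64-bit math avoids overflow
     * in the multiplication, which a 32-bit product could wrap silently */
    if ((uint64_t)sb->nblocks * sb->block_size > device_bytes)
        return -EINVAL;
    /* the inode table must be non-empty and leave room for data blocks */
    if (sb->inode_blocks == 0 || sb->inode_blocks >= sb->nblocks)
        return -EINVAL;
    return 0;
}

/* Parse raw bytes (e.g. the first sector read from the device) into a
 * header. Returns 0 on success, -EINVAL on a short or inconsistent buffer. */
int toy_sb_parse(const unsigned char *buf, size_t len, uint64_t device_bytes,
                 struct toy_sb *out)
{
    if (len < sizeof(*out))
        return -EINVAL;
    memcpy(out, buf, sizeof(*out));  /* fixed-size copy after the length check */
    return toy_sb_check(out, device_bytes);
}

/* Build a raw header buffer in host byte order (constructed sample input
 * for the demonstration below; a real format would fix the endianness). */
size_t toy_sb_encode(unsigned char *buf, uint32_t magic, uint32_t block_size,
                     uint32_t nblocks, uint32_t inode_blocks)
{
    struct toy_sb sb = { magic, block_size, nblocks, inode_blocks };
    memcpy(buf, &sb, sizeof sb);
    return sizeof sb;
}

int main(void)
{
    unsigned char buf[64];
    struct toy_sb sb;
    uint64_t dev = 4096ull * 1024;  /* a 4 MiB constructed device */

    size_t n = toy_sb_encode(buf, TOY_MAGIC, 4096, 1024, 16);
    printf("sane header:       %d\n", toy_sb_parse(buf, n, dev, &sb));
    /* header claims more blocks than the device holds: rejected, not panic */
    n = toy_sb_encode(buf, TOY_MAGIC, 4096, 2048, 16);
    printf("oversized geometry: %d\n", toy_sb_parse(buf, n, dev, &sb));
    return 0;
}
```

The caller (a mount routine, in this toy) treats any non-zero return as "refuse this volume" and logs it; the decision to remount read-only, unmount, or panic on corruption discovered later is kept out of the parser so the parser itself can never be the crash site.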