tech-kern archive


Re: Proposal: validate FFS root inode during the mount.



>> There are 3 popular behaviours and all can be useful.

>> -   return errors
>> -   return errors + reject further writes
>> -   panic

I can think of at least one more: forcibly unmount the filesystem
(which, like any forced unmount, means returning errors for I/O
attempts).

>>     The second is Linux default behaviour and some people hate it,
>>     maybe because the read-only mode is rather silent.

I don't think I would have much use for it, but that's very different
from thinking it shouldn't be available.  Ideally, I would like to see
all four of the above available - though of course whoever does the
work gets to decide what work gets done.

> 1. My biggest concern, and reason for putting this validation in
> place, is the case where we allow mounting a filesystem that later
> cannot be unmounted from userland.

> [...] umount(2) [...]

As far as I can tell there is no umount(2).  There isn't in the
versions I have easy access to (it's unmount(2)), and someone has
improved man.netbsd.org to the point where it doesn't work at all for
me so I can't check that.

Assuming that should be unmount(2), I agree that it is a bug if a
mounted filesystem cannot be unmounted at all.

> 2. other validation for root inode,

I don't think this is a bad thing; I just see it as fixing a tiny
sliver of a much larger problem.  Abstractly, I believe that the
on-disk data structures must be considered possibly-hostile external
input; I think there should be nothing the disk can hold which crashes
the system.  Obviously we're a long way from that, and I can't see
getting closer to it as a bad thing in general.  I just see this as
checking three or four values out of what, a dozen?, in one inode,
out of typically millions - I question whether the value in fixing this
tiny sliver of the problem outweighs the maintenance cost of the
special-case code it involves.  (Of course, questioning whether it does
is not the same as thinking it doesn't.)

> I [...] do not want to check the entire FS on mount because that will
> make the mount process far less useful.

No, of course not.  I doubt anyone thinks that would be a good idea.  I
would not expect that checking to happen until the inode in question
actually gets used.

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse%rodents-montreal.org@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
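As an added illustration of the two points above (treating the root inode as untrusted input that is validated before use, and choosing one of the four behaviours when the check fails), here is a small C example. It is not code from this thread or from NetBSD: the `ex_` structures are a deliberately simplified, hypothetical subset of an FFS inode and superblock, the sample values are made up, and the particular checks (directory type, link count of at least 2, size a positive multiple of a 512-byte DIRBLKSIZ, block pointers inside the filesystem) are this example's assumptions about what such a check would look like, not the original poster's proposal.

```c
/* Added example, not NetBSD code: validate a root inode read from disk
 * before trusting it, then apply one of the four error policies from the
 * thread. All layouts and values here are hypothetical and simplified. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define EX_DIRBLKSIZ 512      /* directory sizes are multiples of this (assumed, as in FFS) */
#define EX_NDADDR    12       /* direct block pointers per inode in this model */
#define EX_IFMT      0170000  /* file type mask */
#define EX_IFDIR     0040000  /* directory */

struct ex_dinode {            /* hypothetical on-disk inode, not struct ufs1_dinode */
    uint16_t di_mode;
    int16_t  di_nlink;
    uint64_t di_size;
    int32_t  di_db[EX_NDADDR];   /* direct block addresses, 0 means hole */
};

struct ex_fs {                /* hypothetical in-core superblock, not struct fs */
    int32_t fs_size;          /* filesystem size in blocks */
    int32_t fs_bsize;         /* block size in bytes */
    int     fs_ronly;         /* set when the read-only policy triggers */
    int     fs_unmounted;     /* set when the forced-unmount policy triggers */
};

/* The four behaviours discussed in the thread. */
enum ex_policy { EX_RETURN_ERROR, EX_READONLY, EX_PANIC, EX_FORCE_UNMOUNT };

/* Treat the root inode as possibly-hostile input: 0 if sane, -1 with a reason otherwise. */
int ex_check_rootinode(const struct ex_fs *fs, const struct ex_dinode *dp, const char **why)
{
    uint64_t maxdirect = (uint64_t)EX_NDADDR * (uint64_t)fs->fs_bsize;
    int i;

    if ((dp->di_mode & EX_IFMT) != EX_IFDIR) {
        *why = "root inode is not a directory"; return -1;
    }
    if (dp->di_nlink < 2) {           /* "." and ".." both refer to root */
        *why = "root directory link count below 2"; return -1;
    }
    if (dp->di_size == 0 || dp->di_size % EX_DIRBLKSIZ != 0) {
        *why = "root directory size not a positive multiple of DIRBLKSIZ"; return -1;
    }
    if (dp->di_size > maxdirect) {    /* this model has no indirect blocks */
        *why = "root directory size exceeds reach of its block pointers"; return -1;
    }
    for (i = 0; i < EX_NDADDR; i++) {
        if (dp->di_db[i] < 0 || dp->di_db[i] >= fs->fs_size) {
            *why = "direct block pointer lies outside the filesystem"; return -1;
        }
    }
    *why = NULL;
    return 0;
}

/* Apply the chosen policy to a detected corruption; returns the errno to report. */
int ex_on_corrupt(struct ex_fs *fs, enum ex_policy policy, const char *why)
{
    switch (policy) {
    case EX_PANIC:
        fprintf(stderr, "would panic: %s\n", why);  /* a kernel would call panic() */
        return EIO;
    case EX_READONLY:
        fs->fs_ronly = 1;                           /* reject further writes, reads still work */
        return EIO;
    case EX_FORCE_UNMOUNT:
        fs->fs_unmounted = 1;                       /* later I/O fails as after any forced unmount */
        return EIO;
    case EX_RETURN_ERROR:
    default:
        return EIO;
    }
}

/* What mount would do: check first, dispatch the policy only on failure. */
int ex_mount_check_root(struct ex_fs *fs, const struct ex_dinode *dp, enum ex_policy policy)
{
    const char *why;
    if (ex_check_rootinode(fs, dp, &why) == 0)
        return 0;
    return ex_on_corrupt(fs, policy, why);
}

/* Constructed sample data (made up, not read from a real disk). */
static struct ex_fs ex_sample_fs(void) { struct ex_fs fs = { 1024, 8192, 0, 0 }; return fs; }
static struct ex_dinode ex_sample_root(void) { struct ex_dinode d = { EX_IFDIR | 0755, 2, 512, { 8 } }; return d; }

/* Sane root inode: mount proceeds, returns 0. */
int ex_demo_good(void)
{
    struct ex_fs fs = ex_sample_fs(); struct ex_dinode dp = ex_sample_root();
    return ex_mount_check_root(&fs, &dp, EX_RETURN_ERROR);
}

/* Block pointer past the end of the filesystem under the read-only policy:
 * returns 1 when mount reports EIO and the filesystem was flipped read-only. */
int ex_demo_bad_pointer_readonly(void)
{
    struct ex_fs fs = ex_sample_fs(); struct ex_dinode dp = ex_sample_root();
    dp.di_db[0] = 4096;               /* fs_size is only 1024 */
    return ex_mount_check_root(&fs, &dp, EX_READONLY) == EIO && fs.fs_ronly == 1;
}

/* Root inode that is a regular file, under the forced-unmount policy: returns 1. */
int ex_demo_not_dir_unmount(void)
{
    struct ex_fs fs = ex_sample_fs(); struct ex_dinode dp = ex_sample_root();
    dp.di_mode = 0100644;             /* regular file, not a directory */
    return ex_mount_check_root(&fs, &dp, EX_FORCE_UNMOUNT) == EIO && fs.fs_unmounted == 1;
}

int main(void)
{
    printf("good=%d bad_pointer=%d not_dir=%d\n",
           ex_demo_good(), ex_demo_bad_pointer_readonly(), ex_demo_not_dir_unmount());
    return 0;
}
```

In a real filesystem the same checks would run when the inode is first read rather than as a separate pass over the disk, which matches the point that validation should happen only when the inode in question actually gets used; the panic case would of course call panic() rather than print.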

