Date: Mon, 1 Oct 2007 22:10:36 +1000 (EST) From: Bruce Evans <brde@optusnet.com.au> To: "Bjoern A. Zeeb" <bz@freebsd.org> Cc: cvs-src@freebsd.org, src-committers@freebsd.org, cvs-all@freebsd.org, Bruce Evans <brde@optusnet.com.au> Subject: Re: cvs commit: src/sys/ufs/ffs ffs_alloc.c Message-ID: <20071001212813.X2796@besplex.bde.org> In-Reply-To: <20071001110057.V85753@maildrop.int.zabbadoz.net> References: <200709241339.l8ODd6k6059694@repoman.freebsd.org> <47002674.8050707@tomjudge.com> <47002E2F.3030306@tomjudge.com> <20071001090547.H85753@maildrop.int.zabbadoz.net> <20071001201359.M2557@besplex.bde.org> <20071001110057.V85753@maildrop.int.zabbadoz.net>
index | next in thread | previous in thread | raw e-mail
On Mon, 1 Oct 2007, Bjoern A. Zeeb wrote: > On Mon, 1 Oct 2007, Bruce Evans wrote: > >> On Mon, 1 Oct 2007, Bjoern A. Zeeb wrote: >>>> s/fis/fix/ >>> >>> yes it should. I closed the PR, See the comment there. >> >> s/fix/work around/ >> >> The bug is in newfs and tunefs permitting garbage parameters, so it cannot >> be fixed in ffs_alloc.c. > > No matter what iput the kernel gets and from where, it MUST NOT (or at > least SHOULD not;) panic unless explicitly request by KASSERT/panic/.. Not quite true. There are hundreds or thousands of sysctls that can be used to set critical parameters to garbage which will cause a panic. Bounds checking for sysctl parameters is almost completely absent, and this is sometimes useful for investigating the limits of useful parameters without rebuilding the kernel. Also, a division by zero trap is preferable to a panic since it is restartable. > So this commit fixes a DIV0 bug in the kernel. > > Of course you are right, that the values should be checked by the tools > that we have in the tree so that this problem would not occur. > We could even check if the values given make sense at all, but that still > is a different story to a kernel panic. You deleted the part where I said where the fix belongs in the kernel (next to related fixups). ffs does almost no runtime checking by design. It depends on fsck or mount-time fixups doing all the necessary checking and fixups, so that the main code can be simpler and faster. New code shouldn't do things differently. Brucehome | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20071001212813.X2796>