Package: qemu
Version: 1:2.8+dfsg-1
Severity: normal
Tags: patch
User: tails-...@boum.org
Usertags: test-suite, virt-guest

Dear Maintainer,

It seems the fix of CVE-2016-8576 (Debian bug #840343) introduced a regression in QEMU 2.8. While formatting partitions (on virtual USB drives and the nec-xhci virtual USB controller) to EXT4, I have observed errors like these:

    kernel: sd 8:0:0:0: [sda] tag#0 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
    kernel: sd 8:0:0:0: [sda] tag#0 CDB: Write(10) 2a 00 00 66 49 86 00 08 00 00
    kernel: blk_update_request: I/O error, dev sda, sector 6703494
    kernel: Buffer I/O error on dev dm-0, logical block 1573254, lost async page write

Raising TRB_LINK_LIMIT fixes the limit, but the new value was admittedly arbitrarily chosen.

Regarding cycle detection in general, allowing at most 4 levels of links seems pretty low. This bump should be safe: a high number only means that we get a performance hit when encountering cycles but then we should have a fatal error anyway; a low number instead means that we'll incorrectly identify cycles and abort operations that otherwise would succeed, like in the case above.

It would be fabulous if this patch could be applied to Debian's package before upstream fixes it!

Cheers!

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages qemu depends on:
ii  qemu-system  1:2.8+dfsg-1
ii  qemu-user    1:2.8+dfsg-1
ii  qemu-utils   1:2.8+dfsg-1

qemu recommends no packages.

Versions of packages qemu suggests:
ii  qemu-user-static  1:2.8+dfsg-1

-- no debconf information
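
The trade-off argued in the report above, as an added example that is not part of the original report and is not QEMU code: a simplified model of a link-count guard, showing a legitimate six-segment chain rejected at a limit of 4 while a real cycle is still caught at a higher limit, only later. The names walk_chain, build_segmented and struct trb are hypothetical, and the raised limit of 32 is a constructed value, not the one from the patch.

```c
#include <stdio.h>

/* Simplified model, not QEMU code: a link TRB redirects the walk to `next`. */
enum trb_kind { TRB_DATA, TRB_LINK, TRB_END };
struct trb { enum trb_kind kind; size_t next; };
#define LIMIT_LOW    4   /* "at most 4 levels of links", as in the report */
#define LIMIT_RAISED 32  /* constructed value, not taken from the patch */

/* Count data TRBs from index 0; *links gets the number of link TRBs fetched.
 * Returns -1 if more than `limit` links are followed (treated as a cycle). */
int walk_chain(const struct trb *ring, size_t len, unsigned limit,
               unsigned *links)
{
    int data = 0;
    size_t i = 0;
    *links = 0;
    while (i < len && ring[i].kind != TRB_END) {
        if (ring[i].kind == TRB_DATA) {
            data++;
            i++;
        } else if (++*links > limit) {
            return -1;
        } else {
            i = ring[i].next;
        }
    }
    return data;
}

/* Constructed input: nseg segments of one data TRB plus a link to the next. */
size_t build_segmented(struct trb *ring, size_t nseg)
{
    for (size_t s = 0; s < nseg; s++) {
        ring[2 * s] = (struct trb){ TRB_DATA, 0 };
        ring[2 * s + 1] = (struct trb){ TRB_LINK, 2 * s + 2 };
    }
    ring[2 * nseg] = (struct trb){ TRB_END, 0 };
    return 2 * nseg + 1;
}

int main(void)
{
    struct trb ok[16], loop[2] = { { TRB_LINK, 1 }, { TRB_LINK, 0 } };
    unsigned links;
    size_t len = build_segmented(ok, 6);
    printf("6 links, limit 4:  %d\n", walk_chain(ok, len, LIMIT_LOW, &links));
    printf("6 links, limit 32: %d\n", walk_chain(ok, len, LIMIT_RAISED, &links));
    printf("cycle, limit 32:   %d\n", walk_chain(loop, 2, LIMIT_RAISED, &links));
}
```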