--- Begin Message ---
Package: qemu-system-x86
Version: 1:2.8+dfsg-6+deb9u1
Severity: important
X-Debbugs-Cc: secur...@debian.org
Dear maintainers, dear security team,
after performing the security upgrade to 1:2.8+dfsg-6+deb9u1 a virtual
machine (managed via libvirt) does not start anymore.
Underlying CPU is an Intel Kaby Lake Core i7-7700. VT-x and VT-d are
enabled in the BIOS. Kernel cmdline has intel_iommu=on. Latest
microcode update is installed.
KVM configuration: Machine of guest is set to pc-i440fx-2.8, CPU is set
to Skylake-Client. A PCIe framegrabber card (in x16 slot, but card is
x4 or x8, I don't remember exactly) is passed through to the guest.
With 1:2.8+dfsg-6 the guest boots just fine.
With 1:2.8+dfsg-6+deb9u1 the guest doesn't start properly. In the
journal I can find the following message every time I try to start the
guest:
libvirtd[964]: ...: 984: error : x86FeatureInData:780 : internal error:
unknown CPU feature __kvm_hv_spinlocks
libvirtd[964]: ...: 964: error : qemuMonitorIO:695 : internal error: End
of file from qemu monitor
To get this working again I downgraded qemu-kvm, qemu-system-common
and qemu-system-x86 back to 1:2.8+dfsg-6.
The full command that is used to start qemu by libvirt is the
following (UUIDs and MAC addresses censored):
qemu-system-x86_64
-enable-kvm
-name guest=win10,debug-threads=on
-S
-object
secret,id=masterKey0,format=raw,file=/var/lib/libvirt/qemu/domain-4-win10/master-key.aes
-machine pc-i440fx-2.8,accel=kvm,usb=off,vmport=off,dump-guest-core=off
-cpu
Skylake-Client,+ds,+acpi,+ss,+ht,+tm,+pbe,+dtes64,+monitor,+ds_cpl,+vmx,+smx,+est,+tm2,+xtpr,+pdcm,+osxsave,+tsc_adjust,+clflushopt,+pdpe1gb,hv_time,hv_relaxed,hv_vapic,hv_spinlocks=0x1fff
-m 16384
-realtime mlock=off
-smp 4,sockets=4,cores=1,threads=1
-uuid ....
-no-user-config
-nodefaults
-chardev
socket,id=charmonitor,path=/var/lib/libvirt/qemu/domain-4-win10/monitor.sock,server,nowait
-mon chardev=charmonitor,id=monitor,mode=control
-rtc base=localtime,driftfix=slew
-global kvm-pit.lost_tick_policy=delay
-no-hpet
-no-shutdown
-global PIIX4_PM.disable_s3=1
-global PIIX4_PM.disable_s4=1
-boot strict=on
-device nec-usb-xhci,id=usb,bus=pci.0,addr=0x5
-device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x6
-drive
file=/var/lib/libvirt/images/win10.qcow2,format=qcow2,if=none,id=drive-virtio-disk0
-device
virtio-blk-pci,scsi=off,bus=pci.0,addr=0x8,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1
-drive
file=/var/lib/libvirt/images/win10_data.qcow2,format=qcow2,if=none,id=drive-virtio-disk1
-device
virtio-blk-pci,scsi=off,bus=pci.0,addr=0x9,drive=drive-virtio-disk1,id=virtio-disk1
-drive if=none,id=drive-ide0-0-1,readonly=on
-device ide-cd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1
-netdev tap,fd=25,id=hostnet0
-device rtl8139,netdev=hostnet0,id=net0,mac=...,bus=pci.0,addr=0x3
-chardev pty,id=charserial0
-device isa-serial,chardev=charserial0,id=serial0
-chardev spicevmc,id=charchannel0,name=vdagent
-device
virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0
-device usb-tablet,id=input0,bus=usb.0,port=1
-spice
port=5900,addr=127.0.0.1,disable-ticketing,image-compression=off,seamless-migration=on
-device
qxl-vga,id=video0,ram_size=67108864,vram_size=67108864,vram64_size_mb=0,vgamem_mb=16,max_outputs=1,bus=pci.0,addr=0x2
-device intel-hda,id=sound0,bus=pci.0,addr=0x4
-device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0
-chardev spicevmc,id=charredir0,name=usbredir
-device usb-redir,chardev=charredir0,id=redir0,bus=usb.0,port=2
-chardev spicevmc,id=charredir1,name=usbredir
-device usb-redir,chardev=charredir1,id=redir1,bus=usb.0,port=3
-device vfio-pci,host=02:00.0,id=hostdev0,bus=pci.0,addr=0xa
-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x7
-msg timestamp=on
I did take a look at the patches in the git repository:
https://anonscm.debian.org/cgit/pkg-qemu/qemu.git/log/?id=refs/heads/debian-stretch
But I'm very confused because none of these patches actually touch the
CPU flags or any other part of virtualization.
Regards,
Christian
-- System Information:
Debian Release: 9.1
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages qemu-system-x86 depends on:
ii ipxe-qemu 1.0.0+git-20161027.b991c67-1
ii libaio1 0.3.110-3
ii libasound2 1.1.3-5
ii libbluetooth3 5.43-2
ii libbrlapi0.6 5.4-7
ii libc6 2.24-11+deb9u1
ii libcacard0 1:2.5.0-3
ii libfdt1 1.4.2-1
ii libgcc1 1:6.3.0-18
ii libglib2.0-0 2.50.3-2
ii libgnutls30 3.5.8-5+deb9u2
ii libjpeg62-turbo 1:1.5.1-2
ii libncursesw5 6.0+20161126-1
ii libnettle6 3.3-1+b1
ii libnuma1 2.0.11-2.1
ii libpixman-1-0 0.34.0-1
ii libpng16-16 1.6.28-1
ii libpulse0 10.0-1+deb9u1
ii libsasl2-2 2.1.27~101-g0780600+dfsg-3
ii libsdl1.2debian 1.2.15+dfsg1-4
ii libseccomp2 2.3.1-2.1
ii libspice-server1 0.12.8-2.1+deb9u1
ii libtinfo5 6.0+20161126-1
ii libusb-1.0-0 2:1.0.21-1
ii libusbredirparser1 0.7.1-1
ii libvdeplug2 2.3.2+r586-2.1
ii libx11-6 2:1.6.4-3
ii libxen-4.8 4.8.1-1+deb9u1
ii libxenstore3.0 4.8.1-1+deb9u1
ii qemu-system-common 1:2.8+dfsg-6+deb9u1
ii seabios 1.10.2-1
ii zlib1g 1:1.2.8.dfsg-5
Versions of packages qemu-system-x86 recommends:
ii qemu-utils 1:2.8+dfsg-6+deb9u1
Versions of packages qemu-system-x86 suggests:
ii kmod 23-2
pn ovmf <none>
pn qemu-block-extra <none>
pn samba <none>
pn sgabios <none>
pn vde2 <none>
-- no debconf information
--- End Message ---