Bug#779197: linux-image-3.16.0-4-amd64: Guests running kernel >=3.8 on a Wheezy host crash when connecting through qemu-kvm VNC port
Package: src:linux
Version: 3.16.7-ckt4-3
Severity: important
Tags: upstream
Dear Maintainer,
We have observed some strange behavior while dist-upgrading some of our VMs 
from wheezy to jessie kernels. Under certain circumstances the combination of a
jessie guest on a wheezy host might lead to VM crashes while one is using the 
qemu-kvm VNC port.
Steps to reproduce:
1. Wheezy host with kernel 3.2.0-4-amd64
2. Wheezy-bpo or Jessie KVM guest with kernel linux-image-3.16.0-4-amd64
3. Connect with a VNC client to the guest's KVM-VNC port
4. cat /dev/urandom while on VNC 
5. Wait from a few seconds to 2-3 minutes and then the OS inside the VM crashes.
The KVM process is still running but the KVM socket is not responding.
The guest OS is inaccessible and the vm (after a restart) shows no
signs of having crashed.
We have done testing with various Debian kernels as both host and guest and 
also testing with other distributions as guests. Our tests so far have shown
that on a host running a wheezy-bpo/jessie kernel the crash does not appear to
happen.
We can reproduce the bug on Debian Jessie and Centos 7, but not on
Ubuntu LTS or the latest GRML live cd. 
Here's a matrix of what works and what doesn't:
HOST KERNEL           | GUEST KERNEL               | qemu-kvm version      | Crash | Notes
3.2.63-2+deb7u1       | 3.2.65-1                   | 1.1.2+dfsg-6+deb7u4   | no    | wheezy on wheezy
3.2.63-2+deb7u1       | 3.16.7-ckt4-3              | 1.1.2+dfsg-6+deb7u4   | YES   | jessie on wheezy
3.2.63-2+deb7u1       | 3.10.0-123.20.1.el7.x86_64 | 1.1.2+dfsg-6+deb7u4   | YES   | centos7 on wheezy
3.2.63-2+deb7u2       | 3.2.65-1                   | 2.0.0+dfsg-4~bpo70+1  | no    | wheezy on wheezy with KVM from bpo 
3.2.63-2+deb7u2       | 3.16.7-ckt4-3              | 2.0.0+dfsg-4~bpo70+1  | YES   | jessie on wheezy with KVM from bpo 
3.2.65-1              | 3.16.7-ckt4-3~bpo70+1      | 1.1.2+dfsg-6+deb7u6   | YES   | wheezy-bpo on wheezy
3.16.7-ckt4-3~bpo70+1 | 3.16.7-ckt4-3~bpo70+1      | 1.1.2+dfsg-6+deb7u6   | no    | wheezy-bpo on wheezy-bpo
3.2.63-2+deb7u2       | 2.6.32-504.8.1.el6.x86_64  | 2.0.0+dfsg-4~bpo70+1  | no    | centos6 on wheezy
3.2.63-2+deb7u2       | 2.6.32-5                   | 2.0.0+dfsg-4~bpo70+1  | no    | squeeze on wheezy with KVM from bpo 
3.16.7-ckt2-1         | 3.2.65-1+deb7u1            | 2.1+dfsg-11           | no    | wheezy on jessie
3.2.63-2+deb7u2       | 3.13.0-39-generic          | 2.0.0+dfsg-4~bpo70+1  | no    | ubuntu 14.04 on wheezy with KVM from bpo 
3.2.63-2+deb7u2       | 3.16.7-1+grml.1            | 2.0.0+dfsg-4~bpo70+1  | no    | grml on wheezy with KVM from bpo 
3.2.65-1              | 3.4-trunk-amd64            | 1.1.2+dfsg-6+deb7u6   | no    | wheezy 3.4 trunk on wheezy
3.2.65-1              | 3.6-trunk-amd64            | 1.1.2+dfsg-6+deb7u6   | no    | wheezy 3.6 trunk on wheezy
3.2.65-1              | 3.7-trunk-amd64            | 1.1.2+dfsg-6+deb7u6   | no    | wheezy 3.7 trunk on wheezy
3.2.65-1              | 3.8-trunk-amd64            | 1.1.2+dfsg-6+deb7u6   | YES   | wheezy 3.8 trunk on wheezy
From our tests the problem first appears when the guest uses kernel 3.8-trunk-amd64.
Testing with different qemu-kvm versions has shown that no direct relation exists.
-- Package-specific info:
** Version:
Linux version 3.16.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.8.4 (Debian 4.8.4-1) ) #1 SMP Debian 3.16.7-ckt4-3 (2015-02-03)
** Command line:
root=/dev/vda3 ro 
** Not tainted
** Kernel log:
[    0.822291] virtio-pci 0000:00:05.0: irq 44 for MSI/MSI-X
[    0.896563] ata2.01: NODEV after polling detection
[    0.897094] ata2.00: ATAPI: QEMU DVD-ROM, 1.1.2, max UDMA/100
[    0.898478] ata2.00: configured for MWDMA2
[    0.900231] scsi 1:0:0:0: CD-ROM            QEMU     QEMU DVD-ROM     1.1. PQ: 0 ANSI: 5
[    0.921570] sr0: scsi3-mmc drive: 4x/4x cd/rw xa/form2 tray
[    0.922599] cdrom: Uniform CD-ROM driver Revision: 3.20
[    0.924093] sr 1:0:0:0: Attached scsi CD-ROM sr0
[    0.926157] sr 1:0:0:0: Attached scsi generic sg0 type 5
[    0.939244]  vda: vda1 vda2 vda3
[    1.036190] usb 1-1: new full-speed USB device number 2 using uhci_hcd
[    1.453028] usb 1-1: New USB device found, idVendor=0627, idProduct=0001
[    1.453815] usb 1-1: New USB device strings: Mfr=1, Product=3, SerialNumber=5
[    1.454508] usb 1-1: Product: QEMU USB Tablet
[    1.455104] usb 1-1: Manufacturer: QEMU 1.1.2
[    1.455684] usb 1-1: SerialNumber: 42
[    1.466088] hidraw: raw HID events driver (C) Jiri Kosina
[    1.477309] usbcore: registered new interface driver usbhid
[    1.477943] usbhid: USB HID core driver
[    1.482236] input: QEMU 1.1.2 QEMU USB Tablet as /devices/pci0000:00/0000:00:01.2/usb1/1-1/1-1:1.0/0003:0627:0001.0001/input/input2
[    1.483794] hid-generic 0003:0627:0001.0001: input,hidraw0: USB HID v0.01 Pointer [QEMU 1.1.2 QEMU USB Tablet] on usb-0000:00:01.2-1/input0
[    1.568374] tsc: Refined TSC clocksource calibration: 2266.728 MHz
[    1.879342] PM: Starting manual resume from disk
[    1.880338] PM: Hibernation image partition 254:2 present
[    1.880341] PM: Looking for hibernation image.
[    1.881505] PM: Image not found (code -22)
[    1.881508] PM: Hibernation image not present or could not be loaded.
[    1.898924] EXT4-fs (vda3): mounting ext3 file system using the ext4 subsystem
[    1.902497] EXT4-fs (vda3): INFO: recovery required on readonly filesystem
[    1.903196] EXT4-fs (vda3): write access will be enabled during recovery
[    2.202609] EXT4-fs (vda3): recovery complete
[    2.228302] EXT4-fs (vda3): mounted filesystem with ordered data mode. Opts: (null)
[    4.100342] systemd[1]: systemd 215 running in system mode. (+PAM +AUDIT +SELINUX +IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ -SECCOMP -APPARMOR)
[    4.104105] systemd[1]: Detected virtualization 'kvm'.
[    4.104533] systemd[1]: Detected architecture 'x86-64'.
[    4.784557] systemd[1]: Inserted module 'autofs4'
[    4.815378] systemd[1]: Set hostname to <jessie.me>.
[    7.986571] systemd[1]: Cannot add dependency job for unit display-manager.service, ignoring: Unit display-manager.service failed to load: No such file or directory.
[    7.989086] systemd[1]: Starting Forward Password Requests to Wall Directory Watch.
[    7.990332] systemd[1]: Started Forward Password Requests to Wall Directory Watch.
[    7.991495] systemd[1]: Starting Remote File Systems (Pre).
[    7.994060] systemd[1]: Reached target Remote File Systems (Pre).
[    7.994752] systemd[1]: Starting Encrypted Volumes.
[    7.997096] systemd[1]: Reached target Encrypted Volumes.
[    7.997783] systemd[1]: Starting Dispatch Password Requests to Console Directory Watch.
[    7.999125] systemd[1]: Started Dispatch Password Requests to Console Directory Watch.
[    8.000400] systemd[1]: Starting Arbitrary Executable File Formats File System Automount Point.
[    8.003566] systemd[1]: Set up automount Arbitrary Executable File Formats File System Automount Point.
[    8.004892] systemd[1]: Expecting device dev-disk-by\x2duuid-b6399fc6\x2d6dfd\x2d4d05\x2d974b\x2d0854eaf1920a.device...
[    8.007574] systemd[1]: Expecting device dev-disk-by\x2duuid-9ff3bacd\x2d543d\x2d4ff4\x2db2d5\x2de9046e73efce.device...
[    8.009606] systemd[1]: Starting Root Slice.
[    8.017043] systemd[1]: Created slice Root Slice.
[    8.017451] systemd[1]: Starting User and Session Slice.
[    8.019081] systemd[1]: Created slice User and Session Slice.
[    8.019557] systemd[1]: Starting Delayed Shutdown Socket.
[    8.021144] systemd[1]: Listening on Delayed Shutdown Socket.
[    8.021579] systemd[1]: Starting /dev/initctl Compatibility Named Pipe.
[    8.023226] systemd[1]: Listening on /dev/initctl Compatibility Named Pipe.
[    8.023722] systemd[1]: Starting Journal Socket (/dev/log).
[    8.025367] systemd[1]: Listening on Journal Socket (/dev/log).
[    8.025787] systemd[1]: Starting Syslog Socket.
[    8.027450] systemd[1]: Listening on Syslog Socket.
[    8.028097] systemd[1]: Starting udev Control Socket.
[    8.029524] systemd[1]: Listening on udev Control Socket.
[    8.030125] systemd[1]: Starting udev Kernel Socket.
[    8.031684] systemd[1]: Listening on udev Kernel Socket.
[    8.032394] systemd[1]: Starting Journal Socket.
[    8.033907] systemd[1]: Listening on Journal Socket.
[    8.034516] systemd[1]: Starting System Slice.
[    8.036150] systemd[1]: Created slice System Slice.
[    8.036655] systemd[1]: Starting File System Check on Root Device...
[    8.038841] systemd[1]: Starting system-systemd\x2dfsck.slice.
[    8.041029] systemd[1]: Created slice system-systemd\x2dfsck.slice.
[    8.041567] systemd[1]: Starting system-getty.slice.
[    8.043302] systemd[1]: Created slice system-getty.slice.
[    8.081282] systemd[1]: Started Set Up Additional Binary Formats.
[    8.082127] systemd[1]: Mounting Huge Pages File System...
[    8.084872] systemd[1]: Mounting POSIX Message Queue File System...
[    8.087634] systemd[1]: Mounting Debug File System...
[    8.119867] systemd[1]: Starting Load Kernel Modules...
[    8.122768] systemd[1]: Starting Create list of required static device nodes for the current kernel...
[    8.126254] systemd[1]: Starting udev Coldplug all Devices...
[    8.129225] systemd[1]: Starting Journal Service...
[    8.134571] systemd[1]: Started Journal Service.
[    8.919552] systemd-udevd[146]: starting version 215
[    9.348317] input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input3
[    9.348323] ACPI: Power Button [PWRF]
[    9.498808] EXT4-fs (vda3): re-mounted. Opts: (null)
[    9.503648] parport_pc 00:04: reported by Plug and Play ACPI
[    9.504793] parport0: PC-style at 0x378, irq 7 [PCSPP,TRISTATE]
[    9.543131] input: PC Speaker as /devices/platform/pcspkr/input/input4
[    9.543223] piix4_smbus 0000:00:01.3: SMBus Host Controller at 0xb100, revision 0
[    9.593875] [drm] Initialized drm 1.1.0 20060810
[    9.644863] ppdev: user-space parallel port driver
[    9.700609] Adding 524284k swap on /dev/vda2.  Priority:-1 extents:1 across:524284k FS
[   10.220994] EXT4-fs (vda1): mounting ext3 file system using the ext4 subsystem
[   10.238827] EXT4-fs (vda1): mounted filesystem with ordered data mode. Opts: (null)
[   10.443072] systemd-journald[132]: Received request to flush runtime journal from PID 1
[   10.455144] input: ImExPS/2 Generic Explorer Mouse as /devices/platform/i8042/serio1/input/input5
[   89.569179] random: nonblocking pool is initialized
** Model information
sys_vendor: Bochs
product_name: Bochs
product_version: 
chassis_vendor: Bochs
chassis_version: 
bios_vendor: Bochs
bios_version: Bochs
** Loaded modules:
ppdev
ttm
psmouse
drm_kms_helper
joydev
drm
evdev
pcspkr
i2c_piix4
serio_raw
i2c_core
parport_pc
pvpanic
virtio_balloon
parport
processor
thermal_sys
button
autofs4
ext4
crc16
mbcache
jbd2
hid_generic
usbhid
hid
sg
sr_mod
cdrom
ata_generic
virtio_blk
virtio_net
ata_piix
floppy
libata
uhci_hcd
ehci_hcd
virtio_pci
scsi_mod
virtio_ring
virtio
usbcore
usb_common
** Network interface configuration:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
** Network status:
*** IP interfaces and addresses:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether aa:aa:bb:cc:cc:dd brd ff:ff:ff:ff:ff:ff
    inet 62.217.xxx.yyy/24 brd 62.217.zzz.zzz scope global eth0
       valid_lft forever preferred_lft forever
    inet6 2001:648:2ffc:113:aaaa:bbbb:cccc:dddd/64 scope global mngtmpaddr dynamic 
       valid_lft forever preferred_lft forever
    inet6 fe80::aaaa:bbbb:cccc:dddd/64 scope link 
       valid_lft forever preferred_lft forever
*** Device statistics:
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0: 26678658   25330    0    1    0     0          0         0  4560997   27233    0    0    0     0       0          0
    lo:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
*** Protocol statistics:
Ip:
    24068 total packets received
    1 with invalid addresses
    0 forwarded
    0 incoming packets discarded
    24067 incoming packets delivered
    26125 requests sent out
Icmp:
    48 ICMP messages received
    39 input ICMP message failed.
    ICMP input histogram:
        destination unreachable: 39
        timeout in transit: 1
        echo requests: 8
    174 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 166
        echo replies: 8
IcmpMsg:
        InType3: 39
        InType8: 8
        InType11: 1
        OutType0: 8
        OutType3: 166
Tcp:
    86 active connections openings
    1165 passive connection openings
    33 failed connection attempts
    8 connection resets received
    1 connections established
    23009 segments received
    24375 segments send out
    898 segments retransmited
    2 bad segments received.
    417 resets sent
    InCsumErrors: 1
Udp:
    1152 packets received
    166 packets to unknown port received.
    0 packet receive errors
    1161 packets sent
UdpLite:
TcpExt:
    4 invalid SYN cookies received
    33 resets received for embryonic SYN_RECV sockets
    50 TCP sockets finished time wait in fast timer
    2 packets rejects in established connections because of timestamp
    2899 delayed acks sent
    Quick ack mode was activated 279 times
    1 SYNs to LISTEN sockets dropped
    300 packets directly queued to recvmsg prequeue.
    10 bytes directly received in process context from prequeue
    6979 packet headers predicted
    3855 acknowledgments not containing data payload received
    3484 predicted acknowledgments
    52 times recovered from packet loss by selective acknowledgements
    1 congestion windows recovered without slow start by DSACK
    18 congestion windows recovered without slow start after partial ack
    8 timeouts after SACK recovery
    52 fast retransmits
    3 retransmits in slow start
    245 other TCP timeouts
    TCPLossProbes: 539
    TCPLossProbeRecovery: 313
    5 SACK retransmits failed
    281 DSACKs sent for old packets
    76 DSACKs received
    2 connections reset due to early user close
    TCPDSACKIgnoredNoUndo: 33
    TCPSpuriousRTOs: 1
    TCPSackShiftFallback: 57
    TCPRcvCoalesce: 1357
    TCPOFOQueue: 48
    TCPChallengeACK: 1
    TCPSYNChallenge: 1
    TCPWantZeroWindowAdv: 7
    TCPSynRetrans: 181
    TCPOrigDataSent: 10857
IpExt:
    InOctets: 23732474
    OutOctets: 4082166
    InNoECTPkts: 24066
    InECT0Pkts: 2
** PCI devices:
not available
** USB devices:
not available
-- System Information:
Debian Release: 8.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=el_GR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages linux-image-3.16.0-4-amd64 depends on:
ii  debconf [debconf-2.0]                   1.5.55
ii  initramfs-tools [linux-initramfs-tool]  0.116
ii  kmod                                    18-3
ii  linux-base                              3.5
ii  module-init-tools                       18-3
Versions of packages linux-image-3.16.0-4-amd64 recommends:
ii  firmware-linux-free  3.3
ii  irqbalance           1.0.6-3
Versions of packages linux-image-3.16.0-4-amd64 suggests:
pn  debian-kernel-handbook         <none>
pn  grub-pc | grub-efi | extlinux  <none>
pn  linux-doc-3.16                 <none>
Versions of packages linux-image-3.16.0-4-amd64 is related to:
pn  firmware-atheros        <none>
pn  firmware-bnx2           <none>
pn  firmware-bnx2x          <none>
pn  firmware-brcm80211      <none>
pn  firmware-intelwimax     <none>
pn  firmware-ipw2x00        <none>
pn  firmware-ivtv           <none>
pn  firmware-iwlwifi        <none>
pn  firmware-libertas       <none>
pn  firmware-linux          <none>
pn  firmware-linux-nonfree  <none>
pn  firmware-myricom        <none>
pn  firmware-netxen         <none>
pn  firmware-qlogic         <none>
pn  firmware-ralink         <none>
pn  firmware-realtek        <none>
pn  xen-hypervisor          <none>
-- debconf information:
  linux-image-3.16.0-4-amd64/postinst/mips-initrd-3.16.0-4-amd64:
  linux-image-3.16.0-4-amd64/prerm/removing-running-kernel-3.16.0-4-amd64: true
  linux-image-3.16.0-4-amd64/postinst/depmod-error-initrd-3.16.0-4-amd64: false