diff --git a/SOURCES/kvm-Do-not-build-bluetooth-support.patch b/SOURCES/kvm-Do-not-build-bluetooth-support.patch
new file mode 100644
index 0000000..d3683df
--- /dev/null
+++ b/SOURCES/kvm-Do-not-build-bluetooth-support.patch
@@ -0,0 +1,117 @@
+From d930ba960a1abaf8b76e507707a7fe081a376741 Mon Sep 17 00:00:00 2001
+From: Miroslav Rezanina <mrezanin@redhat.com>
+Date: Mon, 17 Dec 2018 11:04:15 +0100
+Subject: [PATCH 2/2] Do not build bluetooth support
+
+RH-Author: Miroslav Rezanina <mrezanin@redhat.com>
+Message-id: <1545044655-7801-1-git-send-email-mrezanin@redhat.com>
+Patchwork-id: 83537
+O-Subject: [RHEL-7.7 qemu-kvm PATCH] Do not build bluetooth support
+Bugzilla: 1654627
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Danilo de Paula <ddepaula@redhat.com>
+RH-Acked-by: Markus Armbruster <armbru@redhat.com>
+
+From: Miroslav Rezanina <mrezanin@redhat.com>
+
+We do not support bt devices however some bt related code is built in.
+As this code is deprecated upstream disabling build of this code downstream.
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ Makefile.objs | 2 +-
+ hw/bt/Makefile.objs | 4 ++--
+ qemu-options.hx | 2 ++
+ vl.c | 6 ++++++
+ 4 files changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/Makefile.objs b/Makefile.objs
+index 74f722e44e..1712ee6133 100644
+--- a/Makefile.objs
++++ b/Makefile.objs
+@@ -64,7 +64,7 @@ common-obj-y += audio/
+ common-obj-y += hw/
+
+ common-obj-y += ui/
+-common-obj-y += bt-host.o bt-vhci.o
++#common-obj-y += bt-host.o bt-vhci.o
+
+ common-obj-y += dma-helpers.o
+ common-obj-y += vl.o
+diff --git a/hw/bt/Makefile.objs b/hw/bt/Makefile.objs
+index 867a7d2e8a..e678e9ee3c 100644
+--- a/hw/bt/Makefile.objs
++++ b/hw/bt/Makefile.objs
+@@ -1,3 +1,3 @@
+-common-obj-y += core.o l2cap.o sdp.o hci.o hid.o
+-common-obj-y += hci-csr.o
++#common-obj-y += core.o l2cap.o sdp.o hci.o hid.o
++#common-obj-y += hci-csr.o
+
+diff --git a/qemu-options.hx b/qemu-options.hx
+index 24ffab6a50..bcf1b8f755 100644
+--- a/qemu-options.hx
++++ b/qemu-options.hx
+@@ -2157,6 +2157,7 @@ STEXI
+ @end table
+ ETEXI
+
++#if 0
+ DEFHEADING(Bluetooth(R) options:)
+ STEXI
+ @table @option
+@@ -2231,6 +2232,7 @@ STEXI
+ @end table
+ ETEXI
+ DEFHEADING()
++#endif
+
+ #ifdef CONFIG_TPM
+ DEFHEADING(TPM device options:)
+diff --git a/vl.c b/vl.c
+index 7c34b7c64f..5c5cdbe88b 100644
+--- a/vl.c
++++ b/vl.c
+@@ -840,6 +840,7 @@ static void configure_rtc(QemuOpts *opts)
+ }
+ }
+
++#if 0 // Disabled for Red Hat Enterprise Linux
+ /***********************************************************/
+ /* Bluetooth support */
+ static int nb_hcis;
+@@ -961,6 +962,7 @@ static int bt_parse(const char *opt)
+ fprintf(stderr, "qemu: bad bluetooth parameter '%s'\n", opt);
+ return 1;
+ }
++#endif
+
+ static int parse_sandbox(QemuOpts *opts, void *opaque)
+ {
+@@ -3132,9 +3134,11 @@ int main(int argc, char **argv, char **envp)
+ exit(1);
+ break;
+ #endif
++#if 0 // Disabled for Red Hat Enterprise Linux
+ case QEMU_OPTION_bt:
+ add_device_config(DEV_BT, optarg);
+ break;
++#endif
+ case QEMU_OPTION_audio_help:
+ AUD_help ();
+ exit (0);
+@@ -4113,9 +4117,11 @@ int main(int argc, char **argv, char **envp)
+ }
+ #endif
+
++#if 0 // Disabled for Red Hat Enterprise Linux
+ /* init the bluetooth world */
+ if (foreach_device_config(DEV_BT, bt_parse))
+ exit(1);
++#endif
+
+ if (!xen_enabled()) {
+ /* On 32-bit hosts, QEMU is limited by virtual address space */
+--
+2.19.1
+
diff --git a/SOURCES/kvm-Fix-eax-for-cpuid-leaf-0x40000000.patch b/SOURCES/kvm-Fix-eax-for-cpuid-leaf-0x40000000.patch
new file mode 100644
index 0000000..699e2f5
--- /dev/null
+++ b/SOURCES/kvm-Fix-eax-for-cpuid-leaf-0x40000000.patch
@@ -0,0 +1,51 @@
+From 9903f2031b13dfeff37514197cdd56cbcb3431f4 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Wed, 15 May 2019 15:53:55 +0200
+Subject: [PATCH 1/4] kvm: Fix eax for cpuid leaf 0x40000000
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20190515155355.22182-2-ehabkost@redhat.com>
+Patchwork-id: 87888
+O-Subject: [RHEL-7.7 qemu-kvm PATCH 1/1] kvm: Fix eax for cpuid leaf 0x40000000
+Bugzilla: 1709495
+RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Sergio Lopez Pascual <slp@redhat.com>
+
+From: Jidong Xiao <jidong.xiao@gmail.com>
+
+Since Linux kernel 3.5, KVM has documented eax for leaf 0x40000000
+to be KVM_CPUID_FEATURES:
+
+https://github.com/torvalds/linux/commit/57c22e5f35aa4b9b2fe11f73f3e62bbf9ef36190
+
+But qemu still tries to set it to 0. It would be better to make qemu
+and kvm consistent. This patch just fixes this issue.
+
+Signed-off-by: Jidong Xiao <jidong.xiao@gmail.com>
+[Include kvm_base in the value. - Paolo]
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 79b6f2f651d64a122dd647c1456635d5a6a176ac)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/kvm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target-i386/kvm.c b/target-i386/kvm.c
+index 35a9cf4..d5f6deb 100644
+--- a/target-i386/kvm.c
++++ b/target-i386/kvm.c
+@@ -532,7 +532,7 @@ int kvm_arch_init_vcpu(CPUState *cs)
+ memcpy(signature, "KVMKVMKVM\0\0\0", 12);
+ c = &cpuid_data.entries[cpuid_i++];
+ c->function = KVM_CPUID_SIGNATURE | kvm_base;
+- c->eax = 0;
++ c->eax = KVM_CPUID_FEATURES | kvm_base;
+ c->ebx = signature[0];
+ c->ecx = signature[1];
+ c->edx = signature[2];
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-Inhibit-ballooning-during-postcopy.patch b/SOURCES/kvm-Inhibit-ballooning-during-postcopy.patch
new file mode 100644
index 0000000..bd1a2e5
--- /dev/null
+++ b/SOURCES/kvm-Inhibit-ballooning-during-postcopy.patch
@@ -0,0 +1,110 @@
+From cc224bcb3c12238466f8a6a366d3f813fb866a16 Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Thu, 13 Dec 2018 21:54:28 +0100
+Subject: [PATCH 1/5] Inhibit ballooning during postcopy
+
+RH-Author: Alex Williamson <alex.williamson@redhat.com>
+Message-id: <154473806860.22725.2305869657628116679.stgit@gimli.home>
+Patchwork-id: 83493
+O-Subject: [RHEL-7.7 qemu-kvm PATCH 1/5] Inhibit ballooning during postcopy
+Bugzilla: 1659229
+RH-Acked-by: Peter Xu <peterx@redhat.com>
+RH-Acked-by: Cornelia Huck <cohuck@redhat.com>
+RH-Acked-by: Auger Eric <eric.auger@redhat.com>
+
+From: Dr. David Alan Gilbert <dgilbert@redhat.com>
+
+Bugzilla: 1659229
+Notes: Dropped all but balloon inhibitor infrastructure
+
+Postcopy detects accesses to pages that haven't been transferred yet
+using userfaultfd, and it causes exceptions on pages that are 'not
+present'.
+Ballooning also causes pages to be marked as 'not present' when the
+guest inflates the balloon.
+Potentially a balloon could be inflated to discard pages that are
+currently inflight during postcopy and that may be arriving at about
+the same time.
+
+To avoid this confusion, disable ballooning during postcopy.
+
+When disabled we drop balloon requests from the guest. Since ballooning
+is generally initiated by the host, the management system should avoid
+initiating any balloon instructions to the guest during migration,
+although it's not possible to know how long it would take a guest to
+process a request made prior to the start of migration.
+Guest initiated ballooning will not know if it's really freed a page
+of host memory or not.
+
+Queueing the requests until after migration would be nice, but is
+non-trivial, since the set of inflate/deflate requests have to
+be compared with the state of the page to know what the final
+outcome is allowed to be.
+
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Reviewed-by: Juan Quintela <quintela@redhat.com>
+Reviewed-by: Amit Shah <amit.shah@redhat.com>
+Signed-off-by: Juan Quintela <quintela@redhat.com>
+(cherry picked from commit 371ff5a3f04cd7d05bab49ac6e80da319026d95b)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ balloon.c | 11 +++++++++++
+ hw/virtio/virtio-balloon.c | 4 +++-
+ include/sysemu/balloon.h | 2 ++
+ 3 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/balloon.c b/balloon.c
+index e321f2c..c7a0cf1 100644
+--- a/balloon.c
++++ b/balloon.c
+@@ -35,6 +35,17 @@
+ static QEMUBalloonEvent *balloon_event_fn;
+ static QEMUBalloonStatus *balloon_stat_fn;
+ static void *balloon_opaque;
++static bool balloon_inhibited;
++
++bool qemu_balloon_is_inhibited(void)
++{
++ return balloon_inhibited;
++}
++
++void qemu_balloon_inhibit(bool state)
++{
++ balloon_inhibited = state;
++}
+
+ int qemu_add_balloon_handler(QEMUBalloonEvent *event_func,
+ QEMUBalloonStatus *stat_func, void *opaque)
+diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
+index 1a60d3c..c9562ef 100644
+--- a/hw/virtio/virtio-balloon.c
++++ b/hw/virtio/virtio-balloon.c
+@@ -34,9 +34,11 @@
+ static void balloon_page(void *addr, int deflate)
+ {
+ #if defined(__linux__)
+- if (!kvm_enabled() || kvm_has_sync_mmu())
++ if (!qemu_balloon_is_inhibited() && (!kvm_enabled() ||
++ kvm_has_sync_mmu())) {
+ qemu_madvise(addr, TARGET_PAGE_SIZE,
+ deflate ? QEMU_MADV_WILLNEED : QEMU_MADV_DONTNEED);
++ }
+ #endif
+ }
+
+diff --git a/include/sysemu/balloon.h b/include/sysemu/balloon.h
+index bd9d395..eb5af19 100644
+--- a/include/sysemu/balloon.h
++++ b/include/sysemu/balloon.h
+@@ -23,6 +23,8 @@ typedef void (QEMUBalloonStatus)(void *opaque, BalloonInfo *info);
+ int qemu_add_balloon_handler(QEMUBalloonEvent *event_func,
+ QEMUBalloonStatus *stat_func, void *opaque);
+ void qemu_remove_balloon_handler(void *opaque);
++bool qemu_balloon_is_inhibited(void);
++void qemu_balloon_inhibit(bool state);
+
+ void qemu_balloon_changed(int64_t actual);
+
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-Use-inhibit-to-prevent-ballooning-without-synchr.patch b/SOURCES/kvm-Use-inhibit-to-prevent-ballooning-without-synchr.patch
new file mode 100644
index 0000000..6f6c985
--- /dev/null
+++ b/SOURCES/kvm-Use-inhibit-to-prevent-ballooning-without-synchr.patch
@@ -0,0 +1,79 @@
+From 56e7f4a46b448ec40f72272658296df226ff0b5a Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Thu, 13 Dec 2018 21:55:20 +0100
+Subject: [PATCH 4/5] kvm: Use inhibit to prevent ballooning without
+ synchronous mmu
+
+RH-Author: Alex Williamson <alex.williamson@redhat.com>
+Message-id: <154473812068.22725.2716400707312373292.stgit@gimli.home>
+Patchwork-id: 83496
+O-Subject: [RHEL-7.7 qemu-kvm PATCH 4/5] kvm: Use inhibit to prevent ballooning without synchronous mmu
+Bugzilla: 1659229
+RH-Acked-by: Peter Xu <peterx@redhat.com>
+RH-Acked-by: Cornelia Huck <cohuck@redhat.com>
+RH-Acked-by: Auger Eric <eric.auger@redhat.com>
+
+Bugzilla: 1659229
+
+Remove KVM specific tests in balloon_page(), instead marking
+ballooning as inhibited without KVM_CAP_SYNC_MMU support.
+
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Peter Xu <peterx@redhat.com>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+(cherry picked from commit f59489423ab79852e98d9b3025b7d99ba8da584f)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/virtio/virtio-balloon.c | 4 +---
+ kvm-all.c | 4 ++++
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
+index c9562ef..d8add23 100644
+--- a/hw/virtio/virtio-balloon.c
++++ b/hw/virtio/virtio-balloon.c
+@@ -21,7 +21,6 @@
+ #include "cpu.h"
+ #include "sysemu/balloon.h"
+ #include "hw/virtio/virtio-balloon.h"
+-#include "sysemu/kvm.h"
+ #include "exec/address-spaces.h"
+ #include "qapi/visitor.h"
+
+@@ -34,8 +33,7 @@
+ static void balloon_page(void *addr, int deflate)
+ {
+ #if defined(__linux__)
+- if (!qemu_balloon_is_inhibited() && (!kvm_enabled() ||
+- kvm_has_sync_mmu())) {
++ if (!qemu_balloon_is_inhibited()) {
+ qemu_madvise(addr, TARGET_PAGE_SIZE,
+ deflate ? QEMU_MADV_WILLNEED : QEMU_MADV_DONTNEED);
+ }
+diff --git a/kvm-all.c b/kvm-all.c
+index f5b7958..572275e 100644
+--- a/kvm-all.c
++++ b/kvm-all.c
+@@ -17,6 +17,7 @@
+ #include <sys/ioctl.h>
+ #include <sys/mman.h>
+ #include <stdarg.h>
++#include "sysemu/balloon.h"
+
+ #include <linux/kvm.h>
+
+@@ -1481,6 +1482,9 @@ int kvm_init(void)
+ cpu_interrupt_handler = kvm_handle_interrupt;
+
+ s->sync_mmu = !!kvm_check_extension(kvm_state, KVM_CAP_SYNC_MMU);
++ if (!s->sync_mmu) {
++ qemu_balloon_inhibit(true);
++ }
+
+ return 0;
+
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-balloon-Allow-multiple-inhibit-users.patch b/SOURCES/kvm-balloon-Allow-multiple-inhibit-users.patch
new file mode 100644
index 0000000..453160b
--- /dev/null
+++ b/SOURCES/kvm-balloon-Allow-multiple-inhibit-users.patch
@@ -0,0 +1,71 @@
+From 8e0778982e9a71000c6a1d999e0caf5934bebd61 Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Thu, 13 Dec 2018 21:54:44 +0100
+Subject: [PATCH 2/5] balloon: Allow multiple inhibit users
+
+RH-Author: Alex Williamson <alex.williamson@redhat.com>
+Message-id: <154473808463.22725.5535931320059757090.stgit@gimli.home>
+Patchwork-id: 83494
+O-Subject: [RHEL-7.7 qemu-kvm PATCH 2/5] balloon: Allow multiple inhibit users
+Bugzilla: 1659229
+RH-Acked-by: Peter Xu <peterx@redhat.com>
+RH-Acked-by: Cornelia Huck <cohuck@redhat.com>
+RH-Acked-by: Auger Eric <eric.auger@redhat.com>
+
+Bugzilla: 1659229
+
+A simple true/false internal state does not allow multiple users. Fix
+this within the existing interface by converting to a counter, so long
+as the counter is elevated, ballooning is inhibited.
+
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Peter Xu <peterx@redhat.com>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+(cherry picked from commit 01ccbec7bdf6f89f1b7d46dda05e4c1fd2dd5ade)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ balloon.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/balloon.c b/balloon.c
+index c7a0cf1..6a17096 100644
+--- a/balloon.c
++++ b/balloon.c
+@@ -25,6 +25,7 @@
+ */
+
+ #include "monitor/monitor.h"
++#include "qemu/atomic.h"
+ #include "exec/cpu-common.h"
+ #include "sysemu/kvm.h"
+ #include "sysemu/balloon.h"
+@@ -35,16 +36,22 @@
+ static QEMUBalloonEvent *balloon_event_fn;
+ static QEMUBalloonStatus *balloon_stat_fn;
+ static void *balloon_opaque;
+-static bool balloon_inhibited;
++static int balloon_inhibit_count;
+
+ bool qemu_balloon_is_inhibited(void)
+ {
+- return balloon_inhibited;
++ return atomic_read(&balloon_inhibit_count) > 0;
+ }
+
+ void qemu_balloon_inhibit(bool state)
+ {
+- balloon_inhibited = state;
++ if (state) {
++ atomic_inc(&balloon_inhibit_count);
++ } else {
++ atomic_dec(&balloon_inhibit_count);
++ }
++
++ assert(atomic_read(&balloon_inhibit_count) >= 0);
+ }
+
+ int qemu_add_balloon_handler(QEMUBalloonEvent *event_func,
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-check-KVM_CAP_SYNC_MMU-with-kvm_vm_check_extensi.patch b/SOURCES/kvm-check-KVM_CAP_SYNC_MMU-with-kvm_vm_check_extensi.patch
new file mode 100644
index 0000000..32dae59
--- /dev/null
+++ b/SOURCES/kvm-check-KVM_CAP_SYNC_MMU-with-kvm_vm_check_extensi.patch
@@ -0,0 +1,116 @@
+From 53c0d0dcad838ef8b9b0faf0c8066d47380f2cf1 Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Thu, 13 Dec 2018 21:55:04 +0100
+Subject: [PATCH 3/5] kvm: check KVM_CAP_SYNC_MMU with kvm_vm_check_extension()
+
+RH-Author: Alex Williamson <alex.williamson@redhat.com>
+Message-id: <154473810399.22725.17809569801460658619.stgit@gimli.home>
+Patchwork-id: 83495
+O-Subject: [RHEL-7.7 qemu-kvm PATCH 3/5] kvm: check KVM_CAP_SYNC_MMU with kvm_vm_check_extension()
+Bugzilla: 1659229
+RH-Acked-by: Peter Xu <peterx@redhat.com>
+RH-Acked-by: Cornelia Huck <cohuck@redhat.com>
+RH-Acked-by: Auger Eric <eric.auger@redhat.com>
+
+From: Greg Kurz <groug@kaod.org>
+
+Bugzilla: 1659229
+Notes: We don't have kvm_vm_check_extension() but we can still
+ cache the result, which gives us the same hook to trigger
+ the balloon inhibitor here.
+
+On a server-class ppc host, this capability depends on the KVM type,
+ie, HV or PR. If both KVM are present in the kernel, we will always
+get the HV specific value, even if we explicitely requested PR on
+the command line.
+
+This can have an impact if we're using hugepages or a balloon device.
+
+Since we've already created the VM at the time any user calls
+kvm_has_sync_mmu(), switching to kvm_vm_check_extension() is
+enough to fix any potential issue.
+
+It is okay for the other archs that also implement KVM_CAP_SYNC_MMU,
+ie, mips, s390, x86 and arm, because they don't depend on the VM being
+created or not.
+
+While here, let's cache the state of this extension in a bool variable,
+since it has several users in the code, as suggested by Thomas Huth.
+
+Signed-off-by: Greg Kurz <groug@kaod.org>
+Message-Id: <150600965332.30533.14702405809647835716.stgit@bahia.lan>
+Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 62dd4edaaf859b60f74a51f2a526d4d3d85d0248)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ include/sysemu/kvm.h | 2 +-
+ kvm-all.c | 7 +++++--
+ kvm-stub.c | 4 ++--
+ 3 files changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/include/sysemu/kvm.h b/include/sysemu/kvm.h
+index 49cfc42..e4403be 100644
+--- a/include/sysemu/kvm.h
++++ b/include/sysemu/kvm.h
+@@ -135,7 +135,7 @@ extern KVMState *kvm_state;
+
+ int kvm_init(void);
+
+-int kvm_has_sync_mmu(void);
++bool kvm_has_sync_mmu(void);
+ int kvm_has_vcpu_events(void);
+ int kvm_has_robust_singlestep(void);
+ int kvm_has_debugregs(void);
+diff --git a/kvm-all.c b/kvm-all.c
+index 9486b9a..f5b7958 100644
+--- a/kvm-all.c
++++ b/kvm-all.c
+@@ -92,6 +92,7 @@ struct KVMState
+ int xsave, xcrs;
+ int many_ioeventfds;
+ int intx_set_mask;
++ bool sync_mmu;
+ /* The man page (and posix) say ioctl numbers are signed int, but
+ * they're not. Linux, glibc and *BSD all treat ioctl numbers as
+ * unsigned, and treating them as signed here can break things */
+@@ -1479,6 +1480,8 @@ int kvm_init(void)
+
+ cpu_interrupt_handler = kvm_handle_interrupt;
+
++ s->sync_mmu = !!kvm_check_extension(kvm_state, KVM_CAP_SYNC_MMU);
++
+ return 0;
+
+ err:
+@@ -1775,9 +1778,9 @@ int kvm_vcpu_ioctl(CPUState *cpu, int type, ...)
+ return ret;
+ }
+
+-int kvm_has_sync_mmu(void)
++bool kvm_has_sync_mmu(void)
+ {
+- return kvm_check_extension(kvm_state, KVM_CAP_SYNC_MMU);
++ return kvm_state->sync_mmu;
+ }
+
+ int kvm_has_vcpu_events(void)
+diff --git a/kvm-stub.c b/kvm-stub.c
+index 22eaff0..ca6ddd7 100644
+--- a/kvm-stub.c
++++ b/kvm-stub.c
+@@ -59,9 +59,9 @@ int kvm_cpu_exec(CPUArchState *env)
+ abort ();
+ }
+
+-int kvm_has_sync_mmu(void)
++bool kvm_has_sync_mmu(void)
+ {
+- return 0;
++ return false;
+ }
+
+ int kvm_has_many_ioeventfds(void)
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-i386-Deprecate-arch-facilities-and-make-it-block-liv.patch b/SOURCES/kvm-i386-Deprecate-arch-facilities-and-make-it-block-liv.patch
index 75a1165..8011d2d 100644
--- a/SOURCES/kvm-i386-Deprecate-arch-facilities-and-make-it-block-liv.patch
+++ b/SOURCES/kvm-i386-Deprecate-arch-facilities-and-make-it-block-liv.patch
@@ -1,14 +1,14 @@
-From 8cafea931977e494797584610664279ea21ef427 Mon Sep 17 00:00:00 2001
+From 59c1aecdd92dc66e92f8ffe8a2a5e121031a2ae7 Mon Sep 17 00:00:00 2001
From: Eduardo Habkost <ehabkost@redhat.com>
Date: Fri, 21 Dec 2018 00:31:11 +0100
-Subject: [PATCH] i386: Deprecate arch-facilities and make it block live
+Subject: [PATCH 1/2] i386: Deprecate arch-facilities and make it block live
migration
RH-Author: Eduardo Habkost <ehabkost@redhat.com>
Message-id: <20181221003111.32374-1-ehabkost@redhat.com>
Patchwork-id: 83733
O-Subject: [RHEL-7.7 qemu-kvm PATCH] i386: Deprecate arch-facilities and make it block live migration
-Bugzilla: 1664792
+Bugzilla: 1658407
RH-Acked-by: Bandan Das <bsd@redhat.com>
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
RH-Acked-by: Jiri Denemark <jdenemar@redhat.com>
diff --git a/SOURCES/kvm-slirp-check-sscanf-result-when-emulating-ident.patch b/SOURCES/kvm-slirp-check-sscanf-result-when-emulating-ident.patch
index e4347b0..dc98e6f 100644
--- a/SOURCES/kvm-slirp-check-sscanf-result-when-emulating-ident.patch
+++ b/SOURCES/kvm-slirp-check-sscanf-result-when-emulating-ident.patch
@@ -1,19 +1,19 @@
-From 5cba04974b46608f462b7ce711c8eb0966f5d101 Mon Sep 17 00:00:00 2001
+From 013f795cb54d42e6b057689f7d51fd27e1730197 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
-Date: Mon, 20 May 2019 17:00:52 +0200
-Subject: [PATCH 1/4] slirp: check sscanf result when emulating ident
+Date: Tue, 2 Apr 2019 13:39:01 +0200
+Subject: [PATCH 3/3] slirp: check sscanf result when emulating ident
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-id: <20190520170055.15404-2-marcandre.lureau@redhat.com>
-Patchwork-id: 88098
-O-Subject: [RHEL-7.6.z qemu-kvm PATCH 1/4] slirp: check sscanf result when emulating ident
-Bugzilla: 1669067
+Message-id: <20190402133901.28238-1-marcandre.lureau@redhat.com>
+Patchwork-id: 85305
+O-Subject: [RHEL-7.7 qemu-kvm PATCH] slirp: check sscanf result when emulating ident
+Bugzilla: 1689791
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
-RH-Acked-by: Thomas Huth <thuth@redhat.com>
+RH-Acked-by: Markus Armbruster <armbru@redhat.com>
+RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
From: William Bowling <will@wbowling.info>
diff --git a/SOURCES/kvm-slirp-don-t-manipulate-so_rcv-in-tcp_emu.patch b/SOURCES/kvm-slirp-don-t-manipulate-so_rcv-in-tcp_emu.patch
index 8ab4afc..7ba8686 100644
--- a/SOURCES/kvm-slirp-don-t-manipulate-so_rcv-in-tcp_emu.patch
+++ b/SOURCES/kvm-slirp-don-t-manipulate-so_rcv-in-tcp_emu.patch
@@ -1,16 +1,16 @@
-From dae1fad6e93e6bdff0d5366fdb269904cd00c83c Mon Sep 17 00:00:00 2001
+From 5e805decf566e71cd315243de9a037d99becb074 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
-Date: Mon, 20 May 2019 17:00:55 +0200
+Date: Mon, 20 May 2019 16:43:15 +0200
Subject: [PATCH 4/4] slirp: don't manipulate so_rcv in tcp_emu()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-id: <20190520170055.15404-5-marcandre.lureau@redhat.com>
-Patchwork-id: 88097
-O-Subject: [RHEL-7.6.z qemu-kvm PATCH 4/4] slirp: don't manipulate so_rcv in tcp_emu()
-Bugzilla: 1669067
+Message-id: <20190520164315.22140-4-marcandre.lureau@redhat.com>
+Patchwork-id: 88095
+O-Subject: [RHEL-7.7 qemu-kvm PATCH 3/3] slirp: don't manipulate so_rcv in tcp_emu()
+Bugzilla: 1669068
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
RH-Acked-by: Thomas Huth <thuth@redhat.com>
diff --git a/SOURCES/kvm-slirp-ensure-there-is-enough-space-in-mbuf-to-null-t.patch b/SOURCES/kvm-slirp-ensure-there-is-enough-space-in-mbuf-to-null-t.patch
index ceb2fc0..9971280 100644
--- a/SOURCES/kvm-slirp-ensure-there-is-enough-space-in-mbuf-to-null-t.patch
+++ b/SOURCES/kvm-slirp-ensure-there-is-enough-space-in-mbuf-to-null-t.patch
@@ -1,6 +1,6 @@
-From 16725ff1e92b21449017a6e3aa9b1621d06c84a4 Mon Sep 17 00:00:00 2001
+From e80c12dfdbde349dcd225771a4801b47be0b3b5f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
-Date: Mon, 20 May 2019 17:00:54 +0200
+Date: Mon, 20 May 2019 16:43:14 +0200
Subject: [PATCH 3/4] slirp: ensure there is enough space in mbuf to
null-terminate
MIME-Version: 1.0
@@ -8,10 +8,10 @@ Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-id: <20190520170055.15404-4-marcandre.lureau@redhat.com>
-Patchwork-id: 88099
-O-Subject: [RHEL-7.6.z qemu-kvm PATCH 3/4] slirp: ensure there is enough space in mbuf to null-terminate
-Bugzilla: 1669067
+Message-id: <20190520164315.22140-3-marcandre.lureau@redhat.com>
+Patchwork-id: 88094
+O-Subject: [RHEL-7.7 qemu-kvm PATCH 2/3] slirp: ensure there is enough space in mbuf to null-terminate
+Bugzilla: 1669068
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
RH-Acked-by: Thomas Huth <thuth@redhat.com>
diff --git a/SOURCES/kvm-slirp-fix-big-little-endian-conversion-in-ident-prot.patch b/SOURCES/kvm-slirp-fix-big-little-endian-conversion-in-ident-prot.patch
index 861404e..4d7e4ed 100644
--- a/SOURCES/kvm-slirp-fix-big-little-endian-conversion-in-ident-prot.patch
+++ b/SOURCES/kvm-slirp-fix-big-little-endian-conversion-in-ident-prot.patch
@@ -1,16 +1,16 @@
-From 6e4dad9d915f8de71e1695720398160c97e8ebd0 Mon Sep 17 00:00:00 2001
+From 91ca04a8a1df19f73e50733190175e137eeba933 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
-Date: Mon, 20 May 2019 17:00:53 +0200
+Date: Mon, 20 May 2019 16:43:13 +0200
Subject: [PATCH 2/4] slirp: fix big/little endian conversion in ident protocol
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-id: <20190520170055.15404-3-marcandre.lureau@redhat.com>
-Patchwork-id: 88100
-O-Subject: [RHEL-7.6.z qemu-kvm PATCH 2/4] slirp: fix big/little endian conversion in ident protocol
-Bugzilla: 1669067
+Message-id: <20190520164315.22140-2-marcandre.lureau@redhat.com>
+Patchwork-id: 88093
+O-Subject: [RHEL-7.7 qemu-kvm PATCH 1/3] slirp: fix big/little endian conversion in ident protocol
+Bugzilla: 1669068
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Thomas Huth <thuth@redhat.com>
@@ -20,10 +20,12 @@ From: Samuel Thibault <samuel.thibault@ens-lyon.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-[ MA - backported to ease backport of CVE-2019-6778 ]
+[ MA - backported to ease backport of
+ https://bugzilla.redhat.com/show_bug.cgi?id=1669068 ]
-(cherry picked from commit 1fd71067dae501f1c78618e9583c6cc72db0cfa6)
+(cherry picked from 1fd71067dae501f1c78618e9583c6cc72db0cfa6)
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
slirp/tcp_subr.c | 4 +++-
diff --git a/SOURCES/kvm-vfio-Inhibit-ballooning-based-on-group-attachment-to.patch b/SOURCES/kvm-vfio-Inhibit-ballooning-based-on-group-attachment-to.patch
new file mode 100644
index 0000000..c766450
--- /dev/null
+++ b/SOURCES/kvm-vfio-Inhibit-ballooning-based-on-group-attachment-to.patch
@@ -0,0 +1,169 @@
+From e9148733cef44bebb0d74a731a70b3304e720634 Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Thu, 13 Dec 2018 21:55:26 +0100
+Subject: [PATCH 5/5] vfio: Inhibit ballooning based on group attachment to a
+ container
+
+RH-Author: Alex Williamson <alex.williamson@redhat.com>
+Message-id: <154473812659.22725.6814768117383324849.stgit@gimli.home>
+Patchwork-id: 83497
+O-Subject: [RHEL-7.7 qemu-kvm PATCH 5/5] vfio: Inhibit ballooning based on group attachment to a container
+Bugzilla: 1659229
+RH-Acked-by: Peter Xu <peterx@redhat.com>
+RH-Acked-by: Cornelia Huck <cohuck@redhat.com>
+RH-Acked-by: Auger Eric <eric.auger@redhat.com>
+
+Bugzilla: 1659229
+Notes: Error path has more exit paths versus upstream
+
+We use a VFIOContainer to associate an AddressSpace to one or more
+VFIOGroups. The VFIOContainer represents the DMA context for that
+AdressSpace for those VFIOGroups and is synchronized to changes in
+that AddressSpace via a MemoryListener. For IOMMU backed devices,
+maintaining the DMA context for a VFIOGroup generally involves
+pinning a host virtual address in order to create a stable host
+physical address and then mapping a translation from the associated
+guest physical address to that host physical address into the IOMMU.
+
+While the above maintains the VFIOContainer synchronized to the QEMU
+memory API of the VM, memory ballooning occurs outside of that API.
+Inflating the memory balloon (ie. cooperatively capturing pages from
+the guest for use by the host) simply uses MADV_DONTNEED to "zap"
+pages from QEMU's host virtual address space. The page pinning and
+IOMMU mapping above remains in place, negating the host's ability to
+reuse the page, but the host virtual to host physical mapping of the
+page is invalidated outside of QEMU's memory API.
+
+When the balloon is later deflated, attempting to cooperatively
+return pages to the guest, the page is simply freed by the guest
+balloon driver, allowing it to be used in the guest and incurring a
+page fault when that occurs. The page fault maps a new host physical
+page backing the existing host virtual address, meanwhile the
+VFIOContainer still maintains the translation to the original host
+physical address. At this point the guest vCPU and any assigned
+devices will map different host physical addresses to the same guest
+physical address. Badness.
+
+The IOMMU typically does not have page level granularity with which
+it can track this mapping without also incurring inefficiencies in
+using page size mappings throughout. MMU notifiers in the host
+kernel also provide indicators for invalidating the mapping on
+balloon inflation, not for updating the mapping when the balloon is
+deflated. For these reasons we assume a default behavior that the
+mapping of each VFIOGroup into the VFIOContainer is incompatible
+with memory ballooning and increment the balloon inhibitor to match
+the attached VFIOGroups.
+
+Reviewed-by: Peter Xu <peterx@redhat.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+(cherry picked from commit c65ee433153b5925e183a00ebf568e160077c694)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/misc/vfio.c | 35 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 35 insertions(+)
+
+diff --git a/hw/misc/vfio.c b/hw/misc/vfio.c
+index f91eecb..f7360bf 100644
+--- a/hw/misc/vfio.c
++++ b/hw/misc/vfio.c
+@@ -37,6 +37,7 @@
+ #include "qemu/event_notifier.h"
+ #include "qemu/queue.h"
+ #include "qemu/range.h"
++#include "sysemu/balloon.h"
+ #include "sysemu/kvm.h"
+ #include "sysemu/sysemu.h"
+ #include "trace.h"
+@@ -3667,6 +3668,33 @@ static int vfio_connect_container(VFIOGroup *group)
+ return 0;
+ }
+
++ /*
++ * VFIO is currently incompatible with memory ballooning insofar as the
++ * madvise to purge (zap) the page from QEMU's address space does not
++ * interact with the memory API and therefore leaves stale virtual to
++ * physical mappings in the IOMMU if the page was previously pinned. We
++ * therefore add a balloon inhibit for each group added to a container,
++ * whether the container is used individually or shared. This provides
++ * us with options to allow devices within a group to opt-in and allow
++ * ballooning, so long as it is done consistently for a group (for instance
++ * if the device is an mdev device where it is known that the host vendor
++ * driver will never pin pages outside of the working set of the guest
++ * driver, which would thus not be ballooning candidates).
++ *
++ * The first opportunity to induce pinning occurs here where we attempt to
++ * attach the group to existing containers within the AddressSpace. If any
++ * pages are already zapped from the virtual address space, such as from a
++ * previous ballooning opt-in, new pinning will cause valid mappings to be
++ * re-established. Likewise, when the overall MemoryListener for a new
++ * container is registered, a replay of mappings within the AddressSpace
++ * will occur, re-establishing any previously zapped pages as well.
++ *
++ * NB. Balloon inhibiting does not currently block operation of the
++ * balloon driver or revoke previously pinned pages, it only prevents
++ * calling madvise to modify the virtual mapping of ballooned pages.
++ */
++ qemu_balloon_inhibit(true);
++
+ QLIST_FOREACH(container, &container_list, next) {
+ if (!ioctl(group->fd, VFIO_GROUP_SET_CONTAINER, &container->fd)) {
+ group->container = container;
+@@ -3678,6 +3706,7 @@ static int vfio_connect_container(VFIOGroup *group)
+ fd = qemu_open("/dev/vfio/vfio", O_RDWR);
+ if (fd < 0) {
+ error_report("vfio: failed to open /dev/vfio/vfio: %m");
++ qemu_balloon_inhibit(false);
+ return -errno;
+ }
+
+@@ -3686,6 +3715,7 @@ static int vfio_connect_container(VFIOGroup *group)
+ error_report("vfio: supported vfio version: %d, "
+ "reported version: %d", VFIO_API_VERSION, ret);
+ close(fd);
++ qemu_balloon_inhibit(false);
+ return -EINVAL;
+ }
+
+@@ -3701,6 +3731,7 @@ static int vfio_connect_container(VFIOGroup *group)
+ error_report("vfio: failed to set group container: %m");
+ g_free(container);
+ close(fd);
++ qemu_balloon_inhibit(false);
+ return -errno;
+ }
+
+@@ -3710,6 +3741,7 @@ static int vfio_connect_container(VFIOGroup *group)
+ error_report("vfio: failed to set iommu for container: %m");
+ g_free(container);
+ close(fd);
++ qemu_balloon_inhibit(false);
+ return -errno;
+ }
+
+@@ -3724,6 +3756,7 @@ static int vfio_connect_container(VFIOGroup *group)
+ vfio_listener_release(container);
+ g_free(container);
+ close(fd);
++ qemu_balloon_inhibit(false);
+ error_report("vfio: memory listener initialization failed for container\n");
+ return ret;
+ }
+@@ -3734,6 +3767,7 @@ static int vfio_connect_container(VFIOGroup *group)
+ error_report("vfio: No available IOMMU models");
+ g_free(container);
+ close(fd);
++ qemu_balloon_inhibit(false);
+ return -EINVAL;
+ }
+
+@@ -3834,6 +3868,7 @@ static void vfio_put_group(VFIOGroup *group)
+ return;
+ }
+
++ qemu_balloon_inhibit(false);
+ vfio_kvm_device_del_group(group);
+ vfio_disconnect_container(group);
+ QLIST_REMOVE(group, next);
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-vfio-pci-Lazy-PBA-emulation.patch b/SOURCES/kvm-vfio-pci-Lazy-PBA-emulation.patch
new file mode 100644
index 0000000..a009b88
--- /dev/null
+++ b/SOURCES/kvm-vfio-pci-Lazy-PBA-emulation.patch
@@ -0,0 +1,163 @@
+From 1cdac7e143db48d28605da1feb85a229197d9692 Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Mon, 18 Mar 2019 19:41:40 +0100
+Subject: [PATCH 2/3] vfio/pci: Lazy PBA emulation
+
+RH-Author: Alex Williamson <alex.williamson@redhat.com>
+Message-id: <155293738623.17152.7817154338901863813.stgit@gimli.home>
+Patchwork-id: 84905
+O-Subject: [RHEL7.7 qemu-kvm PATCH] vfio/pci: Lazy PBA emulation
+Bugzilla: 1459077
+RH-Acked-by: Auger Eric <eric.auger@redhat.com>
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Cornelia Huck <cohuck@redhat.com>
+
+Bugzilla: 1459077
+Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=20652144
+
+Notes: Intel's Omnipath card seems to depend on direct access to the
+ MSI-X PBA, when it's emulated the driver in the guest will
+ report:
+
+ hfi1_0: Interrupt registers not properly mapped by VMM
+
+ The patch here disables the PBA memory region except when
+ vectors are masked, which is essentially never, and therefore
+ provides that direct access. Tested against an "Omni-Path
+ HFI Silicon 100 Series" card as well as regression tested
+ against a Intel 82576 PF and VF, both of which also use MSI-X.
+
+The PCI spec recommends devices use additional alignment for MSI-X
+data structures to allow software to map them to separate processor
+pages. One advantage of doing this is that we can emulate those data
+structures without a significant performance impact to the operation
+of the device. Some devices fail to implement that suggestion and
+assigned device performance suffers.
+
+One such case of this is a Mellanox MT27500 series, ConnectX-3 VF,
+where the MSI-X vector table and PBA are aligned on separate 4K
+pages. If PBA emulation is enabled, performance suffers. It's not
+clear how much value we get from PBA emulation, but the solution here
+is to only lazily enable the emulated PBA when a masked MSI-X vector
+fires. We then attempt to more aggresively disable the PBA memory
+region any time a vector is unmasked. The expectation is then that
+a typical VM will run entirely with PBA emulation disabled, and only
+when used is that emulation re-enabled.
+
+Reported-by: Shyam Kaushik <shyam.kaushik@gmail.com>
+Tested-by: Shyam Kaushik <shyam.kaushik@gmail.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+(cherry picked from 95239e162518dc6577164be3d9a789aba7f591a3)
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/misc/vfio.c | 40 ++++++++++++++++++++++++++++++++++++++++
+ trace-events | 2 ++
+ 2 files changed, 42 insertions(+)
+
+diff --git a/hw/misc/vfio.c b/hw/misc/vfio.c
+index f7360bf..781acd9 100644
+--- a/hw/misc/vfio.c
++++ b/hw/misc/vfio.c
+@@ -190,6 +190,7 @@ typedef struct VFIOMSIXInfo {
+ uint32_t pba_offset;
+ MemoryRegion mmap_mem;
+ void *mmap;
++ unsigned long *pending;
+ } VFIOMSIXInfo;
+
+ typedef struct VFIODeviceOps VFIODeviceOps;
+@@ -691,6 +692,13 @@ static void vfio_msi_interrupt(void *opaque)
+ #endif
+
+ if (vdev->interrupt == VFIO_INT_MSIX) {
++ /* A masked vector firing needs to use the PBA, enable it */
++ if (msix_is_masked(&vdev->pdev, nr)) {
++ set_bit(nr, vdev->msix->pending);
++ memory_region_set_enabled(&vdev->pdev.msix_pba_mmio, true);
++ trace_vfio_msix_pba_enable(vdev->vbasedev.name);
++ }
++
+ msix_notify(&vdev->pdev, nr);
+ } else if (vdev->interrupt == VFIO_INT_MSI) {
+ msi_notify(&vdev->pdev, nr);
+@@ -866,6 +874,14 @@ static int vfio_msix_vector_do_use(PCIDevice *pdev, unsigned int nr,
+ }
+ }
+
++ /* Disable PBA emulation when nothing more is pending. */
++ clear_bit(nr, vdev->msix->pending);
++ if (find_first_bit(vdev->msix->pending,
++ vdev->nr_vectors) == vdev->nr_vectors) {
++ memory_region_set_enabled(&vdev->pdev.msix_pba_mmio, false);
++ trace_vfio_msix_pba_disable(vdev->vbasedev.name);
++ }
++
+ return 0;
+ }
+
+@@ -1070,6 +1086,9 @@ static void vfio_disable_msix(VFIOPCIDevice *vdev)
+
+ vfio_disable_msi_common(vdev);
+
++ memset(vdev->msix->pending, 0,
++ BITS_TO_LONGS(vdev->msix->entries) * sizeof(unsigned long));
++
+ DPRINTF("%s(%s)\n", __func__, vdev->vbasedev.name);
+ }
+
+@@ -2561,6 +2580,8 @@ static int vfio_setup_msix(VFIOPCIDevice *vdev, int pos)
+ {
+ int ret;
+
++ vdev->msix->pending = g_malloc0(BITS_TO_LONGS(vdev->msix->entries) *
++ sizeof(unsigned long));
+ ret = msix_init(&vdev->pdev, vdev->msix->entries,
+ vdev->bars[vdev->msix->table_bar].region.mem,
+ vdev->msix->table_bar, vdev->msix->table_offset,
+@@ -2574,6 +2595,24 @@ static int vfio_setup_msix(VFIOPCIDevice *vdev, int pos)
+ return ret;
+ }
+
++ /*
++ * The PCI spec suggests that devices provide additional alignment for
++ * MSI-X structures and avoid overlapping non-MSI-X related registers.
++ * For an assigned device, this hopefully means that emulation of MSI-X
++ * structures does not affect the performance of the device. If devices
++ * fail to provide that alignment, a significant performance penalty may
++ * result, for instance Mellanox MT27500 VFs:
++ * http://www.spinics.net/lists/kvm/msg125881.html
++ *
++ * The PBA is simply not that important for such a serious regression and
++ * most drivers do not appear to look at it. The solution for this is to
++ * disable the PBA MemoryRegion unless it's being used. We disable it
++ * here and only enable it if a masked vector fires through QEMU. As the
++ * vector-use notifier is called, which occurs on unmask, we test whether
++ * PBA emulation is needed and again disable if not.
++ */
++ memory_region_set_enabled(&vdev->pdev.msix_pba_mmio, false);
++
+ return 0;
+ }
+
+@@ -2585,6 +2624,7 @@ static void vfio_teardown_msi(VFIOPCIDevice *vdev)
+ msix_uninit(&vdev->pdev,
+ vdev->bars[vdev->msix->table_bar].region.mem,
+ vdev->bars[vdev->msix->pba_bar].region.mem);
++ g_free(vdev->msix->pending);
+ }
+ }
+
+diff --git a/trace-events b/trace-events
+index 7b7aad1..0fb2745 100644
+--- a/trace-events
++++ b/trace-events
+@@ -1166,3 +1166,5 @@ vfio_region_finalize(const char *name, int index) "Device %s, region %d"
+ vfio_region_mmaps_set_enabled(const char *name, bool enabled) "Region %s mmaps enabled: %d"
+ vfio_region_sparse_mmap_header(const char *name, int index, int nr_areas) "Device %s region %d: %d sparse mmap entries"
+ vfio_region_sparse_mmap_entry(int i, unsigned long start, unsigned long end) "sparse entry %d [0x%lx - 0x%lx]"
++vfio_msix_pba_disable(const char *name) " (%s)"
++vfio_msix_pba_enable(const char *name) " (%s)"
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-x86-cpu-Enable-CLDEMOTE-Demote-Cache-Line-cpu-featur.patch b/SOURCES/kvm-x86-cpu-Enable-CLDEMOTE-Demote-Cache-Line-cpu-featur.patch
new file mode 100644
index 0000000..8404108
--- /dev/null
+++ b/SOURCES/kvm-x86-cpu-Enable-CLDEMOTE-Demote-Cache-Line-cpu-featur.patch
@@ -0,0 +1,80 @@
+From 7fa8107debfd4c659b77a8ba12b96144dfbdc113 Mon Sep 17 00:00:00 2001
+From: "plai@redhat.com" <plai@redhat.com>
+Date: Mon, 4 Feb 2019 17:29:44 +0100
+Subject: [PATCH 1/3] x86/cpu: Enable CLDEMOTE(Demote Cache Line) cpu feature
+
+RH-Author: plai@redhat.com
+Message-id: <1549301384-19698-1-git-send-email-plai@redhat.com>
+Patchwork-id: 84205
+O-Subject: [RHEL7.7 qemu-kvm PATCH BZ 1537773 RESEND] x86/cpu: Enable CLDEMOTE(Demote Cache Line) cpu feature
+Bugzilla: 1537773
+RH-Acked-by: Bandan Das <bsd@redhat.com>
+RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+From: Jingqi Liu <jingqi.liu@intel.com>
+
+The CLDEMOTE instruction hints to hardware that the cache line that
+contains the linear address should be moved("demoted") from
+the cache(s) closest to the processor core to a level more distant
+from the processor core. This may accelerate subsequent accesses
+to the line by other cores in the same coherence domain,
+especially if the line was written by the core that demotes the line.
+
+Intel Snow Ridge has added new cpu feature, CLDEMOTE.
+The new cpu feature needs to be exposed to guest VM.
+
+The bit definition:
+CPUID.(EAX=7,ECX=0):ECX[bit 25] CLDEMOTE
+
+The release document ref below link:
+https://software.intel.com/sites/default/files/managed/c5/15/\
+architecture-instruction-set-extensions-programming-reference.pdf
+
+Signed-off-by: Jingqi Liu <jingqi.liu@intel.com>
+Message-Id: <1525406253-54846-1-git-send-email-jingqi.liu@intel.com>
+Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+(cherry picked from commit 0da0fb062841d0dcd8ba47e4a989d2e952cdf0ff)
+Signed-off-by: Paul Lai <plai@redhat.com>
+
+Resolved Conflicts:
+ target/i386/cpu.c [doesn't exist]
+ changes made to target-i386/cpu.c
+ target/i386/cpu.h [doesn't exist]
+ changes made to target-i386/cpu.h
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 2 +-
+ target-i386/cpu.h | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index a36483e..c9603df 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -162,7 +162,7 @@ static const char *cpuid_7_0_ecx_feature_name[] = {
+ "avx512bitalg", NULL, "avx512-vpopcntdq", NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, "rdpid", NULL,
+- NULL, NULL, NULL, NULL,
++ NULL, "cldemote", NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ };
+
+diff --git a/target-i386/cpu.h b/target-i386/cpu.h
+index 73437f1..5d47ab8 100644
+--- a/target-i386/cpu.h
++++ b/target-i386/cpu.h
+@@ -593,6 +593,7 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS];
+ #define CPUID_7_0_ECX_AVX512BITALG (1U << 12)
+ #define CPUID_7_0_ECX_AVX512_VPOPCNTDQ (1U << 14) /* POPCNT for vectors of DW/QW */
+ #define CPUID_7_0_ECX_RDPID (1U << 22)
++#define CPUID_7_0_ECX_CLDEMOTE (1U << 25) /* CLDEMOTE Instruction */
+
+ #define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */
+ #define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation Single Precision */
+--
+1.8.3.1
+
diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec
index b7e76d5..77a527c 100644
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
@@ -76,7 +76,7 @@ Obsoletes: %1 < %{obsoletes_version} \
Summary: QEMU is a machine emulator and virtualizer
Name: %{pkgname}%{?pkgsuffix}
Version: 1.5.3
-Release: 160%{?dist}.3
+Release: 167%{?dist}
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
Epoch: 10
License: GPLv2 and GPLv2+ and CC-BY
@@ -3939,18 +3939,36 @@ Patch1940: kvm-ide-support-reporting-of-rotation-rate.patch
Patch1941: kvm-ide-avoid-referencing-NULL-dev-in-rotational-rate-se.patch
# For bz#1586253 - CVE-2018-11806 qemu-kvm: QEMU: slirp: heap buffer overflow while reassembling fragmented datagrams [rhel-7.6]
Patch1942: kvm-slirp-Correct-size-check-in-m_inc.patch
-# For bz#1664792 - mode="host-model" VMs include broken "arch-facilities" flag name [qemu-kvm] [rhel-7.6.z]
-Patch1943: kvm-i386-Deprecate-arch-facilities-and-make-it-block-liv.patch
-# For bz#1693216 - qemu-kvm: hardware: Microarchitectural Store Buffer Data Sampling [rhel-7.6.z]
-Patch1944: kvm-target-i386-define-md-clear-bit-rhel.patch
-# For bz#1669067 - CVE-2019-6778 qemu-kvm: QEMU: slirp: heap buffer overflow in tcp_emu() [rhel-7.6.z]
-Patch1945: kvm-slirp-check-sscanf-result-when-emulating-ident.patch
-# For bz#1669067 - CVE-2019-6778 qemu-kvm: QEMU: slirp: heap buffer overflow in tcp_emu() [rhel-7.6.z]
-Patch1946: kvm-slirp-fix-big-little-endian-conversion-in-ident-prot.patch
-# For bz#1669067 - CVE-2019-6778 qemu-kvm: QEMU: slirp: heap buffer overflow in tcp_emu() [rhel-7.6.z]
-Patch1947: kvm-slirp-ensure-there-is-enough-space-in-mbuf-to-null-t.patch
-# For bz#1669067 - CVE-2019-6778 qemu-kvm: QEMU: slirp: heap buffer overflow in tcp_emu() [rhel-7.6.z]
-Patch1948: kvm-slirp-don-t-manipulate-so_rcv-in-tcp_emu.patch
+# For bz#1659229 - Ballooning is incompatible with vfio assigned devices, but not prevented
+Patch1943: kvm-Inhibit-ballooning-during-postcopy.patch
+# For bz#1659229 - Ballooning is incompatible with vfio assigned devices, but not prevented
+Patch1944: kvm-balloon-Allow-multiple-inhibit-users.patch
+# For bz#1659229 - Ballooning is incompatible with vfio assigned devices, but not prevented
+Patch1945: kvm-check-KVM_CAP_SYNC_MMU-with-kvm_vm_check_extensi.patch
+# For bz#1659229 - Ballooning is incompatible with vfio assigned devices, but not prevented
+Patch1946: kvm-Use-inhibit-to-prevent-ballooning-without-synchr.patch
+# For bz#1659229 - Ballooning is incompatible with vfio assigned devices, but not prevented
+Patch1947: kvm-vfio-Inhibit-ballooning-based-on-group-attachment-to.patch
+# For bz#1658407 - mode="host-model" VMs include broken "arch-facilities" flag name [qemu-kvm]
+Patch1948: kvm-i386-Deprecate-arch-facilities-and-make-it-block-liv.patch
+# For bz#1654627 - Qemu: hw: bt: keep bt/* objects from building [rhel-7.7]
+Patch1949: kvm-Do-not-build-bluetooth-support.patch
+# For bz#1537773 - [Intel 7.7 Feat] KVM Enabling SnowRidge new NIs - qemu-kvm
+Patch1950: kvm-x86-cpu-Enable-CLDEMOTE-Demote-Cache-Line-cpu-featur.patch
+# For bz#1459077 - [Intel 7.7 Bug] QEMU version in RHEL7.4 beta does not support KVM passthrough with WFR card
+Patch1951: kvm-vfio-pci-Lazy-PBA-emulation.patch
+# For bz#1689791 - CVE-2019-9824 qemu-kvm: QEMU: Slirp: information leakage in tcp_emu() due to uninitialized stack variables [rhel-7]
+Patch1952: kvm-slirp-check-sscanf-result-when-emulating-ident.patch
+# For bz#1693217 - CVE-2018-12126 qemu-kvm: hardware: Microarchitectural Store Buffer Data Sampling [rhel-7.7]
+Patch1953: kvm-target-i386-define-md-clear-bit-rhel.patch
+# For bz#1709495 - Change CPUID[0x40000000].EAX from 0 to KVM_CPUID_FE...ATURES (0x40000001)
+Patch1954: kvm-Fix-eax-for-cpuid-leaf-0x40000000.patch
+# For bz#1669068 - CVE-2019-6778 qemu-kvm: QEMU: slirp: heap buffer overflow in tcp_emu() [rhel-7.7]
+Patch1955: kvm-slirp-fix-big-little-endian-conversion-in-ident-prot.patch
+# For bz#1669068 - CVE-2019-6778 qemu-kvm: QEMU: slirp: heap buffer overflow in tcp_emu() [rhel-7.7]
+Patch1956: kvm-slirp-ensure-there-is-enough-space-in-mbuf-to-null-t.patch
+# For bz#1669068 - CVE-2019-6778 qemu-kvm: QEMU: slirp: heap buffer overflow in tcp_emu() [rhel-7.7]
+Patch1957: kvm-slirp-don-t-manipulate-so_rcv-in-tcp_emu.patch
BuildRequires: zlib-devel
@@ -6077,6 +6095,15 @@ tar -xf %{SOURCE21}
%patch1946 -p1
%patch1947 -p1
%patch1948 -p1
+%patch1949 -p1
+%patch1950 -p1
+%patch1951 -p1
+%patch1952 -p1
+%patch1953 -p1
+%patch1954 -p1
+%patch1955 -p1
+%patch1956 -p1
+%patch1957 -p1
%build
buildarch="%{kvm_target}-softmmu"
@@ -6522,23 +6549,58 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
%{_mandir}/man8/qemu-nbd.8*
%changelog
-* Tue May 28 2019 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-160.el7_6.3
-- kvm-slirp-check-sscanf-result-when-emulating-ident.patch [bz#1669067]
-- kvm-slirp-fix-big-little-endian-conversion-in-ident-prot.patch [bz#1669067]
-- kvm-slirp-ensure-there-is-enough-space-in-mbuf-to-null-t.patch [bz#1669067]
-- kvm-slirp-don-t-manipulate-so_rcv-in-tcp_emu.patch [bz#1669067]
-- Resolves: bz#1669067
- (CVE-2019-6778 qemu-kvm: QEMU: slirp: heap buffer overflow in tcp_emu() [rhel-7.6.z])
-
-* Wed Apr 10 2019 Danilo C. L. de Paula <ddepaula@redhat.com> - 1.5.3-160.el7_6.2
-- kvm-target-i386-define-md-clear-bit-rhel.patch
-- Resolves: bz#1693216
- (qemu-kvm: hardware: Microarchitectural Store Buffer Data Sampling)
-
-* Mon Jan 14 2019 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-160.el7_6.1
-- kvm-i386-Deprecate-arch-facilities-and-make-it-block-liv.patch [bz#1664792]
-- Resolves: bz#1664792
- (mode="host-model" VMs include broken "arch-facilities" flag name [qemu-kvm] [rhel-7.6.z])
+* Wed Jun 12 2019 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-167.el7
+- Reverting kvm-seccomp-set-the-seccomp-filter-to-all-threads.patch [bz#1618503]
+- Resolves: bz#1618503
+ (qemu-kvm: Qemu: seccomp: blacklist is not applied to all threads [rhel-7])
+
+* Wed Jun 05 2019 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-166.el7
+- kvm-seccomp-set-the-seccomp-filter-to-all-threads.patch [bz#1618503]
+- Resolves: bz#1618503
+ (qemu-kvm: Qemu: seccomp: blacklist is not applied to all threads [rhel-7])
+
+* Tue May 28 2019 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-165.el7
+- kvm-Fix-eax-for-cpuid-leaf-0x40000000.patch [bz#1709495]
+- kvm-slirp-fix-big-little-endian-conversion-in-ident-prot.patch [bz#1669068]
+- kvm-slirp-ensure-there-is-enough-space-in-mbuf-to-null-t.patch [bz#1669068]
+- kvm-slirp-don-t-manipulate-so_rcv-in-tcp_emu.patch [bz#1669068]
+- Resolves: bz#1669068
+ (CVE-2019-6778 qemu-kvm: QEMU: slirp: heap buffer overflow in tcp_emu() [rhel-7.7])
+- Resolves: bz#1709495
+ (Change CPUID[0x40000000].EAX from 0 to KVM_CPUID_FE...ATURES (0x40000001))
+
+* Wed Apr 10 2019 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-164.el7
+- kvm-target-i386-define-md-clear-bit-rhel.patch [bz#1693217]
+- Resolves: bz#1693217
+ (CVE-2018-12126 qemu-kvm: hardware: Microarchitectural Store Buffer Data Sampling [rhel-7.7] )
+
+* Wed Apr 03 2019 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-163.el7
+- kvm-x86-cpu-Enable-CLDEMOTE-Demote-Cache-Line-cpu-featur.patch [bz#1537773]
+- kvm-vfio-pci-Lazy-PBA-emulation.patch [bz#1459077]
+- kvm-slirp-check-sscanf-result-when-emulating-ident.patch [bz#1689791]
+- Resolves: bz#1459077
+ ([Intel 7.7 Bug] QEMU version in RHEL7.4 beta does not support KVM passthrough with WFR card)
+- Resolves: bz#1537773
+ ([Intel 7.7 Feat] KVM Enabling SnowRidge new NIs - qemu-kvm)
+- Resolves: bz#1689791
+ (CVE-2019-9824 qemu-kvm: QEMU: Slirp: information leakage in tcp_emu() due to uninitialized stack variables [rhel-7])
+
+* Mon Jan 14 2019 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-162.el7
+- kvm-i386-Deprecate-arch-facilities-and-make-it-block-liv.patch [bz#1658407]
+- kvm-Do-not-build-bluetooth-support.patch [bz#1654627]
+- Resolves: bz#1654627
+ (Qemu: hw: bt: keep bt/* objects from building [rhel-7.7])
+- Resolves: bz#1658407
+ (mode="host-model" VMs include broken "arch-facilities" flag name [qemu-kvm])
+
+* Wed Jan 02 2019 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-161.el7
+- kvm-Inhibit-ballooning-during-postcopy.patch [bz#1659229]
+- kvm-balloon-Allow-multiple-inhibit-users.patch [bz#1659229]
+- kvm-check-KVM_CAP_SYNC_MMU-with-kvm_vm_check_extensi.patch [bz#1659229]
+- kvm-Use-inhibit-to-prevent-ballooning-without-synchr.patch [bz#1659229]
+- kvm-vfio-Inhibit-ballooning-based-on-group-attachment-to.patch [bz#1659229]
+- Resolves: bz#1659229
+ (Ballooning is incompatible with vfio assigned devices, but not prevented)
* Mon Aug 20 2018 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-160.el7
- kvm-scsi-disk-support-reporting-of-rotation-rate.patch [bz#1583807]