On Thu, 2 Jul 2020 07:22:49 -0400
"Michael S. Tsirkin" <m...@redhat.com> wrote:
> On Thu, Jul 02, 2020 at 12:45:38PM +0200, Cornelia Huck wrote:
> > On Thu, 2 Jul 2020 06:16:06 -0400
> > "Michael S. Tsirkin" <m...@redhat.com> wrote:
> >
> > > On Wed, Jul 01, 2020 at 06:19:17PM +0200, Cornelia Huck wrote:
> > > > On Tue, 30 Jun 2020 09:04:38 -0400
> > > > "Michael S. Tsirkin" <m...@redhat.com> wrote:
> > > >
> > > > > On Tue, Jun 30, 2020 at 02:25:04PM +0200, Cornelia Huck wrote:
> > > >
> > > > > > What bothers me most is that you need to explicitly request a
> > > > > > device to
> > > > > > be modern-only, while that should be the default for any newly added
> > > > > > device. Hence the approach with the centralized list of device types
> > > > > > mentioned in a parallel thread. The main problem with that is that
> > > > > > the
> > > > > > proxy device starts getting realized before the virtio device with
> > > > > > its
> > > > > > id is present... I failed to find a solution so far. But I'd really
> > > > > > like an approach that can work for all transports.
> > > > >
> > > > > So how about simply validating that the device is modern only,
> > > > > unless it's one of the whitelist?
> > > >
> > > > Who would do the validation, the virtio core? How can it distinguish
> > > > between transitional and non-transitional? But maybe I'm just not
> > > > getting your idea.
> > >
> > > OK I've been thinking about two ideas, we can use them both:
> > > 1. virtio core: that can detect VIRTIO_1 being clear
> > > in virtio_validate_features.
> >
> > After feature negotiation is complete? That feels like a regression in
> > behaviour: You would be able to add a device that may not be usable
> > (and you'll only find out after the guest tried to use it), instead of
> > making sure that only a non-transitional device can be added to start
> > with.
>
> I mean, we can still have transports validate, that is point 2.
> It seems prudent to check though, since guest could be buggy
> ignoring bits that it got.
>
> > (We do not validate if the guest did not negotiate VERSION_1, but we
> > can certainly add a special case for the "guest did not accept offered
> > VERSION_1" case.)
>
> exaclty.
>
> >
> > > 2. transports: could use a core API to detect whether
> > > device can be a legacy one, to block device creation.
> >
> > That would be the best, but how do we get around the "transport does
> > not know the device type until it is too late" problem? Unless you want
> > to redo the internal interfaces.
>
> Oh. I think I am missing something.
> So I'm considering virtio_pci_device_plugged for example.
>
>
> static void virtio_pci_device_plugged(DeviceState *d, Error **errp)
> {
> VirtIOPCIProxy *proxy = VIRTIO_PCI(d);
> VirtioBusState *bus = &proxy->bus;
> bool legacy = virtio_pci_legacy(proxy);
> bool modern;
> bool modern_pio = proxy->flags & VIRTIO_PCI_FLAG_MODERN_PIO_NOTIFY;
> uint8_t *config;
> uint32_t size;
> VirtIODevice *vdev = virtio_bus_get_device(&proxy->bus);
>
> /*
>
> ..
>
> }
>
> can't we check device type here and make sure it matches the "legacy"
> flag?
It would be a change in behaviour: Currently, I can specify e.g.
-device virtio-gpu-pci,disable-legacy=off,disable-modern=true
and the code in the realize function would force it to a modern-only
device. Checking in the plugged function would cause it to fail. This
might be preferable, but could break existing command lines.
Note that ccw is different: if I specify
-device virtio-gpu-ccw,max_revision=0
it actually fails with
qemu-system-s390x: -device virtio-gpu-ccw,max_revision=0: Invalid value of
property max_rev (is 0 expected >= 1)
so moving to the plugged function would not cause a change in behaviour
from the user's point of view.
>
>
>
> > >
> > >
> > > > Also, ccw does not currently have a way to explicitly configure a
> > > > device non-transitional; the revisions can be used to fence off newer
> > > > features, going down to legacy-only, but fencing off older features is
> > > > not possible (that is only done by the device, if it has no legacy
> > > > support).
> > >
> > > I guess for ccw only option 1 works.
> > >
> >
> > Or keep it as-is, and disallow legacy for the individual device types,
> > with the validate check as a safety net during development.
>
> Problem is people cut and paste from transitional devices.
That should not be a problem for ccw (as transitional and
non-transitional are the same on the command line); moreover, people
are unlikely to set max_revision themselves (this is usually only done
by compat machines).
If changing the behaviour for pci is acceptable, we can sure move to
the plugged approach.
