On Tue, Apr 10, 2018 at 01:26:29PM +0800, Stefan Hajnoczi wrote: > Commit d65026c6c62e7d9616c8ceb5a53b68bcdc050525 ("vhost: validate log > when IOTLB is enabled") introduced a regression. The logic was > originally: > > if (vq->iotlb) > return 1; > return A && B; > > After the patch the short-circuit logic for A was inverted: > > if (A || vq->iotlb) > return A; > return B; > > This patch fixes the regression by rewriting the checks in the obvious > way, no longer returning A when vq->iotlb is non-NULL (which is hard to > understand). > > Reported-by: syzbot+65a84dde0214b0387ccd@xxxxxxxxxxxxxxxxxxxxxxxxx > Cc: Jason Wang <jasowang@xxxxxxxxxx> > Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx> This patch only makes sense after patch 2/2 is applied. Otherwise the logic seems reversed below. Can you pls squash these two? > --- > drivers/vhost/vhost.c | 8 +++++--- > 1 file changed, 5 insertions(+), 3 deletions(-) > > diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c > index 5320039671b7..93fd0c75b0d8 100644 > --- a/drivers/vhost/vhost.c > +++ b/drivers/vhost/vhost.c > @@ -1244,10 +1244,12 @@ static int vq_log_access_ok(struct vhost_virtqueue *vq, > /* Caller should have vq mutex and device mutex */ > int vhost_vq_access_ok(struct vhost_virtqueue *vq) > { > - int ret = vq_log_access_ok(vq, vq->log_base); > + if (!vq_log_access_ok(vq, vq->log_base)) > + return 0; > > - if (ret || vq->iotlb) > - return ret; > + /* Access validation occurs at prefetch time with IOTLB */ > + if (vq->iotlb) > + return 1; > > return vq_access_ok(vq, vq->num, vq->desc, vq->avail, vq->used); > } > -- > 2.14.3