From: "Jason A. Donenfeld" To: netdev@vger.kernel.org, linux-kernel@vger.kernel.org Cc: "Jason A. Donenfeld" , stable@vger.kernel.org Subject: [PATCH] ipv6: Properly check reference count flag before taking reference Date: Mon, 23 Sep 2019 16:46:12 +0200 Message-Id: <20190923144612.29668-1-Jason@zx2c4.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org People are reporting that WireGuard experiences erratic crashes on 5.3, and bisected it down to 7d30a7f6424e. Casually flipping through that commit I noticed that a flag is checked using `|` instead of `&`, which in this current case, means that a reference is never incremented, which would result in the use-after-free users are seeing. This commit changes the `|` to the proper `&` test. Cc: stable@vger.kernel.org Fixes: 7d30a7f6424e ("Merge branch 'ipv6-avoid-taking-refcnt-on-dst-during-route-lookup'") Signed-off-by: Jason A. Donenfeld --- net/ipv6/ip6_fib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c index 87f47bc55c5e..6e2af411cd9c 100644 --- a/net/ipv6/ip6_fib.c +++ b/net/ipv6/ip6_fib.c @@ -318,7 +318,7 @@ struct dst_entry *fib6_rule_lookup(struct net *net, struct flowi6 *fl6, if (rt->dst.error == -EAGAIN) { ip6_rt_put_flags(rt, flags); rt = net->ipv6.ip6_null_entry; - if (!(flags | RT6_LOOKUP_F_DST_NOREF)) + if (!(flags & RT6_LOOKUP_F_DST_NOREF)) dst_hold(&rt->dst); } -- 2.21.0
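Review bot: On the changed test in the `rt->dst.error == -EAGAIN` branch, the `&` form is correct and now matches the `ip6_rt_put_flags(rt, flags)` call two lines above it, but the Fixes: tag names a merge commit; for stable backporting it would be more useful to reference the individual commit in that series that introduced `!(flags | RT6_LOOKUP_F_DST_NOREF)`. The commit message could also state the mechanism directly: with `|` the negated expression is always false, so `dst_hold(&rt->dst)` on `net->ipv6.ip6_null_entry` was skipped even for callers that did not pass RT6_LOOKUP_F_DST_NOREF.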