Netdev Archive on
 help / color / Atom feed
From: "Jason A. Donenfeld" <>
Cc: "Jason A. Donenfeld" <>,
Subject: [PATCH] ipv6: Properly check reference count flag before taking reference
Date: Mon, 23 Sep 2019 16:46:12 +0200
Message-ID: <> (raw)

People are reporting that WireGuard experiences erratic crashes on 5.3,
and bisected it down to 7d30a7f6424e. Casually flipping through that
commit I noticed that a flag is checked using `|` instead of `&`, which in
this current case, means that a reference is never incremented, which
would result in the use-after-free users are seeing. This commit changes
the `|` to the proper `&` test.

Fixes: 7d30a7f6424e ("Merge branch 'ipv6-avoid-taking-refcnt-on-dst-during-route-lookup'")
Signed-off-by: Jason A. Donenfeld <>
 net/ipv6/ip6_fib.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index 87f47bc55c5e..6e2af411cd9c 100644
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -318,7 +318,7 @@ struct dst_entry *fib6_rule_lookup(struct net *net, struct flowi6 *fl6,
 	if (rt->dst.error == -EAGAIN) {
 		ip6_rt_put_flags(rt, flags);
 		rt = net->ipv6.ip6_null_entry;
-		if (!(flags | RT6_LOOKUP_F_DST_NOREF))
+		if (!(flags & RT6_LOOKUP_F_DST_NOREF))

             reply index

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-09-23 14:46 Jason A. Donenfeld [this message]
2019-09-23 15:06 ` Petr Vorel
2019-09-23 15:24   ` Jason A. Donenfeld
2019-09-25 21:37   ` Eric Dumazet

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Netdev Archive on

Archives are clonable:
	git clone --mirror netdev/git/0.git
	git clone --mirror netdev/git/1.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 netdev netdev/ \
	public-inbox-index netdev

Example config snippet for mirrors

Newsgroup available over NNTP:

AGPL code for this site: git clone