From: "Jason A. Donenfeld"
To: netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: "Jason A. Donenfeld", stable@vger.kernel.org
Subject: [PATCH] ipv6: Properly check reference count flag before taking reference
Date: Mon, 23 Sep 2019 16:46:12 +0200
Message-Id: <20190923144612.29668-1-Jason@zx2c4.com>

People are reporting that WireGuard experiences erratic crashes on 5.3, and bisected it down to 7d30a7f6424e. Casually flipping through that commit I noticed that a flag is checked using `|` instead of `&`, which in this current case, means that a reference is never incremented, which would result in the use-after-free users are seeing. This commit changes the `|` to the proper `&` test.

Cc: stable@vger.kernel.org
Fixes: 7d30a7f6424e ("Merge branch 'ipv6-avoid-taking-refcnt-on-dst-during-route-lookup'")
Signed-off-by: Jason A. Donenfeld

--- net/ipv6/ip6_fib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.21.0
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c index 87f47bc55c5e..6e2af411cd9c 100644 --- a/net/ipv6/ip6_fib.c +++ b/net/ipv6/ip6_fib.c @@ -318,7 +318,7 @@ struct dst_entry *fib6_rule_lookup(struct net *net, struct flowi6 *fl6, if (rt->dst.error == -EAGAIN) { ip6_rt_put_flags(rt, flags); rt = net->ipv6.ip6_null_entry; - if (!(flags | RT6_LOOKUP_F_DST_NOREF)) + if (!(flags & RT6_LOOKUP_F_DST_NOREF)) dst_hold(&rt->dst); }
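
Review bot: The corrected test `if (!(flags & RT6_LOOKUP_F_DST_NOREF))` in the `-EAGAIN` branch is still open-coded, while the release two lines above it goes through `ip6_rt_put_flags(rt, flags)`; that asymmetry is where the `|` slipped in. Consider a short comment stating that `net->ipv6.ip6_null_entry` needs `dst_hold()` only when the caller did not pass the NOREF flag, or a small hold-side helper that takes `flags` (a suggested helper, not an existing function) so the flag test lives in one place. For the record, with a nonzero flag constant `!(flags | RT6_LOOKUP_F_DST_NOREF)` is always false, so `dst_hold(&rt->dst)` was unreachable, which matches the never-incremented reference described in the commit message. Separately, the Fixes: tag names a merge commit; pointing it at the single commit inside that merge that introduced this line would make the stable backport easier to scope.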