diff --git a/net/ipv4/netfilter/ipt_CONNMARK.c b/net/ipv4/netfilter/ipt_CONNMARK.c
index ef3d21703121c0d0f9a6f4babe2669e3da597e1d..30ddd3e18eb747184b80eea693778058a85c14ec 100644
--- a/net/ipv4/netfilter/ipt_CONNMARK.c
+++ b/net/ipv4/netfilter/ipt_CONNMARK.c
@@ -60,7 +60,7 @@ target(struct sk_buff **pskb,
 		break;
 	    case IPT_CONNMARK_RESTORE:
 		nfmark = (*pskb)->nfmark;
-		diff = (ct->mark ^ nfmark & markinfo->mask);
+		diff = (ct->mark ^ nfmark) & markinfo->mask;
 		if (diff != 0) {
 		    (*pskb)->nfmark = nfmark ^ diff;
 		    (*pskb)->nfcache |= NFC_ALTERED;