netfilter: ipset: Fix forceadd evaluation path

When the forceadd option is enabled, the hash:* types should find and replace
the first entry in the bucket with the new one if there are no reuseable
(deleted or timed out) entries. However, the position index was just not set
to zero and remained the invalid -1 if there were no reuseable entries.

Reported-by: syzbot+6a86565c74ebe30aea18@syzkaller.appspotmail.com
Fixes: e95426d910b8 ("netfilter: ipset: Introduction of new commands and protocol version 7")
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>

diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h
index 71e93eac083190969a2f999078c94daa15bd4a2d..e52d7b7597a0d8f3d6cfed5d2af6544ae1ad2e5d 100644 (file)
--- a/net/netfilter/ipset/ip_set_hash_gen.h
+++ b/net/netfilter/ipset/ip_set_hash_gen.h
@@ -931,6 +931,8 @@ mtype_add(struct ip_set *set, void *value, const struct ip_set_ext *ext,
                }
        }
        if (reuse || forceadd) {
+               if (j == -1)
+                       j = 0;
                data = ahash_data(n, j, set->dsize);
                if (!deleted) {
 #ifdef IP_SET_HASH_WITH_NETS