* KASAN: use-after-free Read in cipso_v4_genopt
@ 2021-03-02 11:01 syzbot
  2021-03-02 11:03 ` Dmitry Vyukov
  2021-03-02 19:25 ` syzbot
  0 siblings, 2 replies; 7+ messages in thread
From: syzbot @ 2021-03-02 11:01 UTC (permalink / raw)
  To: davem, dsahern, kuba, linux-kernel, linux-security-module,
	netdev, paul, syzkaller-bugs, yoshfuji

Hello,

syzbot found the following issue on:

HEAD commit:    5695e516 Merge tag 'io_uring-worker.v3-2021-02-25' of git:..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=168c27f2d00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e33ab2de74f48295
dashboard link: https://syzkaller.appspot.com/bug?extid=9ec037722d2603a9f52e
compiler:       Debian clang version 11.0.1-2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9ec037722d2603a9f52e@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in cipso_v4_genopt+0x1078/0x1700 net/ipv4/cipso_ipv4.c:1784
Read of size 1 at addr ffff888017bba510 by task kworker/1:3/4821

CPU: 1 PID: 4821 Comm: kworker/1:3 Not tainted 5.11.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events p9_write_work
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x125/0x19e lib/dump_stack.c:120
 print_address_description+0x5f/0x3a0 mm/kasan/report.c:232
 __kasan_report mm/kasan/report.c:399 [inline]
 kasan_report+0x15e/0x210 mm/kasan/report.c:416
 cipso_v4_genopt+0x1078/0x1700 net/ipv4/cipso_ipv4.c:1784
 cipso_v4_sock_setattr+0x7c/0x460 net/ipv4/cipso_ipv4.c:1866
 netlbl_sock_setattr+0x28e/0x2f0 net/netlabel/netlabel_kapi.c:995
 smack_netlbl_add security/smack/smack_lsm.c:2404 [inline]
 smack_socket_post_create+0x13b/0x280 security/smack/smack_lsm.c:2774
 security_socket_post_create+0x6f/0xd0 security/security.c:2122
 __sock_create+0x62f/0x8c0 net/socket.c:1424
 udp_sock_create4+0x73/0x5f0 net/ipv4/udp_tunnel_core.c:20
 udp_sock_create include/net/udp_tunnel.h:59 [inline]
 rxrpc_open_socket net/rxrpc/local_object.c:129 [inline]
 rxrpc_lookup_local+0xd54/0x14d0 net/rxrpc/local_object.c:226
 rxrpc_sendmsg+0x481/0x8a0 net/rxrpc/af_rxrpc.c:541
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg net/socket.c:674 [inline]
 sock_write_iter+0x31a/0x470 net/socket.c:1001
 __kernel_write+0x52c/0x990 fs/read_write.c:550
 kernel_write+0x63/0x80 fs/read_write.c:579
 p9_fd_write net/9p/trans_fd.c:430 [inline]
 p9_write_work+0x5ed/0xd20 net/9p/trans_fd.c:481
 process_one_work+0x789/0xfd0 kernel/workqueue.c:2275
 worker_thread+0xac1/0x1300 kernel/workqueue.c:2421
 kthread+0x39a/0x3c0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Allocated by task 4802:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:427 [inline]
 ____kasan_kmalloc+0xc2/0xf0 mm/kasan/common.c:506
 kasan_kmalloc include/linux/kasan.h:233 [inline]
 __kmalloc+0xb4/0x370 mm/slub.c:4055
 kmalloc include/linux/slab.h:559 [inline]
 kzalloc include/linux/slab.h:684 [inline]
 tomoyo_encode2+0x25a/0x560 security/tomoyo/realpath.c:45
 tomoyo_encode security/tomoyo/realpath.c:80 [inline]
 tomoyo_realpath_from_path+0x5c3/0x610 security/tomoyo/realpath.c:288
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_perm+0x191/0x570 security/tomoyo/file.c:822
 security_inode_getattr+0xc0/0x140 security/security.c:1288
 vfs_getattr fs/stat.c:131 [inline]
 vfs_statx+0xe8/0x320 fs/stat.c:199
 vfs_fstatat fs/stat.c:217 [inline]
 vfs_lstat include/linux/fs.h:3240 [inline]
 __do_sys_newlstat fs/stat.c:372 [inline]
 __se_sys_newlstat fs/stat.c:366 [inline]
 __x64_sys_newlstat+0x81/0xd0 fs/stat.c:366
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 4802:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x3d/0x70 mm/kasan/common.c:46
 kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:357
 ____kasan_slab_free+0x100/0x140 mm/kasan/common.c:360
 kasan_slab_free include/linux/kasan.h:199 [inline]
 slab_free_hook mm/slub.c:1562 [inline]
 slab_free_freelist_hook+0x13a/0x200 mm/slub.c:1600
 slab_free mm/slub.c:3161 [inline]
 kfree+0xcf/0x2b0 mm/slub.c:4213
 tomoyo_path_perm+0x447/0x570 security/tomoyo/file.c:842
 security_inode_getattr+0xc0/0x140 security/security.c:1288
 vfs_getattr fs/stat.c:131 [inline]
 vfs_statx+0xe8/0x320 fs/stat.c:199
 vfs_fstatat fs/stat.c:217 [inline]
 vfs_lstat include/linux/fs.h:3240 [inline]
 __do_sys_newlstat fs/stat.c:372 [inline]
 __se_sys_newlstat fs/stat.c:366 [inline]
 __x64_sys_newlstat+0x81/0xd0 fs/stat.c:366
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Last potentially related work creation:
 kasan_save_stack+0x27/0x50 mm/kasan/common.c:38
 kasan_record_aux_stack+0xee/0x120 mm/kasan/generic.c:345
 __call_rcu kernel/rcu/tree.c:3039 [inline]
 call_rcu+0x12f/0x8a0 kernel/rcu/tree.c:3114
 cipso_v4_doi_remove+0x2e2/0x310 net/ipv4/cipso_ipv4.c:531
 netlbl_cipsov4_remove+0x219/0x390 net/netlabel/netlabel_cipso_v4.c:715
 genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]
 genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
 genl_rcv_msg+0xe4e/0x1280 net/netlink/genetlink.c:800
 netlink_rcv_skb+0x190/0x3a0 net/netlink/af_netlink.c:2502
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x786/0x940 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x9ae/0xd50 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg net/socket.c:674 [inline]
 ____sys_sendmsg+0x519/0x800 net/socket.c:2350
 ___sys_sendmsg net/socket.c:2404 [inline]
 __sys_sendmsg+0x2bf/0x370 net/socket.c:2433
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff888017bba500
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 16 bytes inside of
 64-byte region [ffff888017bba500, ffff888017bba540)
The buggy address belongs to the page:
page:000000004f188e85 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x17bba
flags: 0xfff00000000200(slab)
raw: 00fff00000000200 dead000000000100 dead000000000122 ffff888010841640
raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888017bba400: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
 ffff888017bba480: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
>ffff888017bba500: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                         ^
 ffff888017bba580: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
 ffff888017bba600: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: KASAN: use-after-free Read in cipso_v4_genopt
  2021-03-02 11:01 KASAN: use-after-free Read in cipso_v4_genopt syzbot
@ 2021-03-02 11:03 ` Dmitry Vyukov
  2021-03-02 16:10   ` Paul Moore
  2021-03-02 19:25 ` syzbot
  1 sibling, 1 reply; 7+ messages in thread
From: Dmitry Vyukov @ 2021-03-02 11:03 UTC (permalink / raw)
  To: syzbot
  Cc: David Miller, dsahern, Jakub Kicinski, LKML,
	linux-security-module, netdev, Paul Moore, syzkaller-bugs,
	Hideaki YOSHIFUJI

On Tue, Mar 2, 2021 at 12:01 PM syzbot
<syzbot+9ec037722d2603a9f52e@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    5695e516 Merge tag 'io_uring-worker.v3-2021-02-25' of git:..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=168c27f2d00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=e33ab2de74f48295
> dashboard link: https://syzkaller.appspot.com/bug?extid=9ec037722d2603a9f52e
> compiler:       Debian clang version 11.0.1-2
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+9ec037722d2603a9f52e@syzkaller.appspotmail.com
>
> ...


Besides these 2 crashes, we've also seen one on a 4.19-based kernel, see below.
Based on the reports with mismatching stacks, it looks like
cipso_v4_genopt is doing some kind of wild pointer access (uninit
pointer?).


netlink: 'syz-executor.0': attribute type 4 has an invalid length.
==================================================================
BUG: KASAN: use-after-free in cipso_v4_genopt.part.0.constprop.0+0x11f3/0x1400 net/ipv4/cipso_ipv4.c:1795
Read of size 1 at addr ffff8881f41bb790 by task syz-executor.1/7116

CPU: 0 PID: 7116 Comm: syz-executor.1 Not tainted 4.19.121-syzkaller-00217-g3b679299c55f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x10d/0x199 lib/dump_stack.c:118
 print_address_description.cold+0x54/0x204 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.part.0.cold+0x187/0x2db mm/kasan/report.c:412
 cipso_v4_genopt.part.0.constprop.0+0x11f3/0x1400 net/ipv4/cipso_ipv4.c:1795
 cipso_v4_genopt net/ipv4/cipso_ipv4.c:1786 [inline]
 cipso_v4_sock_setattr+0x7b/0x450 net/ipv4/cipso_ipv4.c:1877
 netlbl_sock_setattr+0x1cd/0x2a0 net/netlabel/netlabel_kapi.c:1003
 smack_netlabel+0x13a/0x180 security/smack/smack_lsm.c:2511
 smack_socket_post_create security/smack/smack_lsm.c:2852 [inline]
 smack_socket_post_create+0xd0/0x190 security/smack/smack_lsm.c:2830
 security_socket_post_create+0x69/0xc0 security/security.c:1381
 __sock_create+0x5ba/0x740 net/socket.c:1292
 sock_create net/socket.c:1316 [inline]
 __sys_socket+0xf4/0x200 net/socket.c:1346
 __do_sys_socket net/socket.c:1355 [inline]
 __se_sys_socket net/socket.c:1353 [inline]
 __x64_sys_socket+0x74/0xb0 net/socket.c:1353
 do_syscall_64+0xbc/0x130 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x465ef9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4fc3392188 EFLAGS: 00000246 ORIG_RAX: 0000000000000029
RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 0000000000465ef9
RDX: 0000000000000002 RSI: 0000000000000003 RDI: 0000040000000002
RBP: 00000000004bd8bc R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60
R13: 00007ffdccf28b3f R14: 00007f4fc3392300 R15: 0000000000022000

Allocated by task 397:
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc2/0xe0 mm/kasan/kasan.c:553
 kmem_cache_alloc_node_trace+0x129/0x210 mm/slub.c:2769
 kmalloc_node include/linux/slab.h:553 [inline]
 kzalloc_node include/linux/slab.h:720 [inline]
 __get_vm_area_node+0x12d/0x3b0 mm/vmalloc.c:1394
 __vmalloc_node_range mm/vmalloc.c:1748 [inline]
 __vmalloc_node mm/vmalloc.c:1804 [inline]
 __vmalloc_node_flags mm/vmalloc.c:1818 [inline]
 vzalloc+0xeb/0x1a0 mm/vmalloc.c:1857
 do_ipt_get_ctl+0x4f2/0x8e0 net/ipv4/netfilter/ip_tables.c:803
 nf_sockopt net/netfilter/nf_sockopt.c:104 [inline]
 nf_getsockopt+0x77/0xd0 net/netfilter/nf_sockopt.c:122
 ip_getsockopt net/ipv4/ip_sockglue.c:1574 [inline]
 ip_getsockopt+0x16c/0x1c0 net/ipv4/ip_sockglue.c:1554
 tcp_getsockopt+0x8b/0xd0 net/ipv4/tcp.c:3605
 __sys_getsockopt+0x13a/0x220 net/socket.c:1938
 __do_sys_getsockopt net/socket.c:1949 [inline]
 __se_sys_getsockopt net/socket.c:1946 [inline]
 __x64_sys_getsockopt+0xbf/0x160 net/socket.c:1946
 do_syscall_64+0xbc/0x130 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 397:
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11f/0x160 mm/kasan/kasan.c:521
 slab_free_hook mm/slub.c:1371 [inline]
 slab_free_freelist_hook+0x5a/0x110 mm/slub.c:1398
 slab_free mm/slub.c:2963 [inline]
 kfree+0xc7/0x2a0 mm/slub.c:3928
 __vunmap+0x3da/0x550 mm/vmalloc.c:1537
 vfree+0x6a/0x100 mm/vmalloc.c:1598
 copy_entries_to_user net/ipv4/netfilter/ip_tables.c:870 [inline]
 get_entries net/ipv4/netfilter/ip_tables.c:1027 [inline]
 do_ipt_get_ctl+0x6ed/0x8e0 net/ipv4/netfilter/ip_tables.c:1703
 nf_sockopt net/netfilter/nf_sockopt.c:104 [inline]
 nf_getsockopt+0x77/0xd0 net/netfilter/nf_sockopt.c:122
 ip_getsockopt net/ipv4/ip_sockglue.c:1574 [inline]
 ip_getsockopt+0x16c/0x1c0 net/ipv4/ip_sockglue.c:1554
 tcp_getsockopt+0x8b/0xd0 net/ipv4/tcp.c:3605
 __sys_getsockopt+0x13a/0x220 net/socket.c:1938
 __do_sys_getsockopt net/socket.c:1949 [inline]
 __se_sys_getsockopt net/socket.c:1946 [inline]
 __x64_sys_getsockopt+0xbf/0x160 net/socket.c:1946
 do_syscall_64+0xbc/0x130 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8881f41bb780
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 16 bytes inside of
 64-byte region [ffff8881f41bb780, ffff8881f41bb7c0)
The buggy address belongs to the page:
page:ffffea0007d06ec0 count:1 mapcount:0 mapping:ffff8881f6c03600 index:0x0
flags: 0x200000000000100(slab)
raw: 0200000000000100 dead000000000100 dead000000000200 ffff8881f6c03600
raw: 0000000000000000 00000000002a002a 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881f41bb680: 00 fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff8881f41bb700: fc fc fc fc 00 00 00 00 00 fc fc fc fc fc fc fc
>ffff8881f41bb780: fb fb fb fb fb fb fb fb fc fc fc fc 00 00 00 00
                         ^
 ffff8881f41bb800: 00 00 fc fc fc fc fc fc 00 00 00 00 00 00 fc fc
 ffff8881f41bb880: fc fc fc fc 00 00 00 00 00 00 fc fc fc fc fc fc
==================================================================


* Re: KASAN: use-after-free Read in cipso_v4_genopt
  2021-03-02 11:03 ` Dmitry Vyukov
@ 2021-03-02 16:10   ` Paul Moore
  2021-03-02 19:14     ` Dmitry Vyukov
  0 siblings, 1 reply; 7+ messages in thread
From: Paul Moore @ 2021-03-02 16:10 UTC (permalink / raw)
  To: Dmitry Vyukov
  Cc: syzbot, David Miller, dsahern, Jakub Kicinski, LKML,
	linux-security-module, netdev, syzkaller-bugs, Hideaki YOSHIFUJI

On Tue, Mar 2, 2021 at 6:03 AM Dmitry Vyukov <dvyukov@google.com> wrote:
>

...

> Besides these 2 crashes, we've also seen one on a 4.19 based kernel, see below.
> Based on the reports with mismatching stacks, it looks like
> cipso_v4_genopt is doing some kind of wild pointer access (uninit
> pointer?).

Hmm, interesting.  Looking quickly at the stack dump, it appears that
the problem occurs (at least in the recent kernel) when accessing the
cipso_v4_doi.tags[] array which is embedded in the cipso_v4_doi
struct.  Based on the code in cipso_v4_genopt() it doesn't appear that
we are shooting past the end of the array/struct and the cipso_v4_doi
struct appears to be refcounted correctly in cipso_v4_doi_getdef() and
cipso_v4_doi_putdef().  I'll look at it some more today to see if
something jumps out at me, but obviously a reproducer would be very
helpful if you are able to find one.

It's also worth adding that this code really hasn't changed much in a
*long* time, not that this means it isn't broken, just that it might
also be worth looking at other odd memory bugs to see if there is a
chance they are wandering around and stomping on memory ...

-- 
paul moore
www.paul-moore.com


* Re: KASAN: use-after-free Read in cipso_v4_genopt
  2021-03-02 16:10   ` Paul Moore
@ 2021-03-02 19:14     ` Dmitry Vyukov
  2021-03-03  0:13       ` Paul Moore
  0 siblings, 1 reply; 7+ messages in thread
From: Dmitry Vyukov @ 2021-03-02 19:14 UTC (permalink / raw)
  To: Paul Moore
  Cc: syzbot, David Miller, dsahern, Jakub Kicinski, LKML,
	linux-security-module, netdev, syzkaller-bugs, Hideaki YOSHIFUJI

On Tue, Mar 2, 2021 at 5:10 PM Paul Moore <paul@paul-moore.com> wrote:
>
> On Tue, Mar 2, 2021 at 6:03 AM Dmitry Vyukov <dvyukov@google.com> wrote:
> >
>
> ...
>
> > Besides these 2 crashes, we've also seen one on a 4.19 based kernel, see below.
> > Based on the reports with mismatching stacks, it looks like
> > cipso_v4_genopt is doing some kind of wild pointer access (uninit
> > pointer?).
>
> Hmm, interesting.  Looking quickly at the stack dump, it appears that
> the problem occurs (at least in the recent kernel) when accessing the
> cipso_v4_doi.tags[] array which is embedded in the cipso_v4_doi
> struct.  Based on the code in cipso_v4_genopt() it doesn't appear that
> we are shooting past the end of the array/struct and the cipso_v4_doi
> struct appears to be refcounted correctly in cipso_v4_doi_getdef() and
> cipso_v4_doi_putdef().  I'll look at it some more today to see if
> something jumps out at me, but obviously a reproducer would be very
> helpful if you are able to find one.
>
> It's also worth adding that this code really hasn't changed much in a
> *long* time, not that this means it isn't broken, just that it might
> also be worth looking at other odd memory bugs to see if there is
> chance they are wandering around and stomping on memory ...

Not sure if it's the root cause or not, but I am looking at this
reference drop in cipso_v4_doi_remove:
https://elixir.bootlin.com/linux/v5.12-rc1/source/net/ipv4/cipso_ipv4.c#L522
The thing is that it does not remove from the list if the reference is not
0, right? So what if I send 1000 netlink remove messages? Will it
drain the refcount to 0?
I did not read all involved code, but the typical pattern is to drop the
refcount and always remove from the list. Then the last use will
delete the object.
Does it make any sense?

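The two removal patterns discussed in the thread (Paul's note that cipso_v4_doi_getdef()/cipso_v4_doi_putdef() look correctly refcounted, and Dmitry's observation that cipso_v4_doi_remove() drops a reference on every request but only unlinks the entry when the count reaches zero), as an added example that is not kernel code and not from the thread. It is a single-threaded user-space C model with hypothetical names (doi_entry, doi_remove_conditional, doi_remove_unlink_first, run_*); the "free" is simulated with a flag so that the final read is well-defined C rather than a real use-after-free, and the one-entry list and tag value are constructed. The scenario is the one the later reproducer exercises: a socket-creation path holds a getdef() reference while an administrator sends NLBL_CIPSOV4_C_REMOVE twice for the same DOI.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for struct cipso_v4_doi (names are assumptions). */
struct doi_entry {
    unsigned int doi;
    int refcount;          /* models refcount_t; the list itself holds one reference */
    int in_list;           /* 1 while reachable through the DOI list */
    int freed;             /* set instead of calling free(), so later reads stay defined */
    unsigned char tags[8]; /* the field cipso_v4_genopt() reads on the real object */
};

struct outcome {
    int rc1, rc2;          /* return codes of the two remove requests */
    int uaf;               /* 1 if the held pointer refers to a "freed" object */
    int freed_after_put;   /* 1 if the object is freed once the holder lets go */
};

static struct doi_entry g_slot;   /* storage for the single entry */
static struct doi_entry *g_list;  /* one-entry "list"; NULL when empty */

static void doi_add(unsigned int doi) {
    memset(&g_slot, 0, sizeof g_slot);
    g_slot.doi = doi;
    g_slot.refcount = 1;          /* the list's own reference */
    g_slot.in_list = 1;
    g_slot.tags[0] = 1;           /* constructed tag value */
    g_list = &g_slot;
}

static struct doi_entry *doi_search(unsigned int doi) {
    return (g_list && g_list->in_list && g_list->doi == doi) ? g_list : NULL;
}

/* Simulated free: mark the object and make it unreachable. */
static void doi_free(struct doi_entry *e) { e->freed = 1; e->in_list = 0; g_list = NULL; }

/* Lookup that takes a reference, like cipso_v4_doi_getdef(). */
static struct doi_entry *doi_getdef(unsigned int doi) {
    struct doi_entry *e = doi_search(doi);
    if (e) e->refcount++;
    return e;
}

/* Drop a reference; the last one frees, like cipso_v4_doi_putdef(). */
static void doi_putdef(struct doi_entry *e) { if (--e->refcount == 0) doi_free(e); }

/* Pattern A, as the thread describes cipso_v4_doi_remove(): every remove
 * request drops one reference, but the entry is unlinked only when the
 * count reaches zero, so a -EBUSY entry stays findable with one ref fewer. */
static int doi_remove_conditional(unsigned int doi) {
    struct doi_entry *e = doi_search(doi);
    if (!e)
        return -ENOENT;
    if (--e->refcount != 0)
        return -EBUSY;
    doi_free(e);
    return 0;
}

/* Pattern B, the usual shape Dmitry points to: unlink first so the entry
 * cannot be found again, then drop exactly the list's reference. */
static int doi_remove_unlink_first(unsigned int doi) {
    struct doi_entry *e = doi_search(doi);
    if (!e)
        return -ENOENT;
    e->in_list = 0;
    g_list = NULL;
    doi_putdef(e);                /* whoever holds the last reference frees */
    return 0;
}

struct outcome run_conditional_remove(void) {
    struct outcome o;
    doi_add(3);
    struct doi_entry *held = doi_getdef(3);   /* refcount 2 */
    o.rc1 = doi_remove_conditional(3);        /* refcount 1, -EBUSY, still listed */
    o.rc2 = doi_remove_conditional(3);        /* refcount 0: freed under the holder */
    o.uaf = held->freed;                      /* reading held->tags[] now is the UAF */
    o.freed_after_put = held->freed;          /* putdef() would underflow; not called */
    return o;
}

struct outcome run_unlink_first_remove(void) {
    struct outcome o;
    doi_add(3);
    struct doi_entry *held = doi_getdef(3);   /* refcount 2 */
    o.rc1 = doi_remove_unlink_first(3);       /* unlinked, refcount 1 */
    o.rc2 = doi_remove_unlink_first(3);       /* -ENOENT: nothing left to drain */
    o.uaf = held->freed;                      /* 0: the holder's reference keeps it alive */
    doi_putdef(held);
    o.freed_after_put = held->freed;          /* 1: the last user frees */
    return o;
}

int main(void) {
    struct outcome a = run_conditional_remove(), b = run_unlink_first_remove();
    printf("conditional: rc1=%d rc2=%d uaf=%d\nunlink-first: rc1=%d rc2=%d uaf=%d freed_after_put=%d\n",
           a.rc1, a.rc2, a.uaf, b.rc1, b.rc2, b.uaf, b.freed_after_put);
    return 0;
}
```

With pattern A the first remove returns -EBUSY yet has already consumed a reference, so a second remove reaches zero and frees the object while the socket path still holds it; with pattern B the second remove finds nothing and the holder's own putdef() is what frees. The model is single-threaded and ignores the RCU grace period and the spinlock, which only change when the free happens, not whether the count can be drained.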

* Re: KASAN: use-after-free Read in cipso_v4_genopt
  2021-03-02 11:01 KASAN: use-after-free Read in cipso_v4_genopt syzbot
  2021-03-02 11:03 ` Dmitry Vyukov
@ 2021-03-02 19:25 ` syzbot
  2021-03-02 19:28   ` Dmitry Vyukov
  1 sibling, 1 reply; 7+ messages in thread
From: syzbot @ 2021-03-02 19:25 UTC (permalink / raw)
  To: davem, dsahern, dvyukov, kuba, linux-kernel,
	linux-security-module, netdev, paul, syzkaller-bugs, yoshfuji

syzbot has found a reproducer for the following issue on:

HEAD commit:    7a7fd0de Merge branch 'kmap-conversion-for-5.12' of git://..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13693866d00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=779a2568b654c1c6
dashboard link: https://syzkaller.appspot.com/bug?extid=9ec037722d2603a9f52e
compiler:       Debian clang version 11.0.1-2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1576737ad00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=107bdcead00000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9ec037722d2603a9f52e@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in cipso_v4_genopt+0x1078/0x1700 net/ipv4/cipso_ipv4.c:1784
Read of size 1 at addr ffff8881437d5710 by task syz-executor557/8392

CPU: 1 PID: 8392 Comm: syz-executor557 Not tainted 5.12.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x125/0x19e lib/dump_stack.c:120
 print_address_description+0x5f/0x3a0 mm/kasan/report.c:232
 __kasan_report mm/kasan/report.c:399 [inline]
 kasan_report+0x15e/0x210 mm/kasan/report.c:416
 cipso_v4_genopt+0x1078/0x1700 net/ipv4/cipso_ipv4.c:1784
 cipso_v4_sock_setattr+0x7c/0x460 net/ipv4/cipso_ipv4.c:1866
 netlbl_sock_setattr+0x28e/0x2f0 net/netlabel/netlabel_kapi.c:995
 smack_netlbl_add security/smack/smack_lsm.c:2404 [inline]
 smack_socket_post_create+0x13b/0x280 security/smack/smack_lsm.c:2774
 security_socket_post_create+0x6f/0xd0 security/security.c:2122
 __sock_create+0x62f/0x8c0 net/socket.c:1424
 sock_create net/socket.c:1459 [inline]
 __sys_socket+0xde/0x2d0 net/socket.c:1501
 __do_sys_socket net/socket.c:1510 [inline]
 __se_sys_socket net/socket.c:1508 [inline]
 __x64_sys_socket+0x76/0x80 net/socket.c:1508
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x440999
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcfe002d48 EFLAGS: 00000246 ORIG_RAX: 0000000000000029
RAX: ffffffffffffffda RBX: 000000000000b3fc RCX: 0000000000440999
RDX: 0000000000000002 RSI: 0000000000000003 RDI: 0000040000000002
RBP: 0000000000000000 R08: 00007ffcfe002ee8 R09: 00007ffcfe002ee8
R10: 0000000000000012 R11: 0000000000000246 R12: 00007ffcfe002d5c
R13: 431bde82d7b634db R14: 00000000004ae018 R15: 00000000004004a0

Allocated by task 1:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:427 [inline]
 ____kasan_kmalloc+0xc2/0xf0 mm/kasan/common.c:506
 kasan_kmalloc include/linux/kasan.h:233 [inline]
 kmem_cache_alloc_trace+0x21b/0x340 mm/slub.c:2934
 kmalloc include/linux/slab.h:554 [inline]
 smk_cipso_doi+0x1af/0x4e0 security/smack/smackfs.c:696
 init_smk_fs+0xe2/0x24e security/smack/smackfs.c:3010
 do_one_initcall+0x12b/0x310 init/main.c:1226
 do_initcall_level+0x14a/0x1f5 init/main.c:1299
 do_initcalls+0x4b/0x8c init/main.c:1315
 kernel_init_freeable+0x2e3/0x406 init/main.c:1537
 kernel_init+0xd/0x290 init/main.c:1424
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Freed by task 0:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x3d/0x70 mm/kasan/common.c:46
 kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:357
 ____kasan_slab_free+0x100/0x140 mm/kasan/common.c:360
 kasan_slab_free include/linux/kasan.h:199 [inline]
 slab_free_hook mm/slub.c:1562 [inline]
 slab_free_freelist_hook+0x13a/0x200 mm/slub.c:1600
 slab_free mm/slub.c:3161 [inline]
 kfree+0xcf/0x2b0 mm/slub.c:4213
 rcu_do_batch kernel/rcu/tree.c:2559 [inline]
 rcu_core+0x7a0/0x1220 kernel/rcu/tree.c:2794
 __do_softirq+0x318/0x714 kernel/softirq.c:345

Last potentially related work creation:
 kasan_save_stack+0x27/0x50 mm/kasan/common.c:38
 kasan_record_aux_stack+0xee/0x120 mm/kasan/generic.c:345
 __call_rcu kernel/rcu/tree.c:3039 [inline]
 call_rcu+0x12f/0x8a0 kernel/rcu/tree.c:3114
 cipso_v4_doi_remove+0x2e2/0x310 net/ipv4/cipso_ipv4.c:531
 netlbl_cipsov4_remove+0x219/0x390 net/netlabel/netlabel_cipso_v4.c:715
 genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]
 genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
 genl_rcv_msg+0xe4e/0x1280 net/netlink/genetlink.c:800
 netlink_rcv_skb+0x190/0x3a0 net/netlink/af_netlink.c:2502
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x786/0x940 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x9ae/0xd50 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg net/socket.c:674 [inline]
 ____sys_sendmsg+0x519/0x800 net/socket.c:2350
 ___sys_sendmsg net/socket.c:2404 [inline]
 __sys_sendmsg+0x2bf/0x370 net/socket.c:2433
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff8881437d5700
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 16 bytes inside of
 64-byte region [ffff8881437d5700, ffff8881437d5740)
The buggy address belongs to the page:
page:000000003e519aab refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8881437d5b00 pfn:0x1437d5
flags: 0x57ff00000000200(slab)
raw: 057ff00000000200 ffffea000511ff88 ffffea00051d0a48 ffff888010841640
raw: ffff8881437d5b00 0000000000200019 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881437d5600: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
 ffff8881437d5680: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
>ffff8881437d5700: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                         ^
 ffff8881437d5780: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
 ffff8881437d5800: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
==================================================================



* Re: KASAN: use-after-free Read in cipso_v4_genopt
  2021-03-02 19:25 ` syzbot
@ 2021-03-02 19:28   ` Dmitry Vyukov
  0 siblings, 0 replies; 7+ messages in thread
From: Dmitry Vyukov @ 2021-03-02 19:28 UTC (permalink / raw)
  To: syzbot
  Cc: David Miller, dsahern, Jakub Kicinski, LKML,
	linux-security-module, netdev, Paul Moore, syzkaller-bugs,
	Hideaki YOSHIFUJI

On Tue, Mar 2, 2021 at 8:25 PM syzbot
<syzbot+9ec037722d2603a9f52e@syzkaller.appspotmail.com> wrote:
>
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit:    7a7fd0de Merge branch 'kmap-conversion-for-5.12' of git://..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13693866d00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=779a2568b654c1c6
> dashboard link: https://syzkaller.appspot.com/bug?extid=9ec037722d2603a9f52e
> compiler:       Debian clang version 11.0.1-2
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1576737ad00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=107bdcead00000

This wasn't arranged :)
But the reproducer indeed contains NLBL_CIPSOV4_C_REMOVE and is
repeated in a loop...


> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+9ec037722d2603a9f52e@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in cipso_v4_genopt+0x1078/0x1700 net/ipv4/cipso_ipv4.c:1784
> Read of size 1 at addr ffff8881437d5710 by task syz-executor557/8392
>
> CPU: 1 PID: 8392 Comm: syz-executor557 Not tainted 5.12.0-rc1-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:79 [inline]
>  dump_stack+0x125/0x19e lib/dump_stack.c:120
>  print_address_description+0x5f/0x3a0 mm/kasan/report.c:232
>  __kasan_report mm/kasan/report.c:399 [inline]
>  kasan_report+0x15e/0x210 mm/kasan/report.c:416
>  cipso_v4_genopt+0x1078/0x1700 net/ipv4/cipso_ipv4.c:1784
>  cipso_v4_sock_setattr+0x7c/0x460 net/ipv4/cipso_ipv4.c:1866
>  netlbl_sock_setattr+0x28e/0x2f0 net/netlabel/netlabel_kapi.c:995
>  smack_netlbl_add security/smack/smack_lsm.c:2404 [inline]
>  smack_socket_post_create+0x13b/0x280 security/smack/smack_lsm.c:2774
>  security_socket_post_create+0x6f/0xd0 security/security.c:2122
>  __sock_create+0x62f/0x8c0 net/socket.c:1424
>  sock_create net/socket.c:1459 [inline]
>  __sys_socket+0xde/0x2d0 net/socket.c:1501
>  __do_sys_socket net/socket.c:1510 [inline]
>  __se_sys_socket net/socket.c:1508 [inline]
>  __x64_sys_socket+0x76/0x80 net/socket.c:1508
>  do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
>  entry_SYSCALL_64_after_hwframe+0x44/0xae
> RIP: 0033:0x440999
> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007ffcfe002d48 EFLAGS: 00000246 ORIG_RAX: 0000000000000029
> RAX: ffffffffffffffda RBX: 000000000000b3fc RCX: 0000000000440999
> RDX: 0000000000000002 RSI: 0000000000000003 RDI: 0000040000000002
> RBP: 0000000000000000 R08: 00007ffcfe002ee8 R09: 00007ffcfe002ee8
> R10: 0000000000000012 R11: 0000000000000246 R12: 00007ffcfe002d5c
> R13: 431bde82d7b634db R14: 00000000004ae018 R15: 00000000004004a0
>
> Allocated by task 1:
>  kasan_save_stack mm/kasan/common.c:38 [inline]
>  kasan_set_track mm/kasan/common.c:46 [inline]
>  set_alloc_info mm/kasan/common.c:427 [inline]
>  ____kasan_kmalloc+0xc2/0xf0 mm/kasan/common.c:506
>  kasan_kmalloc include/linux/kasan.h:233 [inline]
>  kmem_cache_alloc_trace+0x21b/0x340 mm/slub.c:2934
>  kmalloc include/linux/slab.h:554 [inline]
>  smk_cipso_doi+0x1af/0x4e0 security/smack/smackfs.c:696
>  init_smk_fs+0xe2/0x24e security/smack/smackfs.c:3010
>  do_one_initcall+0x12b/0x310 init/main.c:1226
>  do_initcall_level+0x14a/0x1f5 init/main.c:1299
>  do_initcalls+0x4b/0x8c init/main.c:1315
>  kernel_init_freeable+0x2e3/0x406 init/main.c:1537
>  kernel_init+0xd/0x290 init/main.c:1424
>  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
>
> Freed by task 0:
>  kasan_save_stack mm/kasan/common.c:38 [inline]
>  kasan_set_track+0x3d/0x70 mm/kasan/common.c:46
>  kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:357
>  ____kasan_slab_free+0x100/0x140 mm/kasan/common.c:360
>  kasan_slab_free include/linux/kasan.h:199 [inline]
>  slab_free_hook mm/slub.c:1562 [inline]
>  slab_free_freelist_hook+0x13a/0x200 mm/slub.c:1600
>  slab_free mm/slub.c:3161 [inline]
>  kfree+0xcf/0x2b0 mm/slub.c:4213
>  rcu_do_batch kernel/rcu/tree.c:2559 [inline]
>  rcu_core+0x7a0/0x1220 kernel/rcu/tree.c:2794
>  __do_softirq+0x318/0x714 kernel/softirq.c:345
>
> Last potentially related work creation:
>  kasan_save_stack+0x27/0x50 mm/kasan/common.c:38
>  kasan_record_aux_stack+0xee/0x120 mm/kasan/generic.c:345
>  __call_rcu kernel/rcu/tree.c:3039 [inline]
>  call_rcu+0x12f/0x8a0 kernel/rcu/tree.c:3114
>  cipso_v4_doi_remove+0x2e2/0x310 net/ipv4/cipso_ipv4.c:531
>  netlbl_cipsov4_remove+0x219/0x390 net/netlabel/netlabel_cipso_v4.c:715
>  genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]
>  genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
>  genl_rcv_msg+0xe4e/0x1280 net/netlink/genetlink.c:800
>  netlink_rcv_skb+0x190/0x3a0 net/netlink/af_netlink.c:2502
>  genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
>  netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
>  netlink_unicast+0x786/0x940 net/netlink/af_netlink.c:1338
>  netlink_sendmsg+0x9ae/0xd50 net/netlink/af_netlink.c:1927
>  sock_sendmsg_nosec net/socket.c:654 [inline]
>  sock_sendmsg net/socket.c:674 [inline]
>  ____sys_sendmsg+0x519/0x800 net/socket.c:2350
>  ___sys_sendmsg net/socket.c:2404 [inline]
>  __sys_sendmsg+0x2bf/0x370 net/socket.c:2433
>  do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
>  entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> The buggy address belongs to the object at ffff8881437d5700
>  which belongs to the cache kmalloc-64 of size 64
> The buggy address is located 16 bytes inside of
>  64-byte region [ffff8881437d5700, ffff8881437d5740)
> The buggy address belongs to the page:
> page:000000003e519aab refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8881437d5b00 pfn:0x1437d5
> flags: 0x57ff00000000200(slab)
> raw: 057ff00000000200 ffffea000511ff88 ffffea00051d0a48 ffff888010841640
> raw: ffff8881437d5b00 0000000000200019 00000001ffffffff 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
>  ffff8881437d5600: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
>  ffff8881437d5680: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
> >ffff8881437d5700: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>                          ^
>  ffff8881437d5780: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
>  ffff8881437d5800: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
> ==================================================================
>


* Re: KASAN: use-after-free Read in cipso_v4_genopt
  2021-03-02 19:14     ` Dmitry Vyukov
@ 2021-03-03  0:13       ` Paul Moore
  0 siblings, 0 replies; 7+ messages in thread
From: Paul Moore @ 2021-03-03  0:13 UTC (permalink / raw)
  To: Dmitry Vyukov
  Cc: syzbot, David Miller, dsahern, Jakub Kicinski, LKML,
	linux-security-module, netdev, syzkaller-bugs, Hideaki YOSHIFUJI

On Tue, Mar 2, 2021 at 2:15 PM Dmitry Vyukov <dvyukov@google.com> wrote:

...

> Not sure if it's the root cause or not, but I am looking at this
> reference drop in cipso_v4_doi_remove:
> https://elixir.bootlin.com/linux/v5.12-rc1/source/net/ipv4/cipso_ipv4.c#L522
> The thing is that it does not remove from the list if reference is not
> 0, right? So what if I send 1000 netlink remove messages? Will it
> drain refcount to 0?
> I did not read all involved code, but the typical pattern is to drop
> refcount and always remove from the list. Then the last use will
> delete the object.
> Does it make any sense?

Looking at it quickly, the logic above seems sane.  I wrote this code
a *long* time ago, so let me get my head back into it and make sure
that still holds.

-- 
paul moore
www.paul-moore.com

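The refcount-versus-unlink question Dmitry raises above, as an added example that is not part of the thread and is not kernel code. It models the two patterns he contrasts in a small user-space list: "drop a reference on every remove message and only unlink when the count reaches zero" against "unlink on the first remove and drop the list's own reference". A single user holds a reference while a burst of remove messages arrives, and the simulation reports whether the object was retired underneath that user. All names (struct doi_def, doi_remove_suspect, doi_remove_typical, simulate) and the reference/list layout are assumptions made for illustration; whether the real cipso_v4_doi_remove behaves like the first pattern is exactly what the thread leaves open.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a DOI definition; not the kernel's struct. */
struct doi_def {
	int doi;
	int refcount;   /* one ref held by the list, plus one per active user */
	int freed;      /* set instead of freeing, so a stale reader is observable */
	struct doi_def *next;
};

static struct doi_def *doi_list;

static struct doi_def *doi_lookup(int doi)
{
	for (struct doi_def *d = doi_list; d; d = d->next)
		if (d->doi == doi) return d;
	return NULL;
}

/* Unlink d if it is on the list; a no-op if it is not. */
static void doi_unlink(struct doi_def *d)
{
	for (struct doi_def **pp = &doi_list; *pp; pp = &(*pp)->next)
		if (*pp == d) { *pp = d->next; d->next = NULL; return; }
}

static struct doi_def *doi_add(int doi)
{
	struct doi_def *d = calloc(1, sizeof(*d));
	if (!d) abort();
	d->doi = doi;
	d->refcount = 1;        /* the list's own reference */
	d->next = doi_list;
	doi_list = d;
	return d;
}

/* Drop one reference; the last one retires the object. */
static void doi_put(struct doi_def *d)
{
	if (--d->refcount == 0) {
		doi_unlink(d);
		d->freed = 1;   /* the kernel would kfree() here after an RCU grace period */
	}
}

/* A user (think: a socket being labelled) takes its own reference. */
static struct doi_def *doi_get(int doi)
{
	struct doi_def *d = doi_lookup(doi);
	if (d) d->refcount++;
	return d;
}

/* Suspected pattern: each remove drops a ref but only unlinks at zero, so
 * while the object is still listed a repeated remove drops another one. */
static int doi_remove_suspect(int doi)
{
	struct doi_def *d = doi_lookup(doi);
	if (!d) return -1;
	doi_put(d);
	return 0;
}

/* Typical pattern: the first remove unlinks and drops the list's ref; later
 * removes find nothing, and whoever holds the last ref frees the object. */
static int doi_remove_typical(int doi)
{
	struct doi_def *d = doi_lookup(doi);
	if (!d) return -1;
	doi_unlink(d);
	doi_put(d);
	return 0;
}

/* One user holds a ref to DOI 3 while nremoves remove messages arrive.
 * Returns 1 if the object was retired underneath that user (the UAF). */
static int simulate(int (*remove_fn)(int), int nremoves)
{
	doi_list = NULL;
	doi_add(3);
	struct doi_def *user = doi_get(3);      /* refcount is now 2 */
	for (int i = 0; i < nremoves; i++) remove_fn(3);
	int uaf = user->freed;  /* in the kernel this read is the KASAN report */
	if (!uaf) doi_put(user);        /* a well-behaved user drops its reference */
	doi_unlink(user);
	free(user);
	return uaf;
}

int main(void)
{
	printf("suspect, 1 remove:     uaf=%d\n", simulate(doi_remove_suspect, 1));
	printf("suspect, 2 removes:    uaf=%d\n", simulate(doi_remove_suspect, 2));
	printf("typical, 1000 removes: uaf=%d\n", simulate(doi_remove_typical, 1000));
	return 0;
}
```

With the suspected pattern a single remove is harmless, but a second one finds the still-listed object and takes the user's reference with it; with the typical pattern the first remove makes the object unreachable through the list, so any number of further remove messages return "not found" and the user's own reference keeps the object alive. That is the difference a fix in cipso_v4_doi_remove would have to establish, and a reproducer that loops NLBL_CIPSOV4_C_REMOVE is the natural way to check it.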

end of thread, other threads:[~2021-03-03 11:02 UTC | newest]

Thread overview: 7+ messages
2021-03-02 11:01 KASAN: use-after-free Read in cipso_v4_genopt syzbot
2021-03-02 11:03 ` Dmitry Vyukov
2021-03-02 16:10   ` Paul Moore
2021-03-02 19:14     ` Dmitry Vyukov
2021-03-03  0:13       ` Paul Moore
2021-03-02 19:25 ` syzbot
2021-03-02 19:28   ` Dmitry Vyukov
