On Thu, Jan 7, 2021 at 6:02 PM Julian Wiedmann <[email protected]> wrote:
>
> On 21.12.20 12:23, Jason A. Donenfeld wrote:
> > Hi Dmitry,
> >
>
> ...
>
> > fall on the border of a mapping? Is UBSAN non-deterministic as an
> > optimization? Or is there actually some mysterious UaF happening with
> > my usage of skbs that I shouldn't overlook?
> >
>
> One oddity is that wg_xmit() returns negative errnos, rather than a
> netdev_tx_t (ie. NETDEV_TX_OK or NETDEV_TX_BUSY).
>
> Any chance that the stack mis-interprets one of those custom errnos
> as NETDEV_TX_BUSY, and thus believes that it still owns the skb?

The stack trace shows the splat happening as a result of __skb_queue_tail, called from wg_xmit, not something that happens after wg_xmit returns.
