net: sched: Fix use after free in red_enqueue()

jainanmol84 · jainanmol84 · commit 1e3e706ea1ba · 2025-06-11T22:38:50.000+05:30
jira VULN-66500 cve CVE-2022-49921 commit-author Dan Carpenter <dan.carpenter@oracle.com> commit 8bdc2ac We can't use "skb" again after passing it to qdisc_enqueue(). This is basically identical to commit 2f09707 ("sch_sfb: Also store skb len before calling child enqueue"). Fixes: d7f4f33 ("sch_red: update backlog as well") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> (cherry picked from commit 8bdc2ac) Signed-off-by: Anmol Jain <ajain@ciq.com>
diff --git a/net/sched/sch_red.c b/net/sched/sch_red.c
@@ -76,6 +76,7 @@ static int red_enqueue(struct sk_buff *skb, struct Qdisc *sch,
 {
 	struct red_sched_data *q = qdisc_priv(sch);
 	struct Qdisc *child = q->qdisc;
+	unsigned int len;
 	int ret;
 
 	q->vars.qavg = red_calc_qavg(&q->parms,
@@ -130,9 +131,10 @@ static int red_enqueue(struct sk_buff *skb, struct Qdisc *sch,
 		break;
 	}
 
+	len = qdisc_pkt_len(skb);
 	ret = qdisc_enqueue(skb, child, to_free);
 	if (likely(ret == NET_XMIT_SUCCESS)) {
-		qdisc_qstats_backlog_inc(sch, skb);
+		sch->qstats.backlog += len;
 		sch->q.qlen++;
 	} else if (net_xmit_drop_count(ret)) {
 		q->stats.pdrop++;
