From 5b005652959b4d108ea8b18f7ccc25315f10fc46 Mon Sep 17 00:00:00 2001
From: Anmol Jain <ajain@ciq.com>
Date: Wed, 11 Jun 2025 17:50:47 +0000
Subject: [PATCH] net: sched: Fix use after free in red_enqueue()

jira VULN-66495
cve CVE-2022-49921
commit-author Dan Carpenter <dan.carpenter@oracle.com>
commit 8bdc2acd420c6f3dd1f1c78750ec989f02a1e2b9

We can't use "skb" again after passing it to qdisc_enqueue().  This is
basically identical to commit 2f09707d0c97 ("sch_sfb: Also store skb
len before calling child enqueue").

Fixes: d7f4f332f082 ("sch_red: update backlog as well")
	Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
	Reviewed-by: Eric Dumazet <edumazet@google.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 8bdc2acd420c6f3dd1f1c78750ec989f02a1e2b9)
	Signed-off-by: Anmol Jain <ajain@ciq.com>
---
 net/sched/sch_red.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/sched/sch_red.c b/net/sched/sch_red.c
index e4789760457a5..f6813fc28f196 100644
--- a/net/sched/sch_red.c
+++ b/net/sched/sch_red.c
@@ -62,6 +62,7 @@ static int red_enqueue(struct sk_buff *skb, struct Qdisc *sch,
 {
 	struct red_sched_data *q = qdisc_priv(sch);
 	struct Qdisc *child = q->qdisc;
+	unsigned int len;
 	int ret;
 
 	q->vars.qavg = red_calc_qavg(&q->parms,
@@ -97,9 +98,10 @@ static int red_enqueue(struct sk_buff *skb, struct Qdisc *sch,
 		break;
 	}
 
+	len = qdisc_pkt_len(skb);
 	ret = qdisc_enqueue(skb, child, to_free);
 	if (likely(ret == NET_XMIT_SUCCESS)) {
-		qdisc_qstats_backlog_inc(sch, skb);
+		sch->qstats.backlog += len;
 		sch->q.qlen++;
 	} else if (net_xmit_drop_count(ret)) {
 		q->stats.pdrop++;