From 5b005652959b4d108ea8b18f7ccc25315f10fc46 Mon Sep 17 00:00:00 2001
From: Anmol Jain
Date: Wed, 11 Jun 2025 17:50:47 +0000
Subject: [PATCH] net: sched: Fix use after free in red_enqueue()
jira VULN-66495
cve CVE-2022-49921
commit-author Dan Carpenter
commit 8bdc2acd420c6f3dd1f1c78750ec989f02a1e2b9
We can't use "skb" again after passing it to qdisc_enqueue(). This is basically identical to commit 2f09707d0c97 ("sch_sfb: Also store skb len before calling child enqueue").
Fixes: d7f4f332f082 ("sch_red: update backlog as well")
Signed-off-by: Dan Carpenter
Reviewed-by: Eric Dumazet
Signed-off-by: David S. Miller
(cherry picked from commit 8bdc2acd420c6f3dd1f1c78750ec989f02a1e2b9)
Signed-off-by: Anmol Jain
---
 net/sched/sch_red.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/sched/sch_red.c b/net/sched/sch_red.c
index e4789760457a5..f6813fc28f196 100644
--- a/net/sched/sch_red.c
+++ b/net/sched/sch_red.c
@@ -62,6 +62,7 @@ static int red_enqueue(struct sk_buff *skb, struct Qdisc *sch,
 {
 struct red_sched_data *q = qdisc_priv(sch);
 struct Qdisc *child = q->qdisc;
+ unsigned int len;
 int ret;
 q->vars.qavg = red_calc_qavg(&q->parms,
@@ -97,9 +98,10 @@ static int red_enqueue(struct sk_buff *skb, struct Qdisc *sch,
 break;
 }
+ len = qdisc_pkt_len(skb);
 ret = qdisc_enqueue(skb, child, to_free);
 if (likely(ret == NET_XMIT_SUCCESS)) {
- qdisc_qstats_backlog_inc(sch, skb);
+ sch->qstats.backlog += len;
 sch->q.qlen++;
 } else if (net_xmit_drop_count(ret)) {
 q->stats.pdrop++;
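Review bot: The reason `len` is read before `qdisc_enqueue()` in the second hunk is not recorded in the code, so a later cleanup could restore `qdisc_qstats_backlog_inc(sch, skb)` and reintroduce the use after free. I would add a comment above `len = qdisc_pkt_len(skb);`, for example `/* child may free skb in qdisc_enqueue(); read its length first */`. The rest of red_enqueue() lies outside the hunk, so it is worth confirming that nothing from the `net_xmit_drop_count(ret)` branch onward dereferences `skb` after the enqueue call.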