net: sched: Fix use after free in red_enqueue()

jira VULN-66497
cve CVE-2022-49921
commit-author Dan Carpenter <[email protected]>
commit 8bdc2ac

We can't use "skb" again after passing it to qdisc_enqueue().  This is
basically identical to commit 2f09707 ("sch_sfb: Also store skb
len before calling child enqueue").

Fixes: d7f4f33 ("sch_red: update backlog as well")
	Signed-off-by: Dan Carpenter <[email protected]>
	Reviewed-by: Eric Dumazet <[email protected]>
	Signed-off-by: David S. Miller <[email protected]>
(cherry picked from commit 8bdc2ac)
	Signed-off-by: Anmol Jain <[email protected]>

Author: jainanmol84

net/sched/sch_red.c

@@ -76,6 +76,7 @@ static int red_enqueue(struct sk_buff *skb, struct Qdisc *sch,
 {
 	struct red_sched_data *q = qdisc_priv(sch);
 	struct Qdisc *child = q->qdisc;
+	unsigned int len;
 	int ret;
 
 	q->vars.qavg = red_calc_qavg(&q->parms,
@@ -130,9 +131,10 @@ static int red_enqueue(struct sk_buff *skb, struct Qdisc *sch,
 		break;
 	}
 
+	len = qdisc_pkt_len(skb);
 	ret = qdisc_enqueue(skb, child, to_free);
 	if (likely(ret == NET_XMIT_SUCCESS)) {
-		qdisc_qstats_backlog_inc(sch, skb);
+		sch->qstats.backlog += len;
 		sch->q.qlen++;
 	} else if (net_xmit_drop_count(ret)) {
 		q->stats.pdrop++;