bpf: use skb_to_full_sk helper in bpf_skb_under_cgroup

We need to use skb_to_full_sk() helper introduced in commit bd5eb35 ("xfrm: take care of request sockets") as otherwise we miss tcp synack messages, since ownership is on request socket and therefore it would miss the sk_fullsock() check. Use skb_to_full_sk() as also done similarly in the bpf_get_cgroup_classid() helper via 2309236 ("cls_cgroup: get sk_classid only from full sockets") fix to not let this fall through. Fixes: 4a482f3 ("cgroup: bpf: Add bpf_skb_in_cgroup_proto") Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net>
mariux64 · Sep 23, 2016 · 2d48c5f · 2d48c5f
1 parent c14fec3
commit 2d48c5f
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/net/core/filter.c b/net/core/filter.c
@@ -2408,7 +2408,7 @@ BPF_CALL_3(bpf_skb_under_cgroup, struct sk_buff *, skb, struct bpf_map *, map,
 	struct cgroup *cgrp;
 	struct sock *sk;
 
-	sk = skb->sk;
+	sk = skb_to_full_sk(skb);
 	if (!sk || !sk_fullsock(sk))
 		return -ENOENT;
 	if (unlikely(idx >= array->map.max_entries))