Patch "netfilter: nft_socket: make cgroup match work in input too" has been added to the 5.17-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 17 Apr 2022 23:57:08 -0400

This is a note to let you know that I've just added the patch titled

    netfilter: nft_socket: make cgroup match work in input too

to the 5.17-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netfilter-nft_socket-make-cgroup-match-work-in-input.patch
and it can be found in the queue-5.17 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit efc8cba749f7267bcbed35e28304554a36bdd707
Author: Florian Westphal <fw@xxxxxxxxx>
Date:   Sat Apr 9 13:20:19 2022 +0200

    netfilter: nft_socket: make cgroup match work in input too
    
    [ Upstream commit 05ae2fba821c4d122ab4ba3e52144e21586c4010 ]
    
    cgroupv2 helper function ignores the already-looked up sk
    and uses skb->sk instead.
    
    Just pass sk from the calling function instead; this will
    make cgroup matching work for udp and tcp in input even when
    edemux did not set skb->sk already.
    
    Fixes: e0bb96db96f8 ("netfilter: nft_socket: add support for cgroupsv2")
    Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
    Tested-by: Topi Miettinen <toiwoton@xxxxxxxxx>
    Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/netfilter/nft_socket.c b/net/netfilter/nft_socket.c
index d601974c9d2e..b8f011145765 100644
--- a/net/netfilter/nft_socket.c
+++ b/net/netfilter/nft_socket.c
@@ -36,12 +36,11 @@ static void nft_socket_wildcard(const struct nft_pktinfo *pkt,
 
 #ifdef CONFIG_SOCK_CGROUP_DATA
 static noinline bool
-nft_sock_get_eval_cgroupv2(u32 *dest, const struct nft_pktinfo *pkt, u32 level)
+nft_sock_get_eval_cgroupv2(u32 *dest, struct sock *sk, const struct nft_pktinfo *pkt, u32 level)
 {
-	struct sock *sk = skb_to_full_sk(pkt->skb);
 	struct cgroup *cgrp;
 
-	if (!sk || !sk_fullsock(sk) || !net_eq(nft_net(pkt), sock_net(sk)))
+	if (!sk_fullsock(sk))
 		return false;
 
 	cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
@@ -108,7 +107,7 @@ static void nft_socket_eval(const struct nft_expr *expr,
 		break;
 #ifdef CONFIG_SOCK_CGROUP_DATA
 	case NFT_SOCKET_CGROUPV2:
-		if (!nft_sock_get_eval_cgroupv2(dest, pkt, priv->level)) {
+		if (!nft_sock_get_eval_cgroupv2(dest, sk, pkt, priv->level)) {
 			regs->verdict.code = NFT_BREAK;
 			return;
 		}






