diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index 5197874372ec4a2055a3f9251f3a3ec248f53fbb..d79ce88be77f3568aa9e6409f7de20242d9c343f 100644
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -166,9 +166,8 @@ void nft_meta_get_eval(const struct nft_expr *expr,
 		dest->data[0] = out->group;
 		break;
 	case NFT_META_CGROUP:
-		if (skb->sk == NULL)
-			break;
-
+		if (skb->sk == NULL || !sk_fullsock(skb->sk))
+			goto err;
 		dest->data[0] = skb->sk->sk_classid;
 		break;
 	default: