net: convert BUG_TRAP to generic WARN_ON

[linux-2.6.git] / net / ipv6 / ip6_output.c

diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 4cfdad4e835621a19d7b90a8040fb71ea7856a9c..6811901e6b1ec94c0e3084de16c7b8c408bb0503 100644 (file)
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -5,8 +5,6 @@
  *     Authors:
  *     Pedro Roque             <roque@di.fc.ul.pt>
  *
- *     $Id: ip6_output.c,v 1.34 2002/02/01 22:01:04 davem Exp $
- *
  *     Based on linux/net/ipv4/ip_output.c
  *
  *     This program is free software; you can redistribute it and/or
@@ -29,7 +27,7 @@
  */
 
 #include <linux/errno.h>
-#include <linux/types.h>
+#include <linux/kernel.h>
 #include <linux/string.h>
 #include <linux/socket.h>
 #include <linux/net.h>
@@ -55,6 +53,7 @@
 #include <net/icmp.h>
 #include <net/xfrm.h>
 #include <net/checksum.h>
+#include <linux/mroute6.h>
 
 static int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *));
 
@@ -70,7 +69,32 @@ static __inline__ void ipv6_select_ident(struct sk_buff *skb, struct frag_hdr *f
        spin_unlock_bh(&ip6_id_lock);
 }
 
-static inline int ip6_output_finish(struct sk_buff *skb)
+int __ip6_local_out(struct sk_buff *skb)
+{
+       int len;
+
+       len = skb->len - sizeof(struct ipv6hdr);
+       if (len > IPV6_MAXPLEN)
+               len = 0;
+       ipv6_hdr(skb)->payload_len = htons(len);
+
+       return nf_hook(PF_INET6, NF_INET_LOCAL_OUT, skb, NULL, skb->dst->dev,
+                      dst_output);
+}
+
+int ip6_local_out(struct sk_buff *skb)
+{
+       int err;
+
+       err = __ip6_local_out(skb);
+       if (likely(err == 1))
+               err = dst_output(skb);
+
+       return err;
+}
+EXPORT_SYMBOL_GPL(ip6_local_out);
+
+static int ip6_output_finish(struct sk_buff *skb)
 {
        struct dst_entry *dst = skb->dst;
 
@@ -92,7 +116,7 @@ static int ip6_dev_loopback_xmit(struct sk_buff *newskb)
        __skb_pull(newskb, skb_network_offset(newskb));
        newskb->pkt_type = PACKET_LOOPBACK;
        newskb->ip_summed = CHECKSUM_UNNECESSARY;
-       BUG_TRAP(newskb->dst);
+       WARN_ON(!newskb->dst);
 
        netif_rx(newskb);
        return 0;
@@ -112,16 +136,17 @@ static int ip6_output2(struct sk_buff *skb)
                struct inet6_dev *idev = ip6_dst_idev(skb->dst);
 
                if (!(dev->flags & IFF_LOOPBACK) && (!np || np->mc_loop) &&
-                   ipv6_chk_mcast_addr(dev, &ipv6_hdr(skb)->daddr,
-                                       &ipv6_hdr(skb)->saddr)) {
+                   ((mroute6_socket && !(IP6CB(skb)->flags & IP6SKB_FORWARDED)) ||
+                    ipv6_chk_mcast_addr(dev, &ipv6_hdr(skb)->daddr,
+                                        &ipv6_hdr(skb)->saddr))) {
                        struct sk_buff *newskb = skb_clone(skb, GFP_ATOMIC);
 
                        /* Do not check for IFF_ALLMULTI; multicast routing
                           is not supported in any case.
                         */
                        if (newskb)
-                               NF_HOOK(PF_INET6, NF_IP6_POST_ROUTING, newskb, NULL,
-                                       newskb->dev,
+                               NF_HOOK(PF_INET6, NF_INET_POST_ROUTING, newskb,
+                                       NULL, newskb->dev,
                                        ip6_dev_loopback_xmit);
 
                        if (ipv6_hdr(skb)->hop_limit == 0) {
@@ -134,12 +159,28 @@ static int ip6_output2(struct sk_buff *skb)
                IP6_INC_STATS(idev, IPSTATS_MIB_OUTMCASTPKTS);
        }
 
-       return NF_HOOK(PF_INET6, NF_IP6_POST_ROUTING, skb,NULL, skb->dev,ip6_output_finish);
+       return NF_HOOK(PF_INET6, NF_INET_POST_ROUTING, skb, NULL, skb->dev,
+                      ip6_output_finish);
+}
+
+static inline int ip6_skb_dst_mtu(struct sk_buff *skb)
+{
+       struct ipv6_pinfo *np = skb->sk ? inet6_sk(skb->sk) : NULL;
+
+       return (np && np->pmtudisc == IPV6_PMTUDISC_PROBE) ?
+              skb->dst->dev->mtu : dst_mtu(skb->dst);
 }
 
 int ip6_output(struct sk_buff *skb)
 {
-       if ((skb->len > dst_mtu(skb->dst) && !skb_is_gso(skb)) ||
+       struct inet6_dev *idev = ip6_dst_idev(skb->dst);
+       if (unlikely(idev->cnf.disable_ipv6)) {
+               IP6_INC_STATS(idev, IPSTATS_MIB_OUTDISCARDS);
+               kfree_skb(skb);
+               return 0;
+       }
+
+       if ((skb->len > ip6_skb_dst_mtu(skb) && !skb_is_gso(skb)) ||
                                dst_allfrag(skb->dst))
                return ip6_fragment(skb, ip6_output2);
        else
@@ -163,7 +204,7 @@ int ip6_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl,
        u32 mtu;
 
        if (opt) {
-               int head_room;
+               unsigned int head_room;
 
                /* First: exthdrs may take lots of space (~8K for now)
                   MAX_HEADER is not enough.
@@ -203,9 +244,7 @@ int ip6_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl,
        if (np)
                hlimit = np->hop_limit;
        if (hlimit < 0)
-               hlimit = dst_metric(dst, RTAX_HOPLIMIT);
-       if (hlimit < 0)
-               hlimit = ipv6_get_hoplimit(dst->dev);
+               hlimit = ip6_dst_hoplimit(dst);
 
        tclass = -1;
        if (np)
@@ -223,12 +262,13 @@ int ip6_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl,
        ipv6_addr_copy(&hdr->daddr, first_hop);
 
        skb->priority = sk->sk_priority;
+       skb->mark = sk->sk_mark;
 
        mtu = dst_mtu(dst);
        if ((skb->len <= mtu) || ipfragok || skb_is_gso(skb)) {
                IP6_INC_STATS(ip6_dst_idev(skb->dst),
                              IPSTATS_MIB_OUTREQUESTS);
-               return NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL, dst->dev,
+               return NF_HOOK(PF_INET6, NF_INET_LOCAL_OUT, skb, NULL, dst->dev,
                                dst_output);
        }
 
@@ -251,7 +291,7 @@ EXPORT_SYMBOL(ip6_xmit);
  */
 
 int ip6_nd_hdr(struct sock *sk, struct sk_buff *skb, struct net_device *dev,
-              struct in6_addr *saddr, struct in6_addr *daddr,
+              const struct in6_addr *saddr, const struct in6_addr *daddr,
               int proto, int len)
 {
        struct ipv6_pinfo *np = inet6_sk(sk);
@@ -369,10 +409,14 @@ int ip6_forward(struct sk_buff *skb)
        struct dst_entry *dst = skb->dst;
        struct ipv6hdr *hdr = ipv6_hdr(skb);
        struct inet6_skb_parm *opt = IP6CB(skb);
+       struct net *net = dev_net(dst->dev);
 
-       if (ipv6_devconf.forwarding == 0)
+       if (net->ipv6.devconf_all->forwarding == 0)
                goto error;
 
+       if (skb_warn_if_lro(skb))
+               goto drop;
+
        if (!xfrm6_policy_check(NULL, XFRM_POLICY_FWD, skb)) {
                IP6_INC_STATS(ip6_dst_idev(dst), IPSTATS_MIB_INDISCARDS);
                goto drop;
@@ -414,8 +458,8 @@ int ip6_forward(struct sk_buff *skb)
        }
 
        /* XXX: idev->cnf.proxy_ndp? */
-       if (ipv6_devconf.proxy_ndp &&
-           pneigh_lookup(&nd_tbl, &hdr->daddr, skb->dev, 0)) {
+       if (net->ipv6.devconf_all->proxy_ndp &&
+           pneigh_lookup(&nd_tbl, net, &hdr->daddr, skb->dev, 0)) {
                int proxied = ip6_forward_proxy_check(skb);
                if (proxied > 0)
                        return ip6_input(skb);
@@ -433,8 +477,10 @@ int ip6_forward(struct sk_buff *skb)
 
        /* IPv6 specs say nothing about it, but it is clear that we cannot
           send redirects to source routed frames.
+          We don't send redirects to frames decapsulated from IPsec.
         */
-       if (skb->dev == dst->dev && dst->neighbour && opt->srcrt == 0) {
+       if (skb->dev == dst->dev && dst->neighbour && opt->srcrt == 0 &&
+           !skb->sp) {
                struct in6_addr *target = NULL;
                struct rt6_info *rt;
                struct neighbour *n = dst->neighbour;
@@ -455,10 +501,18 @@ int ip6_forward(struct sk_buff *skb)
                 */
                if (xrlim_allow(dst, 1*HZ))
                        ndisc_send_redirect(skb, n, target);
-       } else if (ipv6_addr_type(&hdr->saddr)&(IPV6_ADDR_MULTICAST|IPV6_ADDR_LOOPBACK
-                                               |IPV6_ADDR_LINKLOCAL)) {
+       } else {
+               int addrtype = ipv6_addr_type(&hdr->saddr);
+
                /* This check is security critical. */
-               goto error;
+               if (addrtype == IPV6_ADDR_ANY ||
+                   addrtype & (IPV6_ADDR_MULTICAST | IPV6_ADDR_LOOPBACK))
+                       goto error;
+               if (addrtype & IPV6_ADDR_LINKLOCAL) {
+                       icmpv6_send(skb, ICMPV6_DEST_UNREACH,
+                               ICMPV6_NOT_NEIGHBOUR, 0, skb->dev);
+                       goto error;
+               }
        }
 
        if (skb->len > dst_mtu(dst)) {
@@ -483,7 +537,8 @@ int ip6_forward(struct sk_buff *skb)
        hdr->hop_limit--;
 
        IP6_INC_STATS_BH(ip6_dst_idev(dst), IPSTATS_MIB_OUTFORWDATAGRAMS);
-       return NF_HOOK(PF_INET6,NF_IP6_FORWARD, skb, skb->dev, dst->dev, ip6_forward_finish);
+       return NF_HOOK(PF_INET6, NF_INET_FORWARD, skb, skb->dev, dst->dev,
+                      ip6_forward_finish);
 
 error:
        IP6_INC_STATS_BH(ip6_dst_idev(dst), IPSTATS_MIB_INADDRERRORS);
@@ -506,6 +561,10 @@ static void ip6_copy_metadata(struct sk_buff *to, struct sk_buff *from)
        to->tc_index = from->tc_index;
 #endif
        nf_copy(to, from);
+#if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
+    defined(CONFIG_NETFILTER_XT_TARGET_TRACE_MODULE)
+       to->nf_trace = from->nf_trace;
+#endif
        skb_copy_secmark(to, from);
 }
 
@@ -528,7 +587,7 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
                        found_rhdr = 1;
                        break;
                case NEXTHDR_DEST:
-#ifdef CONFIG_IPV6_MIP6
+#if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE)
                        if (ipv6_find_tlv(skb, offset, IPV6_TLV_HAO) >= 0)
                                break;
 #endif
@@ -547,7 +606,6 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
 
        return offset;
 }
-EXPORT_SYMBOL_GPL(ip6_find_1stfragopt);
 
 static int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
 {
@@ -566,7 +624,20 @@ static int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
        hlen = ip6_find_1stfragopt(skb, &prevhdr);
        nexthdr = *prevhdr;
 
-       mtu = dst_mtu(&rt->u.dst);
+       mtu = ip6_skb_dst_mtu(skb);
+
+       /* We must not fragment if the socket is set to force MTU discovery
+        * or if the skb it not generated by a local socket.  (This last
+        * check should be redundant, but it's free.)
+        */
+       if (!skb->local_df) {
+               skb->dev = skb->dst->dev;
+               icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu, skb->dev);
+               IP6_INC_STATS(ip6_dst_idev(skb->dst), IPSTATS_MIB_FRAGFAILS);
+               kfree_skb(skb);
+               return -EMSGSIZE;
+       }
+
        if (np && np->frag_size < mtu) {
                if (np->frag_size)
                        mtu = np->frag_size;
@@ -575,6 +646,7 @@ static int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
 
        if (skb_shinfo(skb)->frag_list) {
                int first_len = skb_pagelen(skb);
+               int truesizes = 0;
 
                if (first_len - hlen > mtu ||
                    ((first_len - hlen) & 7) ||
@@ -597,7 +669,7 @@ static int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
                                sock_hold(skb->sk);
                                frag->sk = skb->sk;
                                frag->destructor = sock_wfree;
-                               skb->truesize -= frag->truesize;
+                               truesizes += frag->truesize;
                        }
                }
 
@@ -628,6 +700,7 @@ static int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
 
                first_len = skb_pagelen(skb);
                skb->data_len = first_len - skb_headlen(skb);
+               skb->truesize -= truesizes;
                skb->len = first_len;
                ipv6_hdr(skb)->payload_len = htons(first_len -
                                                   sizeof(struct ipv6hdr));
@@ -716,7 +789,7 @@ slow_path:
                 *      Allocate buffer.
                 */
 
-               if ((frag = alloc_skb(len+hlen+sizeof(struct frag_hdr)+LL_RESERVED_SPACE(rt->u.dst.dev), GFP_ATOMIC)) == NULL) {
+               if ((frag = alloc_skb(len+hlen+sizeof(struct frag_hdr)+LL_ALLOCATED_SPACE(rt->u.dst.dev), GFP_ATOMIC)) == NULL) {
                        NETDEBUG(KERN_INFO "IPv6: frag: no memory for new fragment!\n");
                        IP6_INC_STATS(ip6_dst_idev(skb->dst),
                                      IPSTATS_MIB_FRAGFAILS);
@@ -762,7 +835,7 @@ slow_path:
                /*
                 *      Copy a block of the IP datagram.
                 */
-               if (skb_copy_bits(skb, ptr, skb_transport_header(skb), len))
+               if (skb_copy_bits(skb, ptr, skb_transport_header(frag), len))
                        BUG();
                left -= len;
 
@@ -848,15 +921,19 @@ static int ip6_dst_lookup_tail(struct sock *sk,
                               struct dst_entry **dst, struct flowi *fl)
 {
        int err;
+       struct net *net = sock_net(sk);
 
        if (*dst == NULL)
-               *dst = ip6_route_output(sk, fl);
+               *dst = ip6_route_output(net, sk, fl);
 
        if ((err = (*dst)->error))
                goto out_err_release;
 
        if (ipv6_addr_any(&fl->fl6_src)) {
-               err = ipv6_get_saddr(*dst, &fl->fl6_dst, &fl->fl6_src);
+               err = ipv6_dev_get_saddr(ip6_dst_idev(*dst)->dev,
+                                        &fl->fl6_dst,
+                                        sk ? inet6_sk(sk)->srcprefs : 0,
+                                        &fl->fl6_src);
                if (err)
                        goto out_err_release;
        }
@@ -875,7 +952,8 @@ static int ip6_dst_lookup_tail(struct sock *sk,
                        struct flowi fl_gw;
                        int redirect;
 
-                       ifp = ipv6_get_ifaddr(&fl->fl6_src, (*dst)->dev, 1);
+                       ifp = ipv6_get_ifaddr(net, &fl->fl6_src,
+                                             (*dst)->dev, 1);
 
                        redirect = (ifp && ifp->flags & IFA_F_OPTIMISTIC);
                        if (ifp)
@@ -889,7 +967,7 @@ static int ip6_dst_lookup_tail(struct sock *sk,
                                dst_release(*dst);
                                memcpy(&fl_gw, fl, sizeof(struct flowi));
                                memset(&fl_gw.fl6_dst, 0, sizeof(struct in6_addr));
-                               *dst = ip6_route_output(sk, &fl_gw);
+                               *dst = ip6_route_output(net, sk, &fl_gw);
                                if ((err = (*dst)->error))
                                        goto out_err_release;
                        }
@@ -899,6 +977,8 @@ static int ip6_dst_lookup_tail(struct sock *sk,
        return 0;
 
 out_err_release:
+       if (err == -ENETUNREACH)
+               IP6_INC_STATS_BH(NULL, IPSTATS_MIB_OUTNOROUTES);
        dst_release(*dst);
        *dst = NULL;
        return err;
@@ -1046,11 +1126,12 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
                        /* need source address above miyazawa*/
                }
                dst_hold(&rt->u.dst);
-               np->cork.rt = rt;
+               inet->cork.dst = &rt->u.dst;
                inet->cork.fl = *fl;
                np->cork.hop_limit = hlimit;
                np->cork.tclass = tclass;
-               mtu = dst_mtu(rt->u.dst.path);
+               mtu = np->pmtudisc == IPV6_PMTUDISC_PROBE ?
+                     rt->u.dst.dev->mtu : dst_mtu(rt->u.dst.path);
                if (np->frag_size < mtu) {
                        if (np->frag_size)
                                mtu = np->frag_size;
@@ -1061,11 +1142,12 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
                inet->cork.length = 0;
                sk->sk_sndmsg_page = NULL;
                sk->sk_sndmsg_off = 0;
-               exthdrlen = rt->u.dst.header_len + (opt ? opt->opt_flen : 0);
+               exthdrlen = rt->u.dst.header_len + (opt ? opt->opt_flen : 0) -
+                           rt->rt6i_nfheader_len;
                length += exthdrlen;
                transhdrlen += exthdrlen;
        } else {
-               rt = np->cork.rt;
+               rt = (struct rt6_info *)inet->cork.dst;
                fl = &inet->cork.fl;
                if (inet->cork.flags & IPCORK_OPT)
                        opt = np->cork.opt;
@@ -1076,7 +1158,8 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
 
        hh_len = LL_RESERVED_SPACE(rt->u.dst.dev);
 
-       fragheaderlen = sizeof(struct ipv6hdr) + rt->u.dst.nfheader_len + (opt ? opt->opt_nflen : 0);
+       fragheaderlen = sizeof(struct ipv6hdr) + rt->rt6i_nfheader_len +
+                       (opt ? opt->opt_nflen : 0);
        maxfraglen = ((mtu - fragheaderlen) & ~7) + fragheaderlen - sizeof(struct frag_hdr);
 
        if (mtu <= sizeof(struct ipv6hdr) + IPV6_MAXPLEN) {
@@ -1279,8 +1362,6 @@ alloc_new_skb:
 
                                skb_fill_page_desc(skb, i, page, 0, 0);
                                frag = &skb_shinfo(skb)->frags[i];
-                               skb->truesize += PAGE_SIZE;
-                               atomic_add(PAGE_SIZE, &sk->sk_wmem_alloc);
                        } else {
                                err = -EMSGSIZE;
                                goto error;
@@ -1293,6 +1374,8 @@ alloc_new_skb:
                        frag->size += copy;
                        skb->len += copy;
                        skb->data_len += copy;
+                       skb->truesize += copy;
+                       atomic_add(copy, &sk->sk_wmem_alloc);
                }
                offset += copy;
                length -= copy;
@@ -1304,6 +1387,19 @@ error:
        return err;
 }
 
+static void ip6_cork_release(struct inet_sock *inet, struct ipv6_pinfo *np)
+{
+       inet->cork.flags &= ~IPCORK_OPT;
+       kfree(np->cork.opt);
+       np->cork.opt = NULL;
+       if (inet->cork.dst) {
+               dst_release(inet->cork.dst);
+               inet->cork.dst = NULL;
+               inet->cork.flags &= ~IPCORK_ALLFRAG;
+       }
+       memset(&inet->cork.fl, 0, sizeof(inet->cork.fl));
+}
+
 int ip6_push_pending_frames(struct sock *sk)
 {
        struct sk_buff *skb, *tmp_skb;
@@ -1313,7 +1409,7 @@ int ip6_push_pending_frames(struct sock *sk)
        struct ipv6_pinfo *np = inet6_sk(sk);
        struct ipv6hdr *hdr;
        struct ipv6_txoptions *opt = np->cork.opt;
-       struct rt6_info *rt = np->cork.rt;
+       struct rt6_info *rt = (struct rt6_info *)inet->cork.dst;
        struct flowi *fl = &inet->cork.fl;
        unsigned char proto = fl->proto;
        int err = 0;
@@ -1337,6 +1433,10 @@ int ip6_push_pending_frames(struct sock *sk)
                tmp_skb->sk = NULL;
        }
 
+       /* Allow local fragmentation. */
+       if (np->pmtudisc < IPV6_PMTUDISC_DO)
+               skb->local_df = 1;
+
        ipv6_addr_copy(final_dst, &fl->fl6_dst);
        __skb_pull(skb, skb_network_header_len(skb));
        if (opt && opt->opt_flen)
@@ -1351,20 +1451,24 @@ int ip6_push_pending_frames(struct sock *sk)
        *(__be32*)hdr = fl->fl6_flowlabel |
                     htonl(0x60000000 | ((int)np->cork.tclass << 20));
 
-       if (skb->len <= sizeof(struct ipv6hdr) + IPV6_MAXPLEN)
-               hdr->payload_len = htons(skb->len - sizeof(struct ipv6hdr));
-       else
-               hdr->payload_len = 0;
        hdr->hop_limit = np->cork.hop_limit;
        hdr->nexthdr = proto;
        ipv6_addr_copy(&hdr->saddr, &fl->fl6_src);
        ipv6_addr_copy(&hdr->daddr, final_dst);
 
        skb->priority = sk->sk_priority;
+       skb->mark = sk->sk_mark;
 
        skb->dst = dst_clone(&rt->u.dst);
        IP6_INC_STATS(rt->rt6i_idev, IPSTATS_MIB_OUTREQUESTS);
-       err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL, skb->dst->dev, dst_output);
+       if (proto == IPPROTO_ICMPV6) {
+               struct inet6_dev *idev = ip6_dst_idev(skb->dst);
+
+               ICMP6MSGOUT_INC_STATS_BH(idev, icmp6_hdr(skb)->icmp6_type);
+               ICMP6_INC_STATS_BH(idev, ICMP6_MIB_OUTMSGS);
+       }
+
+       err = ip6_local_out(skb);
        if (err) {
                if (err > 0)
                        err = np->recverr ? net_xmit_errno(err) : 0;
@@ -1373,15 +1477,7 @@ int ip6_push_pending_frames(struct sock *sk)
        }
 
 out:
-       inet->cork.flags &= ~IPCORK_OPT;
-       kfree(np->cork.opt);
-       np->cork.opt = NULL;
-       if (np->cork.rt) {
-               dst_release(&np->cork.rt->u.dst);
-               np->cork.rt = NULL;
-               inet->cork.flags &= ~IPCORK_ALLFRAG;
-       }
-       memset(&inet->cork.fl, 0, sizeof(inet->cork.fl));
+       ip6_cork_release(inet, np);
        return err;
 error:
        goto out;
@@ -1389,24 +1485,14 @@ error:
 
 void ip6_flush_pending_frames(struct sock *sk)
 {
-       struct inet_sock *inet = inet_sk(sk);
-       struct ipv6_pinfo *np = inet6_sk(sk);
        struct sk_buff *skb;
 
        while ((skb = __skb_dequeue_tail(&sk->sk_write_queue)) != NULL) {
-               IP6_INC_STATS(ip6_dst_idev(skb->dst),
-                             IPSTATS_MIB_OUTDISCARDS);
+               if (skb->dst)
+                       IP6_INC_STATS(ip6_dst_idev(skb->dst),
+                                     IPSTATS_MIB_OUTDISCARDS);
                kfree_skb(skb);
        }
 
-       inet->cork.flags &= ~IPCORK_OPT;
-
-       kfree(np->cork.opt);
-       np->cork.opt = NULL;
-       if (np->cork.rt) {
-               dst_release(&np->cork.rt->u.dst);
-               np->cork.rt = NULL;
-               inet->cork.flags &= ~IPCORK_ALLFRAG;
-       }
-       memset(&inet->cork.fl, 0, sizeof(inet->cork.fl));
+       ip6_cork_release(inet_sk(sk), inet6_sk(sk));
 }