1 files changed, 17 insertions, 9 deletions

diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 0bb6b6de7962..8fa83b78f81a 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -128,16 +128,8 @@ static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff *
         return -EINVAL;
 }
 
-static int ip6_finish_output(struct net *net, struct sock *sk, struct sk_buff *skb)
+static int __ip6_finish_output(struct net *net, struct sock *sk, struct sk_buff *skb)
 {
-        int ret;
-
-        ret = BPF_CGROUP_RUN_PROG_INET_EGRESS(sk, skb);
-        if (ret) {
-                kfree_skb(skb);
-                return ret;
-        }
-
 #if defined(CONFIG_NETFILTER) && defined(CONFIG_XFRM)
         /* Policy lookup after SNAT yielded a new policy */
         if (skb_dst(skb)->xfrm) {
@@ -154,6 +146,22 @@ static int ip6_finish_output(struct net *net, struct sock *sk, struct sk_buff *s
                 return ip6_finish_output2(net, sk, skb);
 }
 
+static int ip6_finish_output(struct net *net, struct sock *sk, struct sk_buff *skb)
+{
+        int ret;
+
+        ret = BPF_CGROUP_RUN_PROG_INET_EGRESS(sk, skb);
+        switch (ret) {
+        case NET_XMIT_SUCCESS:
+                return __ip6_finish_output(net, sk, skb);
+        case NET_XMIT_CN:
+                return __ip6_finish_output(net, sk, skb) ? : ret;
+        default:
+                kfree_skb(skb);
+                return ret;
+        }
+}
+
 int ip6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
 {
         struct net_device *dev = skb_dst(skb)->dev;