Merge rsync://rsync.kernel.org/pub/scm/linux/kernel/git/torvalds/linux-2.6

248 files changed, 2092 insertions, 1941 deletions

diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c
index 458031bfff55..18fcb9fa518d 100644
--- a/net/8021q/vlan.c
+++ b/net/8021q/vlan.c
@@ -67,10 +67,6 @@ static struct packet_type vlan_packet_type = {
         .func = vlan_skb_recv, /* VLAN receive method */
 };
 
-/* Bits of netdev state that are propagated from real device to virtual */
-#define VLAN_LINK_STATE_MASK \
-        ((1<<__LINK_STATE_PRESENT)|(1<<__LINK_STATE_NOCARRIER)|(1<<__LINK_STATE_DORMANT))
-
 /* End of global variables definitions. */
 
 /*
@@ -479,7 +475,9 @@ static struct net_device *register_vlan_device(const char *eth_IF_name,
         new_dev->flags = real_dev->flags;
         new_dev->flags &= ~IFF_UP;
 
-        new_dev->state = real_dev->state & ~(1<<__LINK_STATE_START);
+        new_dev->state = (real_dev->state & ((1<<__LINK_STATE_NOCARRIER) |
+                                             (1<<__LINK_STATE_DORMANT))) |
+                         (1<<__LINK_STATE_PRESENT); 
 
         /* need 4 bytes for extra VLAN header info,
          * hope the underlying device can handle it.
@@ -542,12 +540,11 @@ static struct net_device *register_vlan_device(const char *eth_IF_name,
          * so it cannot "appear" on us.
          */
         if (!grp) { /* need to add a new group */
-                grp = kmalloc(sizeof(struct vlan_group), GFP_KERNEL);
+                grp = kzalloc(sizeof(struct vlan_group), GFP_KERNEL);
                 if (!grp)
                         goto out_free_unregister;
                                         
                 /* printk(KERN_ALERT "VLAN REGISTER:  Allocated new group.\n"); */
-                memset(grp, 0, sizeof(struct vlan_group));
                 grp->real_dev_ifindex = real_dev->ifindex;
 
                 hlist_add_head_rcu(&grp->hlist, 
diff --git a/net/Kconfig b/net/Kconfig
index c6cec5aa5486..4959a4e1e0fe 100644
--- a/net/Kconfig
+++ b/net/Kconfig
@@ -177,7 +177,7 @@ source "net/lapb/Kconfig"
 
 config NET_DIVERT
         bool "Frame Diverter (EXPERIMENTAL)"
-        depends on EXPERIMENTAL
+        depends on EXPERIMENTAL && BROKEN
         ---help---
           The Frame Diverter allows you to divert packets from the
           network, that are not aimed at the interface receiving it (in
diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
index 5ee96d4b40e9..96dc6bb52d14 100644
--- a/net/appletalk/ddp.c
+++ b/net/appletalk/ddp.c
@@ -227,12 +227,11 @@ static void atif_drop_device(struct net_device *dev)
 static struct atalk_iface *atif_add_device(struct net_device *dev,
                                            struct atalk_addr *sa)
 {
-        struct atalk_iface *iface = kmalloc(sizeof(*iface), GFP_KERNEL);
+        struct atalk_iface *iface = kzalloc(sizeof(*iface), GFP_KERNEL);
 
         if (!iface)
                 goto out;
 
-        memset(iface, 0, sizeof(*iface));
         dev_hold(dev);
         iface->dev = dev;
         dev->atalk_ptr = iface;
@@ -559,12 +558,11 @@ static int atrtr_create(struct rtentry *r, struct net_device *devhint)
         }
 
         if (!rt) {
-                rt = kmalloc(sizeof(*rt), GFP_ATOMIC);
+                rt = kzalloc(sizeof(*rt), GFP_ATOMIC);
 
                 retval = -ENOBUFS;
                 if (!rt)
                         goto out_unlock;
-                memset(rt, 0, sizeof(*rt));
 
                 rt->next = atalk_routes;
                 atalk_routes = rt;
diff --git a/net/atm/br2684.c b/net/atm/br2684.c
index a487233dc466..d00cca97eb33 100644
--- a/net/atm/br2684.c
+++ b/net/atm/br2684.c
@@ -508,10 +508,9 @@ Note: we do not have explicit unassign, but look at _push()
 
         if (copy_from_user(&be, arg, sizeof be))
                 return -EFAULT;
-        brvcc = kmalloc(sizeof(struct br2684_vcc), GFP_KERNEL);
+        brvcc = kzalloc(sizeof(struct br2684_vcc), GFP_KERNEL);
         if (!brvcc)
                 return -ENOMEM;
-        memset(brvcc, 0, sizeof(struct br2684_vcc));
         write_lock_irq(&devs_lock);
         net_dev = br2684_find_dev(&be.ifspec);
         if (net_dev == NULL) {
diff --git a/net/atm/clip.c b/net/atm/clip.c
index 121bf6f49148..7af2c411da82 100644
--- a/net/atm/clip.c
+++ b/net/atm/clip.c
@@ -500,9 +500,11 @@ static int clip_mkip(struct atm_vcc *vcc, int timeout)
                 } else {
                         unsigned int len = skb->len;
 
+                        skb_get(skb);
                         clip_push(vcc, skb);
                         PRIV(skb->dev)->stats.rx_packets--;
                         PRIV(skb->dev)->stats.rx_bytes -= len;
+                        kfree_skb(skb);
                 }
         return 0;
 }
@@ -929,12 +931,11 @@ static int arp_seq_open(struct inode *inode, struct file *file)
         struct seq_file *seq;
         int rc = -EAGAIN;
 
-        state = kmalloc(sizeof(*state), GFP_KERNEL);
+        state = kzalloc(sizeof(*state), GFP_KERNEL);
         if (!state) {
                 rc = -ENOMEM;
                 goto out_kfree;
         }
-        memset(state, 0, sizeof(*state));
         state->ns.neigh_sub_iter = clip_seq_sub_iter;
 
         rc = seq_open(file, &arp_seq_ops);
@@ -962,7 +963,6 @@ static struct file_operations arp_seq_fops = {
 
 static int __init atm_clip_init(void)
 {
-        struct proc_dir_entry *p;
         neigh_table_init_no_netlink(&clip_tbl);
 
         clip_tbl_hook = &clip_tbl;
@@ -972,9 +972,15 @@ static int __init atm_clip_init(void)
 
         setup_timer(&idle_timer, idle_timer_check, 0);
 
-        p = create_proc_entry("arp", S_IRUGO, atm_proc_root);
-        if (p)
-                p->proc_fops = &arp_seq_fops;
+#ifdef CONFIG_PROC_FS
+        {
+                struct proc_dir_entry *p;
+
+                p = create_proc_entry("arp", S_IRUGO, atm_proc_root);
+                if (p)
+                        p->proc_fops = &arp_seq_fops;
+        }
+#endif
 
         return 0;
 }
diff --git a/net/atm/ipcommon.c b/net/atm/ipcommon.c
index 4b1faca5013f..1d3de42fada0 100644
--- a/net/atm/ipcommon.c
+++ b/net/atm/ipcommon.c
@@ -25,22 +25,27 @@
 /*
  * skb_migrate appends the list at "from" to "to", emptying "from" in the
  * process. skb_migrate is atomic with respect to all other skb operations on
- * "from" and "to". Note that it locks both lists at the same time, so beware
- * of potential deadlocks.
+ * "from" and "to". Note that it locks both lists at the same time, so to deal
+ * with the lock ordering, the locks are taken in address order.
  *
  * This function should live in skbuff.c or skbuff.h.
  */
 
 
-void skb_migrate(struct sk_buff_head *from,struct sk_buff_head *to)
+void skb_migrate(struct sk_buff_head *from, struct sk_buff_head *to)
 {
         unsigned long flags;
         struct sk_buff *skb_from = (struct sk_buff *) from;
         struct sk_buff *skb_to = (struct sk_buff *) to;
         struct sk_buff *prev;
 
-        spin_lock_irqsave(&from->lock,flags);
-        spin_lock(&to->lock);
+        if ((unsigned long) from < (unsigned long) to) {
+                spin_lock_irqsave(&from->lock, flags);
+                spin_lock_nested(&to->lock, SINGLE_DEPTH_NESTING);
+        } else {
+                spin_lock_irqsave(&to->lock, flags);
+                spin_lock_nested(&from->lock, SINGLE_DEPTH_NESTING);
+        }
         prev = from->prev;
         from->next->prev = to->prev;
         prev->next = skb_to;
@@ -51,7 +56,7 @@ void skb_migrate(struct sk_buff_head *from,struct sk_buff_head *to)
         from->prev = skb_from;
         from->next = skb_from;
         from->qlen = 0;
-        spin_unlock_irqrestore(&from->lock,flags);
+        spin_unlock_irqrestore(&from->lock, flags);
 }
 
 
diff --git a/net/atm/lec.c b/net/atm/lec.c
index 4b68a18171cf..b4aa489849df 100644
--- a/net/atm/lec.c
+++ b/net/atm/lec.c
@@ -1811,12 +1811,11 @@ make_entry(struct lec_priv *priv, unsigned char *mac_addr)
 {
         struct lec_arp_table *to_return;
 
-        to_return = kmalloc(sizeof(struct lec_arp_table), GFP_ATOMIC);
+        to_return = kzalloc(sizeof(struct lec_arp_table), GFP_ATOMIC);
         if (!to_return) {
                 printk("LEC: Arp entry kmalloc failed\n");
                 return NULL;
         }
-        memset(to_return, 0, sizeof(struct lec_arp_table));
         memcpy(to_return->mac_addr, mac_addr, ETH_ALEN);
         init_timer(&to_return->timer);
         to_return->timer.function = lec_arp_expire_arp;
diff --git a/net/atm/mpc.c b/net/atm/mpc.c
index 9aafe1e2f048..00704661e83f 100644
--- a/net/atm/mpc.c
+++ b/net/atm/mpc.c
@@ -258,10 +258,9 @@ static struct mpoa_client *alloc_mpc(void)
 {
         struct mpoa_client *mpc;
 
-        mpc = kmalloc(sizeof (struct mpoa_client), GFP_KERNEL);
+        mpc = kzalloc(sizeof (struct mpoa_client), GFP_KERNEL);
         if (mpc == NULL)
                 return NULL;
-        memset(mpc, 0, sizeof(struct mpoa_client));
         rwlock_init(&mpc->ingress_lock);
         rwlock_init(&mpc->egress_lock);
         mpc->next = mpcs;
diff --git a/net/atm/pppoatm.c b/net/atm/pppoatm.c
index 76a7d8ff6c0e..19d5dfc0702f 100644
--- a/net/atm/pppoatm.c
+++ b/net/atm/pppoatm.c
@@ -287,10 +287,9 @@ static int pppoatm_assign_vcc(struct atm_vcc *atmvcc, void __user *arg)
         if (be.encaps != PPPOATM_ENCAPS_AUTODETECT &&
             be.encaps != PPPOATM_ENCAPS_VC && be.encaps != PPPOATM_ENCAPS_LLC)
                 return -EINVAL;
-        pvcc = kmalloc(sizeof(*pvcc), GFP_KERNEL);
+        pvcc = kzalloc(sizeof(*pvcc), GFP_KERNEL);
         if (pvcc == NULL)
                 return -ENOMEM;
-        memset(pvcc, 0, sizeof(*pvcc));
         pvcc->atmvcc = atmvcc;
         pvcc->old_push = atmvcc->push;
         pvcc->old_pop = atmvcc->pop;
diff --git a/net/atm/proc.c b/net/atm/proc.c
index 3f95b0886a6a..91fe5f53ff11 100644
--- a/net/atm/proc.c
+++ b/net/atm/proc.c
@@ -507,7 +507,7 @@ err_out:
         goto out;
 }
 
-void __exit atm_proc_exit(void)
+void atm_proc_exit(void)
 {
         atm_proc_dirs_remove();
 }
diff --git a/net/atm/resources.c b/net/atm/resources.c
index de25c6408b04..529f7e64aa2c 100644
--- a/net/atm/resources.c
+++ b/net/atm/resources.c
@@ -33,10 +33,9 @@ static struct atm_dev *__alloc_atm_dev(const char *type)
 {
         struct atm_dev *dev;
 
-        dev = kmalloc(sizeof(*dev), GFP_KERNEL);
+        dev = kzalloc(sizeof(*dev), GFP_KERNEL);
         if (!dev)
                 return NULL;
-        memset(dev, 0, sizeof(*dev));
         dev->type = type;
         dev->signal = ATM_PHY_SIG_UNKNOWN;
         dev->link_rate = ATM_OC3_PCR;
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
index 10a3c0aa8398..000695c48583 100644
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -145,7 +145,7 @@ struct sock *ax25_find_listener(ax25_address *addr, int digi,
         ax25_cb *s;
         struct hlist_node *node;
 
-        spin_lock_bh(&ax25_list_lock);
+        spin_lock(&ax25_list_lock);
         ax25_for_each(s, node, &ax25_list) {
                 if ((s->iamdigi && !digi) || (!s->iamdigi && digi))
                         continue;
@@ -154,12 +154,12 @@ struct sock *ax25_find_listener(ax25_address *addr, int digi,
                         /* If device is null we match any device */
                         if (s->ax25_dev == NULL || s->ax25_dev->dev == dev) {
                                 sock_hold(s->sk);
-                                spin_unlock_bh(&ax25_list_lock);
+                                spin_unlock(&ax25_list_lock);
                                 return s->sk;
                         }
                 }
         }
-        spin_unlock_bh(&ax25_list_lock);
+        spin_unlock(&ax25_list_lock);
 
         return NULL;
 }
@@ -174,7 +174,7 @@ struct sock *ax25_get_socket(ax25_address *my_addr, ax25_address *dest_addr,
         ax25_cb *s;
         struct hlist_node *node;
 
-        spin_lock_bh(&ax25_list_lock);
+        spin_lock(&ax25_list_lock);
         ax25_for_each(s, node, &ax25_list) {
                 if (s->sk && !ax25cmp(&s->source_addr, my_addr) &&
                     !ax25cmp(&s->dest_addr, dest_addr) &&
@@ -185,7 +185,7 @@ struct sock *ax25_get_socket(ax25_address *my_addr, ax25_address *dest_addr,
                 }
         }
 
-        spin_unlock_bh(&ax25_list_lock);
+        spin_unlock(&ax25_list_lock);
 
         return sk;
 }
@@ -235,7 +235,7 @@ void ax25_send_to_raw(ax25_address *addr, struct sk_buff *skb, int proto)
         struct sk_buff *copy;
         struct hlist_node *node;
 
-        spin_lock_bh(&ax25_list_lock);
+        spin_lock(&ax25_list_lock);
         ax25_for_each(s, node, &ax25_list) {
                 if (s->sk != NULL && ax25cmp(&s->source_addr, addr) == 0 &&
                     s->sk->sk_type == SOCK_RAW &&
@@ -248,7 +248,7 @@ void ax25_send_to_raw(ax25_address *addr, struct sk_buff *skb, int proto)
                                 kfree_skb(copy);
                 }
         }
-        spin_unlock_bh(&ax25_list_lock);
+        spin_unlock(&ax25_list_lock);
 }
 
 /*
@@ -486,10 +486,9 @@ ax25_cb *ax25_create_cb(void)
 {
         ax25_cb *ax25;
 
-        if ((ax25 = kmalloc(sizeof(*ax25), GFP_ATOMIC)) == NULL)
+        if ((ax25 = kzalloc(sizeof(*ax25), GFP_ATOMIC)) == NULL)
                 return NULL;
 
-        memset(ax25, 0x00, sizeof(*ax25));
         atomic_set(&ax25->refcount, 1);
 
         skb_queue_head_init(&ax25->write_queue);
diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c
index 47e6e790bd67..b787678220ff 100644
--- a/net/ax25/ax25_dev.c
+++ b/net/ax25/ax25_dev.c
@@ -55,15 +55,13 @@ void ax25_dev_device_up(struct net_device *dev)
 {
         ax25_dev *ax25_dev;
 
-        if ((ax25_dev = kmalloc(sizeof(*ax25_dev), GFP_ATOMIC)) == NULL) {
+        if ((ax25_dev = kzalloc(sizeof(*ax25_dev), GFP_ATOMIC)) == NULL) {
                 printk(KERN_ERR "AX.25: ax25_dev_device_up - out of memory\n");
                 return;
         }
 
         ax25_unregister_sysctl();
 
-        memset(ax25_dev, 0x00, sizeof(*ax25_dev));
-
         dev->ax25_ptr     = ax25_dev;
         ax25_dev->dev     = dev;
         dev_hold(dev);
diff --git a/net/ax25/ax25_ds_subr.c b/net/ax25/ax25_ds_subr.c
index 1d4ab641f82b..4d22d4430ec8 100644
--- a/net/ax25/ax25_ds_subr.c
+++ b/net/ax25/ax25_ds_subr.c
@@ -80,7 +80,7 @@ void ax25_ds_enquiry_response(ax25_cb *ax25)
         ax25_start_t3timer(ax25);
         ax25_ds_set_timer(ax25->ax25_dev);
 
-        spin_lock_bh(&ax25_list_lock);
+        spin_lock(&ax25_list_lock);
         ax25_for_each(ax25o, node, &ax25_list) {
                 if (ax25o == ax25)
                         continue;
@@ -106,7 +106,7 @@ void ax25_ds_enquiry_response(ax25_cb *ax25)
                 if (ax25o->state != AX25_STATE_0)
                         ax25_start_t3timer(ax25o);
         }
-        spin_unlock_bh(&ax25_list_lock);
+        spin_unlock(&ax25_list_lock);
 }
 
 void ax25_ds_establish_data_link(ax25_cb *ax25)
@@ -162,13 +162,13 @@ static int ax25_check_dama_slave(ax25_dev *ax25_dev)
         int res = 0;
         struct hlist_node *node;
 
-        spin_lock_bh(&ax25_list_lock);
+        spin_lock(&ax25_list_lock);
         ax25_for_each(ax25, node, &ax25_list)
                 if (ax25->ax25_dev == ax25_dev && (ax25->condition & AX25_COND_DAMA_MODE) && ax25->state > AX25_STATE_1) {
                         res = 1;
                         break;
                 }
-        spin_unlock_bh(&ax25_list_lock);
+        spin_unlock(&ax25_list_lock);
 
         return res;
 }
diff --git a/net/ax25/ax25_ds_timer.c b/net/ax25/ax25_ds_timer.c
index 5961459935eb..4f44185955c7 100644
--- a/net/ax25/ax25_ds_timer.c
+++ b/net/ax25/ax25_ds_timer.c
@@ -85,7 +85,7 @@ static void ax25_ds_timeout(unsigned long arg)
                 return;
         }
 
-        spin_lock_bh(&ax25_list_lock);
+        spin_lock(&ax25_list_lock);
         ax25_for_each(ax25, node, &ax25_list) {
                 if (ax25->ax25_dev != ax25_dev || !(ax25->condition & AX25_COND_DAMA_MODE))
                         continue;
@@ -93,7 +93,7 @@ static void ax25_ds_timeout(unsigned long arg)
                 ax25_send_control(ax25, AX25_DISC, AX25_POLLON, AX25_COMMAND);
                 ax25_disconnect(ax25, ETIMEDOUT);
         }
-        spin_unlock_bh(&ax25_list_lock);
+        spin_unlock(&ax25_list_lock);
 
         ax25_dev_dama_off(ax25_dev);
 }
diff --git a/net/ax25/ax25_iface.c b/net/ax25/ax25_iface.c
index 77ba07c67682..07ac0207eb69 100644
--- a/net/ax25/ax25_iface.c
+++ b/net/ax25/ax25_iface.c
@@ -66,10 +66,10 @@ int ax25_protocol_register(unsigned int pid,
         protocol->pid  = pid;
         protocol->func = func;
 
-        write_lock(&protocol_list_lock);
+        write_lock_bh(&protocol_list_lock);
         protocol->next = protocol_list;
         protocol_list  = protocol;
-        write_unlock(&protocol_list_lock);
+        write_unlock_bh(&protocol_list_lock);
 
         return 1;
 }
@@ -80,16 +80,16 @@ void ax25_protocol_release(unsigned int pid)
 {
         struct protocol_struct *s, *protocol;
 
-        write_lock(&protocol_list_lock);
+        write_lock_bh(&protocol_list_lock);
         protocol = protocol_list;
         if (protocol == NULL) {
-                write_unlock(&protocol_list_lock);
+                write_unlock_bh(&protocol_list_lock);
                 return;
         }
 
         if (protocol->pid == pid) {
                 protocol_list = protocol->next;
-                write_unlock(&protocol_list_lock);
+                write_unlock_bh(&protocol_list_lock);
                 kfree(protocol);
                 return;
         }
@@ -98,14 +98,14 @@ void ax25_protocol_release(unsigned int pid)
                 if (protocol->next->pid == pid) {
                         s = protocol->next;
                         protocol->next = protocol->next->next;
-                        write_unlock(&protocol_list_lock);
+                        write_unlock_bh(&protocol_list_lock);
                         kfree(s);
                         return;
                 }
 
                 protocol = protocol->next;
         }
-        write_unlock(&protocol_list_lock);
+        write_unlock_bh(&protocol_list_lock);
 }
 
 EXPORT_SYMBOL(ax25_protocol_release);
@@ -266,13 +266,13 @@ int ax25_protocol_is_registered(unsigned int pid)
         struct protocol_struct *protocol;
         int res = 0;
 
-        read_lock(&protocol_list_lock);
+        read_lock_bh(&protocol_list_lock);
         for (protocol = protocol_list; protocol != NULL; protocol = protocol->next)
                 if (protocol->pid == pid) {
                         res = 1;
                         break;
                 }
-        read_unlock(&protocol_list_lock);
+        read_unlock_bh(&protocol_list_lock);
 
         return res;
 }
diff --git a/net/ax25/ax25_in.c b/net/ax25/ax25_in.c
index 4cf87540fb3a..e9d94291581e 100644
--- a/net/ax25/ax25_in.c
+++ b/net/ax25/ax25_in.c
@@ -102,8 +102,8 @@ static int ax25_rx_fragment(ax25_cb *ax25, struct sk_buff *skb)
 int ax25_rx_iframe(ax25_cb *ax25, struct sk_buff *skb)
 {
         int (*func)(struct sk_buff *, ax25_cb *);
-        volatile int queued = 0;
         unsigned char pid;
+        int queued = 0;
 
         if (skb == NULL) return 0;
 
diff --git a/net/ax25/sysctl_net_ax25.c b/net/ax25/sysctl_net_ax25.c
index 369a75b160f2..867d42537979 100644
--- a/net/ax25/sysctl_net_ax25.c
+++ b/net/ax25/sysctl_net_ax25.c
@@ -203,13 +203,11 @@ void ax25_register_sysctl(void)
         for (ax25_table_size = sizeof(ctl_table), ax25_dev = ax25_dev_list; ax25_dev != NULL; ax25_dev = ax25_dev->next)
                 ax25_table_size += sizeof(ctl_table);
 
-        if ((ax25_table = kmalloc(ax25_table_size, GFP_ATOMIC)) == NULL) {
+        if ((ax25_table = kzalloc(ax25_table_size, GFP_ATOMIC)) == NULL) {
                 spin_unlock_bh(&ax25_dev_lock);
                 return;
         }
 
-        memset(ax25_table, 0x00, ax25_table_size);
-
         for (n = 0, ax25_dev = ax25_dev_list; ax25_dev != NULL; ax25_dev = ax25_dev->next) {
                 ctl_table *child = kmalloc(sizeof(ax25_param_table), GFP_ATOMIC);
                 if (!child) {
diff --git a/net/bluetooth/cmtp/capi.c b/net/bluetooth/cmtp/capi.c
index 6fb47e00e188..be04e9fb11f6 100644
--- a/net/bluetooth/cmtp/capi.c
+++ b/net/bluetooth/cmtp/capi.c
@@ -75,15 +75,13 @@
 
 static struct cmtp_application *cmtp_application_add(struct cmtp_session *session, __u16 appl)
 {
-        struct cmtp_application *app = kmalloc(sizeof(*app), GFP_KERNEL);
+        struct cmtp_application *app = kzalloc(sizeof(*app), GFP_KERNEL);
 
         BT_DBG("session %p application %p appl %d", session, app, appl);
 
         if (!app)
                 return NULL;
 
-        memset(app, 0, sizeof(*app));
-
         app->state = BT_OPEN;
         app->appl = appl;
 
diff --git a/net/bluetooth/cmtp/core.c b/net/bluetooth/cmtp/core.c
index 182254a580e2..b81a01c64aea 100644
--- a/net/bluetooth/cmtp/core.c
+++ b/net/bluetooth/cmtp/core.c
@@ -335,10 +335,9 @@ int cmtp_add_connection(struct cmtp_connadd_req *req, struct socket *sock)
         baswap(&src, &bt_sk(sock->sk)->src);
         baswap(&dst, &bt_sk(sock->sk)->dst);
 
-        session = kmalloc(sizeof(struct cmtp_session), GFP_KERNEL);
+        session = kzalloc(sizeof(struct cmtp_session), GFP_KERNEL);
         if (!session) 
                 return -ENOMEM;
-        memset(session, 0, sizeof(struct cmtp_session));
 
         down_write(&cmtp_session_sem);
 
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 54e8e5ea2154..5ed474277903 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -336,9 +336,8 @@ void hci_inquiry_cache_update(struct hci_dev *hdev, struct inquiry_data *data)
 
         if (!(e = hci_inquiry_cache_lookup(hdev, &data->bdaddr))) {
                 /* Entry not in the cache. Add new one. */
-                if (!(e = kmalloc(sizeof(struct inquiry_entry), GFP_ATOMIC)))
+                if (!(e = kzalloc(sizeof(struct inquiry_entry), GFP_ATOMIC)))
                         return;
-                memset(e, 0, sizeof(struct inquiry_entry));
                 e->next     = cache->list;
                 cache->list = e;
         }
@@ -800,12 +799,10 @@ struct hci_dev *hci_alloc_dev(void)
 {
         struct hci_dev *hdev;
 
-        hdev = kmalloc(sizeof(struct hci_dev), GFP_KERNEL);
+        hdev = kzalloc(sizeof(struct hci_dev), GFP_KERNEL);
         if (!hdev)
                 return NULL;
 
-        memset(hdev, 0, sizeof(struct hci_dev));
-
         skb_queue_head_init(&hdev->driver_init);
 
         return hdev;
diff --git a/net/bluetooth/hidp/Kconfig b/net/bluetooth/hidp/Kconfig
index edfea772fb67..c6abf2a5a932 100644
--- a/net/bluetooth/hidp/Kconfig
+++ b/net/bluetooth/hidp/Kconfig
@@ -1,7 +1,6 @@
 config BT_HIDP
         tristate "HIDP protocol support"
-        depends on BT && BT_L2CAP && (BROKEN || !S390)
-        select INPUT
+        depends on BT && BT_L2CAP && INPUT
         help
           HIDP (Human Interface Device Protocol) is a transport layer
           for HID reports.  HIDP is required for the Bluetooth Human
diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index b9c24a55425c..c6e3a2c27c6e 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -582,10 +582,9 @@ int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock,
                         bacmp(&bt_sk(ctrl_sock->sk)->dst, &bt_sk(intr_sock->sk)->dst))
                 return -ENOTUNIQ;
 
-        session = kmalloc(sizeof(struct hidp_session), GFP_KERNEL);
+        session = kzalloc(sizeof(struct hidp_session), GFP_KERNEL);
         if (!session)
                 return -ENOMEM;
-        memset(session, 0, sizeof(struct hidp_session));
 
         session->input = input_allocate_device();
         if (!session->input) {
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index eaaad658d11d..d56f60b392ac 100644
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -185,7 +185,7 @@ static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk)
 {
         struct sock *next = l2cap_pi(sk)->next_c, *prev = l2cap_pi(sk)->prev_c;
 
-        write_lock(&l->lock);
+        write_lock_bh(&l->lock);
         if (sk == l->head)
                 l->head = next;
 
@@ -193,7 +193,7 @@ static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk)
                 l2cap_pi(next)->prev_c = prev;
         if (prev)
                 l2cap_pi(prev)->next_c = next;
-        write_unlock(&l->lock);
+        write_unlock_bh(&l->lock);
 
         __sock_put(sk);
 }
@@ -313,9 +313,9 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
 static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
 {
         struct l2cap_chan_list *l = &conn->chan_list;
-        write_lock(&l->lock);
+        write_lock_bh(&l->lock);
         __l2cap_chan_add(conn, sk, parent);
-        write_unlock(&l->lock);
+        write_unlock_bh(&l->lock);
 }
 
 static inline u8 l2cap_get_ident(struct l2cap_conn *conn)
@@ -328,14 +328,14 @@ static inline u8 l2cap_get_ident(struct l2cap_conn *conn)
          *  200 - 254 are used by utilities like l2ping, etc.
          */
 
-        spin_lock(&conn->lock);
+        spin_lock_bh(&conn->lock);
 
         if (++conn->tx_ident > 128)
                 conn->tx_ident = 1;
 
         id = conn->tx_ident;
 
-        spin_unlock(&conn->lock);
+        spin_unlock_bh(&conn->lock);
 
         return id;
 }
@@ -1416,11 +1416,11 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
         if (!sk)
                 goto response;
 
-        write_lock(&list->lock);
+        write_lock_bh(&list->lock);
 
         /* Check if we already have channel with that dcid */
         if (__l2cap_get_chan_by_dcid(list, scid)) {
-                write_unlock(&list->lock);
+                write_unlock_bh(&list->lock);
                 sock_set_flag(sk, SOCK_ZAPPED);
                 l2cap_sock_kill(sk);
                 goto response;
@@ -1458,7 +1458,7 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
         result = status = 0;
 
 done:
-        write_unlock(&list->lock);
+        write_unlock_bh(&list->lock);
 
 response:
         bh_unlock_sock(parent);
diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index 155a2b93760e..332dd8f436ea 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -55,6 +55,7 @@
 #define VERSION "1.8"
 
 static int disable_cfc = 0;
+static int channel_mtu = -1;
 static unsigned int l2cap_mtu = RFCOMM_MAX_L2CAP_MTU;
 
 static struct task_struct *rfcomm_thread;
@@ -273,10 +274,10 @@ static void rfcomm_dlc_clear_state(struct rfcomm_dlc *d)
 
 struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
 {
-        struct rfcomm_dlc *d = kmalloc(sizeof(*d), prio);
+        struct rfcomm_dlc *d = kzalloc(sizeof(*d), prio);
+
         if (!d)
                 return NULL;
-        memset(d, 0, sizeof(*d));
 
         init_timer(&d->timer);
         d->timer.function = rfcomm_dlc_timeout;
@@ -289,6 +290,7 @@ struct rfcomm_dlc *rfcomm_dlc_alloc(gfp_t prio)
         rfcomm_dlc_clear_state(d);
         
         BT_DBG("%p", d);
+
         return d;
 }
 
@@ -522,10 +524,10 @@ int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig)
 /* ---- RFCOMM sessions ---- */
 static struct rfcomm_session *rfcomm_session_add(struct socket *sock, int state)
 {
-        struct rfcomm_session *s = kmalloc(sizeof(*s), GFP_KERNEL);
+        struct rfcomm_session *s = kzalloc(sizeof(*s), GFP_KERNEL);
+
         if (!s)
                 return NULL;
-        memset(s, 0, sizeof(*s));
 
         BT_DBG("session %p sock %p", s, sock);
 
@@ -811,7 +813,10 @@ static int rfcomm_send_pn(struct rfcomm_session *s, int cr, struct rfcomm_dlc *d
                 pn->credits   = 0;
         }
 
-        pn->mtu = htobs(d->mtu);
+        if (cr && channel_mtu >= 0)
+                pn->mtu = htobs(channel_mtu);
+        else
+                pn->mtu = htobs(d->mtu);
 
         *ptr = __fcs(buf); ptr++;
 
@@ -1242,7 +1247,10 @@ static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
 
         d->priority = pn->priority;
 
-        d->mtu = s->mtu = btohs(pn->mtu);
+        d->mtu = btohs(pn->mtu);
+
+        if (cr && d->mtu > s->mtu)
+                d->mtu = s->mtu;
 
         return 0;
 }
@@ -1769,6 +1777,11 @@ static inline void rfcomm_accept_connection(struct rfcomm_session *s)
         s = rfcomm_session_add(nsock, BT_OPEN);
         if (s) {
                 rfcomm_session_hold(s);
+
+                /* We should adjust MTU on incoming sessions.
+                 * L2CAP MTU minus UIH header and FCS. */
+                s->mtu = min(l2cap_pi(nsock->sk)->omtu, l2cap_pi(nsock->sk)->imtu) - 5;
+
                 rfcomm_schedule(RFCOMM_SCHED_RX);
         } else
                 sock_release(nsock);
@@ -2086,6 +2099,9 @@ module_exit(rfcomm_exit);
 module_param(disable_cfc, bool, 0644);
 MODULE_PARM_DESC(disable_cfc, "Disable credit based flow control");
 
+module_param(channel_mtu, int, 0644);
+MODULE_PARM_DESC(channel_mtu, "Default MTU for the RFCOMM channel");
+
 module_param(l2cap_mtu, uint, 0644);
 MODULE_PARM_DESC(l2cap_mtu, "Default MTU for the L2CAP connection");
 
diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index 2ff2d5b87c93..bd8d671a0ba6 100644
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -169,10 +169,9 @@ static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc *dlc)
 
         BT_DBG("id %d channel %d", req->dev_id, req->channel);
         
-        dev = kmalloc(sizeof(struct rfcomm_dev), GFP_KERNEL);
+        dev = kzalloc(sizeof(struct rfcomm_dev), GFP_KERNEL);
         if (!dev)
                 return -ENOMEM;
-        memset(dev, 0, sizeof(struct rfcomm_dev));
 
         write_lock_bh(&rfcomm_dev_lock);
 
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index 85defccc0287..7714a2ec3854 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -108,17 +108,14 @@ static void sco_sock_init_timer(struct sock *sk)
 static struct sco_conn *sco_conn_add(struct hci_conn *hcon, __u8 status)
 {
         struct hci_dev *hdev = hcon->hdev;
-        struct sco_conn *conn;
-
-        if ((conn = hcon->sco_data))
-                return conn;
+        struct sco_conn *conn = hcon->sco_data;
 
-        if (status)
+        if (conn || status)
                 return conn;
 
-        if (!(conn = kmalloc(sizeof(struct sco_conn), GFP_ATOMIC)))
+        conn = kzalloc(sizeof(struct sco_conn), GFP_ATOMIC);
+        if (!conn)
                 return NULL;
-        memset(conn, 0, sizeof(struct sco_conn));
 
         spin_lock_init(&conn->lock);
 
@@ -134,6 +131,7 @@ static struct sco_conn *sco_conn_add(struct hci_conn *hcon, __u8 status)
                 conn->mtu = 60;
 
         BT_DBG("hcon %p conn %p", hcon, conn);
+
         return conn;
 }
 
diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c
index 8be9f2123e54..864fbbc7b24d 100644
--- a/net/bridge/br_forward.c
+++ b/net/bridge/br_forward.c
@@ -35,16 +35,20 @@ static inline unsigned packet_length(const struct sk_buff *skb)
 int br_dev_queue_push_xmit(struct sk_buff *skb)
 {
         /* drop mtu oversized packets except gso */
-        if (packet_length(skb) > skb->dev->mtu && !skb_shinfo(skb)->gso_size)
+        if (packet_length(skb) > skb->dev->mtu && !skb_is_gso(skb))
                 kfree_skb(skb);
         else {
 #ifdef CONFIG_BRIDGE_NETFILTER
                 /* ip_refrag calls ip_fragment, doesn't copy the MAC header. */
-                nf_bridge_maybe_copy_header(skb);
+                if (nf_bridge_maybe_copy_header(skb))
+                        kfree_skb(skb);
+                else
 #endif
-                skb_push(skb, ETH_HLEN);
+                {
+                        skb_push(skb, ETH_HLEN);
 
-                dev_queue_xmit(skb);
+                        dev_queue_xmit(skb);
+                }
         }
 
         return 0;
diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
index f55ef682ef84..b1211d5342f6 100644
--- a/net/bridge/br_if.c
+++ b/net/bridge/br_if.c
@@ -386,12 +386,17 @@ void br_features_recompute(struct net_bridge *br)
                         checksum = 0;
 
                 if (feature & NETIF_F_GSO)
-                        feature |= NETIF_F_TSO;
+                        feature |= NETIF_F_GSO_SOFTWARE;
                 feature |= NETIF_F_GSO;
 
                 features &= feature;
         }
 
+        if (!(checksum & NETIF_F_ALL_CSUM))
+                features &= ~NETIF_F_SG;
+        if (!(features & NETIF_F_SG))
+                features &= ~NETIF_F_GSO_MASK;
+
         br->dev->features = features | checksum | NETIF_F_LLTX |
                             NETIF_F_GSO_ROBUST;
 }
diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c
index 159fb8409824..4e4119a12139 100644
--- a/net/bridge/br_ioctl.c
+++ b/net/bridge/br_ioctl.c
@@ -162,12 +162,10 @@ static int old_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
                 if (num > BR_MAX_PORTS)
                         num = BR_MAX_PORTS;
 
-                indices = kmalloc(num*sizeof(int), GFP_KERNEL);
+                indices = kcalloc(num, sizeof(int), GFP_KERNEL);
                 if (indices == NULL)
                         return -ENOMEM;
 
-                memset(indices, 0, num*sizeof(int));
-
                 get_port_ifindices(br, indices, num);
                 if (copy_to_user((void __user *)args[1], indices, num*sizeof(int)))
                         num =  -EFAULT;
@@ -327,11 +325,10 @@ static int old_deviceless(void __user *uarg)
 
                 if (args[2] >= 2048)
                         return -ENOMEM;
-                indices = kmalloc(args[2]*sizeof(int), GFP_KERNEL);
+                indices = kcalloc(args[2], sizeof(int), GFP_KERNEL);
                 if (indices == NULL)
                         return -ENOMEM;
 
-                memset(indices, 0, args[2]*sizeof(int));
                 args[2] = get_bridge_ifindices(indices, args[2]);
 
                 ret = copy_to_user((void __user *)args[1], indices, args[2]*sizeof(int))
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 8298a5179aef..05b3de888243 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -61,6 +61,9 @@ static int brnf_filter_vlan_tagged = 1;
 #define brnf_filter_vlan_tagged 1
 #endif
 
+int brnf_deferred_hooks;
+EXPORT_SYMBOL_GPL(brnf_deferred_hooks);
+
 static __be16 inline vlan_proto(const struct sk_buff *skb)
 {
         return vlan_eth_hdr(skb)->h_vlan_encapsulated_proto;
@@ -761,7 +764,7 @@ static int br_nf_dev_queue_xmit(struct sk_buff *skb)
 {
         if (skb->protocol == htons(ETH_P_IP) &&
             skb->len > skb->dev->mtu &&
-            !skb_shinfo(skb)->gso_size)
+            !skb_is_gso(skb))
                 return ip_fragment(skb, br_dev_queue_push_xmit);
         else
                 return br_dev_queue_push_xmit(skb);
@@ -890,6 +893,8 @@ static unsigned int ip_sabotage_out(unsigned int hook, struct sk_buff **pskb,
                                 return NF_ACCEPT;
                         else if (ip->version == 6 && !brnf_call_ip6tables)
                                 return NF_ACCEPT;
+                        else if (!brnf_deferred_hooks)
+                                return NF_ACCEPT;
 #endif
                         if (hook == NF_IP_POST_ROUTING)
                                 return NF_ACCEPT;
diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
index 06abb6634f5b..53086fb75089 100644
--- a/net/bridge/br_netlink.c
+++ b/net/bridge/br_netlink.c
@@ -85,7 +85,7 @@ void br_ifinfo_notify(int event, struct net_bridge_port *port)
                 goto err_out;
 
         err = br_fill_ifinfo(skb, port, current->pid, 0, event, 0);
-        if (err)
+        if (err < 0)
                 goto err_kfree;
 
         NETLINK_CB(skb).dst_group = RTNLGRP_LINK;
diff --git a/net/bridge/br_stp_bpdu.c b/net/bridge/br_stp_bpdu.c
index a7ba0cce0b46..068d8afbf0a7 100644
--- a/net/bridge/br_stp_bpdu.c
+++ b/net/bridge/br_stp_bpdu.c
@@ -121,7 +121,7 @@ void br_send_tcn_bpdu(struct net_bridge_port *p)
         buf[1] = 0;
         buf[2] = 0;
         buf[3] = BPDU_TYPE_TCN;
-        br_send_bpdu(p, buf, 7);
+        br_send_bpdu(p, buf, 4);
 }
 
 /*
diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c
index 02693a230dc1..9f950db3b76f 100644
--- a/net/bridge/netfilter/ebt_ulog.c
+++ b/net/bridge/netfilter/ebt_ulog.c
@@ -74,6 +74,9 @@ static void ulog_send(unsigned int nlgroup)
         if (timer_pending(&ub->timer))
                 del_timer(&ub->timer);
 
+        if (!ub->skb)
+                return;
+
         /* last nlmsg needs NLMSG_DONE */
         if (ub->qlen > 1)
                 ub->lastnlh->nlmsg_type = NLMSG_DONE;
diff --git a/net/core/Makefile b/net/core/Makefile
index e9bd2467d5a9..2645ba428d48 100644
--- a/net/core/Makefile
+++ b/net/core/Makefile
@@ -7,7 +7,7 @@ obj-y := sock.o request_sock.o skbuff.o iovec.o datagram.o stream.o scm.o \
 
 obj-$(CONFIG_SYSCTL) += sysctl_net_core.o
 
-obj-y                += dev.o ethtool.o dev_mcast.o dst.o \
+obj-y                += dev.o ethtool.o dev_mcast.o dst.o netevent.o \
                         neighbour.o rtnetlink.o utils.o link_watch.o filter.o
 
 obj-$(CONFIG_XFRM) += flow.o
diff --git a/net/core/dev.c b/net/core/dev.c
index 066a60a75280..d4a1ec3bded5 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -116,6 +116,7 @@
 #include <linux/audit.h>
 #include <linux/dmaengine.h>
 #include <linux/err.h>
+#include <linux/ctype.h>
 
 /*
  *      The list of packet types we will receive (as opposed to discard)
@@ -632,14 +633,22 @@ struct net_device * dev_get_by_flags(unsigned short if_flags, unsigned short mas
  *      @name: name string
  *
  *      Network device names need to be valid file names to
- *      to allow sysfs to work
+ *      to allow sysfs to work.  We also disallow any kind of
+ *      whitespace.
  */
 int dev_valid_name(const char *name)
 {
-        return !(*name == '\0' 
-                 || !strcmp(name, ".")
-                 || !strcmp(name, "..")
-                 || strchr(name, '/'));
+        if (*name == '\0')
+                return 0;
+        if (!strcmp(name, ".") || !strcmp(name, ".."))
+                return 0;
+
+        while (*name) {
+                if (*name == '/' || isspace(*name))
+                        return 0;
+                name++;
+        }
+        return 1;
 }
 
 /**
@@ -1162,9 +1171,12 @@ int skb_checksum_help(struct sk_buff *skb, int inward)
         unsigned int csum;
         int ret = 0, offset = skb->h.raw - skb->data;
 
-        if (inward) {
-                skb->ip_summed = CHECKSUM_NONE;
-                goto out;
+        if (inward)
+                goto out_set_summed;
+
+        if (unlikely(skb_shinfo(skb)->gso_size)) {
+                /* Let GSO fix up the checksum. */
+                goto out_set_summed;
         }
 
         if (skb_cloned(skb)) {
@@ -1181,6 +1193,8 @@ int skb_checksum_help(struct sk_buff *skb, int inward)
         BUG_ON(skb->csum + 2 > offset);
 
         *(u16*)(skb->h.raw + skb->csum) = csum_fold(csum);
+
+out_set_summed:
         skb->ip_summed = CHECKSUM_NONE;
 out:    
         return ret;
@@ -1201,17 +1215,30 @@ struct sk_buff *skb_gso_segment(struct sk_buff *skb, int features)
         struct sk_buff *segs = ERR_PTR(-EPROTONOSUPPORT);
         struct packet_type *ptype;
         int type = skb->protocol;
+        int err;
 
         BUG_ON(skb_shinfo(skb)->frag_list);
-        BUG_ON(skb->ip_summed != CHECKSUM_HW);
 
         skb->mac.raw = skb->data;
         skb->mac_len = skb->nh.raw - skb->data;
         __skb_pull(skb, skb->mac_len);
 
+        if (unlikely(skb->ip_summed != CHECKSUM_HW)) {
+                if (skb_header_cloned(skb) &&
+                    (err = pskb_expand_head(skb, 0, 0, GFP_ATOMIC)))
+                        return ERR_PTR(err);
+        }
+
         rcu_read_lock();
         list_for_each_entry_rcu(ptype, &ptype_base[ntohs(type) & 15], list) {
                 if (ptype->type == type && !ptype->dev && ptype->gso_segment) {
+                        if (unlikely(skb->ip_summed != CHECKSUM_HW)) {
+                                err = ptype->gso_send_check(skb);
+                                segs = ERR_PTR(err);
+                                if (err || skb_gso_ok(skb, features))
+                                        break;
+                                __skb_push(skb, skb->data - skb->nh.raw);
+                        }
                         segs = ptype->gso_segment(skb, features);
                         break;
                 }
@@ -1601,26 +1628,10 @@ static inline struct net_device *skb_bond(struct sk_buff *skb)
         struct net_device *dev = skb->dev;
 
         if (dev->master) {
-                /*
-                 * On bonding slaves other than the currently active
-                 * slave, suppress duplicates except for 802.3ad
-                 * ETH_P_SLOW and alb non-mcast/bcast.
-                 */
-                if (dev->priv_flags & IFF_SLAVE_INACTIVE) {
-                        if (dev->master->priv_flags & IFF_MASTER_ALB) {
-                                if (skb->pkt_type != PACKET_BROADCAST &&
-                                    skb->pkt_type != PACKET_MULTICAST)
-                                        goto keep;
-                        }
-
-                        if (dev->master->priv_flags & IFF_MASTER_8023AD &&
-                            skb->protocol == __constant_htons(ETH_P_SLOW))
-                                goto keep;
-                
+                if (skb_bond_should_drop(skb)) {
                         kfree_skb(skb);
                         return NULL;
                 }
-keep:
                 skb->dev = dev->master;
         }
 
@@ -1727,7 +1738,7 @@ static int ing_filter(struct sk_buff *skb)
         if (dev->qdisc_ingress) {
                 __u32 ttl = (__u32) G_TC_RTTL(skb->tc_verd);
                 if (MAX_RED_LOOP < ttl++) {
-                        printk("Redir loop detected Dropping packet (%s->%s)\n",
+                        printk(KERN_WARNING "Redir loop detected Dropping packet (%s->%s)\n",
                                 skb->input_dev->name, skb->dev->name);
                         return TC_ACT_SHOT;
                 }
@@ -2922,7 +2933,7 @@ int register_netdevice(struct net_device *dev)
         /* Fix illegal SG+CSUM combinations. */
         if ((dev->features & NETIF_F_SG) &&
             !(dev->features & NETIF_F_ALL_CSUM)) {
-                printk("%s: Dropping NETIF_F_SG since no checksum feature.\n",
+                printk(KERN_NOTICE "%s: Dropping NETIF_F_SG since no checksum feature.\n",
                        dev->name);
                 dev->features &= ~NETIF_F_SG;
         }
@@ -2930,7 +2941,7 @@ int register_netdevice(struct net_device *dev)
         /* TSO requires that SG is present as well. */
         if ((dev->features & NETIF_F_TSO) &&
             !(dev->features & NETIF_F_SG)) {
-                printk("%s: Dropping NETIF_F_TSO since no SG feature.\n",
+                printk(KERN_NOTICE "%s: Dropping NETIF_F_TSO since no SG feature.\n",
                        dev->name);
                 dev->features &= ~NETIF_F_TSO;
         }
@@ -3401,12 +3412,9 @@ static void net_dma_rebalance(void)
         unsigned int cpu, i, n;
         struct dma_chan *chan;
 
-        lock_cpu_hotplug();
-
         if (net_dma_count == 0) {
                 for_each_online_cpu(cpu)
-                        rcu_assign_pointer(per_cpu(softnet_data.net_dma, cpu), NULL);
-                unlock_cpu_hotplug();
+                        rcu_assign_pointer(per_cpu(softnet_data, cpu).net_dma, NULL);
                 return;
         }
 
@@ -3419,15 +3427,13 @@ static void net_dma_rebalance(void)
                    + (i < (num_online_cpus() % net_dma_count) ? 1 : 0));
 
                 while(n) {
-                        per_cpu(softnet_data.net_dma, cpu) = chan;
+                        per_cpu(softnet_data, cpu).net_dma = chan;
                         cpu = next_cpu(cpu, cpu_online_map);
                         n--;
                 }
                 i++;
         }
         rcu_read_unlock();
-
-        unlock_cpu_hotplug();
 }
 
 /**
diff --git a/net/core/dst.c b/net/core/dst.c
index 470c05bc4cb2..1a5e49da0e77 100644
--- a/net/core/dst.c
+++ b/net/core/dst.c
@@ -95,12 +95,11 @@ static void dst_run_gc(unsigned long dummy)
                 dst_gc_timer_inc = DST_GC_INC;
                 dst_gc_timer_expires = DST_GC_MIN;
         }
-        dst_gc_timer.expires = jiffies + dst_gc_timer_expires;
 #if RT_CACHE_DEBUG >= 2
         printk("dst_total: %d/%d %ld\n",
                atomic_read(&dst_total), delayed,  dst_gc_timer_expires);
 #endif
-        add_timer(&dst_gc_timer);
+        mod_timer(&dst_gc_timer, jiffies + dst_gc_timer_expires);
 
 out:
         spin_unlock(&dst_lock);
diff --git a/net/core/ethtool.c b/net/core/ethtool.c
index 27ce1683caf5..2797e2815418 100644
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -437,7 +437,7 @@ static int ethtool_set_pauseparam(struct net_device *dev, void __user *useraddr)
 {
         struct ethtool_pauseparam pauseparam;
 
-        if (!dev->ethtool_ops->get_pauseparam)
+        if (!dev->ethtool_ops->set_pauseparam)
                 return -EOPNOTSUPP;
 
         if (copy_from_user(&pauseparam, useraddr, sizeof(pauseparam)))
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index 7ad681f5e712..fe2113f54e2b 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -29,6 +29,7 @@
 #include <net/neighbour.h>
 #include <net/dst.h>
 #include <net/sock.h>
+#include <net/netevent.h>
 #include <linux/rtnetlink.h>
 #include <linux/random.h>
 #include <linux/string.h>
@@ -754,6 +755,7 @@ static void neigh_timer_handler(unsigned long arg)
                         neigh->nud_state = NUD_STALE;
                         neigh->updated = jiffies;
                         neigh_suspect(neigh);
+                        notify = 1;
                 }
         } else if (state & NUD_DELAY) {
                 if (time_before_eq(now, 
@@ -762,6 +764,7 @@ static void neigh_timer_handler(unsigned long arg)
                         neigh->nud_state = NUD_REACHABLE;
                         neigh->updated = jiffies;
                         neigh_connect(neigh);
+                        notify = 1;
                         next = neigh->confirmed + neigh->parms->reachable_time;
                 } else {
                         NEIGH_PRINTK2("neigh %p is probed.\n", neigh);
@@ -819,6 +822,8 @@ static void neigh_timer_handler(unsigned long arg)
 out:
                 write_unlock(&neigh->lock);
         }
+        if (notify)
+                call_netevent_notifiers(NETEVENT_NEIGH_UPDATE, neigh);
 
 #ifdef CONFIG_ARPD
         if (notify && neigh->parms->app_probes)
@@ -926,9 +931,7 @@ int neigh_update(struct neighbour *neigh, const u8 *lladdr, u8 new,
 {
         u8 old;
         int err;
-#ifdef CONFIG_ARPD
         int notify = 0;
-#endif
         struct net_device *dev;
         int update_isrouter = 0;
 
@@ -948,9 +951,7 @@ int neigh_update(struct neighbour *neigh, const u8 *lladdr, u8 new,
                         neigh_suspect(neigh);
                 neigh->nud_state = new;
                 err = 0;
-#ifdef CONFIG_ARPD
                 notify = old & NUD_VALID;
-#endif
                 goto out;
         }
 
@@ -1022,9 +1023,7 @@ int neigh_update(struct neighbour *neigh, const u8 *lladdr, u8 new,
                 if (!(new & NUD_CONNECTED))
                         neigh->confirmed = jiffies -
                                       (neigh->parms->base_reachable_time << 1);
-#ifdef CONFIG_ARPD
                 notify = 1;
-#endif
         }
         if (new == old)
                 goto out;
@@ -1056,6 +1055,9 @@ out:
                         (neigh->flags & ~NTF_ROUTER);
         }
         write_unlock_bh(&neigh->lock);
+
+        if (notify)
+                call_netevent_notifiers(NETEVENT_NEIGH_UPDATE, neigh);
 #ifdef CONFIG_ARPD
         if (notify && neigh->parms->app_probes)
                 neigh_app_notify(neigh);
@@ -1430,6 +1432,9 @@ int neigh_table_clear(struct neigh_table *tbl)
         kfree(tbl->phash_buckets);
         tbl->phash_buckets = NULL;
 
+        free_percpu(tbl->stats);
+        tbl->stats = NULL;
+
         return 0;
 }
 
diff --git a/net/core/netevent.c b/net/core/netevent.c
new file mode 100644
index 000000000000..35d02c38554e
--- /dev/null
+++ b/net/core/netevent.c
@@ -0,0 +1,69 @@
+/*
+ *      Network event notifiers
+ *
+ *      Authors:
+ *      Tom Tucker             <tom@opengridcomputing.com>
+ *      Steve Wise             <swise@opengridcomputing.com>
+ *
+ *      This program is free software; you can redistribute it and/or
+ *      modify it under the terms of the GNU General Public License
+ *      as published by the Free Software Foundation; either version
+ *      2 of the License, or (at your option) any later version.
+ *
+ *      Fixes:
+ */
+
+#include <linux/rtnetlink.h>
+#include <linux/notifier.h>
+
+static ATOMIC_NOTIFIER_HEAD(netevent_notif_chain);
+
+/**
+ *      register_netevent_notifier - register a netevent notifier block
+ *      @nb: notifier
+ *
+ *      Register a notifier to be called when a netevent occurs.
+ *      The notifier passed is linked into the kernel structures and must
+ *      not be reused until it has been unregistered. A negative errno code
+ *      is returned on a failure.
+ */
+int register_netevent_notifier(struct notifier_block *nb)
+{
+        int err;
+
+        err = atomic_notifier_chain_register(&netevent_notif_chain, nb);
+        return err;
+}
+
+/**
+ *      netevent_unregister_notifier - unregister a netevent notifier block
+ *      @nb: notifier
+ *
+ *      Unregister a notifier previously registered by
+ *      register_neigh_notifier(). The notifier is unlinked into the
+ *      kernel structures and may then be reused. A negative errno code
+ *      is returned on a failure.
+ */
+
+int unregister_netevent_notifier(struct notifier_block *nb)
+{
+        return atomic_notifier_chain_unregister(&netevent_notif_chain, nb);
+}
+
+/**
+ *      call_netevent_notifiers - call all netevent notifier blocks
+ *      @val: value passed unmodified to notifier function
+ *      @v:   pointer passed unmodified to notifier function
+ *
+ *      Call all neighbour notifier blocks.  Parameters and return value
+ *      are as for notifier_call_chain().
+ */
+
+int call_netevent_notifiers(unsigned long val, void *v)
+{
+        return atomic_notifier_call_chain(&netevent_notif_chain, val, v);
+}
+
+EXPORT_SYMBOL_GPL(register_netevent_notifier);
+EXPORT_SYMBOL_GPL(unregister_netevent_notifier);
+EXPORT_SYMBOL_GPL(call_netevent_notifiers);
diff --git a/net/core/pktgen.c b/net/core/pktgen.c
index 67ed14ddabd2..6a7320b39ed0 100644
--- a/net/core/pktgen.c
+++ b/net/core/pktgen.c
@@ -2149,6 +2149,8 @@ static struct sk_buff *fill_packet_ipv4(struct net_device *odev,
         skb->mac.raw = ((u8 *) iph) - 14 - pkt_dev->nr_labels*sizeof(u32);
         skb->dev = odev;
         skb->pkt_type = PACKET_HOST;
+        skb->nh.iph = iph;
+        skb->h.uh = udph;
 
         if (pkt_dev->nfrags <= 0)
                 pgh = (struct pktgen_hdr *)skb_put(skb, datalen);
@@ -2460,6 +2462,8 @@ static struct sk_buff *fill_packet_ipv6(struct net_device *odev,
         skb->protocol = protocol;
         skb->dev = odev;
         skb->pkt_type = PACKET_HOST;
+        skb->nh.ipv6h = iph;
+        skb->h.uh = udph;
 
         if (pkt_dev->nfrags <= 0)
                 pgh = (struct pktgen_hdr *)skb_put(skb, datalen);
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 20e5bb73f147..30cc1ba6ed5c 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -394,6 +394,9 @@ static int do_setlink(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg)
         }
 
         if (ida[IFLA_ADDRESS - 1]) {
+                struct sockaddr *sa;
+                int len;
+
                 if (!dev->set_mac_address) {
                         err = -EOPNOTSUPP;
                         goto out;
@@ -405,7 +408,17 @@ static int do_setlink(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg)
                 if (ida[IFLA_ADDRESS - 1]->rta_len != RTA_LENGTH(dev->addr_len))
                         goto out;
 
-                err = dev->set_mac_address(dev, RTA_DATA(ida[IFLA_ADDRESS - 1]));
+                len = sizeof(sa_family_t) + dev->addr_len;
+                sa = kmalloc(len, GFP_KERNEL);
+                if (!sa) {
+                        err = -ENOMEM;
+                        goto out;
+                }
+                sa->sa_family = dev->type;
+                memcpy(sa->sa_data, RTA_DATA(ida[IFLA_ADDRESS - 1]),
+                       dev->addr_len);
+                err = dev->set_mac_address(dev, sa);
+                kfree(sa);
                 if (err)
                         goto out;
                 send_addr_notify = 1;
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 44f6a181a754..c54f3664bce5 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -71,13 +71,6 @@ static kmem_cache_t *skbuff_head_cache __read_mostly;
 static kmem_cache_t *skbuff_fclone_cache __read_mostly;
 
 /*
- * lockdep: lock class key used by skb_queue_head_init():
- */
-struct lock_class_key skb_queue_lock_key;
-
-EXPORT_SYMBOL(skb_queue_lock_key);
-
-/*
  *      Keep out-of-line to prevent kernel bloat.
  *      __builtin_return_address is not used because it is not always
  *      reliable.
@@ -256,12 +249,37 @@ nodata:
         goto out;
 }
 
+/**
+ *      __netdev_alloc_skb - allocate an skbuff for rx on a specific device
+ *      @dev: network device to receive on
+ *      @length: length to allocate
+ *      @gfp_mask: get_free_pages mask, passed to alloc_skb
+ *
+ *      Allocate a new &sk_buff and assign it a usage count of one. The
+ *      buffer has unspecified headroom built in. Users should allocate
+ *      the headroom they think they need without accounting for the
+ *      built in space. The built in space is used for optimisations.
+ *
+ *      %NULL is returned if there is no free memory.
+ */
+struct sk_buff *__netdev_alloc_skb(struct net_device *dev,
+                unsigned int length, gfp_t gfp_mask)
+{
+        struct sk_buff *skb;
 
-static void skb_drop_fraglist(struct sk_buff *skb)
+        skb = alloc_skb(length + NET_SKB_PAD, gfp_mask);
+        if (likely(skb)) {
+                skb_reserve(skb, NET_SKB_PAD);
+                skb->dev = dev;
+        }
+        return skb;
+}
+
+static void skb_drop_list(struct sk_buff **listp)
 {
-        struct sk_buff *list = skb_shinfo(skb)->frag_list;
+        struct sk_buff *list = *listp;
 
-        skb_shinfo(skb)->frag_list = NULL;
+        *listp = NULL;
 
         do {
                 struct sk_buff *this = list;
@@ -270,6 +288,11 @@ static void skb_drop_fraglist(struct sk_buff *skb)
         } while (list);
 }
 
+static inline void skb_drop_fraglist(struct sk_buff *skb)
+{
+        skb_drop_list(&skb_shinfo(skb)->frag_list);
+}
+
 static void skb_clone_fraglist(struct sk_buff *skb)
 {
         struct sk_buff *list;
@@ -830,41 +853,81 @@ free_skb:
 
 int ___pskb_trim(struct sk_buff *skb, unsigned int len)
 {
+        struct sk_buff **fragp;
+        struct sk_buff *frag;
         int offset = skb_headlen(skb);
         int nfrags = skb_shinfo(skb)->nr_frags;
         int i;
+        int err;
 
-        for (i = 0; i < nfrags; i++) {
+        if (skb_cloned(skb) &&
+            unlikely((err = pskb_expand_head(skb, 0, 0, GFP_ATOMIC))))
+                return err;
+
+        i = 0;
+        if (offset >= len)
+                goto drop_pages;
+
+        for (; i < nfrags; i++) {
                 int end = offset + skb_shinfo(skb)->frags[i].size;
-                if (end > len) {
-                        if (skb_cloned(skb)) {
-                                if (pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
-                                        return -ENOMEM;
-                        }
-                        if (len <= offset) {
-                                put_page(skb_shinfo(skb)->frags[i].page);
-                                skb_shinfo(skb)->nr_frags--;
-                        } else {
-                                skb_shinfo(skb)->frags[i].size = len - offset;
-                        }
+
+                if (end < len) {
+                        offset = end;
+                        continue;
                 }
-                offset = end;
+
+                skb_shinfo(skb)->frags[i++].size = len - offset;
+
+drop_pages:
+                skb_shinfo(skb)->nr_frags = i;
+
+                for (; i < nfrags; i++)
+                        put_page(skb_shinfo(skb)->frags[i].page);
+
+                if (skb_shinfo(skb)->frag_list)
+                        skb_drop_fraglist(skb);
+                goto done;
         }
 
-        if (offset < len) {
+        for (fragp = &skb_shinfo(skb)->frag_list; (frag = *fragp);
+             fragp = &frag->next) {
+                int end = offset + frag->len;
+
+                if (skb_shared(frag)) {
+                        struct sk_buff *nfrag;
+
+                        nfrag = skb_clone(frag, GFP_ATOMIC);
+                        if (unlikely(!nfrag))
+                                return -ENOMEM;
+
+                        nfrag->next = frag->next;
+                        kfree_skb(frag);
+                        frag = nfrag;
+                        *fragp = frag;
+                }
+
+                if (end < len) {
+                        offset = end;
+                        continue;
+                }
+
+                if (end > len &&
+                    unlikely((err = pskb_trim(frag, len - offset))))
+                        return err;
+
+                if (frag->next)
+                        skb_drop_list(&frag->next);
+                break;
+        }
+
+done:
+        if (len > skb_headlen(skb)) {
                 skb->data_len -= skb->len - len;
                 skb->len       = len;
         } else {
-                if (len <= skb_headlen(skb)) {
-                        skb->len      = len;
-                        skb->data_len = 0;
-                        skb->tail     = skb->data + len;
-                        if (skb_shinfo(skb)->frag_list && !skb_cloned(skb))
-                                skb_drop_fraglist(skb);
-                } else {
-                        skb->data_len -= skb->len - len;
-                        skb->len       = len;
-                }
+                skb->len       = len;
+                skb->data_len  = 0;
+                skb->tail      = skb->data + len;
         }
 
         return 0;
@@ -2003,6 +2066,7 @@ EXPORT_SYMBOL(__kfree_skb);
 EXPORT_SYMBOL(kfree_skb);
 EXPORT_SYMBOL(__pskb_pull_tail);
 EXPORT_SYMBOL(__alloc_skb);
+EXPORT_SYMBOL(__netdev_alloc_skb);
 EXPORT_SYMBOL(pskb_copy);
 EXPORT_SYMBOL(pskb_expand_head);
 EXPORT_SYMBOL(skb_checksum);
diff --git a/net/core/stream.c b/net/core/stream.c
index e9489696f694..d1d7decf70b0 100644
--- a/net/core/stream.c
+++ b/net/core/stream.c
@@ -196,15 +196,13 @@ EXPORT_SYMBOL(sk_stream_error);
 
 void __sk_stream_mem_reclaim(struct sock *sk)
 {
-        if (sk->sk_forward_alloc >= SK_STREAM_MEM_QUANTUM) {
-                atomic_sub(sk->sk_forward_alloc / SK_STREAM_MEM_QUANTUM,
-                           sk->sk_prot->memory_allocated);
-                sk->sk_forward_alloc &= SK_STREAM_MEM_QUANTUM - 1;
-                if (*sk->sk_prot->memory_pressure &&
-                    (atomic_read(sk->sk_prot->memory_allocated) <
-                     sk->sk_prot->sysctl_mem[0]))
-                        *sk->sk_prot->memory_pressure = 0;
-        }
+        atomic_sub(sk->sk_forward_alloc / SK_STREAM_MEM_QUANTUM,
+                   sk->sk_prot->memory_allocated);
+        sk->sk_forward_alloc &= SK_STREAM_MEM_QUANTUM - 1;
+        if (*sk->sk_prot->memory_pressure &&
+            (atomic_read(sk->sk_prot->memory_allocated) <
+             sk->sk_prot->sysctl_mem[0]))
+                *sk->sk_prot->memory_pressure = 0;
 }
 
 EXPORT_SYMBOL(__sk_stream_mem_reclaim);
diff --git a/net/core/user_dma.c b/net/core/user_dma.c
index b7c98dbcdb81..248a6b666aff 100644
--- a/net/core/user_dma.c
+++ b/net/core/user_dma.c
@@ -29,6 +29,7 @@
 #include <linux/socket.h>
 #include <linux/rtnetlink.h> /* for BUG_TRAP */
 #include <net/tcp.h>
+#include <net/netdma.h>
 
 #define NET_DMA_DEFAULT_COPYBREAK 4096
 
diff --git a/net/core/utils.c b/net/core/utils.c
index 4f96f389243d..e31c90e05594 100644
--- a/net/core/utils.c
+++ b/net/core/utils.c
@@ -130,12 +130,13 @@ void __init net_random_init(void)
 static int net_random_reseed(void)
 {
         int i;
-        unsigned long seed[NR_CPUS];
+        unsigned long seed;
 
-        get_random_bytes(seed, sizeof(seed));
         for_each_possible_cpu(i) {
                 struct nrnd_state *state = &per_cpu(net_rand_state,i);
-                __net_srandom(state, seed[i]);
+
+                get_random_bytes(&seed, sizeof(seed));
+                __net_srandom(state, seed);
         }
         return 0;
 }
diff --git a/net/core/wireless.c b/net/core/wireless.c
index d2bc72d318f7..de0bde4b51dd 100644
--- a/net/core/wireless.c
+++ b/net/core/wireless.c
@@ -82,6 +82,7 @@
 #include <linux/init.h>                 /* for __init */
 #include <linux/if_arp.h>               /* ARPHRD_ETHER */
 #include <linux/etherdevice.h>          /* compare_ether_addr */
+#include <linux/interrupt.h>
 
 #include <linux/wireless.h>             /* Pretty obvious */
 #include <net/iw_handler.h>             /* New driver API */
@@ -1842,6 +1843,18 @@ int wireless_rtnetlink_set(struct net_device *	dev,
  */
 
 #ifdef WE_EVENT_RTNETLINK
+static struct sk_buff_head wireless_nlevent_queue;
+
+static void wireless_nlevent_process(unsigned long data)
+{
+        struct sk_buff *skb;
+
+        while ((skb = skb_dequeue(&wireless_nlevent_queue)))
+                netlink_broadcast(rtnl, skb, 0, RTNLGRP_LINK, GFP_ATOMIC);
+}
+
+static DECLARE_TASKLET(wireless_nlevent_tasklet, wireless_nlevent_process, 0);
+
 /* ---------------------------------------------------------------- */
 /*
  * Fill a rtnetlink message with our event data.
@@ -1904,8 +1917,17 @@ static inline void rtmsg_iwinfo(struct net_device *	dev,
                 return;
         }
         NETLINK_CB(skb).dst_group = RTNLGRP_LINK;
-        netlink_broadcast(rtnl, skb, 0, RTNLGRP_LINK, GFP_ATOMIC);
+        skb_queue_tail(&wireless_nlevent_queue, skb);
+        tasklet_schedule(&wireless_nlevent_tasklet);
+}
+
+static int __init wireless_nlevent_init(void)
+{
+        skb_queue_head_init(&wireless_nlevent_queue);
+        return 0;
 }
+
+subsys_initcall(wireless_nlevent_init);
 #endif  /* WE_EVENT_RTNETLINK */
 
 /* ---------------------------------------------------------------- */
diff --git a/net/dccp/ccids/ccid3.c b/net/dccp/ccids/ccid3.c
index c39bff706cfc..090bc39e8199 100644
--- a/net/dccp/ccids/ccid3.c
+++ b/net/dccp/ccids/ccid3.c
@@ -2,7 +2,7 @@
  *  net/dccp/ccids/ccid3.c
  *
  *  Copyright (c) 2005 The University of Waikato, Hamilton, New Zealand.
- *  Copyright (c) 2005-6 Ian McDonald <imcdnzl@gmail.com>
+ *  Copyright (c) 2005-6 Ian McDonald <ian.mcdonald@jandi.co.nz>
  *
  *  An implementation of the DCCP protocol
  *
@@ -342,6 +342,8 @@ static int ccid3_hc_tx_send_packet(struct sock *sk,
                 new_packet->dccphtx_ccval =
                         DCCP_SKB_CB(skb)->dccpd_ccval =
                                 hctx->ccid3hctx_last_win_count;
+                timeval_add_usecs(&hctx->ccid3hctx_t_nom,
+                                  hctx->ccid3hctx_t_ipi);
         }
 out:
         return rc;
@@ -413,7 +415,8 @@ static void ccid3_hc_tx_packet_sent(struct sock *sk, int more, int len)
         case TFRC_SSTATE_NO_FBACK:
         case TFRC_SSTATE_FBACK:
                 if (len > 0) {
-                        hctx->ccid3hctx_t_nom = now;
+                        timeval_sub_usecs(&hctx->ccid3hctx_t_nom,
+                                  hctx->ccid3hctx_t_ipi);
                         ccid3_calc_new_t_ipi(hctx);
                         ccid3_calc_new_delta(hctx);
                         timeval_add_usecs(&hctx->ccid3hctx_t_nom,
@@ -757,8 +760,7 @@ static void ccid3_hc_rx_send_feedback(struct sock *sk)
         }
 
         hcrx->ccid3hcrx_tstamp_last_feedback = now;
-        hcrx->ccid3hcrx_last_counter         = packet->dccphrx_ccval;
-        hcrx->ccid3hcrx_seqno_last_counter   = packet->dccphrx_seqno;
+        hcrx->ccid3hcrx_ccval_last_counter   = packet->dccphrx_ccval;
         hcrx->ccid3hcrx_bytes_recv           = 0;
 
         /* Convert to multiples of 10us */
@@ -782,7 +784,7 @@ static int ccid3_hc_rx_insert_options(struct sock *sk, struct sk_buff *skb)
         if (!(sk->sk_state == DCCP_OPEN || sk->sk_state == DCCP_PARTOPEN))
                 return 0;
 
-        DCCP_SKB_CB(skb)->dccpd_ccval = hcrx->ccid3hcrx_last_counter;
+        DCCP_SKB_CB(skb)->dccpd_ccval = hcrx->ccid3hcrx_ccval_last_counter;
 
         if (dccp_packet_without_ack(skb))
                 return 0;
@@ -854,6 +856,11 @@ static u32 ccid3_hc_rx_calc_first_li(struct sock *sk)
                 interval = 1;
         }
 found:
+        if (!tail) {
+                LIMIT_NETDEBUG(KERN_WARNING "%s: tail is null\n",
+                   __FUNCTION__);
+                return ~0;
+        }
         rtt = timeval_delta(&tstamp, &tail->dccphrx_tstamp) * 4 / interval;
         ccid3_pr_debug("%s, sk=%p, approximated RTT to %uus\n",
                        dccp_role(sk), sk, rtt);
@@ -864,9 +871,20 @@ found:
         delta = timeval_delta(&tstamp, &hcrx->ccid3hcrx_tstamp_last_feedback);
         x_recv = usecs_div(hcrx->ccid3hcrx_bytes_recv, delta);
 
+        if (x_recv == 0)
+                x_recv = hcrx->ccid3hcrx_x_recv;
+
         tmp1 = (u64)x_recv * (u64)rtt;
         do_div(tmp1,10000000);
         tmp2 = (u32)tmp1;
+
+        if (!tmp2) {
+                LIMIT_NETDEBUG(KERN_WARNING "tmp2 = 0 "
+                   "%s: x_recv = %u, rtt =%u\n",
+                   __FUNCTION__, x_recv, rtt);
+                return ~0;
+        }
+
         fval = (hcrx->ccid3hcrx_s * 100000) / tmp2;
         /* do not alter order above or you will get overflow on 32 bit */
         p = tfrc_calc_x_reverse_lookup(fval);
@@ -882,31 +900,101 @@ found:
 static void ccid3_hc_rx_update_li(struct sock *sk, u64 seq_loss, u8 win_loss)
 {
         struct ccid3_hc_rx_sock *hcrx = ccid3_hc_rx_sk(sk);
+        struct dccp_li_hist_entry *next, *head;
+        u64 seq_temp;
 
-        if (seq_loss != DCCP_MAX_SEQNO + 1 &&
-            list_empty(&hcrx->ccid3hcrx_li_hist)) {
-                struct dccp_li_hist_entry *li_tail;
+        if (list_empty(&hcrx->ccid3hcrx_li_hist)) {
+                if (!dccp_li_hist_interval_new(ccid3_li_hist,
+                   &hcrx->ccid3hcrx_li_hist, seq_loss, win_loss))
+                        return;
 
-                li_tail = dccp_li_hist_interval_new(ccid3_li_hist,
-                                                    &hcrx->ccid3hcrx_li_hist,
-                                                    seq_loss, win_loss);
-                if (li_tail == NULL)
+                next = (struct dccp_li_hist_entry *)
+                   hcrx->ccid3hcrx_li_hist.next;
+                next->dccplih_interval = ccid3_hc_rx_calc_first_li(sk);
+        } else {
+                struct dccp_li_hist_entry *entry;
+                struct list_head *tail;
+
+                head = (struct dccp_li_hist_entry *)
+                   hcrx->ccid3hcrx_li_hist.next;
+                /* FIXME win count check removed as was wrong */
+                /* should make this check with receive history */
+                /* and compare there as per section 10.2 of RFC4342 */
+
+                /* new loss event detected */
+                /* calculate last interval length */
+                seq_temp = dccp_delta_seqno(head->dccplih_seqno, seq_loss);
+                entry = dccp_li_hist_entry_new(ccid3_li_hist, SLAB_ATOMIC);
+
+                if (entry == NULL) {
+                        printk(KERN_CRIT "%s: out of memory\n",__FUNCTION__);
+                        dump_stack();
                         return;
-                li_tail->dccplih_interval = ccid3_hc_rx_calc_first_li(sk);
-        } else
-                    LIMIT_NETDEBUG(KERN_WARNING "%s: FIXME: find end of "
-                                   "interval\n", __FUNCTION__);
+                }
+
+                list_add(&entry->dccplih_node, &hcrx->ccid3hcrx_li_hist);
+
+                tail = hcrx->ccid3hcrx_li_hist.prev;
+                list_del(tail);
+                kmem_cache_free(ccid3_li_hist->dccplih_slab, tail);
+
+                /* Create the newest interval */
+                entry->dccplih_seqno = seq_loss;
+                entry->dccplih_interval = seq_temp;
+                entry->dccplih_win_count = win_loss;
+        }
 }
 
-static void ccid3_hc_rx_detect_loss(struct sock *sk)
+static int ccid3_hc_rx_detect_loss(struct sock *sk,
+                                    struct dccp_rx_hist_entry *packet)
 {
         struct ccid3_hc_rx_sock *hcrx = ccid3_hc_rx_sk(sk);
-        u8 win_loss;
-        const u64 seq_loss = dccp_rx_hist_detect_loss(&hcrx->ccid3hcrx_hist,
-                                                      &hcrx->ccid3hcrx_li_hist,
-                                                      &win_loss);
+        struct dccp_rx_hist_entry *rx_hist = dccp_rx_hist_head(&hcrx->ccid3hcrx_hist);
+        u64 seqno = packet->dccphrx_seqno;
+        u64 tmp_seqno;
+        int loss = 0;
+        u8 ccval;
+
+
+        tmp_seqno = hcrx->ccid3hcrx_seqno_nonloss;
+
+        if (!rx_hist ||
+           follows48(packet->dccphrx_seqno, hcrx->ccid3hcrx_seqno_nonloss)) {
+                hcrx->ccid3hcrx_seqno_nonloss = seqno;
+                hcrx->ccid3hcrx_ccval_nonloss = packet->dccphrx_ccval;
+                goto detect_out;
+        }
+
 
-        ccid3_hc_rx_update_li(sk, seq_loss, win_loss);
+        while (dccp_delta_seqno(hcrx->ccid3hcrx_seqno_nonloss, seqno)
+           > TFRC_RECV_NUM_LATE_LOSS) {
+                loss = 1;
+                ccid3_hc_rx_update_li(sk, hcrx->ccid3hcrx_seqno_nonloss,
+                   hcrx->ccid3hcrx_ccval_nonloss);
+                tmp_seqno = hcrx->ccid3hcrx_seqno_nonloss;
+                dccp_inc_seqno(&tmp_seqno);
+                hcrx->ccid3hcrx_seqno_nonloss = tmp_seqno;
+                dccp_inc_seqno(&tmp_seqno);
+                while (dccp_rx_hist_find_entry(&hcrx->ccid3hcrx_hist,
+                   tmp_seqno, &ccval)) {
+                        hcrx->ccid3hcrx_seqno_nonloss = tmp_seqno;
+                        hcrx->ccid3hcrx_ccval_nonloss = ccval;
+                        dccp_inc_seqno(&tmp_seqno);
+                }
+        }
+
+        /* FIXME - this code could be simplified with above while */
+        /* but works at moment */
+        if (follows48(packet->dccphrx_seqno, hcrx->ccid3hcrx_seqno_nonloss)) {
+                hcrx->ccid3hcrx_seqno_nonloss = seqno;
+                hcrx->ccid3hcrx_ccval_nonloss = packet->dccphrx_ccval;
+        }
+
+detect_out:
+        dccp_rx_hist_add_packet(ccid3_rx_hist, &hcrx->ccid3hcrx_hist,
+                   &hcrx->ccid3hcrx_li_hist, packet,
+                   hcrx->ccid3hcrx_seqno_nonloss);
+        return loss;
 }
 
 static void ccid3_hc_rx_packet_recv(struct sock *sk, struct sk_buff *skb)
@@ -916,8 +1004,8 @@ static void ccid3_hc_rx_packet_recv(struct sock *sk, struct sk_buff *skb)
         struct dccp_rx_hist_entry *packet;
         struct timeval now;
         u8 win_count;
-        u32 p_prev, r_sample, t_elapsed;
-        int ins;
+        u32 p_prev, rtt_prev, r_sample, t_elapsed;
+        int loss;
 
         BUG_ON(hcrx == NULL ||
                !(hcrx->ccid3hcrx_state == TFRC_RSTATE_NO_DATA ||
@@ -932,7 +1020,7 @@ static void ccid3_hc_rx_packet_recv(struct sock *sk, struct sk_buff *skb)
         case DCCP_PKT_DATAACK:
                 if (opt_recv->dccpor_timestamp_echo == 0)
                         break;
-                p_prev = hcrx->ccid3hcrx_rtt;
+                rtt_prev = hcrx->ccid3hcrx_rtt;
                 dccp_timestamp(sk, &now);
                 timeval_sub_usecs(&now, opt_recv->dccpor_timestamp_echo * 10);
                 r_sample = timeval_usecs(&now);
@@ -951,8 +1039,8 @@ static void ccid3_hc_rx_packet_recv(struct sock *sk, struct sk_buff *skb)
                         hcrx->ccid3hcrx_rtt = (hcrx->ccid3hcrx_rtt * 9) / 10 +
                                               r_sample / 10;
 
-                if (p_prev != hcrx->ccid3hcrx_rtt)
-                        ccid3_pr_debug("%s, New RTT=%luus, elapsed time=%u\n",
+                if (rtt_prev != hcrx->ccid3hcrx_rtt)
+                        ccid3_pr_debug("%s, New RTT=%uus, elapsed time=%u\n",
                                        dccp_role(sk), hcrx->ccid3hcrx_rtt,
                                        opt_recv->dccpor_elapsed_time);
                 break;
@@ -973,8 +1061,7 @@ static void ccid3_hc_rx_packet_recv(struct sock *sk, struct sk_buff *skb)
 
         win_count = packet->dccphrx_ccval;
 
-        ins = dccp_rx_hist_add_packet(ccid3_rx_hist, &hcrx->ccid3hcrx_hist,
-                                      &hcrx->ccid3hcrx_li_hist, packet);
+        loss = ccid3_hc_rx_detect_loss(sk, packet);
 
         if (DCCP_SKB_CB(skb)->dccpd_type == DCCP_PKT_ACK)
                 return;
@@ -991,7 +1078,7 @@ static void ccid3_hc_rx_packet_recv(struct sock *sk, struct sk_buff *skb)
         case TFRC_RSTATE_DATA:
                 hcrx->ccid3hcrx_bytes_recv += skb->len -
                                               dccp_hdr(skb)->dccph_doff * 4;
-                if (ins != 0)
+                if (loss)
                         break;
 
                 dccp_timestamp(sk, &now);
@@ -1012,7 +1099,6 @@ static void ccid3_hc_rx_packet_recv(struct sock *sk, struct sk_buff *skb)
         ccid3_pr_debug("%s, sk=%p(%s), data loss! Reacting...\n",
                        dccp_role(sk), sk, dccp_state_name(sk->sk_state));
 
-        ccid3_hc_rx_detect_loss(sk);
         p_prev = hcrx->ccid3hcrx_p;
         
         /* Calculate loss event rate */
@@ -1022,6 +1108,9 @@ static void ccid3_hc_rx_packet_recv(struct sock *sk, struct sk_buff *skb)
                 /* Scaling up by 1000000 as fixed decimal */
                 if (i_mean != 0)
                         hcrx->ccid3hcrx_p = 1000000 / i_mean;
+        } else {
+                printk(KERN_CRIT "%s: empty loss hist\n",__FUNCTION__);
+                dump_stack();
         }
 
         if (hcrx->ccid3hcrx_p > p_prev) {
@@ -1230,7 +1319,7 @@ static __exit void ccid3_module_exit(void)
 }
 module_exit(ccid3_module_exit);
 
-MODULE_AUTHOR("Ian McDonald <iam4@cs.waikato.ac.nz>, "
+MODULE_AUTHOR("Ian McDonald <ian.mcdonald@jandi.co.nz>, "
               "Arnaldo Carvalho de Melo <acme@ghostprotocols.net>");
 MODULE_DESCRIPTION("DCCP TFRC CCID3 CCID");
 MODULE_LICENSE("GPL");
diff --git a/net/dccp/ccids/ccid3.h b/net/dccp/ccids/ccid3.h
index 5ade4f668b22..0a2cb7536d26 100644
--- a/net/dccp/ccids/ccid3.h
+++ b/net/dccp/ccids/ccid3.h
@@ -1,13 +1,13 @@
 /*
  *  net/dccp/ccids/ccid3.h
  *
- *  Copyright (c) 2005 The University of Waikato, Hamilton, New Zealand.
+ *  Copyright (c) 2005-6 The University of Waikato, Hamilton, New Zealand.
  *
  *  An implementation of the DCCP protocol
  *
  *  This code has been developed by the University of Waikato WAND
  *  research group. For further information please see http://www.wand.net.nz/
- *  or e-mail Ian McDonald - iam4@cs.waikato.ac.nz
+ *  or e-mail Ian McDonald - ian.mcdonald@jandi.co.nz
  *
  *  This code also uses code from Lulea University, rereleased as GPL by its
  *  authors:
@@ -120,9 +120,10 @@ struct ccid3_hc_rx_sock {
 #define ccid3hcrx_x_recv        ccid3hcrx_tfrc.tfrcrx_x_recv
 #define ccid3hcrx_rtt           ccid3hcrx_tfrc.tfrcrx_rtt
 #define ccid3hcrx_p             ccid3hcrx_tfrc.tfrcrx_p
-        u64                     ccid3hcrx_seqno_last_counter:48,
+        u64                     ccid3hcrx_seqno_nonloss:48,
+                                ccid3hcrx_ccval_nonloss:4,
                                 ccid3hcrx_state:8,
-                                ccid3hcrx_last_counter:4;
+                                ccid3hcrx_ccval_last_counter:4;
         u32                     ccid3hcrx_bytes_recv;
         struct timeval          ccid3hcrx_tstamp_last_feedback;
         struct timeval          ccid3hcrx_tstamp_last_ack;
diff --git a/net/dccp/ccids/lib/loss_interval.c b/net/dccp/ccids/lib/loss_interval.c
index 5d7b7d864385..906c81ab9d4f 100644
--- a/net/dccp/ccids/lib/loss_interval.c
+++ b/net/dccp/ccids/lib/loss_interval.c
@@ -2,7 +2,7 @@
  *  net/dccp/ccids/lib/loss_interval.c
  *
  *  Copyright (c) 2005 The University of Waikato, Hamilton, New Zealand.
- *  Copyright (c) 2005 Ian McDonald <iam4@cs.waikato.ac.nz>
+ *  Copyright (c) 2005-6 Ian McDonald <ian.mcdonald@jandi.co.nz>
  *  Copyright (c) 2005 Arnaldo Carvalho de Melo <acme@conectiva.com.br>
  *
  *  This program is free software; you can redistribute it and/or modify
@@ -12,6 +12,7 @@
  */
 
 #include <linux/module.h>
+#include <net/sock.h>
 
 #include "loss_interval.h"
 
@@ -90,13 +91,13 @@ u32 dccp_li_hist_calc_i_mean(struct list_head *list)
         u32 w_tot  = 0;
 
         list_for_each_entry_safe(li_entry, li_next, list, dccplih_node) {
-                if (i < DCCP_LI_HIST_IVAL_F_LENGTH) {
+                if (li_entry->dccplih_interval != ~0) {
                         i_tot0 += li_entry->dccplih_interval * dccp_li_hist_w[i];
                         w_tot  += dccp_li_hist_w[i];
+                        if (i != 0)
+                                i_tot1 += li_entry->dccplih_interval * dccp_li_hist_w[i - 1];
                 }
 
-                if (i != 0)
-                        i_tot1 += li_entry->dccplih_interval * dccp_li_hist_w[i - 1];
 
                 if (++i > DCCP_LI_HIST_IVAL_F_LENGTH)
                         break;
@@ -107,37 +108,36 @@ u32 dccp_li_hist_calc_i_mean(struct list_head *list)
 
         i_tot = max(i_tot0, i_tot1);
 
-        /* FIXME: Why do we do this? -Ian McDonald */
-        if (i_tot * 4 < w_tot)
-                i_tot = w_tot * 4;
+        if (!w_tot) {
+                LIMIT_NETDEBUG(KERN_WARNING "%s: w_tot = 0\n", __FUNCTION__);
+                return 1;
+        }
 
-        return i_tot * 4 / w_tot;
+        return i_tot / w_tot;
 }
 
 EXPORT_SYMBOL_GPL(dccp_li_hist_calc_i_mean);
 
-struct dccp_li_hist_entry *dccp_li_hist_interval_new(struct dccp_li_hist *hist,
-                                                     struct list_head *list,
-                                                     const u64 seq_loss,
-                                                     const u8 win_loss)
+int dccp_li_hist_interval_new(struct dccp_li_hist *hist,
+   struct list_head *list, const u64 seq_loss, const u8 win_loss)
 {
-        struct dccp_li_hist_entry *tail = NULL, *entry;
+        struct dccp_li_hist_entry *entry;
         int i;
 
-        for (i = 0; i <= DCCP_LI_HIST_IVAL_F_LENGTH; ++i) {
+        for (i = 0; i < DCCP_LI_HIST_IVAL_F_LENGTH; i++) {
                 entry = dccp_li_hist_entry_new(hist, SLAB_ATOMIC);
                 if (entry == NULL) {
                         dccp_li_hist_purge(hist, list);
-                        return NULL;
+                        dump_stack();
+                        return 0;
                 }
-                if (tail == NULL)
-                        tail = entry;
+                entry->dccplih_interval = ~0;
                 list_add(&entry->dccplih_node, list);
         }
 
         entry->dccplih_seqno     = seq_loss;
         entry->dccplih_win_count = win_loss;
-        return tail;
+        return 1;
 }
 
 EXPORT_SYMBOL_GPL(dccp_li_hist_interval_new);
diff --git a/net/dccp/ccids/lib/loss_interval.h b/net/dccp/ccids/lib/loss_interval.h
index 43bf78269d1d..0ae85f0340b2 100644
--- a/net/dccp/ccids/lib/loss_interval.h
+++ b/net/dccp/ccids/lib/loss_interval.h
@@ -4,7 +4,7 @@
  *  net/dccp/ccids/lib/loss_interval.h
  *
  *  Copyright (c) 2005 The University of Waikato, Hamilton, New Zealand.
- *  Copyright (c) 2005 Ian McDonald <iam4@cs.waikato.ac.nz>
+ *  Copyright (c) 2005 Ian McDonald <ian.mcdonald@jandi.co.nz>
  *  Copyright (c) 2005 Arnaldo Carvalho de Melo <acme@conectiva.com.br>
  *
  *  This program is free software; you can redistribute it and/or modify it
@@ -52,9 +52,6 @@ extern void dccp_li_hist_purge(struct dccp_li_hist *hist,
 
 extern u32 dccp_li_hist_calc_i_mean(struct list_head *list);
 
-extern struct dccp_li_hist_entry *
-                        dccp_li_hist_interval_new(struct dccp_li_hist *hist,
-                                                  struct list_head *list,
-                                                  const u64 seq_loss,
-                                                  const u8 win_loss);
+extern int dccp_li_hist_interval_new(struct dccp_li_hist *hist,
+   struct list_head *list, const u64 seq_loss, const u8 win_loss);
 #endif /* _DCCP_LI_HIST_ */
diff --git a/net/dccp/ccids/lib/packet_history.c b/net/dccp/ccids/lib/packet_history.c
index ad98d6a322eb..b876c9c81c65 100644
--- a/net/dccp/ccids/lib/packet_history.c
+++ b/net/dccp/ccids/lib/packet_history.c
@@ -1,13 +1,13 @@
 /*
- *  net/dccp/packet_history.h
+ *  net/dccp/packet_history.c
  *
- *  Copyright (c) 2005 The University of Waikato, Hamilton, New Zealand.
+ *  Copyright (c) 2005-6 The University of Waikato, Hamilton, New Zealand.
  *
  *  An implementation of the DCCP protocol
  *
  *  This code has been developed by the University of Waikato WAND
  *  research group. For further information please see http://www.wand.net.nz/
- *  or e-mail Ian McDonald - iam4@cs.waikato.ac.nz
+ *  or e-mail Ian McDonald - ian.mcdonald@jandi.co.nz
  *
  *  This code also uses code from Lulea University, rereleased as GPL by its
  *  authors:
@@ -112,64 +112,27 @@ struct dccp_rx_hist_entry *
 
 EXPORT_SYMBOL_GPL(dccp_rx_hist_find_data_packet);
 
-int dccp_rx_hist_add_packet(struct dccp_rx_hist *hist,
+void dccp_rx_hist_add_packet(struct dccp_rx_hist *hist,
                             struct list_head *rx_list,
                             struct list_head *li_list,
-                            struct dccp_rx_hist_entry *packet)
+                            struct dccp_rx_hist_entry *packet,
+                            u64 nonloss_seqno)
 {
-        struct dccp_rx_hist_entry *entry, *next, *iter;
+        struct dccp_rx_hist_entry *entry, *next;
         u8 num_later = 0;
 
-        iter = dccp_rx_hist_head(rx_list);
-        if (iter == NULL)
-                dccp_rx_hist_add_entry(rx_list, packet);
-        else {
-                const u64 seqno = packet->dccphrx_seqno;
-
-                if (after48(seqno, iter->dccphrx_seqno))
-                        dccp_rx_hist_add_entry(rx_list, packet);
-                else {
-                        if (dccp_rx_hist_entry_data_packet(iter))
-                                num_later = 1;
-
-                        list_for_each_entry_continue(iter, rx_list,
-                                                     dccphrx_node) {
-                                if (after48(seqno, iter->dccphrx_seqno)) {
-                                        dccp_rx_hist_add_entry(&iter->dccphrx_node,
-                                                               packet);
-                                        goto trim_history;
-                                }
-
-                                if (dccp_rx_hist_entry_data_packet(iter))
-                                        num_later++;
+        list_add(&packet->dccphrx_node, rx_list);
 
-                                if (num_later == TFRC_RECV_NUM_LATE_LOSS) {
-                                        dccp_rx_hist_entry_delete(hist, packet);
-                                        return 1;
-                                }
-                        }
-
-                        if (num_later < TFRC_RECV_NUM_LATE_LOSS)
-                                dccp_rx_hist_add_entry(rx_list, packet);
-                        /*
-                         * FIXME: else what? should we destroy the packet
-                         * like above?
-                         */
-                }
-        }
-
-trim_history:
-        /*
-         * Trim history (remove all packets after the NUM_LATE_LOSS + 1
-         * data packets)
-         */
         num_later = TFRC_RECV_NUM_LATE_LOSS + 1;
 
         if (!list_empty(li_list)) {
                 list_for_each_entry_safe(entry, next, rx_list, dccphrx_node) {
                         if (num_later == 0) {
-                                list_del_init(&entry->dccphrx_node);
-                                dccp_rx_hist_entry_delete(hist, entry);
+                                if (after48(nonloss_seqno,
+                                   entry->dccphrx_seqno)) {
+                                        list_del_init(&entry->dccphrx_node);
+                                        dccp_rx_hist_entry_delete(hist, entry);
+                                }
                         } else if (dccp_rx_hist_entry_data_packet(entry))
                                 --num_later;
                 }
@@ -217,94 +180,10 @@ trim_history:
                                 --num_later;
                 }
         }
-
-        return 0;
 }
 
 EXPORT_SYMBOL_GPL(dccp_rx_hist_add_packet);
 
-u64 dccp_rx_hist_detect_loss(struct list_head *rx_list,
-                             struct list_head *li_list, u8 *win_loss)
-{
-        struct dccp_rx_hist_entry *entry, *next, *packet;
-        struct dccp_rx_hist_entry *a_loss = NULL;
-        struct dccp_rx_hist_entry *b_loss = NULL;
-        u64 seq_loss = DCCP_MAX_SEQNO + 1;
-        u8 num_later = TFRC_RECV_NUM_LATE_LOSS;
-
-        list_for_each_entry_safe(entry, next, rx_list, dccphrx_node) {
-                if (num_later == 0) {
-                        b_loss = entry;
-                        break;
-                } else if (dccp_rx_hist_entry_data_packet(entry))
-                        --num_later;
-        }
-
-        if (b_loss == NULL)
-                goto out;
-
-        num_later = 1;
-        list_for_each_entry_safe_continue(entry, next, rx_list, dccphrx_node) {
-                if (num_later == 0) {
-                        a_loss = entry;
-                        break;
-                } else if (dccp_rx_hist_entry_data_packet(entry))
-                        --num_later;
-        }
-
-        if (a_loss == NULL) {
-                if (list_empty(li_list)) {
-                        /* no loss event have occured yet */
-                        LIMIT_NETDEBUG("%s: TODO: find a lost data packet by "
-                                       "comparing to initial seqno\n",
-                                       __FUNCTION__);
-                        goto out;
-                } else {
-                        LIMIT_NETDEBUG("%s: Less than 4 data pkts in history!",
-                                       __FUNCTION__);
-                        goto out;
-                }
-        }
-
-        /* Locate a lost data packet */
-        entry = packet = b_loss;
-        list_for_each_entry_safe_continue(entry, next, rx_list, dccphrx_node) {
-                u64 delta = dccp_delta_seqno(entry->dccphrx_seqno,
-                                             packet->dccphrx_seqno);
-
-                if (delta != 0) {
-                        if (dccp_rx_hist_entry_data_packet(packet))
-                                --delta;
-                        /*
-                         * FIXME: check this, probably this % usage is because
-                         * in earlier drafts the ndp count was just 8 bits
-                         * long, but now it cam be up to 24 bits long.
-                         */
-#if 0
-                        if (delta % DCCP_NDP_LIMIT !=
-                            (packet->dccphrx_ndp -
-                             entry->dccphrx_ndp) % DCCP_NDP_LIMIT)
-#endif
-                        if (delta != packet->dccphrx_ndp - entry->dccphrx_ndp) {
-                                seq_loss = entry->dccphrx_seqno;
-                                dccp_inc_seqno(&seq_loss);
-                        }
-                }
-                packet = entry;
-                if (packet == a_loss)
-                        break;
-        }
-out:
-        if (seq_loss != DCCP_MAX_SEQNO + 1)
-                *win_loss = a_loss->dccphrx_ccval;
-        else
-                *win_loss = 0; /* Paranoia */
-
-        return seq_loss;
-}
-
-EXPORT_SYMBOL_GPL(dccp_rx_hist_detect_loss);
-
 struct dccp_tx_hist *dccp_tx_hist_new(const char *name)
 {
         struct dccp_tx_hist *hist = kmalloc(sizeof(*hist), GFP_ATOMIC);
@@ -365,6 +244,25 @@ struct dccp_tx_hist_entry *
 
 EXPORT_SYMBOL_GPL(dccp_tx_hist_find_entry);
 
+int dccp_rx_hist_find_entry(const struct list_head *list, const u64 seq,
+   u8 *ccval)
+{
+        struct dccp_rx_hist_entry *packet = NULL, *entry;
+
+        list_for_each_entry(entry, list, dccphrx_node)
+                if (entry->dccphrx_seqno == seq) {
+                        packet = entry;
+                        break;
+                }
+
+        if (packet)
+                *ccval = packet->dccphrx_ccval;
+
+        return packet != NULL;
+}
+
+EXPORT_SYMBOL_GPL(dccp_rx_hist_find_entry);
+
 void dccp_tx_hist_purge_older(struct dccp_tx_hist *hist,
                               struct list_head *list,
                               struct dccp_tx_hist_entry *packet)
@@ -391,7 +289,7 @@ void dccp_tx_hist_purge(struct dccp_tx_hist *hist, struct list_head *list)
 
 EXPORT_SYMBOL_GPL(dccp_tx_hist_purge);
 
-MODULE_AUTHOR("Ian McDonald <iam4@cs.waikato.ac.nz>, "
+MODULE_AUTHOR("Ian McDonald <ian.mcdonald@jandi.co.nz>, "
               "Arnaldo Carvalho de Melo <acme@ghostprotocols.net>");
 MODULE_DESCRIPTION("DCCP TFRC library");
 MODULE_LICENSE("GPL");
diff --git a/net/dccp/ccids/lib/packet_history.h b/net/dccp/ccids/lib/packet_history.h
index 673c209e4e85..067cf1c85a37 100644
--- a/net/dccp/ccids/lib/packet_history.h
+++ b/net/dccp/ccids/lib/packet_history.h
@@ -1,13 +1,13 @@
 /*
  *  net/dccp/packet_history.h
  *
- *  Copyright (c) 2005 The University of Waikato, Hamilton, New Zealand.
+ *  Copyright (c) 2005-6 The University of Waikato, Hamilton, New Zealand.
  *
  *  An implementation of the DCCP protocol
  *
  *  This code has been developed by the University of Waikato WAND
  *  research group. For further information please see http://www.wand.net.nz/
- *  or e-mail Ian McDonald - iam4@cs.waikato.ac.nz
+ *  or e-mail Ian McDonald - ian.mcdonald@jandi.co.nz
  *
  *  This code also uses code from Lulea University, rereleased as GPL by its
  *  authors:
@@ -106,6 +106,8 @@ static inline void dccp_tx_hist_entry_delete(struct dccp_tx_hist *hist,
 extern struct dccp_tx_hist_entry *
                         dccp_tx_hist_find_entry(const struct list_head *list,
                                                 const u64 seq);
+extern int dccp_rx_hist_find_entry(const struct list_head *list, const u64 seq,
+   u8 *ccval);
 
 static inline void dccp_tx_hist_add_entry(struct list_head *list,
                                           struct dccp_tx_hist_entry *entry)
@@ -164,12 +166,6 @@ static inline void dccp_rx_hist_entry_delete(struct dccp_rx_hist *hist,
 extern void dccp_rx_hist_purge(struct dccp_rx_hist *hist,
                                struct list_head *list);
 
-static inline void dccp_rx_hist_add_entry(struct list_head *list,
-                                          struct dccp_rx_hist_entry *entry)
-{
-        list_add(&entry->dccphrx_node, list);
-}
-
 static inline struct dccp_rx_hist_entry *
                 dccp_rx_hist_head(struct list_head *list)
 {
@@ -188,10 +184,11 @@ static inline int
                entry->dccphrx_type == DCCP_PKT_DATAACK;
 }
 
-extern int dccp_rx_hist_add_packet(struct dccp_rx_hist *hist,
+extern void dccp_rx_hist_add_packet(struct dccp_rx_hist *hist,
                                    struct list_head *rx_list,
                                    struct list_head *li_list,
-                                   struct dccp_rx_hist_entry *packet);
+                                   struct dccp_rx_hist_entry *packet,
+                                   u64 nonloss_seqno);
 
 extern u64 dccp_rx_hist_detect_loss(struct list_head *rx_list,
                                     struct list_head *li_list, u8 *win_loss);
diff --git a/net/dccp/ccids/lib/tfrc.h b/net/dccp/ccids/lib/tfrc.h
index 130c4c40cfe3..45f30f59ea2a 100644
--- a/net/dccp/ccids/lib/tfrc.h
+++ b/net/dccp/ccids/lib/tfrc.h
@@ -4,7 +4,7 @@
  *  net/dccp/ccids/lib/tfrc.h
  *
  *  Copyright (c) 2005 The University of Waikato, Hamilton, New Zealand.
- *  Copyright (c) 2005 Ian McDonald <iam4@cs.waikato.ac.nz>
+ *  Copyright (c) 2005 Ian McDonald <ian.mcdonald@jandi.co.nz>
  *  Copyright (c) 2005 Arnaldo Carvalho de Melo <acme@conectiva.com.br>
  *  Copyright (c) 2003 Nils-Erik Mattsson, Joacim Haggmark, Magnus Erixzon
  *
diff --git a/net/dccp/ccids/lib/tfrc_equation.c b/net/dccp/ccids/lib/tfrc_equation.c
index 4fd2ebebf5a0..44076e0c6591 100644
--- a/net/dccp/ccids/lib/tfrc_equation.c
+++ b/net/dccp/ccids/lib/tfrc_equation.c
@@ -2,7 +2,7 @@
  *  net/dccp/ccids/lib/tfrc_equation.c
  *
  *  Copyright (c) 2005 The University of Waikato, Hamilton, New Zealand.
- *  Copyright (c) 2005 Ian McDonald <iam4@cs.waikato.ac.nz>
+ *  Copyright (c) 2005 Ian McDonald <ian.mcdonald@jandi.co.nz>
  *  Copyright (c) 2005 Arnaldo Carvalho de Melo <acme@conectiva.com.br>
  *  Copyright (c) 2003 Nils-Erik Mattsson, Joacim Haggmark, Magnus Erixzon
  *
diff --git a/net/dccp/dccp.h b/net/dccp/dccp.h
index d00a2f4ee5dd..a5c5475724c0 100644
--- a/net/dccp/dccp.h
+++ b/net/dccp/dccp.h
@@ -5,7 +5,7 @@
  *
  *  An implementation of the DCCP protocol
  *  Copyright (c) 2005 Arnaldo Carvalho de Melo <acme@conectiva.com.br>
- *  Copyright (c) 2005 Ian McDonald <iam4@cs.waikato.ac.nz>
+ *  Copyright (c) 2005-6 Ian McDonald <ian.mcdonald@jandi.co.nz>
  *
  *      This program is free software; you can redistribute it and/or modify it
  *      under the terms of the GNU General Public License version 2 as
@@ -81,6 +81,14 @@ static inline u64 max48(const u64 seq1, const u64 seq2)
         return after48(seq1, seq2) ? seq1 : seq2;
 }
 
+/* is seq1 next seqno after seq2 */
+static inline int follows48(const u64 seq1, const u64 seq2)
+{
+        int diff = (seq1 & 0xFFFF) - (seq2 & 0xFFFF);
+
+        return diff==1;
+}
+
 enum {
         DCCP_MIB_NUM = 0,
         DCCP_MIB_ACTIVEOPENS,                   /* ActiveOpens */
diff --git a/net/dccp/feat.h b/net/dccp/feat.h
index 6048373c7186..b44c45504fb6 100644
--- a/net/dccp/feat.h
+++ b/net/dccp/feat.h
@@ -26,4 +26,6 @@ extern void dccp_feat_clean(struct dccp_minisock *dmsk);
 extern int  dccp_feat_clone(struct sock *oldsk, struct sock *newsk);
 extern int  dccp_feat_init(struct dccp_minisock *dmsk);
 
+extern int  dccp_feat_default_sequence_window;
+
 #endif /* _DCCP_FEAT_H */
diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
index c3073e7e81d3..7f56f7e8f571 100644
--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -504,8 +504,7 @@ int dccp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
         ireq = inet_rsk(req);
         ireq->loc_addr = daddr;
         ireq->rmt_addr = saddr;
-        req->rcv_wnd    = 100; /* Fake, option parsing will get the
-                                  right value */
+        req->rcv_wnd    = dccp_feat_default_sequence_window;
         ireq->opt       = NULL;
 
         /* 
diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index ff42bc43263d..610c722ac27f 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -31,6 +31,7 @@
 
 #include "dccp.h"
 #include "ipv6.h"
+#include "feat.h"
 
 /* Socket used for sending RSTs and ACKs */
 static struct socket *dccp_v6_ctl_socket;
@@ -229,7 +230,7 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
         ipv6_addr_copy(&np->saddr, saddr);
         inet->rcv_saddr = LOOPBACK4_IPV6;
 
-        ip6_dst_store(sk, dst, NULL);
+        __ip6_dst_store(sk, dst, NULL);
 
         icsk->icsk_ext_hdr_len = 0;
         if (np->opt != NULL)
@@ -707,8 +708,7 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
         ireq = inet_rsk(req);
         ipv6_addr_copy(&ireq6->rmt_addr, &skb->nh.ipv6h->saddr);
         ipv6_addr_copy(&ireq6->loc_addr, &skb->nh.ipv6h->daddr);
-        req->rcv_wnd    = 100; /* Fake, option parsing will get the
-                                  right value */
+        req->rcv_wnd    = dccp_feat_default_sequence_window;
         ireq6->pktopts  = NULL;
 
         if (ipv6_opt_accepted(sk, skb) ||
@@ -863,7 +863,7 @@ static struct sock *dccp_v6_request_recv_sock(struct sock *sk,
          * comment in that function for the gory details. -acme
          */
 
-        ip6_dst_store(newsk, dst, NULL);
+        __ip6_dst_store(newsk, dst, NULL);
         newsk->sk_route_caps = dst->dev->features & ~(NETIF_F_IP_CSUM |
                                                       NETIF_F_TSO);
         newdp6 = (struct dccp6_sock *)newsk;
diff --git a/net/dccp/options.c b/net/dccp/options.c
index c3cda1e39aa8..07a34696ac97 100644
--- a/net/dccp/options.c
+++ b/net/dccp/options.c
@@ -4,7 +4,7 @@
  *  An implementation of the DCCP protocol
  *  Copyright (c) 2005 Aristeu Sergio Rozanski Filho <aris@cathedrallabs.org>
  *  Copyright (c) 2005 Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
- *  Copyright (c) 2005 Ian McDonald <iam4@cs.waikato.ac.nz>
+ *  Copyright (c) 2005 Ian McDonald <ian.mcdonald@jandi.co.nz>
  *
  *      This program is free software; you can redistribute it and/or
  *      modify it under the terms of the GNU General Public License
@@ -29,6 +29,8 @@ int dccp_feat_default_ack_ratio	      = DCCPF_INITIAL_ACK_RATIO;
 int dccp_feat_default_send_ack_vector = DCCPF_INITIAL_SEND_ACK_VECTOR;
 int dccp_feat_default_send_ndp_count  = DCCPF_INITIAL_SEND_NDP_COUNT;
 
+EXPORT_SYMBOL_GPL(dccp_feat_default_sequence_window);
+
 void dccp_minisock_init(struct dccp_minisock *dmsk)
 {
         dmsk->dccpms_sequence_window = dccp_feat_default_sequence_window;
diff --git a/net/dccp/proto.c b/net/dccp/proto.c
index f4f0627ea41c..6f14bb5a28d4 100644
--- a/net/dccp/proto.c
+++ b/net/dccp/proto.c
@@ -484,7 +484,7 @@ static int do_dccp_setsockopt(struct sock *sk, int level, int optname,
                         err = -EINVAL;
                 else
                         err = dccp_setsockopt_change(sk, DCCPO_CHANGE_L,
-                                                     (struct dccp_so_feat *)
+                                                     (struct dccp_so_feat __user *)
                                                      optval);
                 break;
 
@@ -493,7 +493,7 @@ static int do_dccp_setsockopt(struct sock *sk, int level, int optname,
                         err = -EINVAL;
                 else
                         err = dccp_setsockopt_change(sk, DCCPO_CHANGE_R,
-                                                     (struct dccp_so_feat *)
+                                                     (struct dccp_so_feat __user *)
                                                      optval);
                 break;
 
diff --git a/net/decnet/dn_dev.c b/net/decnet/dn_dev.c
index 98a25208440d..476455fbdb03 100644
--- a/net/decnet/dn_dev.c
+++ b/net/decnet/dn_dev.c
@@ -413,11 +413,7 @@ static struct dn_ifaddr *dn_dev_alloc_ifa(void)
 {
         struct dn_ifaddr *ifa;
 
-        ifa = kmalloc(sizeof(*ifa), GFP_KERNEL);
-
-        if (ifa) {
-                memset(ifa, 0, sizeof(*ifa));
-        }
+        ifa = kzalloc(sizeof(*ifa), GFP_KERNEL);
 
         return ifa;
 }
@@ -1105,10 +1101,9 @@ struct dn_dev *dn_dev_create(struct net_device *dev, int *err)
                 return NULL;
 
         *err = -ENOBUFS;
-        if ((dn_db = kmalloc(sizeof(struct dn_dev), GFP_ATOMIC)) == NULL)
+        if ((dn_db = kzalloc(sizeof(struct dn_dev), GFP_ATOMIC)) == NULL)
                 return NULL;
 
-        memset(dn_db, 0, sizeof(struct dn_dev));
         memcpy(&dn_db->parms, p, sizeof(struct dn_dev_parms));
         smp_wmb();
         dev->dn_ptr = dn_db;
diff --git a/net/decnet/dn_fib.c b/net/decnet/dn_fib.c
index 0375077391b7..fa20e2efcfc1 100644
--- a/net/decnet/dn_fib.c
+++ b/net/decnet/dn_fib.c
@@ -283,11 +283,10 @@ struct dn_fib_info *dn_fib_create_info(const struct rtmsg *r, struct dn_kern_rta
                         goto err_inval;
         }
 
-        fi = kmalloc(sizeof(*fi)+nhs*sizeof(struct dn_fib_nh), GFP_KERNEL);
+        fi = kzalloc(sizeof(*fi)+nhs*sizeof(struct dn_fib_nh), GFP_KERNEL);
         err = -ENOBUFS;
         if (fi == NULL)
                 goto failure;
-        memset(fi, 0, sizeof(*fi)+nhs*sizeof(struct dn_fib_nh));
 
         fi->fib_protocol = r->rtm_protocol;
         fi->fib_nhs = nhs;
diff --git a/net/decnet/dn_neigh.c b/net/decnet/dn_neigh.c
index 5ce9c9e0565c..ff0ebe99137d 100644
--- a/net/decnet/dn_neigh.c
+++ b/net/decnet/dn_neigh.c
@@ -580,12 +580,11 @@ static int dn_neigh_seq_open(struct inode *inode, struct file *file)
 {
         struct seq_file *seq;
         int rc = -ENOMEM;
-        struct neigh_seq_state *s = kmalloc(sizeof(*s), GFP_KERNEL);
+        struct neigh_seq_state *s = kzalloc(sizeof(*s), GFP_KERNEL);
 
         if (!s)
                 goto out;
 
-        memset(s, 0, sizeof(*s));
         rc = seq_open(file, &dn_neigh_seq_ops);
         if (rc)
                 goto out_kfree;
diff --git a/net/decnet/dn_route.c b/net/decnet/dn_route.c
index 1355614ec11b..743e9fcf7c5a 100644
--- a/net/decnet/dn_route.c
+++ b/net/decnet/dn_route.c
@@ -925,8 +925,13 @@ static int dn_route_output_slow(struct dst_entry **pprt, const struct flowi *old
                 for(dev_out = dev_base; dev_out; dev_out = dev_out->next) {
                         if (!dev_out->dn_ptr)
                                 continue;
-                        if (dn_dev_islocal(dev_out, oldflp->fld_src))
-                                break;
+                        if (!dn_dev_islocal(dev_out, oldflp->fld_src))
+                                continue;
+                        if ((dev_out->flags & IFF_LOOPBACK) &&
+                            oldflp->fld_dst &&
+                            !dn_dev_islocal(dev_out, oldflp->fld_dst))
+                                continue;
+                        break;
                 }
                 read_unlock(&dev_base_lock);
                 if (dev_out == NULL)
diff --git a/net/decnet/dn_rules.c b/net/decnet/dn_rules.c
index 06e785fe5757..6986be754ef2 100644
--- a/net/decnet/dn_rules.c
+++ b/net/decnet/dn_rules.c
@@ -151,10 +151,9 @@ int dn_fib_rtm_newrule(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg)
                 }
         }
 
-        new_r = kmalloc(sizeof(*new_r), GFP_KERNEL);
+        new_r = kzalloc(sizeof(*new_r), GFP_KERNEL);
         if (!new_r)
                 return -ENOMEM;
-        memset(new_r, 0, sizeof(*new_r));
 
         if (rta[RTA_SRC-1])
                 memcpy(&new_r->r_src, RTA_DATA(rta[RTA_SRC-1]), 2);
@@ -399,9 +398,10 @@ int dn_fib_dump_rules(struct sk_buff *skb, struct netlink_callback *cb)
         rcu_read_lock();
         hlist_for_each_entry(r, node, &dn_fib_rules, r_hlist) {
                 if (idx < s_idx)
-                        continue;
+                        goto next;
                 if (dn_fib_fill_rule(skb, r, cb, NLM_F_MULTI) < 0)
                         break;
+next:
                 idx++;
         }
         rcu_read_unlock();
diff --git a/net/decnet/dn_table.c b/net/decnet/dn_table.c
index 37d9d0a1ac8c..e926c952e363 100644
--- a/net/decnet/dn_table.c
+++ b/net/decnet/dn_table.c
@@ -158,12 +158,10 @@ static void dn_rehash_zone(struct dn_zone *dz)
                         break;
         }
 
-        ht = kmalloc(new_divisor*sizeof(struct dn_fib_node*), GFP_KERNEL);
-
+        ht = kcalloc(new_divisor, sizeof(struct dn_fib_node*), GFP_KERNEL);
         if (ht == NULL)
                 return;
 
-        memset(ht, 0, new_divisor*sizeof(struct dn_fib_node *));
         write_lock_bh(&dn_fib_tables_lock);
         old_ht = dz->dz_hash;
         dz->dz_hash = ht;
@@ -184,11 +182,10 @@ static void dn_free_node(struct dn_fib_node *f)
 static struct dn_zone *dn_new_zone(struct dn_hash *table, int z)
 {
         int i;
-        struct dn_zone *dz = kmalloc(sizeof(struct dn_zone), GFP_KERNEL);
+        struct dn_zone *dz = kzalloc(sizeof(struct dn_zone), GFP_KERNEL);
         if (!dz)
                 return NULL;
 
-        memset(dz, 0, sizeof(struct dn_zone));
         if (z) {
                 dz->dz_divisor = 16;
                 dz->dz_hashmask = 0x0F;
@@ -197,14 +194,12 @@ static struct dn_zone *dn_new_zone(struct dn_hash *table, int z)
                 dz->dz_hashmask = 0;
         }
 
-        dz->dz_hash = kmalloc(dz->dz_divisor*sizeof(struct dn_fib_node *), GFP_KERNEL);
-
+        dz->dz_hash = kcalloc(dz->dz_divisor, sizeof(struct dn_fib_node *), GFP_KERNEL);
         if (!dz->dz_hash) {
                 kfree(dz);
                 return NULL;
         }
 
-        memset(dz->dz_hash, 0, dz->dz_divisor*sizeof(struct dn_fib_node*));
         dz->dz_order = z;
         dz->dz_mask = dnet_make_mask(z);
 
diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
index 309ae4c6549a..4d66aac13483 100644
--- a/net/econet/af_econet.c
+++ b/net/econet/af_econet.c
@@ -673,12 +673,11 @@ static int ec_dev_ioctl(struct socket *sock, unsigned int cmd, void __user *arg)
                 edev = dev->ec_ptr;
                 if (edev == NULL) {
                         /* Magic up a new one. */
-                        edev = kmalloc(sizeof(struct ec_device), GFP_KERNEL);
+                        edev = kzalloc(sizeof(struct ec_device), GFP_KERNEL);
                         if (edev == NULL) {
                                 err = -ENOMEM;
                                 break;
                         }
-                        memset(edev, 0, sizeof(struct ec_device));
                         dev->ec_ptr = edev;
                 } else
                         net2dev_map[edev->net] = NULL;
diff --git a/net/ieee80211/Kconfig b/net/ieee80211/Kconfig
index dbb08528ddf5..f7e84e9d13ad 100644
--- a/net/ieee80211/Kconfig
+++ b/net/ieee80211/Kconfig
@@ -58,6 +58,7 @@ config IEEE80211_CRYPT_TKIP
         depends on IEEE80211 && NET_RADIO
         select CRYPTO
         select CRYPTO_MICHAEL_MIC
+        select CRC32
         ---help---
         Include software based cipher suites in support of IEEE 802.11i
         (aka TGi, WPA, WPA2, WPA-PSK, etc.) for use with TKIP enabled
diff --git a/net/ieee80211/ieee80211_crypt.c b/net/ieee80211/ieee80211_crypt.c
index cb71d794a7d1..5ed0a98b2d76 100644
--- a/net/ieee80211/ieee80211_crypt.c
+++ b/net/ieee80211/ieee80211_crypt.c
@@ -110,11 +110,10 @@ int ieee80211_register_crypto_ops(struct ieee80211_crypto_ops *ops)
         unsigned long flags;
         struct ieee80211_crypto_alg *alg;
 
-        alg = kmalloc(sizeof(*alg), GFP_KERNEL);
+        alg = kzalloc(sizeof(*alg), GFP_KERNEL);
         if (alg == NULL)
                 return -ENOMEM;
 
-        memset(alg, 0, sizeof(*alg));
         alg->ops = ops;
 
         spin_lock_irqsave(&ieee80211_crypto_lock, flags);
diff --git a/net/ieee80211/ieee80211_crypt_ccmp.c b/net/ieee80211/ieee80211_crypt_ccmp.c
index 492647382ad0..ed90a8af1444 100644
--- a/net/ieee80211/ieee80211_crypt_ccmp.c
+++ b/net/ieee80211/ieee80211_crypt_ccmp.c
@@ -76,10 +76,9 @@ static void *ieee80211_ccmp_init(int key_idx)
 {
         struct ieee80211_ccmp_data *priv;
 
-        priv = kmalloc(sizeof(*priv), GFP_ATOMIC);
+        priv = kzalloc(sizeof(*priv), GFP_ATOMIC);
         if (priv == NULL)
                 goto fail;
-        memset(priv, 0, sizeof(*priv));
         priv->key_idx = key_idx;
 
         priv->tfm = crypto_alloc_tfm("aes", 0);
diff --git a/net/ieee80211/ieee80211_crypt_wep.c b/net/ieee80211/ieee80211_crypt_wep.c
index c5a87724aabe..0ebf235f6939 100644
--- a/net/ieee80211/ieee80211_crypt_wep.c
+++ b/net/ieee80211/ieee80211_crypt_wep.c
@@ -39,10 +39,9 @@ static void *prism2_wep_init(int keyidx)
 {
         struct prism2_wep_data *priv;
 
-        priv = kmalloc(sizeof(*priv), GFP_ATOMIC);
+        priv = kzalloc(sizeof(*priv), GFP_ATOMIC);
         if (priv == NULL)
                 goto fail;
-        memset(priv, 0, sizeof(*priv));
         priv->key_idx = keyidx;
 
         priv->tfm = crypto_alloc_tfm("arc4", 0);
diff --git a/net/ieee80211/ieee80211_rx.c b/net/ieee80211/ieee80211_rx.c
index 47ccf159372c..72d4d4e04d42 100644
--- a/net/ieee80211/ieee80211_rx.c
+++ b/net/ieee80211/ieee80211_rx.c
@@ -368,6 +368,7 @@ int ieee80211_rx(struct ieee80211_device *ieee, struct sk_buff *skb,
 
         /* Put this code here so that we avoid duplicating it in all
          * Rx paths. - Jean II */
+#ifdef CONFIG_WIRELESS_EXT
 #ifdef IW_WIRELESS_SPY          /* defined in iw_handler.h */
         /* If spy monitoring on */
         if (ieee->spy_data.spy_number > 0) {
@@ -396,15 +397,16 @@ int ieee80211_rx(struct ieee80211_device *ieee, struct sk_buff *skb,
                 wireless_spy_update(ieee->dev, hdr->addr2, &wstats);
         }
 #endif                          /* IW_WIRELESS_SPY */
+#endif                          /* CONFIG_WIRELESS_EXT */
 
 #ifdef NOT_YET
         hostap_update_rx_stats(local->ap, hdr, rx_stats);
 #endif
 
         if (ieee->iw_mode == IW_MODE_MONITOR) {
-                ieee80211_monitor_rx(ieee, skb, rx_stats);
                 stats->rx_packets++;
                 stats->rx_bytes += skb->len;
+                ieee80211_monitor_rx(ieee, skb, rx_stats);
                 return 1;
         }
 
diff --git a/net/ieee80211/ieee80211_tx.c b/net/ieee80211/ieee80211_tx.c
index de148ae594f3..bf042139c7ab 100644
--- a/net/ieee80211/ieee80211_tx.c
+++ b/net/ieee80211/ieee80211_tx.c
@@ -562,10 +562,13 @@ int ieee80211_tx_frame(struct ieee80211_device *ieee,
         struct net_device_stats *stats = &ieee->stats;
         struct sk_buff *skb_frag;
         int priority = -1;
+        int fraglen = total_len;
+        int headroom = ieee->tx_headroom;
+        struct ieee80211_crypt_data *crypt = ieee->crypt[ieee->tx_keyidx];
 
         spin_lock_irqsave(&ieee->lock, flags);
 
-        if (encrypt_mpdu && !ieee->sec.encrypt)
+        if (encrypt_mpdu && (!ieee->sec.encrypt || !crypt))
                 encrypt_mpdu = 0;
 
         /* If there is no driver handler to take the TXB, dont' bother
@@ -581,20 +584,24 @@ int ieee80211_tx_frame(struct ieee80211_device *ieee,
                 goto success;
         }
 
-        if (encrypt_mpdu)
+        if (encrypt_mpdu) {
                 frame->frame_ctl |= cpu_to_le16(IEEE80211_FCTL_PROTECTED);
+                fraglen += crypt->ops->extra_mpdu_prefix_len +
+                           crypt->ops->extra_mpdu_postfix_len;
+                headroom += crypt->ops->extra_mpdu_prefix_len;
+        }
 
         /* When we allocate the TXB we allocate enough space for the reserve
          * and full fragment bytes (bytes_per_frag doesn't include prefix,
          * postfix, header, FCS, etc.) */
-        txb = ieee80211_alloc_txb(1, total_len, ieee->tx_headroom, GFP_ATOMIC);
+        txb = ieee80211_alloc_txb(1, fraglen, headroom, GFP_ATOMIC);
         if (unlikely(!txb)) {
                 printk(KERN_WARNING "%s: Could not allocate TXB\n",
                        ieee->dev->name);
                 goto failed;
         }
         txb->encrypted = 0;
-        txb->payload_size = total_len;
+        txb->payload_size = fraglen;
 
         skb_frag = txb->fragments[0];
 
diff --git a/net/ieee80211/ieee80211_wx.c b/net/ieee80211/ieee80211_wx.c
index a78c4f845f66..5cb9cfd35397 100644
--- a/net/ieee80211/ieee80211_wx.c
+++ b/net/ieee80211/ieee80211_wx.c
@@ -369,11 +369,10 @@ int ieee80211_wx_set_encode(struct ieee80211_device *ieee,
                 struct ieee80211_crypt_data *new_crypt;
 
                 /* take WEP into use */
-                new_crypt = kmalloc(sizeof(struct ieee80211_crypt_data),
+                new_crypt = kzalloc(sizeof(struct ieee80211_crypt_data),
                                     GFP_KERNEL);
                 if (new_crypt == NULL)
                         return -ENOMEM;
-                memset(new_crypt, 0, sizeof(struct ieee80211_crypt_data));
                 new_crypt->ops = ieee80211_get_crypto_ops("WEP");
                 if (!new_crypt->ops) {
                         request_module("ieee80211_crypt_wep");
@@ -616,13 +615,11 @@ int ieee80211_wx_set_encodeext(struct ieee80211_device *ieee,
 
                 ieee80211_crypt_delayed_deinit(ieee, crypt);
 
-                new_crypt = (struct ieee80211_crypt_data *)
-                    kmalloc(sizeof(*new_crypt), GFP_KERNEL);
+                new_crypt = kzalloc(sizeof(*new_crypt), GFP_KERNEL);
                 if (new_crypt == NULL) {
                         ret = -ENOMEM;
                         goto done;
                 }
-                memset(new_crypt, 0, sizeof(struct ieee80211_crypt_data));
                 new_crypt->ops = ops;
                 if (new_crypt->ops && try_module_get(new_crypt->ops->owner))
                         new_crypt->priv = new_crypt->ops->init(idx);
diff --git a/net/ieee80211/softmac/ieee80211softmac_assoc.c b/net/ieee80211/softmac/ieee80211softmac_assoc.c
index 5e9a90651d04..44215ce64d4e 100644
--- a/net/ieee80211/softmac/ieee80211softmac_assoc.c
+++ b/net/ieee80211/softmac/ieee80211softmac_assoc.c
@@ -47,9 +47,7 @@ ieee80211softmac_assoc(struct ieee80211softmac_device *mac, struct ieee80211soft
         
         dprintk(KERN_INFO PFX "sent association request!\n");
 
-        /* Change the state to associating */
         spin_lock_irqsave(&mac->lock, flags);
-        mac->associnfo.associating = 1;
         mac->associated = 0; /* just to make sure */
 
         /* Set a timer for timeout */
@@ -63,6 +61,7 @@ void
 ieee80211softmac_assoc_timeout(void *d)
 {
         struct ieee80211softmac_device *mac = (struct ieee80211softmac_device *)d;
+        struct ieee80211softmac_network *n;
         unsigned long flags;
 
         spin_lock_irqsave(&mac->lock, flags);
@@ -75,11 +74,12 @@ ieee80211softmac_assoc_timeout(void *d)
         mac->associnfo.associating = 0;
         mac->associnfo.bssvalid = 0;
         mac->associated = 0;
+
+        n = ieee80211softmac_get_network_by_bssid_locked(mac, mac->associnfo.bssid);
         spin_unlock_irqrestore(&mac->lock, flags);
 
         dprintk(KERN_INFO PFX "assoc request timed out!\n");
-        /* FIXME: we need to know the network here. that requires a bit of restructuring */
-        ieee80211softmac_call_events(mac, IEEE80211SOFTMAC_EVENT_ASSOCIATE_TIMEOUT, NULL);
+        ieee80211softmac_call_events(mac, IEEE80211SOFTMAC_EVENT_ASSOCIATE_TIMEOUT, n);
 }
 
 void
@@ -203,6 +203,10 @@ ieee80211softmac_assoc_work(void *d)
         if (mac->associated)
                 ieee80211softmac_send_disassoc_req(mac, WLAN_REASON_DISASSOC_STA_HAS_LEFT);
 
+        spin_lock_irqsave(&mac->lock, flags);
+        mac->associnfo.associating = 1;
+        spin_unlock_irqrestore(&mac->lock, flags);
+
         /* try to find the requested network in our list, if we found one already */
         if (bssvalid || mac->associnfo.bssfixed)
                 found = ieee80211softmac_get_network_by_bssid(mac, mac->associnfo.bssid);       
@@ -295,19 +299,32 @@ ieee80211softmac_assoc_work(void *d)
         memcpy(mac->associnfo.associate_essid.data, found->essid.data, IW_ESSID_MAX_SIZE + 1);
         
         /* we found a network! authenticate (if necessary) and associate to it. */
-        if (!found->authenticated) {
+        if (found->authenticating) {
+                dprintk(KERN_INFO PFX "Already requested authentication, waiting...\n");
+                if(!mac->associnfo.assoc_wait) {
+                        mac->associnfo.assoc_wait = 1;
+                        ieee80211softmac_notify_internal(mac, IEEE80211SOFTMAC_EVENT_ANY, found, ieee80211softmac_assoc_notify_auth, NULL, GFP_KERNEL);
+                }
+                return;
+        }
+        if (!found->authenticated && !found->authenticating) {
                 /* This relies on the fact that _auth_req only queues the work,
                  * otherwise adding the notification would be racy. */
                 if (!ieee80211softmac_auth_req(mac, found)) {
-                        dprintk(KERN_INFO PFX "cannot associate without being authenticated, requested authentication\n");
-                        ieee80211softmac_notify_internal(mac, IEEE80211SOFTMAC_EVENT_ANY, found, ieee80211softmac_assoc_notify_auth, NULL, GFP_KERNEL);
+                        if(!mac->associnfo.assoc_wait) {
+                                dprintk(KERN_INFO PFX "Cannot associate without being authenticated, requested authentication\n");
+                                mac->associnfo.assoc_wait = 1;
+                                ieee80211softmac_notify_internal(mac, IEEE80211SOFTMAC_EVENT_ANY, found, ieee80211softmac_assoc_notify_auth, NULL, GFP_KERNEL);
+                        }
                 } else {
                         printkl(KERN_WARNING PFX "Not authenticated, but requesting authentication failed. Giving up to associate\n");
+                        mac->associnfo.assoc_wait = 0;
                         ieee80211softmac_call_events(mac, IEEE80211SOFTMAC_EVENT_ASSOCIATE_FAILED, found);
                 }
                 return;
         }
         /* finally! now we can start associating */
+        mac->associnfo.assoc_wait = 0;
         ieee80211softmac_assoc(mac, found);
 }
 
diff --git a/net/ieee80211/softmac/ieee80211softmac_auth.c b/net/ieee80211/softmac/ieee80211softmac_auth.c
index 90b8484e509b..4cef39e171d0 100644
--- a/net/ieee80211/softmac/ieee80211softmac_auth.c
+++ b/net/ieee80211/softmac/ieee80211softmac_auth.c
@@ -36,8 +36,9 @@ ieee80211softmac_auth_req(struct ieee80211softmac_device *mac,
         struct ieee80211softmac_auth_queue_item *auth;
         unsigned long flags;
         
-        if (net->authenticating)
+        if (net->authenticating || net->authenticated)
                 return 0;
+        net->authenticating = 1;
 
         /* Add the network if it's not already added */
         ieee80211softmac_add_network(mac, net);
@@ -92,7 +93,6 @@ ieee80211softmac_auth_queue(void *data)
                         return;
                 }
                 net->authenticated = 0;
-                net->authenticating = 1;
                 /* add a timeout call so we eventually give up waiting for an auth reply */
                 schedule_delayed_work(&auth->work, IEEE80211SOFTMAC_AUTH_TIMEOUT);
                 auth->retry--;
@@ -116,6 +116,16 @@ ieee80211softmac_auth_queue(void *data)
         kfree(auth);
 }
 
+/* Sends a response to an auth challenge (for shared key auth). */
+static void
+ieee80211softmac_auth_challenge_response(void *_aq)
+{
+        struct ieee80211softmac_auth_queue_item *aq = _aq;
+
+        /* Send our response */
+        ieee80211softmac_send_mgt_frame(aq->mac, aq->net, IEEE80211_STYPE_AUTH, aq->state);
+}
+
 /* Handle the auth response from the AP
  * This should be registered with ieee80211 as handle_auth 
  */
@@ -197,24 +207,30 @@ ieee80211softmac_auth_resp(struct net_device *dev, struct ieee80211_auth *auth)
                 case IEEE80211SOFTMAC_AUTH_SHARED_CHALLENGE:
                         /* Check to make sure we have a challenge IE */
                         data = (u8 *)auth->info_element;
-                        if(*data++ != MFIE_TYPE_CHALLENGE){
+                        if (*data++ != MFIE_TYPE_CHALLENGE) {
                                 printkl(KERN_NOTICE PFX "Shared Key Authentication failed due to a missing challenge.\n");
                                 break;  
                         }
                         /* Save the challenge */
                         spin_lock_irqsave(&mac->lock, flags);
                         net->challenge_len = *data++;   
-                        if(net->challenge_len > WLAN_AUTH_CHALLENGE_LEN)
+                        if (net->challenge_len > WLAN_AUTH_CHALLENGE_LEN)
                                 net->challenge_len = WLAN_AUTH_CHALLENGE_LEN;
-                        if(net->challenge != NULL)
+                        if (net->challenge != NULL)
                                 kfree(net->challenge);
                         net->challenge = kmalloc(net->challenge_len, GFP_ATOMIC);
                         memcpy(net->challenge, data, net->challenge_len);
                         aq->state = IEEE80211SOFTMAC_AUTH_SHARED_RESPONSE; 
-                        spin_unlock_irqrestore(&mac->lock, flags);
 
-                        /* Send our response */
-                        ieee80211softmac_send_mgt_frame(mac, aq->net, IEEE80211_STYPE_AUTH, aq->state);
+                        /* We reuse the work struct from the auth request here.
+                         * It is safe to do so as each one is per-request, and
+                         * at this point (dealing with authentication response)
+                         * we have obviously already sent the initial auth
+                         * request. */
+                        cancel_delayed_work(&aq->work);
+                        INIT_WORK(&aq->work, &ieee80211softmac_auth_challenge_response, (void *)aq);
+                        schedule_work(&aq->work);
+                        spin_unlock_irqrestore(&mac->lock, flags);
                         return 0;
                 case IEEE80211SOFTMAC_AUTH_SHARED_PASS:
                         kfree(net->challenge);
diff --git a/net/ieee80211/softmac/ieee80211softmac_io.c b/net/ieee80211/softmac/ieee80211softmac_io.c
index 09541611e48c..6ae5a1dc7956 100644
--- a/net/ieee80211/softmac/ieee80211softmac_io.c
+++ b/net/ieee80211/softmac/ieee80211softmac_io.c
@@ -96,8 +96,7 @@ ieee80211softmac_alloc_mgt(u32 size)
         if(size > IEEE80211_DATA_LEN)
                 return NULL;
         /* Allocate the frame */
-        data = kmalloc(size, GFP_ATOMIC);
-        memset(data, 0, size);
+        data = kzalloc(size, GFP_ATOMIC);
         return data;
 }
 
@@ -229,6 +228,9 @@ ieee80211softmac_assoc_req(struct ieee80211_assoc_request **pkt,
                 return 0;
         ieee80211softmac_hdr_3addr(mac, &((*pkt)->header), IEEE80211_STYPE_ASSOC_REQ, net->bssid, net->bssid);
 
+        /* Fill in the capabilities */
+        (*pkt)->capability = ieee80211softmac_capabilities(mac, net);
+
         /* Fill in Listen Interval (?) */
         (*pkt)->listen_interval = cpu_to_le16(10);
         
diff --git a/net/ieee80211/softmac/ieee80211softmac_wx.c b/net/ieee80211/softmac/ieee80211softmac_wx.c
index 0e65ff4e33fc..75320b6842ab 100644
--- a/net/ieee80211/softmac/ieee80211softmac_wx.c
+++ b/net/ieee80211/softmac/ieee80211softmac_wx.c
@@ -70,12 +70,44 @@ ieee80211softmac_wx_set_essid(struct net_device *net_dev,
                               char *extra)
 {
         struct ieee80211softmac_device *sm = ieee80211_priv(net_dev);
+        struct ieee80211softmac_network *n;
+        struct ieee80211softmac_auth_queue_item *authptr;
         int length = 0;
         unsigned long flags;
-        
+
+        /* Check if we're already associating to this or another network
+         * If it's another network, cancel and start over with our new network
+         * If it's our network, ignore the change, we're already doing it!
+         */
+        if((sm->associnfo.associating || sm->associated) &&
+           (data->essid.flags && data->essid.length && extra)) {
+                /* Get the associating network */
+                n = ieee80211softmac_get_network_by_bssid(sm, sm->associnfo.bssid);
+                if(n && n->essid.len == (data->essid.length - 1) &&
+                   !memcmp(n->essid.data, extra, n->essid.len)) {
+                        dprintk(KERN_INFO PFX "Already associating or associated to "MAC_FMT"\n",
+                                MAC_ARG(sm->associnfo.bssid));
+                        return 0;
+                } else {
+                        dprintk(KERN_INFO PFX "Canceling existing associate request!\n");
+                        spin_lock_irqsave(&sm->lock,flags);
+                        /* Cancel assoc work */
+                        cancel_delayed_work(&sm->associnfo.work);
+                        /* We don't have to do this, but it's a little cleaner */
+                        list_for_each_entry(authptr, &sm->auth_queue, list)
+                                cancel_delayed_work(&authptr->work);
+                        sm->associnfo.bssvalid = 0;
+                        sm->associnfo.bssfixed = 0;
+                        spin_unlock_irqrestore(&sm->lock,flags);
+                        flush_scheduled_work();
+                }
+        }
+
+
         spin_lock_irqsave(&sm->lock, flags);
-        
+
         sm->associnfo.static_essid = 0;
+        sm->associnfo.assoc_wait = 0;
 
         if (data->essid.flags && data->essid.length && extra /*required?*/) {
                 length = min(data->essid.length - 1, IW_ESSID_MAX_SIZE);
diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
index da33393be45f..8514106761b0 100644
--- a/net/ipv4/Kconfig
+++ b/net/ipv4/Kconfig
@@ -572,16 +572,6 @@ config TCP_CONG_VENO
         loss packets.
         See http://www.ntu.edu.sg/home5/ZHOU0022/papers/CPFu03a.pdf
 
-config TCP_CONG_COMPOUND
-        tristate "TCP Compound"
-        depends on EXPERIMENTAL
-        default n
-        ---help---
-        TCP Compound is a sender-side only change to TCP that uses
-        a mixed Reno/Vegas approach to calculate the cwnd.
-        For further details look here:
-          ftp://ftp.research.microsoft.com/pub/tr/TR-2005-86.pdf
-
 endmenu
 
 config TCP_CONG_BIC
diff --git a/net/ipv4/Makefile b/net/ipv4/Makefile
index 38b8039bdd55..4878fc5be85f 100644
--- a/net/ipv4/Makefile
+++ b/net/ipv4/Makefile
@@ -47,7 +47,6 @@ obj-$(CONFIG_TCP_CONG_VEGAS) += tcp_vegas.o
 obj-$(CONFIG_TCP_CONG_VENO) += tcp_veno.o
 obj-$(CONFIG_TCP_CONG_SCALABLE) += tcp_scalable.o
 obj-$(CONFIG_TCP_CONG_LP) += tcp_lp.o
-obj-$(CONFIG_TCP_CONG_COMPOUND) += tcp_compound.o
 
 obj-$(CONFIG_XFRM) += xfrm4_policy.o xfrm4_state.o xfrm4_input.o \
                       xfrm4_output.o
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index 318d4674faa1..c84a32070f8d 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -1097,6 +1097,40 @@ int inet_sk_rebuild_header(struct sock *sk)
 
 EXPORT_SYMBOL(inet_sk_rebuild_header);
 
+static int inet_gso_send_check(struct sk_buff *skb)
+{
+        struct iphdr *iph;
+        struct net_protocol *ops;
+        int proto;
+        int ihl;
+        int err = -EINVAL;
+
+        if (unlikely(!pskb_may_pull(skb, sizeof(*iph))))
+                goto out;
+
+        iph = skb->nh.iph;
+        ihl = iph->ihl * 4;
+        if (ihl < sizeof(*iph))
+                goto out;
+
+        if (unlikely(!pskb_may_pull(skb, ihl)))
+                goto out;
+
+        skb->h.raw = __skb_pull(skb, ihl);
+        iph = skb->nh.iph;
+        proto = iph->protocol & (MAX_INET_PROTOS - 1);
+        err = -EPROTONOSUPPORT;
+
+        rcu_read_lock();
+        ops = rcu_dereference(inet_protos[proto]);
+        if (likely(ops && ops->gso_send_check))
+                err = ops->gso_send_check(skb);
+        rcu_read_unlock();
+
+out:
+        return err;
+}
+
 static struct sk_buff *inet_gso_segment(struct sk_buff *skb, int features)
 {
         struct sk_buff *segs = ERR_PTR(-EINVAL);
@@ -1162,6 +1196,7 @@ static struct net_protocol igmp_protocol = {
 static struct net_protocol tcp_protocol = {
         .handler =      tcp_v4_rcv,
         .err_handler =  tcp_v4_err,
+        .gso_send_check = tcp_v4_gso_send_check,
         .gso_segment =  tcp_tso_segment,
         .no_policy =    1,
 };
@@ -1208,6 +1243,7 @@ static int ipv4_proc_init(void);
 static struct packet_type ip_packet_type = {
         .type = __constant_htons(ETH_P_IP),
         .func = ip_rcv,
+        .gso_send_check = inet_gso_send_check,
         .gso_segment = inet_gso_segment,
 };
 
diff --git a/net/ipv4/ah4.c b/net/ipv4/ah4.c
index 8e748be36c5a..1366bc6ce6a5 100644
--- a/net/ipv4/ah4.c
+++ b/net/ipv4/ah4.c
@@ -215,12 +215,10 @@ static int ah_init_state(struct xfrm_state *x)
         if (x->encap)
                 goto error;
 
-        ahp = kmalloc(sizeof(*ahp), GFP_KERNEL);
+        ahp = kzalloc(sizeof(*ahp), GFP_KERNEL);
         if (ahp == NULL)
                 return -ENOMEM;
 
-        memset(ahp, 0, sizeof(*ahp));
-
         ahp->key = x->aalg->alg_key;
         ahp->key_len = (x->aalg->alg_key_len+7)/8;
         ahp->tfm = crypto_alloc_tfm(x->aalg->alg_name, 0);
diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index 7b51b3bdb548..c8a3723bc001 100644
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -1372,12 +1372,11 @@ static int arp_seq_open(struct inode *inode, struct file *file)
 {
         struct seq_file *seq;
         int rc = -ENOMEM;
-        struct neigh_seq_state *s = kmalloc(sizeof(*s), GFP_KERNEL);
+        struct neigh_seq_state *s = kzalloc(sizeof(*s), GFP_KERNEL);
        
         if (!s)
                 goto out;
 
-        memset(s, 0, sizeof(*s));
         rc = seq_open(file, &arp_seq_ops);
         if (rc)
                 goto out_kfree;
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index a7c65e9e5ec9..a6cc31d911eb 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -93,10 +93,9 @@ static void devinet_sysctl_unregister(struct ipv4_devconf *p);
 
 static struct in_ifaddr *inet_alloc_ifa(void)
 {
-        struct in_ifaddr *ifa = kmalloc(sizeof(*ifa), GFP_KERNEL);
+        struct in_ifaddr *ifa = kzalloc(sizeof(*ifa), GFP_KERNEL);
 
         if (ifa) {
-                memset(ifa, 0, sizeof(*ifa));
                 INIT_RCU_HEAD(&ifa->rcu_head);
         }
 
@@ -140,10 +139,9 @@ struct in_device *inetdev_init(struct net_device *dev)
 
         ASSERT_RTNL();
 
-        in_dev = kmalloc(sizeof(*in_dev), GFP_KERNEL);
+        in_dev = kzalloc(sizeof(*in_dev), GFP_KERNEL);
         if (!in_dev)
                 goto out;
-        memset(in_dev, 0, sizeof(*in_dev));
         INIT_RCU_HEAD(&in_dev->rcu_head);
         memcpy(&in_dev->cnf, &ipv4_devconf_dflt, sizeof(in_dev->cnf));
         in_dev->cnf.sysctl = NULL;
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 4e112738b3fa..fc2f8ce441de 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -316,12 +316,10 @@ static int esp_init_state(struct xfrm_state *x)
         if (x->ealg == NULL)
                 goto error;
 
-        esp = kmalloc(sizeof(*esp), GFP_KERNEL);
+        esp = kzalloc(sizeof(*esp), GFP_KERNEL);
         if (esp == NULL)
                 return -ENOMEM;
 
-        memset(esp, 0, sizeof(*esp));
-
         if (x->aalg) {
                 struct xfrm_algo_desc *aalg_desc;
 
diff --git a/net/ipv4/fib_hash.c b/net/ipv4/fib_hash.c
index 3c1d32ad35f2..72c633b357cf 100644
--- a/net/ipv4/fib_hash.c
+++ b/net/ipv4/fib_hash.c
@@ -204,11 +204,10 @@ static struct fn_zone *
 fn_new_zone(struct fn_hash *table, int z)
 {
         int i;
-        struct fn_zone *fz = kmalloc(sizeof(struct fn_zone), GFP_KERNEL);
+        struct fn_zone *fz = kzalloc(sizeof(struct fn_zone), GFP_KERNEL);
         if (!fz)
                 return NULL;
 
-        memset(fz, 0, sizeof(struct fn_zone));
         if (z) {
                 fz->fz_divisor = 16;
         } else {
@@ -1046,7 +1045,7 @@ static int fib_seq_open(struct inode *inode, struct file *file)
 {
         struct seq_file *seq;
         int rc = -ENOMEM;
-        struct fib_iter_state *s = kmalloc(sizeof(*s), GFP_KERNEL);
+        struct fib_iter_state *s = kzalloc(sizeof(*s), GFP_KERNEL);
        
         if (!s)
                 goto out;
@@ -1057,7 +1056,6 @@ static int fib_seq_open(struct inode *inode, struct file *file)
 
         seq          = file->private_data;
         seq->private = s;
-        memset(s, 0, sizeof(*s));
 out:
         return rc;
 out_kfree:
diff --git a/net/ipv4/fib_rules.c b/net/ipv4/fib_rules.c
index 6c642d11d4ca..79b04718bdfd 100644
--- a/net/ipv4/fib_rules.c
+++ b/net/ipv4/fib_rules.c
@@ -196,10 +196,9 @@ int inet_rtm_newrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg)
                 }
         }
 
-        new_r = kmalloc(sizeof(*new_r), GFP_KERNEL);
+        new_r = kzalloc(sizeof(*new_r), GFP_KERNEL);
         if (!new_r)
                 return -ENOMEM;
-        memset(new_r, 0, sizeof(*new_r));
 
         if (rta[RTA_SRC-1])
                 memcpy(&new_r->r_src, RTA_DATA(rta[RTA_SRC-1]), 4);
@@ -457,13 +456,13 @@ int inet_dump_rules(struct sk_buff *skb, struct netlink_callback *cb)
 
         rcu_read_lock();
         hlist_for_each_entry(r, node, &fib_rules, hlist) {
-
                 if (idx < s_idx)
-                        continue;
+                        goto next;
                 if (inet_fill_rule(skb, r, NETLINK_CB(cb->skb).pid,
                                    cb->nlh->nlmsg_seq,
                                    RTM_NEWRULE, NLM_F_MULTI) < 0)
                         break;
+next:
                 idx++;
         }
         rcu_read_unlock();
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index 5f87533684d5..51738000f3dc 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -159,7 +159,7 @@ void free_fib_info(struct fib_info *fi)
 
 void fib_release_info(struct fib_info *fi)
 {
-        write_lock(&fib_info_lock);
+        write_lock_bh(&fib_info_lock);
         if (fi && --fi->fib_treeref == 0) {
                 hlist_del(&fi->fib_hash);
                 if (fi->fib_prefsrc)
@@ -172,7 +172,7 @@ void fib_release_info(struct fib_info *fi)
                 fi->fib_dead = 1;
                 fib_info_put(fi);
         }
-        write_unlock(&fib_info_lock);
+        write_unlock_bh(&fib_info_lock);
 }
 
 static __inline__ int nh_comp(const struct fib_info *fi, const struct fib_info *ofi)
@@ -598,7 +598,7 @@ static void fib_hash_move(struct hlist_head *new_info_hash,
         unsigned int old_size = fib_hash_size;
         unsigned int i, bytes;
 
-        write_lock(&fib_info_lock);
+        write_lock_bh(&fib_info_lock);
         old_info_hash = fib_info_hash;
         old_laddrhash = fib_info_laddrhash;
         fib_hash_size = new_size;
@@ -639,7 +639,7 @@ static void fib_hash_move(struct hlist_head *new_info_hash,
         }
         fib_info_laddrhash = new_laddrhash;
 
-        write_unlock(&fib_info_lock);
+        write_unlock_bh(&fib_info_lock);
 
         bytes = old_size * sizeof(struct hlist_head *);
         fib_hash_free(old_info_hash, bytes);
@@ -709,11 +709,10 @@ fib_create_info(const struct rtmsg *r, struct kern_rta *rta,
                         goto failure;
         }
 
-        fi = kmalloc(sizeof(*fi)+nhs*sizeof(struct fib_nh), GFP_KERNEL);
+        fi = kzalloc(sizeof(*fi)+nhs*sizeof(struct fib_nh), GFP_KERNEL);
         if (fi == NULL)
                 goto failure;
         fib_info_cnt++;
-        memset(fi, 0, sizeof(*fi)+nhs*sizeof(struct fib_nh));
 
         fi->fib_protocol = r->rtm_protocol;
 
@@ -821,7 +820,7 @@ link_it:
 
         fi->fib_treeref++;
         atomic_inc(&fi->fib_clntref);
-        write_lock(&fib_info_lock);
+        write_lock_bh(&fib_info_lock);
         hlist_add_head(&fi->fib_hash,
                        &fib_info_hash[fib_info_hashfn(fi)]);
         if (fi->fib_prefsrc) {
@@ -840,7 +839,7 @@ link_it:
                 head = &fib_info_devhash[hash];
                 hlist_add_head(&nh->nh_hash, head);
         } endfor_nexthops(fi)
-        write_unlock(&fib_info_lock);
+        write_unlock_bh(&fib_info_lock);
         return fi;
 
 err_inval:
@@ -962,10 +961,6 @@ fib_dump_info(struct sk_buff *skb, u32 pid, u32 seq, int event,
         rtm->rtm_protocol = fi->fib_protocol;
         if (fi->fib_priority)
                 RTA_PUT(skb, RTA_PRIORITY, 4, &fi->fib_priority);
-#ifdef CONFIG_NET_CLS_ROUTE
-        if (fi->fib_nh[0].nh_tclassid)
-                RTA_PUT(skb, RTA_FLOW, 4, &fi->fib_nh[0].nh_tclassid);
-#endif
         if (rtnetlink_put_metrics(skb, fi->fib_metrics) < 0)
                 goto rtattr_failure;
         if (fi->fib_prefsrc)
@@ -975,6 +970,10 @@ fib_dump_info(struct sk_buff *skb, u32 pid, u32 seq, int event,
                         RTA_PUT(skb, RTA_GATEWAY, 4, &fi->fib_nh->nh_gw);
                 if (fi->fib_nh->nh_oif)
                         RTA_PUT(skb, RTA_OIF, sizeof(int), &fi->fib_nh->nh_oif);
+#ifdef CONFIG_NET_CLS_ROUTE
+                if (fi->fib_nh[0].nh_tclassid)
+                        RTA_PUT(skb, RTA_FLOW, 4, &fi->fib_nh[0].nh_tclassid);
+#endif
         }
 #ifdef CONFIG_IP_ROUTE_MULTIPATH
         if (fi->fib_nhs > 1) {
@@ -993,6 +992,10 @@ fib_dump_info(struct sk_buff *skb, u32 pid, u32 seq, int event,
                         nhp->rtnh_ifindex = nh->nh_oif;
                         if (nh->nh_gw)
                                 RTA_PUT(skb, RTA_GATEWAY, 4, &nh->nh_gw);
+#ifdef CONFIG_NET_CLS_ROUTE
+                        if (nh->nh_tclassid)
+                                RTA_PUT(skb, RTA_FLOW, 4, &nh->nh_tclassid);
+#endif
                         nhp->rtnh_len = skb->tail - (unsigned char*)nhp;
                 } endfor_nexthops(fi);
                 mp_head->rta_type = RTA_MULTIPATH;
diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index 1cb65305e102..23fb9d9768e3 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -1252,8 +1252,8 @@ fn_trie_insert(struct fib_table *tb, struct rtmsg *r, struct kern_rta *rta,
          */
 
         if (!fa_head) {
-                fa_head = fib_insert_node(t, &err, key, plen);
                 err = 0;
+                fa_head = fib_insert_node(t, &err, key, plen);
                 if (err)
                         goto out_free_new_fa;
         }
diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
index d299c8e547d6..8e8117c19e4d 100644
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -1028,10 +1028,9 @@ static void igmpv3_add_delrec(struct in_device *in_dev, struct ip_mc_list *im)
          * for deleted items allows change reports to use common code with
          * non-deleted or query-response MCA's.
          */
-        pmc = kmalloc(sizeof(*pmc), GFP_KERNEL);
+        pmc = kzalloc(sizeof(*pmc), GFP_KERNEL);
         if (!pmc)
                 return;
-        memset(pmc, 0, sizeof(*pmc));
         spin_lock_bh(&im->lock);
         pmc->interface = im->interface;
         in_dev_hold(in_dev);
@@ -1529,10 +1528,9 @@ static int ip_mc_add1_src(struct ip_mc_list *pmc, int sfmode,
                 psf_prev = psf;
         }
         if (!psf) {
-                psf = kmalloc(sizeof(*psf), GFP_ATOMIC);
+                psf = kzalloc(sizeof(*psf), GFP_ATOMIC);
                 if (!psf)
                         return -ENOBUFS;
-                memset(psf, 0, sizeof(*psf));
                 psf->sf_inaddr = *psfsrc;
                 if (psf_prev) {
                         psf_prev->sf_next = psf;
@@ -1795,29 +1793,35 @@ int ip_mc_leave_group(struct sock *sk, struct ip_mreqn *imr)
         struct in_device *in_dev;
         u32 group = imr->imr_multiaddr.s_addr;
         u32 ifindex;
+        int ret = -EADDRNOTAVAIL;
 
         rtnl_lock();
         in_dev = ip_mc_find_dev(imr);
-        if (!in_dev) {
-                rtnl_unlock();
-                return -ENODEV;
-        }
         ifindex = imr->imr_ifindex;
         for (imlp = &inet->mc_list; (iml = *imlp) != NULL; imlp = &iml->next) {
-                if (iml->multi.imr_multiaddr.s_addr == group &&
-                    iml->multi.imr_ifindex == ifindex) {
-                        (void) ip_mc_leave_src(sk, iml, in_dev);
+                if (iml->multi.imr_multiaddr.s_addr != group)
+                        continue;
+                if (ifindex) {
+                        if (iml->multi.imr_ifindex != ifindex)
+                                continue;
+                } else if (imr->imr_address.s_addr && imr->imr_address.s_addr !=
+                                iml->multi.imr_address.s_addr)
+                        continue;
+
+                (void) ip_mc_leave_src(sk, iml, in_dev);
 
-                        *imlp = iml->next;
+                *imlp = iml->next;
 
+                if (in_dev)
                         ip_mc_dec_group(in_dev, group);
-                        rtnl_unlock();
-                        sock_kfree_s(sk, iml, sizeof(*iml));
-                        return 0;
-                }
+                rtnl_unlock();
+                sock_kfree_s(sk, iml, sizeof(*iml));
+                return 0;
         }
+        if (!in_dev)
+                ret = -ENODEV;
         rtnl_unlock();
-        return -EADDRNOTAVAIL;
+        return ret;
 }
 
 int ip_mc_source(int add, int omode, struct sock *sk, struct
@@ -2201,13 +2205,13 @@ void ip_mc_drop_socket(struct sock *sk)
                 struct in_device *in_dev;
                 inet->mc_list = iml->next;
 
-                if ((in_dev = inetdev_by_index(iml->multi.imr_ifindex)) != NULL) {
-                        (void) ip_mc_leave_src(sk, iml, in_dev);
+                in_dev = inetdev_by_index(iml->multi.imr_ifindex);
+                (void) ip_mc_leave_src(sk, iml, in_dev);
+                if (in_dev != NULL) {
                         ip_mc_dec_group(in_dev, iml->multi.imr_multiaddr.s_addr);
                         in_dev_put(in_dev);
                 }
                 sock_kfree_s(sk, iml, sizeof(*iml));
-
         }
         rtnl_unlock();
 }
@@ -2380,7 +2384,7 @@ static int igmp_mc_seq_open(struct inode *inode, struct file *file)
 {
         struct seq_file *seq;
         int rc = -ENOMEM;
-        struct igmp_mc_iter_state *s = kmalloc(sizeof(*s), GFP_KERNEL);
+        struct igmp_mc_iter_state *s = kzalloc(sizeof(*s), GFP_KERNEL);
 
         if (!s)
                 goto out;
@@ -2390,7 +2394,6 @@ static int igmp_mc_seq_open(struct inode *inode, struct file *file)
 
         seq = file->private_data;
         seq->private = s;
-        memset(s, 0, sizeof(*s));
 out:
         return rc;
 out_kfree:
@@ -2555,7 +2558,7 @@ static int igmp_mcf_seq_open(struct inode *inode, struct file *file)
 {
         struct seq_file *seq;
         int rc = -ENOMEM;
-        struct igmp_mcf_iter_state *s = kmalloc(sizeof(*s), GFP_KERNEL);
+        struct igmp_mcf_iter_state *s = kzalloc(sizeof(*s), GFP_KERNEL);
 
         if (!s)
                 goto out;
@@ -2565,7 +2568,6 @@ static int igmp_mcf_seq_open(struct inode *inode, struct file *file)
 
         seq = file->private_data;
         seq->private = s;
-        memset(s, 0, sizeof(*s));
 out:
         return rc;
 out_kfree:
diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
index 8e7e41b66c79..492858e6faf0 100644
--- a/net/ipv4/inet_diag.c
+++ b/net/ipv4/inet_diag.c
@@ -909,11 +909,10 @@ static int __init inet_diag_init(void)
                                           sizeof(struct inet_diag_handler *));
         int err = -ENOMEM;
 
-        inet_diag_table = kmalloc(inet_diag_table_size, GFP_KERNEL);
+        inet_diag_table = kzalloc(inet_diag_table_size, GFP_KERNEL);
         if (!inet_diag_table)
                 goto out;
 
-        memset(inet_diag_table, 0, inet_diag_table_size);
         idiagnl = netlink_kernel_create(NETLINK_INET_DIAG, 0, inet_diag_rcv,
                                         THIS_MODULE);
         if (idiagnl == NULL)
diff --git a/net/ipv4/inetpeer.c b/net/ipv4/inetpeer.c
index 2160874ce7aa..03ff62ebcfeb 100644
--- a/net/ipv4/inetpeer.c
+++ b/net/ipv4/inetpeer.c
@@ -86,7 +86,7 @@ static struct inet_peer *peer_root = peer_avl_empty;
 static DEFINE_RWLOCK(peer_pool_lock);
 #define PEER_MAXDEPTH 40 /* sufficient for about 2^27 nodes */
 
-static volatile int peer_total;
+static int peer_total;
 /* Exported for sysctl_net_ipv4.  */
 int inet_peer_threshold = 65536 + 128;  /* start to throw entries more
                                          * aggressively at this stage */
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index 6ff9b10d9563..0f9b3a31997b 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -617,7 +617,6 @@ static int ipgre_rcv(struct sk_buff *skb)
                 skb->mac.raw = skb->nh.raw;
                 skb->nh.raw = __pskb_pull(skb, offset);
                 skb_postpull_rcsum(skb, skb->h.raw, offset);
-                memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
                 skb->pkt_type = PACKET_HOST;
 #ifdef CONFIG_NET_IPGRE_BROADCAST
                 if (MULTICAST(iph->daddr)) {
diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
index e1a7dba2fa8a..212734ca238f 100644
--- a/net/ipv4/ip_input.c
+++ b/net/ipv4/ip_input.c
@@ -428,6 +428,9 @@ int ip_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt,
                 goto drop;
         }
 
+        /* Remove any debris in the socket control block */
+        memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
+
         return NF_HOOK(PF_INET, NF_IP_PRE_ROUTING, skb, dev, NULL,
                        ip_rcv_finish);
 
diff --git a/net/ipv4/ip_options.c b/net/ipv4/ip_options.c
index cbcae6544622..406056edc02b 100644
--- a/net/ipv4/ip_options.c
+++ b/net/ipv4/ip_options.c
@@ -256,7 +256,6 @@ int ip_options_compile(struct ip_options * opt, struct sk_buff * skb)
 
         if (!opt) {
                 opt = &(IPCB(skb)->opt);
-                memset(opt, 0, sizeof(struct ip_options));
                 iph = skb->nh.raw;
                 opt->optlen = ((struct iphdr *)iph)->ihl*4 - sizeof(struct iphdr);
                 optptr = iph + sizeof(struct iphdr);
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index ca0e714613fb..a2ede167e045 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -209,7 +209,7 @@ static inline int ip_finish_output(struct sk_buff *skb)
                 return dst_output(skb);
         }
 #endif
-        if (skb->len > dst_mtu(skb->dst) && !skb_shinfo(skb)->gso_size)
+        if (skb->len > dst_mtu(skb->dst) && !skb_is_gso(skb))
                 return ip_fragment(skb, ip_finish_output2);
         else
                 return ip_finish_output2(skb);
@@ -440,6 +440,7 @@ int ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff*))
         iph = skb->nh.iph;
 
         if (unlikely((iph->frag_off & htons(IP_DF)) && !skb->local_df)) {
+                IP_INC_STATS(IPSTATS_MIB_FRAGFAILS);
                 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
                           htonl(dst_mtu(&rt->u.dst)));
                 kfree_skb(skb);
@@ -526,6 +527,8 @@ int ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff*))
 
                         err = output(skb);
 
+                        if (!err)
+                                IP_INC_STATS(IPSTATS_MIB_FRAGCREATES);
                         if (err || !frag)
                                 break;
 
@@ -649,9 +652,6 @@ slow_path:
                 /*
                  *      Put this fragment into the sending queue.
                  */
-
-                IP_INC_STATS(IPSTATS_MIB_FRAGCREATES);
-
                 iph->tot_len = htons(len + hlen);
 
                 ip_send_check(iph);
@@ -659,6 +659,8 @@ slow_path:
                 err = output(skb2);
                 if (err)
                         goto fail;
+
+                IP_INC_STATS(IPSTATS_MIB_FRAGCREATES);
         }
         kfree_skb(skb);
         IP_INC_STATS(IPSTATS_MIB_FRAGOKS);
@@ -946,7 +948,7 @@ alloc_new_skb:
                                 skb_prev->csum = csum_sub(skb_prev->csum,
                                                           skb->csum);
                                 data += fraggap;
-                                skb_trim(skb_prev, maxfraglen);
+                                pskb_trim_unique(skb_prev, maxfraglen);
                         }
 
                         copy = datalen - transhdrlen - fraggap;
@@ -1095,7 +1097,7 @@ ssize_t	ip_append_page(struct sock *sk, struct page *page,
         while (size > 0) {
                 int i;
 
-                if (skb_shinfo(skb)->gso_size)
+                if (skb_is_gso(skb))
                         len = size;
                 else {
 
@@ -1141,7 +1143,7 @@ ssize_t	ip_append_page(struct sock *sk, struct page *page,
                                         data, fraggap, 0);
                                 skb_prev->csum = csum_sub(skb_prev->csum,
                                                           skb->csum);
-                                skb_trim(skb_prev, maxfraglen);
+                                pskb_trim_unique(skb_prev, maxfraglen);
                         }
 
                         /*
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 84f43a3c9098..2d05c4133d3e 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -112,14 +112,19 @@ static void ip_cmsg_recv_retopts(struct msghdr *msg, struct sk_buff *skb)
 static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
 {
         char *secdata;
-        u32 seclen;
+        u32 seclen, secid;
         int err;
 
-        err = security_socket_getpeersec_dgram(skb, &secdata, &seclen);
+        err = security_socket_getpeersec_dgram(NULL, skb, &secid);
+        if (err)
+                return;
+
+        err = security_secid_to_secctx(secid, &secdata, &seclen);
         if (err)
                 return;
 
         put_cmsg(msg, SOL_IP, SCM_SECURITY, seclen, secdata);
+        security_release_secctx(secdata, seclen);
 }
 
 
diff --git a/net/ipv4/ipcomp.c b/net/ipv4/ipcomp.c
index 8e0374847532..a0c28b2b756e 100644
--- a/net/ipv4/ipcomp.c
+++ b/net/ipv4/ipcomp.c
@@ -70,7 +70,8 @@ static int ipcomp_decompress(struct xfrm_state *x, struct sk_buff *skb)
         if (err)
                 goto out;
                 
-        skb_put(skb, dlen - plen);
+        skb->truesize += dlen - plen;
+        __skb_put(skb, dlen - plen);
         memcpy(skb->data, scratch, dlen);
 out:    
         put_cpu();
@@ -409,11 +410,10 @@ static int ipcomp_init_state(struct xfrm_state *x)
                 goto out;
 
         err = -ENOMEM;
-        ipcd = kmalloc(sizeof(*ipcd), GFP_KERNEL);
+        ipcd = kzalloc(sizeof(*ipcd), GFP_KERNEL);
         if (!ipcd)
                 goto out;
 
-        memset(ipcd, 0, sizeof(*ipcd));
         x->props.header_len = 0;
         if (x->props.mode)
                 x->props.header_len += sizeof(struct iphdr);
diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c
index 3291d5192aad..76ab50b0d6ef 100644
--- a/net/ipv4/ipip.c
+++ b/net/ipv4/ipip.c
@@ -487,7 +487,6 @@ static int ipip_rcv(struct sk_buff *skb)
 
                 skb->mac.raw = skb->nh.raw;
                 skb->nh.raw = skb->data;
-                memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
                 skb->protocol = htons(ETH_P_IP);
                 skb->pkt_type = PACKET_HOST;
 
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index ba33f8621c67..85893eef6b16 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -1461,7 +1461,6 @@ int pim_rcv_v1(struct sk_buff * skb)
         skb_pull(skb, (u8*)encap - skb->data);
         skb->nh.iph = (struct iphdr *)skb->data;
         skb->dev = reg_dev;
-        memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
         skb->protocol = htons(ETH_P_IP);
         skb->ip_summed = 0;
         skb->pkt_type = PACKET_HOST;
@@ -1517,7 +1516,6 @@ static int pim_rcv(struct sk_buff * skb)
         skb_pull(skb, (u8*)encap - skb->data);
         skb->nh.iph = (struct iphdr *)skb->data;
         skb->dev = reg_dev;
-        memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
         skb->protocol = htons(ETH_P_IP);
         skb->ip_summed = 0;
         skb->pkt_type = PACKET_HOST;
@@ -1580,6 +1578,7 @@ int ipmr_get_route(struct sk_buff *skb, struct rtmsg *rtm, int nowait)
         cache = ipmr_cache_find(rt->rt_src, rt->rt_dst);
 
         if (cache==NULL) {
+                struct sk_buff *skb2;
                 struct net_device *dev;
                 int vif;
 
@@ -1593,12 +1592,18 @@ int ipmr_get_route(struct sk_buff *skb, struct rtmsg *rtm, int nowait)
                         read_unlock(&mrt_lock);
                         return -ENODEV;
                 }
-                skb->nh.raw = skb_push(skb, sizeof(struct iphdr));
-                skb->nh.iph->ihl = sizeof(struct iphdr)>>2;
-                skb->nh.iph->saddr = rt->rt_src;
-                skb->nh.iph->daddr = rt->rt_dst;
-                skb->nh.iph->version = 0;
-                err = ipmr_cache_unresolved(vif, skb);
+                skb2 = skb_clone(skb, GFP_ATOMIC);
+                if (!skb2) {
+                        read_unlock(&mrt_lock);
+                        return -ENOMEM;
+                }
+
+                skb2->nh.raw = skb_push(skb2, sizeof(struct iphdr));
+                skb2->nh.iph->ihl = sizeof(struct iphdr)>>2;
+                skb2->nh.iph->saddr = rt->rt_src;
+                skb2->nh.iph->daddr = rt->rt_dst;
+                skb2->nh.iph->version = 0;
+                err = ipmr_cache_unresolved(vif, skb2);
                 read_unlock(&mrt_lock);
                 return err;
         }
diff --git a/net/ipv4/ipvs/ip_vs_ctl.c b/net/ipv4/ipvs/ip_vs_ctl.c
index f28ec6882162..6a28fafe910c 100644
--- a/net/ipv4/ipvs/ip_vs_ctl.c
+++ b/net/ipv4/ipvs/ip_vs_ctl.c
@@ -735,12 +735,11 @@ ip_vs_new_dest(struct ip_vs_service *svc, struct ip_vs_dest_user *udest,
         if (atype != RTN_LOCAL && atype != RTN_UNICAST)
                 return -EINVAL;
 
-        dest = kmalloc(sizeof(struct ip_vs_dest), GFP_ATOMIC);
+        dest = kzalloc(sizeof(struct ip_vs_dest), GFP_ATOMIC);
         if (dest == NULL) {
                 IP_VS_ERR("ip_vs_new_dest: kmalloc failed.\n");
                 return -ENOMEM;
         }
-        memset(dest, 0, sizeof(struct ip_vs_dest));
 
         dest->protocol = svc->protocol;
         dest->vaddr = svc->addr;
@@ -1050,14 +1049,12 @@ ip_vs_add_service(struct ip_vs_service_user *u, struct ip_vs_service **svc_p)
                 goto out_mod_dec;
         }
 
-        svc = (struct ip_vs_service *)
-                kmalloc(sizeof(struct ip_vs_service), GFP_ATOMIC);
+        svc = kzalloc(sizeof(struct ip_vs_service), GFP_ATOMIC);
         if (svc == NULL) {
                 IP_VS_DBG(1, "ip_vs_add_service: kmalloc failed.\n");
                 ret = -ENOMEM;
                 goto out_err;
         }
-        memset(svc, 0, sizeof(struct ip_vs_service));
 
         /* I'm the first user of the service */
         atomic_set(&svc->usecnt, 1);
@@ -1797,7 +1794,7 @@ static int ip_vs_info_open(struct inode *inode, struct file *file)
 {
         struct seq_file *seq;
         int rc = -ENOMEM;
-        struct ip_vs_iter *s = kmalloc(sizeof(*s), GFP_KERNEL);
+        struct ip_vs_iter *s = kzalloc(sizeof(*s), GFP_KERNEL);
 
         if (!s)
                 goto out;
@@ -1808,7 +1805,6 @@ static int ip_vs_info_open(struct inode *inode, struct file *file)
 
         seq          = file->private_data;
         seq->private = s;
-        memset(s, 0, sizeof(*s));
 out:
         return rc;
 out_kfree:
diff --git a/net/ipv4/ipvs/ip_vs_est.c b/net/ipv4/ipvs/ip_vs_est.c
index 4c1940381ba0..7d68b80c4c19 100644
--- a/net/ipv4/ipvs/ip_vs_est.c
+++ b/net/ipv4/ipvs/ip_vs_est.c
@@ -123,11 +123,10 @@ int ip_vs_new_estimator(struct ip_vs_stats *stats)
 {
         struct ip_vs_estimator *est;
 
-        est = kmalloc(sizeof(*est), GFP_KERNEL);
+        est = kzalloc(sizeof(*est), GFP_KERNEL);
         if (est == NULL)
                 return -ENOMEM;
 
-        memset(est, 0, sizeof(*est));
         est->stats = stats;
         est->last_conns = stats->conns;
         est->cps = stats->cps<<10;
diff --git a/net/ipv4/ipvs/ip_vs_ftp.c b/net/ipv4/ipvs/ip_vs_ftp.c
index a19a33ceb811..37fafb1fbcff 100644
--- a/net/ipv4/ipvs/ip_vs_ftp.c
+++ b/net/ipv4/ipvs/ip_vs_ftp.c
@@ -46,14 +46,7 @@
  */
 static int ports[IP_VS_APP_MAX_PORTS] = {21, 0};
 module_param_array(ports, int, NULL, 0);
-
-/*
- *      Debug level
- */
-#ifdef CONFIG_IP_VS_DEBUG
-static int debug=0;
-module_param(debug, int, 0);
-#endif
+MODULE_PARM_DESC(ports, "Ports to monitor for FTP control commands");
 
 
 /*      Dummy variable */
@@ -177,7 +170,7 @@ static int ip_vs_ftp_out(struct ip_vs_app *app, struct ip_vs_conn *cp,
                                            &start, &end) != 1)
                         return 1;
 
-                IP_VS_DBG(1-debug, "PASV response (%u.%u.%u.%u:%d) -> "
+                IP_VS_DBG(7, "PASV response (%u.%u.%u.%u:%d) -> "
                           "%u.%u.%u.%u:%d detected\n",
                           NIPQUAD(from), ntohs(port), NIPQUAD(cp->caddr), 0);
 
@@ -280,7 +273,7 @@ static int ip_vs_ftp_in(struct ip_vs_app *app, struct ip_vs_conn *cp,
         while (data <= data_limit - 6) {
                 if (strnicmp(data, "PASV\r\n", 6) == 0) {
                         /* Passive mode on */
-                        IP_VS_DBG(1-debug, "got PASV at %zd of %zd\n",
+                        IP_VS_DBG(7, "got PASV at %zd of %zd\n",
                                   data - data_start,
                                   data_limit - data_start);
                         cp->app_data = &ip_vs_ftp_pasv;
@@ -302,7 +295,7 @@ static int ip_vs_ftp_in(struct ip_vs_app *app, struct ip_vs_conn *cp,
                                    &start, &end) != 1)
                 return 1;
 
-        IP_VS_DBG(1-debug, "PORT %u.%u.%u.%u:%d detected\n",
+        IP_VS_DBG(7, "PORT %u.%u.%u.%u:%d detected\n",
                   NIPQUAD(to), ntohs(port));
 
         /* Passive mode off */
@@ -311,7 +304,7 @@ static int ip_vs_ftp_in(struct ip_vs_app *app, struct ip_vs_conn *cp,
         /*
          * Now update or create a connection entry for it
          */
-        IP_VS_DBG(1-debug, "protocol %s %u.%u.%u.%u:%d %u.%u.%u.%u:%d\n",
+        IP_VS_DBG(7, "protocol %s %u.%u.%u.%u:%d %u.%u.%u.%u:%d\n",
                   ip_vs_proto_name(iph->protocol),
                   NIPQUAD(to), ntohs(port), NIPQUAD(cp->vaddr), 0);
 
@@ -372,11 +365,17 @@ static int __init ip_vs_ftp_init(void)
         for (i=0; i<IP_VS_APP_MAX_PORTS; i++) {
                 if (!ports[i])
                         continue;
+                if (ports[i] < 0 || ports[i] > 0xffff) {
+                        IP_VS_WARNING("ip_vs_ftp: Ignoring invalid "
+                                      "configuration port[%d] = %d\n",
+                                      i, ports[i]);
+                        continue;
+                }
                 ret = register_ip_vs_app_inc(app, app->protocol, ports[i]);
                 if (ret)
                         break;
-                IP_VS_DBG(1-debug, "%s: loaded support on port[%d] = %d\n",
-                          app->name, i, ports[i]);
+                IP_VS_INFO("%s: loaded support on port[%d] = %d\n",
+                           app->name, i, ports[i]);
         }
 
         if (ret)
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 80c73ca90116..8d1d7a6e72a5 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -236,7 +236,7 @@ unsigned int arpt_do_table(struct sk_buff **pskb,
         struct arpt_entry *e, *back;
         const char *indev, *outdev;
         void *table_base;
-        struct xt_table_info *private = table->private;
+        struct xt_table_info *private;
 
         /* ARP header, plus 2 device addresses, plus 2 IP addresses.  */
         if (!pskb_may_pull((*pskb), (sizeof(struct arphdr) +
@@ -248,6 +248,7 @@ unsigned int arpt_do_table(struct sk_buff **pskb,
         outdev = out ? out->name : nulldevname;
 
         read_lock_bh(&table->lock);
+        private = table->private;
         table_base = (void *)private->entries[smp_processor_id()];
         e = get_entry(table_base, private->hook_entry[hook]);
         back = get_entry(table_base, private->underflow[hook]);
@@ -1170,21 +1171,34 @@ static int __init arp_tables_init(void)
 {
         int ret;
 
-        xt_proto_init(NF_ARP);
+        ret = xt_proto_init(NF_ARP);
+        if (ret < 0)
+                goto err1;
 
         /* Noone else will be downing sem now, so we won't sleep */
-        xt_register_target(&arpt_standard_target);
-        xt_register_target(&arpt_error_target);
+        ret = xt_register_target(&arpt_standard_target);
+        if (ret < 0)
+                goto err2;
+        ret = xt_register_target(&arpt_error_target);
+        if (ret < 0)
+                goto err3;
 
         /* Register setsockopt */
         ret = nf_register_sockopt(&arpt_sockopts);
-        if (ret < 0) {
-                duprintf("Unable to register sockopts.\n");
-                return ret;
-        }
+        if (ret < 0)
+                goto err4;
 
         printk("arp_tables: (C) 2002 David S. Miller\n");
         return 0;
+
+err4:
+        xt_unregister_target(&arpt_error_target);
+err3:
+        xt_unregister_target(&arpt_standard_target);
+err2:
+        xt_proto_fini(NF_ARP);
+err1:
+        return ret;
 }
 
 static void __exit arp_tables_fini(void)
diff --git a/net/ipv4/netfilter/ip_conntrack_helper_h323.c b/net/ipv4/netfilter/ip_conntrack_helper_h323.c
index af35235672d5..9a39e2969712 100644
--- a/net/ipv4/netfilter/ip_conntrack_helper_h323.c
+++ b/net/ipv4/netfilter/ip_conntrack_helper_h323.c
@@ -1200,7 +1200,7 @@ static struct ip_conntrack_expect *find_expect(struct ip_conntrack *ct,
         tuple.dst.protonum = IPPROTO_TCP;
 
         exp = __ip_conntrack_expect_find(&tuple);
-        if (exp->master == ct)
+        if (exp && exp->master == ct)
                 return exp;
         return NULL;
 }
diff --git a/net/ipv4/netfilter/ip_conntrack_netlink.c b/net/ipv4/netfilter/ip_conntrack_netlink.c
index 33891bb1fde4..0d4cc92391fa 100644
--- a/net/ipv4/netfilter/ip_conntrack_netlink.c
+++ b/net/ipv4/netfilter/ip_conntrack_netlink.c
@@ -415,21 +415,18 @@ ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
                         cb->args[0], *id);
 
         read_lock_bh(&ip_conntrack_lock);
+        last = (struct ip_conntrack *)cb->args[1];
         for (; cb->args[0] < ip_conntrack_htable_size; cb->args[0]++) {
 restart:
-                last = (struct ip_conntrack *)cb->args[1];
                 list_for_each_prev(i, &ip_conntrack_hash[cb->args[0]]) {
                         h = (struct ip_conntrack_tuple_hash *) i;
                         if (DIRECTION(h) != IP_CT_DIR_ORIGINAL)
                                 continue;
                         ct = tuplehash_to_ctrack(h);
-                        if (last != NULL) {
-                                if (ct == last) {
-                                        ip_conntrack_put(last);
-                                        cb->args[1] = 0;
-                                        last = NULL;
-                                } else
+                        if (cb->args[1]) {
+                                if (ct != last)
                                         continue;
+                                cb->args[1] = 0;
                         }
                         if (ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).pid,
                                                 cb->nlh->nlmsg_seq,
@@ -440,17 +437,17 @@ restart:
                                 goto out;
                         }
                 }
-                if (last != NULL) {
-                        ip_conntrack_put(last);
+                if (cb->args[1]) {
                         cb->args[1] = 0;
                         goto restart;
                 }
         }
 out:
         read_unlock_bh(&ip_conntrack_lock);
+        if (last)
+                ip_conntrack_put(last);
 
         DEBUGP("leaving, last bucket=%lu id=%u\n", cb->args[0], *id);
-
         return skb->len;
 }
 
diff --git a/net/ipv4/netfilter/ip_conntrack_sip.c b/net/ipv4/netfilter/ip_conntrack_sip.c
index fc87ce0da40d..4f222d6be009 100644
--- a/net/ipv4/netfilter/ip_conntrack_sip.c
+++ b/net/ipv4/netfilter/ip_conntrack_sip.c
@@ -442,7 +442,7 @@ static int __init init(void)
                 sip[i].tuple.src.u.udp.port = htons(ports[i]);
                 sip[i].mask.src.u.udp.port = 0xFFFF;
                 sip[i].mask.dst.protonum = 0xFF;
-                sip[i].max_expected = 1;
+                sip[i].max_expected = 2;
                 sip[i].timeout = 3 * 60; /* 3 minutes */
                 sip[i].me = THIS_MODULE;
                 sip[i].help = sip_help;
diff --git a/net/ipv4/netfilter/ip_conntrack_standalone.c b/net/ipv4/netfilter/ip_conntrack_standalone.c
index 7bd3c22003a2..7a9fa04a467a 100644
--- a/net/ipv4/netfilter/ip_conntrack_standalone.c
+++ b/net/ipv4/netfilter/ip_conntrack_standalone.c
@@ -534,6 +534,8 @@ static struct nf_hook_ops ip_conntrack_ops[] = {
 
 /* Sysctl support */
 
+int ip_conntrack_checksum = 1;
+
 #ifdef CONFIG_SYSCTL
 
 /* From ip_conntrack_core.c */
@@ -568,8 +570,6 @@ extern unsigned int ip_ct_generic_timeout;
 static int log_invalid_proto_min = 0;
 static int log_invalid_proto_max = 255;
 
-int ip_conntrack_checksum = 1;
-
 static struct ctl_table_header *ip_ct_sysctl_header;
 
 static ctl_table ip_ct_sysctl_table[] = {
diff --git a/net/ipv4/netfilter/ip_nat_snmp_basic.c b/net/ipv4/netfilter/ip_nat_snmp_basic.c
index 0b1b416759cc..18b7fbdccb61 100644
--- a/net/ipv4/netfilter/ip_nat_snmp_basic.c
+++ b/net/ipv4/netfilter/ip_nat_snmp_basic.c
@@ -1255,9 +1255,9 @@ static int help(struct sk_buff **pskb,
         struct udphdr *udph = (struct udphdr *)((u_int32_t *)iph + iph->ihl);
 
         /* SNMP replies and originating SNMP traps get mangled */
-        if (udph->source == ntohs(SNMP_PORT) && dir != IP_CT_DIR_REPLY)
+        if (udph->source == htons(SNMP_PORT) && dir != IP_CT_DIR_REPLY)
                 return NF_ACCEPT;
-        if (udph->dest == ntohs(SNMP_TRAP_PORT) && dir != IP_CT_DIR_ORIGINAL)
+        if (udph->dest == htons(SNMP_TRAP_PORT) && dir != IP_CT_DIR_ORIGINAL)
                 return NF_ACCEPT;
 
         /* No NAT? */
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index fc5bdd5eb7d3..048514f15f2f 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -230,7 +230,7 @@ ipt_do_table(struct sk_buff **pskb,
         const char *indev, *outdev;
         void *table_base;
         struct ipt_entry *e, *back;
-        struct xt_table_info *private = table->private;
+        struct xt_table_info *private;
 
         /* Initialization */
         ip = (*pskb)->nh.iph;
@@ -247,6 +247,7 @@ ipt_do_table(struct sk_buff **pskb,
 
         read_lock_bh(&table->lock);
         IP_NF_ASSERT(table->valid_hooks & (1 << hook));
+        private = table->private;
         table_base = (void *)private->entries[smp_processor_id()];
         e = get_entry(table_base, private->hook_entry[hook]);
 
@@ -2239,22 +2240,39 @@ static int __init ip_tables_init(void)
 {
         int ret;
 
-        xt_proto_init(AF_INET);
+        ret = xt_proto_init(AF_INET);
+        if (ret < 0)
+                goto err1;
 
         /* Noone else will be downing sem now, so we won't sleep */
-        xt_register_target(&ipt_standard_target);
-        xt_register_target(&ipt_error_target);
-        xt_register_match(&icmp_matchstruct);
+        ret = xt_register_target(&ipt_standard_target);
+        if (ret < 0)
+                goto err2;
+        ret = xt_register_target(&ipt_error_target);
+        if (ret < 0)
+                goto err3;
+        ret = xt_register_match(&icmp_matchstruct);
+        if (ret < 0)
+                goto err4;
 
         /* Register setsockopt */
         ret = nf_register_sockopt(&ipt_sockopts);
-        if (ret < 0) {
-                duprintf("Unable to register sockopts.\n");
-                return ret;
-        }
+        if (ret < 0)
+                goto err5;
 
         printk("ip_tables: (C) 2000-2006 Netfilter Core Team\n");
         return 0;
+
+err5:
+        xt_unregister_match(&icmp_matchstruct);
+err4:
+        xt_unregister_target(&ipt_error_target);
+err3:
+        xt_unregister_target(&ipt_standard_target);
+err2:
+        xt_proto_fini(AF_INET);
+err1:
+        return ret;
 }
 
 static void __exit ip_tables_fini(void)
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index cbffeae3f565..d994c5f5744c 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -172,11 +172,10 @@ clusterip_config_init(struct ipt_clusterip_tgt_info *i, u_int32_t ip,
         struct clusterip_config *c;
         char buffer[16];
 
-        c = kmalloc(sizeof(*c), GFP_ATOMIC);
+        c = kzalloc(sizeof(*c), GFP_ATOMIC);
         if (!c)
                 return NULL;
 
-        memset(c, 0, sizeof(*c));
         c->dev = dev;
         c->clusterip = ip;
         memcpy(&c->clustermac, &i->clustermac, ETH_ALEN);
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c
index d7dd7fe7051c..d46fd677fa11 100644
--- a/net/ipv4/netfilter/ipt_ULOG.c
+++ b/net/ipv4/netfilter/ipt_ULOG.c
@@ -115,6 +115,11 @@ static void ulog_send(unsigned int nlgroupnum)
                 del_timer(&ub->timer);
         }
 
+        if (!ub->skb) {
+                DEBUGP("ipt_ULOG: ulog_send: nothing to send\n");
+                return;
+        }
+
         /* last nlmsg needs NLMSG_DONE */
         if (ub->qlen > 1)
                 ub->lastnlh->nlmsg_type = NLMSG_DONE;
diff --git a/net/ipv4/netfilter/ipt_hashlimit.c b/net/ipv4/netfilter/ipt_hashlimit.c
index 92980ab8ce48..3bd2368e1fc9 100644
--- a/net/ipv4/netfilter/ipt_hashlimit.c
+++ b/net/ipv4/netfilter/ipt_hashlimit.c
@@ -454,15 +454,12 @@ hashlimit_match(const struct sk_buff *skb,
                 dh->rateinfo.credit_cap = user2credits(hinfo->cfg.avg * 
                                                         hinfo->cfg.burst);
                 dh->rateinfo.cost = user2credits(hinfo->cfg.avg);
-
-                spin_unlock_bh(&hinfo->lock);
-                return 1;
+        } else {
+                /* update expiration timeout */
+                dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire);
+                rateinfo_recalc(dh, now);
         }
 
-        /* update expiration timeout */
-        dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire);
-
-        rateinfo_recalc(dh, now);
         if (dh->rateinfo.credit >= dh->rateinfo.cost) {
                 /* We're underlimit. */
                 dh->rateinfo.credit -= dh->rateinfo.cost;
@@ -508,6 +505,9 @@ hashlimit_checkentry(const char *tablename,
         if (!r->cfg.expire)
                 return 0;
 
+        if (r->name[sizeof(r->name) - 1] != '\0')
+                return 0;
+
         /* This is the best we've got: We cannot release and re-grab lock,
          * since checkentry() is called before ip_tables.c grabs ipt_mutex.  
          * We also cannot grab the hashtable spinlock, since htable_create will 
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index bd221ec3f81e..62b2762a2420 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -609,6 +609,7 @@ static int raw_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
         if (sin) {
                 sin->sin_family = AF_INET;
                 sin->sin_addr.s_addr = skb->nh.iph->saddr;
+                sin->sin_port = 0;
                 memset(&sin->sin_zero, 0, sizeof(sin->sin_zero));
         }
         if (inet->cmsg_flags)
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 2dc6dbb28467..b873cbcdd0b8 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -104,6 +104,7 @@
 #include <net/icmp.h>
 #include <net/xfrm.h>
 #include <net/ip_mp_alg.h>
+#include <net/netevent.h>
 #ifdef CONFIG_SYSCTL
 #include <linux/sysctl.h>
 #endif
@@ -1125,6 +1126,7 @@ void ip_rt_redirect(u32 old_gw, u32 daddr, u32 new_gw,
         struct rtable *rth, **rthp;
         u32  skeys[2] = { saddr, 0 };
         int  ikeys[2] = { dev->ifindex, 0 };
+        struct netevent_redirect netevent;
 
         if (!in_dev)
                 return;
@@ -1216,6 +1218,11 @@ void ip_rt_redirect(u32 old_gw, u32 daddr, u32 new_gw,
                                         rt_drop(rt);
                                         goto do_next;
                                 }
+                                
+                                netevent.old = &rth->u.dst;
+                                netevent.new = &rt->u.dst;
+                                call_netevent_notifiers(NETEVENT_REDIRECT, 
+                                                        &netevent);
 
                                 rt_del(hash, rth);
                                 if (!rt_intern_hash(hash, rt, &rt))
@@ -1452,6 +1459,7 @@ static void ip_rt_update_pmtu(struct dst_entry *dst, u32 mtu)
                 }
                 dst->metrics[RTAX_MTU-1] = mtu;
                 dst_set_expires(dst, ip_rt_mtu_expires);
+                call_netevent_notifiers(NETEVENT_PMTU_UPDATE, dst);
         }
 }
 
@@ -3149,7 +3157,7 @@ int __init ip_rt_init(void)
                                         rhash_entries,
                                         (num_physpages >= 128 * 1024) ?
                                         15 : 17,
-                                        HASH_HIGHMEM,
+                                        0,
                                         &rt_hash_log,
                                         &rt_hash_mask,
                                         0);
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index f6a2d9223d07..934396bb1376 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -1132,7 +1132,7 @@ int tcp_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
         tp->ucopy.dma_chan = NULL;
         preempt_disable();
         if ((len > sysctl_tcp_dma_copybreak) && !(flags & MSG_PEEK) &&
-            !sysctl_tcp_low_latency && __get_cpu_var(softnet_data.net_dma)) {
+            !sysctl_tcp_low_latency && __get_cpu_var(softnet_data).net_dma) {
                 preempt_enable_no_resched();
                 tp->ucopy.pinned_list = dma_pin_iovec_pages(msg->msg_iov, len);
         } else
@@ -1659,7 +1659,8 @@ adjudge_to_death:
                         const int tmo = tcp_fin_time(sk);
 
                         if (tmo > TCP_TIMEWAIT_LEN) {
-                                inet_csk_reset_keepalive_timer(sk, tcp_fin_time(sk));
+                                inet_csk_reset_keepalive_timer(sk,
+                                                tmo - TCP_TIMEWAIT_LEN);
                         } else {
                                 tcp_time_wait(sk, TCP_FIN_WAIT2, tmo);
                                 goto out;
diff --git a/net/ipv4/tcp_compound.c b/net/ipv4/tcp_compound.c
deleted file mode 100644
index bc54f7e9aea9..000000000000
--- a/net/ipv4/tcp_compound.c
+++ /dev/null
@@ -1,448 +0,0 @@
-/*
- * TCP Vegas congestion control
- *
- * This is based on the congestion detection/avoidance scheme described in
- *    Lawrence S. Brakmo and Larry L. Peterson.
- *    "TCP Vegas: End to end congestion avoidance on a global internet."
- *    IEEE Journal on Selected Areas in Communication, 13(8):1465--1480,
- *    October 1995. Available from:
- *      ftp://ftp.cs.arizona.edu/xkernel/Papers/jsac.ps
- *
- * See http://www.cs.arizona.edu/xkernel/ for their implementation.
- * The main aspects that distinguish this implementation from the
- * Arizona Vegas implementation are:
- *   o We do not change the loss detection or recovery mechanisms of
- *     Linux in any way. Linux already recovers from losses quite well,
- *     using fine-grained timers, NewReno, and FACK.
- *   o To avoid the performance penalty imposed by increasing cwnd
- *     only every-other RTT during slow start, we increase during
- *     every RTT during slow start, just like Reno.
- *   o Largely to allow continuous cwnd growth during slow start,
- *     we use the rate at which ACKs come back as the "actual"
- *     rate, rather than the rate at which data is sent.
- *   o To speed convergence to the right rate, we set the cwnd
- *     to achieve the right ("actual") rate when we exit slow start.
- *   o To filter out the noise caused by delayed ACKs, we use the
- *     minimum RTT sample observed during the last RTT to calculate
- *     the actual rate.
- *   o When the sender re-starts from idle, it waits until it has
- *     received ACKs for an entire flight of new data before making
- *     a cwnd adjustment decision. The original Vegas implementation
- *     assumed senders never went idle.
- *
- *
- *   TCP Compound based on TCP Vegas
- *
- *   further details can be found here:
- *      ftp://ftp.research.microsoft.com/pub/tr/TR-2005-86.pdf
- */
-
-#include <linux/config.h>
-#include <linux/mm.h>
-#include <linux/module.h>
-#include <linux/skbuff.h>
-#include <linux/inet_diag.h>
-
-#include <net/tcp.h>
-
-/* Default values of the Vegas variables, in fixed-point representation
- * with V_PARAM_SHIFT bits to the right of the binary point.
- */
-#define V_PARAM_SHIFT 1
-
-#define TCP_COMPOUND_ALPHA          3U
-#define TCP_COMPOUND_BETA           1U
-#define TCP_COMPOUND_GAMMA         30
-#define TCP_COMPOUND_ZETA           1
-
-/* TCP compound variables */
-struct compound {
-        u32 beg_snd_nxt;        /* right edge during last RTT */
-        u32 beg_snd_una;        /* left edge  during last RTT */
-        u32 beg_snd_cwnd;       /* saves the size of the cwnd */
-        u8 doing_vegas_now;     /* if true, do vegas for this RTT */
-        u16 cntRTT;             /* # of RTTs measured within last RTT */
-        u32 minRTT;             /* min of RTTs measured within last RTT (in usec) */
-        u32 baseRTT;            /* the min of all Vegas RTT measurements seen (in usec) */
-
-        u32 cwnd;
-        u32 dwnd;
-};
-
-/* There are several situations when we must "re-start" Vegas:
- *
- *  o when a connection is established
- *  o after an RTO
- *  o after fast recovery
- *  o when we send a packet and there is no outstanding
- *    unacknowledged data (restarting an idle connection)
- *
- * In these circumstances we cannot do a Vegas calculation at the
- * end of the first RTT, because any calculation we do is using
- * stale info -- both the saved cwnd and congestion feedback are
- * stale.
- *
- * Instead we must wait until the completion of an RTT during
- * which we actually receive ACKs.
- */
-static inline void vegas_enable(struct sock *sk)
-{
-        const struct tcp_sock *tp = tcp_sk(sk);
-        struct compound *vegas = inet_csk_ca(sk);
-
-        /* Begin taking Vegas samples next time we send something. */
-        vegas->doing_vegas_now = 1;
-
-        /* Set the beginning of the next send window. */
-        vegas->beg_snd_nxt = tp->snd_nxt;
-
-        vegas->cntRTT = 0;
-        vegas->minRTT = 0x7fffffff;
-}
-
-/* Stop taking Vegas samples for now. */
-static inline void vegas_disable(struct sock *sk)
-{
-        struct compound *vegas = inet_csk_ca(sk);
-
-        vegas->doing_vegas_now = 0;
-}
-
-static void tcp_compound_init(struct sock *sk)
-{
-        struct compound *vegas = inet_csk_ca(sk);
-        const struct tcp_sock *tp = tcp_sk(sk);
-
-        vegas->baseRTT = 0x7fffffff;
-        vegas_enable(sk);
-
-        vegas->dwnd = 0;
-        vegas->cwnd = tp->snd_cwnd;
-}
-
-/* Do RTT sampling needed for Vegas.
- * Basically we:
- *   o min-filter RTT samples from within an RTT to get the current
- *     propagation delay + queuing delay (we are min-filtering to try to
- *     avoid the effects of delayed ACKs)
- *   o min-filter RTT samples from a much longer window (forever for now)
- *     to find the propagation delay (baseRTT)
- */
-static void tcp_compound_rtt_calc(struct sock *sk, u32 usrtt)
-{
-        struct compound *vegas = inet_csk_ca(sk);
-        u32 vrtt = usrtt + 1;   /* Never allow zero rtt or baseRTT */
-
-        /* Filter to find propagation delay: */
-        if (vrtt < vegas->baseRTT)
-                vegas->baseRTT = vrtt;
-
-        /* Find the min RTT during the last RTT to find
-         * the current prop. delay + queuing delay:
-         */
-
-        vegas->minRTT = min(vegas->minRTT, vrtt);
-        vegas->cntRTT++;
-}
-
-static void tcp_compound_state(struct sock *sk, u8 ca_state)
-{
-
-        if (ca_state == TCP_CA_Open)
-                vegas_enable(sk);
-        else
-                vegas_disable(sk);
-}
-
-
-/* 64bit divisor, dividend and result. dynamic precision */
-static inline u64 div64_64(u64 dividend, u64 divisor)
-{
-        u32 d = divisor;
-
-        if (divisor > 0xffffffffULL) {
-                unsigned int shift = fls(divisor >> 32);
-
-                d = divisor >> shift;
-                dividend >>= shift;
-        }
-
-        /* avoid 64 bit division if possible */
-        if (dividend >> 32)
-                do_div(dividend, d);
-        else
-                dividend = (u32) dividend / d;
-
-        return dividend;
-}
-
-/* calculate the quartic root of "a" using Newton-Raphson */
-static u32 qroot(u64 a)
-{
-        u32 x, x1;
-
-        /* Initial estimate is based on:
-         * qrt(x) = exp(log(x) / 4)
-         */
-        x = 1u << (fls64(a) >> 2);
-
-        /*
-         * Iteration based on:
-         *                         3
-         * x    = ( 3 * x  +  a / x  ) / 4
-         *  k+1          k         k
-         */
-        do {
-                u64 x3 = x;
-
-                x1 = x;
-                x3 *= x;
-                x3 *= x;
-
-                x = (3 * x + (u32) div64_64(a, x3)) / 4;
-        } while (abs(x1 - x) > 1);
-
-        return x;
-}
-
-
-/*
- * If the connection is idle and we are restarting,
- * then we don't want to do any Vegas calculations
- * until we get fresh RTT samples.  So when we
- * restart, we reset our Vegas state to a clean
- * slate. After we get acks for this flight of
- * packets, _then_ we can make Vegas calculations
- * again.
- */
-static void tcp_compound_cwnd_event(struct sock *sk, enum tcp_ca_event event)
-{
-        if (event == CA_EVENT_CWND_RESTART || event == CA_EVENT_TX_START)
-                tcp_compound_init(sk);
-}
-
-static void tcp_compound_cong_avoid(struct sock *sk, u32 ack,
-                                    u32 seq_rtt, u32 in_flight, int flag)
-{
-        struct tcp_sock *tp = tcp_sk(sk);
-        struct compound *vegas = inet_csk_ca(sk);
-        u8 inc = 0;
-
-        if (vegas->cwnd + vegas->dwnd > tp->snd_cwnd) {
-                if (vegas->cwnd > tp->snd_cwnd || vegas->dwnd > tp->snd_cwnd) {
-                        vegas->cwnd = tp->snd_cwnd;
-                        vegas->dwnd = 0;
-                } else
-                        vegas->cwnd = tp->snd_cwnd - vegas->dwnd;
-
-        }
-
-        if (!tcp_is_cwnd_limited(sk, in_flight))
-                return;
-
-        if (vegas->cwnd <= tp->snd_ssthresh)
-                inc = 1;
-        else if (tp->snd_cwnd_cnt < tp->snd_cwnd)
-                tp->snd_cwnd_cnt++;
-
-        if (tp->snd_cwnd_cnt >= tp->snd_cwnd) {
-                inc = 1;
-                tp->snd_cwnd_cnt = 0;
-        }
-
-        if (inc && tp->snd_cwnd < tp->snd_cwnd_clamp)
-                vegas->cwnd++;
-
-        /* The key players are v_beg_snd_una and v_beg_snd_nxt.
-         *
-         * These are so named because they represent the approximate values
-         * of snd_una and snd_nxt at the beginning of the current RTT. More
-         * precisely, they represent the amount of data sent during the RTT.
-         * At the end of the RTT, when we receive an ACK for v_beg_snd_nxt,
-         * we will calculate that (v_beg_snd_nxt - v_beg_snd_una) outstanding
-         * bytes of data have been ACKed during the course of the RTT, giving
-         * an "actual" rate of:
-         *
-         *     (v_beg_snd_nxt - v_beg_snd_una) / (rtt duration)
-         *
-         * Unfortunately, v_beg_snd_una is not exactly equal to snd_una,
-         * because delayed ACKs can cover more than one segment, so they
-         * don't line up nicely with the boundaries of RTTs.
-         *
-         * Another unfortunate fact of life is that delayed ACKs delay the
-         * advance of the left edge of our send window, so that the number
-         * of bytes we send in an RTT is often less than our cwnd will allow.
-         * So we keep track of our cwnd separately, in v_beg_snd_cwnd.
-         */
-
-        if (after(ack, vegas->beg_snd_nxt)) {
-                /* Do the Vegas once-per-RTT cwnd adjustment. */
-                u32 old_wnd, old_snd_cwnd;
-
-                /* Here old_wnd is essentially the window of data that was
-                 * sent during the previous RTT, and has all
-                 * been acknowledged in the course of the RTT that ended
-                 * with the ACK we just received. Likewise, old_snd_cwnd
-                 * is the cwnd during the previous RTT.
-                 */
-                if (!tp->mss_cache)
-                        return;
-
-                old_wnd = (vegas->beg_snd_nxt - vegas->beg_snd_una) /
-                    tp->mss_cache;
-                old_snd_cwnd = vegas->beg_snd_cwnd;
-
-                /* Save the extent of the current window so we can use this
-                 * at the end of the next RTT.
-                 */
-                vegas->beg_snd_una = vegas->beg_snd_nxt;
-                vegas->beg_snd_nxt = tp->snd_nxt;
-                vegas->beg_snd_cwnd = tp->snd_cwnd;
-
-                /* We do the Vegas calculations only if we got enough RTT
-                 * samples that we can be reasonably sure that we got
-                 * at least one RTT sample that wasn't from a delayed ACK.
-                 * If we only had 2 samples total,
-                 * then that means we're getting only 1 ACK per RTT, which
-                 * means they're almost certainly delayed ACKs.
-                 * If  we have 3 samples, we should be OK.
-                 */
-
-                if (vegas->cntRTT > 2) {
-                        u32 rtt, target_cwnd, diff;
-                        u32 brtt, dwnd;
-
-                        /* We have enough RTT samples, so, using the Vegas
-                         * algorithm, we determine if we should increase or
-                         * decrease cwnd, and by how much.
-                         */
-
-                        /* Pluck out the RTT we are using for the Vegas
-                         * calculations. This is the min RTT seen during the
-                         * last RTT. Taking the min filters out the effects
-                         * of delayed ACKs, at the cost of noticing congestion
-                         * a bit later.
-                         */
-                        rtt = vegas->minRTT;
-
-                        /* Calculate the cwnd we should have, if we weren't
-                         * going too fast.
-                         *
-                         * This is:
-                         *     (actual rate in segments) * baseRTT
-                         * We keep it as a fixed point number with
-                         * V_PARAM_SHIFT bits to the right of the binary point.
-                         */
-                        if (!rtt)
-                                return;
-
-                        brtt = vegas->baseRTT;
-                        target_cwnd = ((old_wnd * brtt)
-                                       << V_PARAM_SHIFT) / rtt;
-
-                        /* Calculate the difference between the window we had,
-                         * and the window we would like to have. This quantity
-                         * is the "Diff" from the Arizona Vegas papers.
-                         *
-                         * Again, this is a fixed point number with
-                         * V_PARAM_SHIFT bits to the right of the binary
-                         * point.
-                         */
-
-                        diff = (old_wnd << V_PARAM_SHIFT) - target_cwnd;
-
-                        dwnd = vegas->dwnd;
-
-                        if (diff < (TCP_COMPOUND_GAMMA << V_PARAM_SHIFT)) {
-                                u64 v;
-                                u32 x;
-
-                                /*
-                                 * The TCP Compound paper describes the choice
-                                 * of "k" determines the agressiveness,
-                                 * ie. slope of the response function.
-                                 *
-                                 * For same value as HSTCP would be 0.8
-                                 * but for computaional reasons, both the
-                                 * original authors and this implementation
-                                 * use 0.75.
-                                 */
-                                v = old_wnd;
-                                x = qroot(v * v * v) >> TCP_COMPOUND_ALPHA;
-                                if (x > 1)
-                                        dwnd = x - 1;
-                                else
-                                        dwnd = 0;
-
-                                dwnd += vegas->dwnd;
-
-                        } else if ((dwnd << V_PARAM_SHIFT) <
-                                   (diff * TCP_COMPOUND_BETA))
-                                dwnd = 0;
-                        else
-                                dwnd =
-                                    ((dwnd << V_PARAM_SHIFT) -
-                                     (diff *
-                                      TCP_COMPOUND_BETA)) >> V_PARAM_SHIFT;
-
-                        vegas->dwnd = dwnd;
-
-                }
-
-                /* Wipe the slate clean for the next RTT. */
-                vegas->cntRTT = 0;
-                vegas->minRTT = 0x7fffffff;
-        }
-
-        tp->snd_cwnd = vegas->cwnd + vegas->dwnd;
-}
-
-/* Extract info for Tcp socket info provided via netlink. */
-static void tcp_compound_get_info(struct sock *sk, u32 ext, struct sk_buff *skb)
-{
-        const struct compound *ca = inet_csk_ca(sk);
-        if (ext & (1 << (INET_DIAG_VEGASINFO - 1))) {
-                struct tcpvegas_info *info;
-
-                info = RTA_DATA(__RTA_PUT(skb, INET_DIAG_VEGASINFO,
-                                          sizeof(*info)));
-
-                info->tcpv_enabled = ca->doing_vegas_now;
-                info->tcpv_rttcnt = ca->cntRTT;
-                info->tcpv_rtt = ca->baseRTT;
-                info->tcpv_minrtt = ca->minRTT;
-        rtattr_failure:;
-        }
-}
-
-static struct tcp_congestion_ops tcp_compound = {
-        .init           = tcp_compound_init,
-        .ssthresh       = tcp_reno_ssthresh,
-        .cong_avoid     = tcp_compound_cong_avoid,
-        .rtt_sample     = tcp_compound_rtt_calc,
-        .set_state      = tcp_compound_state,
-        .cwnd_event     = tcp_compound_cwnd_event,
-        .get_info       = tcp_compound_get_info,
-
-        .owner          = THIS_MODULE,
-        .name           = "compound",
-};
-
-static int __init tcp_compound_register(void)
-{
-        BUG_ON(sizeof(struct compound) > ICSK_CA_PRIV_SIZE);
-        tcp_register_congestion_control(&tcp_compound);
-        return 0;
-}
-
-static void __exit tcp_compound_unregister(void)
-{
-        tcp_unregister_congestion_control(&tcp_compound);
-}
-
-module_init(tcp_compound_register);
-module_exit(tcp_compound_unregister);
-
-MODULE_AUTHOR("Angelo P. Castellani, Stephen Hemminger");
-MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("TCP Compound");
diff --git a/net/ipv4/tcp_cong.c b/net/ipv4/tcp_cong.c
index 5765f9d03174..7ff2e4273a7c 100644
--- a/net/ipv4/tcp_cong.c
+++ b/net/ipv4/tcp_cong.c
@@ -189,7 +189,7 @@ void tcp_slow_start(struct tcp_sock *tp)
                         return;
 
                 /* We MAY increase by 2 if discovered delayed ack */
-                if (sysctl_tcp_abc > 1 && tp->bytes_acked > 2*tp->mss_cache) {
+                if (sysctl_tcp_abc > 1 && tp->bytes_acked >= 2*tp->mss_cache) {
                         if (tp->snd_cwnd < tp->snd_cwnd_clamp)
                                 tp->snd_cwnd++;
                 }
diff --git a/net/ipv4/tcp_highspeed.c b/net/ipv4/tcp_highspeed.c
index aaa1538c0692..fa3e1aad660c 100644
--- a/net/ipv4/tcp_highspeed.c
+++ b/net/ipv4/tcp_highspeed.c
@@ -139,14 +139,19 @@ static void hstcp_cong_avoid(struct sock *sk, u32 adk, u32 rtt,
                                 tp->snd_cwnd++;
                 }
         } else {
-                /* Update AIMD parameters */
+                /* Update AIMD parameters.
+                 *
+                 * We want to guarantee that:
+                 *     hstcp_aimd_vals[ca->ai-1].cwnd <
+                 *     snd_cwnd <=
+                 *     hstcp_aimd_vals[ca->ai].cwnd
+                 */
                 if (tp->snd_cwnd > hstcp_aimd_vals[ca->ai].cwnd) {
                         while (tp->snd_cwnd > hstcp_aimd_vals[ca->ai].cwnd &&
                                ca->ai < HSTCP_AIMD_MAX - 1)
                                 ca->ai++;
-                } else if (tp->snd_cwnd < hstcp_aimd_vals[ca->ai].cwnd) {
-                        while (tp->snd_cwnd > hstcp_aimd_vals[ca->ai].cwnd &&
-                               ca->ai > 0)
+                } else if (ca->ai && tp->snd_cwnd <= hstcp_aimd_vals[ca->ai-1].cwnd) {
+                        while (ca->ai && tp->snd_cwnd <= hstcp_aimd_vals[ca->ai-1].cwnd)
                                 ca->ai--;
                 }
 
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 738dad9f7d49..159fa3f1ba67 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -89,7 +89,7 @@ int sysctl_tcp_frto;
 int sysctl_tcp_nometrics_save;
 
 int sysctl_tcp_moderate_rcvbuf = 1;
-int sysctl_tcp_abc = 1;
+int sysctl_tcp_abc;
 
 #define FLAG_DATA               0x01 /* Incoming frame contained data.          */
 #define FLAG_WIN_UPDATE         0x02 /* Incoming ACK was a window update.       */
@@ -2505,8 +2505,13 @@ static int tcp_ack(struct sock *sk, struct sk_buff *skb, int flag)
         if (before(ack, prior_snd_una))
                 goto old_ack;
 
-        if (sysctl_tcp_abc && icsk->icsk_ca_state < TCP_CA_CWR)
-                tp->bytes_acked += ack - prior_snd_una;
+        if (sysctl_tcp_abc) {
+                if (icsk->icsk_ca_state < TCP_CA_CWR)
+                        tp->bytes_acked += ack - prior_snd_una;
+                else if (icsk->icsk_ca_state == TCP_CA_Loss)
+                        /* we assume just one segment left network */
+                        tp->bytes_acked += min(ack - prior_snd_una, tp->mss_cache);
+        }
 
         if (!(flag&FLAG_SLOWPATH) && after(ack, prior_snd_una)) {
                 /* Window is constant, pure forward advance.
@@ -3541,7 +3546,8 @@ void tcp_cwnd_application_limited(struct sock *sk)
         if (inet_csk(sk)->icsk_ca_state == TCP_CA_Open &&
             sk->sk_socket && !test_bit(SOCK_NOSPACE, &sk->sk_socket->flags)) {
                 /* Limited by application or receiver window. */
-                u32 win_used = max(tp->snd_cwnd_used, 2U);
+                u32 init_win = tcp_init_cwnd(tp, __sk_dst_get(sk));
+                u32 win_used = max(tp->snd_cwnd_used, init_win);
                 if (win_used < tp->snd_cwnd) {
                         tp->snd_ssthresh = tcp_current_ssthresh(sk);
                         tp->snd_cwnd = (tp->snd_cwnd + win_used) >> 1;
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 5a886e6efbbe..4b04c3edd4a9 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -438,7 +438,6 @@ void tcp_v4_err(struct sk_buff *skb, u32 info)
                                It can f.e. if SYNs crossed.
                              */
                 if (!sock_owned_by_user(sk)) {
-                        TCP_INC_STATS_BH(TCP_MIB_ATTEMPTFAILS);
                         sk->sk_err = err;
 
                         sk->sk_error_report(sk);
@@ -496,6 +495,24 @@ void tcp_v4_send_check(struct sock *sk, int len, struct sk_buff *skb)
         }
 }
 
+int tcp_v4_gso_send_check(struct sk_buff *skb)
+{
+        struct iphdr *iph;
+        struct tcphdr *th;
+
+        if (!pskb_may_pull(skb, sizeof(*th)))
+                return -EINVAL;
+
+        iph = skb->nh.iph;
+        th = skb->h.th;
+
+        th->check = 0;
+        th->check = ~tcp_v4_check(th, skb->len, iph->saddr, iph->daddr, 0);
+        skb->csum = offsetof(struct tcphdr, check);
+        skb->ip_summed = CHECKSUM_HW;
+        return 0;
+}
+
 /*
  *      This routine will send an RST to the other tcp.
  *
@@ -856,7 +873,6 @@ int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
 drop_and_free:
         reqsk_free(req);
 drop:
-        TCP_INC_STATS_BH(TCP_MIB_ATTEMPTFAILS);
         return 0;
 }
 
@@ -1622,10 +1638,9 @@ static int tcp_seq_open(struct inode *inode, struct file *file)
         if (unlikely(afinfo == NULL))
                 return -EINVAL;
 
-        s = kmalloc(sizeof(*s), GFP_KERNEL);
+        s = kzalloc(sizeof(*s), GFP_KERNEL);
         if (!s)
                 return -ENOMEM;
-        memset(s, 0, sizeof(*s));
         s->family               = afinfo->family;
         s->seq_ops.start        = tcp_seq_start;
         s->seq_ops.next         = tcp_seq_next;
diff --git a/net/ipv4/tcp_lp.c b/net/ipv4/tcp_lp.c
index 1f977b6ee9a1..48f28d617ce6 100644
--- a/net/ipv4/tcp_lp.c
+++ b/net/ipv4/tcp_lp.c
@@ -3,13 +3,8 @@
  *
  * TCP Low Priority is a distributed algorithm whose goal is to utilize only
  *   the excess network bandwidth as compared to the ``fair share`` of
- *   bandwidth as targeted by TCP. Available from:
- *     http://www.ece.rice.edu/~akuzma/Doc/akuzma/TCP-LP.pdf
+ *   bandwidth as targeted by TCP.
  *
- * Original Author:
- *   Aleksandar Kuzmanovic <akuzma@northwestern.edu>
- *
- * See http://www-ece.rice.edu/networks/TCP-LP/ for their implementation.
  * As of 2.6.13, Linux supports pluggable congestion control algorithms.
  * Due to the limitation of the API, we take the following changes from
  * the original TCP-LP implementation:
@@ -24,11 +19,20 @@
  *   o OWD is handled in relative format, where local time stamp will in
  *     tcp_time_stamp format.
  *
- * Port from 2.4.19 to 2.6.16 as module by:
- *   Wong Hoi Sing Edison <hswong3i@gmail.com>
- *   Hung Hing Lun <hlhung3i@gmail.com>
+ * Original Author:
+ *   Aleksandar Kuzmanovic <akuzma@northwestern.edu>
+ * Available from:
+ *   http://www.ece.rice.edu/~akuzma/Doc/akuzma/TCP-LP.pdf
+ * Original implementation for 2.4.19:
+ *   http://www-ece.rice.edu/networks/TCP-LP/
  *
- * Version: $Id: tcp_lp.c,v 1.22 2006-05-02 18:18:19 hswong3i Exp $
+ * 2.6.x module Authors:
+ *   Wong Hoi Sing, Edison <hswong3i@gmail.com>
+ *   Hung Hing Lun, Mike <hlhung3i@gmail.com>
+ * SourceForge project page:
+ *   http://tcp-lp-mod.sourceforge.net/
+ *
+ * Version: $Id: tcp_lp.c,v 1.24 2006/09/05 20:22:53 hswong3i Exp $
  */
 
 #include <linux/config.h>
@@ -153,16 +157,19 @@ static u32 tcp_lp_remote_hz_estimator(struct sock *sk)
         if (m < 0)
                 m = -m;
 
-        if (rhz != 0) {
+        if (rhz > 0) {
                 m -= rhz >> 6;  /* m is now error in remote HZ est */
                 rhz += m;       /* 63/64 old + 1/64 new */
         } else
                 rhz = m << 6;
 
+ out:
         /* record time for successful remote HZ calc */
-        lp->flag |= LP_VALID_RHZ;
+        if (rhz > 0)
+                lp->flag |= LP_VALID_RHZ;
+        else
+                lp->flag &= ~LP_VALID_RHZ;
 
- out:
         /* record reference time stamp */
         lp->remote_ref_time = tp->rx_opt.rcv_tsval;
         lp->local_ref_time = tp->rx_opt.rcv_tsecr;
@@ -333,6 +340,6 @@ static void __exit tcp_lp_unregister(void)
 module_init(tcp_lp_register);
 module_exit(tcp_lp_unregister);
 
-MODULE_AUTHOR("Wong Hoi Sing Edison, Hung Hing Lun");
+MODULE_AUTHOR("Wong Hoi Sing Edison, Hung Hing Lun Mike");
 MODULE_LICENSE("GPL");
 MODULE_DESCRIPTION("TCP Low Priority");
diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index 0ccb7cb22b15..624e2b2c7f53 100644
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -589,8 +589,10 @@ struct sock *tcp_check_req(struct sock *sk,struct sk_buff *skb,
                 /* RFC793: "second check the RST bit" and
                  *         "fourth, check the SYN bit"
                  */
-                if (flg & (TCP_FLAG_RST|TCP_FLAG_SYN))
+                if (flg & (TCP_FLAG_RST|TCP_FLAG_SYN)) {
+                        TCP_INC_STATS_BH(TCP_MIB_ATTEMPTFAILS);
                         goto embryonic_reset;
+                }
 
                 /* ACK sequence verified above, just make sure ACK is
                  * set.  If ACK not set, just silently drop the packet.
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 5c08ea20a18d..b4f3ffe1b3b4 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -201,6 +201,7 @@ void tcp_select_initial_window(int __space, __u32 mss,
                  * See RFC1323 for an explanation of the limit to 14 
                  */
                 space = max_t(u32, sysctl_tcp_rmem[2], sysctl_rmem_max);
+                space = min_t(u32, space, *window_clamp);
                 while (space > 65535 && (*rcv_wscale) < 14) {
                         space >>= 1;
                         (*rcv_wscale)++;
@@ -466,7 +467,8 @@ static int tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, int clone_it,
         if (skb->len != tcp_header_size)
                 tcp_event_data_sent(tp, skb, sk);
 
-        TCP_INC_STATS(TCP_MIB_OUTSEGS);
+        if (after(tcb->end_seq, tp->snd_nxt) || tcb->seq == tcb->end_seq)
+                TCP_INC_STATS(TCP_MIB_OUTSEGS);
 
         err = icsk->icsk_af_ops->queue_xmit(skb, 0);
         if (likely(err <= 0))
@@ -2157,10 +2159,9 @@ int tcp_connect(struct sock *sk)
         skb_shinfo(buff)->gso_size = 0;
         skb_shinfo(buff)->gso_type = 0;
         buff->csum = 0;
+        tp->snd_nxt = tp->write_seq;
         TCP_SKB_CB(buff)->seq = tp->write_seq++;
         TCP_SKB_CB(buff)->end_seq = tp->write_seq;
-        tp->snd_nxt = tp->write_seq;
-        tp->pushed_seq = tp->write_seq;
 
         /* Send it off. */
         TCP_SKB_CB(buff)->when = tcp_time_stamp;
@@ -2170,6 +2171,12 @@ int tcp_connect(struct sock *sk)
         sk_charge_skb(sk, buff);
         tp->packets_out += tcp_skb_pcount(buff);
         tcp_transmit_skb(sk, buff, 1, GFP_KERNEL);
+
+        /* We change tp->snd_nxt after the tcp_transmit_skb() call
+         * in order to make this packet get counted in tcpOutSegs.
+         */
+        tp->snd_nxt = tp->write_seq;
+        tp->pushed_seq = tp->write_seq;
         TCP_INC_STATS(TCP_MIB_ACTIVEOPENS);
 
         /* Timer for repeating the SYN until an answer. */
diff --git a/net/ipv4/tcp_probe.c b/net/ipv4/tcp_probe.c
index d7d517a3a238..dab37d2f65fc 100644
--- a/net/ipv4/tcp_probe.c
+++ b/net/ipv4/tcp_probe.c
@@ -114,7 +114,7 @@ static int tcpprobe_open(struct inode * inode, struct file * file)
 static ssize_t tcpprobe_read(struct file *file, char __user *buf,
                              size_t len, loff_t *ppos)
 {
-        int error = 0, cnt;
+        int error = 0, cnt = 0;
         unsigned char *tbuf;
 
         if (!buf || len < 0)
@@ -130,11 +130,12 @@ static ssize_t tcpprobe_read(struct file *file, char __user *buf,
         error = wait_event_interruptible(tcpw.wait,
                                          __kfifo_len(tcpw.fifo) != 0);
         if (error)
-                return error;
+                goto out_free;
 
         cnt = kfifo_get(tcpw.fifo, tbuf, len);
         error = copy_to_user(buf, tbuf, cnt);
 
+out_free:
         vfree(tbuf);
 
         return error ? error : cnt;
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 9bfcddad695b..f136cec96d95 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1468,11 +1468,10 @@ static int udp_seq_open(struct inode *inode, struct file *file)
         struct udp_seq_afinfo *afinfo = PDE(inode)->data;
         struct seq_file *seq;
         int rc = -ENOMEM;
-        struct udp_iter_state *s = kmalloc(sizeof(*s), GFP_KERNEL);
+        struct udp_iter_state *s = kzalloc(sizeof(*s), GFP_KERNEL);
 
         if (!s)
                 goto out;
-        memset(s, 0, sizeof(*s));
         s->family               = afinfo->family;
         s->seq_ops.start        = udp_seq_start;
         s->seq_ops.next         = udp_seq_next;
diff --git a/net/ipv4/xfrm4_mode_tunnel.c b/net/ipv4/xfrm4_mode_tunnel.c
index f8d880beb12f..13cafbe56ce3 100644
--- a/net/ipv4/xfrm4_mode_tunnel.c
+++ b/net/ipv4/xfrm4_mode_tunnel.c
@@ -92,7 +92,6 @@ static int xfrm4_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
         skb->mac.raw = memmove(skb->data - skb->mac_len,
                                skb->mac.raw, skb->mac_len);
         skb->nh.raw = skb->data;
-        memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
         err = 0;
 
 out:
diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
index 193363e22932..d16f863cf687 100644
--- a/net/ipv4/xfrm4_output.c
+++ b/net/ipv4/xfrm4_output.c
@@ -134,7 +134,7 @@ static int xfrm4_output_finish(struct sk_buff *skb)
         }
 #endif
 
-        if (!skb_shinfo(skb)->gso_size)
+        if (!skb_is_gso(skb))
                 return xfrm4_output_finish2(skb);
 
         skb->protocol = htons(ETH_P_IP);
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index c250d0af10d7..c7852b38e03e 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -508,6 +508,26 @@ void inet6_ifa_finish_destroy(struct inet6_ifaddr *ifp)
         kfree(ifp);
 }
 
+static void
+ipv6_link_dev_addr(struct inet6_dev *idev, struct inet6_ifaddr *ifp)
+{
+        struct inet6_ifaddr *ifa, **ifap;
+        int ifp_scope = ipv6_addr_src_scope(&ifp->addr);
+
+        /*
+         * Each device address list is sorted in order of scope -
+         * global before linklocal.
+         */
+        for (ifap = &idev->addr_list; (ifa = *ifap) != NULL;
+             ifap = &ifa->if_next) {
+                if (ifp_scope >= ipv6_addr_src_scope(&ifa->addr))
+                        break;
+        }
+
+        ifp->if_next = *ifap;
+        *ifap = ifp;
+}
+
 /* On success it returns ifp with increased reference count */
 
 static struct inet6_ifaddr *
@@ -558,6 +578,8 @@ ipv6_add_addr(struct inet6_dev *idev, const struct in6_addr *addr, int pfxlen,
         ifa->flags = flags | IFA_F_TENTATIVE;
         ifa->cstamp = ifa->tstamp = jiffies;
 
+        ifa->rt = rt;
+
         ifa->idev = idev;
         in6_dev_hold(idev);
         /* For caller */
@@ -573,8 +595,7 @@ ipv6_add_addr(struct inet6_dev *idev, const struct in6_addr *addr, int pfxlen,
 
         write_lock(&idev->lock);
         /* Add to inet6_dev unicast addr list. */
-        ifa->if_next = idev->addr_list;
-        idev->addr_list = ifa;
+        ipv6_link_dev_addr(idev, ifa);
 
 #ifdef CONFIG_IPV6_PRIVACY
         if (ifa->flags&IFA_F_TEMPORARY) {
@@ -584,8 +605,6 @@ ipv6_add_addr(struct inet6_dev *idev, const struct in6_addr *addr, int pfxlen,
         }
 #endif
 
-        ifa->rt = rt;
-
         in6_ifa_hold(ifa);
         write_unlock(&idev->lock);
 out2:
@@ -987,7 +1006,7 @@ int ipv6_dev_get_saddr(struct net_device *daddr_dev,
                                         continue;
                         } else if (score.scope < hiscore.scope) {
                                 if (score.scope < daddr_scope)
-                                        continue;
+                                        break; /* addresses sorted by scope */
                                 else {
                                         score.rule = 2;
                                         goto record_it;
@@ -1850,15 +1869,21 @@ err_exit:
 /*
  *      Manual configuration of address on an interface
  */
-static int inet6_addr_add(int ifindex, struct in6_addr *pfx, int plen)
+static int inet6_addr_add(int ifindex, struct in6_addr *pfx, int plen,
+                          __u32 prefered_lft, __u32 valid_lft)
 {
         struct inet6_ifaddr *ifp;
         struct inet6_dev *idev;
         struct net_device *dev;
+        __u8 ifa_flags = 0;
         int scope;
 
         ASSERT_RTNL();
         
+        /* check the lifetime */
+        if (!valid_lft || prefered_lft > valid_lft)
+                return -EINVAL;
+
         if ((dev = __dev_get_by_index(ifindex)) == NULL)
                 return -ENODEV;
         
@@ -1870,10 +1895,29 @@ static int inet6_addr_add(int ifindex, struct in6_addr *pfx, int plen)
 
         scope = ipv6_addr_scope(pfx);
 
-        ifp = ipv6_add_addr(idev, pfx, plen, scope, IFA_F_PERMANENT);
+        if (valid_lft == INFINITY_LIFE_TIME)
+                ifa_flags |= IFA_F_PERMANENT;
+        else if (valid_lft >= 0x7FFFFFFF/HZ)
+                valid_lft = 0x7FFFFFFF/HZ;
+
+        if (prefered_lft == 0)
+                ifa_flags |= IFA_F_DEPRECATED;
+        else if ((prefered_lft >= 0x7FFFFFFF/HZ) &&
+                 (prefered_lft != INFINITY_LIFE_TIME))
+                prefered_lft = 0x7FFFFFFF/HZ;
+
+        ifp = ipv6_add_addr(idev, pfx, plen, scope, ifa_flags);
+
         if (!IS_ERR(ifp)) {
+                spin_lock_bh(&ifp->lock);
+                ifp->valid_lft = valid_lft;
+                ifp->prefered_lft = prefered_lft;
+                ifp->tstamp = jiffies;
+                spin_unlock_bh(&ifp->lock);
+
                 addrconf_dad_start(ifp, 0);
                 in6_ifa_put(ifp);
+                addrconf_verify(0);
                 return 0;
         }
 
@@ -1926,7 +1970,8 @@ int addrconf_add_ifaddr(void __user *arg)
                 return -EFAULT;
 
         rtnl_lock();
-        err = inet6_addr_add(ireq.ifr6_ifindex, &ireq.ifr6_addr, ireq.ifr6_prefixlen);
+        err = inet6_addr_add(ireq.ifr6_ifindex, &ireq.ifr6_addr, ireq.ifr6_prefixlen,
+                             INFINITY_LIFE_TIME, INFINITY_LIFE_TIME);
         rtnl_unlock();
         return err;
 }
@@ -2752,12 +2797,16 @@ restart:
                                         ifp->idev->nd_parms->retrans_time / HZ;
 #endif
 
-                        if (age >= ifp->valid_lft) {
+                        if (ifp->valid_lft != INFINITY_LIFE_TIME &&
+                            age >= ifp->valid_lft) {
                                 spin_unlock(&ifp->lock);
                                 in6_ifa_hold(ifp);
                                 read_unlock(&addrconf_hash_lock);
                                 ipv6_del_addr(ifp);
                                 goto restart;
+                        } else if (ifp->prefered_lft == INFINITY_LIFE_TIME) {
+                                spin_unlock(&ifp->lock);
+                                continue;
                         } else if (age >= ifp->prefered_lft) {
                                 /* jiffies - ifp->tsamp > age >= ifp->prefered_lft */
                                 int deprecate = 0;
@@ -2834,7 +2883,8 @@ inet6_rtm_deladdr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg)
                 pfx = RTA_DATA(rta[IFA_ADDRESS-1]);
         }
         if (rta[IFA_LOCAL-1]) {
-                if (pfx && memcmp(pfx, RTA_DATA(rta[IFA_LOCAL-1]), sizeof(*pfx)))
+                if (RTA_PAYLOAD(rta[IFA_LOCAL-1]) < sizeof(*pfx) ||
+                    (pfx && memcmp(pfx, RTA_DATA(rta[IFA_LOCAL-1]), sizeof(*pfx))))
                         return -EINVAL;
                 pfx = RTA_DATA(rta[IFA_LOCAL-1]);
         }
@@ -2845,11 +2895,61 @@ inet6_rtm_deladdr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg)
 }
 
 static int
+inet6_addr_modify(int ifindex, struct in6_addr *pfx,
+                  __u32 prefered_lft, __u32 valid_lft)
+{
+        struct inet6_ifaddr *ifp = NULL;
+        struct net_device *dev;
+        int ifa_flags = 0;
+
+        if ((dev = __dev_get_by_index(ifindex)) == NULL)
+                return -ENODEV;
+
+        if (!(dev->flags&IFF_UP))
+                return -ENETDOWN;
+
+        if (!valid_lft || (prefered_lft > valid_lft))
+                return -EINVAL;
+
+        ifp = ipv6_get_ifaddr(pfx, dev, 1);
+        if (ifp == NULL)
+                return -ENOENT;
+
+        if (valid_lft == INFINITY_LIFE_TIME)
+                ifa_flags = IFA_F_PERMANENT;
+        else if (valid_lft >= 0x7FFFFFFF/HZ)
+                valid_lft = 0x7FFFFFFF/HZ;
+
+        if (prefered_lft == 0)
+                ifa_flags = IFA_F_DEPRECATED;
+        else if ((prefered_lft >= 0x7FFFFFFF/HZ) &&
+                 (prefered_lft != INFINITY_LIFE_TIME))
+                prefered_lft = 0x7FFFFFFF/HZ;
+
+        spin_lock_bh(&ifp->lock);
+        ifp->flags = (ifp->flags & ~(IFA_F_DEPRECATED|IFA_F_PERMANENT)) | ifa_flags;
+
+        ifp->tstamp = jiffies;
+        ifp->valid_lft = valid_lft;
+        ifp->prefered_lft = prefered_lft;
+
+        spin_unlock_bh(&ifp->lock);
+        if (!(ifp->flags&IFA_F_TENTATIVE))
+                ipv6_ifa_notify(0, ifp);
+        in6_ifa_put(ifp);
+
+        addrconf_verify(0);
+
+        return 0;
+}
+
+static int
 inet6_rtm_newaddr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg)
 {
         struct rtattr  **rta = arg;
         struct ifaddrmsg *ifm = NLMSG_DATA(nlh);
         struct in6_addr *pfx;
+        __u32 valid_lft = INFINITY_LIFE_TIME, prefered_lft = INFINITY_LIFE_TIME;
 
         pfx = NULL;
         if (rta[IFA_ADDRESS-1]) {
@@ -2858,14 +2958,34 @@ inet6_rtm_newaddr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg)
                 pfx = RTA_DATA(rta[IFA_ADDRESS-1]);
         }
         if (rta[IFA_LOCAL-1]) {
-                if (pfx && memcmp(pfx, RTA_DATA(rta[IFA_LOCAL-1]), sizeof(*pfx)))
+                if (RTA_PAYLOAD(rta[IFA_LOCAL-1]) < sizeof(*pfx) ||
+                    (pfx && memcmp(pfx, RTA_DATA(rta[IFA_LOCAL-1]), sizeof(*pfx))))
                         return -EINVAL;
                 pfx = RTA_DATA(rta[IFA_LOCAL-1]);
         }
         if (pfx == NULL)
                 return -EINVAL;
 
-        return inet6_addr_add(ifm->ifa_index, pfx, ifm->ifa_prefixlen);
+        if (rta[IFA_CACHEINFO-1]) {
+                struct ifa_cacheinfo *ci;
+                if (RTA_PAYLOAD(rta[IFA_CACHEINFO-1]) < sizeof(*ci))
+                        return -EINVAL;
+                ci = RTA_DATA(rta[IFA_CACHEINFO-1]);
+                valid_lft = ci->ifa_valid;
+                prefered_lft = ci->ifa_prefered;
+        }
+
+        if (nlh->nlmsg_flags & NLM_F_REPLACE) {
+                int ret;
+                ret = inet6_addr_modify(ifm->ifa_index, pfx,
+                                        prefered_lft, valid_lft);
+                if (ret == 0 || !(nlh->nlmsg_flags & NLM_F_CREATE))
+                        return ret;
+        }
+
+        return inet6_addr_add(ifm->ifa_index, pfx, ifm->ifa_prefixlen,
+                              prefered_lft, valid_lft);
+
 }
 
 /* Maximum length of ifa_cacheinfo attributes */
@@ -3102,6 +3222,62 @@ static int inet6_dump_ifacaddr(struct sk_buff *skb, struct netlink_callback *cb)
         return inet6_dump_addr(skb, cb, type);
 }
 
+static int inet6_rtm_getaddr(struct sk_buff *in_skb,
+                struct nlmsghdr* nlh, void *arg)
+{
+        struct rtattr **rta = arg;
+        struct ifaddrmsg *ifm = NLMSG_DATA(nlh);
+        struct in6_addr *addr = NULL;
+        struct net_device *dev = NULL;
+        struct inet6_ifaddr *ifa;
+        struct sk_buff *skb;
+        int size = NLMSG_SPACE(sizeof(struct ifaddrmsg) + INET6_IFADDR_RTA_SPACE);
+        int err;
+
+        if (rta[IFA_ADDRESS-1]) {
+                if (RTA_PAYLOAD(rta[IFA_ADDRESS-1]) < sizeof(*addr))
+                        return -EINVAL;
+                addr = RTA_DATA(rta[IFA_ADDRESS-1]);
+        }
+        if (rta[IFA_LOCAL-1]) {
+                if (RTA_PAYLOAD(rta[IFA_LOCAL-1]) < sizeof(*addr) ||
+                    (addr && memcmp(addr, RTA_DATA(rta[IFA_LOCAL-1]), sizeof(*addr))))
+                        return -EINVAL;
+                addr = RTA_DATA(rta[IFA_LOCAL-1]);
+        }
+        if (addr == NULL)
+                return -EINVAL;
+
+        if (ifm->ifa_index)
+                dev = __dev_get_by_index(ifm->ifa_index);
+
+        if ((ifa = ipv6_get_ifaddr(addr, dev, 1)) == NULL)
+                return -EADDRNOTAVAIL;
+
+        if ((skb = alloc_skb(size, GFP_KERNEL)) == NULL) {
+                err = -ENOBUFS;
+                goto out;
+        }
+
+        NETLINK_CB(skb).dst_pid = NETLINK_CB(in_skb).pid;
+        err = inet6_fill_ifaddr(skb, ifa, NETLINK_CB(in_skb).pid,
+                                nlh->nlmsg_seq, RTM_NEWADDR, 0);
+        if (err < 0) {
+                err = -EMSGSIZE;
+                goto out_free;
+        }
+
+        err = netlink_unicast(rtnl, skb, NETLINK_CB(in_skb).pid, MSG_DONTWAIT);
+        if (err > 0)
+                err = 0;
+out:
+        in6_ifa_put(ifa);
+        return err;
+out_free:
+        kfree_skb(skb);
+        goto out;
+}
+
 static void inet6_ifa_notify(int event, struct inet6_ifaddr *ifa)
 {
         struct sk_buff *skb;
@@ -3344,7 +3520,8 @@ static struct rtnetlink_link inet6_rtnetlink_table[RTM_NR_MSGTYPES] = {
         [RTM_GETLINK - RTM_BASE] = { .dumpit    = inet6_dump_ifinfo, },
         [RTM_NEWADDR - RTM_BASE] = { .doit      = inet6_rtm_newaddr, },
         [RTM_DELADDR - RTM_BASE] = { .doit      = inet6_rtm_deladdr, },
-        [RTM_GETADDR - RTM_BASE] = { .dumpit    = inet6_dump_ifaddr, },
+        [RTM_GETADDR - RTM_BASE] = { .doit      = inet6_rtm_getaddr,
+                                     .dumpit    = inet6_dump_ifaddr, },
         [RTM_GETMULTICAST - RTM_BASE] = { .dumpit = inet6_dump_ifmcaddr, },
         [RTM_GETANYCAST - RTM_BASE] = { .dumpit = inet6_dump_ifacaddr, },
         [RTM_NEWROUTE - RTM_BASE] = { .doit     = inet6_rtm_newroute, },
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index 5a0ba58b86cc..ac85e9c532c2 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -658,7 +658,7 @@ int inet6_sk_rebuild_header(struct sock *sk)
                         return err;
                 }
 
-                ip6_dst_store(sk, dst, NULL);
+                __ip6_dst_store(sk, dst, NULL);
         }
 
         return 0;
diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
index 99a6eb23378b..3b55b4c8e2d1 100644
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -696,7 +696,7 @@ int datagram_send_ctl(struct msghdr *msg, struct flowi *fl,
                         }
 
                         tc = *(int *)CMSG_DATA(cmsg);
-                        if (tc < 0 || tc > 0xff)
+                        if (tc < -1 || tc > 0xff)
                                 goto exit_f;
 
                         err = 0;
diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
index 9d0ee7f0eeb5..86dac106873b 100644
--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -635,14 +635,17 @@ ipv6_renew_options(struct sock *sk, struct ipv6_txoptions *opt,
         struct ipv6_txoptions *opt2;
         int err;
 
-        if (newtype != IPV6_HOPOPTS && opt->hopopt)
-                tot_len += CMSG_ALIGN(ipv6_optlen(opt->hopopt));
-        if (newtype != IPV6_RTHDRDSTOPTS && opt->dst0opt)
-                tot_len += CMSG_ALIGN(ipv6_optlen(opt->dst0opt));
-        if (newtype != IPV6_RTHDR && opt->srcrt)
-                tot_len += CMSG_ALIGN(ipv6_optlen(opt->srcrt));
-        if (newtype != IPV6_DSTOPTS && opt->dst1opt)
-                tot_len += CMSG_ALIGN(ipv6_optlen(opt->dst1opt));
+        if (opt) {
+                if (newtype != IPV6_HOPOPTS && opt->hopopt)
+                        tot_len += CMSG_ALIGN(ipv6_optlen(opt->hopopt));
+                if (newtype != IPV6_RTHDRDSTOPTS && opt->dst0opt)
+                        tot_len += CMSG_ALIGN(ipv6_optlen(opt->dst0opt));
+                if (newtype != IPV6_RTHDR && opt->srcrt)
+                        tot_len += CMSG_ALIGN(ipv6_optlen(opt->srcrt));
+                if (newtype != IPV6_DSTOPTS && opt->dst1opt)
+                        tot_len += CMSG_ALIGN(ipv6_optlen(opt->dst1opt));
+        }
+
         if (newopt && newoptlen)
                 tot_len += CMSG_ALIGN(newoptlen);
 
@@ -659,25 +662,25 @@ ipv6_renew_options(struct sock *sk, struct ipv6_txoptions *opt,
         opt2->tot_len = tot_len;
         p = (char *)(opt2 + 1);
 
-        err = ipv6_renew_option(opt->hopopt, newopt, newoptlen,
+        err = ipv6_renew_option(opt ? opt->hopopt : NULL, newopt, newoptlen,
                                 newtype != IPV6_HOPOPTS,
                                 &opt2->hopopt, &p);
         if (err)
                 goto out;
 
-        err = ipv6_renew_option(opt->dst0opt, newopt, newoptlen,
+        err = ipv6_renew_option(opt ? opt->dst0opt : NULL, newopt, newoptlen,
                                 newtype != IPV6_RTHDRDSTOPTS,
                                 &opt2->dst0opt, &p);
         if (err)
                 goto out;
 
-        err = ipv6_renew_option(opt->srcrt, newopt, newoptlen,
+        err = ipv6_renew_option(opt ? opt->srcrt : NULL, newopt, newoptlen,
                                 newtype != IPV6_RTHDR,
-                                (struct ipv6_opt_hdr **)opt2->srcrt, &p);
+                                (struct ipv6_opt_hdr **)&opt2->srcrt, &p);
         if (err)
                 goto out;
 
-        err = ipv6_renew_option(opt->dst1opt, newopt, newoptlen,
+        err = ipv6_renew_option(opt ? opt->dst1opt : NULL, newopt, newoptlen,
                                 newtype != IPV6_DSTOPTS,
                                 &opt2->dst1opt, &p);
         if (err)
diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
index 1044b6fce0d5..356a8a7ef22a 100644
--- a/net/ipv6/icmp.c
+++ b/net/ipv6/icmp.c
@@ -401,7 +401,7 @@ void icmpv6_send(struct sk_buff *skb, int type, int code, __u32 info,
         if (hlimit < 0)
                 hlimit = ipv6_get_hoplimit(dst->dev);
 
-        tclass = np->cork.tclass;
+        tclass = np->tclass;
         if (tclass < 0)
                 tclass = 0;
 
@@ -497,7 +497,7 @@ static void icmpv6_echo_reply(struct sk_buff *skb)
         if (hlimit < 0)
                 hlimit = ipv6_get_hoplimit(dst->dev);
 
-        tclass = np->cork.tclass;
+        tclass = np->tclass;
         if (tclass < 0)
                 tclass = 0;
 
@@ -712,6 +712,11 @@ discard_it:
         return 0;
 }
 
+/*
+ * Special lock-class for __icmpv6_socket:
+ */
+static struct lock_class_key icmpv6_socket_sk_dst_lock_key;
+
 int __init icmpv6_init(struct net_proto_family *ops)
 {
         struct sock *sk;
@@ -730,6 +735,14 @@ int __init icmpv6_init(struct net_proto_family *ops)
 
                 sk = per_cpu(__icmpv6_socket, i)->sk;
                 sk->sk_allocation = GFP_ATOMIC;
+                /*
+                 * Split off their lock-class, because sk->sk_dst_lock
+                 * gets used from softirqs, which is safe for
+                 * __icmpv6_socket (because those never get directly used
+                 * via userspace syscalls), but unsafe for normal sockets.
+                 */
+                lockdep_set_class(&sk->sk_dst_lock,
+                                  &icmpv6_socket_sk_dst_lock_key);
 
                 /* Enough space for 2 64K ICMP packets, including
                  * sk_buff struct overhead.
diff --git a/net/ipv6/inet6_connection_sock.c b/net/ipv6/inet6_connection_sock.c
index 5c950cc79d80..bf491077b822 100644
--- a/net/ipv6/inet6_connection_sock.c
+++ b/net/ipv6/inet6_connection_sock.c
@@ -185,7 +185,7 @@ int inet6_csk_xmit(struct sk_buff *skb, int ipfragok)
                         return err;
                 }
 
-                ip6_dst_store(sk, dst, NULL);
+                __ip6_dst_store(sk, dst, NULL);
         }
 
         skb->dst = dst_clone(dst);
diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
index df8f051c0fce..25c2a9e03895 100644
--- a/net/ipv6/ip6_input.c
+++ b/net/ipv6/ip6_input.c
@@ -71,6 +71,8 @@ int ipv6_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt
                 goto out;
         }
 
+        memset(IP6CB(skb), 0, sizeof(struct inet6_skb_parm));
+
         /*
          * Store incoming device index. When the packet will
          * be queued, we cannot refer to skb->dev anymore.
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 2c5b44575af0..4fb47a252913 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -147,7 +147,7 @@ static int ip6_output2(struct sk_buff *skb)
 
 int ip6_output(struct sk_buff *skb)
 {
-        if ((skb->len > dst_mtu(skb->dst) && !skb_shinfo(skb)->gso_size) ||
+        if ((skb->len > dst_mtu(skb->dst) && !skb_is_gso(skb)) ||
                                 dst_allfrag(skb->dst))
                 return ip6_fragment(skb, ip6_output2);
         else
@@ -229,7 +229,7 @@ int ip6_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl,
         skb->priority = sk->sk_priority;
 
         mtu = dst_mtu(dst);
-        if ((skb->len <= mtu) || ipfragok || skb_shinfo(skb)->gso_size) {
+        if ((skb->len <= mtu) || ipfragok || skb_is_gso(skb)) {
                 IP6_INC_STATS(IPSTATS_MIB_OUTREQUESTS);
                 return NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL, dst->dev,
                                 dst_output);
@@ -356,6 +356,7 @@ int ip6_forward(struct sk_buff *skb)
                 skb->dev = dst->dev;
                 icmpv6_send(skb, ICMPV6_TIME_EXCEED, ICMPV6_EXC_HOPLIMIT,
                             0, skb->dev);
+                IP6_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS);
 
                 kfree_skb(skb);
                 return -ETIMEDOUT;
@@ -595,6 +596,9 @@ static int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
                         }
                         
                         err = output(skb);
+                        if(!err)
+                                IP6_INC_STATS(IPSTATS_MIB_FRAGCREATES);
+
                         if (err || !frag)
                                 break;
 
@@ -706,12 +710,11 @@ slow_path:
                 /*
                  *      Put this fragment into the sending queue.
                  */
-
-                IP6_INC_STATS(IPSTATS_MIB_FRAGCREATES);
-
                 err = output(frag);
                 if (err)
                         goto fail;
+
+                IP6_INC_STATS(IPSTATS_MIB_FRAGCREATES);
         }
         kfree_skb(skb);
         IP6_INC_STATS(IPSTATS_MIB_FRAGOKS);
@@ -723,48 +726,51 @@ fail:
         return err;
 }
 
-int ip6_dst_lookup(struct sock *sk, struct dst_entry **dst, struct flowi *fl)
+static struct dst_entry *ip6_sk_dst_check(struct sock *sk,
+                                          struct dst_entry *dst,
+                                          struct flowi *fl)
 {
-        int err = 0;
+        struct ipv6_pinfo *np = inet6_sk(sk);
+        struct rt6_info *rt = (struct rt6_info *)dst;
 
-        *dst = NULL;
-        if (sk) {
-                struct ipv6_pinfo *np = inet6_sk(sk);
-        
-                *dst = sk_dst_check(sk, np->dst_cookie);
-                if (*dst) {
-                        struct rt6_info *rt = (struct rt6_info*)*dst;
-        
-                        /* Yes, checking route validity in not connected
-                         * case is not very simple. Take into account,
-                         * that we do not support routing by source, TOS,
-                         * and MSG_DONTROUTE            --ANK (980726)
-                         *
-                         * 1. If route was host route, check that
-                         *    cached destination is current.
-                         *    If it is network route, we still may
-                         *    check its validity using saved pointer
-                         *    to the last used address: daddr_cache.
-                         *    We do not want to save whole address now,
-                         *    (because main consumer of this service
-                         *    is tcp, which has not this problem),
-                         *    so that the last trick works only on connected
-                         *    sockets.
-                         * 2. oif also should be the same.
-                         */
-                        if (((rt->rt6i_dst.plen != 128 ||
-                              !ipv6_addr_equal(&fl->fl6_dst,
-                                               &rt->rt6i_dst.addr))
-                             && (np->daddr_cache == NULL ||
-                                 !ipv6_addr_equal(&fl->fl6_dst,
-                                                  np->daddr_cache)))
-                            || (fl->oif && fl->oif != (*dst)->dev->ifindex)) {
-                                dst_release(*dst);
-                                *dst = NULL;
-                        }
-                }
+        if (!dst)
+                goto out;
+
+        /* Yes, checking route validity in not connected
+         * case is not very simple. Take into account,
+         * that we do not support routing by source, TOS,
+         * and MSG_DONTROUTE            --ANK (980726)
+         *
+         * 1. If route was host route, check that
+         *    cached destination is current.
+         *    If it is network route, we still may
+         *    check its validity using saved pointer
+         *    to the last used address: daddr_cache.
+         *    We do not want to save whole address now,
+         *    (because main consumer of this service
+         *    is tcp, which has not this problem),
+         *    so that the last trick works only on connected
+         *    sockets.
+         * 2. oif also should be the same.
+         */
+        if (((rt->rt6i_dst.plen != 128 ||
+              !ipv6_addr_equal(&fl->fl6_dst, &rt->rt6i_dst.addr))
+             && (np->daddr_cache == NULL ||
+                 !ipv6_addr_equal(&fl->fl6_dst, np->daddr_cache)))
+            || (fl->oif && fl->oif != dst->dev->ifindex)) {
+                dst_release(dst);
+                dst = NULL;
         }
 
+out:
+        return dst;
+}
+
+static int ip6_dst_lookup_tail(struct sock *sk,
+                               struct dst_entry **dst, struct flowi *fl)
+{
+        int err;
+
         if (*dst == NULL)
                 *dst = ip6_route_output(sk, fl);
 
@@ -773,7 +779,6 @@ int ip6_dst_lookup(struct sock *sk, struct dst_entry **dst, struct flowi *fl)
 
         if (ipv6_addr_any(&fl->fl6_src)) {
                 err = ipv6_get_saddr(*dst, &fl->fl6_dst, &fl->fl6_src);
-
                 if (err)
                         goto out_err_release;
         }
@@ -786,8 +791,48 @@ out_err_release:
         return err;
 }
 
+/**
+ *      ip6_dst_lookup - perform route lookup on flow
+ *      @sk: socket which provides route info
+ *      @dst: pointer to dst_entry * for result
+ *      @fl: flow to lookup
+ *
+ *      This function performs a route lookup on the given flow.
+ *
+ *      It returns zero on success, or a standard errno code on error.
+ */
+int ip6_dst_lookup(struct sock *sk, struct dst_entry **dst, struct flowi *fl)
+{
+        *dst = NULL;
+        return ip6_dst_lookup_tail(sk, dst, fl);
+}
 EXPORT_SYMBOL_GPL(ip6_dst_lookup);
 
+/**
+ *      ip6_sk_dst_lookup - perform socket cached route lookup on flow
+ *      @sk: socket which provides the dst cache and route info
+ *      @dst: pointer to dst_entry * for result
+ *      @fl: flow to lookup
+ *
+ *      This function performs a route lookup on the given flow with the
+ *      possibility of using the cached route in the socket if it is valid.
+ *      It will take the socket dst lock when operating on the dst cache.
+ *      As a result, this function can only be used in process context.
+ *
+ *      It returns zero on success, or a standard errno code on error.
+ */
+int ip6_sk_dst_lookup(struct sock *sk, struct dst_entry **dst, struct flowi *fl)
+{
+        *dst = NULL;
+        if (sk) {
+                *dst = sk_dst_check(sk, inet6_sk(sk)->dst_cookie);
+                *dst = ip6_sk_dst_check(sk, *dst, fl);
+        }
+
+        return ip6_dst_lookup_tail(sk, dst, fl);
+}
+EXPORT_SYMBOL_GPL(ip6_sk_dst_lookup);
+
 static inline int ip6_ufo_append_data(struct sock *sk,
                         int getfrag(void *from, char *to, int offset, int len,
                         int odd, struct sk_buff *skb),
@@ -1050,7 +1095,7 @@ alloc_new_skb:
                                 skb_prev->csum = csum_sub(skb_prev->csum,
                                                           skb->csum);
                                 data += fraggap;
-                                skb_trim(skb_prev, maxfraglen);
+                                pskb_trim_unique(skb_prev, maxfraglen);
                         }
                         copy = datalen - transhdrlen - fraggap;
                         if (copy < 0) {
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index bc77c0e1a943..84d7ebdb9d21 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -567,10 +567,9 @@ static inline struct ipv6_txoptions *create_tel(__u8 encap_limit)
 
         int opt_len = sizeof(*opt) + 8;
 
-        if (!(opt = kmalloc(opt_len, GFP_ATOMIC))) {
+        if (!(opt = kzalloc(opt_len, GFP_ATOMIC))) {
                 return NULL;
         }
-        memset(opt, 0, opt_len);
         opt->tot_len = opt_len;
         opt->dst0opt = (struct ipv6_opt_hdr *) (opt + 1);
         opt->opt_nflen = 8;
diff --git a/net/ipv6/ipcomp6.c b/net/ipv6/ipcomp6.c
index b285b0357084..7e4d1c17bfbc 100644
--- a/net/ipv6/ipcomp6.c
+++ b/net/ipv6/ipcomp6.c
@@ -109,7 +109,8 @@ static int ipcomp6_input(struct xfrm_state *x, struct sk_buff *skb)
                 goto out_put_cpu;
         }
 
-        skb_put(skb, dlen - plen);
+        skb->truesize += dlen - plen;
+        __skb_put(skb, dlen - plen);
         memcpy(skb->data, scratch, dlen);
         err = ipch->nexthdr;
 
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index 0c17dec11c8d..a5eaaf693abf 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -57,29 +57,11 @@
 
 DEFINE_SNMP_STAT(struct ipstats_mib, ipv6_statistics) __read_mostly;
 
-static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb, int features)
+static struct inet6_protocol *ipv6_gso_pull_exthdrs(struct sk_buff *skb,
+                                                    int proto)
 {
-        struct sk_buff *segs = ERR_PTR(-EINVAL);
-        struct ipv6hdr *ipv6h;
-        struct inet6_protocol *ops;
-        int proto;
+        struct inet6_protocol *ops = NULL;
 
-        if (unlikely(skb_shinfo(skb)->gso_type &
-                     ~(SKB_GSO_UDP |
-                       SKB_GSO_DODGY |
-                       SKB_GSO_TCP_ECN |
-                       SKB_GSO_TCPV6 |
-                       0)))
-                goto out;
-
-        if (unlikely(!pskb_may_pull(skb, sizeof(*ipv6h))))
-                goto out;
-
-        ipv6h = skb->nh.ipv6h;
-        proto = ipv6h->nexthdr;
-        __skb_pull(skb, sizeof(*ipv6h));
-
-        rcu_read_lock();
         for (;;) {
                 struct ipv6_opt_hdr *opth;
                 int len;
@@ -88,30 +70,80 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb, int features)
                         ops = rcu_dereference(inet6_protos[proto]);
 
                         if (unlikely(!ops))
-                                goto unlock;
+                                break;
 
                         if (!(ops->flags & INET6_PROTO_GSO_EXTHDR))
                                 break;
                 }
 
                 if (unlikely(!pskb_may_pull(skb, 8)))
-                        goto unlock;
+                        break;
 
                 opth = (void *)skb->data;
                 len = opth->hdrlen * 8 + 8;
 
                 if (unlikely(!pskb_may_pull(skb, len)))
-                        goto unlock;
+                        break;
 
                 proto = opth->nexthdr;
                 __skb_pull(skb, len);
         }
 
-        skb->h.raw = skb->data;
-        if (likely(ops->gso_segment))
-                segs = ops->gso_segment(skb, features);
+        return ops;
+}
+
+static int ipv6_gso_send_check(struct sk_buff *skb)
+{
+        struct ipv6hdr *ipv6h;
+        struct inet6_protocol *ops;
+        int err = -EINVAL;
+
+        if (unlikely(!pskb_may_pull(skb, sizeof(*ipv6h))))
+                goto out;
 
-unlock:
+        ipv6h = skb->nh.ipv6h;
+        __skb_pull(skb, sizeof(*ipv6h));
+        err = -EPROTONOSUPPORT;
+
+        rcu_read_lock();
+        ops = ipv6_gso_pull_exthdrs(skb, ipv6h->nexthdr);
+        if (likely(ops && ops->gso_send_check)) {
+                skb->h.raw = skb->data;
+                err = ops->gso_send_check(skb);
+        }
+        rcu_read_unlock();
+
+out:
+        return err;
+}
+
+static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb, int features)
+{
+        struct sk_buff *segs = ERR_PTR(-EINVAL);
+        struct ipv6hdr *ipv6h;
+        struct inet6_protocol *ops;
+
+        if (unlikely(skb_shinfo(skb)->gso_type &
+                     ~(SKB_GSO_UDP |
+                       SKB_GSO_DODGY |
+                       SKB_GSO_TCP_ECN |
+                       SKB_GSO_TCPV6 |
+                       0)))
+                goto out;
+
+        if (unlikely(!pskb_may_pull(skb, sizeof(*ipv6h))))
+                goto out;
+
+        ipv6h = skb->nh.ipv6h;
+        __skb_pull(skb, sizeof(*ipv6h));
+        segs = ERR_PTR(-EPROTONOSUPPORT);
+
+        rcu_read_lock();
+        ops = ipv6_gso_pull_exthdrs(skb, ipv6h->nexthdr);
+        if (likely(ops && ops->gso_segment)) {
+                skb->h.raw = skb->data;
+                segs = ops->gso_segment(skb, features);
+        }
         rcu_read_unlock();
 
         if (unlikely(IS_ERR(segs)))
@@ -130,6 +162,7 @@ out:
 static struct packet_type ipv6_packet_type = {
         .type = __constant_htons(ETH_P_IPV6), 
         .func = ipv6_rcv,
+        .gso_send_check = ipv6_gso_send_check,
         .gso_segment = ipv6_gso_segment,
 };
 
@@ -329,7 +362,7 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
                 break;
 
         case IPV6_TCLASS:
-                if (val < 0 || val > 0xff)
+                if (val < -1 || val > 0xff)
                         goto e_inval;
                 np->tclass = val;
                 retv = 0;
@@ -914,6 +947,8 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname,
 
         case IPV6_TCLASS:
                 val = np->tclass;
+                if (val < 0)
+                        val = 0;
                 break;
 
         case IPV6_RECVTCLASS:
diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
index 9d697d4dcffc..639eb20c9f1f 100644
--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -268,13 +268,14 @@ int ipv6_sock_mc_drop(struct sock *sk, int ifindex, struct in6_addr *addr)
                         if ((dev = dev_get_by_index(mc_lst->ifindex)) != NULL) {
                                 struct inet6_dev *idev = in6_dev_get(dev);
 
+                                (void) ip6_mc_leave_src(sk, mc_lst, idev);
                                 if (idev) {
-                                        (void) ip6_mc_leave_src(sk,mc_lst,idev);
                                         __ipv6_dev_mc_dec(idev, &mc_lst->addr);
                                         in6_dev_put(idev);
                                 }
                                 dev_put(dev);
-                        }
+                        } else
+                                (void) ip6_mc_leave_src(sk, mc_lst, NULL);
                         sock_kfree_s(sk, mc_lst, sizeof(*mc_lst));
                         return 0;
                 }
@@ -334,13 +335,14 @@ void ipv6_sock_mc_close(struct sock *sk)
                 if (dev) {
                         struct inet6_dev *idev = in6_dev_get(dev);
 
+                        (void) ip6_mc_leave_src(sk, mc_lst, idev);
                         if (idev) {
-                                (void) ip6_mc_leave_src(sk, mc_lst, idev);
                                 __ipv6_dev_mc_dec(idev, &mc_lst->addr);
                                 in6_dev_put(idev);
                         }
                         dev_put(dev);
-                }
+                } else
+                        (void) ip6_mc_leave_src(sk, mc_lst, NULL);
 
                 sock_kfree_s(sk, mc_lst, sizeof(*mc_lst));
 
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index f26898b00347..c9d6b23cd3f7 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1398,23 +1398,39 @@ static int __init ip6_tables_init(void)
 {
         int ret;
 
-        xt_proto_init(AF_INET6);
+        ret = xt_proto_init(AF_INET6);
+        if (ret < 0)
+                goto err1;
 
         /* Noone else will be downing sem now, so we won't sleep */
-        xt_register_target(&ip6t_standard_target);
-        xt_register_target(&ip6t_error_target);
-        xt_register_match(&icmp6_matchstruct);
+        ret = xt_register_target(&ip6t_standard_target);
+        if (ret < 0)
+                goto err2;
+        ret = xt_register_target(&ip6t_error_target);
+        if (ret < 0)
+                goto err3;
+        ret = xt_register_match(&icmp6_matchstruct);
+        if (ret < 0)
+                goto err4;
 
         /* Register setsockopt */
         ret = nf_register_sockopt(&ip6t_sockopts);
-        if (ret < 0) {
-                duprintf("Unable to register sockopts.\n");
-                xt_proto_fini(AF_INET6);
-                return ret;
-        }
+        if (ret < 0)
+                goto err5;
 
         printk("ip6_tables: (C) 2000-2006 Netfilter Core Team\n");
         return 0;
+
+err5:
+        xt_unregister_match(&icmp6_matchstruct);
+err4:
+        xt_unregister_target(&ip6t_error_target);
+err3:
+        xt_unregister_target(&ip6t_standard_target);
+err2:
+        xt_proto_fini(AF_INET6);
+err1:
+        return ret;
 }
 
 static void __exit ip6_tables_fini(void)
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index fa1ce0ae123e..15b862d8acab 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -411,6 +411,7 @@ static int rawv6_recvmsg(struct kiocb *iocb, struct sock *sk,
         /* Copy the address. */
         if (sin6) {
                 sin6->sin6_family = AF_INET6;
+                sin6->sin6_port = 0;
                 ipv6_addr_copy(&sin6->sin6_addr, &skb->nh.ipv6h->saddr);
                 sin6->sin6_flowinfo = 0;
                 sin6->sin6_scope_id = 0;
@@ -780,7 +781,7 @@ static int rawv6_sendmsg(struct kiocb *iocb, struct sock *sk,
         }
 
         if (tclass < 0) {
-                tclass = np->cork.tclass;
+                tclass = np->tclass;
                 if (tclass < 0)
                         tclass = 0;
         }
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 87c39c978cd0..d9baca062d24 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -53,6 +53,7 @@
 #include <linux/rtnetlink.h>
 #include <net/dst.h>
 #include <net/xfrm.h>
+#include <net/netevent.h>
 
 #include <asm/uaccess.h>
 
@@ -742,6 +743,7 @@ static void ip6_rt_update_pmtu(struct dst_entry *dst, u32 mtu)
                         dst->metrics[RTAX_FEATURES-1] |= RTAX_FEATURE_ALLFRAG;
                 }
                 dst->metrics[RTAX_MTU-1] = mtu;
+                call_netevent_notifiers(NETEVENT_PMTU_UPDATE, dst);
         }
 }
 
@@ -1155,6 +1157,7 @@ void rt6_redirect(struct in6_addr *dest, struct in6_addr *saddr,
         struct rt6_info *rt, *nrt = NULL;
         int strict;
         struct fib6_node *fn;
+        struct netevent_redirect netevent;
 
         /*
          * Get the "current" route for this destination and
@@ -1252,6 +1255,10 @@ restart:
         if (ip6_ins_rt(nrt, NULL, NULL, NULL))
                 goto out;
 
+        netevent.old = &rt->u.dst;
+        netevent.new = &nrt->u.dst;
+        call_netevent_notifiers(NETEVENT_REDIRECT, &netevent);
+
         if (rt->rt6i_flags&RTF_CACHE) {
                 ip6_del_rt(rt, NULL, NULL, NULL);
                 return;
@@ -1525,6 +1532,10 @@ int ipv6_route_ioctl(unsigned int cmd, void __user *arg)
 
 static int ip6_pkt_discard(struct sk_buff *skb)
 {
+        int type = ipv6_addr_type(&skb->nh.ipv6h->daddr);
+        if (type == IPV6_ADDR_ANY || type == IPV6_ADDR_RESERVED)
+                IP6_INC_STATS(IPSTATS_MIB_INADDRERRORS);
+
         IP6_INC_STATS(IPSTATS_MIB_OUTNOROUTES);
         icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_NOROUTE, 0, skb->dev);
         kfree_skb(skb);
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index c56aeece2bf5..836eecd7e62b 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -380,7 +380,6 @@ static int ipip6_rcv(struct sk_buff *skb)
                 secpath_reset(skb);
                 skb->mac.raw = skb->nh.raw;
                 skb->nh.raw = skb->data;
-                memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
                 IPCB(skb)->flags = 0;
                 skb->protocol = htons(ETH_P_IPV6);
                 skb->pkt_type = PACKET_HOST;
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 5bdcb9002cf7..802a1a6b1037 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -270,7 +270,7 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
         inet->rcv_saddr = LOOPBACK4_IPV6;
 
         sk->sk_gso_type = SKB_GSO_TCPV6;
-        ip6_dst_store(sk, dst, NULL);
+        __ip6_dst_store(sk, dst, NULL);
 
         icsk->icsk_ext_hdr_len = 0;
         if (np->opt)
@@ -427,7 +427,6 @@ static void tcp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
         case TCP_SYN_RECV:  /* Cannot happen.
                                It can, it SYNs are crossed. --ANK */ 
                 if (!sock_owned_by_user(sk)) {
-                        TCP_INC_STATS_BH(TCP_MIB_ATTEMPTFAILS);
                         sk->sk_err = err;
                         sk->sk_error_report(sk);                /* Wake people up to see the error (see connect in sock.c) */
 
@@ -552,6 +551,24 @@ static void tcp_v6_send_check(struct sock *sk, int len, struct sk_buff *skb)
         }
 }
 
+static int tcp_v6_gso_send_check(struct sk_buff *skb)
+{
+        struct ipv6hdr *ipv6h;
+        struct tcphdr *th;
+
+        if (!pskb_may_pull(skb, sizeof(*th)))
+                return -EINVAL;
+
+        ipv6h = skb->nh.ipv6h;
+        th = skb->h.th;
+
+        th->check = 0;
+        th->check = ~csum_ipv6_magic(&ipv6h->saddr, &ipv6h->daddr, skb->len,
+                                     IPPROTO_TCP, 0);
+        skb->csum = offsetof(struct tcphdr, check);
+        skb->ip_summed = CHECKSUM_HW;
+        return 0;
+}
 
 static void tcp_v6_send_reset(struct sk_buff *skb)
 {
@@ -813,7 +830,6 @@ drop:
         if (req)
                 reqsk_free(req);
 
-        TCP_INC_STATS_BH(TCP_MIB_ATTEMPTFAILS);
         return 0; /* don't send reset */
 }
 
@@ -928,8 +944,8 @@ static struct sock * tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
          * comment in that function for the gory details. -acme
          */
 
-        sk->sk_gso_type = SKB_GSO_TCPV6;
-        ip6_dst_store(newsk, dst, NULL);
+        newsk->sk_gso_type = SKB_GSO_TCPV6;
+        __ip6_dst_store(newsk, dst, NULL);
 
         newtcp6sk = (struct tcp6_sock *)newsk;
         inet_sk(newsk)->pinet6 = &newtcp6sk->inet6;
@@ -1603,6 +1619,7 @@ struct proto tcpv6_prot = {
 static struct inet6_protocol tcpv6_protocol = {
         .handler        =       tcp_v6_rcv,
         .err_handler    =       tcp_v6_err,
+        .gso_send_check =       tcp_v6_gso_send_check,
         .gso_segment    =       tcp_tso_segment,
         .flags          =       INET6_PROTO_NOPOLICY|INET6_PROTO_FINAL,
 };
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index ccc57f434cd3..3d54f246411e 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -782,7 +782,7 @@ do_udp_sendmsg:
                 connected = 0;
         }
 
-        err = ip6_dst_lookup(sk, &dst, fl);
+        err = ip6_sk_dst_lookup(sk, &dst, fl);
         if (err)
                 goto out;
         if (final_p)
diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
index 48fccb1eca08..c8c8b44a0f58 100644
--- a/net/ipv6/xfrm6_output.c
+++ b/net/ipv6/xfrm6_output.c
@@ -122,10 +122,10 @@ static int xfrm6_output_finish(struct sk_buff *skb)
 {
         struct sk_buff *segs;
 
-        if (!skb_shinfo(skb)->gso_size)
+        if (!skb_is_gso(skb))
                 return xfrm6_output_finish2(skb);
 
-        skb->protocol = htons(ETH_P_IP);
+        skb->protocol = htons(ETH_P_IPV6);
         segs = skb_gso_segment(skb, 0);
         kfree_skb(skb);
         if (unlikely(IS_ERR(segs)))
diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
index 6b44fe8516c3..c8f9369c2a87 100644
--- a/net/ipv6/xfrm6_tunnel.c
+++ b/net/ipv6/xfrm6_tunnel.c
@@ -31,27 +31,6 @@
 #include <linux/icmpv6.h>
 #include <linux/mutex.h>
 
-#ifdef CONFIG_IPV6_XFRM6_TUNNEL_DEBUG
-# define X6TDEBUG       3
-#else
-# define X6TDEBUG       1
-#endif
-
-#define X6TPRINTK(fmt, args...)         printk(fmt, ## args)
-#define X6TNOPRINTK(fmt, args...)       do { ; } while(0)
-
-#if X6TDEBUG >= 1
-# define X6TPRINTK1     X6TPRINTK
-#else
-# define X6TPRINTK1     X6TNOPRINTK
-#endif
-
-#if X6TDEBUG >= 3
-# define X6TPRINTK3     X6TPRINTK
-#else
-# define X6TPRINTK3     X6TNOPRINTK
-#endif
-
 /*
  * xfrm_tunnel_spi things are for allocating unique id ("spi") 
  * per xfrm_address_t.
@@ -62,15 +41,8 @@ struct xfrm6_tunnel_spi {
         xfrm_address_t addr;
         u32 spi;
         atomic_t refcnt;
-#ifdef XFRM6_TUNNEL_SPI_MAGIC
-        u32 magic;
-#endif
 };
 
-#ifdef CONFIG_IPV6_XFRM6_TUNNEL_DEBUG
-# define XFRM6_TUNNEL_SPI_MAGIC 0xdeadbeef
-#endif
-
 static DEFINE_RWLOCK(xfrm6_tunnel_spi_lock);
 
 static u32 xfrm6_tunnel_spi;
@@ -86,43 +58,15 @@ static kmem_cache_t *xfrm6_tunnel_spi_kmem __read_mostly;
 static struct hlist_head xfrm6_tunnel_spi_byaddr[XFRM6_TUNNEL_SPI_BYADDR_HSIZE];
 static struct hlist_head xfrm6_tunnel_spi_byspi[XFRM6_TUNNEL_SPI_BYSPI_HSIZE];
 
-#ifdef XFRM6_TUNNEL_SPI_MAGIC
-static int x6spi_check_magic(const struct xfrm6_tunnel_spi *x6spi,
-                             const char *name)
-{
-        if (unlikely(x6spi->magic != XFRM6_TUNNEL_SPI_MAGIC)) {
-                X6TPRINTK3(KERN_DEBUG "%s(): x6spi object "
-                                      "at %p has corrupted magic %08x "
-                                      "(should be %08x)\n",
-                           name, x6spi, x6spi->magic, XFRM6_TUNNEL_SPI_MAGIC);
-                return -1;
-        }
-        return 0;
-}
-#else
-static int inline x6spi_check_magic(const struct xfrm6_tunnel_spi *x6spi,
-                                    const char *name)
-{
-        return 0;
-}
-#endif
-
-#define X6SPI_CHECK_MAGIC(x6spi) x6spi_check_magic((x6spi), __FUNCTION__)
-
-
 static unsigned inline xfrm6_tunnel_spi_hash_byaddr(xfrm_address_t *addr)
 {
         unsigned h;
 
-        X6TPRINTK3(KERN_DEBUG "%s(addr=%p)\n", __FUNCTION__, addr);
-
         h = addr->a6[0] ^ addr->a6[1] ^ addr->a6[2] ^ addr->a6[3];
         h ^= h >> 16;
         h ^= h >> 8;
         h &= XFRM6_TUNNEL_SPI_BYADDR_HSIZE - 1;
 
-        X6TPRINTK3(KERN_DEBUG "%s() = %u\n", __FUNCTION__, h);
-
         return h;
 }
 
@@ -136,19 +80,13 @@ static int xfrm6_tunnel_spi_init(void)
 {
         int i;
 
-        X6TPRINTK3(KERN_DEBUG "%s()\n", __FUNCTION__);
-
         xfrm6_tunnel_spi = 0;
         xfrm6_tunnel_spi_kmem = kmem_cache_create("xfrm6_tunnel_spi",
                                                   sizeof(struct xfrm6_tunnel_spi),
                                                   0, SLAB_HWCACHE_ALIGN,
                                                   NULL, NULL);
-        if (!xfrm6_tunnel_spi_kmem) {
-                X6TPRINTK1(KERN_ERR
-                           "%s(): failed to allocate xfrm6_tunnel_spi_kmem\n",
-                           __FUNCTION__);
+        if (!xfrm6_tunnel_spi_kmem)
                 return -ENOMEM;
-        }
 
         for (i = 0; i < XFRM6_TUNNEL_SPI_BYADDR_HSIZE; i++)
                 INIT_HLIST_HEAD(&xfrm6_tunnel_spi_byaddr[i]);
@@ -161,22 +99,16 @@ static void xfrm6_tunnel_spi_fini(void)
 {
         int i;
 
-        X6TPRINTK3(KERN_DEBUG "%s()\n", __FUNCTION__);
-
         for (i = 0; i < XFRM6_TUNNEL_SPI_BYADDR_HSIZE; i++) {
                 if (!hlist_empty(&xfrm6_tunnel_spi_byaddr[i]))
-                        goto err;
+                        return;
         }
         for (i = 0; i < XFRM6_TUNNEL_SPI_BYSPI_HSIZE; i++) {
                 if (!hlist_empty(&xfrm6_tunnel_spi_byspi[i]))
-                        goto err;
+                        return;
         }
         kmem_cache_destroy(xfrm6_tunnel_spi_kmem);
         xfrm6_tunnel_spi_kmem = NULL;
-        return;
-err:
-        X6TPRINTK1(KERN_ERR "%s(): table is not empty\n", __FUNCTION__);
-        return;
 }
 
 static struct xfrm6_tunnel_spi *__xfrm6_tunnel_spi_lookup(xfrm_address_t *saddr)
@@ -184,19 +116,13 @@ static struct xfrm6_tunnel_spi *__xfrm6_tunnel_spi_lookup(xfrm_address_t *saddr)
         struct xfrm6_tunnel_spi *x6spi;
         struct hlist_node *pos;
 
-        X6TPRINTK3(KERN_DEBUG "%s(saddr=%p)\n", __FUNCTION__, saddr);
-
         hlist_for_each_entry(x6spi, pos,
                              &xfrm6_tunnel_spi_byaddr[xfrm6_tunnel_spi_hash_byaddr(saddr)],
                              list_byaddr) {
-                if (memcmp(&x6spi->addr, saddr, sizeof(x6spi->addr)) == 0) {
-                        X6SPI_CHECK_MAGIC(x6spi);
-                        X6TPRINTK3(KERN_DEBUG "%s() = %p(%u)\n", __FUNCTION__, x6spi, x6spi->spi);
+                if (memcmp(&x6spi->addr, saddr, sizeof(x6spi->addr)) == 0)
                         return x6spi;
-                }
         }
 
-        X6TPRINTK3(KERN_DEBUG "%s() = NULL(0)\n", __FUNCTION__);
         return NULL;
 }
 
@@ -205,8 +131,6 @@ u32 xfrm6_tunnel_spi_lookup(xfrm_address_t *saddr)
         struct xfrm6_tunnel_spi *x6spi;
         u32 spi;
 
-        X6TPRINTK3(KERN_DEBUG "%s(saddr=%p)\n", __FUNCTION__, saddr);
-
         read_lock_bh(&xfrm6_tunnel_spi_lock);
         x6spi = __xfrm6_tunnel_spi_lookup(saddr);
         spi = x6spi ? x6spi->spi : 0;
@@ -223,8 +147,6 @@ static u32 __xfrm6_tunnel_alloc_spi(xfrm_address_t *saddr)
         struct hlist_node *pos;
         unsigned index;
 
-        X6TPRINTK3(KERN_DEBUG "%s(saddr=%p)\n", __FUNCTION__, saddr);
-
         if (xfrm6_tunnel_spi < XFRM6_TUNNEL_SPI_MIN ||
             xfrm6_tunnel_spi >= XFRM6_TUNNEL_SPI_MAX)
                 xfrm6_tunnel_spi = XFRM6_TUNNEL_SPI_MIN;
@@ -258,18 +180,10 @@ try_next_2:;
         spi = 0;
         goto out;
 alloc_spi:
-        X6TPRINTK3(KERN_DEBUG "%s(): allocate new spi for " NIP6_FMT "\n",
-                              __FUNCTION__, 
-                              NIP6(*(struct in6_addr *)saddr));
         x6spi = kmem_cache_alloc(xfrm6_tunnel_spi_kmem, SLAB_ATOMIC);
-        if (!x6spi) {
-                X6TPRINTK1(KERN_ERR "%s(): kmem_cache_alloc() failed\n", 
-                           __FUNCTION__);
+        if (!x6spi)
                 goto out;
-        }
-#ifdef XFRM6_TUNNEL_SPI_MAGIC
-        x6spi->magic = XFRM6_TUNNEL_SPI_MAGIC;
-#endif
+
         memcpy(&x6spi->addr, saddr, sizeof(x6spi->addr));
         x6spi->spi = spi;
         atomic_set(&x6spi->refcnt, 1);
@@ -278,9 +192,7 @@ alloc_spi:
 
         index = xfrm6_tunnel_spi_hash_byaddr(saddr);
         hlist_add_head(&x6spi->list_byaddr, &xfrm6_tunnel_spi_byaddr[index]);
-        X6SPI_CHECK_MAGIC(x6spi);
 out:
-        X6TPRINTK3(KERN_DEBUG "%s() = %u\n", __FUNCTION__, spi);
         return spi;
 }
 
@@ -289,8 +201,6 @@ u32 xfrm6_tunnel_alloc_spi(xfrm_address_t *saddr)
         struct xfrm6_tunnel_spi *x6spi;
         u32 spi;
 
-        X6TPRINTK3(KERN_DEBUG "%s(saddr=%p)\n", __FUNCTION__, saddr);
-
         write_lock_bh(&xfrm6_tunnel_spi_lock);
         x6spi = __xfrm6_tunnel_spi_lookup(saddr);
         if (x6spi) {
@@ -300,8 +210,6 @@ u32 xfrm6_tunnel_alloc_spi(xfrm_address_t *saddr)
                 spi = __xfrm6_tunnel_alloc_spi(saddr);
         write_unlock_bh(&xfrm6_tunnel_spi_lock);
 
-        X6TPRINTK3(KERN_DEBUG "%s() = %u\n", __FUNCTION__, spi);
-
         return spi;
 }
 
@@ -312,8 +220,6 @@ void xfrm6_tunnel_free_spi(xfrm_address_t *saddr)
         struct xfrm6_tunnel_spi *x6spi;
         struct hlist_node *pos, *n;
 
-        X6TPRINTK3(KERN_DEBUG "%s(saddr=%p)\n", __FUNCTION__, saddr);
-
         write_lock_bh(&xfrm6_tunnel_spi_lock);
 
         hlist_for_each_entry_safe(x6spi, pos, n, 
@@ -321,12 +227,6 @@ void xfrm6_tunnel_free_spi(xfrm_address_t *saddr)
                                   list_byaddr)
         {
                 if (memcmp(&x6spi->addr, saddr, sizeof(x6spi->addr)) == 0) {
-                        X6TPRINTK3(KERN_DEBUG "%s(): x6spi object for " NIP6_FMT 
-                                              " found at %p\n",
-                                   __FUNCTION__, 
-                                   NIP6(*(struct in6_addr *)saddr),
-                                   x6spi);
-                        X6SPI_CHECK_MAGIC(x6spi);
                         if (atomic_dec_and_test(&x6spi->refcnt)) {
                                 hlist_del(&x6spi->list_byaddr);
                                 hlist_del(&x6spi->list_byspi);
@@ -377,20 +277,14 @@ static int xfrm6_tunnel_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
                 case ICMPV6_ADDR_UNREACH:
                 case ICMPV6_PORT_UNREACH:
                 default:
-                        X6TPRINTK3(KERN_DEBUG
-                                   "xfrm6_tunnel: Destination Unreach.\n");
                         break;
                 }
                 break;
         case ICMPV6_PKT_TOOBIG:
-                        X6TPRINTK3(KERN_DEBUG 
-                                   "xfrm6_tunnel: Packet Too Big.\n");
                 break;
         case ICMPV6_TIME_EXCEED:
                 switch (code) {
                 case ICMPV6_EXC_HOPLIMIT:
-                        X6TPRINTK3(KERN_DEBUG
-                                   "xfrm6_tunnel: Too small Hoplimit.\n");
                         break;
                 case ICMPV6_EXC_FRAGTIME:
                 default: 
@@ -447,22 +341,14 @@ static struct xfrm6_tunnel xfrm6_tunnel_handler = {
 
 static int __init xfrm6_tunnel_init(void)
 {
-        X6TPRINTK3(KERN_DEBUG "%s()\n", __FUNCTION__);
-
-        if (xfrm_register_type(&xfrm6_tunnel_type, AF_INET6) < 0) {
-                X6TPRINTK1(KERN_ERR
-                           "xfrm6_tunnel init: can't add xfrm type\n");
+        if (xfrm_register_type(&xfrm6_tunnel_type, AF_INET6) < 0)
                 return -EAGAIN;
-        }
+
         if (xfrm6_tunnel_register(&xfrm6_tunnel_handler)) {
-                X6TPRINTK1(KERN_ERR
-                           "xfrm6_tunnel init(): can't add handler\n");
                 xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6);
                 return -EAGAIN;
         }
         if (xfrm6_tunnel_spi_init() < 0) {
-                X6TPRINTK1(KERN_ERR
-                           "xfrm6_tunnel init: failed to initialize spi\n");
                 xfrm6_tunnel_deregister(&xfrm6_tunnel_handler);
                 xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6);
                 return -EAGAIN;
@@ -472,15 +358,9 @@ static int __init xfrm6_tunnel_init(void)
 
 static void __exit xfrm6_tunnel_fini(void)
 {
-        X6TPRINTK3(KERN_DEBUG "%s()\n", __FUNCTION__);
-
         xfrm6_tunnel_spi_fini();
-        if (xfrm6_tunnel_deregister(&xfrm6_tunnel_handler))
-                X6TPRINTK1(KERN_ERR 
-                           "xfrm6_tunnel close: can't remove handler\n");
-        if (xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6) < 0)
-                X6TPRINTK1(KERN_ERR
-                           "xfrm6_tunnel close: can't remove xfrm type\n");
+        xfrm6_tunnel_deregister(&xfrm6_tunnel_handler);
+        xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6);
 }
 
 module_init(xfrm6_tunnel_init);
diff --git a/net/ipx/af_ipx.c b/net/ipx/af_ipx.c
index aa34ff4b707c..bef3f61569f7 100644
--- a/net/ipx/af_ipx.c
+++ b/net/ipx/af_ipx.c
@@ -1642,13 +1642,17 @@ static int ipx_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_ty
         if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)
                 goto out;
 
-        ipx             = ipx_hdr(skb);
-        ipx_pktsize     = ntohs(ipx->ipx_pktsize);
+        if (!pskb_may_pull(skb, sizeof(struct ipxhdr)))
+                goto drop;
+
+        ipx_pktsize = ntohs(ipx_hdr(skb)->ipx_pktsize);
         
         /* Too small or invalid header? */
-        if (ipx_pktsize < sizeof(struct ipxhdr) || ipx_pktsize > skb->len)
+        if (ipx_pktsize < sizeof(struct ipxhdr) ||
+            !pskb_may_pull(skb, ipx_pktsize))
                 goto drop;
                         
+        ipx = ipx_hdr(skb);
         if (ipx->ipx_checksum != IPX_NO_CHECKSUM &&
            ipx->ipx_checksum != ipx_cksum(ipx, ipx_pktsize))
                 goto drop;
diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
index 7fae48a53bff..17699eeb64d7 100644
--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -308,7 +308,7 @@ static void irda_connect_response(struct irda_sock *self)
 
         IRDA_ASSERT(self != NULL, return;);
 
-        skb = dev_alloc_skb(64);
+        skb = alloc_skb(64, GFP_ATOMIC);
         if (skb == NULL) {
                 IRDA_DEBUG(0, "%s() Unable to allocate sk_buff!\n",
                            __FUNCTION__);
diff --git a/net/irda/ircomm/ircomm_core.c b/net/irda/ircomm/ircomm_core.c
index 9c4a902a9dba..ad6b6af3dd97 100644
--- a/net/irda/ircomm/ircomm_core.c
+++ b/net/irda/ircomm/ircomm_core.c
@@ -115,12 +115,10 @@ struct ircomm_cb *ircomm_open(notify_t *notify, __u8 service_type, int line)
 
         IRDA_ASSERT(ircomm != NULL, return NULL;);
 
-        self = kmalloc(sizeof(struct ircomm_cb), GFP_ATOMIC);
+        self = kzalloc(sizeof(struct ircomm_cb), GFP_ATOMIC);
         if (self == NULL)
                 return NULL;
 
-        memset(self, 0, sizeof(struct ircomm_cb));
-
         self->notify = *notify;
         self->magic = IRCOMM_MAGIC;
 
diff --git a/net/irda/ircomm/ircomm_lmp.c b/net/irda/ircomm/ircomm_lmp.c
index d9097207aed3..959874b6451f 100644
--- a/net/irda/ircomm/ircomm_lmp.c
+++ b/net/irda/ircomm/ircomm_lmp.c
@@ -81,7 +81,7 @@ static int ircomm_lmp_connect_response(struct ircomm_cb *self,
         
         /* Any userdata supplied? */
         if (userdata == NULL) {
-                tx_skb = dev_alloc_skb(64);
+                tx_skb = alloc_skb(64, GFP_ATOMIC);
                 if (!tx_skb)
                         return -ENOMEM;
 
@@ -115,7 +115,7 @@ static int ircomm_lmp_disconnect_request(struct ircomm_cb *self,
         IRDA_DEBUG(0, "%s()\n", __FUNCTION__ );
 
         if (!userdata) {
-                tx_skb = dev_alloc_skb(64);
+                tx_skb = alloc_skb(64, GFP_ATOMIC);
                 if (!tx_skb)
                         return -ENOMEM;
                 
diff --git a/net/irda/ircomm/ircomm_param.c b/net/irda/ircomm/ircomm_param.c
index 6009bab05091..a39f5735a90b 100644
--- a/net/irda/ircomm/ircomm_param.c
+++ b/net/irda/ircomm/ircomm_param.c
@@ -121,7 +121,7 @@ int ircomm_param_request(struct ircomm_tty_cb *self, __u8 pi, int flush)
 
         skb = self->ctrl_skb;   
         if (!skb) {
-                skb = dev_alloc_skb(256);
+                skb = alloc_skb(256, GFP_ATOMIC);
                 if (!skb) {
                         spin_unlock_irqrestore(&self->spinlock, flags);
                         return -ENOMEM;
diff --git a/net/irda/ircomm/ircomm_tty.c b/net/irda/ircomm/ircomm_tty.c
index b400f27851fc..3bcdb467efc5 100644
--- a/net/irda/ircomm/ircomm_tty.c
+++ b/net/irda/ircomm/ircomm_tty.c
@@ -379,12 +379,11 @@ static int ircomm_tty_open(struct tty_struct *tty, struct file *filp)
         self = hashbin_lock_find(ircomm_tty, line, NULL);
         if (!self) {
                 /* No, so make new instance */
-                self = kmalloc(sizeof(struct ircomm_tty_cb), GFP_KERNEL);
+                self = kzalloc(sizeof(struct ircomm_tty_cb), GFP_KERNEL);
                 if (self == NULL) {
                         IRDA_ERROR("%s(), kmalloc failed!\n", __FUNCTION__);
                         return -ENOMEM;
                 }
-                memset(self, 0, sizeof(struct ircomm_tty_cb));
                 
                 self->magic = IRCOMM_TTY_MAGIC;
                 self->flow = FLOW_STOP;
@@ -759,8 +758,9 @@ static int ircomm_tty_write(struct tty_struct *tty,
                         }
                 } else {
                         /* Prepare a full sized frame */
-                        skb = dev_alloc_skb(self->max_data_size+
-                                            self->max_header_size);
+                        skb = alloc_skb(self->max_data_size+
+                                        self->max_header_size,
+                                        GFP_ATOMIC);
                         if (!skb) {
                                 spin_unlock_irqrestore(&self->spinlock, flags);
                                 return -ENOBUFS;
diff --git a/net/irda/irda_device.c b/net/irda/irda_device.c
index ba40e5495f58..7e7a31798d8d 100644
--- a/net/irda/irda_device.c
+++ b/net/irda/irda_device.c
@@ -401,12 +401,10 @@ dongle_t *irda_device_dongle_init(struct net_device *dev, int type)
         }
 
         /* Allocate dongle info for this instance */
-        dongle = kmalloc(sizeof(dongle_t), GFP_KERNEL);
+        dongle = kzalloc(sizeof(dongle_t), GFP_KERNEL);
         if (!dongle)
                 goto out;
 
-        memset(dongle, 0, sizeof(dongle_t));
-
         /* Bind the registration info to this particular instance */
         dongle->issue = reg;
         dongle->dev = dev;
diff --git a/net/irda/iriap.c b/net/irda/iriap.c
index a0472652a44e..61128aa05b40 100644
--- a/net/irda/iriap.c
+++ b/net/irda/iriap.c
@@ -345,7 +345,7 @@ static void iriap_disconnect_request(struct iriap_cb *self)
         IRDA_ASSERT(self != NULL, return;);
         IRDA_ASSERT(self->magic == IAS_MAGIC, return;);
 
-        tx_skb = dev_alloc_skb(64);
+        tx_skb = alloc_skb(64, GFP_ATOMIC);
         if (tx_skb == NULL) {
                 IRDA_DEBUG(0, "%s(), Could not allocate an sk_buff of length %d\n", 
                         __FUNCTION__, 64);
@@ -396,7 +396,7 @@ int iriap_getvaluebyclass_request(struct iriap_cb *self,
         attr_len = strlen(attr);        /* Up to IAS_MAX_ATTRIBNAME = 60 */
 
         skb_len = self->max_header_size+2+name_len+1+attr_len+4;
-        tx_skb = dev_alloc_skb(skb_len);
+        tx_skb = alloc_skb(skb_len, GFP_ATOMIC);
         if (!tx_skb)
                 return -ENOMEM;
 
@@ -562,7 +562,8 @@ static void iriap_getvaluebyclass_response(struct iriap_cb *self,
          *  value. We add 32 bytes because of the 6 bytes for the frame and
          *  max 5 bytes for the value coding.
          */
-        tx_skb = dev_alloc_skb(value->len + self->max_header_size + 32);
+        tx_skb = alloc_skb(value->len + self->max_header_size + 32,
+                           GFP_ATOMIC);
         if (!tx_skb)
                 return;
 
@@ -700,7 +701,7 @@ void iriap_send_ack(struct iriap_cb *self)
         IRDA_ASSERT(self != NULL, return;);
         IRDA_ASSERT(self->magic == IAS_MAGIC, return;);
 
-        tx_skb = dev_alloc_skb(64);
+        tx_skb = alloc_skb(64, GFP_ATOMIC);
         if (!tx_skb)
                 return;
 
diff --git a/net/irda/iriap_event.c b/net/irda/iriap_event.c
index a73607450de1..da17395df05a 100644
--- a/net/irda/iriap_event.c
+++ b/net/irda/iriap_event.c
@@ -365,7 +365,7 @@ static void state_r_disconnect(struct iriap_cb *self, IRIAP_EVENT event,
 
         switch (event) {
         case IAP_LM_CONNECT_INDICATION:
-                tx_skb = dev_alloc_skb(64);
+                tx_skb = alloc_skb(64, GFP_ATOMIC);
                 if (tx_skb == NULL) {
                         IRDA_WARNING("%s: unable to malloc!\n", __FUNCTION__);
                         return;
diff --git a/net/irda/irias_object.c b/net/irda/irias_object.c
index 82e665c79991..a154b1d71c0f 100644
--- a/net/irda/irias_object.c
+++ b/net/irda/irias_object.c
@@ -82,13 +82,12 @@ struct ias_object *irias_new_object( char *name, int id)
 
         IRDA_DEBUG( 4, "%s()\n", __FUNCTION__);
 
-        obj = kmalloc(sizeof(struct ias_object), GFP_ATOMIC);
+        obj = kzalloc(sizeof(struct ias_object), GFP_ATOMIC);
         if (obj == NULL) {
                 IRDA_WARNING("%s(), Unable to allocate object!\n",
                              __FUNCTION__);
                 return NULL;
         }
-        memset(obj, 0, sizeof( struct ias_object));
 
         obj->magic = IAS_OBJECT_MAGIC;
         obj->name = strndup(name, IAS_MAX_CLASSNAME);
@@ -346,13 +345,12 @@ void irias_add_integer_attrib(struct ias_object *obj, char *name, int value,
         IRDA_ASSERT(obj->magic == IAS_OBJECT_MAGIC, return;);
         IRDA_ASSERT(name != NULL, return;);
 
-        attrib = kmalloc(sizeof(struct ias_attrib), GFP_ATOMIC);
+        attrib = kzalloc(sizeof(struct ias_attrib), GFP_ATOMIC);
         if (attrib == NULL) {
                 IRDA_WARNING("%s: Unable to allocate attribute!\n",
                              __FUNCTION__);
                 return;
         }
-        memset(attrib, 0, sizeof( struct ias_attrib));
 
         attrib->magic = IAS_ATTRIB_MAGIC;
         attrib->name = strndup(name, IAS_MAX_ATTRIBNAME);
@@ -382,13 +380,12 @@ void irias_add_octseq_attrib(struct ias_object *obj, char *name, __u8 *octets,
         IRDA_ASSERT(name != NULL, return;);
         IRDA_ASSERT(octets != NULL, return;);
 
-        attrib = kmalloc(sizeof(struct ias_attrib), GFP_ATOMIC);
+        attrib = kzalloc(sizeof(struct ias_attrib), GFP_ATOMIC);
         if (attrib == NULL) {
                 IRDA_WARNING("%s: Unable to allocate attribute!\n",
                              __FUNCTION__);
                 return;
         }
-        memset(attrib, 0, sizeof( struct ias_attrib));
 
         attrib->magic = IAS_ATTRIB_MAGIC;
         attrib->name = strndup(name, IAS_MAX_ATTRIBNAME);
@@ -416,13 +413,12 @@ void irias_add_string_attrib(struct ias_object *obj, char *name, char *value,
         IRDA_ASSERT(name != NULL, return;);
         IRDA_ASSERT(value != NULL, return;);
 
-        attrib = kmalloc(sizeof( struct ias_attrib), GFP_ATOMIC);
+        attrib = kzalloc(sizeof( struct ias_attrib), GFP_ATOMIC);
         if (attrib == NULL) {
                 IRDA_WARNING("%s: Unable to allocate attribute!\n",
                              __FUNCTION__);
                 return;
         }
-        memset(attrib, 0, sizeof( struct ias_attrib));
 
         attrib->magic = IAS_ATTRIB_MAGIC;
         attrib->name = strndup(name, IAS_MAX_ATTRIBNAME);
@@ -443,12 +439,11 @@ struct ias_value *irias_new_integer_value(int integer)
 {
         struct ias_value *value;
 
-        value = kmalloc(sizeof(struct ias_value), GFP_ATOMIC);
+        value = kzalloc(sizeof(struct ias_value), GFP_ATOMIC);
         if (value == NULL) {
                 IRDA_WARNING("%s: Unable to kmalloc!\n", __FUNCTION__);
                 return NULL;
         }
-        memset(value, 0, sizeof(struct ias_value));
 
         value->type = IAS_INTEGER;
         value->len = 4;
@@ -469,12 +464,11 @@ struct ias_value *irias_new_string_value(char *string)
 {
         struct ias_value *value;
 
-        value = kmalloc(sizeof(struct ias_value), GFP_ATOMIC);
+        value = kzalloc(sizeof(struct ias_value), GFP_ATOMIC);
         if (value == NULL) {
                 IRDA_WARNING("%s: Unable to kmalloc!\n", __FUNCTION__);
                 return NULL;
         }
-        memset( value, 0, sizeof( struct ias_value));
 
         value->type = IAS_STRING;
         value->charset = CS_ASCII;
@@ -495,12 +489,11 @@ struct ias_value *irias_new_octseq_value(__u8 *octseq , int len)
 {
         struct ias_value *value;
 
-        value = kmalloc(sizeof(struct ias_value), GFP_ATOMIC);
+        value = kzalloc(sizeof(struct ias_value), GFP_ATOMIC);
         if (value == NULL) {
                 IRDA_WARNING("%s: Unable to kmalloc!\n", __FUNCTION__);
                 return NULL;
         }
-        memset(value, 0, sizeof(struct ias_value));
 
         value->type = IAS_OCT_SEQ;
         /* Check length */
@@ -522,12 +515,11 @@ struct ias_value *irias_new_missing_value(void)
 {
         struct ias_value *value;
 
-        value = kmalloc(sizeof(struct ias_value), GFP_ATOMIC);
+        value = kzalloc(sizeof(struct ias_value), GFP_ATOMIC);
         if (value == NULL) {
                 IRDA_WARNING("%s: Unable to kmalloc!\n", __FUNCTION__);
                 return NULL;
         }
-        memset(value, 0, sizeof(struct ias_value));
 
         value->type = IAS_MISSING;
         value->len = 0;
diff --git a/net/irda/irlan/irlan_common.c b/net/irda/irlan/irlan_common.c
index bd659dd545ac..7dd0a2fe1d20 100644
--- a/net/irda/irlan/irlan_common.c
+++ b/net/irda/irlan/irlan_common.c
@@ -636,7 +636,7 @@ void irlan_get_provider_info(struct irlan_cb *self)
         IRDA_ASSERT(self != NULL, return;);
         IRDA_ASSERT(self->magic == IRLAN_MAGIC, return;);
 
-        skb = dev_alloc_skb(64);
+        skb = alloc_skb(64, GFP_ATOMIC);
         if (!skb)
                 return;
 
@@ -668,7 +668,7 @@ void irlan_open_data_channel(struct irlan_cb *self)
         IRDA_ASSERT(self != NULL, return;);
         IRDA_ASSERT(self->magic == IRLAN_MAGIC, return;);
         
-        skb = dev_alloc_skb(64);
+        skb = alloc_skb(64, GFP_ATOMIC);
         if (!skb)
                 return;
 
@@ -704,7 +704,7 @@ void irlan_close_data_channel(struct irlan_cb *self)
         if (self->client.tsap_ctrl == NULL)
                 return;
 
-        skb = dev_alloc_skb(64);
+        skb = alloc_skb(64, GFP_ATOMIC);
         if (!skb)
                 return;
 
@@ -739,7 +739,7 @@ static void irlan_open_unicast_addr(struct irlan_cb *self)
         IRDA_ASSERT(self != NULL, return;);
         IRDA_ASSERT(self->magic == IRLAN_MAGIC, return;);       
         
-        skb = dev_alloc_skb(128);
+        skb = alloc_skb(128, GFP_ATOMIC);
         if (!skb)
                 return;
 
@@ -777,7 +777,7 @@ void irlan_set_broadcast_filter(struct irlan_cb *self, int status)
         IRDA_ASSERT(self != NULL, return;);
         IRDA_ASSERT(self->magic == IRLAN_MAGIC, return;);
         
-        skb = dev_alloc_skb(128);
+        skb = alloc_skb(128, GFP_ATOMIC);
         if (!skb)
                 return;
 
@@ -816,7 +816,7 @@ void irlan_set_multicast_filter(struct irlan_cb *self, int status)
         IRDA_ASSERT(self != NULL, return;);
         IRDA_ASSERT(self->magic == IRLAN_MAGIC, return;);
 
-        skb = dev_alloc_skb(128);
+        skb = alloc_skb(128, GFP_ATOMIC);
         if (!skb)
                 return;
         
@@ -856,7 +856,7 @@ static void irlan_get_unicast_addr(struct irlan_cb *self)
         IRDA_ASSERT(self != NULL, return;);
         IRDA_ASSERT(self->magic == IRLAN_MAGIC, return;);
         
-        skb = dev_alloc_skb(128);
+        skb = alloc_skb(128, GFP_ATOMIC);
         if (!skb)
                 return;
 
@@ -891,7 +891,7 @@ void irlan_get_media_char(struct irlan_cb *self)
         IRDA_ASSERT(self != NULL, return;);
         IRDA_ASSERT(self->magic == IRLAN_MAGIC, return;);
         
-        skb = dev_alloc_skb(64);
+        skb = alloc_skb(64, GFP_ATOMIC);
         if (!skb)
                 return;
 
diff --git a/net/irda/irlan/irlan_provider.c b/net/irda/irlan/irlan_provider.c
index 39c202d1c374..9c0df86044d7 100644
--- a/net/irda/irlan/irlan_provider.c
+++ b/net/irda/irlan/irlan_provider.c
@@ -296,7 +296,7 @@ void irlan_provider_send_reply(struct irlan_cb *self, int command,
         IRDA_ASSERT(self != NULL, return;);
         IRDA_ASSERT(self->magic == IRLAN_MAGIC, return;);
 
-        skb = dev_alloc_skb(128);
+        skb = alloc_skb(128, GFP_ATOMIC);
         if (!skb)
                 return;
 
diff --git a/net/irda/irlap.c b/net/irda/irlap.c
index cade355ac8af..e7852a07495e 100644
--- a/net/irda/irlap.c
+++ b/net/irda/irlap.c
@@ -116,11 +116,10 @@ struct irlap_cb *irlap_open(struct net_device *dev, struct qos_info *qos,
         IRDA_DEBUG(4, "%s()\n", __FUNCTION__);
 
         /* Initialize the irlap structure. */
-        self = kmalloc(sizeof(struct irlap_cb), GFP_KERNEL);
+        self = kzalloc(sizeof(struct irlap_cb), GFP_KERNEL);
         if (self == NULL)
                 return NULL;
 
-        memset(self, 0, sizeof(struct irlap_cb));
         self->magic = LAP_MAGIC;
 
         /* Make a binding between the layers */
@@ -882,7 +881,7 @@ static void irlap_change_speed(struct irlap_cb *self, __u32 speed, int now)
         /* Change speed now, or just piggyback speed on frames */
         if (now) {
                 /* Send down empty frame to trigger speed change */
-                skb = dev_alloc_skb(0);
+                skb = alloc_skb(0, GFP_ATOMIC);
                 if (skb)
                         irlap_queue_xmit(self, skb);
         }
@@ -1222,7 +1221,7 @@ static int irlap_seq_open(struct inode *inode, struct file *file)
 {
         struct seq_file *seq;
         int rc = -ENOMEM;
-        struct irlap_iter_state *s = kmalloc(sizeof(*s), GFP_KERNEL);
+        struct irlap_iter_state *s = kzalloc(sizeof(*s), GFP_KERNEL);
        
         if (!s)
                 goto out;
@@ -1238,7 +1237,6 @@ static int irlap_seq_open(struct inode *inode, struct file *file)
 
         seq          = file->private_data;
         seq->private = s;
-        memset(s, 0, sizeof(*s));
 out:
         return rc;
 out_kfree:
diff --git a/net/irda/irlap_frame.c b/net/irda/irlap_frame.c
index 3e9a06abbdd0..ccb983bf0f4a 100644
--- a/net/irda/irlap_frame.c
+++ b/net/irda/irlap_frame.c
@@ -117,7 +117,7 @@ void irlap_send_snrm_frame(struct irlap_cb *self, struct qos_info *qos)
         IRDA_ASSERT(self->magic == LAP_MAGIC, return;);
 
         /* Allocate frame */
-        tx_skb = dev_alloc_skb(64);
+        tx_skb = alloc_skb(64, GFP_ATOMIC);
         if (!tx_skb)
                 return;
 
@@ -210,7 +210,7 @@ void irlap_send_ua_response_frame(struct irlap_cb *self, struct qos_info *qos)
         IRDA_ASSERT(self->magic == LAP_MAGIC, return;);
 
         /* Allocate frame */
-        tx_skb = dev_alloc_skb(64);
+        tx_skb = alloc_skb(64, GFP_ATOMIC);
         if (!tx_skb)
                 return;
 
@@ -250,7 +250,7 @@ void irlap_send_dm_frame( struct irlap_cb *self)
         IRDA_ASSERT(self != NULL, return;);
         IRDA_ASSERT(self->magic == LAP_MAGIC, return;);
 
-        tx_skb = dev_alloc_skb(32);
+        tx_skb = alloc_skb(32, GFP_ATOMIC);
         if (!tx_skb)
                 return;
 
@@ -282,7 +282,7 @@ void irlap_send_disc_frame(struct irlap_cb *self)
         IRDA_ASSERT(self != NULL, return;);
         IRDA_ASSERT(self->magic == LAP_MAGIC, return;);
 
-        tx_skb = dev_alloc_skb(16);
+        tx_skb = alloc_skb(16, GFP_ATOMIC);
         if (!tx_skb)
                 return;
 
@@ -315,7 +315,7 @@ void irlap_send_discovery_xid_frame(struct irlap_cb *self, int S, __u8 s,
         IRDA_ASSERT(self->magic == LAP_MAGIC, return;);
         IRDA_ASSERT(discovery != NULL, return;);
 
-        tx_skb = dev_alloc_skb(64);
+        tx_skb = alloc_skb(64, GFP_ATOMIC);
         if (!tx_skb)
                 return;
 
@@ -422,11 +422,10 @@ static void irlap_recv_discovery_xid_rsp(struct irlap_cb *self,
                 return;
         }
 
-        if ((discovery = kmalloc(sizeof(discovery_t), GFP_ATOMIC)) == NULL) {
+        if ((discovery = kzalloc(sizeof(discovery_t), GFP_ATOMIC)) == NULL) {
                 IRDA_WARNING("%s: kmalloc failed!\n", __FUNCTION__);
                 return;
         }
-        memset(discovery, 0, sizeof(discovery_t));
 
         discovery->data.daddr = info->daddr;
         discovery->data.saddr = self->saddr;
@@ -576,7 +575,7 @@ void irlap_send_rr_frame(struct irlap_cb *self, int command)
         struct sk_buff *tx_skb;
         __u8 *frame;
 
-        tx_skb = dev_alloc_skb(16);
+        tx_skb = alloc_skb(16, GFP_ATOMIC);
         if (!tx_skb)
                 return;
 
@@ -601,7 +600,7 @@ void irlap_send_rd_frame(struct irlap_cb *self)
         struct sk_buff *tx_skb;
         __u8 *frame;
 
-        tx_skb = dev_alloc_skb(16);
+        tx_skb = alloc_skb(16, GFP_ATOMIC);
         if (!tx_skb)
                 return;
 
@@ -1215,7 +1214,7 @@ void irlap_send_test_frame(struct irlap_cb *self, __u8 caddr, __u32 daddr,
         struct test_frame *frame;
         __u8 *info;
 
-        tx_skb = dev_alloc_skb(cmd->len+sizeof(struct test_frame));
+        tx_skb = alloc_skb(cmd->len+sizeof(struct test_frame), GFP_ATOMIC);
         if (!tx_skb)
                 return;
 
diff --git a/net/irda/irlmp.c b/net/irda/irlmp.c
index 129ad64c15bb..c440913dee14 100644
--- a/net/irda/irlmp.c
+++ b/net/irda/irlmp.c
@@ -78,10 +78,9 @@ int __init irlmp_init(void)
 {
         IRDA_DEBUG(1, "%s()\n", __FUNCTION__);
         /* Initialize the irlmp structure. */
-        irlmp = kmalloc( sizeof(struct irlmp_cb), GFP_KERNEL);
+        irlmp = kzalloc( sizeof(struct irlmp_cb), GFP_KERNEL);
         if (irlmp == NULL)
                 return -ENOMEM;
-        memset(irlmp, 0, sizeof(struct irlmp_cb));
 
         irlmp->magic = LMP_MAGIC;
 
@@ -160,12 +159,11 @@ struct lsap_cb *irlmp_open_lsap(__u8 slsap_sel, notify_t *notify, __u8 pid)
                 return NULL;
 
         /* Allocate new instance of a LSAP connection */
-        self = kmalloc(sizeof(struct lsap_cb), GFP_ATOMIC);
+        self = kzalloc(sizeof(struct lsap_cb), GFP_ATOMIC);
         if (self == NULL) {
                 IRDA_ERROR("%s: can't allocate memory\n", __FUNCTION__);
                 return NULL;
         }
-        memset(self, 0, sizeof(struct lsap_cb));
 
         self->magic = LMP_LSAP_MAGIC;
         self->slsap_sel = slsap_sel;
@@ -288,12 +286,11 @@ void irlmp_register_link(struct irlap_cb *irlap, __u32 saddr, notify_t *notify)
         /*
          *  Allocate new instance of a LSAP connection
          */
-        lap = kmalloc(sizeof(struct lap_cb), GFP_KERNEL);
+        lap = kzalloc(sizeof(struct lap_cb), GFP_KERNEL);
         if (lap == NULL) {
                 IRDA_ERROR("%s: unable to kmalloc\n", __FUNCTION__);
                 return;
         }
-        memset(lap, 0, sizeof(struct lap_cb));
 
         lap->irlap = irlap;
         lap->magic = LMP_LAP_MAGIC;
@@ -395,7 +392,7 @@ int irlmp_connect_request(struct lsap_cb *self, __u8 dlsap_sel,
 
         /* Any userdata? */
         if (tx_skb == NULL) {
-                tx_skb = dev_alloc_skb(64);
+                tx_skb = alloc_skb(64, GFP_ATOMIC);
                 if (!tx_skb)
                         return -ENOMEM;
 
diff --git a/net/irda/irnet/irnet_ppp.c b/net/irda/irnet/irnet_ppp.c
index e53bf9e0053e..a1e502ff9070 100644
--- a/net/irda/irnet/irnet_ppp.c
+++ b/net/irda/irnet/irnet_ppp.c
@@ -476,11 +476,10 @@ dev_irnet_open(struct inode *	inode,
 #endif /* SECURE_DEVIRNET */
 
   /* Allocate a private structure for this IrNET instance */
-  ap = kmalloc(sizeof(*ap), GFP_KERNEL);
+  ap = kzalloc(sizeof(*ap), GFP_KERNEL);
   DABORT(ap == NULL, -ENOMEM, FS_ERROR, "Can't allocate struct irnet...\n");
 
   /* initialize the irnet structure */
-  memset(ap, 0, sizeof(*ap));
   ap->file = file;
 
   /* PPP channel setup */
diff --git a/net/irda/irttp.c b/net/irda/irttp.c
index 49c51c5f1a86..42acf1cde737 100644
--- a/net/irda/irttp.c
+++ b/net/irda/irttp.c
@@ -85,10 +85,9 @@ static pi_param_info_t param_info = { pi_major_call_table, 1, 0x0f, 4 };
  */
 int __init irttp_init(void)
 {
-        irttp = kmalloc(sizeof(struct irttp_cb), GFP_KERNEL);
+        irttp = kzalloc(sizeof(struct irttp_cb), GFP_KERNEL);
         if (irttp == NULL)
                 return -ENOMEM;
-        memset(irttp, 0, sizeof(struct irttp_cb));
 
         irttp->magic = TTP_MAGIC;
 
@@ -306,7 +305,8 @@ static inline void irttp_fragment_skb(struct tsap_cb *self,
                 IRDA_DEBUG(2, "%s(), fragmenting ...\n", __FUNCTION__);
 
                 /* Make new segment */
-                frag = dev_alloc_skb(self->max_seg_size+self->max_header_size);
+                frag = alloc_skb(self->max_seg_size+self->max_header_size,
+                                 GFP_ATOMIC);
                 if (!frag)
                         return;
 
@@ -389,12 +389,11 @@ struct tsap_cb *irttp_open_tsap(__u8 stsap_sel, int credit, notify_t *notify)
                 return NULL;
         }
 
-        self = kmalloc(sizeof(struct tsap_cb), GFP_ATOMIC);
+        self = kzalloc(sizeof(struct tsap_cb), GFP_ATOMIC);
         if (self == NULL) {
                 IRDA_DEBUG(0, "%s(), unable to kmalloc!\n", __FUNCTION__);
                 return NULL;
         }
-        memset(self, 0, sizeof(struct tsap_cb));
         spin_lock_init(&self->lock);
 
         /* Initialise todo timer */
@@ -805,7 +804,7 @@ static inline void irttp_give_credit(struct tsap_cb *self)
                    self->send_credit, self->avail_credit, self->remote_credit);
 
         /* Give credit to peer */
-        tx_skb = dev_alloc_skb(64);
+        tx_skb = alloc_skb(64, GFP_ATOMIC);
         if (!tx_skb)
                 return;
 
@@ -1094,7 +1093,7 @@ int irttp_connect_request(struct tsap_cb *self, __u8 dtsap_sel,
 
         /* Any userdata supplied? */
         if (userdata == NULL) {
-                tx_skb = dev_alloc_skb(64);
+                tx_skb = alloc_skb(64, GFP_ATOMIC);
                 if (!tx_skb)
                         return -ENOMEM;
 
@@ -1342,7 +1341,7 @@ int irttp_connect_response(struct tsap_cb *self, __u32 max_sdu_size,
 
         /* Any userdata supplied? */
         if (userdata == NULL) {
-                tx_skb = dev_alloc_skb(64);
+                tx_skb = alloc_skb(64, GFP_ATOMIC);
                 if (!tx_skb)
                         return -ENOMEM;
 
@@ -1541,7 +1540,7 @@ int irttp_disconnect_request(struct tsap_cb *self, struct sk_buff *userdata,
 
         if (!userdata) {
                 struct sk_buff *tx_skb;
-                tx_skb = dev_alloc_skb(64);
+                tx_skb = alloc_skb(64, GFP_ATOMIC);
                 if (!tx_skb)
                         return -ENOMEM;
 
@@ -1876,7 +1875,7 @@ static int irttp_seq_open(struct inode *inode, struct file *file)
         int rc = -ENOMEM;
         struct irttp_iter_state *s;
 
-        s = kmalloc(sizeof(*s), GFP_KERNEL);
+        s = kzalloc(sizeof(*s), GFP_KERNEL);
         if (!s)
                 goto out;
 
@@ -1886,7 +1885,6 @@ static int irttp_seq_open(struct inode *inode, struct file *file)
 
         seq          = file->private_data;
         seq->private = s;
-        memset(s, 0, sizeof(*s));
 out:
         return rc;
 out_kfree:
diff --git a/net/lapb/lapb_iface.c b/net/lapb/lapb_iface.c
index aea6616cea3d..7e6bc41eeb21 100644
--- a/net/lapb/lapb_iface.c
+++ b/net/lapb/lapb_iface.c
@@ -115,14 +115,12 @@ static struct lapb_cb *lapb_devtostruct(struct net_device *dev)
  */
 static struct lapb_cb *lapb_create_cb(void)
 {
-        struct lapb_cb *lapb = kmalloc(sizeof(*lapb), GFP_ATOMIC);
+        struct lapb_cb *lapb = kzalloc(sizeof(*lapb), GFP_ATOMIC);
 
 
         if (!lapb)
                 goto out;
 
-        memset(lapb, 0x00, sizeof(*lapb));
-
         skb_queue_head_init(&lapb->write_queue);
         skb_queue_head_init(&lapb->ack_queue);
 
@@ -240,11 +238,13 @@ int lapb_setparms(struct net_device *dev, struct lapb_parms_struct *parms)
                 goto out_put;
 
         if (lapb->state == LAPB_STATE_0) {
-                if (((parms->mode & LAPB_EXTENDED) &&
-                     (parms->window < 1 || parms->window > 127)) ||
-                    (parms->window < 1 || parms->window > 7))
-                        goto out_put;
-
+                if (parms->mode & LAPB_EXTENDED) {
+                        if (parms->window < 1 || parms->window > 127)
+                                goto out_put;
+                } else {
+                        if (parms->window < 1 || parms->window > 7)
+                                goto out_put;
+                }
                 lapb->mode    = parms->mode;
                 lapb->window  = parms->window;
         }
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
index d6cfe84d521b..2652ead96c64 100644
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -784,24 +784,20 @@ static int llc_ui_recvmsg(struct kiocb *iocb, struct socket *sock,
                 copied += used;
                 len -= used;
 
-                if (used + offset < skb->len)
-                        continue;
-
                 if (!(flags & MSG_PEEK)) {
                         sk_eat_skb(sk, skb, 0);
                         *seq = 0;
                 }
+
+                /* For non stream protcols we get one packet per recvmsg call */
+                if (sk->sk_type != SOCK_STREAM)
+                        goto copy_uaddr;
+
+                /* Partial read */
+                if (used + offset < skb->len)
+                        continue;
         } while (len > 0);
 
-        /* 
-         * According to UNIX98, msg_name/msg_namelen are ignored
-         * on connected socket. -ANK
-         * But... af_llc still doesn't have separate sets of methods for
-         * SOCK_DGRAM and SOCK_STREAM :-( So we have to do this test, will
-         * eventually fix this tho :-) -acme
-         */
-        if (sk->sk_type == SOCK_DGRAM)
-                goto copy_uaddr;
 out:
         release_sock(sk);
         return copied;
diff --git a/net/llc/llc_core.c b/net/llc/llc_core.c
index bd242a49514a..d12413cff5bd 100644
--- a/net/llc/llc_core.c
+++ b/net/llc/llc_core.c
@@ -33,10 +33,9 @@ unsigned char llc_station_mac_sa[ETH_ALEN];
  */
 static struct llc_sap *llc_sap_alloc(void)
 {
-        struct llc_sap *sap = kmalloc(sizeof(*sap), GFP_ATOMIC);
+        struct llc_sap *sap = kzalloc(sizeof(*sap), GFP_ATOMIC);
 
         if (sap) {
-                memset(sap, 0, sizeof(*sap));
                 sap->state = LLC_SAP_STATE_ACTIVE;
                 memcpy(sap->laddr.mac, llc_station_mac_sa, ETH_ALEN);
                 rwlock_init(&sap->sk_list.lock);
diff --git a/net/llc/llc_sap.c b/net/llc/llc_sap.c
index 20c4eb5c1ac6..61cb8cf7d153 100644
--- a/net/llc/llc_sap.c
+++ b/net/llc/llc_sap.c
@@ -51,10 +51,10 @@ void llc_save_primitive(struct sock *sk, struct sk_buff* skb, u8 prim)
 {
         struct sockaddr_llc *addr;
 
-        if (skb->sk->sk_type == SOCK_STREAM) /* See UNIX98 */
-                return;
        /* save primitive for use by the user. */
         addr              = llc_ui_skb_cb(skb);
+
+        memset(addr, 0, sizeof(*addr));
         addr->sllc_family = sk->sk_family;
         addr->sllc_arphrd = skb->dev->type;
         addr->sllc_test   = prim == LLC_TEST_PRIM;
@@ -330,6 +330,9 @@ static void llc_sap_mcast(struct llc_sap *sap,
                 if (llc->laddr.lsap != laddr->lsap)
                         continue;
 
+                if (llc->dev != skb->dev)
+                        continue;
+
                 skb1 = skb_clone(skb, GFP_ATOMIC);
                 if (!skb1)
                         break;
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 42a178aa30f9..a9894ddfd72a 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -386,8 +386,8 @@ config NETFILTER_XT_MATCH_REALM
           <file:Documentation/modules.txt>.  If unsure, say `N'.
 
 config NETFILTER_XT_MATCH_SCTP
-        tristate  '"sctp" protocol match support'
-        depends on NETFILTER_XTABLES
+        tristate  '"sctp" protocol match support (EXPERIMENTAL)'
+        depends on NETFILTER_XTABLES && EXPERIMENTAL
         help
           With this option enabled, you will be able to use the 
           `sctp' match in order to match on SCTP source/destination ports
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index af4845971f70..6527d4e048d8 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -429,9 +429,9 @@ ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
                         cb->args[0], *id);
 
         read_lock_bh(&nf_conntrack_lock);
+        last = (struct nf_conn *)cb->args[1];
         for (; cb->args[0] < nf_conntrack_htable_size; cb->args[0]++) {
 restart:
-                last = (struct nf_conn *)cb->args[1];
                 list_for_each_prev(i, &nf_conntrack_hash[cb->args[0]]) {
                         h = (struct nf_conntrack_tuple_hash *) i;
                         if (DIRECTION(h) != IP_CT_DIR_ORIGINAL)
@@ -442,13 +442,10 @@ restart:
                          * then dump everything. */
                         if (l3proto && L3PROTO(ct) != l3proto)
                                 continue;
-                        if (last != NULL) {
-                                if (ct == last) {
-                                        nf_ct_put(last);
-                                        cb->args[1] = 0;
-                                        last = NULL;
-                                } else
+                        if (cb->args[1]) {
+                                if (ct != last)
                                         continue;
+                                cb->args[1] = 0;
                         }
                         if (ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).pid,
                                                 cb->nlh->nlmsg_seq,
@@ -459,17 +456,17 @@ restart:
                                 goto out;
                         }
                 }
-                if (last != NULL) {
-                        nf_ct_put(last);
+                if (cb->args[1]) {
                         cb->args[1] = 0;
                         goto restart;
                 }
         }
 out:
         read_unlock_bh(&nf_conntrack_lock);
+        if (last)
+                nf_ct_put(last);
 
         DEBUGP("leaving, last bucket=%lu id=%u\n", cb->args[0], *id);
-
         return skb->len;
 }
 
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 5fcab2ef231f..4ef836699962 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -428,6 +428,8 @@ static struct file_operations ct_cpu_seq_fops = {
 
 /* Sysctl support */
 
+int nf_conntrack_checksum = 1;
+
 #ifdef CONFIG_SYSCTL
 
 /* From nf_conntrack_core.c */
@@ -459,8 +461,6 @@ extern unsigned int nf_ct_generic_timeout;
 static int log_invalid_proto_min = 0;
 static int log_invalid_proto_max = 255;
 
-int nf_conntrack_checksum = 1;
-
 static struct ctl_table_header *nf_ct_sysctl_header;
 
 static ctl_table nf_ct_sysctl_table[] = {
diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index bb6fcee452ca..662a869593bf 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -219,21 +219,20 @@ void nf_reinject(struct sk_buff *skb, struct nf_info *info,
 
         switch (verdict & NF_VERDICT_MASK) {
         case NF_ACCEPT:
+        case NF_STOP:
                 info->okfn(skb);
+        case NF_STOLEN:
                 break;
-
         case NF_QUEUE:
                 if (!nf_queue(&skb, elem, info->pf, info->hook, 
                               info->indev, info->outdev, info->okfn,
                               verdict >> NF_VERDICT_BITS))
                         goto next_hook;
                 break;
+        default:
+                kfree_skb(skb);
         }
         rcu_read_unlock();
-
-        if (verdict == NF_DROP)
-                kfree_skb(skb);
-
         kfree(info);
         return;
 }
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 61cdda4e5d3b..b59d3b2bde21 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -366,6 +366,9 @@ __nfulnl_send(struct nfulnl_instance *inst)
         if (timer_pending(&inst->timer))
                 del_timer(&inst->timer);
 
+        if (!inst->skb)
+                return 0;
+
         if (inst->qlen > 1)
                 inst->lastnlh->nlmsg_type = NLMSG_DONE;
 
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index c2ce9c4011cc..de9537ad9a7c 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -57,6 +57,8 @@ static int checkentry_selinux(struct xt_secmark_target_info *info)
 {
         int err;
         struct xt_secmark_target_selinux_info *sel = &info->u.sel;
+        
+        sel->selctx[SECMARK_SELCTX_MAX - 1] = '\0';
 
         err = selinux_string_to_sid(sel->selctx, &sel->selsid);
         if (err) {
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index 5fe4c9df17f5..63a965467465 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -10,6 +10,7 @@
 
 #include <linux/module.h>
 #include <linux/skbuff.h>
+#include <linux/netfilter_bridge.h>
 #include <linux/netfilter/xt_physdev.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_bridge.h>
@@ -113,6 +114,21 @@ checkentry(const char *tablename,
         if (!(info->bitmask & XT_PHYSDEV_OP_MASK) ||
             info->bitmask & ~XT_PHYSDEV_OP_MASK)
                 return 0;
+        if (brnf_deferred_hooks == 0 &&
+            info->bitmask & XT_PHYSDEV_OP_OUT &&
+            (!(info->bitmask & XT_PHYSDEV_OP_BRIDGED) ||
+             info->invert & XT_PHYSDEV_OP_BRIDGED) &&
+            hook_mask & ((1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_FORWARD) |
+                         (1 << NF_IP_POST_ROUTING))) {
+                printk(KERN_WARNING "physdev match: using --physdev-out in the "
+                       "OUTPUT, FORWARD and POSTROUTING chains for non-bridged "
+                       "traffic is deprecated and breaks other things, it will "
+                       "be removed in January 2007. See Documentation/"
+                       "feature-removal-schedule.txt for details. This doesn't "
+                       "affect you in case you're using it for purely bridged "
+                       "traffic.\n");
+                brnf_deferred_hooks = 1;
+        }
         return 1;
 }
 
diff --git a/net/netfilter/xt_pkttype.c b/net/netfilter/xt_pkttype.c
index 3ac703b5cb8f..d2f5320a80bf 100644
--- a/net/netfilter/xt_pkttype.c
+++ b/net/netfilter/xt_pkttype.c
@@ -9,6 +9,8 @@
 #include <linux/skbuff.h>
 #include <linux/if_ether.h>
 #include <linux/if_packet.h>
+#include <linux/in.h>
+#include <linux/ip.h>
 
 #include <linux/netfilter/xt_pkttype.h>
 #include <linux/netfilter/x_tables.h>
@@ -28,9 +30,17 @@ static int match(const struct sk_buff *skb,
       unsigned int protoff,
       int *hotdrop)
 {
+        u_int8_t type;
         const struct xt_pkttype_info *info = matchinfo;
 
-        return (skb->pkt_type == info->pkttype) ^ info->invert;
+        if (skb->pkt_type == PACKET_LOOPBACK)
+                type = (MULTICAST(skb->nh.iph->daddr)
+                        ? PACKET_MULTICAST
+                        : PACKET_BROADCAST);
+        else
+                type = skb->pkt_type;
+
+        return (type == info->pkttype) ^ info->invert;
 }
 
 static struct xt_match pkttype_match = {
diff --git a/net/netfilter/xt_string.c b/net/netfilter/xt_string.c
index 0ebb6ac2c8c7..275330fcdaaa 100644
--- a/net/netfilter/xt_string.c
+++ b/net/netfilter/xt_string.c
@@ -37,7 +37,7 @@ static int match(const struct sk_buff *skb,
 
         return (skb_find_text((struct sk_buff *)skb, conf->from_offset, 
                              conf->to_offset, conf->config, &state) 
-                             != UINT_MAX) && !conf->invert;
+                             != UINT_MAX) ^ conf->invert;
 }
 
 #define STRING_TEXT_PRIV(m) ((struct xt_string_info *) m)
@@ -55,7 +55,10 @@ static int checkentry(const char *tablename,
         /* Damn, can't handle this case properly with iptables... */
         if (conf->from_offset > conf->to_offset)
                 return 0;
-
+        if (conf->algo[XT_STRING_MAX_ALGO_NAME_SIZE - 1] != '\0')
+                return 0;
+        if (conf->patlen > XT_STRING_MAX_PATTERN_SIZE)
+                return 0;
         ts_conf = textsearch_prepare(conf->algo, conf->pattern, conf->patlen,
                                      GFP_KERNEL, TS_AUTOLOAD);
         if (IS_ERR(ts_conf))
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 55c0adc8f115..8b85036ba8e3 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -562,10 +562,9 @@ static int netlink_alloc_groups(struct sock *sk)
         if (err)
                 return err;
 
-        nlk->groups = kmalloc(NLGRPSZ(groups), GFP_KERNEL);
+        nlk->groups = kzalloc(NLGRPSZ(groups), GFP_KERNEL);
         if (nlk->groups == NULL)
                 return -ENOMEM;
-        memset(nlk->groups, 0, NLGRPSZ(groups));
         nlk->ngroups = groups;
         return 0;
 }
@@ -1274,8 +1273,7 @@ netlink_kernel_create(int unit, unsigned int groups,
         struct netlink_sock *nlk;
         unsigned long *listeners = NULL;
 
-        if (!nl_table)
-                return NULL;
+        BUG_ON(!nl_table);
 
         if (unit<0 || unit>=MAX_LINKS)
                 return NULL;
@@ -1393,11 +1391,10 @@ int netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
         struct sock *sk;
         struct netlink_sock *nlk;
 
-        cb = kmalloc(sizeof(*cb), GFP_KERNEL);
+        cb = kzalloc(sizeof(*cb), GFP_KERNEL);
         if (cb == NULL)
                 return -ENOBUFS;
 
-        memset(cb, 0, sizeof(*cb));
         cb->dump = dump;
         cb->done = done;
         cb->nlh = nlh;
@@ -1668,7 +1665,7 @@ static int netlink_seq_open(struct inode *inode, struct file *file)
         struct nl_seq_iter *iter;
         int err;
 
-        iter = kmalloc(sizeof(*iter), GFP_KERNEL);
+        iter = kzalloc(sizeof(*iter), GFP_KERNEL);
         if (!iter)
                 return -ENOMEM;
 
@@ -1678,7 +1675,6 @@ static int netlink_seq_open(struct inode *inode, struct file *file)
                 return err;
         }
 
-        memset(iter, 0, sizeof(*iter));
         seq = file->private_data;
         seq->private = iter;
         return 0;
@@ -1747,14 +1743,9 @@ static int __init netlink_proto_init(void)
         if (sizeof(struct netlink_skb_parms) > sizeof(dummy_skb->cb))
                 netlink_skb_parms_too_large();
 
-        nl_table = kmalloc(sizeof(*nl_table) * MAX_LINKS, GFP_KERNEL);
-        if (!nl_table) {
-enomem:
-                printk(KERN_CRIT "netlink_init: Cannot allocate nl_table\n");
-                return -ENOMEM;
-        }
-
-        memset(nl_table, 0, sizeof(*nl_table) * MAX_LINKS);
+        nl_table = kcalloc(MAX_LINKS, sizeof(*nl_table), GFP_KERNEL);
+        if (!nl_table)
+                goto panic;
 
         if (num_physpages >= (128 * 1024))
                 max = num_physpages >> (21 - PAGE_SHIFT);
@@ -1774,7 +1765,7 @@ enomem:
                                 nl_pid_hash_free(nl_table[i].hash.table,
                                                  1 * sizeof(*hash->table));
                         kfree(nl_table);
-                        goto enomem;
+                        goto panic;
                 }
                 memset(hash->table, 0, 1 * sizeof(*hash->table));
                 hash->max_shift = order;
@@ -1791,6 +1782,8 @@ enomem:
         rtnetlink_init();
 out:
         return err;
+panic:
+        panic("netlink_init: Cannot allocate nl_table\n");
 }
 
 core_initcall(netlink_proto_init);
diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
index 389a4119e1b4..1d50f801f181 100644
--- a/net/netrom/af_netrom.c
+++ b/net/netrom/af_netrom.c
@@ -66,6 +66,14 @@ static DEFINE_SPINLOCK(nr_list_lock);
 static const struct proto_ops nr_proto_ops;
 
 /*
+ * NETROM network devices are virtual network devices encapsulating NETROM
+ * frames into AX.25 which will be sent through an AX.25 device, so form a
+ * special "super class" of normal net devices; split their locks off into a
+ * separate class since they always nest.
+ */
+static struct lock_class_key nr_netdev_xmit_lock_key;
+
+/*
  *      Socket removal during an interrupt is now safe.
  */
 static void nr_remove_socket(struct sock *sk)
@@ -986,18 +994,18 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
         nr_make->vl        = 0;
         nr_make->state     = NR_STATE_3;
         sk_acceptq_added(sk);
-
-        nr_insert_socket(make);
-
         skb_queue_head(&sk->sk_receive_queue, skb);
 
-        nr_start_heartbeat(make);
-        nr_start_idletimer(make);
-
         if (!sock_flag(sk, SOCK_DEAD))
                 sk->sk_data_ready(sk, skb->len);
 
         bh_unlock_sock(sk);
+
+        nr_insert_socket(make);
+
+        nr_start_heartbeat(make);
+        nr_start_idletimer(make);
+
         return 1;
 }
 
@@ -1382,14 +1390,12 @@ static int __init nr_proto_init(void)
                 return -1;
         }
 
-        dev_nr = kmalloc(nr_ndevs * sizeof(struct net_device *), GFP_KERNEL);
+        dev_nr = kzalloc(nr_ndevs * sizeof(struct net_device *), GFP_KERNEL);
         if (dev_nr == NULL) {
                 printk(KERN_ERR "NET/ROM: nr_proto_init - unable to allocate device array\n");
                 return -1;
         }
 
-        memset(dev_nr, 0x00, nr_ndevs * sizeof(struct net_device *));
-
         for (i = 0; i < nr_ndevs; i++) {
                 char name[IFNAMSIZ];
                 struct net_device *dev;
@@ -1407,6 +1413,7 @@ static int __init nr_proto_init(void)
                         free_netdev(dev);
                         goto fail;
                 }
+                lockdep_set_class(&dev->_xmit_lock, &nr_netdev_xmit_lock_key);
                 dev_nr[i] = dev;
         }
 
diff --git a/net/netrom/nr_timer.c b/net/netrom/nr_timer.c
index 75b72d389ba9..ddba1c144260 100644
--- a/net/netrom/nr_timer.c
+++ b/net/netrom/nr_timer.c
@@ -138,8 +138,8 @@ static void nr_heartbeat_expiry(unsigned long param)
                 if (sock_flag(sk, SOCK_DESTROY) ||
                     (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) {
                         sock_hold(sk);
-                        nr_destroy_socket(sk);
                         bh_unlock_sock(sk);
+                        nr_destroy_socket(sk);
                         sock_put(sk);
                         return;
                 }
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index f9cef3671593..4172a5235916 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -626,8 +626,6 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, struct packe
                 if ((int)snaplen < 0)
                         snaplen = 0;
         }
-        if (snaplen > skb->len-skb->data_len)
-                snaplen = skb->len-skb->data_len;
 
         spin_lock(&sk->sk_receive_queue.lock);
         h = (struct tpacket_hdr *)packet_lookup_frame(po, po->head);
@@ -644,7 +642,7 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, struct packe
                 status &= ~TP_STATUS_LOSING;
         spin_unlock(&sk->sk_receive_queue.lock);
 
-        memcpy((u8*)h + macoff, skb->data, snaplen);
+        skb_copy_bits(skb, 0, (u8*)h + macoff, snaplen);
 
         h->tp_len = skb->len;
         h->tp_snaplen = snaplen;
diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
index d0a67bb31363..08a542855654 100644
--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -67,6 +67,14 @@ static struct proto_ops rose_proto_ops;
 ax25_address rose_callsign;
 
 /*
+ * ROSE network devices are virtual network devices encapsulating ROSE
+ * frames into AX.25 which will be sent through an AX.25 device, so form a
+ * special "super class" of normal net devices; split their locks off into a
+ * separate class since they always nest.
+ */
+static struct lock_class_key rose_netdev_xmit_lock_key;
+
+/*
  *      Convert a ROSE address into text.
  */
 const char *rose2asc(const rose_address *addr)
@@ -1490,14 +1498,13 @@ static int __init rose_proto_init(void)
 
         rose_callsign = null_ax25_address;
 
-        dev_rose = kmalloc(rose_ndevs * sizeof(struct net_device *), GFP_KERNEL);
+        dev_rose = kzalloc(rose_ndevs * sizeof(struct net_device *), GFP_KERNEL);
         if (dev_rose == NULL) {
                 printk(KERN_ERR "ROSE: rose_proto_init - unable to allocate device structure\n");
                 rc = -ENOMEM;
                 goto out_proto_unregister;
         }
 
-        memset(dev_rose, 0x00, rose_ndevs * sizeof(struct net_device*));
         for (i = 0; i < rose_ndevs; i++) {
                 struct net_device *dev;
                 char name[IFNAMSIZ];
@@ -1516,6 +1523,7 @@ static int __init rose_proto_init(void)
                         free_netdev(dev);
                         goto fail;
                 }
+                lockdep_set_class(&dev->_xmit_lock, &rose_netdev_xmit_lock_key);
                 dev_rose[i] = dev;
         }
 
diff --git a/net/rxrpc/connection.c b/net/rxrpc/connection.c
index 573b572f8f91..93d2c55ad2d5 100644
--- a/net/rxrpc/connection.c
+++ b/net/rxrpc/connection.c
@@ -58,13 +58,12 @@ static inline int __rxrpc_create_connection(struct rxrpc_peer *peer,
         _enter("%p",peer);
 
         /* allocate and initialise a connection record */
-        conn = kmalloc(sizeof(struct rxrpc_connection), GFP_KERNEL);
+        conn = kzalloc(sizeof(struct rxrpc_connection), GFP_KERNEL);
         if (!conn) {
                 _leave(" = -ENOMEM");
                 return -ENOMEM;
         }
 
-        memset(conn, 0, sizeof(struct rxrpc_connection));
         atomic_set(&conn->usage, 1);
 
         INIT_LIST_HEAD(&conn->link);
@@ -535,13 +534,12 @@ int rxrpc_conn_newmsg(struct rxrpc_connection *conn,
                 return -EINVAL;
         }
 
-        msg = kmalloc(sizeof(struct rxrpc_message), alloc_flags);
+        msg = kzalloc(sizeof(struct rxrpc_message), alloc_flags);
         if (!msg) {
                 _leave(" = -ENOMEM");
                 return -ENOMEM;
         }
 
-        memset(msg, 0, sizeof(*msg));
         atomic_set(&msg->usage, 1);
 
         INIT_LIST_HEAD(&msg->link);
diff --git a/net/rxrpc/peer.c b/net/rxrpc/peer.c
index ed38f5b17c1b..8a275157a3bb 100644
--- a/net/rxrpc/peer.c
+++ b/net/rxrpc/peer.c
@@ -58,13 +58,12 @@ static int __rxrpc_create_peer(struct rxrpc_transport *trans, __be32 addr,
         _enter("%p,%08x", trans, ntohl(addr));
 
         /* allocate and initialise a peer record */
-        peer = kmalloc(sizeof(struct rxrpc_peer), GFP_KERNEL);
+        peer = kzalloc(sizeof(struct rxrpc_peer), GFP_KERNEL);
         if (!peer) {
                 _leave(" = -ENOMEM");
                 return -ENOMEM;
         }
 
-        memset(peer, 0, sizeof(struct rxrpc_peer));
         atomic_set(&peer->usage, 1);
 
         INIT_LIST_HEAD(&peer->link);
diff --git a/net/rxrpc/transport.c b/net/rxrpc/transport.c
index dbe6105e83a5..465efc86fccf 100644
--- a/net/rxrpc/transport.c
+++ b/net/rxrpc/transport.c
@@ -68,11 +68,10 @@ int rxrpc_create_transport(unsigned short port,
 
         _enter("%hu", port);
 
-        trans = kmalloc(sizeof(struct rxrpc_transport), GFP_KERNEL);
+        trans = kzalloc(sizeof(struct rxrpc_transport), GFP_KERNEL);
         if (!trans)
                 return -ENOMEM;
 
-        memset(trans, 0, sizeof(struct rxrpc_transport));
         atomic_set(&trans->usage, 1);
         INIT_LIST_HEAD(&trans->services);
         INIT_LIST_HEAD(&trans->link);
@@ -312,13 +311,12 @@ static int rxrpc_incoming_msg(struct rxrpc_transport *trans,
 
         _enter("");
 
-        msg = kmalloc(sizeof(struct rxrpc_message), GFP_KERNEL);
+        msg = kzalloc(sizeof(struct rxrpc_message), GFP_KERNEL);
         if (!msg) {
                 _leave(" = -ENOMEM");
                 return -ENOMEM;
         }
 
-        memset(msg, 0, sizeof(*msg));
         atomic_set(&msg->usage, 1);
         list_add_tail(&msg->link,msgq);
 
diff --git a/net/sched/act_api.c b/net/sched/act_api.c
index 5b9397b33238..a2587b52e531 100644
--- a/net/sched/act_api.c
+++ b/net/sched/act_api.c
@@ -250,15 +250,17 @@ tcf_action_dump(struct sk_buff *skb, struct tc_action *act, int bind, int ref)
                 RTA_PUT(skb, a->order, 0, NULL);
                 err = tcf_action_dump_1(skb, a, bind, ref);
                 if (err < 0)
-                        goto rtattr_failure;
+                        goto errout;
                 r->rta_len = skb->tail - (u8*)r;
         }
 
         return 0;
 
 rtattr_failure:
+        err = -EINVAL;
+errout:
         skb_trim(skb, b - skb->data);
-        return -err;
+        return err;
 }
 
 struct tc_action *tcf_action_init_1(struct rtattr *rta, struct rtattr *est,
@@ -305,14 +307,14 @@ struct tc_action *tcf_action_init_1(struct rtattr *rta, struct rtattr *est,
                         goto err_mod;
                 }
 #endif
+                *err = -ENOENT;
                 goto err_out;
         }
 
         *err = -ENOMEM;
-        a = kmalloc(sizeof(*a), GFP_KERNEL);
+        a = kzalloc(sizeof(*a), GFP_KERNEL);
         if (a == NULL)
                 goto err_mod;
-        memset(a, 0, sizeof(*a));
 
         /* backward compatibility for policer */
         if (name == NULL)
@@ -489,10 +491,9 @@ tcf_action_get_1(struct rtattr *rta, struct nlmsghdr *n, u32 pid, int *err)
         index = *(int *)RTA_DATA(tb[TCA_ACT_INDEX - 1]);
 
         *err = -ENOMEM;
-        a = kmalloc(sizeof(struct tc_action), GFP_KERNEL);
+        a = kzalloc(sizeof(struct tc_action), GFP_KERNEL);
         if (a == NULL)
                 return NULL;
-        memset(a, 0, sizeof(struct tc_action));
 
         *err = -EINVAL;
         a->ops = tc_lookup_action(tb[TCA_ACT_KIND - 1]);
@@ -528,12 +529,11 @@ static struct tc_action *create_a(int i)
 {
         struct tc_action *act;
 
-        act = kmalloc(sizeof(*act), GFP_KERNEL);
+        act = kzalloc(sizeof(*act), GFP_KERNEL);
         if (act == NULL) {
                 printk("create_a: failed to alloc!\n");
                 return NULL;
         }
-        memset(act, 0, sizeof(*act));
         act->order = i;
         return act;
 }
@@ -599,8 +599,8 @@ static int tca_action_flush(struct rtattr *rta, struct nlmsghdr *n, u32 pid)
         return err;
 
 rtattr_failure:
-        module_put(a->ops->owner);
 nlmsg_failure:
+        module_put(a->ops->owner);
 err_out:
         kfree_skb(skb);
         kfree(a);
@@ -776,7 +776,7 @@ replay:
         return ret;
 }
 
-static char *
+static struct rtattr *
 find_dump_kind(struct nlmsghdr *n)
 {
         struct rtattr *tb1, *tb2[TCA_ACT_MAX+1];
@@ -804,7 +804,7 @@ find_dump_kind(struct nlmsghdr *n)
                 return NULL;
         kind = tb2[TCA_ACT_KIND-1];
 
-        return (char *) RTA_DATA(kind);
+        return kind;
 }
 
 static int
@@ -817,16 +817,15 @@ tc_dump_action(struct sk_buff *skb, struct netlink_callback *cb)
         struct tc_action a;
         int ret = 0;
         struct tcamsg *t = (struct tcamsg *) NLMSG_DATA(cb->nlh);
-        char *kind = find_dump_kind(cb->nlh);
+        struct rtattr *kind = find_dump_kind(cb->nlh);
 
         if (kind == NULL) {
                 printk("tc_dump_action: action bad kind\n");
                 return 0;
         }
 
-        a_o = tc_lookup_action_n(kind);
+        a_o = tc_lookup_action(kind);
         if (a_o == NULL) {
-                printk("failed to find %s\n", kind);
                 return 0;
         }
 
@@ -834,7 +833,7 @@ tc_dump_action(struct sk_buff *skb, struct netlink_callback *cb)
         a.ops = a_o;
 
         if (a_o->walk == NULL) {
-                printk("tc_dump_action: %s !capable of dumping table\n", kind);
+                printk("tc_dump_action: %s !capable of dumping table\n", a_o->kind);
                 goto rtattr_failure;
         }
 
@@ -882,8 +881,6 @@ static int __init tc_action_init(void)
                 link_p[RTM_GETACTION-RTM_BASE].dumpit = tc_dump_action;
         }
 
-        printk("TC classifier action (bugs to netdev@vger.kernel.org cc "
-               "hadi@cyberus.ca)\n");
         return 0;
 }
 
diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
index 58b3a8652042..f257475e0e0c 100644
--- a/net/sched/act_pedit.c
+++ b/net/sched/act_pedit.c
@@ -209,10 +209,9 @@ tcf_pedit_dump(struct sk_buff *skb, struct tc_action *a,int bind, int ref)
         s = sizeof(*opt) + p->nkeys * sizeof(struct tc_pedit_key);
 
         /* netlink spinlocks held above us - must use ATOMIC */
-        opt = kmalloc(s, GFP_ATOMIC);
+        opt = kzalloc(s, GFP_ATOMIC);
         if (opt == NULL)
                 return -ENOBUFS;
-        memset(opt, 0, s);
 
         memcpy(opt->keys, p->keys, p->nkeys * sizeof(struct tc_pedit_key));
         opt->index = p->index;
diff --git a/net/sched/act_police.c b/net/sched/act_police.c
index 47e00bd9625e..da905d7b4b40 100644
--- a/net/sched/act_police.c
+++ b/net/sched/act_police.c
@@ -196,10 +196,9 @@ static int tcf_act_police_locate(struct rtattr *rta, struct rtattr *est,
                 return ret;
         }
 
-        p = kmalloc(sizeof(*p), GFP_KERNEL);
+        p = kzalloc(sizeof(*p), GFP_KERNEL);
         if (p == NULL)
                 return -ENOMEM;
-        memset(p, 0, sizeof(*p));
 
         ret = ACT_P_CREATED;
         p->refcnt = 1;
@@ -429,11 +428,10 @@ struct tcf_police * tcf_police_locate(struct rtattr *rta, struct rtattr *est)
                 return p;
         }
 
-        p = kmalloc(sizeof(*p), GFP_KERNEL);
+        p = kzalloc(sizeof(*p), GFP_KERNEL);
         if (p == NULL)
                 return NULL;
 
-        memset(p, 0, sizeof(*p));
         p->refcnt = 1;
         spin_lock_init(&p->lock);
         p->stats_lock = &p->lock;
diff --git a/net/sched/cls_basic.c b/net/sched/cls_basic.c
index 61507f006b11..86cac49a0531 100644
--- a/net/sched/cls_basic.c
+++ b/net/sched/cls_basic.c
@@ -178,19 +178,17 @@ static int basic_change(struct tcf_proto *tp, unsigned long base, u32 handle,
 
         err = -ENOBUFS;
         if (head == NULL) {
-                head = kmalloc(sizeof(*head), GFP_KERNEL);
+                head = kzalloc(sizeof(*head), GFP_KERNEL);
                 if (head == NULL)
                         goto errout;
 
-                memset(head, 0, sizeof(*head));
                 INIT_LIST_HEAD(&head->flist);
                 tp->root = head;
         }
 
-        f = kmalloc(sizeof(*f), GFP_KERNEL);
+        f = kzalloc(sizeof(*f), GFP_KERNEL);
         if (f == NULL)
                 goto errout;
-        memset(f, 0, sizeof(*f));
 
         err = -EINVAL;
         if (handle)
diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c
index d41de91fc4f6..e6973d9b686d 100644
--- a/net/sched/cls_fw.c
+++ b/net/sched/cls_fw.c
@@ -267,20 +267,18 @@ static int fw_change(struct tcf_proto *tp, unsigned long base,
                 return -EINVAL;
 
         if (head == NULL) {
-                head = kmalloc(sizeof(struct fw_head), GFP_KERNEL);
+                head = kzalloc(sizeof(struct fw_head), GFP_KERNEL);
                 if (head == NULL)
                         return -ENOBUFS;
-                memset(head, 0, sizeof(*head));
 
                 tcf_tree_lock(tp);
                 tp->root = head;
                 tcf_tree_unlock(tp);
         }
 
-        f = kmalloc(sizeof(struct fw_filter), GFP_KERNEL);
+        f = kzalloc(sizeof(struct fw_filter), GFP_KERNEL);
         if (f == NULL)
                 return -ENOBUFS;
-        memset(f, 0, sizeof(*f));
 
         f->id = handle;
 
diff --git a/net/sched/cls_route.c b/net/sched/cls_route.c
index c2e71900f7bd..d3aea730d4c8 100644
--- a/net/sched/cls_route.c
+++ b/net/sched/cls_route.c
@@ -396,10 +396,9 @@ static int route4_set_parms(struct tcf_proto *tp, unsigned long base,
         h1 = to_hash(nhandle);
         if ((b = head->table[h1]) == NULL) {
                 err = -ENOBUFS;
-                b = kmalloc(sizeof(struct route4_bucket), GFP_KERNEL);
+                b = kzalloc(sizeof(struct route4_bucket), GFP_KERNEL);
                 if (b == NULL)
                         goto errout;
-                memset(b, 0, sizeof(*b));
 
                 tcf_tree_lock(tp);
                 head->table[h1] = b;
@@ -475,20 +474,18 @@ static int route4_change(struct tcf_proto *tp, unsigned long base,
 
         err = -ENOBUFS;
         if (head == NULL) {
-                head = kmalloc(sizeof(struct route4_head), GFP_KERNEL);
+                head = kzalloc(sizeof(struct route4_head), GFP_KERNEL);
                 if (head == NULL)
                         goto errout;
-                memset(head, 0, sizeof(struct route4_head));
 
                 tcf_tree_lock(tp);
                 tp->root = head;
                 tcf_tree_unlock(tp);
         }
 
-        f = kmalloc(sizeof(struct route4_filter), GFP_KERNEL);
+        f = kzalloc(sizeof(struct route4_filter), GFP_KERNEL);
         if (f == NULL)
                 goto errout;
-        memset(f, 0, sizeof(*f));
 
         err = route4_set_parms(tp, base, f, handle, head, tb,
                 tca[TCA_RATE-1], 1);
diff --git a/net/sched/cls_rsvp.h b/net/sched/cls_rsvp.h
index ba8741971629..6e230ecfba05 100644
--- a/net/sched/cls_rsvp.h
+++ b/net/sched/cls_rsvp.h
@@ -240,9 +240,8 @@ static int rsvp_init(struct tcf_proto *tp)
 {
         struct rsvp_head *data;
 
-        data = kmalloc(sizeof(struct rsvp_head), GFP_KERNEL);
+        data = kzalloc(sizeof(struct rsvp_head), GFP_KERNEL);
         if (data) {
-                memset(data, 0, sizeof(struct rsvp_head));
                 tp->root = data;
                 return 0;
         }
@@ -446,11 +445,10 @@ static int rsvp_change(struct tcf_proto *tp, unsigned long base,
                 goto errout2;
 
         err = -ENOBUFS;
-        f = kmalloc(sizeof(struct rsvp_filter), GFP_KERNEL);
+        f = kzalloc(sizeof(struct rsvp_filter), GFP_KERNEL);
         if (f == NULL)
                 goto errout2;
 
-        memset(f, 0, sizeof(*f));
         h2 = 16;
         if (tb[TCA_RSVP_SRC-1]) {
                 err = -EINVAL;
@@ -532,10 +530,9 @@ insert:
         /* No session found. Create new one. */
 
         err = -ENOBUFS;
-        s = kmalloc(sizeof(struct rsvp_session), GFP_KERNEL);
+        s = kzalloc(sizeof(struct rsvp_session), GFP_KERNEL);
         if (s == NULL)
                 goto errout;
-        memset(s, 0, sizeof(*s));
         memcpy(s->dst, dst, sizeof(s->dst));
 
         if (pinfo) {
diff --git a/net/sched/cls_tcindex.c b/net/sched/cls_tcindex.c
index 7870e7bb0bac..5af8a59e1503 100644
--- a/net/sched/cls_tcindex.c
+++ b/net/sched/cls_tcindex.c
@@ -148,11 +148,10 @@ static int tcindex_init(struct tcf_proto *tp)
         struct tcindex_data *p;
 
         DPRINTK("tcindex_init(tp %p)\n",tp);
-        p = kmalloc(sizeof(struct tcindex_data),GFP_KERNEL);
+        p = kzalloc(sizeof(struct tcindex_data),GFP_KERNEL);
         if (!p)
                 return -ENOMEM;
 
-        memset(p, 0, sizeof(*p));
         p->mask = 0xffff;
         p->hash = DEFAULT_HASH_SIZE;
         p->fall_through = 1;
@@ -296,16 +295,14 @@ tcindex_set_parms(struct tcf_proto *tp, unsigned long base, u32 handle,
         err = -ENOMEM;
         if (!cp.perfect && !cp.h) {
                 if (valid_perfect_hash(&cp)) {
-                        cp.perfect = kmalloc(cp.hash * sizeof(*r), GFP_KERNEL);
+                        cp.perfect = kcalloc(cp.hash, sizeof(*r), GFP_KERNEL);
                         if (!cp.perfect)
                                 goto errout;
-                        memset(cp.perfect, 0, cp.hash * sizeof(*r));
                         balloc = 1;
                 } else {
-                        cp.h = kmalloc(cp.hash * sizeof(f), GFP_KERNEL);
+                        cp.h = kcalloc(cp.hash, sizeof(f), GFP_KERNEL);
                         if (!cp.h)
                                 goto errout;
-                        memset(cp.h, 0, cp.hash * sizeof(f));
                         balloc = 2;
                 }
         }
@@ -316,10 +313,9 @@ tcindex_set_parms(struct tcf_proto *tp, unsigned long base, u32 handle,
                 r = tcindex_lookup(&cp, handle) ? : &new_filter_result;
 
         if (r == &new_filter_result) {
-                f = kmalloc(sizeof(*f), GFP_KERNEL);
+                f = kzalloc(sizeof(*f), GFP_KERNEL);
                 if (!f)
                         goto errout_alloc;
-                memset(f, 0, sizeof(*f));
         }
 
         if (tb[TCA_TCINDEX_CLASSID-1]) {
diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
index d712edcd1bcf..0a6cfa0005be 100644
--- a/net/sched/cls_u32.c
+++ b/net/sched/cls_u32.c
@@ -307,23 +307,21 @@ static int u32_init(struct tcf_proto *tp)
                 if (tp_c->q == tp->q)
                         break;
 
-        root_ht = kmalloc(sizeof(*root_ht), GFP_KERNEL);
+        root_ht = kzalloc(sizeof(*root_ht), GFP_KERNEL);
         if (root_ht == NULL)
                 return -ENOBUFS;
 
-        memset(root_ht, 0, sizeof(*root_ht));
         root_ht->divisor = 0;
         root_ht->refcnt++;
         root_ht->handle = tp_c ? gen_new_htid(tp_c) : 0x80000000;
         root_ht->prio = tp->prio;
 
         if (tp_c == NULL) {
-                tp_c = kmalloc(sizeof(*tp_c), GFP_KERNEL);
+                tp_c = kzalloc(sizeof(*tp_c), GFP_KERNEL);
                 if (tp_c == NULL) {
                         kfree(root_ht);
                         return -ENOBUFS;
                 }
-                memset(tp_c, 0, sizeof(*tp_c));
                 tp_c->q = tp->q;
                 tp_c->next = u32_list;
                 u32_list = tp_c;
@@ -571,10 +569,9 @@ static int u32_change(struct tcf_proto *tp, unsigned long base, u32 handle,
                         if (handle == 0)
                                 return -ENOMEM;
                 }
-                ht = kmalloc(sizeof(*ht) + divisor*sizeof(void*), GFP_KERNEL);
+                ht = kzalloc(sizeof(*ht) + divisor*sizeof(void*), GFP_KERNEL);
                 if (ht == NULL)
                         return -ENOBUFS;
-                memset(ht, 0, sizeof(*ht) + divisor*sizeof(void*));
                 ht->tp_c = tp_c;
                 ht->refcnt = 0;
                 ht->divisor = divisor;
@@ -617,18 +614,16 @@ static int u32_change(struct tcf_proto *tp, unsigned long base, u32 handle,
 
         s = RTA_DATA(tb[TCA_U32_SEL-1]);
 
-        n = kmalloc(sizeof(*n) + s->nkeys*sizeof(struct tc_u32_key), GFP_KERNEL);
+        n = kzalloc(sizeof(*n) + s->nkeys*sizeof(struct tc_u32_key), GFP_KERNEL);
         if (n == NULL)
                 return -ENOBUFS;
 
-        memset(n, 0, sizeof(*n) + s->nkeys*sizeof(struct tc_u32_key));
 #ifdef CONFIG_CLS_U32_PERF
-        n->pf = kmalloc(sizeof(struct tc_u32_pcnt) + s->nkeys*sizeof(u64), GFP_KERNEL);
+        n->pf = kzalloc(sizeof(struct tc_u32_pcnt) + s->nkeys*sizeof(u64), GFP_KERNEL);
         if (n->pf == NULL) {
                 kfree(n);
                 return -ENOBUFS;
         }
-        memset(n->pf, 0, sizeof(struct tc_u32_pcnt) + s->nkeys*sizeof(u64));
 #endif
 
         memcpy(&n->sel, s, sizeof(*s) + s->nkeys*sizeof(struct tc_u32_key));
@@ -801,7 +796,7 @@ static int __init init_u32(void)
 {
         printk("u32 classifier\n");
 #ifdef CONFIG_CLS_U32_PERF
-        printk("    Perfomance counters on\n");
+        printk("    Performance counters on\n");
 #endif
 #ifdef CONFIG_NET_CLS_POLICE
         printk("    OLD policer on \n");
diff --git a/net/sched/em_meta.c b/net/sched/em_meta.c
index 698372954f4d..61e3b740ab1a 100644
--- a/net/sched/em_meta.c
+++ b/net/sched/em_meta.c
@@ -773,10 +773,9 @@ static int em_meta_change(struct tcf_proto *tp, void *data, int len,
             TCF_META_ID(hdr->right.kind) > TCF_META_ID_MAX)
                 goto errout;
 
-        meta = kmalloc(sizeof(*meta), GFP_KERNEL);
+        meta = kzalloc(sizeof(*meta), GFP_KERNEL);
         if (meta == NULL)
                 goto errout;
-        memset(meta, 0, sizeof(*meta));
 
         memcpy(&meta->lvalue.hdr, &hdr->left, sizeof(hdr->left));
         memcpy(&meta->rvalue.hdr, &hdr->right, sizeof(hdr->right));
diff --git a/net/sched/ematch.c b/net/sched/ematch.c
index 2405a86093a2..0fd0768a17c6 100644
--- a/net/sched/ematch.c
+++ b/net/sched/ematch.c
@@ -321,10 +321,9 @@ int tcf_em_tree_validate(struct tcf_proto *tp, struct rtattr *rta,
         list_len = RTA_PAYLOAD(rt_list);
         matches_len = tree_hdr->nmatches * sizeof(*em);
 
-        tree->matches = kmalloc(matches_len, GFP_KERNEL);
+        tree->matches = kzalloc(matches_len, GFP_KERNEL);
         if (tree->matches == NULL)
                 goto errout;
-        memset(tree->matches, 0, matches_len);
 
         /* We do not use rtattr_parse_nested here because the maximum
          * number of attributes is unknown. This saves us the allocation
diff --git a/net/sched/estimator.c b/net/sched/estimator.c
index 5d3ae03e22a7..0ebc98e9be2d 100644
--- a/net/sched/estimator.c
+++ b/net/sched/estimator.c
@@ -139,11 +139,10 @@ int qdisc_new_estimator(struct tc_stats *stats, spinlock_t *stats_lock, struct r
         if (parm->interval < -2 || parm->interval > 3)
                 return -EINVAL;
 
-        est = kmalloc(sizeof(*est), GFP_KERNEL);
+        est = kzalloc(sizeof(*est), GFP_KERNEL);
         if (est == NULL)
                 return -ENOBUFS;
 
-        memset(est, 0, sizeof(*est));
         est->interval = parm->interval + 2;
         est->stats = stats;
         est->stats_lock = stats_lock;
diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
index c7844bacbbcb..a19eff12cf78 100644
--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -430,7 +430,7 @@ qdisc_create(struct net_device *dev, u32 handle, struct rtattr **tca, int *errp)
         }
 #endif
 
-        err = -EINVAL;
+        err = -ENOENT;
         if (ops == NULL)
                 goto err_out;
 
diff --git a/net/sched/sch_cbq.c b/net/sched/sch_cbq.c
index 80b7f6a8d008..bac881bfe362 100644
--- a/net/sched/sch_cbq.c
+++ b/net/sched/sch_cbq.c
@@ -1926,10 +1926,9 @@ cbq_change_class(struct Qdisc *sch, u32 classid, u32 parentid, struct rtattr **t
         }
 
         err = -ENOBUFS;
-        cl = kmalloc(sizeof(*cl), GFP_KERNEL);
+        cl = kzalloc(sizeof(*cl), GFP_KERNEL);
         if (cl == NULL)
                 goto failure;
-        memset(cl, 0, sizeof(*cl));
         cl->R_tab = rtab;
         rtab = NULL;
         cl->refcnt = 1;
diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
index d735f51686a1..6f9151899795 100644
--- a/net/sched/sch_generic.c
+++ b/net/sched/sch_generic.c
@@ -238,9 +238,7 @@ void __netdev_watchdog_up(struct net_device *dev)
 
 static void dev_watchdog_up(struct net_device *dev)
 {
-        netif_tx_lock_bh(dev);
         __netdev_watchdog_up(dev);
-        netif_tx_unlock_bh(dev);
 }
 
 static void dev_watchdog_down(struct net_device *dev)
@@ -432,10 +430,9 @@ struct Qdisc *qdisc_alloc(struct net_device *dev, struct Qdisc_ops *ops)
         size = QDISC_ALIGN(sizeof(*sch));
         size += ops->priv_size + (QDISC_ALIGNTO - 1);
 
-        p = kmalloc(size, GFP_KERNEL);
+        p = kzalloc(size, GFP_KERNEL);
         if (!p)
                 goto errout;
-        memset(p, 0, size);
         sch = (struct Qdisc *) QDISC_ALIGN((unsigned long) p);
         sch->padded = (char *) sch - (char *) p;
 
diff --git a/net/sched/sch_gred.c b/net/sched/sch_gred.c
index 0cafdd5feb1b..18e81a8ffb01 100644
--- a/net/sched/sch_gred.c
+++ b/net/sched/sch_gred.c
@@ -406,10 +406,9 @@ static inline int gred_change_vq(struct Qdisc *sch, int dp,
         struct gred_sched_data *q;
 
         if (table->tab[dp] == NULL) {
-                table->tab[dp] = kmalloc(sizeof(*q), GFP_KERNEL);
+                table->tab[dp] = kzalloc(sizeof(*q), GFP_KERNEL);
                 if (table->tab[dp] == NULL)
                         return -ENOMEM;
-                memset(table->tab[dp], 0, sizeof(*q));
         }
 
         q = table->tab[dp];
diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c
index 6b1b4a981e88..6a6735a2ed35 100644
--- a/net/sched/sch_hfsc.c
+++ b/net/sched/sch_hfsc.c
@@ -1123,10 +1123,9 @@ hfsc_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
         if (rsc == NULL && fsc == NULL)
                 return -EINVAL;
 
-        cl = kmalloc(sizeof(struct hfsc_class), GFP_KERNEL);
+        cl = kzalloc(sizeof(struct hfsc_class), GFP_KERNEL);
         if (cl == NULL)
                 return -ENOBUFS;
-        memset(cl, 0, sizeof(struct hfsc_class));
 
         if (rsc != NULL)
                 hfsc_change_rsc(cl, rsc, 0);
diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c
index 34afe41fa2f3..880a3394a51f 100644
--- a/net/sched/sch_htb.c
+++ b/net/sched/sch_htb.c
@@ -196,7 +196,7 @@ struct htb_class
     struct qdisc_rate_table *rate;      /* rate table of the class itself */
     struct qdisc_rate_table *ceil;      /* ceiling rate (limits borrows too) */
     long buffer,cbuffer;                /* token bucket depth/rate */
-    long mbuffer;                       /* max wait time */
+    psched_tdiff_t mbuffer;             /* max wait time */
     long tokens,ctokens;                /* current number of tokens */
     psched_time_t t_c;                  /* checkpoint time */
 };
@@ -1559,10 +1559,9 @@ static int htb_change_class(struct Qdisc *sch, u32 classid,
                         goto failure;
                 }
                 err = -ENOBUFS;
-                if ((cl = kmalloc(sizeof(*cl), GFP_KERNEL)) == NULL)
+                if ((cl = kzalloc(sizeof(*cl), GFP_KERNEL)) == NULL)
                         goto failure;
                 
-                memset(cl, 0, sizeof(*cl));
                 cl->refcnt = 1;
                 INIT_LIST_HEAD(&cl->sibling);
                 INIT_LIST_HEAD(&cl->hlist);
@@ -1601,7 +1600,7 @@ static int htb_change_class(struct Qdisc *sch, u32 classid,
                 /* set class to be in HTB_CAN_SEND state */
                 cl->tokens = hopt->buffer;
                 cl->ctokens = hopt->cbuffer;
-                cl->mbuffer = 60000000; /* 1min */
+                cl->mbuffer = PSCHED_JIFFIE2US(HZ*60); /* 1min */
                 PSCHED_GET_TIME(cl->t_c);
                 cl->cmode = HTB_CAN_SEND;
 
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index c5bd8064e6d8..a08ec4c7c55d 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -148,7 +148,8 @@ static long tabledist(unsigned long mu, long sigma,
 static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch)
 {
         struct netem_sched_data *q = qdisc_priv(sch);
-        struct netem_skb_cb *cb = (struct netem_skb_cb *)skb->cb;
+        /* We don't fill cb now as skb_unshare() may invalidate it */
+        struct netem_skb_cb *cb;
         struct sk_buff *skb2;
         int ret;
         int count = 1;
@@ -200,6 +201,7 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch)
                 skb->data[net_random() % skb_headlen(skb)] ^= 1<<(net_random() % 8);
         }
 
+        cb = (struct netem_skb_cb *)skb->cb;
         if (q->gap == 0                 /* not doing reordering */
             || q->counter < q->gap      /* inside last reordering gap */
             || q->reorder < get_crandom(&q->reorder_cor)) {
diff --git a/net/sctp/associola.c b/net/sctp/associola.c
index 9d05e13e92f6..27329ce9c311 100644
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -441,7 +441,8 @@ void sctp_assoc_set_primary(struct sctp_association *asoc,
         /* If the primary path is changing, assume that the
          * user wants to use this new path.
          */
-        if (transport->state != SCTP_INACTIVE)
+        if ((transport->state == SCTP_ACTIVE) ||
+            (transport->state == SCTP_UNKNOWN))
                 asoc->peer.active_path = transport;
 
         /*
@@ -532,11 +533,11 @@ struct sctp_transport *sctp_assoc_add_peer(struct sctp_association *asoc,
         port = addr->v4.sin_port;
 
         SCTP_DEBUG_PRINTK_IPADDR("sctp_assoc_add_peer:association %p addr: ",
-                                 " port: %d state:%s\n",
+                                 " port: %d state:%d\n",
                                  asoc,
                                  addr,
                                  addr->v4.sin_port,
-                                 peer_state == SCTP_UNKNOWN?"UNKNOWN":"ACTIVE");
+                                 peer_state);
 
         /* Set the port if it has not been set yet.  */
         if (0 == asoc->peer.port)
@@ -545,9 +546,12 @@ struct sctp_transport *sctp_assoc_add_peer(struct sctp_association *asoc,
         /* Check to see if this is a duplicate. */
         peer = sctp_assoc_lookup_paddr(asoc, addr);
         if (peer) {
-                if (peer_state == SCTP_ACTIVE &&
-                    peer->state == SCTP_UNKNOWN)
-                     peer->state = SCTP_ACTIVE;
+                if (peer->state == SCTP_UNKNOWN) {
+                        if (peer_state == SCTP_ACTIVE)
+                                peer->state = SCTP_ACTIVE;
+                        if (peer_state == SCTP_UNCONFIRMED)
+                                peer->state = SCTP_UNCONFIRMED;
+                }
                 return peer;
         }
 
@@ -739,7 +743,8 @@ void sctp_assoc_control_transport(struct sctp_association *asoc,
         list_for_each(pos, &asoc->peer.transport_addr_list) {
                 t = list_entry(pos, struct sctp_transport, transports);
 
-                if (t->state == SCTP_INACTIVE)
+                if ((t->state == SCTP_INACTIVE) ||
+                    (t->state == SCTP_UNCONFIRMED))
                         continue;
                 if (!first || t->last_time_heard > first->last_time_heard) {
                         second = first;
@@ -759,7 +764,8 @@ void sctp_assoc_control_transport(struct sctp_association *asoc,
          * [If the primary is active but not most recent, bump the most
          * recently used transport.]
          */
-        if (asoc->peer.primary_path->state != SCTP_INACTIVE &&
+        if (((asoc->peer.primary_path->state == SCTP_ACTIVE) ||
+             (asoc->peer.primary_path->state == SCTP_UNKNOWN)) &&
             first != asoc->peer.primary_path) {
                 second = first;
                 first = asoc->peer.primary_path;
@@ -1054,7 +1060,7 @@ void sctp_assoc_update(struct sctp_association *asoc,
                                            transports);
                         if (!sctp_assoc_lookup_paddr(asoc, &trans->ipaddr))
                                 sctp_assoc_add_peer(asoc, &trans->ipaddr,
-                                                    GFP_ATOMIC, SCTP_ACTIVE);
+                                                    GFP_ATOMIC, trans->state);
                 }
 
                 asoc->ctsn_ack_point = asoc->next_tsn - 1;
@@ -1094,7 +1100,8 @@ void sctp_assoc_update_retran_path(struct sctp_association *asoc)
 
                 /* Try to find an active transport. */
 
-                if (t->state != SCTP_INACTIVE) {
+                if ((t->state == SCTP_ACTIVE) ||
+                    (t->state == SCTP_UNKNOWN)) {
                         break;
                 } else {
                         /* Keep track of the next transport in case
diff --git a/net/sctp/bind_addr.c b/net/sctp/bind_addr.c
index 2b962627f631..2b9c12a170e5 100644
--- a/net/sctp/bind_addr.c
+++ b/net/sctp/bind_addr.c
@@ -146,7 +146,7 @@ void sctp_bind_addr_free(struct sctp_bind_addr *bp)
 
 /* Add an address to the bind address list in the SCTP_bind_addr structure. */
 int sctp_add_bind_addr(struct sctp_bind_addr *bp, union sctp_addr *new,
-                       gfp_t gfp)
+                       __u8 use_as_src, gfp_t gfp)
 {
         struct sctp_sockaddr_entry *addr;
 
@@ -163,6 +163,8 @@ int sctp_add_bind_addr(struct sctp_bind_addr *bp, union sctp_addr *new,
         if (!addr->a.v4.sin_port)
                 addr->a.v4.sin_port = bp->port;
 
+        addr->use_as_src = use_as_src;
+
         INIT_LIST_HEAD(&addr->list);
         list_add_tail(&addr->list, &bp->address_list);
         SCTP_DBG_OBJCNT_INC(addr);
@@ -274,7 +276,7 @@ int sctp_raw_to_bind_addrs(struct sctp_bind_addr *bp, __u8 *raw_addr_list,
                 }
 
                 af->from_addr_param(&addr, rawaddr, port, 0);
-                retval = sctp_add_bind_addr(bp, &addr, gfp);
+                retval = sctp_add_bind_addr(bp, &addr, 1, gfp);
                 if (retval) {
                         /* Can't finish building the list, clean up. */
                         sctp_bind_addr_clean(bp);
@@ -367,7 +369,7 @@ static int sctp_copy_one_addr(struct sctp_bind_addr *dest,
                     (((AF_INET6 == addr->sa.sa_family) &&
                       (flags & SCTP_ADDR6_ALLOWED) &&
                       (flags & SCTP_ADDR6_PEERSUPP))))
-                        error = sctp_add_bind_addr(dest, addr, gfp);
+                        error = sctp_add_bind_addr(dest, addr, 1, gfp);
         }
 
         return error;
diff --git a/net/sctp/endpointola.c b/net/sctp/endpointola.c
index 67bd53070ee0..ffda1d680529 100644
--- a/net/sctp/endpointola.c
+++ b/net/sctp/endpointola.c
@@ -158,6 +158,12 @@ void sctp_endpoint_add_asoc(struct sctp_endpoint *ep,
 void sctp_endpoint_free(struct sctp_endpoint *ep)
 {
         ep->base.dead = 1;
+
+        ep->base.sk->sk_state = SCTP_SS_CLOSED;
+
+        /* Unlink this endpoint, so we can't find it again! */
+        sctp_unhash_endpoint(ep);
+
         sctp_endpoint_put(ep);
 }
 
@@ -166,11 +172,6 @@ static void sctp_endpoint_destroy(struct sctp_endpoint *ep)
 {
         SCTP_ASSERT(ep->base.dead, "Endpoint is not dead", return);
 
-        ep->base.sk->sk_state = SCTP_SS_CLOSED;
-
-        /* Unlink this endpoint, so we can't find it again! */
-        sctp_unhash_endpoint(ep);
-
         /* Free up the HMAC transform. */
         sctp_crypto_free_tfm(sctp_sk(ep->base.sk)->hmac);
 
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
index 8ef08070c8b6..99c0cefc04e0 100644
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -290,7 +290,8 @@ static void sctp_v6_get_saddr(struct sctp_association *asoc,
         sctp_read_lock(addr_lock);
         list_for_each(pos, &bp->address_list) {
                 laddr = list_entry(pos, struct sctp_sockaddr_entry, list);
-                if ((laddr->a.sa.sa_family == AF_INET6) &&
+                if ((laddr->use_as_src) &&
+                    (laddr->a.sa.sa_family == AF_INET6) &&
                     (scope <= sctp_scope(&laddr->a))) {
                         bmatchlen = sctp_v6_addr_match_len(daddr, &laddr->a);
                         if (!baddr || (matchlen < bmatchlen)) {
diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
index e5faa351aaad..30b710c54e64 100644
--- a/net/sctp/outqueue.c
+++ b/net/sctp/outqueue.c
@@ -691,7 +691,8 @@ int sctp_outq_flush(struct sctp_outq *q, int rtx_timeout)
 
                 if (!new_transport) {
                         new_transport = asoc->peer.active_path;
-                } else if (new_transport->state == SCTP_INACTIVE) {
+                } else if ((new_transport->state == SCTP_INACTIVE) ||
+                           (new_transport->state == SCTP_UNCONFIRMED)) {
                         /* If the chunk is Heartbeat or Heartbeat Ack,
                          * send it to chunk->transport, even if it's
                          * inactive.
@@ -848,7 +849,8 @@ int sctp_outq_flush(struct sctp_outq *q, int rtx_timeout)
                          */
                         new_transport = chunk->transport;
                         if (!new_transport ||
-                            new_transport->state == SCTP_INACTIVE)
+                            ((new_transport->state == SCTP_INACTIVE) ||
+                             (new_transport->state == SCTP_UNCONFIRMED)))
                                 new_transport = asoc->peer.active_path;
 
                         /* Change packets if necessary.  */
@@ -1464,7 +1466,8 @@ static void sctp_check_transmitted(struct sctp_outq *q,
                         /* Mark the destination transport address as
                          * active if it is not so marked.
                          */
-                        if (transport->state == SCTP_INACTIVE) {
+                        if ((transport->state == SCTP_INACTIVE) ||
+                            (transport->state == SCTP_UNCONFIRMED)) {
                                 sctp_assoc_control_transport(
                                         transport->asoc,
                                         transport,
diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
index 816c033d7886..1ab03a27a76e 100644
--- a/net/sctp/protocol.c
+++ b/net/sctp/protocol.c
@@ -240,7 +240,7 @@ int sctp_copy_local_addr_list(struct sctp_bind_addr *bp, sctp_scope_t scope,
                             (((AF_INET6 == addr->a.sa.sa_family) &&
                               (copy_flags & SCTP_ADDR6_ALLOWED) &&
                               (copy_flags & SCTP_ADDR6_PEERSUPP)))) {
-                                error = sctp_add_bind_addr(bp, &addr->a, 
+                                error = sctp_add_bind_addr(bp, &addr->a, 1,
                                                            GFP_ATOMIC);
                                 if (error)
                                         goto end_copy;
@@ -486,6 +486,8 @@ static struct dst_entry *sctp_v4_get_dst(struct sctp_association *asoc,
                 list_for_each(pos, &bp->address_list) {
                         laddr = list_entry(pos, struct sctp_sockaddr_entry,
                                            list);
+                        if (!laddr->use_as_src)
+                                continue;
                         sctp_v4_dst_saddr(&dst_saddr, dst, bp->port);
                         if (sctp_v4_cmp_addr(&dst_saddr, &laddr->a))
                                 goto out_unlock;
@@ -506,7 +508,8 @@ static struct dst_entry *sctp_v4_get_dst(struct sctp_association *asoc,
         list_for_each(pos, &bp->address_list) {
                 laddr = list_entry(pos, struct sctp_sockaddr_entry, list);
 
-                if (AF_INET == laddr->a.sa.sa_family) {
+                if ((laddr->use_as_src) &&
+                    (AF_INET == laddr->a.sa.sa_family)) {
                         fl.fl4_src = laddr->a.v4.sin_addr.s_addr;
                         if (!ip_route_output_key(&rt, &fl)) {
                                 dst = &rt->u.dst;
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index 2a8773691695..17b509282cf2 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -806,38 +806,26 @@ no_mem:
 
 /* Helper to create ABORT with a SCTP_ERROR_USER_ABORT error.  */
 struct sctp_chunk *sctp_make_abort_user(const struct sctp_association *asoc,
-                                   const struct sctp_chunk *chunk,
-                                   const struct msghdr *msg)
+                                        const struct msghdr *msg,
+                                        size_t paylen)
 {
         struct sctp_chunk *retval;
-        void *payload = NULL, *payoff;
-        size_t paylen = 0;
-        struct iovec *iov = NULL;
-        int iovlen = 0;
-
-        if (msg) {
-                iov = msg->msg_iov;
-                iovlen = msg->msg_iovlen;
-                paylen = get_user_iov_size(iov, iovlen);
-        }
+        void *payload = NULL;
+        int err;
 
-        retval = sctp_make_abort(asoc, chunk, sizeof(sctp_errhdr_t) + paylen);
+        retval = sctp_make_abort(asoc, NULL, sizeof(sctp_errhdr_t) + paylen);
         if (!retval)
                 goto err_chunk;
 
         if (paylen) {
                 /* Put the msg_iov together into payload.  */
-                payload = kmalloc(paylen, GFP_ATOMIC);
+                payload = kmalloc(paylen, GFP_KERNEL);
                 if (!payload)
                         goto err_payload;
-                payoff = payload;
 
-                for (; iovlen > 0; --iovlen) {
-                        if (copy_from_user(payoff, iov->iov_base,iov->iov_len))
-                                goto err_copy;
-                        payoff += iov->iov_len;
-                        iov++;
-                }
+                err = memcpy_fromiovec(payload, msg->msg_iov, paylen);
+                if (err < 0)
+                        goto err_copy;
         }
 
         sctp_init_cause(retval, SCTP_ERROR_USER_ABORT, payload, paylen);
@@ -1493,7 +1481,7 @@ no_hmac:
 
         /* Also, add the destination address. */
         if (list_empty(&retval->base.bind_addr.address_list)) {
-                sctp_add_bind_addr(&retval->base.bind_addr, &chunk->dest,
+                sctp_add_bind_addr(&retval->base.bind_addr, &chunk->dest, 1,
                                    GFP_ATOMIC);
         }
 
@@ -2017,7 +2005,7 @@ static int sctp_process_param(struct sctp_association *asoc,
                 af->from_addr_param(&addr, param.addr, asoc->peer.port, 0);
                 scope = sctp_scope(peer_addr);
                 if (sctp_in_scope(&addr, scope))
-                        if (!sctp_assoc_add_peer(asoc, &addr, gfp, SCTP_ACTIVE))
+                        if (!sctp_assoc_add_peer(asoc, &addr, gfp, SCTP_UNCONFIRMED))
                                 return 0;
                 break;
 
@@ -2418,7 +2406,7 @@ static __u16 sctp_process_asconf_param(struct sctp_association *asoc,
                  * Due to Resource Shortage'.
                  */
 
-                peer = sctp_assoc_add_peer(asoc, &addr, GFP_ATOMIC, SCTP_ACTIVE);
+                peer = sctp_assoc_add_peer(asoc, &addr, GFP_ATOMIC, SCTP_UNCONFIRMED);
                 if (!peer)
                         return SCTP_ERROR_RSRC_LOW;
 
@@ -2565,6 +2553,7 @@ static int sctp_asconf_param_success(struct sctp_association *asoc,
         union sctp_addr_param *addr_param;
         struct list_head *pos;
         struct sctp_transport *transport;
+        struct sctp_sockaddr_entry *saddr;
         int retval = 0;
 
         addr_param = (union sctp_addr_param *)
@@ -2578,7 +2567,11 @@ static int sctp_asconf_param_success(struct sctp_association *asoc,
         case SCTP_PARAM_ADD_IP:
                 sctp_local_bh_disable();
                 sctp_write_lock(&asoc->base.addr_lock);
-                retval = sctp_add_bind_addr(bp, &addr, GFP_ATOMIC);
+                list_for_each(pos, &bp->address_list) {
+                        saddr = list_entry(pos, struct sctp_sockaddr_entry, list);
+                        if (sctp_cmp_addr_exact(&saddr->a, &addr))
+                                saddr->use_as_src = 1;
+                }
                 sctp_write_unlock(&asoc->base.addr_lock);
                 sctp_local_bh_enable();
                 break;
@@ -2591,6 +2584,7 @@ static int sctp_asconf_param_success(struct sctp_association *asoc,
                 list_for_each(pos, &asoc->peer.transport_addr_list) {
                         transport = list_entry(pos, struct sctp_transport,
                                                  transports);
+                        dst_release(transport->dst);
                         sctp_transport_route(transport, NULL,
                                              sctp_sk(asoc->base.sk));
                 }
diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c
index c5beb2ad7ef7..9c10bdec1afe 100644
--- a/net/sctp/sm_sideeffect.c
+++ b/net/sctp/sm_sideeffect.c
@@ -430,7 +430,11 @@ static void sctp_do_8_2_transport_strike(struct sctp_association *asoc,
         /* The check for association's overall error counter exceeding the
          * threshold is done in the state function.
          */
-        asoc->overall_error_count++;
+        /* When probing UNCONFIRMED addresses, the association overall
+         * error count is NOT incremented
+         */
+        if (transport->state != SCTP_UNCONFIRMED)
+                asoc->overall_error_count++;
 
         if (transport->state != SCTP_INACTIVE &&
             (transport->error_count++ >= transport->pathmaxrxt)) {
@@ -610,7 +614,7 @@ static void sctp_cmd_transport_on(sctp_cmd_seq_t *cmds,
         /* Mark the destination transport address as active if it is not so
          * marked.
          */
-        if (t->state == SCTP_INACTIVE)
+        if ((t->state == SCTP_INACTIVE) || (t->state == SCTP_UNCONFIRMED))
                 sctp_assoc_control_transport(asoc, t, SCTP_TRANSPORT_UP,
                                              SCTP_HEARTBEAT_SUCCESS);
 
@@ -620,6 +624,10 @@ static void sctp_cmd_transport_on(sctp_cmd_seq_t *cmds,
          */
         hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data;
         sctp_transport_update_rto(t, (jiffies - hbinfo->sent_at));
+
+        /* Update the heartbeat timer.  */
+        if (!mod_timer(&t->hb_timer, sctp_transport_timeout(t)))
+                sctp_transport_hold(t);
 }
 
 /* Helper function to do a transport reset at the expiry of the hearbeat
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 9e58144f4851..5b5ae7958322 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -846,6 +846,7 @@ static sctp_disposition_t sctp_sf_heartbeat(const struct sctp_endpoint *ep,
         hbinfo.param_hdr.length = htons(sizeof(sctp_sender_hb_info_t));
         hbinfo.daddr = transport->ipaddr;
         hbinfo.sent_at = jiffies;
+        hbinfo.hb_nonce = transport->hb_nonce;
 
         /* Send a heartbeat to our peer.  */
         paylen = sizeof(sctp_sender_hb_info_t);
@@ -1048,6 +1049,10 @@ sctp_disposition_t sctp_sf_backbeat_8_3(const struct sctp_endpoint *ep,
                 return SCTP_DISPOSITION_DISCARD;
         }
 
+        /* Validate the 64-bit random nonce. */
+        if (hbinfo->hb_nonce != link->hb_nonce)
+                return SCTP_DISPOSITION_DISCARD;
+
         max_interval = link->hbinterval + link->rto;
 
         /* Check if the timestamp looks valid.  */
@@ -4026,18 +4031,12 @@ sctp_disposition_t sctp_sf_do_9_1_prm_abort(
          * from its upper layer, but retransmits data to the far end
          * if necessary to fill gaps.
          */
-        struct msghdr *msg = arg;
-        struct sctp_chunk *abort;
+        struct sctp_chunk *abort = arg;
         sctp_disposition_t retval;
 
         retval = SCTP_DISPOSITION_CONSUME;
 
-        /* Generate ABORT chunk to send the peer.  */
-        abort = sctp_make_abort_user(asoc, NULL, msg);
-        if (!abort)
-                retval = SCTP_DISPOSITION_NOMEM;
-        else
-                sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
+        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
 
         /* Even if we can't send the ABORT due to low memory delete the
          * TCB.  This is a departure from our typical NOMEM handling.
@@ -4161,8 +4160,7 @@ sctp_disposition_t sctp_sf_cookie_wait_prm_abort(
         void *arg,
         sctp_cmd_seq_t *commands)
 {
-        struct msghdr *msg = arg;
-        struct sctp_chunk *abort;
+        struct sctp_chunk *abort = arg;
         sctp_disposition_t retval;
 
         /* Stop T1-init timer */
@@ -4170,12 +4168,7 @@ sctp_disposition_t sctp_sf_cookie_wait_prm_abort(
                         SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
         retval = SCTP_DISPOSITION_CONSUME;
 
-        /* Generate ABORT chunk to send the peer */
-        abort = sctp_make_abort_user(asoc, NULL, msg);
-        if (!abort)
-                retval = SCTP_DISPOSITION_NOMEM;
-        else
-                sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
+        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
 
         sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
                         SCTP_STATE(SCTP_STATE_CLOSED));
@@ -5278,7 +5271,6 @@ static int sctp_eat_data(const struct sctp_association *asoc,
         datalen -= sizeof(sctp_data_chunk_t);
 
         deliver = SCTP_CMD_CHUNK_ULP;
-        chunk->data_accepted = 1;
 
         /* Think about partial delivery. */
         if ((datalen >= asoc->rwnd) && (!asoc->ulpq.pd_mode)) {
@@ -5357,6 +5349,8 @@ static int sctp_eat_data(const struct sctp_association *asoc,
         if (SCTP_CMD_CHUNK_ULP == deliver)
                 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn));
 
+        chunk->data_accepted = 1;
+
         /* Note: Some chunks may get overcounted (if we drop) or overcounted
          * if we renege and the chunk arrives again.
          */
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 0a2c71d0d8aa..dab15949958e 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -369,7 +369,7 @@ SCTP_STATIC int sctp_do_bind(struct sock *sk, union sctp_addr *addr, int len)
 
         /* Use GFP_ATOMIC since BHs are disabled.  */
         addr->v4.sin_port = ntohs(addr->v4.sin_port);
-        ret = sctp_add_bind_addr(bp, addr, GFP_ATOMIC);
+        ret = sctp_add_bind_addr(bp, addr, 1, GFP_ATOMIC);
         addr->v4.sin_port = htons(addr->v4.sin_port);
         sctp_write_unlock(&ep->base.addr_lock);
         sctp_local_bh_enable();
@@ -491,6 +491,7 @@ static int sctp_send_asconf_add_ip(struct sock		*sk,
         struct sctp_chunk               *chunk;
         struct sctp_sockaddr_entry      *laddr;
         union sctp_addr                 *addr;
+        union sctp_addr                 saveaddr;
         void                            *addr_buf;
         struct sctp_af                  *af;
         struct list_head                *pos;
@@ -558,14 +559,26 @@ static int sctp_send_asconf_add_ip(struct sock		*sk,
                 }
 
                 retval = sctp_send_asconf(asoc, chunk);
+                if (retval)
+                        goto out;
 
-                /* FIXME: After sending the add address ASCONF chunk, we
-                 * cannot append the address to the association's binding
-                 * address list, because the new address may be used as the
-                 * source of a message sent to the peer before the ASCONF
-                 * chunk is received by the peer.  So we should wait until
-                 * ASCONF_ACK is received.
+                /* Add the new addresses to the bind address list with
+                 * use_as_src set to 0.
                  */
+                sctp_local_bh_disable();
+                sctp_write_lock(&asoc->base.addr_lock);
+                addr_buf = addrs;
+                for (i = 0; i < addrcnt; i++) {
+                        addr = (union sctp_addr *)addr_buf;
+                        af = sctp_get_af_specific(addr->v4.sin_family);
+                        memcpy(&saveaddr, addr, af->sockaddr_len);
+                        saveaddr.v4.sin_port = ntohs(saveaddr.v4.sin_port);
+                        retval = sctp_add_bind_addr(bp, &saveaddr, 0,
+                                                    GFP_ATOMIC);
+                        addr_buf += af->sockaddr_len;
+                }
+                sctp_write_unlock(&asoc->base.addr_lock);
+                sctp_local_bh_enable();
         }
 
 out:
@@ -676,12 +689,15 @@ static int sctp_send_asconf_del_ip(struct sock		*sk,
         struct sctp_sock        *sp;
         struct sctp_endpoint    *ep;
         struct sctp_association *asoc;
+        struct sctp_transport   *transport;
         struct sctp_bind_addr   *bp;
         struct sctp_chunk       *chunk;
         union sctp_addr         *laddr;
+        union sctp_addr         saveaddr;
         void                    *addr_buf;
         struct sctp_af          *af;
-        struct list_head        *pos;
+        struct list_head        *pos, *pos1;
+        struct sctp_sockaddr_entry *saddr;
         int                     i;
         int                     retval = 0;
 
@@ -748,14 +764,42 @@ static int sctp_send_asconf_del_ip(struct sock		*sk,
                         goto out;
                 }
 
-                retval = sctp_send_asconf(asoc, chunk);
+                /* Reset use_as_src flag for the addresses in the bind address
+                 * list that are to be deleted.
+                 */
+                sctp_local_bh_disable();
+                sctp_write_lock(&asoc->base.addr_lock);
+                addr_buf = addrs;
+                for (i = 0; i < addrcnt; i++) {
+                        laddr = (union sctp_addr *)addr_buf;
+                        af = sctp_get_af_specific(laddr->v4.sin_family);
+                        memcpy(&saveaddr, laddr, af->sockaddr_len);
+                        saveaddr.v4.sin_port = ntohs(saveaddr.v4.sin_port);
+                        list_for_each(pos1, &bp->address_list) {
+                                saddr = list_entry(pos1,
+                                                   struct sctp_sockaddr_entry,
+                                                   list);
+                                if (sctp_cmp_addr_exact(&saddr->a, &saveaddr))
+                                        saddr->use_as_src = 0;
+                        }
+                        addr_buf += af->sockaddr_len;
+                }
+                sctp_write_unlock(&asoc->base.addr_lock);
+                sctp_local_bh_enable();
 
-                /* FIXME: After sending the delete address ASCONF chunk, we
-                 * cannot remove the addresses from the association's bind
-                 * address list, because there maybe some packet send to
-                 * the delete addresses, so we should wait until ASCONF_ACK
-                 * packet is received.
+                /* Update the route and saddr entries for all the transports
+                 * as some of the addresses in the bind address list are
+                 * about to be deleted and cannot be used as source addresses.
                  */
+                list_for_each(pos1, &asoc->peer.transport_addr_list) {
+                        transport = list_entry(pos1, struct sctp_transport,
+                                               transports);
+                        dst_release(transport->dst);
+                        sctp_transport_route(transport, NULL,
+                                             sctp_sk(asoc->base.sk));
+                }
+
+                retval = sctp_send_asconf(asoc, chunk);
         }
 out:
         return retval;
@@ -1245,9 +1289,13 @@ SCTP_STATIC void sctp_close(struct sock *sk, long timeout)
                         }
                 }
 
-                if (sock_flag(sk, SOCK_LINGER) && !sk->sk_lingertime)
-                        sctp_primitive_ABORT(asoc, NULL);
-                else
+                if (sock_flag(sk, SOCK_LINGER) && !sk->sk_lingertime) {
+                        struct sctp_chunk *chunk;
+
+                        chunk = sctp_make_abort_user(asoc, NULL, 0);
+                        if (chunk)
+                                sctp_primitive_ABORT(asoc, chunk);
+                } else
                         sctp_primitive_SHUTDOWN(asoc, NULL);
         }
 
@@ -1476,8 +1524,16 @@ SCTP_STATIC int sctp_sendmsg(struct kiocb *iocb, struct sock *sk,
                         goto out_unlock;
                 }
                 if (sinfo_flags & SCTP_ABORT) {
+                        struct sctp_chunk *chunk;
+
+                        chunk = sctp_make_abort_user(asoc, msg, msg_len);
+                        if (!chunk) {
+                                err = -ENOMEM;
+                                goto out_unlock;
+                        }
+
                         SCTP_DEBUG_PRINTK("Aborting association: %p\n", asoc);
-                        sctp_primitive_ABORT(asoc, msg);
+                        sctp_primitive_ABORT(asoc, chunk);
                         err = 0;
                         goto out_unlock;
                 }
@@ -4977,7 +5033,7 @@ static struct sctp_bind_bucket *sctp_bucket_create(
 /* Caller must hold hashbucket lock for this tb with local BH disabled */
 static void sctp_bucket_destroy(struct sctp_bind_bucket *pp)
 {
-        if (hlist_empty(&pp->owner)) {
+        if (pp && hlist_empty(&pp->owner)) {
                 if (pp->next)
                         pp->next->pprev = pp->pprev;
                 *(pp->pprev) = pp->next;
diff --git a/net/sctp/transport.c b/net/sctp/transport.c
index 160f62ad1cc5..2763aa93de1a 100644
--- a/net/sctp/transport.c
+++ b/net/sctp/transport.c
@@ -49,6 +49,7 @@
  */
 
 #include <linux/types.h>
+#include <linux/random.h>
 #include <net/sctp/sctp.h>
 #include <net/sctp/sm.h>
 
@@ -85,7 +86,6 @@ static struct sctp_transport *sctp_transport_init(struct sctp_transport *peer,
 
         peer->init_sent_count = 0;
 
-        peer->state = SCTP_ACTIVE;
         peer->param_flags = SPP_HB_DISABLE |
                             SPP_PMTUD_ENABLE |
                             SPP_SACKDELAY_ENABLE;
@@ -109,6 +109,9 @@ static struct sctp_transport *sctp_transport_init(struct sctp_transport *peer,
         peer->hb_timer.function = sctp_generate_heartbeat_event;
         peer->hb_timer.data = (unsigned long)peer;
 
+        /* Initialize the 64-bit random nonce sent with heartbeat. */
+        get_random_bytes(&peer->hb_nonce, sizeof(peer->hb_nonce));
+
         atomic_set(&peer->refcnt, 1);
         peer->dead = 0;
 
@@ -517,7 +520,9 @@ void sctp_transport_lower_cwnd(struct sctp_transport *transport,
 unsigned long sctp_transport_timeout(struct sctp_transport *t)
 {
         unsigned long timeout;
-        timeout = t->hbinterval + t->rto + sctp_jitter(t->rto);
+        timeout = t->rto + sctp_jitter(t->rto);
+        if (t->state != SCTP_UNCONFIRMED)
+                timeout += t->hbinterval;
         timeout += jiffies;
         return timeout;
 }
diff --git a/net/socket.c b/net/socket.c
index b4848ce0d6ac..6d261bf206fc 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1178,7 +1178,8 @@ static int __sock_create(int family, int type, int protocol, struct socket **res
  */
 
         if (!(sock = sock_alloc())) {
-                printk(KERN_WARNING "socket: no more sockets\n");
+                if (net_ratelimit())
+                        printk(KERN_WARNING "socket: no more sockets\n");
                 err = -ENFILE;          /* Not exactly a match, but its the
                                            closest posix thing */
                 goto out;
diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
index 519ebc17c028..ef1cf5b476c8 100644
--- a/net/sunrpc/auth_gss/auth_gss.c
+++ b/net/sunrpc/auth_gss/auth_gss.c
@@ -225,9 +225,8 @@ gss_alloc_context(void)
 {
         struct gss_cl_ctx *ctx;
 
-        ctx = kmalloc(sizeof(*ctx), GFP_KERNEL);
+        ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
         if (ctx != NULL) {
-                memset(ctx, 0, sizeof(*ctx));
                 ctx->gc_proc = RPC_GSS_PROC_DATA;
                 ctx->gc_seq = 1;        /* NetApp 6.4R1 doesn't accept seq. no. 0 */
                 spin_lock_init(&ctx->gc_seq_lock);
@@ -391,9 +390,8 @@ gss_alloc_msg(struct gss_auth *gss_auth, uid_t uid)
 {
         struct gss_upcall_msg *gss_msg;
 
-        gss_msg = kmalloc(sizeof(*gss_msg), GFP_KERNEL);
+        gss_msg = kzalloc(sizeof(*gss_msg), GFP_KERNEL);
         if (gss_msg != NULL) {
-                memset(gss_msg, 0, sizeof(*gss_msg));
                 INIT_LIST_HEAD(&gss_msg->list);
                 rpc_init_wait_queue(&gss_msg->rpc_waitqueue, "RPCSEC_GSS upcall waitq");
                 init_waitqueue_head(&gss_msg->waitqueue);
@@ -720,8 +718,7 @@ gss_destroy(struct rpc_auth *auth)
                 auth, auth->au_flavor);
 
         gss_auth = container_of(auth, struct gss_auth, rpc_auth);
-        rpc_unlink(gss_auth->path);
-        dput(gss_auth->dentry);
+        rpc_unlink(gss_auth->dentry);
         gss_auth->dentry = NULL;
         gss_mech_put(gss_auth->mech);
 
@@ -776,10 +773,9 @@ gss_create_cred(struct rpc_auth *auth, struct auth_cred *acred, int flags)
         dprintk("RPC:      gss_create_cred for uid %d, flavor %d\n",
                 acred->uid, auth->au_flavor);
 
-        if (!(cred = kmalloc(sizeof(*cred), GFP_KERNEL)))
+        if (!(cred = kzalloc(sizeof(*cred), GFP_KERNEL)))
                 goto out_err;
 
-        memset(cred, 0, sizeof(*cred));
         atomic_set(&cred->gc_count, 1);
         cred->gc_uid = acred->uid;
         /*
diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
index b8714a87b34c..70e1e53a632b 100644
--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -129,9 +129,8 @@ gss_import_sec_context_kerberos(const void *p,
         const void *end = (const void *)((const char *)p + len);
         struct  krb5_ctx *ctx;
 
-        if (!(ctx = kmalloc(sizeof(*ctx), GFP_KERNEL)))
+        if (!(ctx = kzalloc(sizeof(*ctx), GFP_KERNEL)))
                 goto out_err;
-        memset(ctx, 0, sizeof(*ctx));
 
         p = simple_get_bytes(p, end, &ctx->initiate, sizeof(ctx->initiate));
         if (IS_ERR(p))
diff --git a/net/sunrpc/auth_gss/gss_mech_switch.c b/net/sunrpc/auth_gss/gss_mech_switch.c
index d88468d21c37..3db745379d06 100644
--- a/net/sunrpc/auth_gss/gss_mech_switch.c
+++ b/net/sunrpc/auth_gss/gss_mech_switch.c
@@ -237,9 +237,8 @@ gss_import_sec_context(const void *input_token, size_t bufsize,
                        struct gss_api_mech      *mech,
                        struct gss_ctx           **ctx_id)
 {
-        if (!(*ctx_id = kmalloc(sizeof(**ctx_id), GFP_KERNEL)))
+        if (!(*ctx_id = kzalloc(sizeof(**ctx_id), GFP_KERNEL)))
                 return GSS_S_FAILURE;
-        memset(*ctx_id, 0, sizeof(**ctx_id));
         (*ctx_id)->mech_type = gss_mech_get(mech);
 
         return mech->gm_ops
diff --git a/net/sunrpc/auth_gss/gss_spkm3_mech.c b/net/sunrpc/auth_gss/gss_spkm3_mech.c
index 3d0432aa45c1..88dcb52d171b 100644
--- a/net/sunrpc/auth_gss/gss_spkm3_mech.c
+++ b/net/sunrpc/auth_gss/gss_spkm3_mech.c
@@ -152,9 +152,8 @@ gss_import_sec_context_spkm3(const void *p, size_t len,
         const void *end = (const void *)((const char *)p + len);
         struct  spkm3_ctx *ctx;
 
-        if (!(ctx = kmalloc(sizeof(*ctx), GFP_KERNEL)))
+        if (!(ctx = kzalloc(sizeof(*ctx), GFP_KERNEL)))
                 goto out_err;
-        memset(ctx, 0, sizeof(*ctx));
 
         p = simple_get_netobj(p, end, &ctx->ctx_id);
         if (IS_ERR(p))
diff --git a/net/sunrpc/auth_gss/gss_spkm3_token.c b/net/sunrpc/auth_gss/gss_spkm3_token.c
index af0d7ce74686..854a983ccf26 100644
--- a/net/sunrpc/auth_gss/gss_spkm3_token.c
+++ b/net/sunrpc/auth_gss/gss_spkm3_token.c
@@ -90,10 +90,9 @@ asn1_bitstring_len(struct xdr_netobj *in, int *enclen, int *zerobits)
 int
 decode_asn1_bitstring(struct xdr_netobj *out, char *in, int enclen, int explen)
 {
-        if (!(out->data = kmalloc(explen,GFP_KERNEL)))
+        if (!(out->data = kzalloc(explen,GFP_KERNEL)))
                 return 0;
         out->len = explen;
-        memset(out->data, 0, explen);
         memcpy(out->data, in, enclen);
         return 1;
 }
diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c
index 7026b0866b7b..00cb388ece03 100644
--- a/net/sunrpc/cache.c
+++ b/net/sunrpc/cache.c
@@ -71,7 +71,12 @@ struct cache_head *sunrpc_cache_lookup(struct cache_detail *detail,
         new = detail->alloc();
         if (!new)
                 return NULL;
+        /* must fully initialise 'new', else
+         * we might get lose if we need to
+         * cache_put it soon.
+         */
         cache_init(new);
+        detail->init(new, key);
 
         write_lock(&detail->hash_lock);
 
@@ -85,7 +90,6 @@ struct cache_head *sunrpc_cache_lookup(struct cache_detail *detail,
                         return tmp;
                 }
         }
-        detail->init(new, key);
         new->next = *head;
         *head = new;
         detail->entries++;
diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
index aa8965e9d307..3e19d321067a 100644
--- a/net/sunrpc/clnt.c
+++ b/net/sunrpc/clnt.c
@@ -125,10 +125,9 @@ rpc_new_client(struct rpc_xprt *xprt, char *servname,
                 goto out_err;
 
         err = -ENOMEM;
-        clnt = kmalloc(sizeof(*clnt), GFP_KERNEL);
+        clnt = kzalloc(sizeof(*clnt), GFP_KERNEL);
         if (!clnt)
                 goto out_err;
-        memset(clnt, 0, sizeof(*clnt));
         atomic_set(&clnt->cl_users, 0);
         atomic_set(&clnt->cl_count, 1);
         clnt->cl_parent = clnt;
@@ -184,8 +183,7 @@ rpc_new_client(struct rpc_xprt *xprt, char *servname,
 
 out_no_auth:
         if (!IS_ERR(clnt->cl_dentry)) {
-                rpc_rmdir(clnt->cl_pathname);
-                dput(clnt->cl_dentry);
+                rpc_rmdir(clnt->cl_dentry);
                 rpc_put_mount();
         }
 out_no_path:
@@ -252,10 +250,8 @@ rpc_clone_client(struct rpc_clnt *clnt)
         new->cl_autobind = 0;
         new->cl_oneshot = 0;
         new->cl_dead = 0;
-        if (!IS_ERR(new->cl_dentry)) {
+        if (!IS_ERR(new->cl_dentry))
                 dget(new->cl_dentry);
-                rpc_get_mount();
-        }
         rpc_init_rtt(&new->cl_rtt_default, clnt->cl_xprt->timeout.to_initval);
         if (new->cl_auth)
                 atomic_inc(&new->cl_auth->au_count);
@@ -318,11 +314,15 @@ rpc_destroy_client(struct rpc_clnt *clnt)
                 clnt->cl_auth = NULL;
         }
         if (clnt->cl_parent != clnt) {
+                if (!IS_ERR(clnt->cl_dentry))
+                        dput(clnt->cl_dentry);
                 rpc_destroy_client(clnt->cl_parent);
                 goto out_free;
         }
-        if (clnt->cl_pathname[0])
-                rpc_rmdir(clnt->cl_pathname);
+        if (!IS_ERR(clnt->cl_dentry)) {
+                rpc_rmdir(clnt->cl_dentry);
+                rpc_put_mount();
+        }
         if (clnt->cl_xprt) {
                 xprt_destroy(clnt->cl_xprt);
                 clnt->cl_xprt = NULL;
@@ -332,10 +332,6 @@ rpc_destroy_client(struct rpc_clnt *clnt)
 out_free:
         rpc_free_iostats(clnt->cl_metrics);
         clnt->cl_metrics = NULL;
-        if (!IS_ERR(clnt->cl_dentry)) {
-                dput(clnt->cl_dentry);
-                rpc_put_mount();
-        }
         kfree(clnt);
         return 0;
 }
@@ -922,26 +918,43 @@ call_transmit(struct rpc_task *task)
         task->tk_status = xprt_prepare_transmit(task);
         if (task->tk_status != 0)
                 return;
+        task->tk_action = call_transmit_status;
         /* Encode here so that rpcsec_gss can use correct sequence number. */
         if (rpc_task_need_encode(task)) {
-                task->tk_rqstp->rq_bytes_sent = 0;
+                BUG_ON(task->tk_rqstp->rq_bytes_sent != 0);
                 call_encode(task);
                 /* Did the encode result in an error condition? */
                 if (task->tk_status != 0)
-                        goto out_nosend;
+                        return;
         }
-        task->tk_action = call_transmit_status;
         xprt_transmit(task);
         if (task->tk_status < 0)
                 return;
-        if (!task->tk_msg.rpc_proc->p_decode) {
-                task->tk_action = rpc_exit_task;
-                rpc_wake_up_task(task);
-        }
-        return;
-out_nosend:
-        /* release socket write lock before attempting to handle error */
-        xprt_abort_transmit(task);
+        /*
+         * On success, ensure that we call xprt_end_transmit() before sleeping
+         * in order to allow access to the socket to other RPC requests.
+         */
+        call_transmit_status(task);
+        if (task->tk_msg.rpc_proc->p_decode != NULL)
+                return;
+        task->tk_action = rpc_exit_task;
+        rpc_wake_up_task(task);
+}
+
+/*
+ * 5a.  Handle cleanup after a transmission
+ */
+static void
+call_transmit_status(struct rpc_task *task)
+{
+        task->tk_action = call_status;
+        /*
+         * Special case: if we've been waiting on the socket's write_space()
+         * callback, then don't call xprt_end_transmit().
+         */
+        if (task->tk_status == -EAGAIN)
+                return;
+        xprt_end_transmit(task);
         rpc_task_force_reencode(task);
 }
 
@@ -993,18 +1006,7 @@ call_status(struct rpc_task *task)
 }
 
 /*
- * 6a.  Handle transmission errors.
- */
-static void
-call_transmit_status(struct rpc_task *task)
-{
-        if (task->tk_status != -EAGAIN)
-                rpc_task_force_reencode(task);
-        call_status(task);
-}
-
-/*
- * 6b.  Handle RPC timeout
+ * 6a.  Handle RPC timeout
  *      We do not release the request slot, so we keep using the
  *      same XID for all retransmits.
  */
@@ -1179,6 +1181,17 @@ call_verify(struct rpc_task *task)
         u32     *p = iov->iov_base, n;
         int error = -EACCES;
 
+        if ((task->tk_rqstp->rq_rcv_buf.len & 3) != 0) {
+                /* RFC-1014 says that the representation of XDR data must be a
+                 * multiple of four bytes
+                 * - if it isn't pointer subtraction in the NFS client may give
+                 *   undefined results
+                 */
+                printk(KERN_WARNING
+                       "call_verify: XDR representation not a multiple of"
+                       " 4 bytes: 0x%x\n", task->tk_rqstp->rq_rcv_buf.len);
+                goto out_eio;
+        }
         if ((len -= 3) < 0)
                 goto out_overflow;
         p += 1; /* skip XID */
diff --git a/net/sunrpc/rpc_pipe.c b/net/sunrpc/rpc_pipe.c
index dc6cb93c8830..0b1a1ac8a4bc 100644
--- a/net/sunrpc/rpc_pipe.c
+++ b/net/sunrpc/rpc_pipe.c
@@ -539,6 +539,7 @@ repeat:
                                 rpc_close_pipes(dentry->d_inode);
                                 simple_unlink(dir, dentry);
                         }
+                        inode_dir_notify(dir, DN_DELETE);
                         dput(dentry);
                 } while (n);
                 goto repeat;
@@ -610,8 +611,8 @@ __rpc_rmdir(struct inode *dir, struct dentry *dentry)
         int error;
 
         shrink_dcache_parent(dentry);
-        if (dentry->d_inode)
-                rpc_close_pipes(dentry->d_inode);
+        if (d_unhashed(dentry))
+                return 0;
         if ((error = simple_rmdir(dir, dentry)) != 0)
                 return error;
         if (!error) {
@@ -667,10 +668,11 @@ rpc_mkdir(char *path, struct rpc_clnt *rpc_client)
                         RPCAUTH_info, RPCAUTH_EOF);
         if (error)
                 goto err_depopulate;
+        dget(dentry);
 out:
         mutex_unlock(&dir->i_mutex);
         rpc_release_path(&nd);
-        return dget(dentry);
+        return dentry;
 err_depopulate:
         rpc_depopulate(dentry);
         __rpc_rmdir(dir, dentry);
@@ -683,28 +685,20 @@ err_dput:
 }
 
 int
-rpc_rmdir(char *path)
+rpc_rmdir(struct dentry *dentry)
 {
-        struct nameidata nd;
-        struct dentry *dentry;
+        struct dentry *parent;
         struct inode *dir;
         int error;
 
-        if ((error = rpc_lookup_parent(path, &nd)) != 0)
-                return error;
-        dir = nd.dentry->d_inode;
+        parent = dget_parent(dentry);
+        dir = parent->d_inode;
         mutex_lock_nested(&dir->i_mutex, I_MUTEX_PARENT);
-        dentry = lookup_one_len(nd.last.name, nd.dentry, nd.last.len);
-        if (IS_ERR(dentry)) {
-                error = PTR_ERR(dentry);
-                goto out_release;
-        }
         rpc_depopulate(dentry);
         error = __rpc_rmdir(dir, dentry);
         dput(dentry);
-out_release:
         mutex_unlock(&dir->i_mutex);
-        rpc_release_path(&nd);
+        dput(parent);
         return error;
 }
 
@@ -731,10 +725,11 @@ rpc_mkpipe(char *path, void *private, struct rpc_pipe_ops *ops, int flags)
         rpci->flags = flags;
         rpci->ops = ops;
         inode_dir_notify(dir, DN_CREATE);
+        dget(dentry);
 out:
         mutex_unlock(&dir->i_mutex);
         rpc_release_path(&nd);
-        return dget(dentry);
+        return dentry;
 err_dput:
         dput(dentry);
         dentry = ERR_PTR(-ENOMEM);
@@ -744,32 +739,26 @@ err_dput:
 }
 
 int
-rpc_unlink(char *path)
+rpc_unlink(struct dentry *dentry)
 {
-        struct nameidata nd;
-        struct dentry *dentry;
+        struct dentry *parent;
         struct inode *dir;
-        int error;
+        int error = 0;
 
-        if ((error = rpc_lookup_parent(path, &nd)) != 0)
-                return error;
-        dir = nd.dentry->d_inode;
+        parent = dget_parent(dentry);
+        dir = parent->d_inode;
         mutex_lock_nested(&dir->i_mutex, I_MUTEX_PARENT);
-        dentry = lookup_one_len(nd.last.name, nd.dentry, nd.last.len);
-        if (IS_ERR(dentry)) {
-                error = PTR_ERR(dentry);
-                goto out_release;
-        }
-        d_drop(dentry);
-        if (dentry->d_inode) {
-                rpc_close_pipes(dentry->d_inode);
-                error = simple_unlink(dir, dentry);
+        if (!d_unhashed(dentry)) {
+                d_drop(dentry);
+                if (dentry->d_inode) {
+                        rpc_close_pipes(dentry->d_inode);
+                        error = simple_unlink(dir, dentry);
+                }
+                inode_dir_notify(dir, DN_DELETE);
         }
         dput(dentry);
-        inode_dir_notify(dir, DN_DELETE);
-out_release:
         mutex_unlock(&dir->i_mutex);
-        rpc_release_path(&nd);
+        dput(parent);
         return error;
 }
 
diff --git a/net/sunrpc/stats.c b/net/sunrpc/stats.c
index 15c2db26767b..bd98124c3a64 100644
--- a/net/sunrpc/stats.c
+++ b/net/sunrpc/stats.c
@@ -114,13 +114,8 @@ void svc_seq_show(struct seq_file *seq, const struct svc_stat *statp) {
  */
 struct rpc_iostats *rpc_alloc_iostats(struct rpc_clnt *clnt)
 {
-        unsigned int ops = clnt->cl_maxproc;
-        size_t size = ops * sizeof(struct rpc_iostats);
         struct rpc_iostats *new;
-
-        new = kmalloc(size, GFP_KERNEL);
-        if (new)
-                memset(new, 0 , size);
+        new = kcalloc(clnt->cl_maxproc, sizeof(struct rpc_iostats), GFP_KERNEL);
         return new;
 }
 EXPORT_SYMBOL(rpc_alloc_iostats);
diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
index 01ba60a49572..b76a227dd3ad 100644
--- a/net/sunrpc/svc.c
+++ b/net/sunrpc/svc.c
@@ -32,9 +32,8 @@ svc_create(struct svc_program *prog, unsigned int bufsize)
         int vers;
         unsigned int xdrsize;
 
-        if (!(serv = kmalloc(sizeof(*serv), GFP_KERNEL)))
+        if (!(serv = kzalloc(sizeof(*serv), GFP_KERNEL)))
                 return NULL;
-        memset(serv, 0, sizeof(*serv));
         serv->sv_name      = prog->pg_name;
         serv->sv_program   = prog;
         serv->sv_nrthreads = 1;
@@ -159,11 +158,10 @@ svc_create_thread(svc_thread_fn func, struct svc_serv *serv)
         struct svc_rqst *rqstp;
         int             error = -ENOMEM;
 
-        rqstp = kmalloc(sizeof(*rqstp), GFP_KERNEL);
+        rqstp = kzalloc(sizeof(*rqstp), GFP_KERNEL);
         if (!rqstp)
                 goto out;
 
-        memset(rqstp, 0, sizeof(*rqstp));
         init_waitqueue_head(&rqstp->rq_wait);
 
         if (!(rqstp->rq_argp = kmalloc(serv->sv_xdrsize, GFP_KERNEL))
diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
index a27905a0ad27..d9a95732df46 100644
--- a/net/sunrpc/svcsock.c
+++ b/net/sunrpc/svcsock.c
@@ -1322,11 +1322,10 @@ svc_setup_socket(struct svc_serv *serv, struct socket *sock,
         struct sock     *inet;
 
         dprintk("svc: svc_setup_socket %p\n", sock);
-        if (!(svsk = kmalloc(sizeof(*svsk), GFP_KERNEL))) {
+        if (!(svsk = kzalloc(sizeof(*svsk), GFP_KERNEL))) {
                 *errp = -ENOMEM;
                 return NULL;
         }
-        memset(svsk, 0, sizeof(*svsk));
 
         inet = sock->sk;
 
diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c
index 49174f0d0a3e..6ac45103a272 100644
--- a/net/sunrpc/xdr.c
+++ b/net/sunrpc/xdr.c
@@ -191,7 +191,6 @@ _shift_data_right_pages(struct page **pages, size_t pgto_base,
         do {
                 /* Are any pointers crossing a page boundary? */
                 if (pgto_base == 0) {
-                        flush_dcache_page(*pgto);
                         pgto_base = PAGE_CACHE_SIZE;
                         pgto--;
                 }
@@ -211,11 +210,11 @@ _shift_data_right_pages(struct page **pages, size_t pgto_base,
                 vto = kmap_atomic(*pgto, KM_USER0);
                 vfrom = kmap_atomic(*pgfrom, KM_USER1);
                 memmove(vto + pgto_base, vfrom + pgfrom_base, copy);
+                flush_dcache_page(*pgto);
                 kunmap_atomic(vfrom, KM_USER1);
                 kunmap_atomic(vto, KM_USER0);
 
         } while ((len -= copy) != 0);
-        flush_dcache_page(*pgto);
 }
 
 /*
diff --git a/net/sunrpc/xprt.c b/net/sunrpc/xprt.c
index 02060d0e7be8..e8c2bc4977f3 100644
--- a/net/sunrpc/xprt.c
+++ b/net/sunrpc/xprt.c
@@ -707,12 +707,9 @@ out_unlock:
         return err;
 }
 
-void
-xprt_abort_transmit(struct rpc_task *task)
+void xprt_end_transmit(struct rpc_task *task)
 {
-        struct rpc_xprt *xprt = task->tk_xprt;
-
-        xprt_release_write(xprt, task);
+        xprt_release_write(task->tk_xprt, task);
 }
 
 /**
@@ -761,8 +758,6 @@ void xprt_transmit(struct rpc_task *task)
                         task->tk_status = -ENOTCONN;
                 else if (!req->rq_received)
                         rpc_sleep_on(&xprt->pending, task, NULL, xprt_timer);
-
-                xprt->ops->release_xprt(xprt, task);
                 spin_unlock_bh(&xprt->transport_lock);
                 return;
         }
@@ -772,18 +767,8 @@ void xprt_transmit(struct rpc_task *task)
          *       schedq, and being picked up by a parallel run of rpciod().
          */
         task->tk_status = status;
-
-        switch (status) {
-        case -ECONNREFUSED:
+        if (status == -ECONNREFUSED)
                 rpc_sleep_on(&xprt->sending, task, NULL, NULL);
-        case -EAGAIN:
-        case -ENOTCONN:
-                return;
-        default:
-                break;
-        }
-        xprt_release_write(xprt, task);
-        return;
 }
 
 static inline void do_xprt_reserve(struct rpc_task *task)
@@ -908,9 +893,8 @@ static struct rpc_xprt *xprt_setup(int proto, struct sockaddr_in *ap, struct rpc
         struct rpc_xprt *xprt;
         struct rpc_rqst *req;
 
-        if ((xprt = kmalloc(sizeof(struct rpc_xprt), GFP_KERNEL)) == NULL)
+        if ((xprt = kzalloc(sizeof(struct rpc_xprt), GFP_KERNEL)) == NULL)
                 return ERR_PTR(-ENOMEM);
-        memset(xprt, 0, sizeof(*xprt)); /* Nnnngh! */
 
         xprt->addr = *ap;
 
diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c
index 21006b109101..441bd53f5eca 100644
--- a/net/sunrpc/xprtsock.c
+++ b/net/sunrpc/xprtsock.c
@@ -414,6 +414,33 @@ static int xs_tcp_send_request(struct rpc_task *task)
 }
 
 /**
+ * xs_tcp_release_xprt - clean up after a tcp transmission
+ * @xprt: transport
+ * @task: rpc task
+ *
+ * This cleans up if an error causes us to abort the transmission of a request.
+ * In this case, the socket may need to be reset in order to avoid confusing
+ * the server.
+ */
+static void xs_tcp_release_xprt(struct rpc_xprt *xprt, struct rpc_task *task)
+{
+        struct rpc_rqst *req;
+
+        if (task != xprt->snd_task)
+                return;
+        if (task == NULL)
+                goto out_release;
+        req = task->tk_rqstp;
+        if (req->rq_bytes_sent == 0)
+                goto out_release;
+        if (req->rq_bytes_sent == req->rq_snd_buf.len)
+                goto out_release;
+        set_bit(XPRT_CLOSE_WAIT, &task->tk_xprt->state);
+out_release:
+        xprt_release_xprt(xprt, task);
+}
+
+/**
  * xs_close - close a socket
  * @xprt: transport
  *
@@ -1250,7 +1277,7 @@ static struct rpc_xprt_ops xs_udp_ops = {
 
 static struct rpc_xprt_ops xs_tcp_ops = {
         .reserve_xprt           = xprt_reserve_xprt,
-        .release_xprt           = xprt_release_xprt,
+        .release_xprt           = xs_tcp_release_xprt,
         .set_port               = xs_set_port,
         .connect                = xs_connect,
         .buf_alloc              = rpc_malloc,
@@ -1276,10 +1303,9 @@ int xs_setup_udp(struct rpc_xprt *xprt, struct rpc_timeout *to)
 
         xprt->max_reqs = xprt_udp_slot_table_entries;
         slot_table_size = xprt->max_reqs * sizeof(xprt->slot[0]);
-        xprt->slot = kmalloc(slot_table_size, GFP_KERNEL);
+        xprt->slot = kzalloc(slot_table_size, GFP_KERNEL);
         if (xprt->slot == NULL)
                 return -ENOMEM;
-        memset(xprt->slot, 0, slot_table_size);
 
         xprt->prot = IPPROTO_UDP;
         xprt->port = xs_get_random_port();
@@ -1318,10 +1344,9 @@ int xs_setup_tcp(struct rpc_xprt *xprt, struct rpc_timeout *to)
 
         xprt->max_reqs = xprt_tcp_slot_table_entries;
         slot_table_size = xprt->max_reqs * sizeof(xprt->slot[0]);
-        xprt->slot = kmalloc(slot_table_size, GFP_KERNEL);
+        xprt->slot = kzalloc(slot_table_size, GFP_KERNEL);
         if (xprt->slot == NULL)
                 return -ENOMEM;
-        memset(xprt->slot, 0, slot_table_size);
 
         xprt->prot = IPPROTO_TCP;
         xprt->port = xs_get_random_port();
diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
index 7ef17a449cfd..75a5968c2139 100644
--- a/net/tipc/bearer.c
+++ b/net/tipc/bearer.c
@@ -665,11 +665,9 @@ int tipc_bearer_init(void)
         int res;
 
         write_lock_bh(&tipc_net_lock);
-        tipc_bearers = kmalloc(MAX_BEARERS * sizeof(struct bearer), GFP_ATOMIC);
-        media_list = kmalloc(MAX_MEDIA * sizeof(struct media), GFP_ATOMIC);
+        tipc_bearers = kcalloc(MAX_BEARERS, sizeof(struct bearer), GFP_ATOMIC);
+        media_list = kcalloc(MAX_MEDIA, sizeof(struct media), GFP_ATOMIC);
         if (tipc_bearers && media_list) {
-                memset(tipc_bearers, 0, MAX_BEARERS * sizeof(struct bearer));
-                memset(media_list, 0, MAX_MEDIA * sizeof(struct media));
                 res = TIPC_OK;
         } else {
                 kfree(tipc_bearers);
diff --git a/net/tipc/cluster.c b/net/tipc/cluster.c
index 1dcb6940e338..b46b5188a9fd 100644
--- a/net/tipc/cluster.c
+++ b/net/tipc/cluster.c
@@ -57,29 +57,25 @@ struct cluster *tipc_cltr_create(u32 addr)
         struct _zone *z_ptr;
         struct cluster *c_ptr;
         int max_nodes; 
-        int alloc;
 
-        c_ptr = (struct cluster *)kmalloc(sizeof(*c_ptr), GFP_ATOMIC);
+        c_ptr = kzalloc(sizeof(*c_ptr), GFP_ATOMIC);
         if (c_ptr == NULL) {
                 warn("Cluster creation failure, no memory\n");
                 return NULL;
         }
-        memset(c_ptr, 0, sizeof(*c_ptr));
 
         c_ptr->addr = tipc_addr(tipc_zone(addr), tipc_cluster(addr), 0);
         if (in_own_cluster(addr))
                 max_nodes = LOWEST_SLAVE + tipc_max_slaves;
         else
                 max_nodes = tipc_max_nodes + 1;
-        alloc = sizeof(void *) * (max_nodes + 1);
 
-        c_ptr->nodes = (struct node **)kmalloc(alloc, GFP_ATOMIC);
+        c_ptr->nodes = kcalloc(max_nodes + 1, sizeof(void*), GFP_ATOMIC);
         if (c_ptr->nodes == NULL) {
                 warn("Cluster creation failure, no memory for node area\n");
                 kfree(c_ptr);
                 return NULL;
         }
-        memset(c_ptr->nodes, 0, alloc);
 
         if (in_own_cluster(addr))
                 tipc_local_nodes = c_ptr->nodes;
diff --git a/net/tipc/discover.c b/net/tipc/discover.c
index 2b8441203120..ee94de92ae99 100644
--- a/net/tipc/discover.c
+++ b/net/tipc/discover.c
@@ -295,7 +295,7 @@ struct link_req *tipc_disc_init_link_req(struct bearer *b_ptr,
 {
         struct link_req *req;
 
-        req = (struct link_req *)kmalloc(sizeof(*req), GFP_ATOMIC);
+        req = kmalloc(sizeof(*req), GFP_ATOMIC);
         if (!req)
                 return NULL;
 
diff --git a/net/tipc/link.c b/net/tipc/link.c
index c10e18a49b96..693f02eca6d6 100644
--- a/net/tipc/link.c
+++ b/net/tipc/link.c
@@ -417,12 +417,11 @@ struct link *tipc_link_create(struct bearer *b_ptr, const u32 peer,
         struct tipc_msg *msg;
         char *if_name;
 
-        l_ptr = (struct link *)kmalloc(sizeof(*l_ptr), GFP_ATOMIC);
+        l_ptr = kzalloc(sizeof(*l_ptr), GFP_ATOMIC);
         if (!l_ptr) {
                 warn("Link creation failed, no memory\n");
                 return NULL;
         }
-        memset(l_ptr, 0, sizeof(*l_ptr));
 
         l_ptr->addr = peer;
         if_name = strchr(b_ptr->publ.name, ':') + 1;
diff --git a/net/tipc/name_table.c b/net/tipc/name_table.c
index a6926ff07bcc..049242ea5c38 100644
--- a/net/tipc/name_table.c
+++ b/net/tipc/name_table.c
@@ -117,14 +117,12 @@ static struct publication *publ_create(u32 type, u32 lower, u32 upper,
                                        u32 scope, u32 node, u32 port_ref,   
                                        u32 key)
 {
-        struct publication *publ =
-                (struct publication *)kmalloc(sizeof(*publ), GFP_ATOMIC);
+        struct publication *publ = kzalloc(sizeof(*publ), GFP_ATOMIC);
         if (publ == NULL) {
                 warn("Publication creation failure, no memory\n");
                 return NULL;
         }
 
-        memset(publ, 0, sizeof(*publ));
         publ->type = type;
         publ->lower = lower;
         publ->upper = upper;
@@ -144,11 +142,7 @@ static struct publication *publ_create(u32 type, u32 lower, u32 upper,
 
 static struct sub_seq *tipc_subseq_alloc(u32 cnt)
 {
-        u32 sz = cnt * sizeof(struct sub_seq);
-        struct sub_seq *sseq = (struct sub_seq *)kmalloc(sz, GFP_ATOMIC);
-
-        if (sseq)
-                memset(sseq, 0, sz);
+        struct sub_seq *sseq = kcalloc(cnt, sizeof(struct sub_seq), GFP_ATOMIC);
         return sseq;
 }
 
@@ -160,8 +154,7 @@ static struct sub_seq *tipc_subseq_alloc(u32 cnt)
 
 static struct name_seq *tipc_nameseq_create(u32 type, struct hlist_head *seq_head)
 {
-        struct name_seq *nseq = 
-                (struct name_seq *)kmalloc(sizeof(*nseq), GFP_ATOMIC);
+        struct name_seq *nseq = kzalloc(sizeof(*nseq), GFP_ATOMIC);
         struct sub_seq *sseq = tipc_subseq_alloc(1);
 
         if (!nseq || !sseq) {
@@ -171,7 +164,6 @@ static struct name_seq *tipc_nameseq_create(u32 type, struct hlist_head *seq_hea
                 return NULL;
         }
 
-        memset(nseq, 0, sizeof(*nseq));
         spin_lock_init(&nseq->lock);
         nseq->type = type;
         nseq->sseqs = sseq;
@@ -1060,7 +1052,7 @@ int tipc_nametbl_init(void)
 {
         int array_size = sizeof(struct hlist_head) * tipc_nametbl_size;
 
-        table.types = (struct hlist_head *)kmalloc(array_size, GFP_ATOMIC);
+        table.types = kmalloc(array_size, GFP_ATOMIC);
         if (!table.types)
                 return -ENOMEM;
 
diff --git a/net/tipc/net.c b/net/tipc/net.c
index e5a359ab4930..a991bf8a7f74 100644
--- a/net/tipc/net.c
+++ b/net/tipc/net.c
@@ -160,14 +160,11 @@ void tipc_net_send_external_routes(u32 dest)
 
 static int net_init(void)
 {
-        u32 sz = sizeof(struct _zone *) * (tipc_max_zones + 1);
-
         memset(&tipc_net, 0, sizeof(tipc_net));
-        tipc_net.zones = (struct _zone **)kmalloc(sz, GFP_ATOMIC);
+        tipc_net.zones = kcalloc(tipc_max_zones + 1, sizeof(struct _zone *), GFP_ATOMIC);
         if (!tipc_net.zones) {
                 return -ENOMEM;
         }
-        memset(tipc_net.zones, 0, sz);
         return TIPC_OK;
 }
 
diff --git a/net/tipc/port.c b/net/tipc/port.c
index 3251c8d8e53c..b9c8c6b9e94f 100644
--- a/net/tipc/port.c
+++ b/net/tipc/port.c
@@ -226,12 +226,11 @@ u32 tipc_createport_raw(void *usr_handle,
         struct tipc_msg *msg;
         u32 ref;
 
-        p_ptr = kmalloc(sizeof(*p_ptr), GFP_ATOMIC);
+        p_ptr = kzalloc(sizeof(*p_ptr), GFP_ATOMIC);
         if (!p_ptr) {
                 warn("Port creation failed, no memory\n");
                 return 0;
         }
-        memset(p_ptr, 0, sizeof(*p_ptr));
         ref = tipc_ref_acquire(p_ptr, &p_ptr->publ.lock);
         if (!ref) {
                 warn("Port creation failed, reference table exhausted\n");
@@ -1058,7 +1057,7 @@ int tipc_createport(u32 user_ref,
         struct port *p_ptr; 
         u32 ref;
 
-        up_ptr = (struct user_port *)kmalloc(sizeof(*up_ptr), GFP_ATOMIC);
+        up_ptr = kmalloc(sizeof(*up_ptr), GFP_ATOMIC);
         if (!up_ptr) {
                 warn("Port creation failed, no memory\n");
                 return -ENOMEM;
diff --git a/net/tipc/ref.c b/net/tipc/ref.c
index 596d3c8ff750..e6d6ae22ea49 100644
--- a/net/tipc/ref.c
+++ b/net/tipc/ref.c
@@ -79,7 +79,7 @@ int tipc_ref_table_init(u32 requested_size, u32 start)
         while (sz < requested_size) {
                 sz <<= 1;
         }
-        table = (struct reference *)vmalloc(sz * sizeof(struct reference));
+        table = vmalloc(sz * sizeof(*table));
         if (table == NULL)
                 return -ENOMEM;
 
diff --git a/net/tipc/subscr.c b/net/tipc/subscr.c
index e19b4bcd67ec..c51600ba5f4a 100644
--- a/net/tipc/subscr.c
+++ b/net/tipc/subscr.c
@@ -393,12 +393,11 @@ static void subscr_named_msg_event(void *usr_handle,
 
         /* Create subscriber object */
 
-        subscriber = kmalloc(sizeof(struct subscriber), GFP_ATOMIC);
+        subscriber = kzalloc(sizeof(struct subscriber), GFP_ATOMIC);
         if (subscriber == NULL) {
                 warn("Subscriber rejected, no memory\n");
                 return;
         }
-        memset(subscriber, 0, sizeof(struct subscriber));
         INIT_LIST_HEAD(&subscriber->subscription_list);
         INIT_LIST_HEAD(&subscriber->subscriber_list);
         subscriber->ref = tipc_ref_acquire(subscriber, &subscriber->lock);
diff --git a/net/tipc/user_reg.c b/net/tipc/user_reg.c
index 1e3ae57c7228..04d1b9be9c51 100644
--- a/net/tipc/user_reg.c
+++ b/net/tipc/user_reg.c
@@ -82,9 +82,8 @@ static int reg_init(void)
         
         spin_lock_bh(&reg_lock);
         if (!users) {
-                users = (struct tipc_user *)kmalloc(USER_LIST_SIZE, GFP_ATOMIC);
+                users = kzalloc(USER_LIST_SIZE, GFP_ATOMIC);
                 if (users) {
-                        memset(users, 0, USER_LIST_SIZE);
                         for (i = 1; i <= MAX_USERID; i++) {
                                 users[i].next = i - 1;
                         }
diff --git a/net/tipc/zone.c b/net/tipc/zone.c
index 316c4872ff5b..f5b00ea2d5ac 100644
--- a/net/tipc/zone.c
+++ b/net/tipc/zone.c
@@ -52,13 +52,12 @@ struct _zone *tipc_zone_create(u32 addr)
                 return NULL;
         }
 
-        z_ptr = (struct _zone *)kmalloc(sizeof(*z_ptr), GFP_ATOMIC);
+        z_ptr = kzalloc(sizeof(*z_ptr), GFP_ATOMIC);
         if (!z_ptr) {
                 warn("Zone creation failed, insufficient memory\n");
                 return NULL;
         }
 
-        memset(z_ptr, 0, sizeof(*z_ptr));
         z_num = tipc_zone(addr);
         z_ptr->addr = tipc_addr(z_num, 0, 0);
         tipc_net.zones[z_num] = z_ptr;
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index f70475bfb62a..de6ec519272e 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -128,23 +128,17 @@ static atomic_t unix_nr_socks = ATOMIC_INIT(0);
 #define UNIX_ABSTRACT(sk)       (unix_sk(sk)->addr->hash != UNIX_HASH_SIZE)
 
 #ifdef CONFIG_SECURITY_NETWORK
-static void unix_get_peersec_dgram(struct sk_buff *skb)
+static void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb)
 {
-        int err;
-
-        err = security_socket_getpeersec_dgram(skb, UNIXSECDATA(skb),
-                                               UNIXSECLEN(skb));
-        if (err)
-                *(UNIXSECDATA(skb)) = NULL;
+        memcpy(UNIXSID(skb), &scm->secid, sizeof(u32));
 }
 
 static inline void unix_set_secdata(struct scm_cookie *scm, struct sk_buff *skb)
 {
-        scm->secdata = *UNIXSECDATA(skb);
-        scm->seclen = *UNIXSECLEN(skb);
+        scm->secid = *UNIXSID(skb);
 }
 #else
-static inline void unix_get_peersec_dgram(struct sk_buff *skb)
+static inline void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb)
 { }
 
 static inline void unix_set_secdata(struct scm_cookie *scm, struct sk_buff *skb)
@@ -663,11 +657,10 @@ static int unix_autobind(struct socket *sock)
                 goto out;
 
         err = -ENOMEM;
-        addr = kmalloc(sizeof(*addr) + sizeof(short) + 16, GFP_KERNEL);
+        addr = kzalloc(sizeof(*addr) + sizeof(short) + 16, GFP_KERNEL);
         if (!addr)
                 goto out;
 
-        memset(addr, 0, sizeof(*addr) + sizeof(short) + 16);
         addr->name->sun_family = AF_UNIX;
         atomic_set(&addr->refcnt, 1);
 
@@ -1323,8 +1316,7 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock,
         memcpy(UNIXCREDS(skb), &siocb->scm->creds, sizeof(struct ucred));
         if (siocb->scm->fp)
                 unix_attach_fds(siocb->scm, skb);
-
-        unix_get_peersec_dgram(skb);
+        unix_get_secdata(siocb->scm, skb);
 
         skb->h.raw = skb->data;
         err = memcpy_fromiovec(skb_put(skb,len), msg->msg_iov, len);
diff --git a/net/wanrouter/af_wanpipe.c b/net/wanrouter/af_wanpipe.c
index a690cf773b6a..6f39faa15832 100644
--- a/net/wanrouter/af_wanpipe.c
+++ b/net/wanrouter/af_wanpipe.c
@@ -370,12 +370,11 @@ static int wanpipe_listen_rcv (struct sk_buff *skb,  struct sock *sk)
          * used by the ioctl call to read call information
          * and to execute commands. 
          */     
-        if ((mbox_ptr = kmalloc(sizeof(mbox_cmd_t), GFP_ATOMIC)) == NULL) {
+        if ((mbox_ptr = kzalloc(sizeof(mbox_cmd_t), GFP_ATOMIC)) == NULL) {
                 wanpipe_kill_sock_irq (newsk);
                 release_device(dev);            
                 return -ENOMEM;
         }
-        memset(mbox_ptr, 0, sizeof(mbox_cmd_t));
         memcpy(mbox_ptr,skb->data,skb->len);
 
         /* Register the lcn on which incoming call came
@@ -507,11 +506,10 @@ static struct sock *wanpipe_alloc_socket(void)
         if ((sk = sk_alloc(PF_WANPIPE, GFP_ATOMIC, &wanpipe_proto, 1)) == NULL)
                 return NULL;
 
-        if ((wan_opt = kmalloc(sizeof(struct wanpipe_opt), GFP_ATOMIC)) == NULL) {
+        if ((wan_opt = kzalloc(sizeof(struct wanpipe_opt), GFP_ATOMIC)) == NULL) {
                 sk_free(sk);
                 return NULL;
         }
-        memset(wan_opt, 0x00, sizeof(struct wanpipe_opt));
 
         wp_sk(sk) = wan_opt;
 
@@ -2011,10 +2009,9 @@ static int set_ioctl_cmd (struct sock *sk, void *arg)
 
                 dev_put(dev);
                 
-                if ((mbox_ptr = kmalloc(sizeof(mbox_cmd_t), GFP_ATOMIC)) == NULL)
+                if ((mbox_ptr = kzalloc(sizeof(mbox_cmd_t), GFP_ATOMIC)) == NULL)
                         return -ENOMEM;
 
-                memset(mbox_ptr, 0, sizeof(mbox_cmd_t));
                 wp_sk(sk)->mbox = mbox_ptr;
 
                 wanpipe_link_driver(dev,sk);
diff --git a/net/wanrouter/wanmain.c b/net/wanrouter/wanmain.c
index ad8e8a797790..9479659277ae 100644
--- a/net/wanrouter/wanmain.c
+++ b/net/wanrouter/wanmain.c
@@ -642,18 +642,16 @@ static int wanrouter_device_new_if(struct wan_device *wandev,
 
         if (cnf->config_id == WANCONFIG_MPPP) {
 #ifdef CONFIG_WANPIPE_MULTPPP
-                pppdev = kmalloc(sizeof(struct ppp_device), GFP_KERNEL);
+                pppdev = kzalloc(sizeof(struct ppp_device), GFP_KERNEL);
                 err = -ENOBUFS;
                 if (pppdev == NULL)
                         goto out;
-                memset(pppdev, 0, sizeof(struct ppp_device));
-                pppdev->dev = kmalloc(sizeof(struct net_device), GFP_KERNEL);
+                pppdev->dev = kzalloc(sizeof(struct net_device), GFP_KERNEL);
                 if (pppdev->dev == NULL) {
                         kfree(pppdev);
                         err = -ENOBUFS;
                         goto out;
                 }
-                memset(pppdev->dev, 0, sizeof(struct net_device));
                 err = wandev->new_if(wandev, (struct net_device *)pppdev, cnf);
                 dev = pppdev->dev;
 #else
@@ -663,11 +661,10 @@ static int wanrouter_device_new_if(struct wan_device *wandev,
                 goto out;
 #endif
         } else {
-                dev = kmalloc(sizeof(struct net_device), GFP_KERNEL);
+                dev = kzalloc(sizeof(struct net_device), GFP_KERNEL);
                 err = -ENOBUFS;
                 if (dev == NULL)
                         goto out;
-                memset(dev, 0, sizeof(struct net_device));
                 err = wandev->new_if(wandev, dev, cnf);
         }
 
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 405b741dff43..3da67ca2c3ce 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -307,10 +307,9 @@ struct xfrm_policy *xfrm_policy_alloc(gfp_t gfp)
 {
         struct xfrm_policy *policy;
 
-        policy = kmalloc(sizeof(struct xfrm_policy), gfp);
+        policy = kzalloc(sizeof(struct xfrm_policy), gfp);
 
         if (policy) {
-                memset(policy, 0, sizeof(struct xfrm_policy));
                 atomic_set(&policy->refcnt, 1);
                 rwlock_init(&policy->lock);
                 init_timer(&policy->timer);
@@ -1135,12 +1134,33 @@ int __xfrm_route_forward(struct sk_buff *skb, unsigned short family)
 }
 EXPORT_SYMBOL(__xfrm_route_forward);
 
+/* Optimize later using cookies and generation ids. */
+
 static struct dst_entry *xfrm_dst_check(struct dst_entry *dst, u32 cookie)
 {
-        /* If it is marked obsolete, which is how we even get here,
-         * then we have purged it from the policy bundle list and we
-         * did that for a good reason.
+        /* Code (such as __xfrm4_bundle_create()) sets dst->obsolete
+         * to "-1" to force all XFRM destinations to get validated by
+         * dst_ops->check on every use.  We do this because when a
+         * normal route referenced by an XFRM dst is obsoleted we do
+         * not go looking around for all parent referencing XFRM dsts
+         * so that we can invalidate them.  It is just too much work.
+         * Instead we make the checks here on every use.  For example:
+         *
+         *      XFRM dst A --> IPv4 dst X
+         *
+         * X is the "xdst->route" of A (X is also the "dst->path" of A
+         * in this example).  If X is marked obsolete, "A" will not
+         * notice.  That's what we are validating here via the
+         * stale_bundle() check.
+         *
+         * When a policy's bundle is pruned, we dst_free() the XFRM
+         * dst which causes it's ->obsolete field to be set to a
+         * positive non-zero integer.  If an XFRM dst has been pruned
+         * like this, we want to force a new route lookup.
          */
+        if (dst->obsolete < 0 && !stale_bundle(dst))
+                return dst;
+
         return NULL;
 }
 
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 43f00fc28a3d..0021aad5db43 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -194,10 +194,9 @@ struct xfrm_state *xfrm_state_alloc(void)
 {
         struct xfrm_state *x;
 
-        x = kmalloc(sizeof(struct xfrm_state), GFP_ATOMIC);
+        x = kzalloc(sizeof(struct xfrm_state), GFP_ATOMIC);
 
         if (x) {
-                memset(x, 0, sizeof(struct xfrm_state));
                 atomic_set(&x->refcnt, 1);
                 atomic_set(&x->tunnel_users, 0);
                 INIT_LIST_HEAD(&x->bydst);