89 files changed, 520 insertions, 148 deletions
diff --git a/arch/x86_64/kernel/functionlist b/arch/x86_64/kernel/functionlist
index 2bcebdc3eedb..01fa23580c85 100644
--- a/arch/x86_64/kernel/functionlist
+++ b/arch/x86_64/kernel/functionlist
@@ -384,7 +384,6 @@
 *(.text.__end_that_request_first)
 *(.text.wake_up_bit)
 *(.text.unuse_mm)
-*(.text.skb_release_data)
 *(.text.shrink_icache_memory)
 *(.text.sched_balance_self)
 *(.text.__pmd_alloc)
diff --git a/drivers/atm/he.c b/drivers/atm/he.c
index fde9334059af..a486eb1f1640 100644
--- a/drivers/atm/he.c
+++ b/drivers/atm/he.c
@@ -1018,7 +1018,7 @@ he_init_irq(struct he_dev *he_dev)
        return 0;
 }
-static int __init
+static int __devinit
 he_start(struct atm_dev *dev)
 {
        struct he_dev *he_dev;
diff --git a/drivers/atm/idt77105.c b/drivers/atm/idt77105.c
index 0aabfc2a59d9..325325afabec 100644
--- a/drivers/atm/idt77105.c
+++ b/drivers/atm/idt77105.c
@@ -358,7 +358,7 @@ static const struct atmphy_ops idt77105_ops = {
 };
-int idt77105_init(struct atm_dev *dev)
+int __devinit idt77105_init(struct atm_dev *dev)
 {
        dev->phy = &idt77105_ops;
        return 0;
diff --git a/drivers/atm/idt77105.h b/drivers/atm/idt77105.h
index 8ba8218aaefe..3fd2bc899761 100644
--- a/drivers/atm/idt77105.h
+++ b/drivers/atm/idt77105.h
@@ -76,7 +76,7 @@
 #define IDT77105_CTRSEL_RHEC    0x01    /* W, Rx HEC Error Counter */
 #ifdef __KERNEL__
-int idt77105_init(struct atm_dev *dev) __init;
+int idt77105_init(struct atm_dev *dev);
 #endif
 /*
diff --git a/drivers/atm/iphase.c b/drivers/atm/iphase.c
index 2e2e50e1167a..333a7bc609d2 100644
--- a/drivers/atm/iphase.c
+++ b/drivers/atm/iphase.c
@@ -2284,7 +2284,7 @@ static int reset_sar(struct atm_dev *dev)
 }  
          
          
-static int __init ia_init(struct atm_dev *dev)
+static int __devinit ia_init(struct atm_dev *dev)
 {  
        IADEV *iadev;  
        unsigned long real_base;
@@ -2480,7 +2480,7 @@ static void ia_free_rx(IADEV *iadev)
                          iadev->rx_dle_dma);  
 }
-static int __init ia_start(struct atm_dev *dev)
+static int __devinit ia_start(struct atm_dev *dev)
 {  
        IADEV *iadev;  
        int error;  
diff --git a/drivers/atm/suni.c b/drivers/atm/suni.c
index b1d063cc4fbe..f04f39c00833 100644
--- a/drivers/atm/suni.c
+++ b/drivers/atm/suni.c
@@ -289,7 +289,7 @@ static const struct atmphy_ops suni_ops = {
 };
-int suni_init(struct atm_dev *dev)
+int __devinit suni_init(struct atm_dev *dev)
 {
        unsigned char mri;
diff --git a/drivers/net/bnx2.c b/drivers/net/bnx2.c
index 7635736cc791..d55b0f7939a6 100644
--- a/drivers/net/bnx2.c
+++ b/drivers/net/bnx2.c
@@ -57,8 +57,8 @@
 #define DRV_MODULE_NAME         "bnx2"
 #define PFX DRV_MODULE_NAME     ": "
-#define DRV_MODULE_VERSION      "1.4.42"
+#define DRV_MODULE_VERSION      "1.4.43"
-#define DRV_MODULE_RELDATE      "June 12, 2006"
+#define DRV_MODULE_RELDATE      "June 28, 2006"
 #define RUN_AT(x) (jiffies + (x))
@@ -1676,7 +1676,7 @@ bnx2_tx_int(struct bnx2 *bp)
                tx_free_bd += last + 1;
-                dev_kfree_skb_irq(skb);
+                dev_kfree_skb(skb);
                hw_cons = bp->hw_tx_cons =
                        sblk->status_tx_quick_consumer_index0;
@@ -1824,7 +1824,7 @@ reuse_rx:
                if ((len > (bp->dev->mtu + ETH_HLEN)) &&
                        (ntohs(skb->protocol) != 0x8100)) {
-                        dev_kfree_skb_irq(skb);
+                        dev_kfree_skb(skb);
                        goto next_rx;
                }
@@ -3643,7 +3643,7 @@ bnx2_free_tx_skbs(struct bnx2 *bp)
                                skb_shinfo(skb)->frags[j].size,
                                PCI_DMA_TODEVICE);
                }
-                dev_kfree_skb_any(skb);
+                dev_kfree_skb(skb);
                i += j + 1;
        }
@@ -3669,7 +3669,7 @@ bnx2_free_rx_skbs(struct bnx2 *bp)
                rx_buf->skb = NULL;
-                dev_kfree_skb_any(skb);
+                dev_kfree_skb(skb);
        }
 }
@@ -3999,7 +3999,7 @@ bnx2_run_loopback(struct bnx2 *bp, int loopback_mode)
        udelay(5);
        pci_unmap_single(bp->pdev, map, pkt_size, PCI_DMA_TODEVICE);
-        dev_kfree_skb_irq(skb);
+        dev_kfree_skb(skb);
        if (bp->status_blk->status_tx_quick_consumer_index0 != bp->tx_prod) {
                goto loopback_test_done;
@@ -4541,7 +4541,7 @@ bnx2_close(struct net_device *dev)
        bnx2_netif_stop(bp);
        del_timer_sync(&bp->timer);
        if (bp->flags & NO_WOL_FLAG)
-                reset_code = BNX2_DRV_MSG_CODE_UNLOAD;
+                reset_code = BNX2_DRV_MSG_CODE_UNLOAD_LNK_DN;
        else if (bp->wol)
                reset_code = BNX2_DRV_MSG_CODE_SUSPEND_WOL;
        else
@@ -5128,6 +5128,16 @@ bnx2_set_rx_csum(struct net_device *dev, u32 data)
        return 0;
 }
+static int
+bnx2_set_tso(struct net_device *dev, u32 data)
+{
+        if (data)
+                dev->features |= NETIF_F_TSO | NETIF_F_TSO_ECN;
+        else
+                dev->features &= ~(NETIF_F_TSO | NETIF_F_TSO_ECN);
+        return 0;
+}
 #define BNX2_NUM_STATS 46
 static struct {
@@ -5445,7 +5455,7 @@ static struct ethtool_ops bnx2_ethtool_ops = {
        .set_sg                 = ethtool_op_set_sg,
 #ifdef BCM_TSO
        .get_tso                = ethtool_op_get_tso,
-        .set_tso                = ethtool_op_set_tso,
+        .set_tso                = bnx2_set_tso,
 #endif
        .self_test_count        = bnx2_self_test_count,
        .self_test              = bnx2_self_test,
@@ -5926,7 +5936,7 @@ bnx2_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
        dev->features |= NETIF_F_HW_VLAN_TX | NETIF_F_HW_VLAN_RX;
 #endif
 #ifdef BCM_TSO
-        dev->features |= NETIF_F_TSO;
+        dev->features |= NETIF_F_TSO | NETIF_F_TSO_ECN;
 #endif
        netif_carrier_off(bp->dev);
@@ -5968,7 +5978,7 @@ bnx2_suspend(struct pci_dev *pdev, pm_message_t state)
        netif_device_detach(dev);
        del_timer_sync(&bp->timer);
        if (bp->flags & NO_WOL_FLAG)
-                reset_code = BNX2_DRV_MSG_CODE_UNLOAD;
+                reset_code = BNX2_DRV_MSG_CODE_UNLOAD_LNK_DN;
        else if (bp->wol)
                reset_code = BNX2_DRV_MSG_CODE_SUSPEND_WOL;
        else
diff --git a/drivers/net/bnx2.h b/drivers/net/bnx2.h
index 5845e334941b..658c5ee95c73 100644
--- a/drivers/net/bnx2.h
+++ b/drivers/net/bnx2.h
@@ -4174,6 +4174,7 @@ struct fw_info {
 #define BNX2_DRV_MSG_CODE_PULSE                  0x06000000
 #define BNX2_DRV_MSG_CODE_DIAG                   0x07000000
 #define BNX2_DRV_MSG_CODE_SUSPEND_NO_WOL         0x09000000
+#define BNX2_DRV_MSG_CODE_UNLOAD_LNK_DN          0x0b000000
 #define BNX2_DRV_MSG_DATA                        0x00ff0000
 #define BNX2_DRV_MSG_DATA_WAIT0                  0x00010000
diff --git a/drivers/net/irda/Kconfig b/drivers/net/irda/Kconfig
index d2ce4896abff..e9e6d99a9add 100644
--- a/drivers/net/irda/Kconfig
+++ b/drivers/net/irda/Kconfig
@@ -350,7 +350,7 @@ config TOSHIBA_FIR
 config AU1000_FIR
        tristate "Alchemy Au1000 SIR/FIR"
-        depends on MIPS_AU1000 && IRDA
+        depends on SOC_AU1000 && IRDA
 config SMC_IRCC_FIR
        tristate "SMSC IrCC (EXPERIMENTAL)"
diff --git a/drivers/net/irda/mcs7780.c b/drivers/net/irda/mcs7780.c
index 754297fc8f22..47f6f64d604c 100644
--- a/drivers/net/irda/mcs7780.c
+++ b/drivers/net/irda/mcs7780.c
@@ -101,7 +101,7 @@ static int transceiver_type = MCS_TSC_VISHAY;
 module_param(transceiver_type, int, 0444);
 MODULE_PARM_DESC(transceiver_type, "IR transceiver type, see mcs7780.h.");
-struct usb_driver mcs_driver = {
+static struct usb_driver mcs_driver = {
        .name = "mcs7780",
        .probe = mcs_probe,
        .disconnect = mcs_disconnect,
diff --git a/include/asm-alpha/socket.h b/include/asm-alpha/socket.h
index b5193229132a..d22ab97ea72e 100644
--- a/include/asm-alpha/socket.h
+++ b/include/asm-alpha/socket.h
@@ -51,6 +51,7 @@
 #define SCM_TIMESTAMP           SO_TIMESTAMP
 #define SO_PEERSEC              30
+#define SO_PASSSEC              34
 /* Security levels - as per NRL IPv6 - don't actually do anything */
 #define SO_SECURITY_AUTHENTICATION              19
diff --git a/include/asm-arm/socket.h b/include/asm-arm/socket.h
index 3c51da6438c9..19f7df702b06 100644
--- a/include/asm-arm/socket.h
+++ b/include/asm-arm/socket.h
@@ -48,5 +48,6 @@
 #define SO_ACCEPTCONN           30
 #define SO_PEERSEC              31
+#define SO_PASSSEC              34
 #endif /* _ASM_SOCKET_H */
diff --git a/include/asm-arm26/socket.h b/include/asm-arm26/socket.h
index 3c51da6438c9..19f7df702b06 100644
--- a/include/asm-arm26/socket.h
+++ b/include/asm-arm26/socket.h
@@ -48,5 +48,6 @@
 #define SO_ACCEPTCONN           30
 #define SO_PEERSEC              31
+#define SO_PASSSEC              34
 #endif /* _ASM_SOCKET_H */
diff --git a/include/asm-cris/socket.h b/include/asm-cris/socket.h
index 8b1da3e58c55..01cfdf1d6d33 100644
--- a/include/asm-cris/socket.h
+++ b/include/asm-cris/socket.h
@@ -50,6 +50,7 @@
 #define SO_ACCEPTCONN          30
 #define SO_PEERSEC             31
+#define SO_PASSSEC              34
 #endif /* _ASM_SOCKET_H */
diff --git a/include/asm-frv/socket.h b/include/asm-frv/socket.h
index 7177f8b9817c..31db18fc871f 100644
--- a/include/asm-frv/socket.h
+++ b/include/asm-frv/socket.h
@@ -48,6 +48,7 @@
 #define SO_ACCEPTCONN           30
 #define SO_PEERSEC              31
+#define SO_PASSSEC              34
 #endif /* _ASM_SOCKET_H */
diff --git a/include/asm-h8300/socket.h b/include/asm-h8300/socket.h
index d98cf85bafc1..ebc830fee0d0 100644
--- a/include/asm-h8300/socket.h
+++ b/include/asm-h8300/socket.h
@@ -48,5 +48,6 @@
 #define SO_ACCEPTCONN           30
 #define SO_PEERSEC              31
+#define SO_PASSSEC              34
 #endif /* _ASM_SOCKET_H */
diff --git a/include/asm-i386/socket.h b/include/asm-i386/socket.h
index 802ae76195b7..5755d57c4e95 100644
--- a/include/asm-i386/socket.h
+++ b/include/asm-i386/socket.h
@@ -48,5 +48,6 @@
 #define SO_ACCEPTCONN           30
 #define SO_PEERSEC              31
+#define SO_PASSSEC              34
 #endif /* _ASM_SOCKET_H */
diff --git a/include/asm-ia64/socket.h b/include/asm-ia64/socket.h
index a255006fb7b5..d638ef3d50c3 100644
--- a/include/asm-ia64/socket.h
+++ b/include/asm-ia64/socket.h
@@ -57,5 +57,6 @@
 #define SO_ACCEPTCONN           30
 #define SO_PEERSEC             31
+#define SO_PASSSEC              34
 #endif /* _ASM_IA64_SOCKET_H */
diff --git a/include/asm-m32r/socket.h b/include/asm-m32r/socket.h
index 8b6680f223c0..acdf748fcdc8 100644
--- a/include/asm-m32r/socket.h
+++ b/include/asm-m32r/socket.h
@@ -48,5 +48,6 @@
 #define SO_ACCEPTCONN           30
 #define SO_PEERSEC              31
+#define SO_PASSSEC              34
 #endif /* _ASM_M32R_SOCKET_H */
diff --git a/include/asm-m68k/socket.h b/include/asm-m68k/socket.h
index f578ca4b776a..a5966ec005ae 100644
--- a/include/asm-m68k/socket.h
+++ b/include/asm-m68k/socket.h
@@ -48,5 +48,6 @@
 #define SO_ACCEPTCONN           30
 #define SO_PEERSEC             31
+#define SO_PASSSEC              34
 #endif /* _ASM_SOCKET_H */
diff --git a/include/asm-mips/socket.h b/include/asm-mips/socket.h
index 0bb31e5aaca6..36ebe4e186a7 100644
--- a/include/asm-mips/socket.h
+++ b/include/asm-mips/socket.h
@@ -69,6 +69,7 @@ To add: #define SO_REUSEPORT 0x0200	/* Allow local address and port reuse.  */
 #define SO_PEERSEC              30
 #define SO_SNDBUFFORCE          31
 #define SO_RCVBUFFORCE          33
+#define SO_PASSSEC              34
 #ifdef __KERNEL__
diff --git a/include/asm-parisc/socket.h b/include/asm-parisc/socket.h
index 1bf54dc53c10..ce2eae1708b5 100644
--- a/include/asm-parisc/socket.h
+++ b/include/asm-parisc/socket.h
@@ -48,5 +48,6 @@
 #define SO_ACCEPTCONN           0x401c
 #define SO_PEERSEC              0x401d
+#define SO_PASSSEC              0x401e
 #endif /* _ASM_SOCKET_H */
diff --git a/include/asm-powerpc/socket.h b/include/asm-powerpc/socket.h
index e4b8177d4acc..c8b1da50e72d 100644
--- a/include/asm-powerpc/socket.h
+++ b/include/asm-powerpc/socket.h
@@ -55,5 +55,6 @@
 #define SO_ACCEPTCONN           30
 #define SO_PEERSEC              31
+#define SO_PASSSEC              34
 #endif  /* _ASM_POWERPC_SOCKET_H */
diff --git a/include/asm-s390/socket.h b/include/asm-s390/socket.h
index 15a5298c8744..1778a49a74c5 100644
--- a/include/asm-s390/socket.h
+++ b/include/asm-s390/socket.h
@@ -56,5 +56,6 @@
 #define SO_ACCEPTCONN           30
 #define SO_PEERSEC              31
+#define SO_PASSSEC              34
 #endif /* _ASM_SOCKET_H */
diff --git a/include/asm-sh/socket.h b/include/asm-sh/socket.h
index 553904ff9336..ca70362eb563 100644
--- a/include/asm-sh/socket.h
+++ b/include/asm-sh/socket.h
@@ -48,5 +48,6 @@
 #define SO_ACCEPTCONN           30
 #define SO_PEERSEC              31
+#define SO_PASSSEC              34
 #endif /* __ASM_SH_SOCKET_H */
diff --git a/include/asm-sparc/socket.h b/include/asm-sparc/socket.h
index 4e0ce3a35ea9..f6c4e5baf3f7 100644
--- a/include/asm-sparc/socket.h
+++ b/include/asm-sparc/socket.h
@@ -48,6 +48,7 @@
 #define SCM_TIMESTAMP           SO_TIMESTAMP
 #define SO_PEERSEC              0x001e
+#define SO_PASSSEC              0x001f
 /* Security levels - as per NRL IPv6 - don't actually do anything */
 #define SO_SECURITY_AUTHENTICATION              0x5001
diff --git a/include/asm-sparc64/socket.h b/include/asm-sparc64/socket.h
index 59987dad3359..754d46a50af3 100644
--- a/include/asm-sparc64/socket.h
+++ b/include/asm-sparc64/socket.h
@@ -48,6 +48,7 @@
 #define SCM_TIMESTAMP           SO_TIMESTAMP
 #define SO_PEERSEC              0x001e
+#define SO_PASSSEC              0x001f
 /* Security levels - as per NRL IPv6 - don't actually do anything */
 #define SO_SECURITY_AUTHENTICATION              0x5001
diff --git a/include/asm-v850/socket.h b/include/asm-v850/socket.h
index 0240d366a0a4..0dfe55ac2ef2 100644
--- a/include/asm-v850/socket.h
+++ b/include/asm-v850/socket.h
@@ -48,5 +48,6 @@
 #define SO_ACCEPTCONN           30
 #define SO_PEERSEC              31
+#define SO_PASSSEC              34
 #endif /* __V850_SOCKET_H__ */
diff --git a/include/asm-x86_64/socket.h b/include/asm-x86_64/socket.h
index f2cdbeae5d5b..b46702607933 100644
--- a/include/asm-x86_64/socket.h
+++ b/include/asm-x86_64/socket.h
@@ -48,5 +48,6 @@
 #define SO_ACCEPTCONN           30
 #define SO_PEERSEC             31
+#define SO_PASSSEC              34
 #endif /* _ASM_SOCKET_H */
diff --git a/include/asm-xtensa/socket.h b/include/asm-xtensa/socket.h
index 00f83f3a6d72..971d231be60e 100644
--- a/include/asm-xtensa/socket.h
+++ b/include/asm-xtensa/socket.h
@@ -59,5 +59,6 @@
 #define SO_ACCEPTCONN           30
 #define SO_PEERSEC              31
+#define SO_PASSSEC              34
 #endif  /* _XTENSA_SOCKET_H */
diff --git a/include/linux/atmdev.h b/include/linux/atmdev.h
index 1eb238affb12..41788a31c438 100644
--- a/include/linux/atmdev.h
+++ b/include/linux/atmdev.h
@@ -7,6 +7,7 @@
 #define LINUX_ATMDEV_H
+#include <linux/device.h>
 #include <linux/atmapi.h>
 #include <linux/atm.h>
 #include <linux/atmioc.h>
@@ -358,6 +359,7 @@ struct atm_dev {
        struct proc_dir_entry *proc_entry; /* proc entry */
        char *proc_name;                /* proc entry name */
 #endif
+        struct class_device class_dev;  /* sysfs class device */
        struct list_head dev_list;      /* linkage */
 };
@@ -459,7 +461,7 @@ static inline void atm_dev_put(struct atm_dev *dev)
                BUG_ON(!test_bit(ATM_DF_REMOVED, &dev->flags));
                if (dev->ops->dev_close)
                        dev->ops->dev_close(dev);
-                kfree(dev);
+                class_device_put(&dev->class_dev);
        }
 }
diff --git a/include/linux/net.h b/include/linux/net.h
index 385e68f5bd93..b20c53c74413 100644
--- a/include/linux/net.h
+++ b/include/linux/net.h
@@ -61,6 +61,7 @@ typedef enum {
 #define SOCK_ASYNC_WAITDATA     1
 #define SOCK_NOSPACE            2
 #define SOCK_PASSCRED           3
+#define SOCK_PASSSEC            4
 #ifndef ARCH_HAS_SOCKET_TYPES
 /**
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index 03cd7551a7a1..aa2d3c12c4d8 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -315,6 +315,8 @@ struct net_device
 #define NETIF_F_GSO_SHIFT       16
 #define NETIF_F_TSO             (SKB_GSO_TCPV4 << NETIF_F_GSO_SHIFT)
 #define NETIF_F_UFO             (SKB_GSO_UDPV4 << NETIF_F_GSO_SHIFT)
+#define NETIF_F_GSO_ROBUST      (SKB_GSO_DODGY << NETIF_F_GSO_SHIFT)
+#define NETIF_F_TSO_ECN         (SKB_GSO_TCPV4_ECN << NETIF_F_GSO_SHIFT)
 #define NETIF_F_GEN_CSUM        (NETIF_F_NO_CSUM | NETIF_F_HW_CSUM)
 #define NETIF_F_ALL_CSUM        (NETIF_F_IP_CSUM | NETIF_F_GEN_CSUM)
@@ -543,7 +545,8 @@ struct packet_type {
                                         struct net_device *,
                                         struct packet_type *,
                                         struct net_device *);
-        struct sk_buff          *(*gso_segment)(struct sk_buff *skb, int sg);
+        struct sk_buff          *(*gso_segment)(struct sk_buff *skb,
+                                                int features);
        void                    *af_packet_priv;
        struct list_head        list;
 };
@@ -968,7 +971,7 @@ extern int		netdev_max_backlog;
 extern int              weight_p;
 extern int              netdev_set_master(struct net_device *dev, struct net_device *master);
 extern int skb_checksum_help(struct sk_buff *skb, int inward);
-extern struct sk_buff *skb_gso_segment(struct sk_buff *skb, int sg);
+extern struct sk_buff *skb_gso_segment(struct sk_buff *skb, int features);
 #ifdef CONFIG_BUG
 extern void netdev_rx_csum_fault(struct net_device *dev);
 #else
@@ -988,11 +991,16 @@ extern void dev_seq_stop(struct seq_file *seq, void *v);
 extern void linkwatch_run_queue(void);
+static inline int skb_gso_ok(struct sk_buff *skb, int features)
+{
+        int feature = skb_shinfo(skb)->gso_size ?
+                      skb_shinfo(skb)->gso_type << NETIF_F_GSO_SHIFT : 0;
+        return (features & feature) == feature;
+}
 static inline int netif_needs_gso(struct net_device *dev, struct sk_buff *skb)
 {
-        int feature = skb_shinfo(skb)->gso_type << NETIF_F_GSO_SHIFT;
+        return !skb_gso_ok(skb, dev->features);
-        return skb_shinfo(skb)->gso_size &&
-               (dev->features & feature) != feature;
 }
 #endif /* __KERNEL__ */
diff --git a/include/linux/security.h b/include/linux/security.h
index 51805806f974..c7ea15716dce 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -67,7 +67,7 @@ struct xfrm_state;
 struct xfrm_user_sec_ctx;
 extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb);
-extern int cap_netlink_recv(struct sk_buff *skb);
+extern int cap_netlink_recv(struct sk_buff *skb, int cap);
 /*
 * Values used in the task_security_ops calls
@@ -656,6 +656,7 @@ struct swap_info_struct;
 *      Check permission before processing the received netlink message in
 *      @skb.
 *      @skb contains the sk_buff structure for the netlink message.
+ *      @cap indicates the capability required
 *      Return 0 if permission is granted.
 *
 * Security hooks for Unix domain networking.
@@ -1266,7 +1267,7 @@ struct security_operations {
                          struct sembuf * sops, unsigned nsops, int alter);
        int (*netlink_send) (struct sock * sk, struct sk_buff * skb);
-        int (*netlink_recv) (struct sk_buff * skb);
+        int (*netlink_recv) (struct sk_buff * skb, int cap);
        /* allow module stacking */
        int (*register_security) (const char *name,
@@ -2032,9 +2033,9 @@ static inline int security_netlink_send(struct sock *sk, struct sk_buff * skb)
        return security_ops->netlink_send(sk, skb);
 }
-static inline int security_netlink_recv(struct sk_buff * skb)
+static inline int security_netlink_recv(struct sk_buff * skb, int cap)
 {
-        return security_ops->netlink_recv(skb);
+        return security_ops->netlink_recv(skb, cap);
 }
 /* prototypes */
@@ -2670,9 +2671,9 @@ static inline int security_netlink_send (struct sock *sk, struct sk_buff *skb)
        return cap_netlink_send (sk, skb);
 }
-static inline int security_netlink_recv (struct sk_buff *skb)
+static inline int security_netlink_recv (struct sk_buff *skb, int cap)
 {
-        return cap_netlink_recv (skb);
+        return cap_netlink_recv (skb, cap);
 }
 static inline struct dentry *securityfs_create_dir(const char *name,
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 16eef03ce0eb..59918be91d0a 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -172,6 +172,12 @@ enum {
 enum {
        SKB_GSO_TCPV4 = 1 << 0,
        SKB_GSO_UDPV4 = 1 << 1,
+        /* This indicates the skb is from an untrusted source. */
+        SKB_GSO_DODGY = 1 << 2,
+        /* This indicates the tcp segment has CWR set. */
+        SKB_GSO_TCPV4_ECN = 1 << 3,
 };
 /** 
@@ -1298,8 +1304,7 @@ extern void	       skb_copy_and_csum_dev(const struct sk_buff *skb, u8 *to);
 extern void            skb_split(struct sk_buff *skb,
                                 struct sk_buff *skb1, const u32 len);
-extern void            skb_release_data(struct sk_buff *skb);
+extern struct sk_buff *skb_segment(struct sk_buff *skb, int features);
-extern struct sk_buff *skb_segment(struct sk_buff *skb, int sg);
 static inline void *skb_header_pointer(const struct sk_buff *skb, int offset,
                                       int len, void *buffer)
diff --git a/include/net/af_unix.h b/include/net/af_unix.h
index 795f81f9ec7f..5ba72d95280c 100644
--- a/include/net/af_unix.h
+++ b/include/net/af_unix.h
@@ -53,10 +53,16 @@ struct unix_address {
 struct unix_skb_parms {
        struct ucred            creds;          /* Skb credentials      */
        struct scm_fp_list      *fp;            /* Passed files         */
+#ifdef CONFIG_SECURITY_NETWORK
+        char                    *secdata;       /* Security context     */
+        u32                     seclen;         /* Security length      */
+#endif
 };
 #define UNIXCB(skb)     (*(struct unix_skb_parms*)&((skb)->cb))
 #define UNIXCREDS(skb)  (&UNIXCB((skb)).creds)
+#define UNIXSECDATA(skb)        (&UNIXCB((skb)).secdata)
+#define UNIXSECLEN(skb)         (&UNIXCB((skb)).seclen)
 #define unix_state_rlock(s)     spin_lock(&unix_sk(s)->lock)
 #define unix_state_runlock(s)   spin_unlock(&unix_sk(s)->lock)
diff --git a/include/net/pkt_sched.h b/include/net/pkt_sched.h
index 75b5b9333fc7..1925c65e617b 100644
--- a/include/net/pkt_sched.h
+++ b/include/net/pkt_sched.h
@@ -169,17 +169,23 @@ psched_tod_diff(int delta_sec, int bound)
 #define PSCHED_TADD2(tv, delta, tv_res) \
 ({ \
-           int __delta = (tv).tv_usec + (delta); \
+           int __delta = (delta); \
-           (tv_res).tv_sec = (tv).tv_sec; \
+           (tv_res) = (tv); \
-           if (__delta > USEC_PER_SEC) { (tv_res).tv_sec++; __delta -= USEC_PER_SEC; } \
+           while(__delta >= USEC_PER_SEC){ \
+                 (tv_res).tv_sec++; \
+                 __delta -= USEC_PER_SEC; \
+           } \
           (tv_res).tv_usec = __delta; \
 })
 #define PSCHED_TADD(tv, delta) \
 ({ \
-           (tv).tv_usec += (delta); \
+           int __delta = (delta); \
-           if ((tv).tv_usec > USEC_PER_SEC) { (tv).tv_sec++; \
+           while(__delta >= USEC_PER_SEC){ \
-                 (tv).tv_usec -= USEC_PER_SEC; } \
+                 (tv).tv_sec++; \
+                 __delta -= USEC_PER_SEC; \
+           } \
+           (tv).tv_usec = __delta; \
 })
 /* Set/check that time is in the "past perfect";
diff --git a/include/net/protocol.h b/include/net/protocol.h
index 3b6dc15c68a5..40b6b9c9973f 100644
--- a/include/net/protocol.h
+++ b/include/net/protocol.h
@@ -36,7 +36,8 @@
 struct net_protocol {
        int                     (*handler)(struct sk_buff *skb);
        void                    (*err_handler)(struct sk_buff *skb, u32 info);
-        struct sk_buff         *(*gso_segment)(struct sk_buff *skb, int sg);
+        struct sk_buff         *(*gso_segment)(struct sk_buff *skb,
+                                               int features);
        int                     no_policy;
 };
diff --git a/include/net/scm.h b/include/net/scm.h
index 540619cb7160..02daa097cdcd 100644
--- a/include/net/scm.h
+++ b/include/net/scm.h
@@ -19,6 +19,10 @@ struct scm_cookie
 {
        struct ucred            creds;          /* Skb credentials      */
        struct scm_fp_list      *fp;            /* Passed files         */
+#ifdef CONFIG_SECURITY_NETWORK
+        char                    *secdata;       /* Security context     */
+        u32                     seclen;         /* Security length      */
+#endif
        unsigned long           seq;            /* Connection seqno     */
 };
@@ -48,6 +52,17 @@ static __inline__ int scm_send(struct socket *sock, struct msghdr *msg,
        return __scm_send(sock, msg, scm);
 }
+#ifdef CONFIG_SECURITY_NETWORK
+static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm)
+{
+        if (test_bit(SOCK_PASSSEC, &sock->flags) && scm->secdata != NULL)
+                put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, scm->seclen, scm->secdata);
+}
+#else
+static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm)
+{ }
+#endif /* CONFIG_SECURITY_NETWORK */
 static __inline__ void scm_recv(struct socket *sock, struct msghdr *msg,
                                struct scm_cookie *scm, int flags)
 {
@@ -62,6 +77,8 @@ static __inline__ void scm_recv(struct socket *sock, struct msghdr *msg,
        if (test_bit(SOCK_PASSCRED, &sock->flags))
                put_cmsg(msg, SOL_SOCKET, SCM_CREDENTIALS, sizeof(scm->creds), &scm->creds);
+        scm_passec(sock, msg, scm);
        if (!scm->fp)
                return;
        
diff --git a/include/net/sock.h b/include/net/sock.h
index 2d8d6adf1616..7136bae48c2f 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -383,7 +383,6 @@ enum sock_flags {
        SOCK_USE_WRITE_QUEUE, /* whether to call sk->sk_write_space in sock_wfree */
        SOCK_DBG, /* %SO_DEBUG setting */
        SOCK_RCVTSTAMP, /* %SO_TIMESTAMP setting */
-        SOCK_NO_LARGESEND, /* whether to sent large segments or not */
        SOCK_LOCALROUTE, /* route locally only, %SO_DONTROUTE setting */
        SOCK_QUEUE_SHRUNK, /* write queue has been shrunk recently */
 };
@@ -1033,7 +1032,7 @@ static inline void sk_setup_caps(struct sock *sk, struct dst_entry *dst)
        if (sk->sk_route_caps & NETIF_F_GSO)
                sk->sk_route_caps |= NETIF_F_TSO;
        if (sk->sk_route_caps & NETIF_F_TSO) {
-                if (sock_flag(sk, SOCK_NO_LARGESEND) || dst->header_len)
+                if (dst->header_len)
                        sk->sk_route_caps &= ~NETIF_F_TSO;
                else 
                        sk->sk_route_caps |= NETIF_F_SG | NETIF_F_HW_CSUM;
diff --git a/include/net/tcp.h b/include/net/tcp.h
index ca3d38dfc00b..624921e76332 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -1086,7 +1086,7 @@ extern struct request_sock_ops tcp_request_sock_ops;
 extern int tcp_v4_destroy_sock(struct sock *sk);
-extern struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int sg);
+extern struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int features);
 #ifdef CONFIG_PROC_FS
 extern int  tcp4_proc_init(void);
diff --git a/include/net/tcp_ecn.h b/include/net/tcp_ecn.h
index c6b84397448d..7bb366f70934 100644
--- a/include/net/tcp_ecn.h
+++ b/include/net/tcp_ecn.h
@@ -31,10 +31,9 @@ static inline void TCP_ECN_send_syn(struct sock *sk, struct tcp_sock *tp,
                                    struct sk_buff *skb)
 {
        tp->ecn_flags = 0;
-        if (sysctl_tcp_ecn && !(sk->sk_route_caps & NETIF_F_TSO)) {
+        if (sysctl_tcp_ecn) {
                TCP_SKB_CB(skb)->flags |= TCPCB_FLAG_ECE|TCPCB_FLAG_CWR;
                tp->ecn_flags = TCP_ECN_OK;
-                sock_set_flag(sk, SOCK_NO_LARGESEND);
        }
 }
@@ -56,6 +55,9 @@ static inline void TCP_ECN_send(struct sock *sk, struct tcp_sock *tp,
                        if (tp->ecn_flags&TCP_ECN_QUEUE_CWR) {
                                tp->ecn_flags &= ~TCP_ECN_QUEUE_CWR;
                                skb->h.th->cwr = 1;
+                                if (skb_shinfo(skb)->gso_type & SKB_GSO_TCPV4)
+                                        skb_shinfo(skb)->gso_type |=
+                                                SKB_GSO_TCPV4_ECN;
                        }
                } else {
                        /* ACK or retransmitted segment: clear ECT|CE */
diff --git a/kernel/audit.c b/kernel/audit.c
index 82443fb433ef..d417ca1db79b 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -445,7 +445,7 @@ void audit_send_reply(int pid, int seq, int type, int done, int multi,
 * Check for appropriate CAP_AUDIT_ capabilities on incoming audit
 * control messages.
 */
-static int audit_netlink_ok(kernel_cap_t eff_cap, u16 msg_type)
+static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
 {
        int err = 0;
@@ -459,13 +459,13 @@ static int audit_netlink_ok(kernel_cap_t eff_cap, u16 msg_type)
        case AUDIT_DEL:
        case AUDIT_DEL_RULE:
        case AUDIT_SIGNAL_INFO:
-                if (!cap_raised(eff_cap, CAP_AUDIT_CONTROL))
+                if (security_netlink_recv(skb, CAP_AUDIT_CONTROL))
                        err = -EPERM;
                break;
        case AUDIT_USER:
        case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG:
        case AUDIT_FIRST_USER_MSG2...AUDIT_LAST_USER_MSG2:
-                if (!cap_raised(eff_cap, CAP_AUDIT_WRITE))
+                if (security_netlink_recv(skb, CAP_AUDIT_WRITE))
                        err = -EPERM;
                break;
        default:  /* bad msg */
@@ -488,7 +488,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
        char                    *ctx;
        u32                     len;
-        err = audit_netlink_ok(NETLINK_CB(skb).eff_cap, msg_type);
+        err = audit_netlink_ok(skb, msg_type);
        if (err)
                return err;
diff --git a/net/atm/Makefile b/net/atm/Makefile
index d5818751f6ba..89656d6c0b90 100644
--- a/net/atm/Makefile
+++ b/net/atm/Makefile
@@ -2,7 +2,7 @@
 # Makefile for the ATM Protocol Families.
 #
-atm-y           := addr.o pvc.o signaling.o svc.o ioctl.o common.o atm_misc.o raw.o resources.o
+atm-y           := addr.o pvc.o signaling.o svc.o ioctl.o common.o atm_misc.o raw.o resources.o atm_sysfs.o
 mpoa-objs       := mpc.o mpoa_caches.o mpoa_proc.o
 obj-$(CONFIG_ATM) += atm.o
diff --git a/net/atm/atm_sysfs.c b/net/atm/atm_sysfs.c
new file mode 100644
index 000000000000..5df4b9a068bb
--- /dev/null
+++ b/net/atm/atm_sysfs.c
@@ -0,0 +1,176 @@
+/* ATM driver model support. */
+#include <linux/config.h>
+#include <linux/kernel.h>
+#include <linux/init.h>
+#include <linux/kobject.h>
+#include <linux/atmdev.h>
+#include "common.h"
+#include "resources.h"
+#define to_atm_dev(cldev) container_of(cldev, struct atm_dev, class_dev)
+static ssize_t show_type(struct class_device *cdev, char *buf)
+{
+        struct atm_dev *adev = to_atm_dev(cdev);
+        return sprintf(buf, "%s\n", adev->type);
+}
+static ssize_t show_address(struct class_device *cdev, char *buf)
+{
+        char *pos = buf;
+        struct atm_dev *adev = to_atm_dev(cdev);
+        int i;
+        for (i = 0; i < (ESI_LEN - 1); i++)
+                pos += sprintf(pos, "%02x:", adev->esi[i]);
+        pos += sprintf(pos, "%02x\n", adev->esi[i]);
+        return pos - buf;
+}
+static ssize_t show_atmaddress(struct class_device *cdev, char *buf)
+{
+        unsigned long flags;
+        char *pos = buf;
+        struct atm_dev *adev = to_atm_dev(cdev);
+        struct atm_dev_addr *aaddr;
+        int bin[] = { 1, 2, 10, 6, 1 }, *fmt = bin;
+        int i, j;
+        spin_lock_irqsave(&adev->lock, flags);
+        list_for_each_entry(aaddr, &adev->local, entry) {
+                for(i = 0, j = 0; i < ATM_ESA_LEN; ++i, ++j) {
+                        if (j == *fmt) {
+                                pos += sprintf(pos, ".");
+                                ++fmt;
+                                j = 0;
+                        }
+                        pos += sprintf(pos, "%02x", aaddr->addr.sas_addr.prv[i]);
+                }
+                pos += sprintf(pos, "\n");
+        }
+        spin_unlock_irqrestore(&adev->lock, flags);
+        return pos - buf;
+}
+static ssize_t show_carrier(struct class_device *cdev, char *buf)
+{
+        char *pos = buf;
+        struct atm_dev *adev = to_atm_dev(cdev);
+        pos += sprintf(pos, "%d\n",
+                       adev->signal == ATM_PHY_SIG_LOST ? 0 : 1);
+                
+        return pos - buf;
+}
+static ssize_t show_link_rate(struct class_device *cdev, char *buf)
+{
+        char *pos = buf;
+        struct atm_dev *adev = to_atm_dev(cdev);
+        int link_rate;
+        /* show the link rate, not the data rate */
+        switch (adev->link_rate) {
+                case ATM_OC3_PCR:
+                        link_rate = 155520000;
+                        break;
+                case ATM_OC12_PCR:
+                        link_rate = 622080000;
+                        break;
+                case ATM_25_PCR:
+                        link_rate = 25600000;
+                        break;
+                default:
+                        link_rate = adev->link_rate * 8 * 53;
+        }
+        pos += sprintf(pos, "%d\n", link_rate);
+                
+        return pos - buf;
+}
+static CLASS_DEVICE_ATTR(address, S_IRUGO, show_address, NULL);
+static CLASS_DEVICE_ATTR(atmaddress, S_IRUGO, show_atmaddress, NULL);
+static CLASS_DEVICE_ATTR(carrier, S_IRUGO, show_carrier, NULL);
+static CLASS_DEVICE_ATTR(type, S_IRUGO, show_type, NULL);
+static CLASS_DEVICE_ATTR(link_rate, S_IRUGO, show_link_rate, NULL);
+static struct class_device_attribute *atm_attrs[] = {
+        &class_device_attr_atmaddress,
+        &class_device_attr_address,
+        &class_device_attr_carrier,
+        &class_device_attr_type,
+        &class_device_attr_link_rate,
+        NULL
+};
+static int atm_uevent(struct class_device *cdev, char **envp, int num_envp, char *buf, int size)
+{
+        struct atm_dev *adev;
+        int i = 0, len = 0;
+        if (!cdev)
+                return -ENODEV;
+        adev = to_atm_dev(cdev);
+        if (!adev)
+                return -ENODEV;
+        if (add_uevent_var(envp, num_envp, &i, buf, size, &len,
+                           "NAME=%s%d", adev->type, adev->number))
+                return -ENOMEM;
+        envp[i] = NULL;
+        return 0;
+}
+static void atm_release(struct class_device *cdev)
+{
+        struct atm_dev *adev = to_atm_dev(cdev);
+        kfree(adev);
+}
+static struct class atm_class = {
+        .name           = "atm",
+        .release        = atm_release,
+        .uevent         = atm_uevent,
+};
+int atm_register_sysfs(struct atm_dev *adev)
+{
+        struct class_device *cdev = &adev->class_dev;
+        int i, err;
+        cdev->class = &atm_class;
+        class_set_devdata(cdev, adev);
+        snprintf(cdev->class_id, BUS_ID_SIZE, "%s%d", adev->type, adev->number);
+        err = class_device_register(cdev);
+        if (err < 0)
+                return err;
+        for (i = 0; atm_attrs[i]; i++)
+                class_device_create_file(cdev, atm_attrs[i]);
+        return 0;
+}
+void atm_unregister_sysfs(struct atm_dev *adev)
+{
+        struct class_device *cdev = &adev->class_dev;
+        class_device_del(cdev);
+}
+int __init atm_sysfs_init(void)
+{
+        return class_register(&atm_class);
+}
+void __exit atm_sysfs_exit(void)
+{
+        class_unregister(&atm_class);
+}
diff --git a/net/atm/common.c b/net/atm/common.c
index ae002220fa99..35ab1a61e831 100644
--- a/net/atm/common.c
+++ b/net/atm/common.c
@@ -791,8 +791,14 @@ static int __init atm_init(void)
                printk(KERN_ERR "atm_proc_init() failed with %d\n",error);
                goto out_atmsvc_exit;
        }
+        if ((error = atm_sysfs_init()) < 0) {
+                printk(KERN_ERR "atm_sysfs_init() failed with %d\n",error);
+                goto out_atmproc_exit;
+        }
 out:
        return error;
+out_atmproc_exit:
+        atm_proc_exit();
 out_atmsvc_exit:
        atmsvc_exit();
 out_atmpvc_exit:
@@ -805,6 +811,7 @@ out_unregister_vcc_proto:
 static void __exit atm_exit(void)
 {
        atm_proc_exit();
+        atm_sysfs_exit();
        atmsvc_exit();
        atmpvc_exit();
        proto_unregister(&vcc_proto);
diff --git a/net/atm/common.h b/net/atm/common.h
index 4887c317cefe..a422da7788fb 100644
--- a/net/atm/common.h
+++ b/net/atm/common.h
@@ -28,6 +28,8 @@ int atmpvc_init(void);
 void atmpvc_exit(void);
 int atmsvc_init(void);
 void atmsvc_exit(void);
+int atm_sysfs_init(void);
+void atm_sysfs_exit(void);
 #ifdef CONFIG_PROC_FS
 int atm_proc_init(void);
diff --git a/net/atm/resources.c b/net/atm/resources.c
index 18ac80698f83..534baf704056 100644
--- a/net/atm/resources.c
+++ b/net/atm/resources.c
@@ -114,14 +114,27 @@ struct atm_dev *atm_dev_register(const char *type, const struct atmdev_ops *ops,
                printk(KERN_ERR "atm_dev_register: "
                       "atm_proc_dev_register failed for dev %s\n",
                       type);
-                mutex_unlock(&atm_dev_mutex);
+                goto out_fail;
-                kfree(dev);
+        }
-                return NULL;
+        if (atm_register_sysfs(dev) < 0) {
+                printk(KERN_ERR "atm_dev_register: "
+                       "atm_register_sysfs failed for dev %s\n",
+                       type);
+                atm_proc_dev_deregister(dev);
+                goto out_fail;
        }
        list_add_tail(&dev->dev_list, &atm_devs);
-        mutex_unlock(&atm_dev_mutex);
+out:
+        mutex_unlock(&atm_dev_mutex);
        return dev;
+out_fail:
+        kfree(dev);
+        dev = NULL;
+        goto out;
 }
@@ -140,6 +153,7 @@ void atm_dev_deregister(struct atm_dev *dev)
        mutex_unlock(&atm_dev_mutex);
        atm_dev_release_vccs(dev);
+        atm_unregister_sysfs(dev);
        atm_proc_dev_deregister(dev);
        atm_dev_put(dev);
diff --git a/net/atm/resources.h b/net/atm/resources.h
index ac7222fee7a8..644989980c37 100644
--- a/net/atm/resources.h
+++ b/net/atm/resources.h
@@ -43,4 +43,6 @@ static inline void atm_proc_dev_deregister(struct atm_dev *dev)
 #endif /* CONFIG_PROC_FS */
+int atm_register_sysfs(struct atm_dev *adev);
+void atm_unregister_sysfs(struct atm_dev *adev);
 #endif
diff --git a/net/bridge/br_device.c b/net/bridge/br_device.c
index 2afdc7c0736c..f8dbcee80eba 100644
--- a/net/bridge/br_device.c
+++ b/net/bridge/br_device.c
@@ -184,6 +184,6 @@ void br_dev_setup(struct net_device *dev)
        dev->set_mac_address = br_set_mac_address;
        dev->priv_flags = IFF_EBRIDGE;
-        dev->features = NETIF_F_SG | NETIF_F_FRAGLIST
+        dev->features = NETIF_F_SG | NETIF_F_FRAGLIST | NETIF_F_HIGHDMA |
-                | NETIF_F_HIGHDMA | NETIF_F_TSO | NETIF_F_NO_CSUM;
+                        NETIF_F_TSO | NETIF_F_NO_CSUM | NETIF_F_GSO_ROBUST;
 }
diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
index 07956ecf545e..f55ef682ef84 100644
--- a/net/bridge/br_if.c
+++ b/net/bridge/br_if.c
@@ -392,7 +392,8 @@ void br_features_recompute(struct net_bridge *br)
                features &= feature;
        }
-        br->dev->features = features | checksum | NETIF_F_LLTX;
+        br->dev->features = features | checksum | NETIF_F_LLTX |
+                            NETIF_F_GSO_ROBUST;
 }
 /* called with RTNL */
diff --git a/net/core/dev.c b/net/core/dev.c
index f1c52cbd6ef7..08976b08df5b 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1190,11 +1190,14 @@ out:
 /**
 *      skb_gso_segment - Perform segmentation on skb.
 *      @skb: buffer to segment
- *      @sg: whether scatter-gather is supported on the target.
+ *      @features: features for the output path (see dev->features)
 *
 *      This function segments the given skb and returns a list of segments.
+ *
+ *      It may return NULL if the skb requires no segmentation.  This is
+ *      only possible when GSO is used for verifying header integrity.
 */
-struct sk_buff *skb_gso_segment(struct sk_buff *skb, int sg)
+struct sk_buff *skb_gso_segment(struct sk_buff *skb, int features)
 {
        struct sk_buff *segs = ERR_PTR(-EPROTONOSUPPORT);
        struct packet_type *ptype;
@@ -1210,12 +1213,14 @@ struct sk_buff *skb_gso_segment(struct sk_buff *skb, int sg)
        rcu_read_lock();
        list_for_each_entry_rcu(ptype, &ptype_base[ntohs(type) & 15], list) {
                if (ptype->type == type && !ptype->dev && ptype->gso_segment) {
-                        segs = ptype->gso_segment(skb, sg);
+                        segs = ptype->gso_segment(skb, features);
                        break;
                }
        }
        rcu_read_unlock();
+        __skb_push(skb, skb->data - skb->mac.raw);
        return segs;
 }
@@ -1234,7 +1239,6 @@ void netdev_rx_csum_fault(struct net_device *dev)
 EXPORT_SYMBOL(netdev_rx_csum_fault);
 #endif
-#ifdef CONFIG_HIGHMEM
 /* Actually, we should eliminate this check as soon as we know, that:
 * 1. IOMMU is present and allows to map all the memory.
 * 2. No high memory really exists on this machine.
@@ -1242,6 +1246,7 @@ EXPORT_SYMBOL(netdev_rx_csum_fault);
 static inline int illegal_highdma(struct net_device *dev, struct sk_buff *skb)
 {
+#ifdef CONFIG_HIGHMEM
        int i;
        if (dev->features & NETIF_F_HIGHDMA)
@@ -1251,11 +1256,9 @@ static inline int illegal_highdma(struct net_device *dev, struct sk_buff *skb)
                if (PageHighMem(skb_shinfo(skb)->frags[i].page))
                        return 1;
+#endif
        return 0;
 }
-#else
-#define illegal_highdma(dev, skb)       (0)
-#endif
 struct dev_gso_cb {
        void (*destructor)(struct sk_buff *skb);
@@ -1291,9 +1294,15 @@ static int dev_gso_segment(struct sk_buff *skb)
 {
        struct net_device *dev = skb->dev;
        struct sk_buff *segs;
+        int features = dev->features & ~(illegal_highdma(dev, skb) ?
+                                         NETIF_F_SG : 0);
+        segs = skb_gso_segment(skb, features);
+        /* Verifying header integrity only. */
+        if (!segs)
+                return 0;
-        segs = skb_gso_segment(skb, dev->features & NETIF_F_SG &&
-                                    !illegal_highdma(dev, skb));
        if (unlikely(IS_ERR(segs)))
                return PTR_ERR(segs);
@@ -1310,13 +1319,17 @@ int dev_hard_start_xmit(struct sk_buff *skb, struct net_device *dev)
                if (netdev_nit)
                        dev_queue_xmit_nit(skb, dev);
-                if (!netif_needs_gso(dev, skb))
+                if (netif_needs_gso(dev, skb)) {
-                        return dev->hard_start_xmit(skb, dev);
+                        if (unlikely(dev_gso_segment(skb)))
+                                goto out_kfree_skb;
+                        if (skb->next)
+                                goto gso;
+                }
-                if (unlikely(dev_gso_segment(skb)))
+                return dev->hard_start_xmit(skb, dev);
-                        goto out_kfree_skb;
        }
+gso:
        do {
                struct sk_buff *nskb = skb->next;
                int rc;
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 3fcfa9c59e1f..f25aac17497a 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -663,7 +663,7 @@ rtnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, int *errp)
        sz_idx = type>>2;
        kind = type&3;
-        if (kind != 2 && security_netlink_recv(skb)) {
+        if (kind != 2 && security_netlink_recv(skb, CAP_NET_ADMIN)) {
                *errp = -EPERM;
                return -1;
        }
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 6edbb90cbcec..a1c9ecf4f1e0 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -272,7 +272,7 @@ static void skb_clone_fraglist(struct sk_buff *skb)
                skb_get(list);
 }
-void skb_release_data(struct sk_buff *skb)
+static void skb_release_data(struct sk_buff *skb)
 {
        if (!skb->cloned ||
            !atomic_sub_return(skb->nohdr ? (1 << SKB_DATAREF_SHIFT) + 1 : 1,
@@ -1848,13 +1848,13 @@ EXPORT_SYMBOL_GPL(skb_pull_rcsum);
 /**
 *      skb_segment - Perform protocol segmentation on skb.
 *      @skb: buffer to segment
- *      @sg: whether scatter-gather can be used for generated segments
+ *      @features: features for the output path (see dev->features)
 *
 *      This function performs segmentation on the given skb.  It returns
 *      the segment at the given position.  It returns NULL if there are
 *      no more segments to generate, or when an error is encountered.
 */
-struct sk_buff *skb_segment(struct sk_buff *skb, int sg)
+struct sk_buff *skb_segment(struct sk_buff *skb, int features)
 {
        struct sk_buff *segs = NULL;
        struct sk_buff *tail = NULL;
@@ -1863,6 +1863,7 @@ struct sk_buff *skb_segment(struct sk_buff *skb, int sg)
        unsigned int offset = doffset;
        unsigned int headroom;
        unsigned int len;
+        int sg = features & NETIF_F_SG;
        int nfrags = skb_shinfo(skb)->nr_frags;
        int err = -ENOMEM;
        int i = 0;
diff --git a/net/core/sock.c b/net/core/sock.c
index 5d820c376653..204a8dec65cc 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -565,6 +565,13 @@ set_rcvbuf:
                        ret = -ENONET;
                        break;
+                case SO_PASSSEC:
+                        if (valbool)
+                                set_bit(SOCK_PASSSEC, &sock->flags);
+                        else
+                                clear_bit(SOCK_PASSSEC, &sock->flags);
+                        break;
                /* We implement the SO_SNDLOWAT etc to
                   not be settable (1003.1g 5.3) */
                default:
@@ -723,6 +730,10 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
                        v.val = sk->sk_state == TCP_LISTEN;
                        break;
+                case SO_PASSSEC:
+                        v.val = test_bit(SOCK_PASSSEC, &sock->flags) ? 1 : 0;
+                        break;
                case SO_PEERSEC:
                        return security_socket_getpeersec_stream(sock, optval, optlen, len);
diff --git a/net/decnet/netfilter/dn_rtmsg.c b/net/decnet/netfilter/dn_rtmsg.c
index 74133ecd7700..8b99bd33540d 100644
--- a/net/decnet/netfilter/dn_rtmsg.c
+++ b/net/decnet/netfilter/dn_rtmsg.c
@@ -107,7 +107,7 @@ static inline void dnrmg_receive_user_skb(struct sk_buff *skb)
        if (nlh->nlmsg_len < sizeof(*nlh) || skb->len < nlh->nlmsg_len)
                return;
-        if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
+        if (security_netlink_recv(skb, CAP_NET_ADMIN))
                RCV_SKB_FAIL(-EPERM);
        /* Eventually we might send routing messages too */
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index 461216b47948..8d157157bf8e 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -1097,7 +1097,7 @@ int inet_sk_rebuild_header(struct sock *sk)
 EXPORT_SYMBOL(inet_sk_rebuild_header);
-static struct sk_buff *inet_gso_segment(struct sk_buff *skb, int sg)
+static struct sk_buff *inet_gso_segment(struct sk_buff *skb, int features)
 {
        struct sk_buff *segs = ERR_PTR(-EINVAL);
        struct iphdr *iph;
@@ -1126,10 +1126,10 @@ static struct sk_buff *inet_gso_segment(struct sk_buff *skb, int sg)
        rcu_read_lock();
        ops = rcu_dereference(inet_protos[proto]);
        if (ops && ops->gso_segment)
-                segs = ops->gso_segment(skb, sg);
+                segs = ops->gso_segment(skb, features);
        rcu_read_unlock();
-        if (IS_ERR(segs))
+        if (!segs || unlikely(IS_ERR(segs)))
                goto out;
        skb = segs;
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index e1d7f5fbc526..ef0b5aac5838 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -332,7 +332,7 @@ config IP_NF_MATCH_HASHLIMIT
        help
          This option adds a new iptables `hashlimit' match.  
-          As opposed to `limit', this match dynamically crates a hash table
+          As opposed to `limit', this match dynamically creates a hash table
          of limit buckets, based on your selection of source/destination
          ip addresses and/or ports.
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index d0d19192026d..ad39bf640567 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1120,7 +1120,8 @@ int arpt_register_table(struct arpt_table *table,
                return ret;
        }
-        if (xt_register_table(table, &bootstrap, newinfo) != 0) {
+        ret = xt_register_table(table, &bootstrap, newinfo);
+        if (ret != 0) {
                xt_free_table_info(newinfo);
                return ret;
        }
diff --git a/net/ipv4/netfilter/ip_queue.c b/net/ipv4/netfilter/ip_queue.c
index b93f0494362f..198ac36db861 100644
--- a/net/ipv4/netfilter/ip_queue.c
+++ b/net/ipv4/netfilter/ip_queue.c
@@ -457,11 +457,19 @@ dev_cmp(struct ipq_queue_entry *entry, unsigned long ifindex)
        if (entry->info->indev)
                if (entry->info->indev->ifindex == ifindex)
                        return 1;
-                        
        if (entry->info->outdev)
                if (entry->info->outdev->ifindex == ifindex)
                        return 1;
+#ifdef CONFIG_BRIDGE_NETFILTER
+        if (entry->skb->nf_bridge) {
+                if (entry->skb->nf_bridge->physindev &&
+                    entry->skb->nf_bridge->physindev->ifindex == ifindex)
+                        return 1;
+                if (entry->skb->nf_bridge->physoutdev &&
+                    entry->skb->nf_bridge->physoutdev->ifindex == ifindex)
+                        return 1;
+        }
+#endif
        return 0;
 }
@@ -507,7 +515,7 @@ ipq_rcv_skb(struct sk_buff *skb)
        if (type <= IPQM_BASE)
                return;
                
-        if (security_netlink_recv(skb))
+        if (security_netlink_recv(skb, CAP_NET_ADMIN))
                RCV_SKB_FAIL(-EPERM);
        
        write_lock_bh(&queue_lock);
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 706c0025ec5e..7aaaf92efb59 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -2113,7 +2113,8 @@ int ipt_register_table(struct xt_table *table, const struct ipt_replace *repl)
                return ret;
        }
-        if (xt_register_table(table, &bootstrap, newinfo) != 0) {
+        ret = xt_register_table(table, &bootstrap, newinfo);
+        if (ret != 0) {
                xt_free_table_info(newinfo);
                return ret;
        }
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index c04176be7ed1..0336422c88a0 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2145,7 +2145,7 @@ int compat_tcp_getsockopt(struct sock *sk, int level, int optname,
 EXPORT_SYMBOL(compat_tcp_getsockopt);
 #endif
-struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int sg)
+struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int features)
 {
        struct sk_buff *segs = ERR_PTR(-EINVAL);
        struct tcphdr *th;
@@ -2166,10 +2166,14 @@ struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int sg)
        if (!pskb_may_pull(skb, thlen))
                goto out;
+        segs = NULL;
+        if (skb_gso_ok(skb, features | NETIF_F_GSO_ROBUST))
+                goto out;
        oldlen = (u16)~skb->len;
        __skb_pull(skb, thlen);
-        segs = skb_segment(skb, sg);
+        segs = skb_segment(skb, features);
        if (IS_ERR(segs))
                goto out;
diff --git a/net/ipv4/tcp_diag.c b/net/ipv4/tcp_diag.c
index c148c1081880..b56399c7cc12 100644
--- a/net/ipv4/tcp_diag.c
+++ b/net/ipv4/tcp_diag.c
@@ -26,7 +26,10 @@ static void tcp_diag_get_info(struct sock *sk, struct inet_diag_msg *r,
        const struct tcp_sock *tp = tcp_sk(sk);
        struct tcp_info *info = _info;
-        r->idiag_rqueue = tp->rcv_nxt - tp->copied_seq;
+        if (sk->sk_state == TCP_LISTEN)
+                r->idiag_rqueue = sk->sk_ack_backlog;
+        else
+                r->idiag_rqueue = tp->rcv_nxt - tp->copied_seq;
        r->idiag_wqueue = tp->write_seq - tp->snd_una;
        if (info != NULL)
                tcp_get_info(sk, info);
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 94fe5b1f9dcb..7fa0b4a8a389 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -4178,8 +4178,6 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb,
                 */
                TCP_ECN_rcv_synack(tp, th);
-                if (tp->ecn_flags&TCP_ECN_OK)
-                        sock_set_flag(sk, SOCK_NO_LARGESEND);
                tp->snd_wl1 = TCP_SKB_CB(skb)->seq;
                tcp_ack(sk, skb, FLAG_SLOWPATH);
@@ -4322,8 +4320,6 @@ discard:
                tp->max_window = tp->snd_wnd;
                TCP_ECN_rcv_syn(tp, th);
-                if (tp->ecn_flags&TCP_ECN_OK)
-                        sock_set_flag(sk, SOCK_NO_LARGESEND);
                tcp_mtup_init(sk);
                tcp_sync_mss(sk, icsk->icsk_pmtu_cookie);
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 25ecc6e2478b..4c6ef47eb1c3 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1726,7 +1726,8 @@ static void get_tcp4_sock(struct sock *sp, char *tmpbuf, int i)
        sprintf(tmpbuf, "%4d: %08X:%04X %08X:%04X %02X %08X:%08X %02X:%08lX "
                        "%08X %5d %8d %lu %d %p %u %u %u %u %d",
                i, src, srcp, dest, destp, sp->sk_state,
-                tp->write_seq - tp->snd_una, tp->rcv_nxt - tp->copied_seq,
+                tp->write_seq - tp->snd_una,
+                (sp->sk_state == TCP_LISTEN) ? sp->sk_ack_backlog : (tp->rcv_nxt - tp->copied_seq),
                timer_active,
                jiffies_to_clock_t(timer_expires - jiffies),
                icsk->icsk_retransmits,
diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index 2b9b7f6c7f7c..54b2ef7d3efe 100644
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -440,8 +440,6 @@ struct sock *tcp_create_openreq_child(struct sock *sk, struct request_sock *req,
                        newicsk->icsk_ack.last_seg_size = skb->len - newtp->tcp_header_len;
                newtp->rx_opt.mss_clamp = req->mss;
                TCP_ECN_openreq_child(newtp, req);
-                if (newtp->ecn_flags&TCP_ECN_OK)
-                        sock_set_flag(newsk, SOCK_NO_LARGESEND);
                TCP_INC_STATS_BH(TCP_MIB_PASSIVEOPENS);
        }
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index bdd71db8bf90..5a7cb4a9c867 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2044,8 +2044,6 @@ struct sk_buff * tcp_make_synack(struct sock *sk, struct dst_entry *dst,
        memset(th, 0, sizeof(struct tcphdr));
        th->syn = 1;
        th->ack = 1;
-        if (dst->dev->features&NETIF_F_TSO)
-                ireq->ecn_ok = 0;
        TCP_ECN_make_synack(req, th);
        th->source = inet_sk(sk)->sport;
        th->dest = ireq->rmt_port;
diff --git a/net/ipv6/netfilter/ip6_queue.c b/net/ipv6/netfilter/ip6_queue.c
index b4b7d441af25..968a14be0d05 100644
--- a/net/ipv6/netfilter/ip6_queue.c
+++ b/net/ipv6/netfilter/ip6_queue.c
@@ -505,7 +505,7 @@ ipq_rcv_skb(struct sk_buff *skb)
        if (type <= IPQM_BASE)
                return;
        
-        if (security_netlink_recv(skb))
+        if (security_netlink_recv(skb, CAP_NET_ADMIN))
                RCV_SKB_FAIL(-EPERM);   
        write_lock_bh(&queue_lock);
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 2e72f89a7019..0b5bd5587a3e 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1281,7 +1281,8 @@ int ip6t_register_table(struct xt_table *table,
                return ret;
        }
-        if (xt_register_table(table, &bootstrap, newinfo) != 0) {
+        ret = xt_register_table(table, &bootstrap, newinfo);
+        if (ret != 0) {
                xt_free_table_info(newinfo);
                return ret;
        }
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index a50eb306e9e2..b36d5b2e7c30 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1469,7 +1469,8 @@ static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
                   dest->s6_addr32[0], dest->s6_addr32[1],
                   dest->s6_addr32[2], dest->s6_addr32[3], destp,
                   sp->sk_state, 
-                   tp->write_seq-tp->snd_una, tp->rcv_nxt-tp->copied_seq,
+                   tp->write_seq-tp->snd_una,
+                   (sp->sk_state == TCP_LISTEN) ? sp->sk_ack_backlog : (tp->rcv_nxt - tp->copied_seq),
                   timer_active,
                   jiffies_to_clock_t(timer_expires - jiffies),
                   icsk->icsk_retransmits,
diff --git a/net/irda/irlan/irlan_client.c b/net/irda/irlan/irlan_client.c
index f8e6cb0db04b..95cf1234ea17 100644
--- a/net/irda/irlan/irlan_client.c
+++ b/net/irda/irlan/irlan_client.c
@@ -173,13 +173,14 @@ void irlan_client_discovery_indication(discinfo_t *discovery,
        rcu_read_lock();
        self = irlan_get_any();
        if (self) {
-                IRDA_ASSERT(self->magic == IRLAN_MAGIC, return;);
+                IRDA_ASSERT(self->magic == IRLAN_MAGIC, goto out;);
                IRDA_DEBUG(1, "%s(), Found instance (%08x)!\n", __FUNCTION__ ,
                      daddr);
                
                irlan_client_wakeup(self, saddr, daddr);
        }
+IRDA_ASSERT_LABEL(out:)
        rcu_read_unlock();
 }
        
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index b1622b7de1cf..42a178aa30f9 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -411,7 +411,10 @@ config NETFILTER_XT_MATCH_STATISTIC
        tristate '"statistic" match support'
        depends on NETFILTER_XTABLES
        help
-          statistic module
+          This option adds a `statistic' match, which allows you to match
+          on packets periodically or randomly with a given percentage.
+          To compile it as a module, choose M here.  If unsure, say N.
 config NETFILTER_XT_MATCH_STRING
        tristate  '"string" match support'
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index b8c7c567c9df..af4845971f70 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -29,6 +29,7 @@
 #include <linux/errno.h>
 #include <linux/netlink.h>
 #include <linux/spinlock.h>
+#include <linux/interrupt.h>
 #include <linux/notifier.h>
 #include <linux/netfilter.h>
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 0c6da496cfa9..0839b701b930 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -28,6 +28,8 @@
 #include <linux/sctp.h>
 #include <linux/string.h>
 #include <linux/seq_file.h>
+#include <linux/spinlock.h>
+#include <linux/interrupt.h>
 #include <net/netfilter/nf_conntrack.h>
 #include <net/netfilter/nf_conntrack_protocol.h>
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index b88e82a1a987..ec9f0efea6bb 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -229,7 +229,7 @@ static int nfnetlink_rcv_msg(struct sk_buff *skb,
                 NFNL_SUBSYS_ID(nlh->nlmsg_type),
                 NFNL_MSG_TYPE(nlh->nlmsg_type));
-        if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN)) {
+        if (security_netlink_recv(skb, CAP_NET_ADMIN)) {
                DEBUGP("missing CAP_NET_ADMIN\n");
                *errp = -EPERM;
                return -1;
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 86a4ac33de34..49ef41e34c48 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -680,11 +680,19 @@ dev_cmp(struct nfqnl_queue_entry *entry, unsigned long ifindex)
        if (entinf->indev)
                if (entinf->indev->ifindex == ifindex)
                        return 1;
-                        
        if (entinf->outdev)
                if (entinf->outdev->ifindex == ifindex)
                        return 1;
+#ifdef CONFIG_BRIDGE_NETFILTER
+        if (entry->skb->nf_bridge) {
+                if (entry->skb->nf_bridge->physindev &&
+                    entry->skb->nf_bridge->physindev->ifindex == ifindex)
+                        return 1;
+                if (entry->skb->nf_bridge->physoutdev &&
+                    entry->skb->nf_bridge->physoutdev->ifindex == ifindex)
+                        return 1;
+        }
+#endif
        return 0;
 }
diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
index 9316c753692f..843383e01d41 100644
--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -151,7 +151,7 @@ match(const struct sk_buff *skb,
                && SCCHECK(((ntohs(sh->dest) >= info->dpts[0]) 
                        && (ntohs(sh->dest) <= info->dpts[1])), 
                        XT_SCTP_DEST_PORTS, info->flags, info->invflags)
-                && SCCHECK(match_packet(skb, protoff,
+                && SCCHECK(match_packet(skb, protoff + sizeof (sctp_sctphdr_t),
                                        info->chunkmap, info->chunk_match_type,
                                        info->flag_info, info->flag_count, 
                                        hotdrop),
diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c
index 1b61dac9c873..a9a63aa68936 100644
--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -260,7 +260,7 @@ static int __init xt_tcpudp_init(void)
        return ret;
 out_unreg_udp:
-        xt_unregister_match(&tcp_matchstruct);
+        xt_unregister_match(&udp_matchstruct);
 out_unreg_tcp6:
        xt_unregister_match(&tcp6_matchstruct);
 out_unreg_tcp:
diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
index f329b72578f5..edf084becd5e 100644
--- a/net/netlink/genetlink.c
+++ b/net/netlink/genetlink.c
@@ -320,7 +320,7 @@ static int genl_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
                goto errout;
        }
-        if ((ops->flags & GENL_ADMIN_PERM) && security_netlink_recv(skb)) {
+        if ((ops->flags & GENL_ADMIN_PERM) && security_netlink_recv(skb, CAP_NET_ADMIN)) {
                err = -EPERM;
                goto errout;
        }
diff --git a/net/tipc/core.c b/net/tipc/core.c
index 5003acb15919..0539a8362858 100644
--- a/net/tipc/core.c
+++ b/net/tipc/core.c
@@ -191,7 +191,8 @@ static int __init tipc_init(void)
        int res;
        tipc_log_reinit(CONFIG_TIPC_LOG);
-        info("Activated (compiled " __DATE__ " " __TIME__ ")\n");
+        info("Activated (version " TIPC_MOD_VER 
+             " compiled " __DATE__ " " __TIME__ ")\n");
        tipc_own_addr = 0;
        tipc_remote_management = 1;
diff --git a/net/tipc/link.c b/net/tipc/link.c
index d64658053746..c6831c75cfa4 100644
--- a/net/tipc/link.c
+++ b/net/tipc/link.c
@@ -2,7 +2,7 @@
 * net/tipc/link.c: TIPC link code
 * 
 * Copyright (c) 1996-2006, Ericsson AB
- * Copyright (c) 2004-2005, Wind River Systems
+ * Copyright (c) 2004-2006, Wind River Systems
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -988,17 +988,18 @@ static int link_bundle_buf(struct link *l_ptr,
        struct tipc_msg *bundler_msg = buf_msg(bundler);
        struct tipc_msg *msg = buf_msg(buf);
        u32 size = msg_size(msg);
-        u32 to_pos = align(msg_size(bundler_msg));
+        u32 bundle_size = msg_size(bundler_msg);
-        u32 rest = link_max_pkt(l_ptr) - to_pos;
+        u32 to_pos = align(bundle_size);
+        u32 pad = to_pos - bundle_size;
        if (msg_user(bundler_msg) != MSG_BUNDLER)
                return 0;
        if (msg_type(bundler_msg) != OPEN_MSG)
                return 0;
-        if (rest < align(size))
+        if (skb_tailroom(bundler) < (pad + size))
                return 0;
-        skb_put(bundler, (to_pos - msg_size(bundler_msg)) + size);
+        skb_put(bundler, pad + size);
        memcpy(bundler->data + to_pos, buf->data, size);
        msg_set_size(bundler_msg, to_pos + size);
        msg_set_msgcnt(bundler_msg, msg_msgcnt(bundler_msg) + 1);
diff --git a/net/tipc/node.c b/net/tipc/node.c
index 861322b935da..fc6d09630ccd 100644
--- a/net/tipc/node.c
+++ b/net/tipc/node.c
@@ -2,7 +2,7 @@
 * net/tipc/node.c: TIPC node management routines
 * 
 * Copyright (c) 2000-2006, Ericsson AB
- * Copyright (c) 2005, Wind River Systems
+ * Copyright (c) 2005-2006, Wind River Systems
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -592,6 +592,7 @@ struct sk_buff *tipc_node_get_nodes(const void *req_tlv_area, int req_tlv_space)
        struct sk_buff *buf;
        struct node *n_ptr;
        struct tipc_node_info node_info;
+        u32 payload_size;
        if (!TLV_CHECK(req_tlv_area, req_tlv_space, TIPC_TLV_NET_ADDR))
                return tipc_cfg_reply_error_string(TIPC_CFG_TLV_ERROR);
@@ -608,8 +609,11 @@ struct sk_buff *tipc_node_get_nodes(const void *req_tlv_area, int req_tlv_space)
        /* For now, get space for all other nodes 
           (will need to modify this when slave nodes are supported */
-        buf = tipc_cfg_reply_alloc(TLV_SPACE(sizeof(node_info)) *
+        payload_size = TLV_SPACE(sizeof(node_info)) * (tipc_max_nodes - 1);
-                                   (tipc_max_nodes - 1));
+        if (payload_size > 32768u)
+                return tipc_cfg_reply_error_string(TIPC_CFG_NOT_SUPPORTED
+                                                   " (too many nodes)");
+        buf = tipc_cfg_reply_alloc(payload_size);
        if (!buf)
                return NULL;
@@ -633,6 +637,7 @@ struct sk_buff *tipc_node_get_links(const void *req_tlv_area, int req_tlv_space)
        struct sk_buff *buf;
        struct node *n_ptr;
        struct tipc_link_info link_info;
+        u32 payload_size;
        if (!TLV_CHECK(req_tlv_area, req_tlv_space, TIPC_TLV_NET_ADDR))
                return tipc_cfg_reply_error_string(TIPC_CFG_TLV_ERROR);
@@ -645,12 +650,15 @@ struct sk_buff *tipc_node_get_links(const void *req_tlv_area, int req_tlv_space)
        if (!tipc_nodes)
                return tipc_cfg_reply_none();
+        
-        /* For now, get space for 2 links to all other nodes + bcast link 
+        /* Get space for all unicast links + multicast link */
-           (will need to modify this when slave nodes are supported */
+        payload_size = TLV_SPACE(sizeof(link_info)) *
-        buf = tipc_cfg_reply_alloc(TLV_SPACE(sizeof(link_info)) *
+                (tipc_net.zones[tipc_zone(tipc_own_addr)]->links + 1);
-                                   (2 * (tipc_max_nodes - 1) + 1));
+        if (payload_size > 32768u)
+                return tipc_cfg_reply_error_string(TIPC_CFG_NOT_SUPPORTED
+                                                   " (too many links)");
+        buf = tipc_cfg_reply_alloc(payload_size);
        if (!buf)
                return NULL;
diff --git a/net/tipc/zone.h b/net/tipc/zone.h
index 267999c5a240..5ab3d08602e2 100644
--- a/net/tipc/zone.h
+++ b/net/tipc/zone.h
@@ -2,7 +2,7 @@
 * net/tipc/zone.h: Include file for TIPC zone management routines
 * 
 * Copyright (c) 2000-2006, Ericsson AB
- * Copyright (c) 2005, Wind River Systems
+ * Copyright (c) 2005-2006, Wind River Systems
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -45,7 +45,7 @@
 * struct _zone - TIPC zone structure
 * @addr: network address of zone
 * @clusters: array of pointers to all clusters within zone
- * @links: (used for inter-zone communication)
+ * @links: number of (unicast) links to zone
 */
 
 struct _zone {
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index d901465ce013..fd11d4048b52 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -128,6 +128,30 @@ static atomic_t unix_nr_socks = ATOMIC_INIT(0);
 #define UNIX_ABSTRACT(sk)       (unix_sk(sk)->addr->hash != UNIX_HASH_SIZE)
+#ifdef CONFIG_SECURITY_NETWORK
+static void unix_get_peersec_dgram(struct sk_buff *skb)
+{
+        int err;
+        err = security_socket_getpeersec_dgram(skb, UNIXSECDATA(skb),
+                                               UNIXSECLEN(skb));
+        if (err)
+                *(UNIXSECDATA(skb)) = NULL;
+}
+static inline void unix_set_secdata(struct scm_cookie *scm, struct sk_buff *skb)
+{
+        scm->secdata = *UNIXSECDATA(skb);
+        scm->seclen = *UNIXSECLEN(skb);
+}
+#else
+static void unix_get_peersec_dgram(struct sk_buff *skb)
+{ }
+static inline void unix_set_secdata(struct scm_cookie *scm, struct sk_buff *skb)
+{ }
+#endif /* CONFIG_SECURITY_NETWORK */
 /*
 *  SMP locking strategy:
 *    hash table is protected with spinlock unix_table_lock
@@ -1291,6 +1315,8 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock,
        if (siocb->scm->fp)
                unix_attach_fds(siocb->scm, skb);
+        unix_get_peersec_dgram(skb);
        skb->h.raw = skb->data;
        err = memcpy_fromiovec(skb_put(skb,len), msg->msg_iov, len);
        if (err)
@@ -1570,6 +1596,7 @@ static int unix_dgram_recvmsg(struct kiocb *iocb, struct socket *sock,
                memset(&tmp_scm, 0, sizeof(tmp_scm));
        }
        siocb->scm->creds = *UNIXCREDS(skb);
+        unix_set_secdata(siocb->scm, skb);
        if (!(flags & MSG_PEEK))
        {
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 17b29ec3c417..43f00fc28a3d 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -1164,8 +1164,6 @@ int xfrm_state_mtu(struct xfrm_state *x, int mtu)
        return res;
 }
-EXPORT_SYMBOL(xfrm_state_mtu);
 int xfrm_init_state(struct xfrm_state *x)
 {
        struct xfrm_state_afinfo *afinfo;
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index c21dc26141ea..3e6a722d072e 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1435,7 +1435,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, int *err
        link = &xfrm_dispatch[type];
        /* All operations require privileges, even GET */
-        if (security_netlink_recv(skb)) {
+        if (security_netlink_recv(skb, CAP_NET_ADMIN)) {
                *errp = -EPERM;
                return -1;
        }
diff --git a/security/commoncap.c b/security/commoncap.c
index 841eb4e5c62b..57673ee07ceb 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -33,9 +33,9 @@ int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
 EXPORT_SYMBOL(cap_netlink_send);
-int cap_netlink_recv(struct sk_buff *skb)
+int cap_netlink_recv(struct sk_buff *skb, int cap)
 {
-        if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
+        if (!cap_raised(NETLINK_CB(skb).eff_cap, cap))
                return -EPERM;
        return 0;
 }
diff --git a/security/dummy.c b/security/dummy.c
index 310fcdf7b749..913540808577 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -675,9 +675,9 @@ static int dummy_netlink_send (struct sock *sk, struct sk_buff *skb)
        return 0;
 }
-static int dummy_netlink_recv (struct sk_buff *skb)
+static int dummy_netlink_recv (struct sk_buff *skb, int cap)
 {
-        if (!cap_raised (NETLINK_CB (skb).eff_cap, CAP_NET_ADMIN))
+        if (!cap_raised (NETLINK_CB (skb).eff_cap, cap))
                return -EPERM;
        return 0;
 }
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 28832e689800..b85afcf38527 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -69,6 +69,7 @@
 #include <linux/sysctl.h>
 #include <linux/audit.h>
 #include <linux/string.h>
+#include <linux/selinux.h>
 #include "avc.h"
 #include "objsec.h"
@@ -3420,7 +3421,13 @@ out:
 static int selinux_socket_getpeersec_dgram(struct sk_buff *skb, char **secdata, u32 *seclen)
 {
        int err = 0;
-        u32 peer_sid = selinux_socket_getpeer_dgram(skb);
+        u32 peer_sid;
+        if (skb->sk->sk_family == PF_UNIX)
+                selinux_get_inode_sid(SOCK_INODE(skb->sk->sk_socket),
+                                      &peer_sid);
+        else
+                peer_sid = selinux_socket_getpeer_dgram(skb);
        if (peer_sid == SECSID_NULL)
                return -EINVAL;
@@ -3432,8 +3439,6 @@ static int selinux_socket_getpeersec_dgram(struct sk_buff *skb, char **secdata,
        return 0;
 }
 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
 {
        return sk_alloc_security(sk, family, priority);
@@ -3641,32 +3646,32 @@ static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum,
 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
 {
-        struct task_security_struct *tsec;
-        struct av_decision avd;
        int err;
        err = secondary_ops->netlink_send(sk, skb);
        if (err)
                return err;
-        tsec = current->security;
-        avd.allowed = 0;
-        avc_has_perm_noaudit(tsec->sid, tsec->sid,
-                                SECCLASS_CAPABILITY, ~0, &avd);
-        cap_mask(NETLINK_CB(skb).eff_cap, avd.allowed);
        if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
                err = selinux_nlmsg_perm(sk, skb);
        return err;
 }
-static int selinux_netlink_recv(struct sk_buff *skb)
+static int selinux_netlink_recv(struct sk_buff *skb, int capability)
 {
-        if (!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
+        int err;
-                return -EPERM;
+        struct avc_audit_data ad;
-        return 0;
+        err = secondary_ops->netlink_recv(skb, capability);
+        if (err)
+                return err;
+        AVC_AUDIT_DATA_INIT(&ad, CAP);
+        ad.u.cap = capability;
+        return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
+                            SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
 }
 static int ipc_alloc_security(struct task_struct *task,