182 files changed, 2334 insertions, 3381 deletions
diff --git a/net/802/tr.c b/net/802/tr.c
index afd8385c0c9c..e9dc803f2fe0 100644
--- a/net/802/tr.c
+++ b/net/802/tr.c
@@ -643,6 +643,5 @@ static int __init rif_init(void)
 module_init(rif_init);
-EXPORT_SYMBOL(tr_source_route);
 EXPORT_SYMBOL(tr_type_trans);
 EXPORT_SYMBOL(alloc_trdev);
diff --git a/net/atm/clip.c b/net/atm/clip.c
index 3ab4e7947bab..72d852982664 100644
--- a/net/atm/clip.c
+++ b/net/atm/clip.c
@@ -2,7 +2,6 @@
 /* Written 1995-2000 by Werner Almesberger, EPFL LRC/ICA */
 #include <linux/config.h>
 #include <linux/string.h>
 #include <linux/errno.h>
@@ -54,24 +53,24 @@ static struct net_device *clip_devs;
 static struct atm_vcc *atmarpd;
 static struct neigh_table clip_tbl;
 static struct timer_list idle_timer;
-static int start_timer = 1;
-static int to_atmarpd(enum atmarp_ctrl_type type,int itf,unsigned long ip)
+static int to_atmarpd(enum atmarp_ctrl_type type, int itf, unsigned long ip)
 {
        struct sock *sk;
        struct atmarp_ctrl *ctrl;
        struct sk_buff *skb;
-        DPRINTK("to_atmarpd(%d)\n",type);
+        DPRINTK("to_atmarpd(%d)\n", type);
-        if (!atmarpd) return -EUNATCH;
+        if (!atmarpd)
+                return -EUNATCH;
        skb = alloc_skb(sizeof(struct atmarp_ctrl),GFP_ATOMIC);
-        if (!skb) return -ENOMEM;
+        if (!skb)
+                return -ENOMEM;
        ctrl = (struct atmarp_ctrl *) skb_put(skb,sizeof(struct atmarp_ctrl));
        ctrl->type = type;
        ctrl->itf_num = itf;
        ctrl->ip = ip;
-        atm_force_charge(atmarpd,skb->truesize);
+        atm_force_charge(atmarpd, skb->truesize);
        sk = sk_atm(atmarpd);
        skb_queue_tail(&sk->sk_receive_queue, skb);
@@ -79,26 +78,24 @@ static int to_atmarpd(enum atmarp_ctrl_type type,int itf,unsigned long ip)
        return 0;
 }
+static void link_vcc(struct clip_vcc *clip_vcc, struct atmarp_entry *entry)
-static void link_vcc(struct clip_vcc *clip_vcc,struct atmarp_entry *entry)
 {
-        DPRINTK("link_vcc %p to entry %p (neigh %p)\n",clip_vcc,entry,
+        DPRINTK("link_vcc %p to entry %p (neigh %p)\n", clip_vcc, entry,
-            entry->neigh);
+                entry->neigh);
        clip_vcc->entry = entry;
-        clip_vcc->xoff = 0; /* @@@ may overrun buffer by one packet */
+        clip_vcc->xoff = 0;     /* @@@ may overrun buffer by one packet */
        clip_vcc->next = entry->vccs;
        entry->vccs = clip_vcc;
        entry->neigh->used = jiffies;
 }
 static void unlink_clip_vcc(struct clip_vcc *clip_vcc)
 {
        struct atmarp_entry *entry = clip_vcc->entry;
        struct clip_vcc **walk;
        if (!entry) {
-                printk(KERN_CRIT "!clip_vcc->entry (clip_vcc %p)\n",clip_vcc);
+                printk(KERN_CRIT "!clip_vcc->entry (clip_vcc %p)\n", clip_vcc);
                return;
        }
        spin_lock_bh(&entry->neigh->dev->xmit_lock);    /* block clip_start_xmit() */
@@ -107,24 +104,24 @@ static void unlink_clip_vcc(struct clip_vcc *clip_vcc)
                if (*walk == clip_vcc) {
                        int error;
-                        *walk = clip_vcc->next; /* atomic */
+                        *walk = clip_vcc->next; /* atomic */
                        clip_vcc->entry = NULL;
                        if (clip_vcc->xoff)
                                netif_wake_queue(entry->neigh->dev);
                        if (entry->vccs)
                                goto out;
-                        entry->expires = jiffies-1;
+                        entry->expires = jiffies - 1;
-                                /* force resolution or expiration */
+                        /* force resolution or expiration */
                        error = neigh_update(entry->neigh, NULL, NUD_NONE,
                                             NEIGH_UPDATE_F_ADMIN);
                        if (error)
                                printk(KERN_CRIT "unlink_clip_vcc: "
-                                    "neigh_update failed with %d\n",error);
+                                       "neigh_update failed with %d\n", error);
                        goto out;
                }
        printk(KERN_CRIT "ATMARP: unlink_clip_vcc failed (entry %p, vcc "
-          "0x%p)\n",entry,clip_vcc);
+               "0x%p)\n", entry, clip_vcc);
-out:
+      out:
        spin_unlock_bh(&entry->neigh->dev->xmit_lock);
 }
@@ -153,13 +150,13 @@ static int neigh_check_cb(struct neighbour *n)
                DPRINTK("destruction postponed with ref %d\n",
                        atomic_read(&n->refcnt));
-                while ((skb = skb_dequeue(&n->arp_queue)) != NULL) 
+                while ((skb = skb_dequeue(&n->arp_queue)) != NULL)
                        dev_kfree_skb(skb);
                return 0;
        }
-        DPRINTK("expired neigh %p\n",n);
+        DPRINTK("expired neigh %p\n", n);
        return 1;
 }
@@ -167,7 +164,7 @@ static void idle_timer_check(unsigned long dummy)
 {
        write_lock(&clip_tbl.lock);
        __neigh_for_each_release(&clip_tbl, neigh_check_cb);
-        mod_timer(&idle_timer, jiffies+CLIP_CHECK_INTERVAL*HZ);
+        mod_timer(&idle_timer, jiffies + CLIP_CHECK_INTERVAL * HZ);
        write_unlock(&clip_tbl.lock);
 }
@@ -177,13 +174,13 @@ static int clip_arp_rcv(struct sk_buff *skb)
        DPRINTK("clip_arp_rcv\n");
        vcc = ATM_SKB(skb)->vcc;
-        if (!vcc || !atm_charge(vcc,skb->truesize)) {
+        if (!vcc || !atm_charge(vcc, skb->truesize)) {
                dev_kfree_skb_any(skb);
                return 0;
        }
-        DPRINTK("pushing to %p\n",vcc);
+        DPRINTK("pushing to %p\n", vcc);
-        DPRINTK("using %p\n",CLIP_VCC(vcc)->old_push);
+        DPRINTK("using %p\n", CLIP_VCC(vcc)->old_push);
-        CLIP_VCC(vcc)->old_push(vcc,skb);
+        CLIP_VCC(vcc)->old_push(vcc, skb);
        return 0;
 }
@@ -193,34 +190,38 @@ static const unsigned char llc_oui[] = {
        0x03,   /* Ctrl: Unnumbered Information Command PDU */
        0x00,   /* OUI: EtherType */
        0x00,
-        0x00 };
+        0x00
+};
-static void clip_push(struct atm_vcc *vcc,struct sk_buff *skb)
+static void clip_push(struct atm_vcc *vcc, struct sk_buff *skb)
 {
        struct clip_vcc *clip_vcc = CLIP_VCC(vcc);
        DPRINTK("clip push\n");
        if (!skb) {
-                DPRINTK("removing VCC %p\n",clip_vcc);
+                DPRINTK("removing VCC %p\n", clip_vcc);
-                if (clip_vcc->entry) unlink_clip_vcc(clip_vcc);
+                if (clip_vcc->entry)
-                clip_vcc->old_push(vcc,NULL); /* pass on the bad news */
+                        unlink_clip_vcc(clip_vcc);
+                clip_vcc->old_push(vcc, NULL);  /* pass on the bad news */
                kfree(clip_vcc);
                return;
        }
-        atm_return(vcc,skb->truesize);
+        atm_return(vcc, skb->truesize);
        skb->dev = clip_vcc->entry ? clip_vcc->entry->neigh->dev : clip_devs;
-                /* clip_vcc->entry == NULL if we don't have an IP address yet */
+        /* clip_vcc->entry == NULL if we don't have an IP address yet */
        if (!skb->dev) {
                dev_kfree_skb_any(skb);
                return;
        }
        ATM_SKB(skb)->vcc = vcc;
        skb->mac.raw = skb->data;
-        if (!clip_vcc->encap || skb->len < RFC1483LLC_LEN || memcmp(skb->data,
+        if (!clip_vcc->encap
-            llc_oui,sizeof(llc_oui))) skb->protocol = htons(ETH_P_IP);
+            || skb->len < RFC1483LLC_LEN
+            || memcmp(skb->data, llc_oui, sizeof (llc_oui)))
+                skb->protocol = htons(ETH_P_IP);
        else {
                skb->protocol = ((u16 *) skb->data)[3];
-                skb_pull(skb,RFC1483LLC_LEN);
+                skb_pull(skb, RFC1483LLC_LEN);
                if (skb->protocol == htons(ETH_P_ARP)) {
                        PRIV(skb->dev)->stats.rx_packets++;
                        PRIV(skb->dev)->stats.rx_bytes += skb->len;
@@ -235,58 +236,54 @@ static void clip_push(struct atm_vcc *vcc,struct sk_buff *skb)
        netif_rx(skb);
 }
 /*
 * Note: these spinlocks _must_not_ block on non-SMP. The only goal is that
 * clip_pop is atomic with respect to the critical section in clip_start_xmit.
 */
+static void clip_pop(struct atm_vcc *vcc, struct sk_buff *skb)
-static void clip_pop(struct atm_vcc *vcc,struct sk_buff *skb)
 {
        struct clip_vcc *clip_vcc = CLIP_VCC(vcc);
        struct net_device *dev = skb->dev;
        int old;
        unsigned long flags;
-        DPRINTK("clip_pop(vcc %p)\n",vcc);
+        DPRINTK("clip_pop(vcc %p)\n", vcc);
-        clip_vcc->old_pop(vcc,skb);
+        clip_vcc->old_pop(vcc, skb);
        /* skb->dev == NULL in outbound ARP packets */
-        if (!dev) return;
+        if (!dev)
-        spin_lock_irqsave(&PRIV(dev)->xoff_lock,flags);
+                return;
-        if (atm_may_send(vcc,0)) {
+        spin_lock_irqsave(&PRIV(dev)->xoff_lock, flags);
-                old = xchg(&clip_vcc->xoff,0);
+        if (atm_may_send(vcc, 0)) {
-                if (old) netif_wake_queue(dev);
+                old = xchg(&clip_vcc->xoff, 0);
+                if (old)
+                        netif_wake_queue(dev);
        }
-        spin_unlock_irqrestore(&PRIV(dev)->xoff_lock,flags);
+        spin_unlock_irqrestore(&PRIV(dev)->xoff_lock, flags);
 }
 static void clip_neigh_destroy(struct neighbour *neigh)
 {
-        DPRINTK("clip_neigh_destroy (neigh %p)\n",neigh);
+        DPRINTK("clip_neigh_destroy (neigh %p)\n", neigh);
        if (NEIGH2ENTRY(neigh)->vccs)
                printk(KERN_CRIT "clip_neigh_destroy: vccs != NULL !!!\n");
        NEIGH2ENTRY(neigh)->vccs = (void *) 0xdeadbeef;
 }
+static void clip_neigh_solicit(struct neighbour *neigh, struct sk_buff *skb)
-static void clip_neigh_solicit(struct neighbour *neigh,struct sk_buff *skb)
 {
-        DPRINTK("clip_neigh_solicit (neigh %p, skb %p)\n",neigh,skb);
+        DPRINTK("clip_neigh_solicit (neigh %p, skb %p)\n", neigh, skb);
-        to_atmarpd(act_need,PRIV(neigh->dev)->number,NEIGH2ENTRY(neigh)->ip);
+        to_atmarpd(act_need, PRIV(neigh->dev)->number, NEIGH2ENTRY(neigh)->ip);
 }
+static void clip_neigh_error(struct neighbour *neigh, struct sk_buff *skb)
-static void clip_neigh_error(struct neighbour *neigh,struct sk_buff *skb)
 {
 #ifndef CONFIG_ATM_CLIP_NO_ICMP
-        icmp_send(skb,ICMP_DEST_UNREACH,ICMP_HOST_UNREACH,0);
+        icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0);
 #endif
        kfree_skb(skb);
 }
 static struct neigh_ops clip_neigh_ops = {
        .family =               AF_INET,
        .solicit =              clip_neigh_solicit,
@@ -297,7 +294,6 @@ static struct neigh_ops clip_neigh_ops = {
        .queue_xmit =           dev_queue_xmit,
 };
 static int clip_constructor(struct neighbour *neigh)
 {
        struct atmarp_entry *entry = NEIGH2ENTRY(neigh);
@@ -305,9 +301,10 @@ static int clip_constructor(struct neighbour *neigh)
        struct in_device *in_dev;
        struct neigh_parms *parms;
-        DPRINTK("clip_constructor (neigh %p, entry %p)\n",neigh,entry);
+        DPRINTK("clip_constructor (neigh %p, entry %p)\n", neigh, entry);
        neigh->type = inet_addr_type(entry->ip);
-        if (neigh->type != RTN_UNICAST) return -EINVAL;
+        if (neigh->type != RTN_UNICAST)
+                return -EINVAL;
        rcu_read_lock();
        in_dev = __in_dev_get_rcu(dev);
@@ -326,13 +323,13 @@ static int clip_constructor(struct neighbour *neigh)
            neigh->ops->connected_output : neigh->ops->output;
        entry->neigh = neigh;
        entry->vccs = NULL;
-        entry->expires = jiffies-1;
+        entry->expires = jiffies - 1;
        return 0;
 }
 static u32 clip_hash(const void *pkey, const struct net_device *dev)
 {
-        return jhash_2words(*(u32 *)pkey, dev->ifindex, clip_tbl.hash_rnd);
+        return jhash_2words(*(u32 *) pkey, dev->ifindex, clip_tbl.hash_rnd);
 }
 static struct neigh_table clip_tbl = {
@@ -366,7 +363,6 @@ static struct neigh_table clip_tbl = {
        .gc_thresh3     = 1024,
 };
 /* @@@ copy bh locking from arp.c -- need to bh-enable atm code before */
 /*
@@ -376,15 +372,13 @@ static struct neigh_table clip_tbl = {
 * clip_setentry.
 */
+static int clip_encap(struct atm_vcc *vcc, int mode)
-static int clip_encap(struct atm_vcc *vcc,int mode)
 {
        CLIP_VCC(vcc)->encap = mode;
        return 0;
 }
+static int clip_start_xmit(struct sk_buff *skb, struct net_device *dev)
-static int clip_start_xmit(struct sk_buff *skb,struct net_device *dev)
 {
        struct clip_priv *clip_priv = PRIV(dev);
        struct atmarp_entry *entry;
@@ -392,7 +386,7 @@ static int clip_start_xmit(struct sk_buff *skb,struct net_device *dev)
        int old;
        unsigned long flags;
-        DPRINTK("clip_start_xmit (skb %p)\n",skb);
+        DPRINTK("clip_start_xmit (skb %p)\n", skb);
        if (!skb->dst) {
                printk(KERN_ERR "clip_start_xmit: skb->dst == NULL\n");
                dev_kfree_skb(skb);
@@ -401,9 +395,9 @@ static int clip_start_xmit(struct sk_buff *skb,struct net_device *dev)
        }
        if (!skb->dst->neighbour) {
 #if 0
-                skb->dst->neighbour = clip_find_neighbour(skb->dst,1);
+                skb->dst->neighbour = clip_find_neighbour(skb->dst, 1);
                if (!skb->dst->neighbour) {
-                        dev_kfree_skb(skb); /* lost that one */
+                        dev_kfree_skb(skb);     /* lost that one */
                        clip_priv->stats.tx_dropped++;
                        return 0;
                }
@@ -417,73 +411,73 @@ static int clip_start_xmit(struct sk_buff *skb,struct net_device *dev)
        if (!entry->vccs) {
                if (time_after(jiffies, entry->expires)) {
                        /* should be resolved */
-                        entry->expires = jiffies+ATMARP_RETRY_DELAY*HZ;
+                        entry->expires = jiffies + ATMARP_RETRY_DELAY * HZ;
-                        to_atmarpd(act_need,PRIV(dev)->number,entry->ip);
+                        to_atmarpd(act_need, PRIV(dev)->number, entry->ip);
                }
                if (entry->neigh->arp_queue.qlen < ATMARP_MAX_UNRES_PACKETS)
-                        skb_queue_tail(&entry->neigh->arp_queue,skb);
+                        skb_queue_tail(&entry->neigh->arp_queue, skb);
                else {
                        dev_kfree_skb(skb);
                        clip_priv->stats.tx_dropped++;
                }
                return 0;
        }
-        DPRINTK("neigh %p, vccs %p\n",entry,entry->vccs);
+        DPRINTK("neigh %p, vccs %p\n", entry, entry->vccs);
        ATM_SKB(skb)->vcc = vcc = entry->vccs->vcc;
-        DPRINTK("using neighbour %p, vcc %p\n",skb->dst->neighbour,vcc);
+        DPRINTK("using neighbour %p, vcc %p\n", skb->dst->neighbour, vcc);
        if (entry->vccs->encap) {
                void *here;
-                here = skb_push(skb,RFC1483LLC_LEN);
+                here = skb_push(skb, RFC1483LLC_LEN);
-                memcpy(here,llc_oui,sizeof(llc_oui));
+                memcpy(here, llc_oui, sizeof(llc_oui));
                ((u16 *) here)[3] = skb->protocol;
        }
        atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
        ATM_SKB(skb)->atm_options = vcc->atm_options;
        entry->vccs->last_use = jiffies;
-        DPRINTK("atm_skb(%p)->vcc(%p)->dev(%p)\n",skb,vcc,vcc->dev);
+        DPRINTK("atm_skb(%p)->vcc(%p)->dev(%p)\n", skb, vcc, vcc->dev);
-        old = xchg(&entry->vccs->xoff,1); /* assume XOFF ... */
+        old = xchg(&entry->vccs->xoff, 1);      /* assume XOFF ... */
        if (old) {
                printk(KERN_WARNING "clip_start_xmit: XOFF->XOFF transition\n");
                return 0;
        }
        clip_priv->stats.tx_packets++;
        clip_priv->stats.tx_bytes += skb->len;
-        (void) vcc->send(vcc,skb);
+        vcc->send(vcc, skb);
-        if (atm_may_send(vcc,0)) {
+        if (atm_may_send(vcc, 0)) {
                entry->vccs->xoff = 0;
                return 0;
        }
-        spin_lock_irqsave(&clip_priv->xoff_lock,flags);
+        spin_lock_irqsave(&clip_priv->xoff_lock, flags);
-        netif_stop_queue(dev); /* XOFF -> throttle immediately */
+        netif_stop_queue(dev);  /* XOFF -> throttle immediately */
        barrier();
        if (!entry->vccs->xoff)
                netif_start_queue(dev);
-                /* Oh, we just raced with clip_pop. netif_start_queue should be
+        /* Oh, we just raced with clip_pop. netif_start_queue should be
-                   good enough, because nothing should really be asleep because
+           good enough, because nothing should really be asleep because
-                   of the brief netif_stop_queue. If this isn't true or if it
+           of the brief netif_stop_queue. If this isn't true or if it
-                   changes, use netif_wake_queue instead. */
+           changes, use netif_wake_queue instead. */
-        spin_unlock_irqrestore(&clip_priv->xoff_lock,flags);
+        spin_unlock_irqrestore(&clip_priv->xoff_lock, flags);
        return 0;
 }
 static struct net_device_stats *clip_get_stats(struct net_device *dev)
 {
        return &PRIV(dev)->stats;
 }
+static int clip_mkip(struct atm_vcc *vcc, int timeout)
-static int clip_mkip(struct atm_vcc *vcc,int timeout)
 {
        struct clip_vcc *clip_vcc;
        struct sk_buff_head copy;
        struct sk_buff *skb;
-        if (!vcc->push) return -EBADFD;
+        if (!vcc->push)
-        clip_vcc = kmalloc(sizeof(struct clip_vcc),GFP_KERNEL);
+                return -EBADFD;
-        if (!clip_vcc) return -ENOMEM;
+        clip_vcc = kmalloc(sizeof(struct clip_vcc), GFP_KERNEL);
-        DPRINTK("mkip clip_vcc %p vcc %p\n",clip_vcc,vcc);
+        if (!clip_vcc)
+                return -ENOMEM;
+        DPRINTK("mkip clip_vcc %p vcc %p\n", clip_vcc, vcc);
        clip_vcc->vcc = vcc;
        vcc->user_back = clip_vcc;
        set_bit(ATM_VF_IS_CLIP, &vcc->flags);
@@ -491,7 +485,7 @@ static int clip_mkip(struct atm_vcc *vcc,int timeout)
        clip_vcc->xoff = 0;
        clip_vcc->encap = 1;
        clip_vcc->last_use = jiffies;
-        clip_vcc->idle_timeout = timeout*HZ;
+        clip_vcc->idle_timeout = timeout * HZ;
        clip_vcc->old_push = vcc->push;
        clip_vcc->old_pop = vcc->pop;
        vcc->push = clip_push;
@@ -501,27 +495,25 @@ static int clip_mkip(struct atm_vcc *vcc,int timeout)
        /* re-process everything received between connection setup and MKIP */
        while ((skb = skb_dequeue(&copy)) != NULL)
                if (!clip_devs) {
-                        atm_return(vcc,skb->truesize);
+                        atm_return(vcc, skb->truesize);
                        kfree_skb(skb);
-                }
+                } else {
-                else {
                        unsigned int len = skb->len;
-                        clip_push(vcc,skb);
+                        clip_push(vcc, skb);
                        PRIV(skb->dev)->stats.rx_packets--;
                        PRIV(skb->dev)->stats.rx_bytes -= len;
                }
        return 0;
 }
+static int clip_setentry(struct atm_vcc *vcc, u32 ip)
-static int clip_setentry(struct atm_vcc *vcc,u32 ip)
 {
        struct neighbour *neigh;
        struct atmarp_entry *entry;
        int error;
        struct clip_vcc *clip_vcc;
-        struct flowi fl = { .nl_u = { .ip4_u = { .daddr = ip, .tos = 1 } } };
+        struct flowi fl = { .nl_u = { .ip4_u = { .daddr = ip, .tos = 1}} };
        struct rtable *rt;
        if (vcc->push != clip_push) {
@@ -538,28 +530,29 @@ static int clip_setentry(struct atm_vcc *vcc,u32 ip)
                unlink_clip_vcc(clip_vcc);
                return 0;
        }
-        error = ip_route_output_key(&rt,&fl);
+        error = ip_route_output_key(&rt, &fl);
-        if (error) return error;
+        if (error)
-        neigh = __neigh_lookup(&clip_tbl,&ip,rt->u.dst.dev,1);
+                return error;
+        neigh = __neigh_lookup(&clip_tbl, &ip, rt->u.dst.dev, 1);
        ip_rt_put(rt);
        if (!neigh)
                return -ENOMEM;
        entry = NEIGH2ENTRY(neigh);
        if (entry != clip_vcc->entry) {
-                if (!clip_vcc->entry) DPRINTK("setentry: add\n");
+                if (!clip_vcc->entry)
+                        DPRINTK("setentry: add\n");
                else {
                        DPRINTK("setentry: update\n");
                        unlink_clip_vcc(clip_vcc);
                }
-                link_vcc(clip_vcc,entry);
+                link_vcc(clip_vcc, entry);
        }
-        error = neigh_update(neigh, llc_oui, NUD_PERMANENT, 
+        error = neigh_update(neigh, llc_oui, NUD_PERMANENT,
-                             NEIGH_UPDATE_F_OVERRIDE|NEIGH_UPDATE_F_ADMIN);
+                             NEIGH_UPDATE_F_OVERRIDE | NEIGH_UPDATE_F_ADMIN);
        neigh_release(neigh);
        return error;
 }
 static void clip_setup(struct net_device *dev)
 {
        dev->hard_start_xmit = clip_start_xmit;
@@ -568,15 +561,14 @@ static void clip_setup(struct net_device *dev)
        dev->type = ARPHRD_ATM;
        dev->hard_header_len = RFC1483LLC_LEN;
        dev->mtu = RFC1626_MTU;
-        dev->tx_queue_len = 100; /* "normal" queue (packets) */
+        dev->tx_queue_len = 100;        /* "normal" queue (packets) */
-            /* When using a "real" qdisc, the qdisc determines the queue */
+        /* When using a "real" qdisc, the qdisc determines the queue */
-            /* length. tx_queue_len is only used for the default case, */
+        /* length. tx_queue_len is only used for the default case, */
-            /* without any more elaborate queuing. 100 is a reasonable */
+        /* without any more elaborate queuing. 100 is a reasonable */
-            /* compromise between decent burst-tolerance and protection */
+        /* compromise between decent burst-tolerance and protection */
-            /* against memory hogs. */
+        /* against memory hogs. */
 }
 static int clip_create(int number)
 {
        struct net_device *dev;
@@ -585,19 +577,19 @@ static int clip_create(int number)
        if (number != -1) {
                for (dev = clip_devs; dev; dev = PRIV(dev)->next)
-                        if (PRIV(dev)->number == number) return -EEXIST;
+                        if (PRIV(dev)->number == number)
-        }
+                                return -EEXIST;
-        else {
+        } else {
                number = 0;
                for (dev = clip_devs; dev; dev = PRIV(dev)->next)
                        if (PRIV(dev)->number >= number)
-                                number = PRIV(dev)->number+1;
+                                number = PRIV(dev)->number + 1;
        }
        dev = alloc_netdev(sizeof(struct clip_priv), "", clip_setup);
        if (!dev)
                return -ENOMEM;
        clip_priv = PRIV(dev);
-        sprintf(dev->name,"atm%d",number);
+        sprintf(dev->name, "atm%d", number);
        spin_lock_init(&clip_priv->xoff_lock);
        clip_priv->number = number;
        error = register_netdev(dev);
@@ -607,53 +599,48 @@ static int clip_create(int number)
        }
        clip_priv->next = clip_devs;
        clip_devs = dev;
-        DPRINTK("registered (net:%s)\n",dev->name);
+        DPRINTK("registered (net:%s)\n", dev->name);
        return number;
 }
+static int clip_device_event(struct notifier_block *this, unsigned long event,
-static int clip_device_event(struct notifier_block *this,unsigned long event,
+                             void *arg)
-    void *dev)
 {
+        struct net_device *dev = arg;
+        if (event == NETDEV_UNREGISTER) {
+                neigh_ifdown(&clip_tbl, dev);
+                return NOTIFY_DONE;
+        }
        /* ignore non-CLIP devices */
-        if (((struct net_device *) dev)->type != ARPHRD_ATM ||
+        if (dev->type != ARPHRD_ATM || dev->hard_start_xmit != clip_start_xmit)
-            ((struct net_device *) dev)->hard_start_xmit != clip_start_xmit)
                return NOTIFY_DONE;
        switch (event) {
-                case NETDEV_UP:
+        case NETDEV_UP:
-                        DPRINTK("clip_device_event NETDEV_UP\n");
+                DPRINTK("clip_device_event NETDEV_UP\n");
-                        (void) to_atmarpd(act_up,PRIV(dev)->number,0);
+                to_atmarpd(act_up, PRIV(dev)->number, 0);
-                        break;
+                break;
-                case NETDEV_GOING_DOWN:
+        case NETDEV_GOING_DOWN:
-                        DPRINTK("clip_device_event NETDEV_DOWN\n");
+                DPRINTK("clip_device_event NETDEV_DOWN\n");
-                        (void) to_atmarpd(act_down,PRIV(dev)->number,0);
+                to_atmarpd(act_down, PRIV(dev)->number, 0);
-                        break;
+                break;
-                case NETDEV_CHANGE:
+        case NETDEV_CHANGE:
-                case NETDEV_CHANGEMTU:
+        case NETDEV_CHANGEMTU:
-                        DPRINTK("clip_device_event NETDEV_CHANGE*\n");
+                DPRINTK("clip_device_event NETDEV_CHANGE*\n");
-                        (void) to_atmarpd(act_change,PRIV(dev)->number,0);
+                to_atmarpd(act_change, PRIV(dev)->number, 0);
-                        break;
+                break;
-                case NETDEV_REBOOT:
-                case NETDEV_REGISTER:
-                case NETDEV_DOWN:
-                        DPRINTK("clip_device_event %ld\n",event);
-                        /* ignore */
-                        break;
-                default:
-                        printk(KERN_WARNING "clip_device_event: unknown event "
-                            "%ld\n",event);
-                        break;
        }
        return NOTIFY_DONE;
 }
+static int clip_inet_event(struct notifier_block *this, unsigned long event,
-static int clip_inet_event(struct notifier_block *this,unsigned long event,
+                           void *ifa)
-    void *ifa)
 {
        struct in_device *in_dev;
-        in_dev = ((struct in_ifaddr *) ifa)->ifa_dev;
+        in_dev = ((struct in_ifaddr *)ifa)->ifa_dev;
        if (!in_dev || !in_dev->dev) {
                printk(KERN_WARNING "clip_inet_event: no device\n");
                return NOTIFY_DONE;
@@ -662,23 +649,20 @@ static int clip_inet_event(struct notifier_block *this,unsigned long event,
         * Transitions are of the down-change-up type, so it's sufficient to
         * handle the change on up.
         */
-        if (event != NETDEV_UP) return NOTIFY_DONE;
+        if (event != NETDEV_UP)
-        return clip_device_event(this,NETDEV_CHANGE,in_dev->dev);
+                return NOTIFY_DONE;
+        return clip_device_event(this, NETDEV_CHANGE, in_dev->dev);
 }
 static struct notifier_block clip_dev_notifier = {
-        clip_device_event,
+        .notifier_call = clip_device_event,
-        NULL,
-        0
 };
 static struct notifier_block clip_inet_notifier = {
-        clip_inet_event,
+        .notifier_call = clip_inet_event,
-        NULL,
-        0
 };
@@ -686,14 +670,12 @@ static struct notifier_block clip_inet_notifier = {
 static void atmarpd_close(struct atm_vcc *vcc)
 {
        DPRINTK("atmarpd_close\n");
-        atmarpd = NULL; /* assumed to be atomic */
-        barrier();
+        rtnl_lock();
-        unregister_inetaddr_notifier(&clip_inet_notifier);
+        atmarpd = NULL;
-        unregister_netdevice_notifier(&clip_dev_notifier);
-        if (skb_peek(&sk_atm(vcc)->sk_receive_queue))
-                printk(KERN_ERR "atmarpd_close: closing with requests "
-                    "pending\n");
        skb_queue_purge(&sk_atm(vcc)->sk_receive_queue);
+        rtnl_unlock();
        DPRINTK("(done)\n");
        module_put(THIS_MODULE);
 }
@@ -714,14 +696,14 @@ static struct atm_dev atmarpd_dev = {
 static int atm_init_atmarp(struct atm_vcc *vcc)
 {
-        if (atmarpd) return -EADDRINUSE;
+        rtnl_lock();
-        if (start_timer) {
+        if (atmarpd) {
-                start_timer = 0;
+                rtnl_unlock();
-                init_timer(&idle_timer);
+                return -EADDRINUSE;
-                idle_timer.expires = jiffies+CLIP_CHECK_INTERVAL*HZ;
-                idle_timer.function = idle_timer_check;
-                add_timer(&idle_timer);
        }
+        mod_timer(&idle_timer, jiffies+CLIP_CHECK_INTERVAL*HZ);
        atmarpd = vcc;
        set_bit(ATM_VF_META,&vcc->flags);
        set_bit(ATM_VF_READY,&vcc->flags);
@@ -731,10 +713,7 @@ static int atm_init_atmarp(struct atm_vcc *vcc)
        vcc->push = NULL;
        vcc->pop = NULL; /* crash */
        vcc->push_oam = NULL; /* crash */
-        if (register_netdevice_notifier(&clip_dev_notifier))
+        rtnl_unlock();
-                printk(KERN_ERR "register_netdevice_notifier failed\n");
-        if (register_inetaddr_notifier(&clip_inet_notifier))
-                printk(KERN_ERR "register_inetaddr_notifier failed\n");
        return 0;
 }
@@ -744,53 +723,53 @@ static int clip_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
        int err = 0;
        switch (cmd) {
-                case SIOCMKCLIP:
+        case SIOCMKCLIP:
-                case ATMARPD_CTRL:
+        case ATMARPD_CTRL:
-                case ATMARP_MKIP:
+        case ATMARP_MKIP:
-                case ATMARP_SETENTRY:
+        case ATMARP_SETENTRY:
-                case ATMARP_ENCAP:
+        case ATMARP_ENCAP:
-                        if (!capable(CAP_NET_ADMIN))
+                if (!capable(CAP_NET_ADMIN))
-                                return -EPERM;
+                        return -EPERM;
-                        break;
+                break;
-                default:
+        default:
-                        return -ENOIOCTLCMD;
+                return -ENOIOCTLCMD;
        }
        switch (cmd) {
-                case SIOCMKCLIP:
+        case SIOCMKCLIP:
-                        err = clip_create(arg);
+                err = clip_create(arg);
-                        break;
+                break;
-                case ATMARPD_CTRL:
+        case ATMARPD_CTRL:
-                        err = atm_init_atmarp(vcc);
+                err = atm_init_atmarp(vcc);
-                        if (!err) {
+                if (!err) {
-                                sock->state = SS_CONNECTED;
+                        sock->state = SS_CONNECTED;
-                                __module_get(THIS_MODULE);
+                        __module_get(THIS_MODULE);
-                        }
+                }
-                        break;
+                break;
-                case ATMARP_MKIP:
+        case ATMARP_MKIP:
-                        err = clip_mkip(vcc ,arg);
+                err = clip_mkip(vcc, arg);
-                        break;
+                break;
-                case ATMARP_SETENTRY:
+        case ATMARP_SETENTRY:
-                        err = clip_setentry(vcc, arg);
+                err = clip_setentry(vcc, arg);
-                        break;
+                break;
-                case ATMARP_ENCAP:
+        case ATMARP_ENCAP:
-                        err = clip_encap(vcc, arg);
+                err = clip_encap(vcc, arg);
-                        break;
+                break;
        }
        return err;
 }
 static struct atm_ioctl clip_ioctl_ops = {
-        .owner  = THIS_MODULE,
+        .owner = THIS_MODULE,
-        .ioctl  = clip_ioctl,
+        .ioctl = clip_ioctl,
 };
 #ifdef CONFIG_PROC_FS
 static void svc_addr(struct seq_file *seq, struct sockaddr_atmsvc *addr)
 {
-        static int code[] = { 1,2,10,6,1,0 };
+        static int code[] = { 1, 2, 10, 6, 1, 0 };
-        static int e164[] = { 1,8,4,6,1,0 };
+        static int e164[] = { 1, 8, 4, 6, 1, 0 };
        if (*addr->sas_addr.pub) {
                seq_printf(seq, "%s", addr->sas_addr.pub);
@@ -809,7 +788,7 @@ static void svc_addr(struct seq_file *seq, struct sockaddr_atmsvc *addr)
                for (i = 0; fields[i]; i++) {
                        for (j = fields[i]; j; j--)
                                seq_printf(seq, "%02X", *prv++);
-                        if (fields[i+1])
+                        if (fields[i + 1])
                                seq_putc(seq, '.');
                }
        }
@@ -828,8 +807,7 @@ static void atmarp_info(struct seq_file *seq, struct net_device *dev,
        svc = ((clip_vcc == SEQ_NO_VCC_TOKEN) ||
               (sk_atm(clip_vcc->vcc)->sk_family == AF_ATMSVC));
-        llc = ((clip_vcc == SEQ_NO_VCC_TOKEN) ||
+        llc = ((clip_vcc == SEQ_NO_VCC_TOKEN) || clip_vcc->encap);
-               clip_vcc->encap);
        if (clip_vcc == SEQ_NO_VCC_TOKEN)
                exp = entry->neigh->used;
@@ -839,10 +817,7 @@ static void atmarp_info(struct seq_file *seq, struct net_device *dev,
        exp = (jiffies - exp) / HZ;
        seq_printf(seq, "%-6s%-4s%-4s%5ld ",
-                   dev->name,
+                   dev->name, svc ? "SVC" : "PVC", llc ? "LLC" : "NULL", exp);
-                   svc ? "SVC" : "PVC",
-                   llc ? "LLC" : "NULL",
-                   exp);
        off = scnprintf(buf, sizeof(buf) - 1, "%d.%d.%d.%d",
                        NIPQUAD(entry->ip));
@@ -860,8 +835,7 @@ static void atmarp_info(struct seq_file *seq, struct net_device *dev,
        } else if (!svc) {
                seq_printf(seq, "%d.%d.%d\n",
                           clip_vcc->vcc->dev->number,
-                           clip_vcc->vcc->vpi,
+                           clip_vcc->vcc->vpi, clip_vcc->vcc->vci);
-                           clip_vcc->vcc->vci);
        } else {
                svc_addr(seq, &clip_vcc->vcc->remote);
                seq_putc(seq, '\n');
@@ -894,7 +868,7 @@ static struct clip_vcc *clip_seq_next_vcc(struct atmarp_entry *e,
 }
 static void *clip_seq_vcc_walk(struct clip_seq_state *state,
-                               struct atmarp_entry *e, loff_t *pos)
+                               struct atmarp_entry *e, loff_t * pos)
 {
        struct clip_vcc *vcc = state->vcc;
@@ -911,24 +885,24 @@ static void *clip_seq_vcc_walk(struct clip_seq_state *state,
        return vcc;
 }
-  
 static void *clip_seq_sub_iter(struct neigh_seq_state *_state,
-                               struct neighbour *n, loff_t *pos)
+                               struct neighbour *n, loff_t * pos)
 {
-        struct clip_seq_state *state = (struct clip_seq_state *) _state;
+        struct clip_seq_state *state = (struct clip_seq_state *)_state;
        return clip_seq_vcc_walk(state, NEIGH2ENTRY(n), pos);
 }
-static void *clip_seq_start(struct seq_file *seq, loff_t *pos)
+static void *clip_seq_start(struct seq_file *seq, loff_t * pos)
 {
        return neigh_seq_start(seq, pos, &clip_tbl, NEIGH_SEQ_NEIGH_ONLY);
 }
 static int clip_seq_show(struct seq_file *seq, void *v)
 {
-        static char atm_arp_banner[] = 
+        static char atm_arp_banner[] =
-                "IPitf TypeEncp Idle IP address      ATM address\n";
+            "IPitf TypeEncp Idle IP address      ATM address\n";
        if (v == SEQ_START_TOKEN) {
                seq_puts(seq, atm_arp_banner);
@@ -939,7 +913,7 @@ static int clip_seq_show(struct seq_file *seq, void *v)
                atmarp_info(seq, n->dev, NEIGH2ENTRY(n), vcc);
        }
-        return 0;
+        return 0;
 }
 static struct seq_operations arp_seq_ops = {
@@ -988,20 +962,19 @@ static struct file_operations arp_seq_fops = {
 static int __init atm_clip_init(void)
 {
-        neigh_table_init(&clip_tbl);
+        struct proc_dir_entry *p;
+        neigh_table_init_no_netlink(&clip_tbl);
        clip_tbl_hook = &clip_tbl;
        register_atm_ioctl(&clip_ioctl_ops);
+        register_netdevice_notifier(&clip_dev_notifier);
+        register_inetaddr_notifier(&clip_inet_notifier);
-#ifdef CONFIG_PROC_FS
+        setup_timer(&idle_timer, idle_timer_check, 0);
-{
-        struct proc_dir_entry *p;
        p = create_proc_entry("arp", S_IRUGO, atm_proc_root);
        if (p)
                p->proc_fops = &arp_seq_fops;
-}
-#endif
        return 0;
 }
@@ -1012,13 +985,15 @@ static void __exit atm_clip_exit(void)
        remove_proc_entry("arp", atm_proc_root);
+        unregister_inetaddr_notifier(&clip_inet_notifier);
+        unregister_netdevice_notifier(&clip_dev_notifier);
        deregister_atm_ioctl(&clip_ioctl_ops);
        /* First, stop the idle timer, so it stops banging
         * on the table.
         */
-        if (start_timer == 0)
+        del_timer_sync(&idle_timer);
-                del_timer(&idle_timer);
        /* Next, purge the table, so that the device
         * unregister loop below does not hang due to
@@ -1042,5 +1017,6 @@ static void __exit atm_clip_exit(void)
 module_init(atm_clip_init);
 module_exit(atm_clip_exit);
+MODULE_AUTHOR("Werner Almesberger");
+MODULE_DESCRIPTION("Classical/IP over ATM interface");
 MODULE_LICENSE("GPL");
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
index dbf9b47681f7..a2e0dd047e9f 100644
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -228,6 +228,8 @@ ax25_cb *ax25_find_cb(ax25_address *src_addr, ax25_address *dest_addr,
        return NULL;
 }
+EXPORT_SYMBOL(ax25_find_cb);
 void ax25_send_to_raw(ax25_address *addr, struct sk_buff *skb, int proto)
 {
        ax25_cb *s;
@@ -424,6 +426,26 @@ static int ax25_ctl_ioctl(const unsigned int cmd, void __user *arg)
        return 0;
 }
+static void ax25_fillin_cb_from_dev(ax25_cb *ax25, ax25_dev *ax25_dev)
+{
+        ax25->rtt     = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_T1]) / 2;
+        ax25->t1      = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_T1]);
+        ax25->t2      = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_T2]);
+        ax25->t3      = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_T3]);
+        ax25->n2      = ax25_dev->values[AX25_VALUES_N2];
+        ax25->paclen  = ax25_dev->values[AX25_VALUES_PACLEN];
+        ax25->idle    = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_IDLE]);
+        ax25->backoff = ax25_dev->values[AX25_VALUES_BACKOFF];
+        if (ax25_dev->values[AX25_VALUES_AXDEFMODE]) {
+                ax25->modulus = AX25_EMODULUS;
+                ax25->window  = ax25_dev->values[AX25_VALUES_EWINDOW];
+        } else {
+                ax25->modulus = AX25_MODULUS;
+                ax25->window  = ax25_dev->values[AX25_VALUES_WINDOW];
+        }
+}
 /*
 *      Fill in a created AX.25 created control block with the default
 *      values for a particular device.
@@ -433,39 +455,28 @@ void ax25_fillin_cb(ax25_cb *ax25, ax25_dev *ax25_dev)
        ax25->ax25_dev = ax25_dev;
        if (ax25->ax25_dev != NULL) {
-                ax25->rtt     = ax25_dev->values[AX25_VALUES_T1] / 2;
+                ax25_fillin_cb_from_dev(ax25, ax25_dev);
-                ax25->t1      = ax25_dev->values[AX25_VALUES_T1];
+                return;
-                ax25->t2      = ax25_dev->values[AX25_VALUES_T2];
+        }
-                ax25->t3      = ax25_dev->values[AX25_VALUES_T3];
-                ax25->n2      = ax25_dev->values[AX25_VALUES_N2];
+        /*
-                ax25->paclen  = ax25_dev->values[AX25_VALUES_PACLEN];
+         * No device, use kernel / AX.25 spec default values
-                ax25->idle    = ax25_dev->values[AX25_VALUES_IDLE];
+         */
-                ax25->backoff = ax25_dev->values[AX25_VALUES_BACKOFF];
+        ax25->rtt     = msecs_to_jiffies(AX25_DEF_T1) / 2;
+        ax25->t1      = msecs_to_jiffies(AX25_DEF_T1);
-                if (ax25_dev->values[AX25_VALUES_AXDEFMODE]) {
+        ax25->t2      = msecs_to_jiffies(AX25_DEF_T2);
-                        ax25->modulus = AX25_EMODULUS;
+        ax25->t3      = msecs_to_jiffies(AX25_DEF_T3);
-                        ax25->window  = ax25_dev->values[AX25_VALUES_EWINDOW];
+        ax25->n2      = AX25_DEF_N2;
-                } else {
+        ax25->paclen  = AX25_DEF_PACLEN;
-                        ax25->modulus = AX25_MODULUS;
+        ax25->idle    = msecs_to_jiffies(AX25_DEF_IDLE);
-                        ax25->window  = ax25_dev->values[AX25_VALUES_WINDOW];
+        ax25->backoff = AX25_DEF_BACKOFF;
-                }
+        if (AX25_DEF_AXDEFMODE) {
+                ax25->modulus = AX25_EMODULUS;
+                ax25->window  = AX25_DEF_EWINDOW;
        } else {
-                ax25->rtt     = AX25_DEF_T1 / 2;
+                ax25->modulus = AX25_MODULUS;
-                ax25->t1      = AX25_DEF_T1;
+                ax25->window  = AX25_DEF_WINDOW;
-                ax25->t2      = AX25_DEF_T2;
-                ax25->t3      = AX25_DEF_T3;
-                ax25->n2      = AX25_DEF_N2;
-                ax25->paclen  = AX25_DEF_PACLEN;
-                ax25->idle    = AX25_DEF_IDLE;
-                ax25->backoff = AX25_DEF_BACKOFF;
-                if (AX25_DEF_AXDEFMODE) {
-                        ax25->modulus = AX25_EMODULUS;
-                        ax25->window  = AX25_DEF_EWINDOW;
-                } else {
-                        ax25->modulus = AX25_MODULUS;
-                        ax25->window  = AX25_DEF_WINDOW;
-                }
        }
 }
@@ -1979,24 +1990,6 @@ static struct notifier_block ax25_dev_notifier = {
        .notifier_call =ax25_device_event,
 };
-EXPORT_SYMBOL(ax25_hard_header);
-EXPORT_SYMBOL(ax25_rebuild_header);
-EXPORT_SYMBOL(ax25_findbyuid);
-EXPORT_SYMBOL(ax25_find_cb);
-EXPORT_SYMBOL(ax25_linkfail_register);
-EXPORT_SYMBOL(ax25_linkfail_release);
-EXPORT_SYMBOL(ax25_listen_register);
-EXPORT_SYMBOL(ax25_listen_release);
-EXPORT_SYMBOL(ax25_protocol_register);
-EXPORT_SYMBOL(ax25_protocol_release);
-EXPORT_SYMBOL(ax25_send_frame);
-EXPORT_SYMBOL(ax25_uid_policy);
-EXPORT_SYMBOL(ax25cmp);
-EXPORT_SYMBOL(ax2asc);
-EXPORT_SYMBOL(asc2ax);
-EXPORT_SYMBOL(null_ax25_address);
-EXPORT_SYMBOL(ax25_display_timer);
 static int __init ax25_init(void)
 {
        int rc = proto_register(&ax25_proto, 0);
diff --git a/net/ax25/ax25_addr.c b/net/ax25/ax25_addr.c
index 0164a155b8c4..5f0896ad0042 100644
--- a/net/ax25/ax25_addr.c
+++ b/net/ax25/ax25_addr.c
@@ -11,6 +11,7 @@
 #include <linux/socket.h>
 #include <linux/in.h>
 #include <linux/kernel.h>
+#include <linux/module.h>
 #include <linux/sched.h>
 #include <linux/timer.h>
 #include <linux/string.h>
@@ -33,6 +34,8 @@
 */
 ax25_address null_ax25_address = {{0x40, 0x40, 0x40, 0x40, 0x40, 0x40, 0x00}};
+EXPORT_SYMBOL(null_ax25_address);
 /*
 *      ax25 -> ascii conversion
 */
@@ -64,6 +67,8 @@ char *ax2asc(char *buf, ax25_address *a)
 }
+EXPORT_SYMBOL(ax2asc);
 /*
 *      ascii -> ax25 conversion
 */
@@ -97,6 +102,8 @@ void asc2ax(ax25_address *addr, char *callsign)
        addr->ax25_call[6] &= 0x1E;
 }
+EXPORT_SYMBOL(asc2ax);
 /*
 *      Compare two ax.25 addresses
 */
@@ -116,6 +123,8 @@ int ax25cmp(ax25_address *a, ax25_address *b)
        return 2;                       /* Partial match */
 }
+EXPORT_SYMBOL(ax25cmp);
 /*
 *      Compare two AX.25 digipeater paths.
 */
diff --git a/net/ax25/ax25_ds_timer.c b/net/ax25/ax25_ds_timer.c
index 061083efc1dc..5961459935eb 100644
--- a/net/ax25/ax25_ds_timer.c
+++ b/net/ax25/ax25_ds_timer.c
@@ -61,7 +61,8 @@ void ax25_ds_set_timer(ax25_dev *ax25_dev)
                return;
        del_timer(&ax25_dev->dama.slave_timer);
-        ax25_dev->dama.slave_timeout = ax25_dev->values[AX25_VALUES_DS_TIMEOUT] / 10;
+        ax25_dev->dama.slave_timeout =
+                msecs_to_jiffies(ax25_dev->values[AX25_VALUES_DS_TIMEOUT]) / 10;
        ax25_ds_add_timer(ax25_dev);
 }
diff --git a/net/ax25/ax25_iface.c b/net/ax25/ax25_iface.c
index d68aff100729..3bb152710b77 100644
--- a/net/ax25/ax25_iface.c
+++ b/net/ax25/ax25_iface.c
@@ -12,6 +12,7 @@
 #include <linux/socket.h>
 #include <linux/in.h>
 #include <linux/kernel.h>
+#include <linux/module.h>
 #include <linux/sched.h>
 #include <linux/spinlock.h>
 #include <linux/timer.h>
@@ -74,6 +75,8 @@ int ax25_protocol_register(unsigned int pid,
        return 1;
 }
+EXPORT_SYMBOL(ax25_protocol_register);
 void ax25_protocol_release(unsigned int pid)
 {
        struct protocol_struct *s, *protocol;
@@ -106,6 +109,8 @@ void ax25_protocol_release(unsigned int pid)
        write_unlock(&protocol_list_lock);
 }
+EXPORT_SYMBOL(ax25_protocol_release);
 int ax25_linkfail_register(void (*func)(ax25_cb *, int))
 {
        struct linkfail_struct *linkfail;
@@ -123,6 +128,8 @@ int ax25_linkfail_register(void (*func)(ax25_cb *, int))
        return 1;
 }
+EXPORT_SYMBOL(ax25_linkfail_register);
 void ax25_linkfail_release(void (*func)(ax25_cb *, int))
 {
        struct linkfail_struct *s, *linkfail;
@@ -155,6 +162,8 @@ void ax25_linkfail_release(void (*func)(ax25_cb *, int))
        spin_unlock_bh(&linkfail_lock);
 }
+EXPORT_SYMBOL(ax25_linkfail_release);
 int ax25_listen_register(ax25_address *callsign, struct net_device *dev)
 {
        struct listen_struct *listen;
@@ -176,6 +185,8 @@ int ax25_listen_register(ax25_address *callsign, struct net_device *dev)
        return 1;
 }
+EXPORT_SYMBOL(ax25_listen_register);
 void ax25_listen_release(ax25_address *callsign, struct net_device *dev)
 {
        struct listen_struct *s, *listen;
@@ -208,6 +219,8 @@ void ax25_listen_release(ax25_address *callsign, struct net_device *dev)
        spin_unlock_bh(&listen_lock);
 }
+EXPORT_SYMBOL(ax25_listen_release);
 int (*ax25_protocol_function(unsigned int pid))(struct sk_buff *, ax25_cb *)
 {
        int (*res)(struct sk_buff *, ax25_cb *) = NULL;
diff --git a/net/ax25/ax25_ip.c b/net/ax25/ax25_ip.c
index d643dac3eccc..a0b534f80f17 100644
--- a/net/ax25/ax25_ip.c
+++ b/net/ax25/ax25_ip.c
@@ -12,6 +12,7 @@
 #include <linux/socket.h>
 #include <linux/in.h>
 #include <linux/kernel.h>
+#include <linux/module.h>
 #include <linux/sched.h>
 #include <linux/timer.h>
 #include <linux/string.h>
@@ -221,3 +222,5 @@ int ax25_rebuild_header(struct sk_buff *skb)
 #endif
+EXPORT_SYMBOL(ax25_hard_header);
+EXPORT_SYMBOL(ax25_rebuild_header);
diff --git a/net/ax25/ax25_out.c b/net/ax25/ax25_out.c
index 5fc048dcd39a..5d99852b239c 100644
--- a/net/ax25/ax25_out.c
+++ b/net/ax25/ax25_out.c
@@ -14,6 +14,7 @@
 #include <linux/socket.h>
 #include <linux/in.h>
 #include <linux/kernel.h>
+#include <linux/module.h>
 #include <linux/sched.h>
 #include <linux/timer.h>
 #include <linux/string.h>
@@ -104,6 +105,8 @@ ax25_cb *ax25_send_frame(struct sk_buff *skb, int paclen, ax25_address *src, ax2
        return ax25;                    /* We had to create it */
 }
+EXPORT_SYMBOL(ax25_send_frame);
 /*
 *      All outgoing AX.25 I frames pass via this routine. Therefore this is
 *      where the fragmentation of frames takes place. If fragment is set to
diff --git a/net/ax25/ax25_route.c b/net/ax25/ax25_route.c
index f04f8630fd28..5ac98250797b 100644
--- a/net/ax25/ax25_route.c
+++ b/net/ax25/ax25_route.c
@@ -360,7 +360,7 @@ struct file_operations ax25_route_fops = {
 /*
 *      Find AX.25 route
 *
- *      Only routes with a refernce rout of zero can be destroyed.
+ *      Only routes with a reference count of zero can be destroyed.
 */
 static ax25_route *ax25_get_route(ax25_address *addr, struct net_device *dev)
 {
diff --git a/net/ax25/ax25_timer.c b/net/ax25/ax25_timer.c
index 7a6b50a14554..ec254057f212 100644
--- a/net/ax25/ax25_timer.c
+++ b/net/ax25/ax25_timer.c
@@ -18,6 +18,7 @@
 #include <linux/socket.h>
 #include <linux/in.h>
 #include <linux/kernel.h>
+#include <linux/module.h>
 #include <linux/jiffies.h>
 #include <linux/timer.h>
 #include <linux/string.h>
@@ -137,6 +138,8 @@ unsigned long ax25_display_timer(struct timer_list *timer)
        return timer->expires - jiffies;
 }
+EXPORT_SYMBOL(ax25_display_timer);
 static void ax25_heartbeat_expiry(unsigned long param)
 {
        int proto = AX25_PROTO_STD_SIMPLEX;
diff --git a/net/ax25/ax25_uid.c b/net/ax25/ax25_uid.c
index b8b5854bce9a..5e9a81e8b214 100644
--- a/net/ax25/ax25_uid.c
+++ b/net/ax25/ax25_uid.c
@@ -49,6 +49,8 @@ static DEFINE_RWLOCK(ax25_uid_lock);
 int ax25_uid_policy = 0;
+EXPORT_SYMBOL(ax25_uid_policy);
 ax25_uid_assoc *ax25_findbyuid(uid_t uid)
 {
        ax25_uid_assoc *ax25_uid, *res = NULL;
@@ -67,6 +69,8 @@ ax25_uid_assoc *ax25_findbyuid(uid_t uid)
        return res;
 }
+EXPORT_SYMBOL(ax25_findbyuid);
 int ax25_uid_ioctl(int cmd, struct sockaddr_ax25 *sax)
 {
        ax25_uid_assoc *ax25_uid;
diff --git a/net/ax25/sysctl_net_ax25.c b/net/ax25/sysctl_net_ax25.c
index 894a22558d9d..bdb64c36df12 100644
--- a/net/ax25/sysctl_net_ax25.c
+++ b/net/ax25/sysctl_net_ax25.c
@@ -18,14 +18,14 @@ static int min_backoff[1],		max_backoff[] = {2};
 static int min_conmode[1],              max_conmode[] = {2};
 static int min_window[] = {1},          max_window[] = {7};
 static int min_ewindow[] = {1},         max_ewindow[] = {63};
-static int min_t1[] = {1},              max_t1[] = {30 * HZ};
+static int min_t1[] = {1},              max_t1[] = {30000};
-static int min_t2[] = {1},              max_t2[] = {20 * HZ};
+static int min_t2[] = {1},              max_t2[] = {20000};
-static int min_t3[1],                   max_t3[] = {3600 * HZ};
+static int min_t3[1],                   max_t3[] = {3600000};
-static int min_idle[1],                 max_idle[] = {65535 * HZ};
+static int min_idle[1],                 max_idle[] = {65535000};
 static int min_n2[] = {1},              max_n2[] = {31};
 static int min_paclen[] = {1},          max_paclen[] = {512};
 static int min_proto[1],                max_proto[] = { AX25_PROTO_MAX };
-static int min_ds_timeout[1],           max_ds_timeout[] = {65535 * HZ};
+static int min_ds_timeout[1],           max_ds_timeout[] = {65535000};
 static struct ctl_table_header *ax25_table_header;
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index 6b61323ce23c..0c2d13ad69bb 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -255,7 +255,7 @@ static inline int sco_send_frame(struct sock *sk, struct msghdr *msg, int len)
        }
        if ((err = hci_send_sco(conn->hcon, skb)) < 0)
-                goto fail;
+                return err;
        return count;
diff --git a/net/bridge/br.c b/net/bridge/br.c
index 22d806cf40ca..12da21afb9ca 100644
--- a/net/bridge/br.c
+++ b/net/bridge/br.c
@@ -55,7 +55,7 @@ static int __init br_init(void)
 static void __exit br_deinit(void)
 {
-        llc_sap_close(br_stp_sap);
+        rcu_assign_pointer(br_stp_sap->rcv_func, NULL);
 #ifdef CONFIG_BRIDGE_NETFILTER
        br_netfilter_fini();
@@ -67,6 +67,7 @@ static void __exit br_deinit(void)
        synchronize_net();
+        llc_sap_put(br_stp_sap);
        br_fdb_get_hook = NULL;
        br_fdb_put_hook = NULL;
diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c
index 2d24fb400e0c..56f3aa47e758 100644
--- a/net/bridge/br_forward.c
+++ b/net/bridge/br_forward.c
@@ -16,6 +16,7 @@
 #include <linux/kernel.h>
 #include <linux/netdevice.h>
 #include <linux/skbuff.h>
+#include <linux/if_vlan.h>
 #include <linux/netfilter_bridge.h>
 #include "br_private.h"
@@ -29,10 +30,15 @@ static inline int should_deliver(const struct net_bridge_port *p,
        return 1;
 }
+static inline unsigned packet_length(const struct sk_buff *skb)
+{
+        return skb->len - (skb->protocol == htons(ETH_P_8021Q) ? VLAN_HLEN : 0);
+}
 int br_dev_queue_push_xmit(struct sk_buff *skb)
 {
        /* drop mtu oversized packets except tso */
-        if (skb->len > skb->dev->mtu && !skb_shinfo(skb)->tso_size)
+        if (packet_length(skb) > skb->dev->mtu && !skb_shinfo(skb)->tso_size)
                kfree_skb(skb);
        else {
 #ifdef CONFIG_BRIDGE_NETFILTER
diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
index 59eef42d4a42..f5d47bf4f967 100644
--- a/net/bridge/br_if.c
+++ b/net/bridge/br_if.c
@@ -300,34 +300,22 @@ int br_add_bridge(const char *name)
        rtnl_lock();
        if (strchr(dev->name, '%')) {
                ret = dev_alloc_name(dev, dev->name);
-                if (ret < 0)
+                if (ret < 0) {
-                        goto err1;
+                        free_netdev(dev);
+                        goto out;
+                }
        }
        ret = register_netdevice(dev);
        if (ret)
-                goto err2;
+                goto out;
-        /* network device kobject is not setup until
-         * after rtnl_unlock does it's hotplug magic.
-         * so hold reference to avoid race.
-         */
-        dev_hold(dev);
-        rtnl_unlock();
        ret = br_sysfs_addbr(dev);
-        dev_put(dev);
+        if (ret)
+                unregister_netdevice(dev);
-        if (ret) 
-                unregister_netdev(dev);
 out:
-        return ret;
- err2:
-        free_netdev(dev);
- err1:
        rtnl_unlock();
-        goto out;
+        return ret;
 }
 int br_del_bridge(const char *name)
diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index b7766562d72c..bfa4d8c333f7 100644
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -66,6 +66,7 @@ int br_handle_frame_finish(struct sk_buff *skb)
        }
        if (is_multicast_ether_addr(dest)) {
+                br->statistics.multicast++;
                br_flood_forward(br, skb, !passedup);
                if (!passedup)
                        br_pass_frame_up(br, skb);
@@ -125,9 +126,6 @@ int br_handle_frame(struct net_bridge_port *p, struct sk_buff **pskb)
        struct sk_buff *skb = *pskb;
        const unsigned char *dest = eth_hdr(skb)->h_dest;
-        if (p->state == BR_STATE_DISABLED)
-                goto err;
        if (!is_valid_ether_addr(eth_hdr(skb)->h_source))
                goto err;
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index f29450b788be..3da9264449f7 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -765,6 +765,15 @@ out:
        return NF_STOLEN;
 }
+static int br_nf_dev_queue_xmit(struct sk_buff *skb)
+{
+        if (skb->protocol == htons(ETH_P_IP) &&
+            skb->len > skb->dev->mtu &&
+            !(skb_shinfo(skb)->ufo_size || skb_shinfo(skb)->tso_size))
+                return ip_fragment(skb, br_dev_queue_push_xmit);
+        else
+                return br_dev_queue_push_xmit(skb);
+}
 /* PF_BRIDGE/POST_ROUTING ********************************************/
 static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff **pskb,
@@ -824,7 +833,7 @@ static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff **pskb,
                realoutdev = nf_bridge->netoutdev;
 #endif
        NF_HOOK(pf, NF_IP_POST_ROUTING, skb, NULL, realoutdev,
-                br_dev_queue_push_xmit);
+                br_nf_dev_queue_xmit);
        return NF_STOLEN;
@@ -869,7 +878,7 @@ static unsigned int ip_sabotage_out(unsigned int hook, struct sk_buff **pskb,
        if ((out->hard_start_xmit == br_dev_xmit &&
             okfn != br_nf_forward_finish &&
-             okfn != br_nf_local_out_finish && okfn != br_dev_queue_push_xmit)
+             okfn != br_nf_local_out_finish && okfn != br_nf_dev_queue_xmit)
 #if defined(CONFIG_VLAN_8021Q) || defined(CONFIG_VLAN_8021Q_MODULE)
            || ((out->priv_flags & IFF_802_1Q_VLAN) &&
                VLAN_DEV_INFO(out)->real_dev->hard_start_xmit == br_dev_xmit)
diff --git a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c
index d159c92cca84..466ed3440b74 100644
--- a/net/bridge/netfilter/ebt_log.c
+++ b/net/bridge/netfilter/ebt_log.c
@@ -168,7 +168,7 @@ static void ebt_log(const struct sk_buff *skb, unsigned int hooknr,
        if (info->bitmask & EBT_LOG_NFLOG)
                nf_log_packet(PF_BRIDGE, hooknr, skb, in, out, &li,
-                              info->prefix);
+                              "%s", info->prefix);
        else
                ebt_log_packet(PF_BRIDGE, hooknr, skb, in, out, &li,
                               info->prefix);
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 01eae97c53d9..3a13ed643459 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -824,14 +824,14 @@ static int translate_table(struct ebt_replace *repl,
        if (udc_cnt) {
                /* this will get free'd in do_replace()/ebt_register_table()
                   if an error occurs */
-                newinfo->chainstack = (struct ebt_chainstack **)
+                newinfo->chainstack =
-                   vmalloc((highest_possible_processor_id()+1) 
+                        vmalloc((highest_possible_processor_id()+1)
-                                                * sizeof(struct ebt_chainstack));
+                                        * sizeof(*(newinfo->chainstack)));
                if (!newinfo->chainstack)
                        return -ENOMEM;
-                for_each_cpu(i) {
+                for_each_possible_cpu(i) {
                        newinfo->chainstack[i] =
-                           vmalloc(udc_cnt * sizeof(struct ebt_chainstack));
+                          vmalloc(udc_cnt * sizeof(*(newinfo->chainstack[0])));
                        if (!newinfo->chainstack[i]) {
                                while (i)
                                        vfree(newinfo->chainstack[--i]);
@@ -841,8 +841,7 @@ static int translate_table(struct ebt_replace *repl,
                        }
                }
-                cl_s = (struct ebt_cl_stack *)
+                cl_s = vmalloc(udc_cnt * sizeof(*cl_s));
-                   vmalloc(udc_cnt * sizeof(struct ebt_cl_stack));
                if (!cl_s)
                        return -ENOMEM;
                i = 0; /* the i'th udc */
@@ -901,7 +900,7 @@ static void get_counters(struct ebt_counter *oldcounters,
               sizeof(struct ebt_counter) * nentries);
        /* add other counters to those of cpu 0 */
-        for_each_cpu(cpu) {
+        for_each_possible_cpu(cpu) {
                if (cpu == 0)
                        continue;
                counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
@@ -944,8 +943,7 @@ static int do_replace(void __user *user, unsigned int len)
        countersize = COUNTER_OFFSET(tmp.nentries) * 
                                        (highest_possible_processor_id()+1);
-        newinfo = (struct ebt_table_info *)
+        newinfo = vmalloc(sizeof(*newinfo) + countersize);
-           vmalloc(sizeof(struct ebt_table_info) + countersize);
        if (!newinfo)
                return -ENOMEM;
@@ -967,8 +965,7 @@ static int do_replace(void __user *user, unsigned int len)
        /* the user wants counters back
           the check on the size is done later, when we have the lock */
        if (tmp.num_counters) {
-                counterstmp = (struct ebt_counter *)
+                counterstmp = vmalloc(tmp.num_counters * sizeof(*counterstmp));
-                   vmalloc(tmp.num_counters * sizeof(struct ebt_counter));
                if (!counterstmp) {
                        ret = -ENOMEM;
                        goto free_entries;
@@ -1036,7 +1033,7 @@ static int do_replace(void __user *user, unsigned int len)
        vfree(table->entries);
        if (table->chainstack) {
-                for_each_cpu(i)
+                for_each_possible_cpu(i)
                        vfree(table->chainstack[i]);
                vfree(table->chainstack);
        }
@@ -1054,7 +1051,7 @@ free_counterstmp:
        vfree(counterstmp);
        /* can be initialized in translate_table() */
        if (newinfo->chainstack) {
-                for_each_cpu(i)
+                for_each_possible_cpu(i)
                        vfree(newinfo->chainstack[i]);
                vfree(newinfo->chainstack);
        }
@@ -1148,8 +1145,7 @@ int ebt_register_table(struct ebt_table *table)
        countersize = COUNTER_OFFSET(table->table->nentries) *
                                        (highest_possible_processor_id()+1);
-        newinfo = (struct ebt_table_info *)
+        newinfo = vmalloc(sizeof(*newinfo) + countersize);
-           vmalloc(sizeof(struct ebt_table_info) + countersize);
        ret = -ENOMEM;
        if (!newinfo)
                return -ENOMEM;
@@ -1201,7 +1197,7 @@ free_unlock:
        mutex_unlock(&ebt_mutex);
 free_chainstack:
        if (newinfo->chainstack) {
-                for_each_cpu(i)
+                for_each_possible_cpu(i)
                        vfree(newinfo->chainstack[i]);
                vfree(newinfo->chainstack);
        }
@@ -1224,7 +1220,7 @@ void ebt_unregister_table(struct ebt_table *table)
        mutex_unlock(&ebt_mutex);
        vfree(table->private->entries);
        if (table->private->chainstack) {
-                for_each_cpu(i)
+                for_each_possible_cpu(i)
                        vfree(table->private->chainstack[i]);
                vfree(table->private->chainstack);
        }
@@ -1247,8 +1243,7 @@ static int update_counters(void __user *user, unsigned int len)
        if (hlp.num_counters == 0)
                return -EINVAL;
-        if ( !(tmp = (struct ebt_counter *)
+        if (!(tmp = vmalloc(hlp.num_counters * sizeof(*tmp)))) {
-           vmalloc(hlp.num_counters * sizeof(struct ebt_counter))) ){
                MEMPRINT("Update_counters && nomemory\n");
                return -ENOMEM;
        }
@@ -1377,8 +1372,7 @@ static int copy_everything_to_user(struct ebt_table *t, void __user *user,
                        BUGPRINT("Num_counters wrong\n");
                        return -EINVAL;
                }
-                counterstmp = (struct ebt_counter *)
+                counterstmp = vmalloc(nentries * sizeof(*counterstmp));
-                   vmalloc(nentries * sizeof(struct ebt_counter));
                if (!counterstmp) {
                        MEMPRINT("Couldn't copy counters, out of memory\n");
                        return -ENOMEM;
diff --git a/net/core/dev.c b/net/core/dev.c
index 434220d093aa..4fba549caf29 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -127,7 +127,7 @@
 *             sure which should go first, but I bet it won't make much
 *             difference if we are running VLANs.  The good news is that
 *             this protocol won't be in the list unless compiled in, so
- *             the average user (w/out VLANs) will not be adversly affected.
+ *             the average user (w/out VLANs) will not be adversely affected.
 *             --BLG
 *
 *              0800    IP
@@ -149,7 +149,7 @@ static struct list_head ptype_base[16];	/* 16 way hashed list */
 static struct list_head ptype_all;              /* Taps */
 /*
- * The @dev_base list is protected by @dev_base_lock and the rtln
+ * The @dev_base list is protected by @dev_base_lock and the rtnl
 * semaphore.
 *
 * Pure readers hold dev_base_lock for reading.
@@ -193,7 +193,7 @@ static inline struct hlist_head *dev_index_hash(int ifindex)
 *      Our notifier list
 */
-static BLOCKING_NOTIFIER_HEAD(netdev_chain);
+static RAW_NOTIFIER_HEAD(netdev_chain);
 /*
 *      Device drivers call our routines to queue packets here. We empty the
@@ -641,10 +641,12 @@ int dev_valid_name(const char *name)
 *      @name: name format string
 *
 *      Passed a format string - eg "lt%d" it will try and find a suitable
- *      id. Not efficient for many devices, not called a lot. The caller
+ *      id. It scans list of devices to build up a free map, then chooses
- *      must hold the dev_base or rtnl lock while allocating the name and
+ *      the first empty slot. The caller must hold the dev_base or rtnl lock
- *      adding the device in order to avoid duplicates. Returns the number
+ *      while allocating the name and adding the device in order to avoid
- *      of the unit assigned or a negative errno code.
+ *      duplicates.
+ *      Limited to bits_per_byte * page size devices (ie 32K on most platforms).
+ *      Returns the number of the unit assigned or a negative errno code.
 */
 int dev_alloc_name(struct net_device *dev, const char *name)
@@ -736,7 +738,7 @@ int dev_change_name(struct net_device *dev, char *newname)
        if (!err) {
                hlist_del(&dev->name_hlist);
                hlist_add_head(&dev->name_hlist, dev_name_hash(dev->name));
-                blocking_notifier_call_chain(&netdev_chain,
+                raw_notifier_call_chain(&netdev_chain,
                                NETDEV_CHANGENAME, dev);
        }
@@ -744,14 +746,14 @@ int dev_change_name(struct net_device *dev, char *newname)
 }
 /**
- *      netdev_features_change - device changes fatures
+ *      netdev_features_change - device changes features
 *      @dev: device to cause notification
 *
 *      Called to indicate a device has changed features.
 */
 void netdev_features_change(struct net_device *dev)
 {
-        blocking_notifier_call_chain(&netdev_chain, NETDEV_FEAT_CHANGE, dev);
+        raw_notifier_call_chain(&netdev_chain, NETDEV_FEAT_CHANGE, dev);
 }
 EXPORT_SYMBOL(netdev_features_change);
@@ -766,7 +768,7 @@ EXPORT_SYMBOL(netdev_features_change);
 void netdev_state_change(struct net_device *dev)
 {
        if (dev->flags & IFF_UP) {
-                blocking_notifier_call_chain(&netdev_chain,
+                raw_notifier_call_chain(&netdev_chain,
                                NETDEV_CHANGE, dev);
                rtmsg_ifinfo(RTM_NEWLINK, dev, 0);
        }
@@ -864,7 +866,7 @@ int dev_open(struct net_device *dev)
                /*
                 *      ... and announce new interface.
                 */
-                blocking_notifier_call_chain(&netdev_chain, NETDEV_UP, dev);
+                raw_notifier_call_chain(&netdev_chain, NETDEV_UP, dev);
        }
        return ret;
 }
@@ -887,7 +889,7 @@ int dev_close(struct net_device *dev)
         *      Tell people we are going down, so that they can
         *      prepare to death, when device is still operating.
         */
-        blocking_notifier_call_chain(&netdev_chain, NETDEV_GOING_DOWN, dev);
+        raw_notifier_call_chain(&netdev_chain, NETDEV_GOING_DOWN, dev);
        dev_deactivate(dev);
@@ -924,7 +926,7 @@ int dev_close(struct net_device *dev)
        /*
         * Tell people we are down
         */
-        blocking_notifier_call_chain(&netdev_chain, NETDEV_DOWN, dev);
+        raw_notifier_call_chain(&netdev_chain, NETDEV_DOWN, dev);
        return 0;
 }
@@ -955,7 +957,7 @@ int register_netdevice_notifier(struct notifier_block *nb)
        int err;
        rtnl_lock();
-        err = blocking_notifier_chain_register(&netdev_chain, nb);
+        err = raw_notifier_chain_register(&netdev_chain, nb);
        if (!err) {
                for (dev = dev_base; dev; dev = dev->next) {
                        nb->notifier_call(nb, NETDEV_REGISTER, dev);
@@ -983,7 +985,7 @@ int unregister_netdevice_notifier(struct notifier_block *nb)
        int err;
        rtnl_lock();
-        err = blocking_notifier_chain_unregister(&netdev_chain, nb);
+        err = raw_notifier_chain_unregister(&netdev_chain, nb);
        rtnl_unlock();
        return err;
 }
@@ -994,12 +996,12 @@ int unregister_netdevice_notifier(struct notifier_block *nb)
 *      @v:   pointer passed unmodified to notifier function
 *
 *      Call all network notifier blocks.  Parameters and return value
- *      are as for blocking_notifier_call_chain().
+ *      are as for raw_notifier_call_chain().
 */
 int call_netdevice_notifiers(unsigned long val, void *v)
 {
-        return blocking_notifier_call_chain(&netdev_chain, val, v);
+        return raw_notifier_call_chain(&netdev_chain, val, v);
 }
 /* When > 0 there are consumers of rx skb time stamps */
@@ -2196,7 +2198,7 @@ int netdev_set_master(struct net_device *slave, struct net_device *master)
 *      @dev: device
 *      @inc: modifier
 *
- *      Add or remove promsicuity from a device. While the count in the device
+ *      Add or remove promiscuity from a device. While the count in the device
 *      remains above zero the interface remains promiscuous. Once it hits zero
 *      the device reverts back to normal filtering operation. A negative inc
 *      value is used to drop promiscuity on the device.
@@ -2308,7 +2310,7 @@ int dev_change_flags(struct net_device *dev, unsigned flags)
        if (dev->flags & IFF_UP &&
            ((old_flags ^ dev->flags) &~ (IFF_UP | IFF_PROMISC | IFF_ALLMULTI |
                                          IFF_VOLATILE)))
-                blocking_notifier_call_chain(&netdev_chain,
+                raw_notifier_call_chain(&netdev_chain,
                                NETDEV_CHANGE, dev);
        if ((flags ^ dev->gflags) & IFF_PROMISC) {
@@ -2353,7 +2355,7 @@ int dev_set_mtu(struct net_device *dev, int new_mtu)
        else
                dev->mtu = new_mtu;
        if (!err && dev->flags & IFF_UP)
-                blocking_notifier_call_chain(&netdev_chain,
+                raw_notifier_call_chain(&netdev_chain,
                                NETDEV_CHANGEMTU, dev);
        return err;
 }
@@ -2370,7 +2372,7 @@ int dev_set_mac_address(struct net_device *dev, struct sockaddr *sa)
                return -ENODEV;
        err = dev->set_mac_address(dev, sa);
        if (!err)
-                blocking_notifier_call_chain(&netdev_chain,
+                raw_notifier_call_chain(&netdev_chain,
                                NETDEV_CHANGEADDR, dev);
        return err;
 }
@@ -2427,7 +2429,7 @@ static int dev_ifsioc(struct ifreq *ifr, unsigned int cmd)
                                return -EINVAL;
                        memcpy(dev->broadcast, ifr->ifr_hwaddr.sa_data,
                               min(sizeof ifr->ifr_hwaddr.sa_data, (size_t) dev->addr_len));
-                        blocking_notifier_call_chain(&netdev_chain,
+                        raw_notifier_call_chain(&netdev_chain,
                                            NETDEV_CHANGEADDR, dev);
                        return 0;
@@ -2698,7 +2700,8 @@ int dev_ioctl(unsigned int cmd, void __user *arg)
                                /* If command is `set a parameter', or
                                 * `get the encoding parameters', check if
                                 * the user has the right to do it */
-                                if (IW_IS_SET(cmd) || cmd == SIOCGIWENCODE) {
+                                if (IW_IS_SET(cmd) || cmd == SIOCGIWENCODE
+                                    || cmd == SIOCGIWENCODEEXT) {
                                        if (!capable(CAP_NET_ADMIN))
                                                return -EPERM;
                                }
@@ -2776,6 +2779,8 @@ int register_netdevice(struct net_device *dev)
        BUG_ON(dev_boot_phase);
        ASSERT_RTNL();
+        might_sleep();
        /* When net_device's are persistent, this will be fatal. */
        BUG_ON(dev->reg_state != NETREG_UNINITIALIZED);
@@ -2862,6 +2867,11 @@ int register_netdevice(struct net_device *dev)
        if (!dev->rebuild_header)
                dev->rebuild_header = default_rebuild_header;
+        ret = netdev_register_sysfs(dev);
+        if (ret)
+                goto out_err;
+        dev->reg_state = NETREG_REGISTERED;
        /*
         *      Default initial state at registry is that the
         *      device is present.
@@ -2877,14 +2887,11 @@ int register_netdevice(struct net_device *dev)
        hlist_add_head(&dev->name_hlist, head);
        hlist_add_head(&dev->index_hlist, dev_index_hash(dev->ifindex));
        dev_hold(dev);
-        dev->reg_state = NETREG_REGISTERING;
        write_unlock_bh(&dev_base_lock);
        /* Notify protocols, that a new device appeared. */
-        blocking_notifier_call_chain(&netdev_chain, NETDEV_REGISTER, dev);
+        raw_notifier_call_chain(&netdev_chain, NETDEV_REGISTER, dev);
-        /* Finish registration after unlock */
-        net_set_todo(dev);
        ret = 0;
 out:
@@ -2960,7 +2967,7 @@ static void netdev_wait_allrefs(struct net_device *dev)
                        rtnl_lock();
                        /* Rebroadcast unregister notification */
-                        blocking_notifier_call_chain(&netdev_chain,
+                        raw_notifier_call_chain(&netdev_chain,
                                            NETDEV_UNREGISTER, dev);
                        if (test_bit(__LINK_STATE_LINKWATCH_PENDING,
@@ -3007,7 +3014,7 @@ static void netdev_wait_allrefs(struct net_device *dev)
 *
 * We are invoked by rtnl_unlock() after it drops the semaphore.
 * This allows us to deal with problems:
- * 1) We can create/delete sysfs objects which invoke hotplug
+ * 1) We can delete sysfs objects which invoke hotplug
 *    without deadlocking with linkwatch via keventd.
 * 2) Since we run with the RTNL semaphore not held, we can sleep
 *    safely in order to wait for the netdev refcnt to drop to zero.
@@ -3016,8 +3023,6 @@ static DEFINE_MUTEX(net_todo_run_mutex);
 void netdev_run_todo(void)
 {
        struct list_head list = LIST_HEAD_INIT(list);
-        int err;
        /* Need to guard against multiple cpu's getting out of order. */
        mutex_lock(&net_todo_run_mutex);
@@ -3040,40 +3045,29 @@ void netdev_run_todo(void)
                        = list_entry(list.next, struct net_device, todo_list);
                list_del(&dev->todo_list);
-                switch(dev->reg_state) {
+                if (unlikely(dev->reg_state != NETREG_UNREGISTERING)) {
-                case NETREG_REGISTERING:
+                        printk(KERN_ERR "network todo '%s' but state %d\n",
-                        err = netdev_register_sysfs(dev);
+                               dev->name, dev->reg_state);
-                        if (err)
+                        dump_stack();
-                                printk(KERN_ERR "%s: failed sysfs registration (%d)\n",
+                        continue;
-                                       dev->name, err);
+                }
-                        dev->reg_state = NETREG_REGISTERED;
-                        break;
-                case NETREG_UNREGISTERING:
-                        netdev_unregister_sysfs(dev);
-                        dev->reg_state = NETREG_UNREGISTERED;
-                        netdev_wait_allrefs(dev);
-                        /* paranoia */
+                netdev_unregister_sysfs(dev);
-                        BUG_ON(atomic_read(&dev->refcnt));
+                dev->reg_state = NETREG_UNREGISTERED;
-                        BUG_TRAP(!dev->ip_ptr);
-                        BUG_TRAP(!dev->ip6_ptr);
-                        BUG_TRAP(!dev->dn_ptr);
+                netdev_wait_allrefs(dev);
-                        /* It must be the very last action, 
+                /* paranoia */
-                         * after this 'dev' may point to freed up memory.
+                BUG_ON(atomic_read(&dev->refcnt));
-                         */
+                BUG_TRAP(!dev->ip_ptr);
-                        if (dev->destructor)
+                BUG_TRAP(!dev->ip6_ptr);
-                                dev->destructor(dev);
+                BUG_TRAP(!dev->dn_ptr);
-                        break;
-                default:
+                /* It must be the very last action,
-                        printk(KERN_ERR "network todo '%s' but state %d\n",
+                 * after this 'dev' may point to freed up memory.
-                               dev->name, dev->reg_state);
+                 */
-                        break;
+                if (dev->destructor)
-                }
+                        dev->destructor(dev);
        }
 out:
@@ -3100,12 +3094,11 @@ struct net_device *alloc_netdev(int sizeof_priv, const char *name,
        alloc_size = (sizeof(*dev) + NETDEV_ALIGN_CONST) & ~NETDEV_ALIGN_CONST;
        alloc_size += sizeof_priv + NETDEV_ALIGN_CONST;
-        p = kmalloc(alloc_size, GFP_KERNEL);
+        p = kzalloc(alloc_size, GFP_KERNEL);
        if (!p) {
                printk(KERN_ERR "alloc_dev: Unable to allocate device.\n");
                return NULL;
        }
-        memset(p, 0, alloc_size);
        dev = (struct net_device *)
                (((long)p + NETDEV_ALIGN_CONST) & ~NETDEV_ALIGN_CONST);
@@ -3131,7 +3124,7 @@ EXPORT_SYMBOL(alloc_netdev);
 void free_netdev(struct net_device *dev)
 {
 #ifdef CONFIG_SYSFS
-        /*  Compatiablity with error handling in drivers */
+        /*  Compatibility with error handling in drivers */
        if (dev->reg_state == NETREG_UNINITIALIZED) {
                kfree((char *)dev - dev->padded);
                return;
@@ -3216,7 +3209,7 @@ int unregister_netdevice(struct net_device *dev)
        /* Notify protocols, that we are about to destroy
           this device. They should clean all the things.
        */
-        blocking_notifier_call_chain(&netdev_chain, NETDEV_UNREGISTER, dev);
+        raw_notifier_call_chain(&netdev_chain, NETDEV_UNREGISTER, dev);
        
        /*
         *      Flush the multicast chain
@@ -3347,7 +3340,7 @@ static int __init net_dev_init(void)
         *      Initialise the packet receive queues.
         */
-        for_each_cpu(i) {
+        for_each_possible_cpu(i) {
                struct softnet_data *queue;
                queue = &per_cpu(softnet_data, i);
diff --git a/net/core/dv.c b/net/core/dv.c
index cf581407538c..29ee77f15932 100644
--- a/net/core/dv.c
+++ b/net/core/dv.c
@@ -55,15 +55,12 @@ int alloc_divert_blk(struct net_device *dev)
        dev->divert = NULL;
        if (dev->type == ARPHRD_ETHER) {
-                dev->divert = (struct divert_blk *)
+                dev->divert = kzalloc(alloc_size, GFP_KERNEL);
-                        kmalloc(alloc_size, GFP_KERNEL);
                if (dev->divert == NULL) {
                        printk(KERN_INFO "divert: unable to allocate divert_blk for %s\n",
                               dev->name);
                        return -ENOMEM;
                }
-                memset(dev->divert, 0, sizeof(struct divert_blk));
                dev_hold(dev);
        }
diff --git a/net/core/filter.c b/net/core/filter.c
index 93fbd01d2259..5b4486a60cf6 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -34,6 +34,7 @@
 #include <linux/timer.h>
 #include <asm/system.h>
 #include <asm/uaccess.h>
+#include <asm/unaligned.h>
 #include <linux/filter.h>
 /* No hurry in this branch */
@@ -177,7 +178,7 @@ unsigned int sk_run_filter(struct sk_buff *skb, struct sock_filter *filter, int
 load_w:
                        ptr = load_pointer(skb, k, 4, &tmp);
                        if (ptr != NULL) {
-                                A = ntohl(*(u32 *)ptr);
+                                A = ntohl(get_unaligned((u32 *)ptr));
                                continue;
                        }
                        break;
@@ -186,7 +187,7 @@ load_w:
 load_h:
                        ptr = load_pointer(skb, k, 2, &tmp);
                        if (ptr != NULL) {
-                                A = ntohs(*(u16 *)ptr);
+                                A = ntohs(get_unaligned((u16 *)ptr));
                                continue;
                        }
                        break;
diff --git a/net/core/flow.c b/net/core/flow.c
index 55789f832eda..2191af5f26ac 100644
--- a/net/core/flow.c
+++ b/net/core/flow.c
@@ -79,7 +79,7 @@ static void flow_cache_new_hashrnd(unsigned long arg)
 {
        int i;
-        for_each_cpu(i)
+        for_each_possible_cpu(i)
                flow_hash_rnd_recalc(i) = 1;
        flow_hash_rnd_timer.expires = jiffies + FLOW_HASH_RND_PERIOD;
@@ -318,12 +318,10 @@ static void __devinit flow_cache_cpu_prepare(int cpu)
                /* NOTHING */;
        flow_table(cpu) = (struct flow_cache_entry **)
-                __get_free_pages(GFP_KERNEL, order);
+                __get_free_pages(GFP_KERNEL|__GFP_ZERO, order);
        if (!flow_table(cpu))
                panic("NET: failed to allocate flow cache order %lu\n", order);
-        memset(flow_table(cpu), 0, PAGE_SIZE << order);
        flow_hash_rnd_recalc(cpu) = 1;
        flow_count(cpu) = 0;
@@ -363,7 +361,7 @@ static int __init flow_cache_init(void)
        flow_hash_rnd_timer.expires = jiffies + FLOW_HASH_RND_PERIOD;
        add_timer(&flow_hash_rnd_timer);
-        for_each_cpu(i)
+        for_each_possible_cpu(i)
                flow_cache_cpu_prepare(i);
        hotcpu_notifier(flow_cache_cpu, 0);
diff --git a/net/core/gen_estimator.c b/net/core/gen_estimator.c
index b07c029e8219..3cad026764f0 100644
--- a/net/core/gen_estimator.c
+++ b/net/core/gen_estimator.c
@@ -159,11 +159,10 @@ int gen_new_estimator(struct gnet_stats_basic *bstats,
        if (parm->interval < -2 || parm->interval > 3)
                return -EINVAL;
-        est = kmalloc(sizeof(*est), GFP_KERNEL);
+        est = kzalloc(sizeof(*est), GFP_KERNEL);
        if (est == NULL)
                return -ENOBUFS;
-        memset(est, 0, sizeof(*est));
        est->interval = parm->interval + 2;
        est->bstats = bstats;
        est->rate_est = rate_est;
diff --git a/net/core/link_watch.c b/net/core/link_watch.c
index 341de44c7ed1..646937cc2d84 100644
--- a/net/core/link_watch.c
+++ b/net/core/link_watch.c
@@ -170,13 +170,13 @@ void linkwatch_fire_event(struct net_device *dev)
                spin_unlock_irqrestore(&lweventlist_lock, flags);
                if (!test_and_set_bit(LW_RUNNING, &linkwatch_flags)) {
-                        unsigned long thisevent = jiffies;
+                        unsigned long delay = linkwatch_nextevent - jiffies;
-                        if (thisevent >= linkwatch_nextevent) {
+                        /* If we wrap around we'll delay it by at most HZ. */
+                        if (!delay || delay > HZ)
                                schedule_work(&linkwatch_work);
-                        } else {
+                        else
-                                schedule_delayed_work(&linkwatch_work, linkwatch_nextevent - thisevent);
+                                schedule_delayed_work(&linkwatch_work, delay);
-                        }
                }
        }
 }
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index 0c8666872d10..50a8c73caf97 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -284,14 +284,11 @@ static struct neighbour **neigh_hash_alloc(unsigned int entries)
        struct neighbour **ret;
        if (size <= PAGE_SIZE) {
-                ret = kmalloc(size, GFP_ATOMIC);
+                ret = kzalloc(size, GFP_ATOMIC);
        } else {
                ret = (struct neighbour **)
-                        __get_free_pages(GFP_ATOMIC, get_order(size));
+                      __get_free_pages(GFP_ATOMIC|__GFP_ZERO, get_order(size));
        }
-        if (ret)
-                memset(ret, 0, size);
        return ret;
 }
@@ -1089,8 +1086,7 @@ static void neigh_hh_init(struct neighbour *n, struct dst_entry *dst,
                if (hh->hh_type == protocol)
                        break;
-        if (!hh && (hh = kmalloc(sizeof(*hh), GFP_ATOMIC)) != NULL) {
+        if (!hh && (hh = kzalloc(sizeof(*hh), GFP_ATOMIC)) != NULL) {
-                memset(hh, 0, sizeof(struct hh_cache));
                rwlock_init(&hh->hh_lock);
                hh->hh_type = protocol;
                atomic_set(&hh->hh_refcnt, 0);
@@ -1330,8 +1326,7 @@ void neigh_parms_destroy(struct neigh_parms *parms)
        kfree(parms);
 }
+void neigh_table_init_no_netlink(struct neigh_table *tbl)
-void neigh_table_init(struct neigh_table *tbl)
 {
        unsigned long now = jiffies;
        unsigned long phsize;
@@ -1366,13 +1361,11 @@ void neigh_table_init(struct neigh_table *tbl)
        tbl->hash_buckets = neigh_hash_alloc(tbl->hash_mask + 1);
        phsize = (PNEIGH_HASHMASK + 1) * sizeof(struct pneigh_entry *);
-        tbl->phash_buckets = kmalloc(phsize, GFP_KERNEL);
+        tbl->phash_buckets = kzalloc(phsize, GFP_KERNEL);
        if (!tbl->hash_buckets || !tbl->phash_buckets)
                panic("cannot allocate neighbour cache hashes");
-        memset(tbl->phash_buckets, 0, phsize);
        get_random_bytes(&tbl->hash_rnd, sizeof(tbl->hash_rnd));
        rwlock_init(&tbl->lock);
@@ -1389,10 +1382,27 @@ void neigh_table_init(struct neigh_table *tbl)
        tbl->last_flush = now;
        tbl->last_rand  = now + tbl->parms.reachable_time * 20;
+}
+void neigh_table_init(struct neigh_table *tbl)
+{
+        struct neigh_table *tmp;
+        neigh_table_init_no_netlink(tbl);
        write_lock(&neigh_tbl_lock);
+        for (tmp = neigh_tables; tmp; tmp = tmp->next) {
+                if (tmp->family == tbl->family)
+                        break;
+        }
        tbl->next       = neigh_tables;
        neigh_tables    = tbl;
        write_unlock(&neigh_tbl_lock);
+        if (unlikely(tmp)) {
+                printk(KERN_ERR "NEIGH: Registering multiple tables for "
+                       "family %d\n", tbl->family);
+                dump_stack();
+        }
 }
 int neigh_table_clear(struct neigh_table *tbl)
@@ -1633,7 +1643,7 @@ static int neightbl_fill_info(struct neigh_table *tbl, struct sk_buff *skb,
                memset(&ndst, 0, sizeof(ndst));
-                for_each_cpu(cpu) {
+                for_each_possible_cpu(cpu) {
                        struct neigh_statistics *st;
                        st = per_cpu_ptr(tbl->stats, cpu);
@@ -2663,6 +2673,7 @@ EXPORT_SYMBOL(neigh_rand_reach_time);
 EXPORT_SYMBOL(neigh_resolve_output);
 EXPORT_SYMBOL(neigh_table_clear);
 EXPORT_SYMBOL(neigh_table_init);
+EXPORT_SYMBOL(neigh_table_init_no_netlink);
 EXPORT_SYMBOL(neigh_update);
 EXPORT_SYMBOL(neigh_update_hhs);
 EXPORT_SYMBOL(pneigh_enqueue);
diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
index 21b68464cabb..47a6fceb6771 100644
--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -29,7 +29,7 @@ static const char fmt_ulong[] = "%lu\n";
 static inline int dev_isalive(const struct net_device *dev) 
 {
-        return dev->reg_state == NETREG_REGISTERED;
+        return dev->reg_state <= NETREG_REGISTERED;
 }
 /* use same locking rules as GIF* ioctl's */
@@ -165,7 +165,7 @@ static ssize_t show_operstate(struct class_device *dev, char *buf)
                operstate = IF_OPER_DOWN;
        read_unlock(&dev_base_lock);
-        if (operstate >= sizeof(operstates))
+        if (operstate >= ARRAY_SIZE(operstates))
                return -EINVAL; /* should not happen */
        return sprintf(buf, "%s\n", operstates[operstate]);
@@ -445,58 +445,33 @@ static struct class net_class = {
 void netdev_unregister_sysfs(struct net_device * net)
 {
-        struct class_device * class_dev = &(net->class_dev);
+        class_device_del(&(net->class_dev));
-        if (net->get_stats)
-                sysfs_remove_group(&class_dev->kobj, &netstat_group);
-#ifdef WIRELESS_EXT
-        if (net->get_wireless_stats || (net->wireless_handlers &&
-                        net->wireless_handlers->get_wireless_stats))
-                sysfs_remove_group(&class_dev->kobj, &wireless_group);
-#endif
-        class_device_del(class_dev);
 }
 /* Create sysfs entries for network device. */
 int netdev_register_sysfs(struct net_device *net)
 {
        struct class_device *class_dev = &(net->class_dev);
-        int ret;
+        struct attribute_group **groups = net->sysfs_groups;
+        class_device_initialize(class_dev);
        class_dev->class = &net_class;
        class_dev->class_data = net;
+        class_dev->groups = groups;
+        BUILD_BUG_ON(BUS_ID_SIZE < IFNAMSIZ);
        strlcpy(class_dev->class_id, net->name, BUS_ID_SIZE);
-        if ((ret = class_device_register(class_dev)))
-                goto out;
-        if (net->get_stats &&
+        if (net->get_stats)
-            (ret = sysfs_create_group(&class_dev->kobj, &netstat_group)))
+                *groups++ = &netstat_group;
-                goto out_unreg; 
 #ifdef WIRELESS_EXT
-        if (net->get_wireless_stats || (net->wireless_handlers &&
+        if (net->get_wireless_stats
-                        net->wireless_handlers->get_wireless_stats)) {
+            || (net->wireless_handlers && net->wireless_handlers->get_wireless_stats))
-                ret = sysfs_create_group(&class_dev->kobj, &wireless_group);
+                *groups++ = &wireless_group;
-                if (ret)
-                        goto out_cleanup;
-        }
-        return 0;
-out_cleanup:
-        if (net->get_stats)
-                sysfs_remove_group(&class_dev->kobj, &netstat_group);
-#else
-        return 0;
 #endif
-out_unreg:
+        return class_device_add(class_dev);
-        printk(KERN_WARNING "%s: sysfs attribute registration failed %d\n",
-               net->name, ret);
-        class_device_unregister(class_dev);
-out:
-        return ret;
 }
 int netdev_sysfs_init(void)
diff --git a/net/core/request_sock.c b/net/core/request_sock.c
index 1e44eda1fda9..79ebd75fbe4d 100644
--- a/net/core/request_sock.c
+++ b/net/core/request_sock.c
@@ -38,13 +38,11 @@ int reqsk_queue_alloc(struct request_sock_queue *queue,
 {
        const int lopt_size = sizeof(struct listen_sock) +
                              nr_table_entries * sizeof(struct request_sock *);
-        struct listen_sock *lopt = kmalloc(lopt_size, GFP_KERNEL);
+        struct listen_sock *lopt = kzalloc(lopt_size, GFP_KERNEL);
        if (lopt == NULL)
                return -ENOMEM;
-        memset(lopt, 0, lopt_size);
        for (lopt->max_qlen_log = 6;
             (1 << lopt->max_qlen_log) < sysctl_max_syn_backlog;
             lopt->max_qlen_log++);
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 09464fa8d72f..fb3770f9c094 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -112,6 +112,14 @@ void skb_under_panic(struct sk_buff *skb, int sz, void *here)
        BUG();
 }
+void skb_truesize_bug(struct sk_buff *skb)
+{
+        printk(KERN_ERR "SKB BUG: Invalid truesize (%u) "
+               "len=%u, sizeof(sk_buff)=%Zd\n",
+               skb->truesize, skb->len, sizeof(struct sk_buff));
+}
+EXPORT_SYMBOL(skb_truesize_bug);
 /*      Allocate a new skbuff. We do this ourselves so we can fill in a few
 *      'private' fields and also do memory statistics to find all the
 *      [BEEP] leaks.
diff --git a/net/core/stream.c b/net/core/stream.c
index 35e25259fd95..e9489696f694 100644
--- a/net/core/stream.c
+++ b/net/core/stream.c
@@ -176,6 +176,7 @@ void sk_stream_rfree(struct sk_buff *skb)
 {
        struct sock *sk = skb->sk;
+        skb_truesize_check(skb);
        atomic_sub(skb->truesize, &sk->sk_rmem_alloc);
        sk->sk_forward_alloc += skb->truesize;
 }
diff --git a/net/core/utils.c b/net/core/utils.c
index fdc4f38bc46c..4f96f389243d 100644
--- a/net/core/utils.c
+++ b/net/core/utils.c
@@ -121,7 +121,7 @@ void __init net_random_init(void)
 {
        int i;
-        for_each_cpu(i) {
+        for_each_possible_cpu(i) {
                struct nrnd_state *state = &per_cpu(net_rand_state,i);
                __net_srandom(state, i+jiffies);
        }
@@ -133,7 +133,7 @@ static int net_random_reseed(void)
        unsigned long seed[NR_CPUS];
        get_random_bytes(seed, sizeof(seed));
-        for_each_cpu(i) {
+        for_each_possible_cpu(i) {
                struct nrnd_state *state = &per_cpu(net_rand_state,i);
                __net_srandom(state, seed[i]);
        }
diff --git a/net/core/wireless.c b/net/core/wireless.c
index 81d6995fcfdb..d2bc72d318f7 100644
--- a/net/core/wireless.c
+++ b/net/core/wireless.c
@@ -1726,6 +1726,14 @@ int wireless_rtnetlink_get(struct net_device *	dev,
        if(!IW_IS_GET(request->cmd))
                return -EOPNOTSUPP;
+        /* If command is `get the encoding parameters', check if
+         * the user has the right to do it */
+        if (request->cmd == SIOCGIWENCODE ||
+            request->cmd == SIOCGIWENCODEEXT) {
+                if (!capable(CAP_NET_ADMIN))
+                        return -EPERM;
+        }
        /* Special cases */
        if(request->cmd == SIOCGIWSTATS)
                /* Get Wireless Stats */
diff --git a/net/dccp/ackvec.c b/net/dccp/ackvec.c
index b5981e5f6b00..8c211c58893b 100644
--- a/net/dccp/ackvec.c
+++ b/net/dccp/ackvec.c
@@ -452,6 +452,7 @@ found:
                                              (unsigned long long)
                                              avr->dccpavr_ack_ackno);
                                dccp_ackvec_throw_record(av, avr);
+                                break;
                        }
                        /*
                         * If it wasn't received, continue scanning... we might
diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
index 29047995c695..f2c011fd2ba1 100644
--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -498,7 +498,7 @@ int dccp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
                goto drop;
        if (dccp_parse_options(sk, skb))
-                goto drop;
+                goto drop_and_free;
        dccp_openreq_init(req, &dp, skb);
diff --git a/net/dccp/proto.c b/net/dccp/proto.c
index 1ff7328b0e17..2e0ee8355c41 100644
--- a/net/dccp/proto.c
+++ b/net/dccp/proto.c
@@ -848,6 +848,7 @@ static int dccp_close_state(struct sock *sk)
 void dccp_close(struct sock *sk, long timeout)
 {
        struct sk_buff *skb;
+        int state;
        lock_sock(sk);
@@ -882,6 +883,11 @@ void dccp_close(struct sock *sk, long timeout)
        sk_stream_wait_close(sk, timeout);
 adjudge_to_death:
+        state = sk->sk_state;
+        sock_hold(sk);
+        sock_orphan(sk);
+        atomic_inc(sk->sk_prot->orphan_count);
        /*
         * It is the last release_sock in its life. It will remove backlog.
         */
@@ -894,8 +900,9 @@ adjudge_to_death:
        bh_lock_sock(sk);
        BUG_TRAP(!sock_owned_by_user(sk));
-        sock_hold(sk);
+        /* Have we already been destroyed by a softirq or backlog? */
-        sock_orphan(sk);
+        if (state != DCCP_CLOSED && sk->sk_state == DCCP_CLOSED)
+                goto out;
        /*
         * The last release_sock may have processed the CLOSE or RESET
@@ -915,12 +922,12 @@ adjudge_to_death:
 #endif
        }
-        atomic_inc(sk->sk_prot->orphan_count);
        if (sk->sk_state == DCCP_CLOSED)
                inet_csk_destroy_sock(sk);
        /* Otherwise, socket is reprieved until protocol close. */
+out:
        bh_unlock_sock(sk);
        local_bh_enable();
        sock_put(sk);
diff --git a/net/decnet/dn_neigh.c b/net/decnet/dn_neigh.c
index 7c8692c26bfe..66e230c3b328 100644
--- a/net/decnet/dn_neigh.c
+++ b/net/decnet/dn_neigh.c
@@ -493,7 +493,6 @@ struct elist_cb_state {
 static void neigh_elist_cb(struct neighbour *neigh, void *_info)
 {
        struct elist_cb_state *s = _info;
-        struct dn_dev *dn_db;
        struct dn_neigh *dn;
        if (neigh->dev != s->dev)
@@ -503,10 +502,6 @@ static void neigh_elist_cb(struct neighbour *neigh, void *_info)
        if (!(dn->flags & (DN_NDFLAG_R1|DN_NDFLAG_R2)))
                return;
-        dn_db = (struct dn_dev *) s->dev->dn_ptr;
-        if (dn_db->parms.forwarding == 1 && (dn->flags & DN_NDFLAG_R2))
-                return;
        if (s->t == s->n)
                s->rs = dn_find_slot(s->ptr, s->n, dn->priority);
        else
diff --git a/net/ethernet/Makefile b/net/ethernet/Makefile
index 69b74a9a0fc3..7cef1d8ace27 100644
--- a/net/ethernet/Makefile
+++ b/net/ethernet/Makefile
@@ -3,6 +3,5 @@
 #
 obj-y                                   += eth.o
-obj-$(CONFIG_SYSCTL)                    += sysctl_net_ether.o
 obj-$(subst m,y,$(CONFIG_IPX))          += pe2.o
 obj-$(subst m,y,$(CONFIG_ATALK))        += pe2.o
diff --git a/net/ethernet/sysctl_net_ether.c b/net/ethernet/sysctl_net_ether.c
deleted file mode 100644
index 66b39fc342d2..000000000000
--- a/net/ethernet/sysctl_net_ether.c
+++ /dev/null
@@ -1,14 +0,0 @@
-/* -*- linux-c -*-
- * sysctl_net_ether.c: sysctl interface to net Ethernet subsystem.
- *
- * Begun April 1, 1996, Mike Shaver.
- * Added /proc/sys/net/ether directory entry (empty =) ). [MS]
- */
-#include <linux/mm.h>
-#include <linux/sysctl.h>
-#include <linux/if_ether.h>
-ctl_table ether_table[] = {
-        {0}
-};
diff --git a/net/ieee80211/ieee80211_crypt_tkip.c b/net/ieee80211/ieee80211_crypt_tkip.c
index 93def94c1b32..3fa5df2e1f0b 100644
--- a/net/ieee80211/ieee80211_crypt_tkip.c
+++ b/net/ieee80211/ieee80211_crypt_tkip.c
@@ -501,8 +501,11 @@ static int michael_mic(struct ieee80211_tkip_data *tkey, u8 * key, u8 * hdr,
 static void michael_mic_hdr(struct sk_buff *skb, u8 * hdr)
 {
        struct ieee80211_hdr_4addr *hdr11;
+        u16 stype;
        hdr11 = (struct ieee80211_hdr_4addr *)skb->data;
+        stype  = WLAN_FC_GET_STYPE(le16_to_cpu(hdr11->frame_ctl));
        switch (le16_to_cpu(hdr11->frame_ctl) &
                (IEEE80211_FCTL_FROMDS | IEEE80211_FCTL_TODS)) {
        case IEEE80211_FCTL_TODS:
@@ -523,7 +526,13 @@ static void michael_mic_hdr(struct sk_buff *skb, u8 * hdr)
                break;
        }
-        hdr[12] = 0;            /* priority */
+        if (stype & IEEE80211_STYPE_QOS_DATA) {
+                const struct ieee80211_hdr_3addrqos *qoshdr =
+                        (struct ieee80211_hdr_3addrqos *)skb->data;
+                hdr[12] = le16_to_cpu(qoshdr->qos_ctl) & IEEE80211_QCTL_TID;
+        } else
+                hdr[12] = 0;            /* priority */
        hdr[13] = hdr[14] = hdr[15] = 0;        /* reserved */
 }
diff --git a/net/ieee80211/ieee80211_rx.c b/net/ieee80211/ieee80211_rx.c
index 604b7b0097bc..2bf567fd5a17 100644
--- a/net/ieee80211/ieee80211_rx.c
+++ b/net/ieee80211/ieee80211_rx.c
@@ -369,7 +369,6 @@ int ieee80211_rx(struct ieee80211_device *ieee, struct sk_buff *skb,
        /* Put this code here so that we avoid duplicating it in all
         * Rx paths. - Jean II */
-#ifdef CONFIG_WIRELESS_EXT
 #ifdef IW_WIRELESS_SPY          /* defined in iw_handler.h */
        /* If spy monitoring on */
        if (ieee->spy_data.spy_number > 0) {
@@ -398,7 +397,6 @@ int ieee80211_rx(struct ieee80211_device *ieee, struct sk_buff *skb,
                wireless_spy_update(ieee->dev, hdr->addr2, &wstats);
        }
 #endif                          /* IW_WIRELESS_SPY */
-#endif                          /* CONFIG_WIRELESS_EXT */
 #ifdef NOT_YET
        hostap_update_rx_stats(local->ap, hdr, rx_stats);
@@ -1692,8 +1690,8 @@ void ieee80211_rx_mgt(struct ieee80211_device *ieee,
                                     WLAN_FC_GET_STYPE(le16_to_cpu
                                                       (header->frame_ctl)));
-                IEEE80211_WARNING("%s: IEEE80211_REASSOC_REQ received\n",
+                IEEE80211_DEBUG_MGMT("%s: IEEE80211_REASSOC_REQ received\n",
-                                  ieee->dev->name);
+                                     ieee->dev->name);
                if (ieee->handle_reassoc_request != NULL)
                        ieee->handle_reassoc_request(ieee->dev,
                                                    (struct ieee80211_reassoc_request *)
@@ -1705,8 +1703,8 @@ void ieee80211_rx_mgt(struct ieee80211_device *ieee,
                                     WLAN_FC_GET_STYPE(le16_to_cpu
                                                       (header->frame_ctl)));
-                IEEE80211_WARNING("%s: IEEE80211_ASSOC_REQ received\n",
+                IEEE80211_DEBUG_MGMT("%s: IEEE80211_ASSOC_REQ received\n",
-                                  ieee->dev->name);
+                                     ieee->dev->name);
                if (ieee->handle_assoc_request != NULL)
                        ieee->handle_assoc_request(ieee->dev);
                break;
@@ -1722,10 +1720,10 @@ void ieee80211_rx_mgt(struct ieee80211_device *ieee,
                IEEE80211_DEBUG_MGMT("received UNKNOWN (%d)\n",
                                     WLAN_FC_GET_STYPE(le16_to_cpu
                                                       (header->frame_ctl)));
-                IEEE80211_WARNING("%s: Unknown management packet: %d\n",
+                IEEE80211_DEBUG_MGMT("%s: Unknown management packet: %d\n",
-                                  ieee->dev->name,
+                                     ieee->dev->name,
-                                  WLAN_FC_GET_STYPE(le16_to_cpu
+                                     WLAN_FC_GET_STYPE(le16_to_cpu
-                                                    (header->frame_ctl)));
+                                                       (header->frame_ctl)));
                break;
        }
 }
diff --git a/net/ieee80211/ieee80211_tx.c b/net/ieee80211/ieee80211_tx.c
index 8b4332f53394..6a5de1b84459 100644
--- a/net/ieee80211/ieee80211_tx.c
+++ b/net/ieee80211/ieee80211_tx.c
@@ -220,13 +220,43 @@ static struct ieee80211_txb *ieee80211_alloc_txb(int nr_frags, int txb_size,
        return txb;
 }
+static int ieee80211_classify(struct sk_buff *skb)
+{
+        struct ethhdr *eth;
+        struct iphdr *ip;
+        eth = (struct ethhdr *)skb->data;
+        if (eth->h_proto != __constant_htons(ETH_P_IP))
+                return 0;
+        ip = skb->nh.iph;
+        switch (ip->tos & 0xfc) {
+        case 0x20:
+                return 2;
+        case 0x40:
+                return 1;
+        case 0x60:
+                return 3;
+        case 0x80:
+                return 4;
+        case 0xa0:
+                return 5;
+        case 0xc0:
+                return 6;
+        case 0xe0:
+                return 7;
+        default:
+                return 0;
+        }
+}
 /* Incoming skb is converted to a txb which consists of
 * a block of 802.11 fragment packets (stored as skbs) */
 int ieee80211_xmit(struct sk_buff *skb, struct net_device *dev)
 {
        struct ieee80211_device *ieee = netdev_priv(dev);
        struct ieee80211_txb *txb = NULL;
-        struct ieee80211_hdr_3addr *frag_hdr;
+        struct ieee80211_hdr_3addrqos *frag_hdr;
        int i, bytes_per_frag, nr_frags, bytes_last_frag, frag_size,
            rts_required;
        unsigned long flags;
@@ -234,9 +264,10 @@ int ieee80211_xmit(struct sk_buff *skb, struct net_device *dev)
        int ether_type, encrypt, host_encrypt, host_encrypt_msdu, host_build_iv;
        int bytes, fc, hdr_len;
        struct sk_buff *skb_frag;
-        struct ieee80211_hdr_3addr header = {   /* Ensure zero initialized */
+        struct ieee80211_hdr_3addrqos header = {/* Ensure zero initialized */
                .duration_id = 0,
-                .seq_ctl = 0
+                .seq_ctl = 0,
+                .qos_ctl = 0
        };
        u8 dest[ETH_ALEN], src[ETH_ALEN];
        struct ieee80211_crypt_data *crypt;
@@ -282,12 +313,6 @@ int ieee80211_xmit(struct sk_buff *skb, struct net_device *dev)
        memcpy(dest, skb->data, ETH_ALEN);
        memcpy(src, skb->data + ETH_ALEN, ETH_ALEN);
-        /* Advance the SKB to the start of the payload */
-        skb_pull(skb, sizeof(struct ethhdr));
-        /* Determine total amount of storage required for TXB packets */
-        bytes = skb->len + SNAP_SIZE + sizeof(u16);
        if (host_encrypt || host_build_iv)
                fc = IEEE80211_FTYPE_DATA | IEEE80211_STYPE_DATA |
                    IEEE80211_FCTL_PROTECTED;
@@ -306,9 +331,23 @@ int ieee80211_xmit(struct sk_buff *skb, struct net_device *dev)
                memcpy(header.addr2, src, ETH_ALEN);
                memcpy(header.addr3, ieee->bssid, ETH_ALEN);
        }
-        header.frame_ctl = cpu_to_le16(fc);
        hdr_len = IEEE80211_3ADDR_LEN;
+        if (ieee->is_qos_active && ieee->is_qos_active(dev, skb)) {
+                fc |= IEEE80211_STYPE_QOS_DATA;
+                hdr_len += 2;
+                skb->priority = ieee80211_classify(skb);
+                header.qos_ctl |= skb->priority & IEEE80211_QCTL_TID;
+        }
+        header.frame_ctl = cpu_to_le16(fc);
+        /* Advance the SKB to the start of the payload */
+        skb_pull(skb, sizeof(struct ethhdr));
+        /* Determine total amount of storage required for TXB packets */
+        bytes = skb->len + SNAP_SIZE + sizeof(u16);
        /* Encrypt msdu first on the whole data packet. */
        if ((host_encrypt || host_encrypt_msdu) &&
            crypt && crypt->ops && crypt->ops->encrypt_msdu) {
@@ -402,7 +441,7 @@ int ieee80211_xmit(struct sk_buff *skb, struct net_device *dev)
        if (rts_required) {
                skb_frag = txb->fragments[0];
                frag_hdr =
-                    (struct ieee80211_hdr_3addr *)skb_put(skb_frag, hdr_len);
+                    (struct ieee80211_hdr_3addrqos *)skb_put(skb_frag, hdr_len);
                /*
                 * Set header frame_ctl to the RTS.
@@ -433,7 +472,7 @@ int ieee80211_xmit(struct sk_buff *skb, struct net_device *dev)
                                    crypt->ops->extra_mpdu_prefix_len);
                frag_hdr =
-                    (struct ieee80211_hdr_3addr *)skb_put(skb_frag, hdr_len);
+                    (struct ieee80211_hdr_3addrqos *)skb_put(skb_frag, hdr_len);
                memcpy(frag_hdr, &header, hdr_len);
                /* If this is not the last fragment, then add the MOREFRAGS
@@ -516,7 +555,8 @@ int ieee80211_xmit(struct sk_buff *skb, struct net_device *dev)
 /* Incoming 802.11 strucure is converted to a TXB
 * a block of 802.11 fragment packets (stored as skbs) */
 int ieee80211_tx_frame(struct ieee80211_device *ieee,
-                       struct ieee80211_hdr *frame, int len)
+                       struct ieee80211_hdr *frame, int hdr_len, int total_len,
+                       int encrypt_mpdu)
 {
        struct ieee80211_txb *txb = NULL;
        unsigned long flags;
@@ -526,6 +566,9 @@ int ieee80211_tx_frame(struct ieee80211_device *ieee,
        spin_lock_irqsave(&ieee->lock, flags);
+        if (encrypt_mpdu && !ieee->sec.encrypt)
+                encrypt_mpdu = 0;
        /* If there is no driver handler to take the TXB, dont' bother
         * creating it... */
        if (!ieee->hard_start_xmit) {
@@ -533,32 +576,41 @@ int ieee80211_tx_frame(struct ieee80211_device *ieee,
                goto success;
        }
-        if (unlikely(len < 24)) {
+        if (unlikely(total_len < 24)) {
                printk(KERN_WARNING "%s: skb too small (%d).\n",
-                       ieee->dev->name, len);
+                       ieee->dev->name, total_len);
                goto success;
        }
+        if (encrypt_mpdu)
+                frame->frame_ctl |= cpu_to_le16(IEEE80211_FCTL_PROTECTED);
        /* When we allocate the TXB we allocate enough space for the reserve
         * and full fragment bytes (bytes_per_frag doesn't include prefix,
         * postfix, header, FCS, etc.) */
-        txb = ieee80211_alloc_txb(1, len, ieee->tx_headroom, GFP_ATOMIC);
+        txb = ieee80211_alloc_txb(1, total_len, ieee->tx_headroom, GFP_ATOMIC);
        if (unlikely(!txb)) {
                printk(KERN_WARNING "%s: Could not allocate TXB\n",
                       ieee->dev->name);
                goto failed;
        }
        txb->encrypted = 0;
-        txb->payload_size = len;
+        txb->payload_size = total_len;
        skb_frag = txb->fragments[0];
-        memcpy(skb_put(skb_frag, len), frame, len);
+        memcpy(skb_put(skb_frag, total_len), frame, total_len);
        if (ieee->config &
            (CFG_IEEE80211_COMPUTE_FCS | CFG_IEEE80211_RESERVE_FCS))
                skb_put(skb_frag, 4);
+        /* To avoid overcomplicating things, we do the corner-case frame
+         * encryption in software. The only real situation where encryption is
+         * needed here is during software-based shared key authentication. */
+        if (encrypt_mpdu)
+                ieee80211_encrypt_fragment(ieee, skb_frag, hdr_len);
      success:
        spin_unlock_irqrestore(&ieee->lock, flags);
diff --git a/net/ieee80211/ieee80211_wx.c b/net/ieee80211/ieee80211_wx.c
index b885fd189403..a78c4f845f66 100644
--- a/net/ieee80211/ieee80211_wx.c
+++ b/net/ieee80211/ieee80211_wx.c
@@ -50,7 +50,8 @@ static char *ieee80211_translate_scan(struct ieee80211_device *ieee,
        char *p;
        struct iw_event iwe;
        int i, j;
-        u8 max_rate, rate;
+        char *current_val;      /* For rates */
+        u8 rate;
        /* First entry *MUST* be the AP MAC address */
        iwe.cmd = SIOCGIWAP;
@@ -107,9 +108,13 @@ static char *ieee80211_translate_scan(struct ieee80211_device *ieee,
        start = iwe_stream_add_point(start, stop, &iwe, network->ssid);
        /* Add basic and extended rates */
-        max_rate = 0;
+        /* Rate : stuffing multiple values in a single event require a bit
-        p = custom;
+         * more of magic - Jean II */
-        p += snprintf(p, MAX_CUSTOM_LEN - (p - custom), " Rates (Mb/s): ");
+        current_val = start + IW_EV_LCP_LEN;
+        iwe.cmd = SIOCGIWRATE;
+        /* Those two flags are ignored... */
+        iwe.u.bitrate.fixed = iwe.u.bitrate.disabled = 0;
        for (i = 0, j = 0; i < network->rates_len;) {
                if (j < network->rates_ex_len &&
                    ((network->rates_ex[j] & 0x7F) <
@@ -117,28 +122,21 @@ static char *ieee80211_translate_scan(struct ieee80211_device *ieee,
                        rate = network->rates_ex[j++] & 0x7F;
                else
                        rate = network->rates[i++] & 0x7F;
-                if (rate > max_rate)
+                /* Bit rate given in 500 kb/s units (+ 0x80) */
-                        max_rate = rate;
+                iwe.u.bitrate.value = ((rate & 0x7f) * 500000);
-                p += snprintf(p, MAX_CUSTOM_LEN - (p - custom),
+                /* Add new value to event */
-                              "%d%s ", rate >> 1, (rate & 1) ? ".5" : "");
+                current_val = iwe_stream_add_value(start, current_val, stop, &iwe, IW_EV_PARAM_LEN);
        }
        for (; j < network->rates_ex_len; j++) {
                rate = network->rates_ex[j] & 0x7F;
-                p += snprintf(p, MAX_CUSTOM_LEN - (p - custom),
+                /* Bit rate given in 500 kb/s units (+ 0x80) */
-                              "%d%s ", rate >> 1, (rate & 1) ? ".5" : "");
+                iwe.u.bitrate.value = ((rate & 0x7f) * 500000);
-                if (rate > max_rate)
+                /* Add new value to event */
-                        max_rate = rate;
+                current_val = iwe_stream_add_value(start, current_val, stop, &iwe, IW_EV_PARAM_LEN);
        }
+        /* Check if we added any rate */
-        iwe.cmd = SIOCGIWRATE;
+        if((current_val - start) > IW_EV_LCP_LEN)
-        iwe.u.bitrate.fixed = iwe.u.bitrate.disabled = 0;
+                start = current_val;
-        iwe.u.bitrate.value = max_rate * 500000;
-        start = iwe_stream_add_event(start, stop, &iwe, IW_EV_PARAM_LEN);
-        iwe.cmd = IWEVCUSTOM;
-        iwe.u.data.length = p - custom;
-        if (iwe.u.data.length)
-                start = iwe_stream_add_point(start, stop, &iwe, custom);
        /* Add quality statistics */
        iwe.cmd = IWEVQUAL;
@@ -505,7 +503,7 @@ int ieee80211_wx_get_encode(struct ieee80211_device *ieee,
        len = sec->key_sizes[key];
        memcpy(keybuf, sec->keys[key], len);
-        erq->length = (len >= 0 ? len : 0);
+        erq->length = len;
        erq->flags |= IW_ENCODE_ENABLED;
        if (ieee->open_wep)
diff --git a/net/ieee80211/softmac/Kconfig b/net/ieee80211/softmac/Kconfig
index 6cd9f3427be6..2811651cb134 100644
--- a/net/ieee80211/softmac/Kconfig
+++ b/net/ieee80211/softmac/Kconfig
@@ -1,6 +1,8 @@
 config IEEE80211_SOFTMAC
        tristate "Software MAC add-on to the IEEE 802.11 networking stack"
        depends on IEEE80211 && EXPERIMENTAL
+        select WIRELESS_EXT
+        select IEEE80211_CRYPT_WEP
        ---help---
        This option enables the hardware independent software MAC addon
        for the IEEE 802.11 networking stack.
diff --git a/net/ieee80211/softmac/ieee80211softmac_assoc.c b/net/ieee80211/softmac/ieee80211softmac_assoc.c
index be61de78dfa4..5e9a90651d04 100644
--- a/net/ieee80211/softmac/ieee80211softmac_assoc.c
+++ b/net/ieee80211/softmac/ieee80211softmac_assoc.c
@@ -51,11 +51,12 @@ ieee80211softmac_assoc(struct ieee80211softmac_device *mac, struct ieee80211soft
        spin_lock_irqsave(&mac->lock, flags);
        mac->associnfo.associating = 1;
        mac->associated = 0; /* just to make sure */
-        spin_unlock_irqrestore(&mac->lock, flags);
        /* Set a timer for timeout */
        /* FIXME: make timeout configurable */
-        schedule_delayed_work(&mac->associnfo.timeout, 5 * HZ);
+        if (likely(mac->running))
+                schedule_delayed_work(&mac->associnfo.timeout, 5 * HZ);
+        spin_unlock_irqrestore(&mac->lock, flags);
 }
 void
@@ -81,50 +82,52 @@ ieee80211softmac_assoc_timeout(void *d)
        ieee80211softmac_call_events(mac, IEEE80211SOFTMAC_EVENT_ASSOCIATE_TIMEOUT, NULL);
 }
-/* Sends out a disassociation request to the desired AP */
+void
-static void
+ieee80211softmac_disassoc(struct ieee80211softmac_device *mac)
-ieee80211softmac_disassoc(struct ieee80211softmac_device *mac, u16 reason)
 {
        unsigned long flags;
+        spin_lock_irqsave(&mac->lock, flags);
+        if (mac->associnfo.associating)
+                cancel_delayed_work(&mac->associnfo.timeout);
+        netif_carrier_off(mac->dev);
+        mac->associated = 0;
+        mac->associnfo.bssvalid = 0;
+        mac->associnfo.associating = 0;
+        ieee80211softmac_init_txrates(mac);
+        ieee80211softmac_call_events_locked(mac, IEEE80211SOFTMAC_EVENT_DISASSOCIATED, NULL);
+        spin_unlock_irqrestore(&mac->lock, flags);
+}
+/* Sends out a disassociation request to the desired AP */
+void
+ieee80211softmac_send_disassoc_req(struct ieee80211softmac_device *mac, u16 reason)
+{
        struct ieee80211softmac_network *found;
        if (mac->associnfo.bssvalid && mac->associated) {
                found = ieee80211softmac_get_network_by_bssid(mac, mac->associnfo.bssid);
                if (found)
                        ieee80211softmac_send_mgt_frame(mac, found, IEEE80211_STYPE_DISASSOC, reason);
-        } else if (mac->associnfo.associating) {
-                cancel_delayed_work(&mac->associnfo.timeout);
        }
-        /* Change our state */
+        ieee80211softmac_disassoc(mac);
-        spin_lock_irqsave(&mac->lock, flags);
-        /* Do NOT clear bssvalid as that will break ieee80211softmac_assoc_work! */
-        mac->associated = 0;
-        mac->associnfo.associating = 0;
-        spin_unlock_irqrestore(&mac->lock, flags);
 }
 static inline int
 we_support_all_basic_rates(struct ieee80211softmac_device *mac, u8 *from, u8 from_len)
 {
-        int idx, search, found;
+        int idx;
-        u8 rate, search_rate;
+        u8 rate;
        for (idx = 0; idx < (from_len); idx++) {
                rate = (from)[idx];
                if (!(rate & IEEE80211_BASIC_RATE_MASK))
                        continue;
-                found = 0;
                rate &= ~IEEE80211_BASIC_RATE_MASK;
-                for (search = 0; search < mac->ratesinfo.count; search++) {
+                if (!ieee80211softmac_ratesinfo_rate_supported(&mac->ratesinfo, rate))
-                        search_rate = mac->ratesinfo.rates[search];
-                        search_rate &= ~IEEE80211_BASIC_RATE_MASK;
-                        if (rate == search_rate) {
-                                found = 1;
-                                break;
-                        }
-                }
-                if (!found)
                        return 0;
        }
        return 1;
@@ -143,6 +146,12 @@ network_matches_request(struct ieee80211softmac_device *mac, struct ieee80211_ne
        if (!we_support_all_basic_rates(mac, net->rates_ex, net->rates_ex_len))
                return 0;
+        /* assume that users know what they're doing ...
+         * (note we don't let them select a net we're incompatible with) */
+        if (mac->associnfo.bssfixed) {
+                return !memcmp(mac->associnfo.bssid, net->bssid, ETH_ALEN);
+        }
        /* if 'ANY' network requested, take any that doesn't have privacy enabled */
        if (mac->associnfo.req_essid.len == 0 
            && !(net->capability & WLAN_CAPABILITY_PRIVACY))
@@ -155,12 +164,28 @@ network_matches_request(struct ieee80211softmac_device *mac, struct ieee80211_ne
 }
 static void
-ieee80211softmac_assoc_notify(struct net_device *dev, void *context)
+ieee80211softmac_assoc_notify_scan(struct net_device *dev, int event_type, void *context)
 {
        struct ieee80211softmac_device *mac = ieee80211_priv(dev);
        ieee80211softmac_assoc_work((void*)mac);
 }
+static void
+ieee80211softmac_assoc_notify_auth(struct net_device *dev, int event_type, void *context)
+{
+        struct ieee80211softmac_device *mac = ieee80211_priv(dev);
+        switch (event_type) {
+        case IEEE80211SOFTMAC_EVENT_AUTHENTICATED:
+                ieee80211softmac_assoc_work((void*)mac);
+                break;
+        case IEEE80211SOFTMAC_EVENT_AUTH_FAILED:
+        case IEEE80211SOFTMAC_EVENT_AUTH_TIMEOUT:
+                ieee80211softmac_disassoc(mac);
+                break;
+        }
+}
 /* This function is called to handle userspace requests (asynchronously) */
 void
 ieee80211softmac_assoc_work(void *d)
@@ -168,14 +193,18 @@ ieee80211softmac_assoc_work(void *d)
        struct ieee80211softmac_device *mac = (struct ieee80211softmac_device *)d;
        struct ieee80211softmac_network *found = NULL;
        struct ieee80211_network *net = NULL, *best = NULL;
+        int bssvalid;
        unsigned long flags;
-        
+        /* ieee80211_disassoc might clear this */
+        bssvalid = mac->associnfo.bssvalid;
        /* meh */
        if (mac->associated)
-                ieee80211softmac_disassoc(mac, WLAN_REASON_DISASSOC_STA_HAS_LEFT);
+                ieee80211softmac_send_disassoc_req(mac, WLAN_REASON_DISASSOC_STA_HAS_LEFT);
        /* try to find the requested network in our list, if we found one already */
-        if (mac->associnfo.bssvalid)
+        if (bssvalid || mac->associnfo.bssfixed)
                found = ieee80211softmac_get_network_by_bssid(mac, mac->associnfo.bssid);       
        
        /* Search the ieee80211 networks for this network if we didn't find it by bssid,
@@ -236,23 +265,29 @@ ieee80211softmac_assoc_work(void *d)
                         * Maybe we can hope to have more memory after scanning finishes ;)
                         */
                        dprintk(KERN_INFO PFX "Associate: Scanning for networks first.\n");
-                        ieee80211softmac_notify(mac->dev, IEEE80211SOFTMAC_EVENT_SCAN_FINISHED, ieee80211softmac_assoc_notify, NULL);
+                        ieee80211softmac_notify(mac->dev, IEEE80211SOFTMAC_EVENT_SCAN_FINISHED, ieee80211softmac_assoc_notify_scan, NULL);
                        if (ieee80211softmac_start_scan(mac))
                                dprintk(KERN_INFO PFX "Associate: failed to initiate scan. Is device up?\n");
                        return;
-                }
+                } else {
-                else {
                        spin_lock_irqsave(&mac->lock, flags);
                        mac->associnfo.associating = 0;
                        mac->associated = 0;
                        spin_unlock_irqrestore(&mac->lock, flags);
                        dprintk(KERN_INFO PFX "Unable to find matching network after scan!\n");
+                        /* reset the retry counter for the next user request since we
+                         * break out and don't reschedule ourselves after this point. */
+                        mac->associnfo.scan_retry = IEEE80211SOFTMAC_ASSOC_SCAN_RETRY_LIMIT;
                        ieee80211softmac_call_events(mac, IEEE80211SOFTMAC_EVENT_ASSOCIATE_NET_NOT_FOUND, NULL);
                        return;
                }
        }
-        
+        /* reset the retry counter for the next user request since we
+         * now found a net and will try to associate to it, but not
+         * schedule this function again. */
+        mac->associnfo.scan_retry = IEEE80211SOFTMAC_ASSOC_SCAN_RETRY_LIMIT;
        mac->associnfo.bssvalid = 1;
        memcpy(mac->associnfo.bssid, found->bssid, ETH_ALEN);
        /* copy the ESSID for displaying it */
@@ -265,7 +300,7 @@ ieee80211softmac_assoc_work(void *d)
                 * otherwise adding the notification would be racy. */
                if (!ieee80211softmac_auth_req(mac, found)) {
                        dprintk(KERN_INFO PFX "cannot associate without being authenticated, requested authentication\n");
-                        ieee80211softmac_notify_internal(mac, IEEE80211SOFTMAC_EVENT_ANY, found, ieee80211softmac_assoc_notify, NULL, GFP_KERNEL);
+                        ieee80211softmac_notify_internal(mac, IEEE80211SOFTMAC_EVENT_ANY, found, ieee80211softmac_assoc_notify_auth, NULL, GFP_KERNEL);
                } else {
                        printkl(KERN_WARNING PFX "Not authenticated, but requesting authentication failed. Giving up to associate\n");
                        ieee80211softmac_call_events(mac, IEEE80211SOFTMAC_EVENT_ASSOCIATE_FAILED, found);
@@ -283,6 +318,9 @@ ieee80211softmac_associated(struct ieee80211softmac_device *mac,
        struct ieee80211softmac_network *net)
 {
        mac->associnfo.associating = 0;
+        mac->associnfo.supported_rates = net->supported_rates;
+        ieee80211softmac_recalc_txrates(mac);
        mac->associated = 1;
        if (mac->set_bssid_filter)
                mac->set_bssid_filter(mac->dev, net->bssid);
@@ -306,6 +344,9 @@ ieee80211softmac_handle_assoc_response(struct net_device * dev,
        u16 status = le16_to_cpup(&resp->status);
        struct ieee80211softmac_network *network = NULL;
        unsigned long flags;
+        if (unlikely(!mac->running))
+                return -ENODEV;
        
        spin_lock_irqsave(&mac->lock, flags);
@@ -363,19 +404,22 @@ ieee80211softmac_handle_disassoc(struct net_device * dev,
                                 struct ieee80211_disassoc *disassoc)
 {
        struct ieee80211softmac_device *mac = ieee80211_priv(dev);
-        unsigned long flags;
+        if (unlikely(!mac->running))
+                return -ENODEV;
        if (memcmp(disassoc->header.addr2, mac->associnfo.bssid, ETH_ALEN))
                return 0;
        if (memcmp(disassoc->header.addr1, mac->dev->dev_addr, ETH_ALEN))
                return 0;
        dprintk(KERN_INFO PFX "got disassoc frame\n");
-        netif_carrier_off(dev);
+        ieee80211softmac_disassoc(mac);
-        spin_lock_irqsave(&mac->lock, flags);
-        mac->associnfo.bssvalid = 0;
+        /* try to reassociate */
-        mac->associated = 0;
        schedule_work(&mac->associnfo.work);
-        spin_unlock_irqrestore(&mac->lock, flags);
-        
        return 0;
 }
@@ -386,11 +430,15 @@ ieee80211softmac_handle_reassoc_req(struct net_device * dev,
        struct ieee80211softmac_device *mac = ieee80211_priv(dev);
        struct ieee80211softmac_network *network;
+        if (unlikely(!mac->running))
+                return -ENODEV;
        network = ieee80211softmac_get_network_by_bssid(mac, resp->header.addr3);
        if (!network) {
                dprintkl(KERN_INFO PFX "reassoc request from unknown network\n");
                return 0;
        }
-        ieee80211softmac_assoc(mac, network);
+        schedule_work(&mac->associnfo.work);
        return 0;
 }
diff --git a/net/ieee80211/softmac/ieee80211softmac_auth.c b/net/ieee80211/softmac/ieee80211softmac_auth.c
index 9a0eac6c61eb..90b8484e509b 100644
--- a/net/ieee80211/softmac/ieee80211softmac_auth.c
+++ b/net/ieee80211/softmac/ieee80211softmac_auth.c
@@ -86,6 +86,11 @@ ieee80211softmac_auth_queue(void *data)
                
                /* Lock and set flags */
                spin_lock_irqsave(&mac->lock, flags);
+                if (unlikely(!mac->running)) {
+                        /* Prevent reschedule on workqueue flush */
+                        spin_unlock_irqrestore(&mac->lock, flags);
+                        return;
+                }
                net->authenticated = 0;
                net->authenticating = 1;
                /* add a timeout call so we eventually give up waiting for an auth reply */
@@ -102,6 +107,7 @@ ieee80211softmac_auth_queue(void *data)
        printkl(KERN_WARNING PFX "Authentication timed out with "MAC_FMT"\n", MAC_ARG(net->bssid));
        /* Remove this item from the queue */
        spin_lock_irqsave(&mac->lock, flags);
+        net->authenticating = 0;
        ieee80211softmac_call_events_locked(mac, IEEE80211SOFTMAC_EVENT_AUTH_TIMEOUT, net);
        cancel_delayed_work(&auth->work); /* just to make sure... */
        list_del(&auth->list);
@@ -124,6 +130,9 @@ ieee80211softmac_auth_resp(struct net_device *dev, struct ieee80211_auth *auth)
        unsigned long flags;
        u8 * data;
        
+        if (unlikely(!mac->running))
+                return -ENODEV;
        /* Find correct auth queue item */
        spin_lock_irqsave(&mac->lock, flags);
        list_for_each(list_ptr, &mac->auth_queue) {
@@ -204,13 +213,13 @@ ieee80211softmac_auth_resp(struct net_device *dev, struct ieee80211_auth *auth)
                        aq->state = IEEE80211SOFTMAC_AUTH_SHARED_RESPONSE; 
                        spin_unlock_irqrestore(&mac->lock, flags);
-                        /* Switch to correct channel for this network */
+                        /* Send our response */
-                        mac->set_channel(mac->dev, net->channel);
-                        
-                        /* Send our response (How to encrypt?) */
                        ieee80211softmac_send_mgt_frame(mac, aq->net, IEEE80211_STYPE_AUTH, aq->state);
-                        break;
+                        return 0;
                case IEEE80211SOFTMAC_AUTH_SHARED_PASS:
+                        kfree(net->challenge);
+                        net->challenge = NULL;
+                        net->challenge_len = 0;
                        /* Check the status code of the response */
                        switch(auth->status) {
                        case WLAN_STATUS_SUCCESS:
@@ -221,6 +230,7 @@ ieee80211softmac_auth_resp(struct net_device *dev, struct ieee80211_auth *auth)
                                spin_unlock_irqrestore(&mac->lock, flags);
                                printkl(KERN_NOTICE PFX "Shared Key Authentication completed with "MAC_FMT"\n", 
                                        MAC_ARG(net->bssid));
+                                ieee80211softmac_call_events(mac, IEEE80211SOFTMAC_EVENT_AUTHENTICATED, net);
                                break;
                        default:
                                printkl(KERN_NOTICE PFX "Shared Key Authentication with "MAC_FMT" failed, error code: %i\n", 
@@ -271,6 +281,9 @@ ieee80211softmac_deauth_from_net(struct ieee80211softmac_device *mac,
        struct list_head *list_ptr;
        unsigned long flags;
+        /* deauthentication implies disassociation */
+        ieee80211softmac_disassoc(mac);
        /* Lock and reset status flags */
        spin_lock_irqsave(&mac->lock, flags);
        net->authenticating = 0;
@@ -298,8 +311,6 @@ ieee80211softmac_deauth_from_net(struct ieee80211softmac_device *mac,
        
        /* can't transmit data right now... */
        netif_carrier_off(mac->dev);
-        /* let's try to re-associate */
-        schedule_work(&mac->associnfo.work);
        spin_unlock_irqrestore(&mac->lock, flags);
 }
@@ -338,6 +349,9 @@ ieee80211softmac_deauth_resp(struct net_device *dev, struct ieee80211_deauth *de
        struct ieee80211softmac_network *net = NULL;
        struct ieee80211softmac_device *mac = ieee80211_priv(dev);
        
+        if (unlikely(!mac->running))
+                return -ENODEV;
        if (!deauth) {
                dprintk("deauth without deauth packet. eek!\n");
                return 0;
@@ -360,5 +374,8 @@ ieee80211softmac_deauth_resp(struct net_device *dev, struct ieee80211_deauth *de
        }
        ieee80211softmac_deauth_from_net(mac, net);
+        /* let's try to re-associate */
+        schedule_work(&mac->associnfo.work);
        return 0;
 }
diff --git a/net/ieee80211/softmac/ieee80211softmac_event.c b/net/ieee80211/softmac/ieee80211softmac_event.c
index 0a52bbda1e4c..f34fa2ef666b 100644
--- a/net/ieee80211/softmac/ieee80211softmac_event.c
+++ b/net/ieee80211/softmac/ieee80211softmac_event.c
@@ -38,7 +38,8 @@
 * The event context is private and can only be used from
 * within this module. Its meaning varies with the event
 * type:
- *  SCAN_FINISHED:      no special meaning
+ *  SCAN_FINISHED,
+ *  DISASSOCIATED:      NULL
 *  ASSOCIATED,
 *  ASSOCIATE_FAILED,
 *  ASSOCIATE_TIMEOUT,
@@ -59,14 +60,15 @@
 */
 static char *event_descriptions[IEEE80211SOFTMAC_EVENT_LAST+1] = {
-        "scan finished",
+        NULL, /* scan finished */
-        "associated",
+        NULL, /* associated */
        "associating failed",
        "associating timed out",
        "authenticated",
        "authenticating failed",
        "authenticating timed out",
        "associating failed because no suitable network was found",
+        NULL, /* disassociated */
 };
@@ -76,7 +78,7 @@ ieee80211softmac_notify_callback(void *d)
        struct ieee80211softmac_event event = *(struct ieee80211softmac_event*) d;
        kfree(d);
        
-        event.fun(event.mac->dev, event.context);
+        event.fun(event.mac->dev, event.event_type, event.context);
 }
 int
@@ -128,13 +130,36 @@ void
 ieee80211softmac_call_events_locked(struct ieee80211softmac_device *mac, int event, void *event_ctx)
 {
        struct ieee80211softmac_event *eventptr, *tmp;
-        union iwreq_data wrqu;
+        struct ieee80211softmac_network *network;
-        char *msg;
        
        if (event >= 0) {
-                msg = event_descriptions[event];
+                union iwreq_data wrqu;
-                wrqu.data.length = strlen(msg);
+                int we_event;
-                wireless_send_event(mac->dev, IWEVCUSTOM, &wrqu, msg);
+                char *msg = NULL;
+                memset(&wrqu, '\0', sizeof (union iwreq_data));
+                switch(event) {
+                case IEEE80211SOFTMAC_EVENT_ASSOCIATED:
+                        network = (struct ieee80211softmac_network *)event_ctx;
+                        memcpy(wrqu.ap_addr.sa_data, &network->bssid[0], ETH_ALEN);
+                        /* fall through */
+                case IEEE80211SOFTMAC_EVENT_DISASSOCIATED:
+                        wrqu.ap_addr.sa_family = ARPHRD_ETHER;
+                        we_event = SIOCGIWAP;
+                        break;
+                case IEEE80211SOFTMAC_EVENT_SCAN_FINISHED:
+                        we_event = SIOCGIWSCAN;
+                        break;
+                default:
+                        msg = event_descriptions[event];
+                        if (!msg)
+                                msg = "SOFTMAC EVENT BUG";
+                        wrqu.data.length = strlen(msg);
+                        we_event = IWEVCUSTOM;
+                        break;
+                }
+                wireless_send_event(mac->dev, we_event, &wrqu, msg);
        }
        if (!list_empty(&mac->events))
@@ -142,6 +167,9 @@ ieee80211softmac_call_events_locked(struct ieee80211softmac_device *mac, int eve
                        if ((eventptr->event_type == event || eventptr->event_type == -1)
                                && (eventptr->event_context == NULL || eventptr->event_context == event_ctx)) {
                                list_del(&eventptr->list);
+                                /* User may have subscribed to ANY event, so
+                                 * we tell them which event triggered it. */
+                                eventptr->event_type = event;
                                schedule_work(&eventptr->work);
                        }
                }
diff --git a/net/ieee80211/softmac/ieee80211softmac_io.c b/net/ieee80211/softmac/ieee80211softmac_io.c
index febc51dbb412..09541611e48c 100644
--- a/net/ieee80211/softmac/ieee80211softmac_io.c
+++ b/net/ieee80211/softmac/ieee80211softmac_io.c
@@ -149,6 +149,56 @@ ieee80211softmac_hdr_3addr(struct ieee80211softmac_device *mac,
         * shouldn't the sequence number be in ieee80211? */
 }
+static u16
+ieee80211softmac_capabilities(struct ieee80211softmac_device *mac,
+        struct ieee80211softmac_network *net)
+{
+        u16 capability = 0;
+        /* ESS and IBSS bits are set according to the current mode */
+        switch (mac->ieee->iw_mode) {
+        case IW_MODE_INFRA:
+                capability = cpu_to_le16(WLAN_CAPABILITY_ESS);
+                break;
+        case IW_MODE_ADHOC:
+                capability = cpu_to_le16(WLAN_CAPABILITY_IBSS);
+                break;
+        case IW_MODE_AUTO:
+                capability = net->capabilities &
+                        (WLAN_CAPABILITY_ESS|WLAN_CAPABILITY_IBSS);
+                break;
+        default:
+                /* bleh. we don't ever go to these modes */
+                printk(KERN_ERR PFX "invalid iw_mode!\n");
+                break;
+        }
+        /* CF Pollable / CF Poll Request */
+        /* Needs to be implemented, for now, the 0's == not supported */
+        /* Privacy Bit */
+        capability |= mac->ieee->sec.level ?
+                cpu_to_le16(WLAN_CAPABILITY_PRIVACY) : 0;
+        /* Short Preamble */
+        /* Always supported: we probably won't ever be powering devices which
+         * dont support this... */
+        capability |= WLAN_CAPABILITY_SHORT_PREAMBLE;
+        /* PBCC */
+        /* Not widely used */
+        /* Channel Agility */
+        /* Not widely used */
+        /* Short Slot */
+        /* Will be implemented later */
+        /* DSSS-OFDM */
+        /* Not widely used */
+        return capability;
+}
 /*****************************************************************************
 * Create Management packets
@@ -179,15 +229,6 @@ ieee80211softmac_assoc_req(struct ieee80211_assoc_request **pkt,
                return 0;
        ieee80211softmac_hdr_3addr(mac, &((*pkt)->header), IEEE80211_STYPE_ASSOC_REQ, net->bssid, net->bssid);
-        /* Fill in capability Info */
-        (*pkt)->capability = (mac->ieee->iw_mode == IW_MODE_MASTER) || (mac->ieee->iw_mode == IW_MODE_INFRA) ?
-                cpu_to_le16(WLAN_CAPABILITY_ESS) :
-                cpu_to_le16(WLAN_CAPABILITY_IBSS);
-        /* Need to add this
-        (*pkt)->capability |= mac->ieee->short_slot ? 
-                        cpu_to_le16(WLAN_CAPABILITY_SHORT_SLOT_TIME) : 0;
-         */
-        (*pkt)->capability |= mac->ieee->sec.level ? cpu_to_le16(WLAN_CAPABILITY_PRIVACY) : 0;
        /* Fill in Listen Interval (?) */
        (*pkt)->listen_interval = cpu_to_le16(10);
        
@@ -227,17 +268,9 @@ ieee80211softmac_reassoc_req(struct ieee80211_reassoc_request **pkt,
                return 0;
        ieee80211softmac_hdr_3addr(mac, &((*pkt)->header), IEEE80211_STYPE_REASSOC_REQ, net->bssid, net->bssid);
-        /* Fill in capability Info */
+        /* Fill in the capabilities */
-        (*pkt)->capability = mac->ieee->iw_mode == IW_MODE_MASTER ? 
+        (*pkt)->capability = ieee80211softmac_capabilities(mac, net);
-                                cpu_to_le16(WLAN_CAPABILITY_ESS) :
-                                cpu_to_le16(WLAN_CAPABILITY_IBSS);
-        /*
-        (*pkt)->capability |= mac->ieee->short_slot ? 
-                        cpu_to_le16(WLAN_CAPABILITY_SHORT_SLOT_TIME) : 0;
-         */
-        (*pkt)->capability |= mac->ieee->sec.level ?
-                        cpu_to_le16(WLAN_CAPABILITY_PRIVACY) : 0;
-                
        /* Fill in Listen Interval (?) */
        (*pkt)->listen_interval = cpu_to_le16(10);
        /* Fill in the current AP MAC */
@@ -256,26 +289,27 @@ ieee80211softmac_reassoc_req(struct ieee80211_reassoc_request **pkt,
 static u32
 ieee80211softmac_auth(struct ieee80211_auth **pkt, 
        struct ieee80211softmac_device *mac, struct ieee80211softmac_network *net,
-        u16 transaction, u16 status)
+        u16 transaction, u16 status, int *encrypt_mpdu)
 {
        u8 *data;
+        int auth_mode = mac->ieee->sec.auth_mode;
+        int is_shared_response = (auth_mode == WLAN_AUTH_SHARED_KEY
+                && transaction == IEEE80211SOFTMAC_AUTH_SHARED_RESPONSE);
        /* Allocate Packet */
        (*pkt) = (struct ieee80211_auth *)ieee80211softmac_alloc_mgt(
                2 +             /* Auth Algorithm */
                2 +             /* Auth Transaction Seq */
                2 +             /* Status Code */
                 /* Challenge Text IE */
-                mac->ieee->open_wep ? 0 : 
+                is_shared_response ? 0 : 1 + 1 + net->challenge_len
-                1 + 1 + WLAN_AUTH_CHALLENGE_LEN
+        );
-        );      
        if (unlikely((*pkt) == NULL))
                return 0;
        ieee80211softmac_hdr_3addr(mac, &((*pkt)->header), IEEE80211_STYPE_AUTH, net->bssid, net->bssid);
                
        /* Algorithm */
-        (*pkt)->algorithm = mac->ieee->open_wep ? 
+        (*pkt)->algorithm = cpu_to_le16(auth_mode);
-                cpu_to_le16(WLAN_AUTH_OPEN) :
-                cpu_to_le16(WLAN_AUTH_SHARED_KEY);
        /* Transaction */
        (*pkt)->transaction = cpu_to_le16(transaction);
        /* Status */
@@ -283,18 +317,20 @@ ieee80211softmac_auth(struct ieee80211_auth **pkt,
        
        data = (u8 *)(*pkt)->info_element;
        /* Challenge Text */
-        if(!mac->ieee->open_wep){
+        if (is_shared_response) {
                *data = MFIE_TYPE_CHALLENGE;
                data++;
                
                /* Copy the challenge in */
-                // *data = challenge length
+                *data = net->challenge_len;
-                // data += sizeof(u16);
+                data++;
-                // memcpy(data, challenge, challenge length);
+                memcpy(data, net->challenge, net->challenge_len);
-                // data += challenge length;
+                data += net->challenge_len;
-                
-                /* Add the full size to the packet length */
+                /* Make sure this frame gets encrypted with the shared key */
-        }
+                *encrypt_mpdu = 1;
+        } else
+                *encrypt_mpdu = 0;
        /* Return the packet size */
        return (data - (u8 *)(*pkt));
@@ -384,6 +420,7 @@ ieee80211softmac_send_mgt_frame(struct ieee80211softmac_device *mac,
 {
        void *pkt = NULL;
        u32 pkt_size = 0;
+        int encrypt_mpdu = 0;
        switch(type) {
        case IEEE80211_STYPE_ASSOC_REQ:
@@ -393,7 +430,7 @@ ieee80211softmac_send_mgt_frame(struct ieee80211softmac_device *mac,
                pkt_size = ieee80211softmac_reassoc_req((struct ieee80211_reassoc_request **)(&pkt), mac, (struct ieee80211softmac_network *)ptrarg);
                break;
        case IEEE80211_STYPE_AUTH:
-                pkt_size = ieee80211softmac_auth((struct ieee80211_auth **)(&pkt), mac, (struct ieee80211softmac_network *)ptrarg, (u16)(arg & 0xFFFF), (u16) (arg >> 16));
+                pkt_size = ieee80211softmac_auth((struct ieee80211_auth **)(&pkt), mac, (struct ieee80211softmac_network *)ptrarg, (u16)(arg & 0xFFFF), (u16) (arg >> 16), &encrypt_mpdu);
                break;
        case IEEE80211_STYPE_DISASSOC:
        case IEEE80211_STYPE_DEAUTH:
@@ -422,52 +459,8 @@ ieee80211softmac_send_mgt_frame(struct ieee80211softmac_device *mac,
         * or get rid of it alltogether?
         * Does this work for you now?
         */
-        ieee80211_tx_frame(mac->ieee, (struct ieee80211_hdr *)pkt, pkt_size);
+        ieee80211_tx_frame(mac->ieee, (struct ieee80211_hdr *)pkt,
+                IEEE80211_3ADDR_LEN, pkt_size, encrypt_mpdu);
-        kfree(pkt);
-        return 0;
-}
-/* Create an rts/cts frame */
-static u32
-ieee80211softmac_rts_cts(struct ieee80211_hdr_2addr **pkt,
-        struct ieee80211softmac_device *mac, struct ieee80211softmac_network *net, 
-        u32 type)
-{
-        /* Allocate Packet */
-        (*pkt) = kmalloc(IEEE80211_2ADDR_LEN, GFP_ATOMIC);      
-        memset(*pkt, 0, IEEE80211_2ADDR_LEN);
-        if((*pkt) == NULL)
-                return 0;
-        ieee80211softmac_hdr_2addr(mac, (*pkt), type, net->bssid);
-        return IEEE80211_2ADDR_LEN;
-}
-/* Sends a control packet */
-static int
-ieee80211softmac_send_ctl_frame(struct ieee80211softmac_device *mac,
-        struct ieee80211softmac_network *net, u32 type, u32 arg)
-{
-        void *pkt = NULL;
-        u32 pkt_size = 0;
-        
-        switch(type) {
-        case IEEE80211_STYPE_RTS:
-        case IEEE80211_STYPE_CTS:
-                pkt_size = ieee80211softmac_rts_cts((struct ieee80211_hdr_2addr **)(&pkt), mac, net, type);
-                break;
-        default:
-                printkl(KERN_DEBUG PFX "Unsupported Control Frame type: %i\n", type);
-                return -EINVAL;
-        }
-        if(pkt_size == 0)
-                return -ENOMEM;
-        
-        /* Send the packet to the ieee80211 layer for tx */
-        ieee80211_tx_frame(mac->ieee, (struct ieee80211_hdr *) pkt, pkt_size);
        kfree(pkt);
        return 0;
diff --git a/net/ieee80211/softmac/ieee80211softmac_module.c b/net/ieee80211/softmac/ieee80211softmac_module.c
index 60f06a31f0d1..4b2e57d12418 100644
--- a/net/ieee80211/softmac/ieee80211softmac_module.c
+++ b/net/ieee80211/softmac/ieee80211softmac_module.c
@@ -26,6 +26,7 @@
 #include "ieee80211softmac_priv.h"
 #include <linux/sort.h>
+#include <linux/etherdevice.h>
 struct net_device *alloc_ieee80211softmac(int sizeof_priv)
 {
@@ -45,6 +46,8 @@ struct net_device *alloc_ieee80211softmac(int sizeof_priv)
        softmac->ieee->handle_disassoc = ieee80211softmac_handle_disassoc;
        softmac->scaninfo = NULL;
+        softmac->associnfo.scan_retry = IEEE80211SOFTMAC_ASSOC_SCAN_RETRY_LIMIT;
        /* TODO: initialise all the other callbacks in the ieee struct
         *       (once they're written)
         */
@@ -59,14 +62,6 @@ struct net_device *alloc_ieee80211softmac(int sizeof_priv)
        softmac->wait_for_scan = ieee80211softmac_wait_for_scan_implementation;
        softmac->stop_scan = ieee80211softmac_stop_scan_implementation;
-        //TODO: The mcast rate has to be assigned dynamically somewhere (in scanning, association. Not sure...)
-        //      It has to be set to the highest rate all stations in the current network can handle.
-        softmac->txrates.mcast_rate = IEEE80211_CCK_RATE_1MB;
-        softmac->txrates.mcast_fallback = IEEE80211_CCK_RATE_1MB;
-        /* This is reassigned in ieee80211softmac_start to sane values. */
-        softmac->txrates.default_rate = IEEE80211_CCK_RATE_1MB;
-        softmac->txrates.default_fallback = IEEE80211_CCK_RATE_1MB;
        /* to start with, we can't send anything ... */
        netif_carrier_off(dev);
        
@@ -87,6 +82,8 @@ ieee80211softmac_clear_pending_work(struct ieee80211softmac_device *sm)
        ieee80211softmac_wait_for_scan(sm);
        
        spin_lock_irqsave(&sm->lock, flags);
+        sm->running = 0;
        /* Free all pending assoc work items */
        cancel_delayed_work(&sm->associnfo.work);
        
@@ -166,15 +163,82 @@ static void ieee80211softmac_start_check_rates(struct ieee80211softmac_device *m
        }
 }
-void ieee80211softmac_start(struct net_device *dev)
+int ieee80211softmac_ratesinfo_rate_supported(struct ieee80211softmac_ratesinfo *ri, u8 rate)
+{
+        int search;
+        u8 search_rate;
+        for (search = 0; search < ri->count; search++) {
+                search_rate = ri->rates[search];
+                search_rate &= ~IEEE80211_BASIC_RATE_MASK;
+                if (rate == search_rate)
+                        return 1;
+        }
+        return 0;
+}
+/* Finds the highest rate which is:
+ *  1. Present in ri (optionally a basic rate)
+ *  2. Supported by the device
+ *  3. Less than or equal to the user-defined rate
+ */
+static u8 highest_supported_rate(struct ieee80211softmac_device *mac,
+        struct ieee80211softmac_ratesinfo *ri, int basic_only)
+{
+        u8 user_rate = mac->txrates.user_rate;
+        int i;
+        if (ri->count == 0) {
+                dprintk(KERN_ERR PFX "empty ratesinfo?\n");
+                return IEEE80211_CCK_RATE_1MB;
+        }
+        for (i = ri->count - 1; i >= 0; i--) {
+                u8 rate = ri->rates[i];
+                if (basic_only && !(rate & IEEE80211_BASIC_RATE_MASK))
+                        continue;
+                rate &= ~IEEE80211_BASIC_RATE_MASK;
+                if (rate > user_rate)
+                        continue;
+                if (ieee80211softmac_ratesinfo_rate_supported(&mac->ratesinfo, rate))
+                        return rate;
+        }
+        /* If we haven't found a suitable rate by now, just trust the user */
+        return user_rate;
+}
+void ieee80211softmac_recalc_txrates(struct ieee80211softmac_device *mac)
+{
+        struct ieee80211softmac_txrates *txrates = &mac->txrates;
+        struct ieee80211softmac_txrates oldrates;
+        u32 change = 0;
+        if (mac->txrates_change)
+                oldrates = mac->txrates;
+        change |= IEEE80211SOFTMAC_TXRATECHG_DEFAULT;
+        txrates->default_rate = highest_supported_rate(mac, &mac->associnfo.supported_rates, 0);
+        change |= IEEE80211SOFTMAC_TXRATECHG_DEFAULT_FBACK;
+        txrates->default_fallback = lower_rate(mac, txrates->default_rate);
+        change |= IEEE80211SOFTMAC_TXRATECHG_MCAST;
+        txrates->mcast_rate = highest_supported_rate(mac, &mac->associnfo.supported_rates, 1);
+        if (mac->txrates_change)
+                mac->txrates_change(mac->dev, change, &oldrates);
+}
+void ieee80211softmac_init_txrates(struct ieee80211softmac_device *mac)
 {
-        struct ieee80211softmac_device *mac = ieee80211_priv(dev);
        struct ieee80211_device *ieee = mac->ieee;
        u32 change = 0;
+        struct ieee80211softmac_txrates *txrates = &mac->txrates;
        struct ieee80211softmac_txrates oldrates;
-        ieee80211softmac_start_check_rates(mac);
        /* TODO: We need some kind of state machine to lower the default rates
         *       if we loose too many packets.
         */
@@ -189,19 +253,36 @@ void ieee80211softmac_start(struct net_device *dev)
           more reliable. Note similar logic in
           ieee80211softmac_wx_set_rate() */     
        if (ieee->modulation & IEEE80211_CCK_MODULATION) {
-                mac->txrates.default_rate = IEEE80211_CCK_RATE_11MB;
+                txrates->user_rate = IEEE80211_CCK_RATE_11MB;
-                change |= IEEE80211SOFTMAC_TXRATECHG_DEFAULT;
-                mac->txrates.default_fallback = IEEE80211_CCK_RATE_5MB;
-                change |= IEEE80211SOFTMAC_TXRATECHG_DEFAULT_FBACK;
        } else if (ieee->modulation & IEEE80211_OFDM_MODULATION) {
-                mac->txrates.default_rate = IEEE80211_OFDM_RATE_54MB;
+                txrates->user_rate = IEEE80211_OFDM_RATE_54MB;
-                change |= IEEE80211SOFTMAC_TXRATECHG_DEFAULT;
-                mac->txrates.default_fallback = IEEE80211_OFDM_RATE_24MB;
-                change |= IEEE80211SOFTMAC_TXRATECHG_DEFAULT_FBACK;
        } else
                assert(0);
+        txrates->default_rate = IEEE80211_CCK_RATE_1MB;
+        change |= IEEE80211SOFTMAC_TXRATECHG_DEFAULT;
+        txrates->default_fallback = IEEE80211_CCK_RATE_1MB;
+        change |= IEEE80211SOFTMAC_TXRATECHG_DEFAULT_FBACK;
+        txrates->mcast_rate = IEEE80211_CCK_RATE_1MB;
+        change |= IEEE80211SOFTMAC_TXRATECHG_MCAST;
+        txrates->mgt_mcast_rate = IEEE80211_CCK_RATE_1MB;
+        change |= IEEE80211SOFTMAC_TXRATECHG_MGT_MCAST;
        if (mac->txrates_change)
-                mac->txrates_change(dev, change, &oldrates);
+                mac->txrates_change(mac->dev, change, &oldrates);
+        mac->running = 1;
+}
+void ieee80211softmac_start(struct net_device *dev)
+{
+        struct ieee80211softmac_device *mac = ieee80211_priv(dev);
+        ieee80211softmac_start_check_rates(mac);
+        ieee80211softmac_init_txrates(mac);
 }
 EXPORT_SYMBOL_GPL(ieee80211softmac_start);
diff --git a/net/ieee80211/softmac/ieee80211softmac_priv.h b/net/ieee80211/softmac/ieee80211softmac_priv.h
index 65d9816c8ecc..fa1f8e3acfc0 100644
--- a/net/ieee80211/softmac/ieee80211softmac_priv.h
+++ b/net/ieee80211/softmac/ieee80211softmac_priv.h
@@ -116,7 +116,10 @@ ieee80211softmac_get_network_by_essid(struct ieee80211softmac_device *mac,
        struct ieee80211softmac_essid *essid);
 /* Rates related */
+int ieee80211softmac_ratesinfo_rate_supported(struct ieee80211softmac_ratesinfo *ri, u8 rate);
 u8 ieee80211softmac_lower_rate_delta(struct ieee80211softmac_device *mac, u8 rate, int delta);
+void ieee80211softmac_init_txrates(struct ieee80211softmac_device *mac);
+void ieee80211softmac_recalc_txrates(struct ieee80211softmac_device *mac);
 static inline u8 lower_rate(struct ieee80211softmac_device *mac, u8 rate) {
        return ieee80211softmac_lower_rate_delta(mac, rate, 1);
 }
@@ -150,6 +153,8 @@ int ieee80211softmac_handle_disassoc(struct net_device * dev,
 int ieee80211softmac_handle_reassoc_req(struct net_device * dev,
                                        struct ieee80211_reassoc_request * reassoc);
 void ieee80211softmac_assoc_timeout(void *d);
+void ieee80211softmac_send_disassoc_req(struct ieee80211softmac_device *mac, u16 reason);
+void ieee80211softmac_disassoc(struct ieee80211softmac_device *mac);
 /* some helper functions */
 static inline int ieee80211softmac_scan_handlers_check_self(struct ieee80211softmac_device *sm)
diff --git a/net/ieee80211/softmac/ieee80211softmac_scan.c b/net/ieee80211/softmac/ieee80211softmac_scan.c
index bb9ab8b45d09..d31cf77498c4 100644
--- a/net/ieee80211/softmac/ieee80211softmac_scan.c
+++ b/net/ieee80211/softmac/ieee80211softmac_scan.c
@@ -47,6 +47,7 @@ ieee80211softmac_start_scan(struct ieee80211softmac_device *sm)
        sm->scanning = 1;
        spin_unlock_irqrestore(&sm->lock, flags);
+        netif_tx_disable(sm->ieee->dev);
        ret = sm->start_scan(sm->dev);
        if (ret) {
                spin_lock_irqsave(&sm->lock, flags);
@@ -114,7 +115,15 @@ void ieee80211softmac_scan(void *d)
                        // TODO: is this if correct, or should we do this only if scanning from assoc request?
                        if (sm->associnfo.req_essid.len)
                                ieee80211softmac_send_mgt_frame(sm, &sm->associnfo.req_essid, IEEE80211_STYPE_PROBE_REQ, 0);
+                        spin_lock_irqsave(&sm->lock, flags);
+                        if (unlikely(!sm->running)) {
+                                /* Prevent reschedule on workqueue flush */
+                                spin_unlock_irqrestore(&sm->lock, flags);
+                                break;
+                        }
                        schedule_delayed_work(&si->softmac_scan, IEEE80211SOFTMAC_PROBE_DELAY);
+                        spin_unlock_irqrestore(&sm->lock, flags);
                        return;
                } else {
                        dprintk(PFX "Not probing Channel %d (not allowed here)\n", si->channels[current_channel_idx].channel);
@@ -239,6 +248,7 @@ void ieee80211softmac_scan_finished(struct ieee80211softmac_device *sm)
                if (net)
                        sm->set_channel(sm->dev, net->channel);
        }
+        netif_wake_queue(sm->ieee->dev);
        ieee80211softmac_call_events(sm, IEEE80211SOFTMAC_EVENT_SCAN_FINISHED, NULL);
 }
 EXPORT_SYMBOL_GPL(ieee80211softmac_scan_finished);
diff --git a/net/ieee80211/softmac/ieee80211softmac_wx.c b/net/ieee80211/softmac/ieee80211softmac_wx.c
index b559aa9b5507..22aa6199185b 100644
--- a/net/ieee80211/softmac/ieee80211softmac_wx.c
+++ b/net/ieee80211/softmac/ieee80211softmac_wx.c
@@ -27,7 +27,8 @@
 #include "ieee80211softmac_priv.h"
 #include <net/iw_handler.h>
+/* for is_broadcast_ether_addr and is_zero_ether_addr */
+#include <linux/etherdevice.h>
 int
 ieee80211softmac_wx_trigger_scan(struct net_device *net_dev,
@@ -41,13 +42,23 @@ ieee80211softmac_wx_trigger_scan(struct net_device *net_dev,
 EXPORT_SYMBOL_GPL(ieee80211softmac_wx_trigger_scan);
+/* if we're still scanning, return -EAGAIN so that userspace tools
+ * can get the complete scan results, otherwise return 0. */
 int
 ieee80211softmac_wx_get_scan_results(struct net_device *net_dev,
                                     struct iw_request_info *info,
                                     union iwreq_data *data,
                                     char *extra)
 {
+        unsigned long flags;
        struct ieee80211softmac_device *sm = ieee80211_priv(net_dev);
+        spin_lock_irqsave(&sm->lock, flags);
+        if (sm->scanning) {
+                spin_unlock_irqrestore(&sm->lock, flags);
+                return -EAGAIN;
+        }
+        spin_unlock_irqrestore(&sm->lock, flags);
        return ieee80211_wx_get_scan(sm->ieee, info, data, extra);
 }
 EXPORT_SYMBOL_GPL(ieee80211softmac_wx_get_scan_results);
@@ -73,7 +84,6 @@ ieee80211softmac_wx_set_essid(struct net_device *net_dev,
                        sm->associnfo.static_essid = 1;
                }
        }
-        sm->associnfo.scan_retry = IEEE80211SOFTMAC_ASSOC_SCAN_RETRY_LIMIT;
        /* set our requested ESSID length.
         * If applicable, we have already copied the data in */
@@ -201,8 +211,8 @@ ieee80211softmac_wx_set_rate(struct net_device *net_dev,
        if (is_ofdm && !(ieee->modulation & IEEE80211_OFDM_MODULATION))
                goto out_unlock;
-        mac->txrates.default_rate = rate;
+        mac->txrates.user_rate = rate;
-        mac->txrates.default_fallback = lower_rate(mac, rate);
+        ieee80211softmac_recalc_txrates(mac);
        err = 0;
 out_unlock:     
@@ -300,8 +310,6 @@ ieee80211softmac_wx_set_wap(struct net_device *net_dev,
                            char *extra)
 {
        struct ieee80211softmac_device *mac = ieee80211_priv(net_dev);
-        static const unsigned char any[] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
-        static const unsigned char off[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
        unsigned long flags;
        /* sanity check */
@@ -310,10 +318,17 @@ ieee80211softmac_wx_set_wap(struct net_device *net_dev,
        }
        spin_lock_irqsave(&mac->lock, flags);
-        if (!memcmp(any, data->ap_addr.sa_data, ETH_ALEN) ||
+        if (is_broadcast_ether_addr(data->ap_addr.sa_data)) {
-            !memcmp(off, data->ap_addr.sa_data, ETH_ALEN)) {
+                /* the bssid we have is not to be fixed any longer,
-                schedule_work(&mac->associnfo.work);
+                 * and we should reassociate to the best AP. */
-                goto out;
+                mac->associnfo.bssfixed = 0;
+                /* force reassociation */
+                mac->associnfo.bssvalid = 0;
+                if (mac->associated)
+                        schedule_work(&mac->associnfo.work);
+        } else if (is_zero_ether_addr(data->ap_addr.sa_data)) {
+                /* the bssid we have is no longer fixed */
+                mac->associnfo.bssfixed = 0;
        } else {
                if (!memcmp(mac->associnfo.bssid, data->ap_addr.sa_data, ETH_ALEN)) {
                        if (mac->associnfo.associating || mac->associated) {
@@ -323,12 +338,14 @@ ieee80211softmac_wx_set_wap(struct net_device *net_dev,
                } else {
                        /* copy new value in data->ap_addr.sa_data to bssid */
                        memcpy(mac->associnfo.bssid, data->ap_addr.sa_data, ETH_ALEN);
-                }       
+                }
+                /* tell the other code that this bssid should be used no matter what */
+                mac->associnfo.bssfixed = 1;
                /* queue associate if new bssid or (old one again and not associated) */
                schedule_work(&mac->associnfo.work);
        }
-out:
+ out:
        spin_unlock_irqrestore(&mac->lock, flags);
        return 0;
 }
@@ -414,3 +431,35 @@ ieee80211softmac_wx_get_genie(struct net_device *dev,
 }
 EXPORT_SYMBOL_GPL(ieee80211softmac_wx_get_genie);
+int
+ieee80211softmac_wx_set_mlme(struct net_device *dev,
+                             struct iw_request_info *info,
+                             union iwreq_data *wrqu,
+                             char *extra)
+{
+        struct ieee80211softmac_device *mac = ieee80211_priv(dev);
+        struct iw_mlme *mlme = (struct iw_mlme *)extra;
+        u16 reason = cpu_to_le16(mlme->reason_code);
+        struct ieee80211softmac_network *net;
+        if (memcmp(mac->associnfo.bssid, mlme->addr.sa_data, ETH_ALEN)) {
+                printk(KERN_DEBUG PFX "wx_set_mlme: requested operation on net we don't use\n");
+                return -EINVAL;
+        }
+        switch (mlme->cmd) {
+        case IW_MLME_DEAUTH:
+                net = ieee80211softmac_get_network_by_bssid_locked(mac, mlme->addr.sa_data);
+                if (!net) {
+                        printk(KERN_DEBUG PFX "wx_set_mlme: we should know the net here...\n");
+                        return -EINVAL;
+                }
+                return ieee80211softmac_deauth_req(mac, net, reason);
+        case IW_MLME_DISASSOC:
+                ieee80211softmac_send_disassoc_req(mac, reason);
+                return 0;
+        default:
+                return -EOPNOTSUPP;
+        }
+}
+EXPORT_SYMBOL_GPL(ieee80211softmac_wx_set_mlme);
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index dc206f1f914f..0a277453526b 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -1257,7 +1257,7 @@ out_unregister_udp_proto:
        goto out;
 }
-module_init(inet_init);
+fs_initcall(inet_init);
 /* ------------------------------------------------------------------------ */
diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index 041dadde31af..4749d504c629 100644
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -928,7 +928,8 @@ static void parp_redo(struct sk_buff *skb)
 *      Receive an arp request from the device layer.
 */
-int arp_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt, struct net_device *orig_dev)
+static int arp_rcv(struct sk_buff *skb, struct net_device *dev,
+                   struct packet_type *pt, struct net_device *orig_dev)
 {
        struct arphdr *arp;
@@ -1417,7 +1418,6 @@ static int __init arp_proc_init(void)
 EXPORT_SYMBOL(arp_broken_ops);
 EXPORT_SYMBOL(arp_find);
-EXPORT_SYMBOL(arp_rcv);
 EXPORT_SYMBOL(arp_create);
 EXPORT_SYMBOL(arp_xmit);
 EXPORT_SYMBOL(arp_send);
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index 81c2f7885292..54419b27686f 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -1556,7 +1556,6 @@ void __init devinet_init(void)
 #endif
 }
-EXPORT_SYMBOL(devinet_ioctl);
 EXPORT_SYMBOL(in_dev_finish_destroy);
 EXPORT_SYMBOL(inet_select_addr);
 EXPORT_SYMBOL(inetdev_by_index);
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index 4e3d3811dea2..cdde96390960 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -666,4 +666,3 @@ void __init ip_fib_init(void)
 }
 EXPORT_SYMBOL(inet_addr_type);
-EXPORT_SYMBOL(ip_rt_ioctl);
diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index ccd3efc6a173..95a639f2e3db 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -50,7 +50,7 @@
 *              Patrick McHardy <kaber@trash.net>
 */
-#define VERSION "0.406"
+#define VERSION "0.407"
 #include <linux/config.h>
 #include <asm/uaccess.h>
@@ -314,11 +314,6 @@ static void __leaf_free_rcu(struct rcu_head *head)
        kfree(container_of(head, struct leaf, rcu));
 }
-static inline void free_leaf(struct leaf *leaf)
-{
-        call_rcu(&leaf->rcu, __leaf_free_rcu);
-}
 static void __leaf_info_free_rcu(struct rcu_head *head)
 {
        kfree(container_of(head, struct leaf_info, rcu));
@@ -357,7 +352,12 @@ static void __tnode_free_rcu(struct rcu_head *head)
 static inline void tnode_free(struct tnode *tn)
 {
-        call_rcu(&tn->rcu, __tnode_free_rcu);
+        if(IS_LEAF(tn)) {
+                struct leaf *l = (struct leaf *) tn;
+                call_rcu_bh(&l->rcu, __leaf_free_rcu);
+        }
+        else
+                call_rcu(&tn->rcu, __tnode_free_rcu);
 }
 static struct leaf *leaf_new(void)
diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index 9831fd2c73a0..2a0455911ee0 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -1107,7 +1107,7 @@ void __init icmp_init(struct net_proto_family *ops)
        struct inet_sock *inet;
        int i;
-        for_each_cpu(i) {
+        for_each_possible_cpu(i) {
                int err;
                err = sock_create_kern(PF_INET, SOCK_RAW, IPPROTO_ICMP,
diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
index ef7366fc132f..ee9b5515b9ae 100644
--- a/net/ipv4/inet_hashtables.c
+++ b/net/ipv4/inet_hashtables.c
@@ -43,8 +43,6 @@ struct inet_bind_bucket *inet_bind_bucket_create(kmem_cache_t *cachep,
        return tb;
 }
-EXPORT_SYMBOL(inet_bind_bucket_create);
 /*
 * Caller must hold hashbucket lock for this tb with local BH disabled
 */
@@ -64,8 +62,6 @@ void inet_bind_hash(struct sock *sk, struct inet_bind_bucket *tb,
        inet_csk(sk)->icsk_bind_hash = tb;
 }
-EXPORT_SYMBOL(inet_bind_hash);
 /*
 * Get rid of any references to a local port held by the given sock.
 */
diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c
index 0923add122b4..9f0bb529ab70 100644
--- a/net/ipv4/ip_forward.c
+++ b/net/ipv4/ip_forward.c
@@ -116,6 +116,7 @@ sr_failed:
 too_many_hops:
        /* Tell the sender its packet died... */
+        IP_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS);
        icmp_send(skb, ICMP_TIME_EXCEEDED, ICMP_EXC_TTL, 0);
 drop:
        kfree_skb(skb);
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index 2a8adda15e11..da734c439179 100644
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -304,13 +304,17 @@ out:
 /* Creation primitives. */
-static struct ipq *ip_frag_intern(unsigned int hash, struct ipq *qp_in)
+static struct ipq *ip_frag_intern(struct ipq *qp_in)
 {
        struct ipq *qp;
 #ifdef CONFIG_SMP
        struct hlist_node *n;
 #endif
+        unsigned int hash;
        write_lock(&ipfrag_lock);
+        hash = ipqhashfn(qp_in->id, qp_in->saddr, qp_in->daddr,
+                         qp_in->protocol);
 #ifdef CONFIG_SMP
        /* With SMP race we have to recheck hash table, because
         * such entry could be created on other cpu, while we
@@ -345,7 +349,7 @@ static struct ipq *ip_frag_intern(unsigned int hash, struct ipq *qp_in)
 }
 /* Add an entry to the 'ipq' queue for a newly received IP datagram. */
-static struct ipq *ip_frag_create(unsigned hash, struct iphdr *iph, u32 user)
+static struct ipq *ip_frag_create(struct iphdr *iph, u32 user)
 {
        struct ipq *qp;
@@ -371,7 +375,7 @@ static struct ipq *ip_frag_create(unsigned hash, struct iphdr *iph, u32 user)
        spin_lock_init(&qp->lock);
        atomic_set(&qp->refcnt, 1);
-        return ip_frag_intern(hash, qp);
+        return ip_frag_intern(qp);
 out_nomem:
        LIMIT_NETDEBUG(KERN_ERR "ip_frag_create: no memory left !\n");
@@ -387,11 +391,12 @@ static inline struct ipq *ip_find(struct iphdr *iph, u32 user)
        __u32 saddr = iph->saddr;
        __u32 daddr = iph->daddr;
        __u8 protocol = iph->protocol;
-        unsigned int hash = ipqhashfn(id, saddr, daddr, protocol);
+        unsigned int hash;
        struct ipq *qp;
        struct hlist_node *n;
        read_lock(&ipfrag_lock);
+        hash = ipqhashfn(id, saddr, daddr, protocol);
        hlist_for_each_entry(qp, n, &ipq_hash[hash], list) {
                if(qp->id == id         &&
                   qp->saddr == saddr   &&
@@ -405,7 +410,7 @@ static inline struct ipq *ip_find(struct iphdr *iph, u32 user)
        }
        read_unlock(&ipfrag_lock);
-        return ip_frag_create(hash, iph, user);
+        return ip_frag_create(iph, user);
 }
 /* Is the fragment too far ahead to be part of ipq? */
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index 9981dcd68f11..ab99bebdcdc8 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -656,7 +656,7 @@ static int ipgre_rcv(struct sk_buff *skb)
                read_unlock(&ipgre_lock);
                return(0);
        }
-        icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PROT_UNREACH, 0);
+        icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
 drop:
        read_unlock(&ipgre_lock);
diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
index 18d7fad474d7..c9026dbf4c93 100644
--- a/net/ipv4/ip_input.c
+++ b/net/ipv4/ip_input.c
@@ -337,7 +337,7 @@ static inline int ip_rcv_finish(struct sk_buff *skb)
         *      Initialise the virtual path cache for the packet. It describes
         *      how the packet travels inside Linux networking.
         */ 
-        if (likely(skb->dst == NULL)) {
+        if (skb->dst == NULL) {
                int err = ip_route_input(skb, iph->daddr, iph->saddr, iph->tos,
                                         skb->dev);
                if (unlikely(err)) {
diff --git a/net/ipv4/ip_options.c b/net/ipv4/ip_options.c
index 9bebad07bf2e..cbcae6544622 100644
--- a/net/ipv4/ip_options.c
+++ b/net/ipv4/ip_options.c
@@ -209,7 +209,7 @@ int ip_options_echo(struct ip_options * dopt, struct sk_buff * skb)
 void ip_options_fragment(struct sk_buff * skb) 
 {
-        unsigned char * optptr = skb->nh.raw;
+        unsigned char * optptr = skb->nh.raw + sizeof(struct iphdr);
        struct ip_options * opt = &(IPCB(skb)->opt);
        int  l = opt->optlen;
        int  optlen;
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index f75ff1d96551..cff9c3a72daf 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -86,8 +86,6 @@
 int sysctl_ip_default_ttl = IPDEFTTL;
-static int ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff*));
 /* Generate a checksum for an outgoing IP datagram. */
 __inline__ void ip_send_check(struct iphdr *iph)
 {
@@ -421,7 +419,7 @@ static void ip_copy_metadata(struct sk_buff *to, struct sk_buff *from)
 *      single device frame, and queue such a frame for sending.
 */
-static int ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff*))
+int ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff*))
 {
        struct iphdr *iph;
        int raw = 0;
@@ -673,6 +671,8 @@ fail:
        return err;
 }
+EXPORT_SYMBOL(ip_fragment);
 int
 ip_generic_getfrag(void *from, char *to, int offset, int len, int odd, struct sk_buff *skb)
 {
@@ -904,7 +904,7 @@ alloc_new_skb:
                         * because we have no idea what fragment will be
                         * the last.
                         */
-                        if (datalen == length)
+                        if (datalen == length + fraggap)
                                alloclen += rt->u.dst.trailer_len;
                        if (transhdrlen) {
diff --git a/net/ipv4/ipcomp.c b/net/ipv4/ipcomp.c
index 0a1d86a0f632..95278b22b669 100644
--- a/net/ipv4/ipcomp.c
+++ b/net/ipv4/ipcomp.c
@@ -210,7 +210,7 @@ static void ipcomp4_err(struct sk_buff *skb, u32 info)
            skb->h.icmph->code != ICMP_FRAG_NEEDED)
                return;
-        spi = ntohl(ntohs(ipch->cpi));
+        spi = htonl(ntohs(ipch->cpi));
        x = xfrm_state_lookup((xfrm_address_t *)&iph->daddr,
                              spi, IPPROTO_COMP, AF_INET);
        if (!x)
@@ -290,11 +290,8 @@ static void ipcomp_free_scratches(void)
        if (!scratches)
                return;
-        for_each_cpu(i) {
+        for_each_possible_cpu(i)
-                void *scratch = *per_cpu_ptr(scratches, i);
+                vfree(*per_cpu_ptr(scratches, i));
-                if (scratch)
-                        vfree(scratch);
-        }
        free_percpu(scratches);
 }
@@ -313,7 +310,7 @@ static void **ipcomp_alloc_scratches(void)
        ipcomp_scratches = scratches;
-        for_each_cpu(i) {
+        for_each_possible_cpu(i) {
                void *scratch = vmalloc(IPCOMP_SCRATCH_SIZE);
                if (!scratch)
                        return NULL;
@@ -344,7 +341,7 @@ static void ipcomp_free_tfms(struct crypto_tfm **tfms)
        if (!tfms)
                return;
-        for_each_cpu(cpu) {
+        for_each_possible_cpu(cpu) {
                struct crypto_tfm *tfm = *per_cpu_ptr(tfms, cpu);
                crypto_free_tfm(tfm);
        }
@@ -384,7 +381,7 @@ static struct crypto_tfm **ipcomp_alloc_tfms(const char *alg_name)
        if (!tfms)
                goto error;
-        for_each_cpu(cpu) {
+        for_each_possible_cpu(cpu) {
                struct crypto_tfm *tfm = crypto_alloc_tfm(alg_name, 0);
                if (!tfm)
                        goto error;
diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c
index eef07b0916a3..ea398ee43f28 100644
--- a/net/ipv4/ipip.c
+++ b/net/ipv4/ipip.c
@@ -474,9 +474,6 @@ static int ipip_rcv(struct sk_buff *skb)
        struct iphdr *iph;
        struct ip_tunnel *tunnel;
-        if (!pskb_may_pull(skb, sizeof(struct iphdr)))
-                goto out;
        iph = skb->nh.iph;
        read_lock(&ipip_lock);
@@ -508,7 +505,6 @@ static int ipip_rcv(struct sk_buff *skb)
        }
        read_unlock(&ipip_lock);
-out:
        return -1;
 }
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index b5ad9ac2fbcc..6a9e34b794bc 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -133,7 +133,7 @@ struct ip_rt_info {
        u_int8_t tos;
 };
-static void queue_save(const struct sk_buff *skb, struct nf_info *info)
+static void nf_ip_saveroute(const struct sk_buff *skb, struct nf_info *info)
 {
        struct ip_rt_info *rt_info = nf_info_reroute(info);
@@ -146,7 +146,7 @@ static void queue_save(const struct sk_buff *skb, struct nf_info *info)
        }
 }
-static int queue_reroute(struct sk_buff **pskb, const struct nf_info *info)
+static int nf_ip_reroute(struct sk_buff **pskb, const struct nf_info *info)
 {
        const struct ip_rt_info *rt_info = nf_info_reroute(info);
@@ -161,20 +161,54 @@ static int queue_reroute(struct sk_buff **pskb, const struct nf_info *info)
        return 0;
 }
-static struct nf_queue_rerouter ip_reroute = {
+unsigned int nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
-        .rer_size       = sizeof(struct ip_rt_info),
+                            unsigned int dataoff, u_int8_t protocol)
-        .save           = queue_save,
+{
-        .reroute        = queue_reroute,
+        struct iphdr *iph = skb->nh.iph;
+        unsigned int csum = 0;
+        switch (skb->ip_summed) {
+        case CHECKSUM_HW:
+                if (hook != NF_IP_PRE_ROUTING && hook != NF_IP_LOCAL_IN)
+                        break;
+                if ((protocol == 0 && !(u16)csum_fold(skb->csum)) ||
+                    !csum_tcpudp_magic(iph->saddr, iph->daddr,
+                                       skb->len - dataoff, protocol,
+                                       skb->csum)) {
+                        skb->ip_summed = CHECKSUM_UNNECESSARY;
+                        break;
+                }
+                /* fall through */
+        case CHECKSUM_NONE:
+                if (protocol == 0)
+                        skb->csum = 0;
+                else
+                        skb->csum = csum_tcpudp_nofold(iph->saddr, iph->daddr,
+                                                       skb->len - dataoff,
+                                                       protocol, 0);
+                csum = __skb_checksum_complete(skb);
+        }
+        return csum;
+}
+EXPORT_SYMBOL(nf_ip_checksum);
+static struct nf_afinfo nf_ip_afinfo = {
+        .family         = AF_INET,
+        .checksum       = nf_ip_checksum,
+        .saveroute      = nf_ip_saveroute,
+        .reroute        = nf_ip_reroute,
+        .route_key_size = sizeof(struct ip_rt_info),
 };
 static int ipv4_netfilter_init(void)
 {
-        return nf_register_queue_rerouter(PF_INET, &ip_reroute);
+        return nf_register_afinfo(&nf_ip_afinfo);
 }
 static void ipv4_netfilter_fini(void)
 {
-        nf_unregister_queue_rerouter(PF_INET);
+        nf_unregister_afinfo(&nf_ip_afinfo);
 }
 module_init(ipv4_netfilter_init);
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 77855ccd6b43..d4072533da21 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -69,6 +69,7 @@ config IP_NF_CONNTRACK_NETLINK
        tristate 'Connection tracking netlink interface (EXPERIMENTAL)'
        depends on EXPERIMENTAL && IP_NF_CONNTRACK && NETFILTER_NETLINK
        depends on IP_NF_CONNTRACK!=y || NETFILTER_NETLINK!=m
+        depends on IP_NF_NAT=n || IP_NF_NAT
        help
          This option enables support for a netlink-based userspace interface
@@ -169,8 +170,8 @@ config IP_NF_PPTP
          Documentation/modules.txt.  If unsure, say `N'.
 config IP_NF_H323
-        tristate  'H.323 protocol support'
+        tristate  'H.323 protocol support (EXPERIMENTAL)'
-        depends on IP_NF_CONNTRACK
+        depends on IP_NF_CONNTRACK && EXPERIMENTAL
        help
          H.323 is a VoIP signalling protocol from ITU-T. As one of the most
          important VoIP protocols, it is widely used by voice hardware and
@@ -344,7 +345,7 @@ config IP_NF_TARGET_LOG
          To compile it as a module, choose M here.  If unsure, say N.
 config IP_NF_TARGET_ULOG
-        tristate "ULOG target support (OBSOLETE)"
+        tristate "ULOG target support"
        depends on IP_NF_IPTABLES
        ---help---
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index a44a5d73457d..d0d19192026d 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -646,7 +646,7 @@ static int translate_table(const char *name,
        }
        /* And one copy for every other CPU */
-        for_each_cpu(i) {
+        for_each_possible_cpu(i) {
                if (newinfo->entries[i] && newinfo->entries[i] != entry0)
                        memcpy(newinfo->entries[i], entry0, newinfo->size);
        }
@@ -696,7 +696,7 @@ static void get_counters(const struct xt_table_info *t,
                           counters,
                           &i);
-        for_each_cpu(cpu) {
+        for_each_possible_cpu(cpu) {
                if (cpu == curcpu)
                        continue;
                i = 0;
@@ -948,7 +948,7 @@ static int do_add_counters(void __user *user, unsigned int len)
        write_lock_bh(&t->lock);
        private = t->private;
-        if (private->number != paddc->num_counters) {
+        if (private->number != tmp.num_counters) {
                ret = -EINVAL;
                goto unlock_up_free;
        }
diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c
index d0d379c7df9a..d7c472faa53b 100644
--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -181,33 +181,26 @@ static struct nf_hook_ops arpt_ops[] = {
 static int __init arptable_filter_init(void)
 {
-        int ret, i;
+        int ret;
        /* Register table */
        ret = arpt_register_table(&packet_filter, &initial_table.repl);
        if (ret < 0)
                return ret;
-        for (i = 0; i < ARRAY_SIZE(arpt_ops); i++)
+        ret = nf_register_hooks(arpt_ops, ARRAY_SIZE(arpt_ops));
-                if ((ret = nf_register_hook(&arpt_ops[i])) < 0)
+        if (ret < 0)
-                        goto cleanup_hooks;
+                goto cleanup_table;
        return ret;
-cleanup_hooks:
+cleanup_table:
-        while (--i >= 0)
-                nf_unregister_hook(&arpt_ops[i]);
        arpt_unregister_table(&packet_filter);
        return ret;
 }
 static void __exit arptable_filter_fini(void)
 {
-        unsigned int i;
+        nf_unregister_hooks(arpt_ops, ARRAY_SIZE(arpt_ops));
-        for (i = 0; i < ARRAY_SIZE(arpt_ops); i++)
-                nf_unregister_hook(&arpt_ops[i]);
        arpt_unregister_table(&packet_filter);
 }
diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c
index ceaabc18202b..a297da7bbef5 100644
--- a/net/ipv4/netfilter/ip_conntrack_core.c
+++ b/net/ipv4/netfilter/ip_conntrack_core.c
@@ -133,7 +133,7 @@ static void ip_ct_event_cache_flush(void)
        struct ip_conntrack_ecache *ecache;
        int cpu;
-        for_each_cpu(cpu) {
+        for_each_possible_cpu(cpu) {
                ecache = &per_cpu(ip_conntrack_ecache, cpu);
                if (ecache->ct)
                        ip_conntrack_put(ecache->ct);
@@ -1318,6 +1318,7 @@ getorigdst(struct sock *sk, int optval, void __user *user, int *len)
                        .tuple.dst.u.tcp.port;
                sin.sin_addr.s_addr = ct->tuplehash[IP_CT_DIR_ORIGINAL]
                        .tuple.dst.ip;
+                memset(sin.sin_zero, 0, sizeof(sin.sin_zero));
                DEBUGP("SO_ORIGINAL_DST: %u.%u.%u.%u %u\n",
                       NIPQUAD(sin.sin_addr.s_addr), ntohs(sin.sin_port));
diff --git a/net/ipv4/netfilter/ip_conntrack_helper_h323.c b/net/ipv4/netfilter/ip_conntrack_helper_h323.c
index daeb1395faa4..518f581d39ec 100644
--- a/net/ipv4/netfilter/ip_conntrack_helper_h323.c
+++ b/net/ipv4/netfilter/ip_conntrack_helper_h323.c
@@ -9,37 +9,6 @@
 * Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
 *
 * For more information, please see http://nath323.sourceforge.net/
- *
- * Changes:
- *      2006-02-01 - initial version 0.1
- *
- *      2006-02-20 - version 0.2
- *        1. Changed source format to follow kernel conventions
- *        2. Deleted some unnecessary structures
- *        3. Minor fixes
- *
- *      2006-03-10 - version 0.3
- *        1. Added support for multiple TPKTs in one packet (suggested by
- *           Patrick McHardy)
- *        2. Avoid excessive stack usage (based on Patrick McHardy's patch)
- *        3. Added support for non-linear skb (based on Patrick McHardy's patch)
- *        4. Fixed missing H.245 module owner (Patrick McHardy)
- *        5. Avoid long RAS expectation chains (Patrick McHardy)
- *        6. Fixed incorrect __exit attribute (Patrick McHardy)
- *        7. Eliminated unnecessary return code
- *        8. Fixed incorrect use of NAT data from conntrack code (suggested by
- *           Patrick McHardy)
- *        9. Fixed TTL calculation error in RCF
- *        10. Added TTL support in RRQ
- *        11. Better support for separate TPKT header and data
- *
- *      2006-03-15 - version 0.4
- *        1. Added support for T.120 channels
- *        2. Added parameter gkrouted_only (suggested by Patrick McHardy)
- *        3. Splitted ASN.1 code and data (suggested by Patrick McHardy)
- *        4. Sort ASN.1 data to avoid forwarding declarations (suggested by
- *           Patrick McHardy)
- *        5. Reset next TPKT data length in get_tpkt_data()
 */
 #include <linux/config.h>
@@ -54,8 +23,6 @@
 #include <linux/netfilter_ipv4/ip_conntrack_h323.h>
 #include <linux/moduleparam.h>
-#include "ip_conntrack_helper_h323_asn1.h"
 #if 0
 #define DEBUGP printk
 #else
@@ -63,6 +30,10 @@
 #endif
 /* Parameters */
+static unsigned int default_rrq_ttl = 300;
+module_param(default_rrq_ttl, uint, 0600);
+MODULE_PARM_DESC(default_rrq_ttl, "use this TTL if it's missing in RRQ");
 static int gkrouted_only = 1;
 module_param(gkrouted_only, int, 0600);
 MODULE_PARM_DESC(gkrouted_only, "only accept calls from gatekeeper");
@@ -191,6 +162,8 @@ static int get_tpkt_data(struct sk_buff **pskb, struct ip_conntrack *ct,
        /* Validate TPKT length */
        tpktlen = tpkt[2] * 256 + tpkt[3];
+        if (tpktlen < 4)
+                goto clear_out;
        if (tpktlen > tcpdatalen) {
                if (tcpdatalen == 4) {  /* Separate TPKT header */
                        /* Netmeeting sends TPKT header and data separately */
@@ -222,8 +195,8 @@ static int get_tpkt_data(struct sk_buff **pskb, struct ip_conntrack *ct,
 }
 /****************************************************************************/
-int get_h245_addr(unsigned char *data, H245_TransportAddress * addr,
+static int get_h245_addr(unsigned char *data, H245_TransportAddress * addr,
-                  u_int32_t * ip, u_int16_t * port)
+                         u_int32_t * ip, u_int16_t * port)
 {
        unsigned char *p;
@@ -1302,7 +1275,7 @@ static int process_rrq(struct sk_buff **pskb, struct ip_conntrack *ct,
                DEBUGP("ip_ct_ras: RRQ TTL = %u seconds\n", rrq->timeToLive);
                info->timeout = rrq->timeToLive;
        } else
-                info->timeout = 0;
+                info->timeout = default_rrq_ttl;
        return 0;
 }
@@ -1713,18 +1686,17 @@ static int __init init(void)
 module_init(init);
 module_exit(fini);
-EXPORT_SYMBOL(get_h245_addr);
+EXPORT_SYMBOL_GPL(get_h225_addr);
-EXPORT_SYMBOL(get_h225_addr);
+EXPORT_SYMBOL_GPL(ip_conntrack_h245_expect);
-EXPORT_SYMBOL(ip_conntrack_h245_expect);
+EXPORT_SYMBOL_GPL(ip_conntrack_q931_expect);
-EXPORT_SYMBOL(ip_conntrack_q931_expect);
+EXPORT_SYMBOL_GPL(set_h245_addr_hook);
-EXPORT_SYMBOL(set_h245_addr_hook);
+EXPORT_SYMBOL_GPL(set_h225_addr_hook);
-EXPORT_SYMBOL(set_h225_addr_hook);
+EXPORT_SYMBOL_GPL(set_sig_addr_hook);
-EXPORT_SYMBOL(set_sig_addr_hook);
+EXPORT_SYMBOL_GPL(set_ras_addr_hook);
-EXPORT_SYMBOL(set_ras_addr_hook);
+EXPORT_SYMBOL_GPL(nat_rtp_rtcp_hook);
-EXPORT_SYMBOL(nat_rtp_rtcp_hook);
+EXPORT_SYMBOL_GPL(nat_t120_hook);
-EXPORT_SYMBOL(nat_t120_hook);
+EXPORT_SYMBOL_GPL(nat_h245_hook);
-EXPORT_SYMBOL(nat_h245_hook);
+EXPORT_SYMBOL_GPL(nat_q931_hook);
-EXPORT_SYMBOL(nat_q931_hook);
 MODULE_AUTHOR("Jing Min Zhao <zhaojingmin@users.sourceforge.net>");
 MODULE_DESCRIPTION("H.323 connection tracking helper");
diff --git a/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c b/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c
index afa525129b51..26dfecadb335 100644
--- a/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c
+++ b/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c
@@ -2,7 +2,7 @@
 * ip_conntrack_helper_h323_asn1.c - BER and PER decoding library for H.323
 *                                   conntrack/NAT module.
 *
- * Copyright (c) 2006 by Jing Min Zhao <zhaojingmin@hotmail.com>
+ * Copyright (c) 2006 by Jing Min Zhao <zhaojingmin@users.sourceforge.net>
 *
 * This source code is licensed under General Public License version 2.
 *
@@ -15,7 +15,7 @@
 #else
 #include <stdio.h>
 #endif
-#include "ip_conntrack_helper_h323_asn1.h"
+#include <linux/netfilter_ipv4/ip_conntrack_helper_h323_asn1.h>
 /* Trace Flag */
 #ifndef H323_TRACE
@@ -528,14 +528,15 @@ int decode_seq(bitstr_t * bs, field_t * f, char *base, int level)
                        /* Decode */
                        if ((err = (Decoders[son->type]) (bs, son, base,
-                                                          level + 1)) >
+                                                          level + 1)) <
-                            H323_ERROR_STOP)
+                            H323_ERROR_NONE)
                                return err;
                        bs->cur = beg + len;
                        bs->bit = 0;
                } else if ((err = (Decoders[son->type]) (bs, son, base,
-                                                         level + 1)))
+                                                         level + 1)) <
+                           H323_ERROR_NONE)
                        return err;
        }
@@ -554,7 +555,7 @@ int decode_seq(bitstr_t * bs, field_t * f, char *base, int level)
        /* Decode the extension components */
        for (opt = 0; opt < bmp2_len; opt++, i++, son++) {
-                if (son->attr & STOP) {
+                if (i < f->ub && son->attr & STOP) {
                        PRINT("%*.s%s\n", (level + 1) * TAB_SIZE, " ",
                              son->name);
                        return H323_ERROR_STOP;
@@ -584,8 +585,8 @@ int decode_seq(bitstr_t * bs, field_t * f, char *base, int level)
                beg = bs->cur;
                if ((err = (Decoders[son->type]) (bs, son, base,
-                                                  level + 1)) >
+                                                  level + 1)) <
-                    H323_ERROR_STOP)
+                    H323_ERROR_NONE)
                        return err;
                bs->cur = beg + len;
@@ -660,18 +661,20 @@ int decode_seqof(bitstr_t * bs, field_t * f, char *base, int level)
                                                          i <
                                                          effective_count ?
                                                          base : NULL,
-                                                          level + 1)) >
+                                                          level + 1)) <
-                            H323_ERROR_STOP)
+                            H323_ERROR_NONE)
                                return err;
                        bs->cur = beg + len;
                        bs->bit = 0;
                } else
-                    if ((err = (Decoders[son->type]) (bs, son,
+                        if ((err = (Decoders[son->type]) (bs, son,
-                                                      i < effective_count ?
+                                                          i <
-                                                      base : NULL,
+                                                          effective_count ?
-                                                      level + 1)))
+                                                          base : NULL,
-                        return err;
+                                                          level + 1)) <
+                            H323_ERROR_NONE)
+                                return err;
                if (base)
                        base += son->offset;
@@ -703,6 +706,10 @@ int decode_choice(bitstr_t * bs, field_t * f, char *base, int level)
                type = get_bits(bs, f->sz);
        }
+        /* Write Type */
+        if (base)
+                *(unsigned *) base = type;
        /* Check Range */
        if (type >= f->ub) {    /* Newer version? */
                BYTE_ALIGN(bs);
@@ -712,10 +719,6 @@ int decode_choice(bitstr_t * bs, field_t * f, char *base, int level)
                return H323_ERROR_NONE;
        }
-        /* Write Type */
-        if (base)
-                *(unsigned *) base = type;
        /* Transfer to son level */
        son = &f->fields[type];
        if (son->attr & STOP) {
@@ -735,13 +738,14 @@ int decode_choice(bitstr_t * bs, field_t * f, char *base, int level)
                }
                beg = bs->cur;
-                if ((err = (Decoders[son->type]) (bs, son, base, level + 1)) >
+                if ((err = (Decoders[son->type]) (bs, son, base, level + 1)) <
-                    H323_ERROR_STOP)
+                    H323_ERROR_NONE)
                        return err;
                bs->cur = beg + len;
                bs->bit = 0;
-        } else if ((err = (Decoders[son->type]) (bs, son, base, level + 1)))
+        } else if ((err = (Decoders[son->type]) (bs, son, base, level + 1)) <
+                   H323_ERROR_NONE)
                return err;
        return H323_ERROR_NONE;
diff --git a/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.h b/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.h
deleted file mode 100644
index 0bd828081c0c..000000000000
--- a/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.h
+++ /dev/null
@@ -1,98 +0,0 @@
-/****************************************************************************
- * ip_conntrack_helper_h323_asn1.h - BER and PER decoding library for H.323
- *                                   conntrack/NAT module.
- *
- * Copyright (c) 2006 by Jing Min Zhao <zhaojingmin@hotmail.com>
- *
- * This source code is licensed under General Public License version 2.
- *
- *
- * This library is based on H.225 version 4, H.235 version 2 and H.245
- * version 7. It is extremely optimized to decode only the absolutely
- * necessary objects in a signal for Linux kernel NAT module use, so don't
- * expect it to be a full ASN.1 library.
- *
- * Features:
- *
- * 1. Small. The total size of code plus data is less than 20 KB (IA32).
- * 2. Fast. Decoding Netmeeting's Setup signal 1 million times on a PIII 866
- *    takes only 3.9 seconds.
- * 3. No memory allocation. It uses a static object. No need to initialize or
- *    cleanup.
- * 4. Thread safe.
- * 5. Support embedded architectures that has no misaligned memory access
- *    support.
- *
- * Limitations:
- *
- * 1. At most 30 faststart entries. Actually this is limited by ethernet's MTU.
- *    If a Setup signal contains more than 30 faststart, the packet size will
- *    very likely exceed the MTU size, then the TPKT will be fragmented. I
- *    don't know how to handle this in a Netfilter module. Anybody can help?
- *    Although I think 30 is enough for most of the cases.
- * 2. IPv4 addresses only.
- *
- ****************************************************************************/
-#ifndef _IP_CONNTRACK_HELPER_H323_ASN1_H_
-#define _IP_CONNTRACK_HELPER_H323_ASN1_H_
-/*****************************************************************************
- * H.323 Types
- ****************************************************************************/
-#include "ip_conntrack_helper_h323_types.h"
-typedef struct {
-        enum {
-                Q931_NationalEscape = 0x00,
-                Q931_Alerting = 0x01,
-                Q931_CallProceeding = 0x02,
-                Q931_Connect = 0x07,
-                Q931_ConnectAck = 0x0F,
-                Q931_Progress = 0x03,
-                Q931_Setup = 0x05,
-                Q931_SetupAck = 0x0D,
-                Q931_Resume = 0x26,
-                Q931_ResumeAck = 0x2E,
-                Q931_ResumeReject = 0x22,
-                Q931_Suspend = 0x25,
-                Q931_SuspendAck = 0x2D,
-                Q931_SuspendReject = 0x21,
-                Q931_UserInformation = 0x20,
-                Q931_Disconnect = 0x45,
-                Q931_Release = 0x4D,
-                Q931_ReleaseComplete = 0x5A,
-                Q931_Restart = 0x46,
-                Q931_RestartAck = 0x4E,
-                Q931_Segment = 0x60,
-                Q931_CongestionCtrl = 0x79,
-                Q931_Information = 0x7B,
-                Q931_Notify = 0x6E,
-                Q931_Status = 0x7D,
-                Q931_StatusEnquiry = 0x75,
-                Q931_Facility = 0x62
-        } MessageType;
-        H323_UserInformation UUIE;
-} Q931;
-/*****************************************************************************
- * Decode Functions Return Codes
- ****************************************************************************/
-#define H323_ERROR_NONE 0       /* Decoded successfully */
-#define H323_ERROR_STOP 1       /* Decoding stopped, not really an error */
-#define H323_ERROR_BOUND -1
-#define H323_ERROR_RANGE -2
-/*****************************************************************************
- * Decode Functions
- ****************************************************************************/
-int DecodeRasMessage(unsigned char *buf, size_t sz, RasMessage * ras);
-int DecodeQ931(unsigned char *buf, size_t sz, Q931 * q931);
-int DecodeMultimediaSystemControlMessage(unsigned char *buf, size_t sz,
-                                         MultimediaSystemControlMessage *
-                                         mscm);
-#endif
diff --git a/net/ipv4/netfilter/ip_conntrack_helper_h323_types.h b/net/ipv4/netfilter/ip_conntrack_helper_h323_types.h
deleted file mode 100644
index cc98f7aa5abe..000000000000
--- a/net/ipv4/netfilter/ip_conntrack_helper_h323_types.h
+++ /dev/null
@@ -1,938 +0,0 @@
-/* Generated by Jing Min Zhao's ASN.1 parser, Mar 15 2006
- *
- * Copyright (c) 2006 Jing Min Zhao <zhaojingmin@users.sourceforge.net>
- *
- * This source code is licensed under General Public License version 2.
- */
-typedef struct TransportAddress_ipAddress {     /* SEQUENCE */
-        int options;            /* No use */
-        unsigned ip;
-} TransportAddress_ipAddress;
-typedef struct TransportAddress {       /* CHOICE */
-        enum {
-                eTransportAddress_ipAddress,
-                eTransportAddress_ipSourceRoute,
-                eTransportAddress_ipxAddress,
-                eTransportAddress_ip6Address,
-                eTransportAddress_netBios,
-                eTransportAddress_nsap,
-                eTransportAddress_nonStandardAddress,
-        } choice;
-        union {
-                TransportAddress_ipAddress ipAddress;
-        };
-} TransportAddress;
-typedef struct DataProtocolCapability { /* CHOICE */
-        enum {
-                eDataProtocolCapability_nonStandard,
-                eDataProtocolCapability_v14buffered,
-                eDataProtocolCapability_v42lapm,
-                eDataProtocolCapability_hdlcFrameTunnelling,
-                eDataProtocolCapability_h310SeparateVCStack,
-                eDataProtocolCapability_h310SingleVCStack,
-                eDataProtocolCapability_transparent,
-                eDataProtocolCapability_segmentationAndReassembly,
-                eDataProtocolCapability_hdlcFrameTunnelingwSAR,
-                eDataProtocolCapability_v120,
-                eDataProtocolCapability_separateLANStack,
-                eDataProtocolCapability_v76wCompression,
-                eDataProtocolCapability_tcp,
-                eDataProtocolCapability_udp,
-        } choice;
-} DataProtocolCapability;
-typedef struct DataApplicationCapability_application {  /* CHOICE */
-        enum {
-                eDataApplicationCapability_application_nonStandard,
-                eDataApplicationCapability_application_t120,
-                eDataApplicationCapability_application_dsm_cc,
-                eDataApplicationCapability_application_userData,
-                eDataApplicationCapability_application_t84,
-                eDataApplicationCapability_application_t434,
-                eDataApplicationCapability_application_h224,
-                eDataApplicationCapability_application_nlpid,
-                eDataApplicationCapability_application_dsvdControl,
-                eDataApplicationCapability_application_h222DataPartitioning,
-                eDataApplicationCapability_application_t30fax,
-                eDataApplicationCapability_application_t140,
-                eDataApplicationCapability_application_t38fax,
-                eDataApplicationCapability_application_genericDataCapability,
-        } choice;
-        union {
-                DataProtocolCapability t120;
-        };
-} DataApplicationCapability_application;
-typedef struct DataApplicationCapability {      /* SEQUENCE */
-        int options;            /* No use */
-        DataApplicationCapability_application application;
-} DataApplicationCapability;
-typedef struct DataType {       /* CHOICE */
-        enum {
-                eDataType_nonStandard,
-                eDataType_nullData,
-                eDataType_videoData,
-                eDataType_audioData,
-                eDataType_data,
-                eDataType_encryptionData,
-                eDataType_h235Control,
-                eDataType_h235Media,
-                eDataType_multiplexedStream,
-        } choice;
-        union {
-                DataApplicationCapability data;
-        };
-} DataType;
-typedef struct UnicastAddress_iPAddress {       /* SEQUENCE */
-        int options;            /* No use */
-        unsigned network;
-} UnicastAddress_iPAddress;
-typedef struct UnicastAddress { /* CHOICE */
-        enum {
-                eUnicastAddress_iPAddress,
-                eUnicastAddress_iPXAddress,
-                eUnicastAddress_iP6Address,
-                eUnicastAddress_netBios,
-                eUnicastAddress_iPSourceRouteAddress,
-                eUnicastAddress_nsap,
-                eUnicastAddress_nonStandardAddress,
-        } choice;
-        union {
-                UnicastAddress_iPAddress iPAddress;
-        };
-} UnicastAddress;
-typedef struct H245_TransportAddress {  /* CHOICE */
-        enum {
-                eH245_TransportAddress_unicastAddress,
-                eH245_TransportAddress_multicastAddress,
-        } choice;
-        union {
-                UnicastAddress unicastAddress;
-        };
-} H245_TransportAddress;
-typedef struct H2250LogicalChannelParameters {  /* SEQUENCE */
-        enum {
-                eH2250LogicalChannelParameters_nonStandard = (1 << 31),
-                eH2250LogicalChannelParameters_associatedSessionID =
-                    (1 << 30),
-                eH2250LogicalChannelParameters_mediaChannel = (1 << 29),
-                eH2250LogicalChannelParameters_mediaGuaranteedDelivery =
-                    (1 << 28),
-                eH2250LogicalChannelParameters_mediaControlChannel =
-                    (1 << 27),
-                eH2250LogicalChannelParameters_mediaControlGuaranteedDelivery
-                    = (1 << 26),
-                eH2250LogicalChannelParameters_silenceSuppression = (1 << 25),
-                eH2250LogicalChannelParameters_destination = (1 << 24),
-                eH2250LogicalChannelParameters_dynamicRTPPayloadType =
-                    (1 << 23),
-                eH2250LogicalChannelParameters_mediaPacketization = (1 << 22),
-                eH2250LogicalChannelParameters_transportCapability =
-                    (1 << 21),
-                eH2250LogicalChannelParameters_redundancyEncoding = (1 << 20),
-                eH2250LogicalChannelParameters_source = (1 << 19),
-        } options;
-        H245_TransportAddress mediaChannel;
-        H245_TransportAddress mediaControlChannel;
-} H2250LogicalChannelParameters;
-typedef struct OpenLogicalChannel_forwardLogicalChannelParameters_multiplexParameters { /* CHOICE */
-        enum {
-                eOpenLogicalChannel_forwardLogicalChannelParameters_multiplexParameters_h222LogicalChannelParameters,
-                eOpenLogicalChannel_forwardLogicalChannelParameters_multiplexParameters_h223LogicalChannelParameters,
-                eOpenLogicalChannel_forwardLogicalChannelParameters_multiplexParameters_v76LogicalChannelParameters,
-                eOpenLogicalChannel_forwardLogicalChannelParameters_multiplexParameters_h2250LogicalChannelParameters,
-                eOpenLogicalChannel_forwardLogicalChannelParameters_multiplexParameters_none,
-        } choice;
-        union {
-                H2250LogicalChannelParameters h2250LogicalChannelParameters;
-        };
-} OpenLogicalChannel_forwardLogicalChannelParameters_multiplexParameters;
-typedef struct OpenLogicalChannel_forwardLogicalChannelParameters {     /* SEQUENCE */
-        enum {
-                eOpenLogicalChannel_forwardLogicalChannelParameters_portNumber
-                    = (1 << 31),
-                eOpenLogicalChannel_forwardLogicalChannelParameters_forwardLogicalChannelDependency
-                    = (1 << 30),
-                eOpenLogicalChannel_forwardLogicalChannelParameters_replacementFor
-                    = (1 << 29),
-        } options;
-        DataType dataType;
-        OpenLogicalChannel_forwardLogicalChannelParameters_multiplexParameters
-            multiplexParameters;
-} OpenLogicalChannel_forwardLogicalChannelParameters;
-typedef struct OpenLogicalChannel_reverseLogicalChannelParameters_multiplexParameters { /* CHOICE */
-        enum {
-                eOpenLogicalChannel_reverseLogicalChannelParameters_multiplexParameters_h223LogicalChannelParameters,
-                eOpenLogicalChannel_reverseLogicalChannelParameters_multiplexParameters_v76LogicalChannelParameters,
-                eOpenLogicalChannel_reverseLogicalChannelParameters_multiplexParameters_h2250LogicalChannelParameters,
-        } choice;
-        union {
-                H2250LogicalChannelParameters h2250LogicalChannelParameters;
-        };
-} OpenLogicalChannel_reverseLogicalChannelParameters_multiplexParameters;
-typedef struct OpenLogicalChannel_reverseLogicalChannelParameters {     /* SEQUENCE */
-        enum {
-                eOpenLogicalChannel_reverseLogicalChannelParameters_multiplexParameters
-                    = (1 << 31),
-                eOpenLogicalChannel_reverseLogicalChannelParameters_reverseLogicalChannelDependency
-                    = (1 << 30),
-                eOpenLogicalChannel_reverseLogicalChannelParameters_replacementFor
-                    = (1 << 29),
-        } options;
-        OpenLogicalChannel_reverseLogicalChannelParameters_multiplexParameters
-            multiplexParameters;
-} OpenLogicalChannel_reverseLogicalChannelParameters;
-typedef struct NetworkAccessParameters_networkAddress { /* CHOICE */
-        enum {
-                eNetworkAccessParameters_networkAddress_q2931Address,
-                eNetworkAccessParameters_networkAddress_e164Address,
-                eNetworkAccessParameters_networkAddress_localAreaAddress,
-        } choice;
-        union {
-                H245_TransportAddress localAreaAddress;
-        };
-} NetworkAccessParameters_networkAddress;
-typedef struct NetworkAccessParameters {        /* SEQUENCE */
-        enum {
-                eNetworkAccessParameters_distribution = (1 << 31),
-                eNetworkAccessParameters_externalReference = (1 << 30),
-                eNetworkAccessParameters_t120SetupProcedure = (1 << 29),
-        } options;
-        NetworkAccessParameters_networkAddress networkAddress;
-} NetworkAccessParameters;
-typedef struct OpenLogicalChannel {     /* SEQUENCE */
-        enum {
-                eOpenLogicalChannel_reverseLogicalChannelParameters =
-                    (1 << 31),
-                eOpenLogicalChannel_separateStack = (1 << 30),
-                eOpenLogicalChannel_encryptionSync = (1 << 29),
-        } options;
-        OpenLogicalChannel_forwardLogicalChannelParameters
-            forwardLogicalChannelParameters;
-        OpenLogicalChannel_reverseLogicalChannelParameters
-            reverseLogicalChannelParameters;
-        NetworkAccessParameters separateStack;
-} OpenLogicalChannel;
-typedef struct Setup_UUIE_fastStart {   /* SEQUENCE OF */
-        int count;
-        OpenLogicalChannel item[30];
-} Setup_UUIE_fastStart;
-typedef struct Setup_UUIE {     /* SEQUENCE */
-        enum {
-                eSetup_UUIE_h245Address = (1 << 31),
-                eSetup_UUIE_sourceAddress = (1 << 30),
-                eSetup_UUIE_destinationAddress = (1 << 29),
-                eSetup_UUIE_destCallSignalAddress = (1 << 28),
-                eSetup_UUIE_destExtraCallInfo = (1 << 27),
-                eSetup_UUIE_destExtraCRV = (1 << 26),
-                eSetup_UUIE_callServices = (1 << 25),
-                eSetup_UUIE_sourceCallSignalAddress = (1 << 24),
-                eSetup_UUIE_remoteExtensionAddress = (1 << 23),
-                eSetup_UUIE_callIdentifier = (1 << 22),
-                eSetup_UUIE_h245SecurityCapability = (1 << 21),
-                eSetup_UUIE_tokens = (1 << 20),
-                eSetup_UUIE_cryptoTokens = (1 << 19),
-                eSetup_UUIE_fastStart = (1 << 18),
-                eSetup_UUIE_mediaWaitForConnect = (1 << 17),
-                eSetup_UUIE_canOverlapSend = (1 << 16),
-                eSetup_UUIE_endpointIdentifier = (1 << 15),
-                eSetup_UUIE_multipleCalls = (1 << 14),
-                eSetup_UUIE_maintainConnection = (1 << 13),
-                eSetup_UUIE_connectionParameters = (1 << 12),
-                eSetup_UUIE_language = (1 << 11),
-                eSetup_UUIE_presentationIndicator = (1 << 10),
-                eSetup_UUIE_screeningIndicator = (1 << 9),
-                eSetup_UUIE_serviceControl = (1 << 8),
-                eSetup_UUIE_symmetricOperationRequired = (1 << 7),
-                eSetup_UUIE_capacity = (1 << 6),
-                eSetup_UUIE_circuitInfo = (1 << 5),
-                eSetup_UUIE_desiredProtocols = (1 << 4),
-                eSetup_UUIE_neededFeatures = (1 << 3),
-                eSetup_UUIE_desiredFeatures = (1 << 2),
-                eSetup_UUIE_supportedFeatures = (1 << 1),
-                eSetup_UUIE_parallelH245Control = (1 << 0),
-        } options;
-        TransportAddress h245Address;
-        TransportAddress destCallSignalAddress;
-        TransportAddress sourceCallSignalAddress;
-        Setup_UUIE_fastStart fastStart;
-} Setup_UUIE;
-typedef struct CallProceeding_UUIE_fastStart {  /* SEQUENCE OF */
-        int count;
-        OpenLogicalChannel item[30];
-} CallProceeding_UUIE_fastStart;
-typedef struct CallProceeding_UUIE {    /* SEQUENCE */
-        enum {
-                eCallProceeding_UUIE_h245Address = (1 << 31),
-                eCallProceeding_UUIE_callIdentifier = (1 << 30),
-                eCallProceeding_UUIE_h245SecurityMode = (1 << 29),
-                eCallProceeding_UUIE_tokens = (1 << 28),
-                eCallProceeding_UUIE_cryptoTokens = (1 << 27),
-                eCallProceeding_UUIE_fastStart = (1 << 26),
-                eCallProceeding_UUIE_multipleCalls = (1 << 25),
-                eCallProceeding_UUIE_maintainConnection = (1 << 24),
-                eCallProceeding_UUIE_fastConnectRefused = (1 << 23),
-                eCallProceeding_UUIE_featureSet = (1 << 22),
-        } options;
-        TransportAddress h245Address;
-        CallProceeding_UUIE_fastStart fastStart;
-} CallProceeding_UUIE;
-typedef struct Connect_UUIE_fastStart { /* SEQUENCE OF */
-        int count;
-        OpenLogicalChannel item[30];
-} Connect_UUIE_fastStart;
-typedef struct Connect_UUIE {   /* SEQUENCE */
-        enum {
-                eConnect_UUIE_h245Address = (1 << 31),
-                eConnect_UUIE_callIdentifier = (1 << 30),
-                eConnect_UUIE_h245SecurityMode = (1 << 29),
-                eConnect_UUIE_tokens = (1 << 28),
-                eConnect_UUIE_cryptoTokens = (1 << 27),
-                eConnect_UUIE_fastStart = (1 << 26),
-                eConnect_UUIE_multipleCalls = (1 << 25),
-                eConnect_UUIE_maintainConnection = (1 << 24),
-                eConnect_UUIE_language = (1 << 23),
-                eConnect_UUIE_connectedAddress = (1 << 22),
-                eConnect_UUIE_presentationIndicator = (1 << 21),
-                eConnect_UUIE_screeningIndicator = (1 << 20),
-                eConnect_UUIE_fastConnectRefused = (1 << 19),
-                eConnect_UUIE_serviceControl = (1 << 18),
-                eConnect_UUIE_capacity = (1 << 17),
-                eConnect_UUIE_featureSet = (1 << 16),
-        } options;
-        TransportAddress h245Address;
-        Connect_UUIE_fastStart fastStart;
-} Connect_UUIE;
-typedef struct Alerting_UUIE_fastStart {        /* SEQUENCE OF */
-        int count;
-        OpenLogicalChannel item[30];
-} Alerting_UUIE_fastStart;
-typedef struct Alerting_UUIE {  /* SEQUENCE */
-        enum {
-                eAlerting_UUIE_h245Address = (1 << 31),
-                eAlerting_UUIE_callIdentifier = (1 << 30),
-                eAlerting_UUIE_h245SecurityMode = (1 << 29),
-                eAlerting_UUIE_tokens = (1 << 28),
-                eAlerting_UUIE_cryptoTokens = (1 << 27),
-                eAlerting_UUIE_fastStart = (1 << 26),
-                eAlerting_UUIE_multipleCalls = (1 << 25),
-                eAlerting_UUIE_maintainConnection = (1 << 24),
-                eAlerting_UUIE_alertingAddress = (1 << 23),
-                eAlerting_UUIE_presentationIndicator = (1 << 22),
-                eAlerting_UUIE_screeningIndicator = (1 << 21),
-                eAlerting_UUIE_fastConnectRefused = (1 << 20),
-                eAlerting_UUIE_serviceControl = (1 << 19),
-                eAlerting_UUIE_capacity = (1 << 18),
-                eAlerting_UUIE_featureSet = (1 << 17),
-        } options;
-        TransportAddress h245Address;
-        Alerting_UUIE_fastStart fastStart;
-} Alerting_UUIE;
-typedef struct Information_UUIE_fastStart {     /* SEQUENCE OF */
-        int count;
-        OpenLogicalChannel item[30];
-} Information_UUIE_fastStart;
-typedef struct Information_UUIE {       /* SEQUENCE */
-        enum {
-                eInformation_UUIE_callIdentifier = (1 << 31),
-                eInformation_UUIE_tokens = (1 << 30),
-                eInformation_UUIE_cryptoTokens = (1 << 29),
-                eInformation_UUIE_fastStart = (1 << 28),
-                eInformation_UUIE_fastConnectRefused = (1 << 27),
-                eInformation_UUIE_circuitInfo = (1 << 26),
-        } options;
-        Information_UUIE_fastStart fastStart;
-} Information_UUIE;
-typedef struct FacilityReason { /* CHOICE */
-        enum {
-                eFacilityReason_routeCallToGatekeeper,
-                eFacilityReason_callForwarded,
-                eFacilityReason_routeCallToMC,
-                eFacilityReason_undefinedReason,
-                eFacilityReason_conferenceListChoice,
-                eFacilityReason_startH245,
-                eFacilityReason_noH245,
-                eFacilityReason_newTokens,
-                eFacilityReason_featureSetUpdate,
-                eFacilityReason_forwardedElements,
-                eFacilityReason_transportedInformation,
-        } choice;
-} FacilityReason;
-typedef struct Facility_UUIE_fastStart {        /* SEQUENCE OF */
-        int count;
-        OpenLogicalChannel item[30];
-} Facility_UUIE_fastStart;
-typedef struct Facility_UUIE {  /* SEQUENCE */
-        enum {
-                eFacility_UUIE_alternativeAddress = (1 << 31),
-                eFacility_UUIE_alternativeAliasAddress = (1 << 30),
-                eFacility_UUIE_conferenceID = (1 << 29),
-                eFacility_UUIE_callIdentifier = (1 << 28),
-                eFacility_UUIE_destExtraCallInfo = (1 << 27),
-                eFacility_UUIE_remoteExtensionAddress = (1 << 26),
-                eFacility_UUIE_tokens = (1 << 25),
-                eFacility_UUIE_cryptoTokens = (1 << 24),
-                eFacility_UUIE_conferences = (1 << 23),
-                eFacility_UUIE_h245Address = (1 << 22),
-                eFacility_UUIE_fastStart = (1 << 21),
-                eFacility_UUIE_multipleCalls = (1 << 20),
-                eFacility_UUIE_maintainConnection = (1 << 19),
-                eFacility_UUIE_fastConnectRefused = (1 << 18),
-                eFacility_UUIE_serviceControl = (1 << 17),
-                eFacility_UUIE_circuitInfo = (1 << 16),
-                eFacility_UUIE_featureSet = (1 << 15),
-                eFacility_UUIE_destinationInfo = (1 << 14),
-                eFacility_UUIE_h245SecurityMode = (1 << 13),
-        } options;
-        FacilityReason reason;
-        TransportAddress h245Address;
-        Facility_UUIE_fastStart fastStart;
-} Facility_UUIE;
-typedef struct Progress_UUIE_fastStart {        /* SEQUENCE OF */
-        int count;
-        OpenLogicalChannel item[30];
-} Progress_UUIE_fastStart;
-typedef struct Progress_UUIE {  /* SEQUENCE */
-        enum {
-                eProgress_UUIE_h245Address = (1 << 31),
-                eProgress_UUIE_h245SecurityMode = (1 << 30),
-                eProgress_UUIE_tokens = (1 << 29),
-                eProgress_UUIE_cryptoTokens = (1 << 28),
-                eProgress_UUIE_fastStart = (1 << 27),
-                eProgress_UUIE_multipleCalls = (1 << 26),
-                eProgress_UUIE_maintainConnection = (1 << 25),
-                eProgress_UUIE_fastConnectRefused = (1 << 24),
-        } options;
-        TransportAddress h245Address;
-        Progress_UUIE_fastStart fastStart;
-} Progress_UUIE;
-typedef struct H323_UU_PDU_h323_message_body {  /* CHOICE */
-        enum {
-                eH323_UU_PDU_h323_message_body_setup,
-                eH323_UU_PDU_h323_message_body_callProceeding,
-                eH323_UU_PDU_h323_message_body_connect,
-                eH323_UU_PDU_h323_message_body_alerting,
-                eH323_UU_PDU_h323_message_body_information,
-                eH323_UU_PDU_h323_message_body_releaseComplete,
-                eH323_UU_PDU_h323_message_body_facility,
-                eH323_UU_PDU_h323_message_body_progress,
-                eH323_UU_PDU_h323_message_body_empty,
-                eH323_UU_PDU_h323_message_body_status,
-                eH323_UU_PDU_h323_message_body_statusInquiry,
-                eH323_UU_PDU_h323_message_body_setupAcknowledge,
-                eH323_UU_PDU_h323_message_body_notify,
-        } choice;
-        union {
-                Setup_UUIE setup;
-                CallProceeding_UUIE callProceeding;
-                Connect_UUIE connect;
-                Alerting_UUIE alerting;
-                Information_UUIE information;
-                Facility_UUIE facility;
-                Progress_UUIE progress;
-        };
-} H323_UU_PDU_h323_message_body;
-typedef struct RequestMessage { /* CHOICE */
-        enum {
-                eRequestMessage_nonStandard,
-                eRequestMessage_masterSlaveDetermination,
-                eRequestMessage_terminalCapabilitySet,
-                eRequestMessage_openLogicalChannel,
-                eRequestMessage_closeLogicalChannel,
-                eRequestMessage_requestChannelClose,
-                eRequestMessage_multiplexEntrySend,
-                eRequestMessage_requestMultiplexEntry,
-                eRequestMessage_requestMode,
-                eRequestMessage_roundTripDelayRequest,
-                eRequestMessage_maintenanceLoopRequest,
-                eRequestMessage_communicationModeRequest,
-                eRequestMessage_conferenceRequest,
-                eRequestMessage_multilinkRequest,
-                eRequestMessage_logicalChannelRateRequest,
-        } choice;
-        union {
-                OpenLogicalChannel openLogicalChannel;
-        };
-} RequestMessage;
-typedef struct OpenLogicalChannelAck_reverseLogicalChannelParameters_multiplexParameters {      /* CHOICE */
-        enum {
-                eOpenLogicalChannelAck_reverseLogicalChannelParameters_multiplexParameters_h222LogicalChannelParameters,
-                eOpenLogicalChannelAck_reverseLogicalChannelParameters_multiplexParameters_h2250LogicalChannelParameters,
-        } choice;
-        union {
-                H2250LogicalChannelParameters h2250LogicalChannelParameters;
-        };
-} OpenLogicalChannelAck_reverseLogicalChannelParameters_multiplexParameters;
-typedef struct OpenLogicalChannelAck_reverseLogicalChannelParameters {  /* SEQUENCE */
-        enum {
-                eOpenLogicalChannelAck_reverseLogicalChannelParameters_portNumber
-                    = (1 << 31),
-                eOpenLogicalChannelAck_reverseLogicalChannelParameters_multiplexParameters
-                    = (1 << 30),
-                eOpenLogicalChannelAck_reverseLogicalChannelParameters_replacementFor
-                    = (1 << 29),
-        } options;
-        OpenLogicalChannelAck_reverseLogicalChannelParameters_multiplexParameters
-            multiplexParameters;
-} OpenLogicalChannelAck_reverseLogicalChannelParameters;
-typedef struct H2250LogicalChannelAckParameters {       /* SEQUENCE */
-        enum {
-                eH2250LogicalChannelAckParameters_nonStandard = (1 << 31),
-                eH2250LogicalChannelAckParameters_sessionID = (1 << 30),
-                eH2250LogicalChannelAckParameters_mediaChannel = (1 << 29),
-                eH2250LogicalChannelAckParameters_mediaControlChannel =
-                    (1 << 28),
-                eH2250LogicalChannelAckParameters_dynamicRTPPayloadType =
-                    (1 << 27),
-                eH2250LogicalChannelAckParameters_flowControlToZero =
-                    (1 << 26),
-                eH2250LogicalChannelAckParameters_portNumber = (1 << 25),
-        } options;
-        H245_TransportAddress mediaChannel;
-        H245_TransportAddress mediaControlChannel;
-} H2250LogicalChannelAckParameters;
-typedef struct OpenLogicalChannelAck_forwardMultiplexAckParameters {    /* CHOICE */
-        enum {
-                eOpenLogicalChannelAck_forwardMultiplexAckParameters_h2250LogicalChannelAckParameters,
-        } choice;
-        union {
-                H2250LogicalChannelAckParameters
-                    h2250LogicalChannelAckParameters;
-        };
-} OpenLogicalChannelAck_forwardMultiplexAckParameters;
-typedef struct OpenLogicalChannelAck {  /* SEQUENCE */
-        enum {
-                eOpenLogicalChannelAck_reverseLogicalChannelParameters =
-                    (1 << 31),
-                eOpenLogicalChannelAck_separateStack = (1 << 30),
-                eOpenLogicalChannelAck_forwardMultiplexAckParameters =
-                    (1 << 29),
-                eOpenLogicalChannelAck_encryptionSync = (1 << 28),
-        } options;
-        OpenLogicalChannelAck_reverseLogicalChannelParameters
-            reverseLogicalChannelParameters;
-        OpenLogicalChannelAck_forwardMultiplexAckParameters
-            forwardMultiplexAckParameters;
-} OpenLogicalChannelAck;
-typedef struct ResponseMessage {        /* CHOICE */
-        enum {
-                eResponseMessage_nonStandard,
-                eResponseMessage_masterSlaveDeterminationAck,
-                eResponseMessage_masterSlaveDeterminationReject,
-                eResponseMessage_terminalCapabilitySetAck,
-                eResponseMessage_terminalCapabilitySetReject,
-                eResponseMessage_openLogicalChannelAck,
-                eResponseMessage_openLogicalChannelReject,
-                eResponseMessage_closeLogicalChannelAck,
-                eResponseMessage_requestChannelCloseAck,
-                eResponseMessage_requestChannelCloseReject,
-                eResponseMessage_multiplexEntrySendAck,
-                eResponseMessage_multiplexEntrySendReject,
-                eResponseMessage_requestMultiplexEntryAck,
-                eResponseMessage_requestMultiplexEntryReject,
-                eResponseMessage_requestModeAck,
-                eResponseMessage_requestModeReject,
-                eResponseMessage_roundTripDelayResponse,
-                eResponseMessage_maintenanceLoopAck,
-                eResponseMessage_maintenanceLoopReject,
-                eResponseMessage_communicationModeResponse,
-                eResponseMessage_conferenceResponse,
-                eResponseMessage_multilinkResponse,
-                eResponseMessage_logicalChannelRateAcknowledge,
-                eResponseMessage_logicalChannelRateReject,
-        } choice;
-        union {
-                OpenLogicalChannelAck openLogicalChannelAck;
-        };
-} ResponseMessage;
-typedef struct MultimediaSystemControlMessage { /* CHOICE */
-        enum {
-                eMultimediaSystemControlMessage_request,
-                eMultimediaSystemControlMessage_response,
-                eMultimediaSystemControlMessage_command,
-                eMultimediaSystemControlMessage_indication,
-        } choice;
-        union {
-                RequestMessage request;
-                ResponseMessage response;
-        };
-} MultimediaSystemControlMessage;
-typedef struct H323_UU_PDU_h245Control {        /* SEQUENCE OF */
-        int count;
-        MultimediaSystemControlMessage item[4];
-} H323_UU_PDU_h245Control;
-typedef struct H323_UU_PDU {    /* SEQUENCE */
-        enum {
-                eH323_UU_PDU_nonStandardData = (1 << 31),
-                eH323_UU_PDU_h4501SupplementaryService = (1 << 30),
-                eH323_UU_PDU_h245Tunneling = (1 << 29),
-                eH323_UU_PDU_h245Control = (1 << 28),
-                eH323_UU_PDU_nonStandardControl = (1 << 27),
-                eH323_UU_PDU_callLinkage = (1 << 26),
-                eH323_UU_PDU_tunnelledSignallingMessage = (1 << 25),
-                eH323_UU_PDU_provisionalRespToH245Tunneling = (1 << 24),
-                eH323_UU_PDU_stimulusControl = (1 << 23),
-                eH323_UU_PDU_genericData = (1 << 22),
-        } options;
-        H323_UU_PDU_h323_message_body h323_message_body;
-        H323_UU_PDU_h245Control h245Control;
-} H323_UU_PDU;
-typedef struct H323_UserInformation {   /* SEQUENCE */
-        enum {
-                eH323_UserInformation_user_data = (1 << 31),
-        } options;
-        H323_UU_PDU h323_uu_pdu;
-} H323_UserInformation;
-typedef struct GatekeeperRequest {      /* SEQUENCE */
-        enum {
-                eGatekeeperRequest_nonStandardData = (1 << 31),
-                eGatekeeperRequest_gatekeeperIdentifier = (1 << 30),
-                eGatekeeperRequest_callServices = (1 << 29),
-                eGatekeeperRequest_endpointAlias = (1 << 28),
-                eGatekeeperRequest_alternateEndpoints = (1 << 27),
-                eGatekeeperRequest_tokens = (1 << 26),
-                eGatekeeperRequest_cryptoTokens = (1 << 25),
-                eGatekeeperRequest_authenticationCapability = (1 << 24),
-                eGatekeeperRequest_algorithmOIDs = (1 << 23),
-                eGatekeeperRequest_integrity = (1 << 22),
-                eGatekeeperRequest_integrityCheckValue = (1 << 21),
-                eGatekeeperRequest_supportsAltGK = (1 << 20),
-                eGatekeeperRequest_featureSet = (1 << 19),
-                eGatekeeperRequest_genericData = (1 << 18),
-        } options;
-        TransportAddress rasAddress;
-} GatekeeperRequest;
-typedef struct GatekeeperConfirm {      /* SEQUENCE */
-        enum {
-                eGatekeeperConfirm_nonStandardData = (1 << 31),
-                eGatekeeperConfirm_gatekeeperIdentifier = (1 << 30),
-                eGatekeeperConfirm_alternateGatekeeper = (1 << 29),
-                eGatekeeperConfirm_authenticationMode = (1 << 28),
-                eGatekeeperConfirm_tokens = (1 << 27),
-                eGatekeeperConfirm_cryptoTokens = (1 << 26),
-                eGatekeeperConfirm_algorithmOID = (1 << 25),
-                eGatekeeperConfirm_integrity = (1 << 24),
-                eGatekeeperConfirm_integrityCheckValue = (1 << 23),
-                eGatekeeperConfirm_featureSet = (1 << 22),
-                eGatekeeperConfirm_genericData = (1 << 21),
-        } options;
-        TransportAddress rasAddress;
-} GatekeeperConfirm;
-typedef struct RegistrationRequest_callSignalAddress {  /* SEQUENCE OF */
-        int count;
-        TransportAddress item[10];
-} RegistrationRequest_callSignalAddress;
-typedef struct RegistrationRequest_rasAddress { /* SEQUENCE OF */
-        int count;
-        TransportAddress item[10];
-} RegistrationRequest_rasAddress;
-typedef struct RegistrationRequest {    /* SEQUENCE */
-        enum {
-                eRegistrationRequest_nonStandardData = (1 << 31),
-                eRegistrationRequest_terminalAlias = (1 << 30),
-                eRegistrationRequest_gatekeeperIdentifier = (1 << 29),
-                eRegistrationRequest_alternateEndpoints = (1 << 28),
-                eRegistrationRequest_timeToLive = (1 << 27),
-                eRegistrationRequest_tokens = (1 << 26),
-                eRegistrationRequest_cryptoTokens = (1 << 25),
-                eRegistrationRequest_integrityCheckValue = (1 << 24),
-                eRegistrationRequest_keepAlive = (1 << 23),
-                eRegistrationRequest_endpointIdentifier = (1 << 22),
-                eRegistrationRequest_willSupplyUUIEs = (1 << 21),
-                eRegistrationRequest_maintainConnection = (1 << 20),
-                eRegistrationRequest_alternateTransportAddresses = (1 << 19),
-                eRegistrationRequest_additiveRegistration = (1 << 18),
-                eRegistrationRequest_terminalAliasPattern = (1 << 17),
-                eRegistrationRequest_supportsAltGK = (1 << 16),
-                eRegistrationRequest_usageReportingCapability = (1 << 15),
-                eRegistrationRequest_multipleCalls = (1 << 14),
-                eRegistrationRequest_supportedH248Packages = (1 << 13),
-                eRegistrationRequest_callCreditCapability = (1 << 12),
-                eRegistrationRequest_capacityReportingCapability = (1 << 11),
-                eRegistrationRequest_capacity = (1 << 10),
-                eRegistrationRequest_featureSet = (1 << 9),
-                eRegistrationRequest_genericData = (1 << 8),
-        } options;
-        RegistrationRequest_callSignalAddress callSignalAddress;
-        RegistrationRequest_rasAddress rasAddress;
-        unsigned timeToLive;
-} RegistrationRequest;
-typedef struct RegistrationConfirm_callSignalAddress {  /* SEQUENCE OF */
-        int count;
-        TransportAddress item[10];
-} RegistrationConfirm_callSignalAddress;
-typedef struct RegistrationConfirm {    /* SEQUENCE */
-        enum {
-                eRegistrationConfirm_nonStandardData = (1 << 31),
-                eRegistrationConfirm_terminalAlias = (1 << 30),
-                eRegistrationConfirm_gatekeeperIdentifier = (1 << 29),
-                eRegistrationConfirm_alternateGatekeeper = (1 << 28),
-                eRegistrationConfirm_timeToLive = (1 << 27),
-                eRegistrationConfirm_tokens = (1 << 26),
-                eRegistrationConfirm_cryptoTokens = (1 << 25),
-                eRegistrationConfirm_integrityCheckValue = (1 << 24),
-                eRegistrationConfirm_willRespondToIRR = (1 << 23),
-                eRegistrationConfirm_preGrantedARQ = (1 << 22),
-                eRegistrationConfirm_maintainConnection = (1 << 21),
-                eRegistrationConfirm_serviceControl = (1 << 20),
-                eRegistrationConfirm_supportsAdditiveRegistration = (1 << 19),
-                eRegistrationConfirm_terminalAliasPattern = (1 << 18),
-                eRegistrationConfirm_supportedPrefixes = (1 << 17),
-                eRegistrationConfirm_usageSpec = (1 << 16),
-                eRegistrationConfirm_featureServerAlias = (1 << 15),
-                eRegistrationConfirm_capacityReportingSpec = (1 << 14),
-                eRegistrationConfirm_featureSet = (1 << 13),
-                eRegistrationConfirm_genericData = (1 << 12),
-        } options;
-        RegistrationConfirm_callSignalAddress callSignalAddress;
-        unsigned timeToLive;
-} RegistrationConfirm;
-typedef struct UnregistrationRequest_callSignalAddress {        /* SEQUENCE OF */
-        int count;
-        TransportAddress item[10];
-} UnregistrationRequest_callSignalAddress;
-typedef struct UnregistrationRequest {  /* SEQUENCE */
-        enum {
-                eUnregistrationRequest_endpointAlias = (1 << 31),
-                eUnregistrationRequest_nonStandardData = (1 << 30),
-                eUnregistrationRequest_endpointIdentifier = (1 << 29),
-                eUnregistrationRequest_alternateEndpoints = (1 << 28),
-                eUnregistrationRequest_gatekeeperIdentifier = (1 << 27),
-                eUnregistrationRequest_tokens = (1 << 26),
-                eUnregistrationRequest_cryptoTokens = (1 << 25),
-                eUnregistrationRequest_integrityCheckValue = (1 << 24),
-                eUnregistrationRequest_reason = (1 << 23),
-                eUnregistrationRequest_endpointAliasPattern = (1 << 22),
-                eUnregistrationRequest_supportedPrefixes = (1 << 21),
-                eUnregistrationRequest_alternateGatekeeper = (1 << 20),
-                eUnregistrationRequest_genericData = (1 << 19),
-        } options;
-        UnregistrationRequest_callSignalAddress callSignalAddress;
-} UnregistrationRequest;
-typedef struct AdmissionRequest {       /* SEQUENCE */
-        enum {
-                eAdmissionRequest_callModel = (1 << 31),
-                eAdmissionRequest_destinationInfo = (1 << 30),
-                eAdmissionRequest_destCallSignalAddress = (1 << 29),
-                eAdmissionRequest_destExtraCallInfo = (1 << 28),
-                eAdmissionRequest_srcCallSignalAddress = (1 << 27),
-                eAdmissionRequest_nonStandardData = (1 << 26),
-                eAdmissionRequest_callServices = (1 << 25),
-                eAdmissionRequest_canMapAlias = (1 << 24),
-                eAdmissionRequest_callIdentifier = (1 << 23),
-                eAdmissionRequest_srcAlternatives = (1 << 22),
-                eAdmissionRequest_destAlternatives = (1 << 21),
-                eAdmissionRequest_gatekeeperIdentifier = (1 << 20),
-                eAdmissionRequest_tokens = (1 << 19),
-                eAdmissionRequest_cryptoTokens = (1 << 18),
-                eAdmissionRequest_integrityCheckValue = (1 << 17),
-                eAdmissionRequest_transportQOS = (1 << 16),
-                eAdmissionRequest_willSupplyUUIEs = (1 << 15),
-                eAdmissionRequest_callLinkage = (1 << 14),
-                eAdmissionRequest_gatewayDataRate = (1 << 13),
-                eAdmissionRequest_capacity = (1 << 12),
-                eAdmissionRequest_circuitInfo = (1 << 11),
-                eAdmissionRequest_desiredProtocols = (1 << 10),
-                eAdmissionRequest_desiredTunnelledProtocol = (1 << 9),
-                eAdmissionRequest_featureSet = (1 << 8),
-                eAdmissionRequest_genericData = (1 << 7),
-        } options;
-        TransportAddress destCallSignalAddress;
-        TransportAddress srcCallSignalAddress;
-} AdmissionRequest;
-typedef struct AdmissionConfirm {       /* SEQUENCE */
-        enum {
-                eAdmissionConfirm_irrFrequency = (1 << 31),
-                eAdmissionConfirm_nonStandardData = (1 << 30),
-                eAdmissionConfirm_destinationInfo = (1 << 29),
-                eAdmissionConfirm_destExtraCallInfo = (1 << 28),
-                eAdmissionConfirm_destinationType = (1 << 27),
-                eAdmissionConfirm_remoteExtensionAddress = (1 << 26),
-                eAdmissionConfirm_alternateEndpoints = (1 << 25),
-                eAdmissionConfirm_tokens = (1 << 24),
-                eAdmissionConfirm_cryptoTokens = (1 << 23),
-                eAdmissionConfirm_integrityCheckValue = (1 << 22),
-                eAdmissionConfirm_transportQOS = (1 << 21),
-                eAdmissionConfirm_willRespondToIRR = (1 << 20),
-                eAdmissionConfirm_uuiesRequested = (1 << 19),
-                eAdmissionConfirm_language = (1 << 18),
-                eAdmissionConfirm_alternateTransportAddresses = (1 << 17),
-                eAdmissionConfirm_useSpecifiedTransport = (1 << 16),
-                eAdmissionConfirm_circuitInfo = (1 << 15),
-                eAdmissionConfirm_usageSpec = (1 << 14),
-                eAdmissionConfirm_supportedProtocols = (1 << 13),
-                eAdmissionConfirm_serviceControl = (1 << 12),
-                eAdmissionConfirm_multipleCalls = (1 << 11),
-                eAdmissionConfirm_featureSet = (1 << 10),
-                eAdmissionConfirm_genericData = (1 << 9),
-        } options;
-        TransportAddress destCallSignalAddress;
-} AdmissionConfirm;
-typedef struct LocationRequest {        /* SEQUENCE */
-        enum {
-                eLocationRequest_endpointIdentifier = (1 << 31),
-                eLocationRequest_nonStandardData = (1 << 30),
-                eLocationRequest_sourceInfo = (1 << 29),
-                eLocationRequest_canMapAlias = (1 << 28),
-                eLocationRequest_gatekeeperIdentifier = (1 << 27),
-                eLocationRequest_tokens = (1 << 26),
-                eLocationRequest_cryptoTokens = (1 << 25),
-                eLocationRequest_integrityCheckValue = (1 << 24),
-                eLocationRequest_desiredProtocols = (1 << 23),
-                eLocationRequest_desiredTunnelledProtocol = (1 << 22),
-                eLocationRequest_featureSet = (1 << 21),
-                eLocationRequest_genericData = (1 << 20),
-                eLocationRequest_hopCount = (1 << 19),
-                eLocationRequest_circuitInfo = (1 << 18),
-        } options;
-        TransportAddress replyAddress;
-} LocationRequest;
-typedef struct LocationConfirm {        /* SEQUENCE */
-        enum {
-                eLocationConfirm_nonStandardData = (1 << 31),
-                eLocationConfirm_destinationInfo = (1 << 30),
-                eLocationConfirm_destExtraCallInfo = (1 << 29),
-                eLocationConfirm_destinationType = (1 << 28),
-                eLocationConfirm_remoteExtensionAddress = (1 << 27),
-                eLocationConfirm_alternateEndpoints = (1 << 26),
-                eLocationConfirm_tokens = (1 << 25),
-                eLocationConfirm_cryptoTokens = (1 << 24),
-                eLocationConfirm_integrityCheckValue = (1 << 23),
-                eLocationConfirm_alternateTransportAddresses = (1 << 22),
-                eLocationConfirm_supportedProtocols = (1 << 21),
-                eLocationConfirm_multipleCalls = (1 << 20),
-                eLocationConfirm_featureSet = (1 << 19),
-                eLocationConfirm_genericData = (1 << 18),
-                eLocationConfirm_circuitInfo = (1 << 17),
-                eLocationConfirm_serviceControl = (1 << 16),
-        } options;
-        TransportAddress callSignalAddress;
-        TransportAddress rasAddress;
-} LocationConfirm;
-typedef struct InfoRequestResponse_callSignalAddress {  /* SEQUENCE OF */
-        int count;
-        TransportAddress item[10];
-} InfoRequestResponse_callSignalAddress;
-typedef struct InfoRequestResponse {    /* SEQUENCE */
-        enum {
-                eInfoRequestResponse_nonStandardData = (1 << 31),
-                eInfoRequestResponse_endpointAlias = (1 << 30),
-                eInfoRequestResponse_perCallInfo = (1 << 29),
-                eInfoRequestResponse_tokens = (1 << 28),
-                eInfoRequestResponse_cryptoTokens = (1 << 27),
-                eInfoRequestResponse_integrityCheckValue = (1 << 26),
-                eInfoRequestResponse_needResponse = (1 << 25),
-                eInfoRequestResponse_capacity = (1 << 24),
-                eInfoRequestResponse_irrStatus = (1 << 23),
-                eInfoRequestResponse_unsolicited = (1 << 22),
-                eInfoRequestResponse_genericData = (1 << 21),
-        } options;
-        TransportAddress rasAddress;
-        InfoRequestResponse_callSignalAddress callSignalAddress;
-} InfoRequestResponse;
-typedef struct RasMessage {     /* CHOICE */
-        enum {
-                eRasMessage_gatekeeperRequest,
-                eRasMessage_gatekeeperConfirm,
-                eRasMessage_gatekeeperReject,
-                eRasMessage_registrationRequest,
-                eRasMessage_registrationConfirm,
-                eRasMessage_registrationReject,
-                eRasMessage_unregistrationRequest,
-                eRasMessage_unregistrationConfirm,
-                eRasMessage_unregistrationReject,
-                eRasMessage_admissionRequest,
-                eRasMessage_admissionConfirm,
-                eRasMessage_admissionReject,
-                eRasMessage_bandwidthRequest,
-                eRasMessage_bandwidthConfirm,
-                eRasMessage_bandwidthReject,
-                eRasMessage_disengageRequest,
-                eRasMessage_disengageConfirm,
-                eRasMessage_disengageReject,
-                eRasMessage_locationRequest,
-                eRasMessage_locationConfirm,
-                eRasMessage_locationReject,
-                eRasMessage_infoRequest,
-                eRasMessage_infoRequestResponse,
-                eRasMessage_nonStandardMessage,
-                eRasMessage_unknownMessageResponse,
-                eRasMessage_requestInProgress,
-                eRasMessage_resourcesAvailableIndicate,
-                eRasMessage_resourcesAvailableConfirm,
-                eRasMessage_infoRequestAck,
-                eRasMessage_infoRequestNak,
-                eRasMessage_serviceControlIndication,
-                eRasMessage_serviceControlResponse,
-        } choice;
-        union {
-                GatekeeperRequest gatekeeperRequest;
-                GatekeeperConfirm gatekeeperConfirm;
-                RegistrationRequest registrationRequest;
-                RegistrationConfirm registrationConfirm;
-                UnregistrationRequest unregistrationRequest;
-                AdmissionRequest admissionRequest;
-                AdmissionConfirm admissionConfirm;
-                LocationRequest locationRequest;
-                LocationConfirm locationConfirm;
-                InfoRequestResponse infoRequestResponse;
-        };
-} RasMessage;
diff --git a/net/ipv4/netfilter/ip_conntrack_helper_pptp.c b/net/ipv4/netfilter/ip_conntrack_helper_pptp.c
index 7d3ba4302e9e..8ccfe17bb253 100644
--- a/net/ipv4/netfilter/ip_conntrack_helper_pptp.c
+++ b/net/ipv4/netfilter/ip_conntrack_helper_pptp.c
@@ -469,8 +469,8 @@ pptp_inbound_pkt(struct sk_buff **pskb,
                        DEBUGP("%s but no session\n", pptp_msg_name[msg]);
                        break;
                }
-                if (info->sstate != PPTP_CALL_IN_REP
+                if (info->cstate != PPTP_CALL_IN_REP
-                    && info->sstate != PPTP_CALL_IN_CONF) {
+                    && info->cstate != PPTP_CALL_IN_CONF) {
                        DEBUGP("%s but never sent IN_CALL_REPLY\n",
                                pptp_msg_name[msg]);
                        break;
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_icmp.c b/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
index 3021af0910f1..d8b14a9010a6 100644
--- a/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
@@ -224,25 +224,14 @@ icmp_error(struct sk_buff *skb, enum ip_conntrack_info *ctinfo,
        }
        /* See ip_conntrack_proto_tcp.c */
-        if (hooknum != NF_IP_PRE_ROUTING)
+        if (hooknum == NF_IP_PRE_ROUTING &&
-                goto checksum_skipped;
+            nf_ip_checksum(skb, hooknum, skb->nh.iph->ihl * 4, 0)) {
+                if (LOG_INVALID(IPPROTO_ICMP))
-        switch (skb->ip_summed) {
+                        nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
-        case CHECKSUM_HW:
+                                      "ip_ct_icmp: bad ICMP checksum ");
-                if (!(u16)csum_fold(skb->csum)) 
+                return -NF_ACCEPT;
-                        break;
-                /* fall through */
-        case CHECKSUM_NONE:
-                skb->csum = 0;
-                if (__skb_checksum_complete(skb)) {
-                        if (LOG_INVALID(IPPROTO_ICMP))
-                                nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
-                                              "ip_ct_icmp: bad ICMP checksum ");
-                        return -NF_ACCEPT;
-                }
        }
-checksum_skipped:
        /*
         *      18 is the highest 'known' ICMP type. Anything else is a mystery
         *
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
index 5259abd0fb42..0416073c5600 100644
--- a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
@@ -235,12 +235,15 @@ static int do_basic_checks(struct ip_conntrack *conntrack,
                        flag = 1;
                }
-                /* Cookie Ack/Echo chunks not the first OR 
+                /*
-                   Init / Init Ack / Shutdown compl chunks not the only chunks */
+                 * Cookie Ack/Echo chunks not the first OR
-                if ((sch->type == SCTP_CID_COOKIE_ACK 
+                 * Init / Init Ack / Shutdown compl chunks not the only chunks
+                 * OR zero-length.
+                 */
+                if (((sch->type == SCTP_CID_COOKIE_ACK
                        || sch->type == SCTP_CID_COOKIE_ECHO
                        || flag)
-                     && count !=0 ) {
+                      && count !=0) || !sch->length) {
                        DEBUGP("Basic checks failed\n");
                        return 1;
                }
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
index e0dc37063545..062b252b58ad 100644
--- a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
@@ -870,11 +870,8 @@ static int tcp_error(struct sk_buff *skb,
         * and moreover root might send raw packets.
         */
        /* FIXME: Source route IP option packets --RR */
-        if (hooknum == NF_IP_PRE_ROUTING
+        if (hooknum == NF_IP_PRE_ROUTING &&
-            && skb->ip_summed != CHECKSUM_UNNECESSARY
+            nf_ip_checksum(skb, hooknum, iph->ihl * 4, IPPROTO_TCP)) {
-            && csum_tcpudp_magic(iph->saddr, iph->daddr, tcplen, IPPROTO_TCP,
-                                 skb->ip_summed == CHECKSUM_HW ? skb->csum
-                                 : skb_checksum(skb, iph->ihl*4, tcplen, 0))) {
                if (LOG_INVALID(IPPROTO_TCP))
                        nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
                                  "ip_ct_tcp: bad TCP checksum ");
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_udp.c b/net/ipv4/netfilter/ip_conntrack_proto_udp.c
index 55b7d3210adf..70899868783b 100644
--- a/net/ipv4/netfilter/ip_conntrack_proto_udp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_udp.c
@@ -120,11 +120,8 @@ static int udp_error(struct sk_buff *skb, enum ip_conntrack_info *ctinfo,
         * because the semantic of CHECKSUM_HW is different there 
         * and moreover root might send raw packets.
         * FIXME: Source route IP option packets --RR */
-        if (hooknum == NF_IP_PRE_ROUTING
+        if (hooknum == NF_IP_PRE_ROUTING &&
-            && skb->ip_summed != CHECKSUM_UNNECESSARY
+            nf_ip_checksum(skb, hooknum, iph->ihl * 4, IPPROTO_UDP)) {
-            && csum_tcpudp_magic(iph->saddr, iph->daddr, udplen, IPPROTO_UDP,
-                                 skb->ip_summed == CHECKSUM_HW ? skb->csum
-                                 : skb_checksum(skb, iph->ihl*4, udplen, 0))) {
                if (LOG_INVALID(IPPROTO_UDP))
                        nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
                                  "ip_ct_udp: bad UDP checksum ");
diff --git a/net/ipv4/netfilter/ip_conntrack_standalone.c b/net/ipv4/netfilter/ip_conntrack_standalone.c
index 52076026db36..929d61f7be91 100644
--- a/net/ipv4/netfilter/ip_conntrack_standalone.c
+++ b/net/ipv4/netfilter/ip_conntrack_standalone.c
@@ -469,70 +469,63 @@ static unsigned int ip_conntrack_local(unsigned int hooknum,
 /* Connection tracking may drop packets, but never alters them, so
   make it the first hook. */
-static struct nf_hook_ops ip_conntrack_defrag_ops = {
+static struct nf_hook_ops ip_conntrack_ops[] = {
-        .hook           = ip_conntrack_defrag,
+        {
-        .owner          = THIS_MODULE,
+                .hook           = ip_conntrack_defrag,
-        .pf             = PF_INET,
+                .owner          = THIS_MODULE,
-        .hooknum        = NF_IP_PRE_ROUTING,
+                .pf             = PF_INET,
-        .priority       = NF_IP_PRI_CONNTRACK_DEFRAG,
+                .hooknum        = NF_IP_PRE_ROUTING,
-};
+                .priority       = NF_IP_PRI_CONNTRACK_DEFRAG,
+        },
-static struct nf_hook_ops ip_conntrack_in_ops = {
+        {
-        .hook           = ip_conntrack_in,
+                .hook           = ip_conntrack_in,
-        .owner          = THIS_MODULE,
+                .owner          = THIS_MODULE,
-        .pf             = PF_INET,
+                .pf             = PF_INET,
-        .hooknum        = NF_IP_PRE_ROUTING,
+                .hooknum        = NF_IP_PRE_ROUTING,
-        .priority       = NF_IP_PRI_CONNTRACK,
+                .priority       = NF_IP_PRI_CONNTRACK,
-};
+        },
+        {
-static struct nf_hook_ops ip_conntrack_defrag_local_out_ops = {
+                .hook           = ip_conntrack_defrag,
-        .hook           = ip_conntrack_defrag,
+                .owner          = THIS_MODULE,
-        .owner          = THIS_MODULE,
+                .pf             = PF_INET,
-        .pf             = PF_INET,
+                .hooknum        = NF_IP_LOCAL_OUT,
-        .hooknum        = NF_IP_LOCAL_OUT,
+                .priority       = NF_IP_PRI_CONNTRACK_DEFRAG,
-        .priority       = NF_IP_PRI_CONNTRACK_DEFRAG,
+        },
-};
+        {
+                .hook           = ip_conntrack_local,
-static struct nf_hook_ops ip_conntrack_local_out_ops = {
+                .owner          = THIS_MODULE,
-        .hook           = ip_conntrack_local,
+                .pf             = PF_INET,
-        .owner          = THIS_MODULE,
+                .hooknum        = NF_IP_LOCAL_OUT,
-        .pf             = PF_INET,
+                .priority       = NF_IP_PRI_CONNTRACK,
-        .hooknum        = NF_IP_LOCAL_OUT,
+        },
-        .priority       = NF_IP_PRI_CONNTRACK,
+        {
-};
+                .hook           = ip_conntrack_help,
+                .owner          = THIS_MODULE,
-/* helpers */
+                .pf             = PF_INET,
-static struct nf_hook_ops ip_conntrack_helper_out_ops = {
+                .hooknum        = NF_IP_POST_ROUTING,
-        .hook           = ip_conntrack_help,
+                .priority       = NF_IP_PRI_CONNTRACK_HELPER,
-        .owner          = THIS_MODULE,
+        },
-        .pf             = PF_INET,
+        {
-        .hooknum        = NF_IP_POST_ROUTING,
+                .hook           = ip_conntrack_help,
-        .priority       = NF_IP_PRI_CONNTRACK_HELPER,
+                .owner          = THIS_MODULE,
-};
+                .pf             = PF_INET,
+                .hooknum        = NF_IP_LOCAL_IN,
-static struct nf_hook_ops ip_conntrack_helper_in_ops = {
+                .priority       = NF_IP_PRI_CONNTRACK_HELPER,
-        .hook           = ip_conntrack_help,
+        },
-        .owner          = THIS_MODULE,
+        {
-        .pf             = PF_INET,
+                .hook           = ip_confirm,
-        .hooknum        = NF_IP_LOCAL_IN,
+                .owner          = THIS_MODULE,
-        .priority       = NF_IP_PRI_CONNTRACK_HELPER,
+                .pf             = PF_INET,
-};
+                .hooknum        = NF_IP_POST_ROUTING,
+                .priority       = NF_IP_PRI_CONNTRACK_CONFIRM,
-/* Refragmenter; last chance. */
+        },
-static struct nf_hook_ops ip_conntrack_out_ops = {
+        {
-        .hook           = ip_confirm,
+                .hook           = ip_confirm,
-        .owner          = THIS_MODULE,
+                .owner          = THIS_MODULE,
-        .pf             = PF_INET,
+                .pf             = PF_INET,
-        .hooknum        = NF_IP_POST_ROUTING,
+                .hooknum        = NF_IP_LOCAL_IN,
-        .priority       = NF_IP_PRI_CONNTRACK_CONFIRM,
+                .priority       = NF_IP_PRI_CONNTRACK_CONFIRM,
-};
+        },
-static struct nf_hook_ops ip_conntrack_local_in_ops = {
-        .hook           = ip_confirm,
-        .owner          = THIS_MODULE,
-        .pf             = PF_INET,
-        .hooknum        = NF_IP_LOCAL_IN,
-        .priority       = NF_IP_PRI_CONNTRACK_CONFIRM,
 };
 /* Sysctl support */
@@ -783,18 +776,46 @@ static ctl_table ip_ct_net_table[] = {
 EXPORT_SYMBOL(ip_ct_log_invalid);
 #endif /* CONFIG_SYSCTL */
-static int init_or_cleanup(int init)
+/* FIXME: Allow NULL functions and sub in pointers to generic for
+   them. --RR */
+int ip_conntrack_protocol_register(struct ip_conntrack_protocol *proto)
+{
+        int ret = 0;
+        write_lock_bh(&ip_conntrack_lock);
+        if (ip_ct_protos[proto->proto] != &ip_conntrack_generic_protocol) {
+                ret = -EBUSY;
+                goto out;
+        }
+        ip_ct_protos[proto->proto] = proto;
+ out:
+        write_unlock_bh(&ip_conntrack_lock);
+        return ret;
+}
+void ip_conntrack_protocol_unregister(struct ip_conntrack_protocol *proto)
+{
+        write_lock_bh(&ip_conntrack_lock);
+        ip_ct_protos[proto->proto] = &ip_conntrack_generic_protocol;
+        write_unlock_bh(&ip_conntrack_lock);
+        /* Somebody could be still looking at the proto in bh. */
+        synchronize_net();
+        /* Remove all contrack entries for this protocol */
+        ip_ct_iterate_cleanup(kill_proto, &proto->proto);
+}
+static int __init ip_conntrack_standalone_init(void)
 {
 #ifdef CONFIG_PROC_FS
        struct proc_dir_entry *proc, *proc_exp, *proc_stat;
 #endif
        int ret = 0;
-        if (!init) goto cleanup;
        ret = ip_conntrack_init();
        if (ret < 0)
-                goto cleanup_nothing;
+                return ret;
 #ifdef CONFIG_PROC_FS
        ret = -ENOMEM;
@@ -813,78 +834,25 @@ static int init_or_cleanup(int init)
        proc_stat->owner = THIS_MODULE;
 #endif
-        ret = nf_register_hook(&ip_conntrack_defrag_ops);
+        ret = nf_register_hooks(ip_conntrack_ops, ARRAY_SIZE(ip_conntrack_ops));
        if (ret < 0) {
-                printk("ip_conntrack: can't register pre-routing defrag hook.\n");
+                printk("ip_conntrack: can't register hooks.\n");
                goto cleanup_proc_stat;
        }
-        ret = nf_register_hook(&ip_conntrack_defrag_local_out_ops);
-        if (ret < 0) {
-                printk("ip_conntrack: can't register local_out defrag hook.\n");
-                goto cleanup_defragops;
-        }
-        ret = nf_register_hook(&ip_conntrack_in_ops);
-        if (ret < 0) {
-                printk("ip_conntrack: can't register pre-routing hook.\n");
-                goto cleanup_defraglocalops;
-        }
-        ret = nf_register_hook(&ip_conntrack_local_out_ops);
-        if (ret < 0) {
-                printk("ip_conntrack: can't register local out hook.\n");
-                goto cleanup_inops;
-        }
-        ret = nf_register_hook(&ip_conntrack_helper_in_ops);
-        if (ret < 0) {
-                printk("ip_conntrack: can't register local in helper hook.\n");
-                goto cleanup_inandlocalops;
-        }
-        ret = nf_register_hook(&ip_conntrack_helper_out_ops);
-        if (ret < 0) {
-                printk("ip_conntrack: can't register postrouting helper hook.\n");
-                goto cleanup_helperinops;
-        }
-        ret = nf_register_hook(&ip_conntrack_out_ops);
-        if (ret < 0) {
-                printk("ip_conntrack: can't register post-routing hook.\n");
-                goto cleanup_helperoutops;
-        }
-        ret = nf_register_hook(&ip_conntrack_local_in_ops);
-        if (ret < 0) {
-                printk("ip_conntrack: can't register local in hook.\n");
-                goto cleanup_inoutandlocalops;
-        }
 #ifdef CONFIG_SYSCTL
        ip_ct_sysctl_header = register_sysctl_table(ip_ct_net_table, 0);
        if (ip_ct_sysctl_header == NULL) {
                printk("ip_conntrack: can't register to sysctl.\n");
                ret = -ENOMEM;
-                goto cleanup_localinops;
+                goto cleanup_hooks;
        }
 #endif
        return ret;
- cleanup:
-        synchronize_net();
 #ifdef CONFIG_SYSCTL
-        unregister_sysctl_table(ip_ct_sysctl_header);
+ cleanup_hooks:
- cleanup_localinops:
+        nf_unregister_hooks(ip_conntrack_ops, ARRAY_SIZE(ip_conntrack_ops));
 #endif
-        nf_unregister_hook(&ip_conntrack_local_in_ops);
- cleanup_inoutandlocalops:
-        nf_unregister_hook(&ip_conntrack_out_ops);
- cleanup_helperoutops:
-        nf_unregister_hook(&ip_conntrack_helper_out_ops);
- cleanup_helperinops:
-        nf_unregister_hook(&ip_conntrack_helper_in_ops);
- cleanup_inandlocalops:
-        nf_unregister_hook(&ip_conntrack_local_out_ops);
- cleanup_inops:
-        nf_unregister_hook(&ip_conntrack_in_ops);
- cleanup_defraglocalops:
-        nf_unregister_hook(&ip_conntrack_defrag_local_out_ops);
- cleanup_defragops:
-        nf_unregister_hook(&ip_conntrack_defrag_ops);
 cleanup_proc_stat:
 #ifdef CONFIG_PROC_FS
        remove_proc_entry("ip_conntrack", proc_net_stat);
@@ -895,48 +863,22 @@ static int init_or_cleanup(int init)
 cleanup_init:
 #endif /* CONFIG_PROC_FS */
        ip_conntrack_cleanup();
- cleanup_nothing:
-        return ret;
-}
-/* FIXME: Allow NULL functions and sub in pointers to generic for
-   them. --RR */
-int ip_conntrack_protocol_register(struct ip_conntrack_protocol *proto)
-{
-        int ret = 0;
-        write_lock_bh(&ip_conntrack_lock);
-        if (ip_ct_protos[proto->proto] != &ip_conntrack_generic_protocol) {
-                ret = -EBUSY;
-                goto out;
-        }
-        ip_ct_protos[proto->proto] = proto;
- out:
-        write_unlock_bh(&ip_conntrack_lock);
        return ret;
 }
-void ip_conntrack_protocol_unregister(struct ip_conntrack_protocol *proto)
-{
-        write_lock_bh(&ip_conntrack_lock);
-        ip_ct_protos[proto->proto] = &ip_conntrack_generic_protocol;
-        write_unlock_bh(&ip_conntrack_lock);
-        
-        /* Somebody could be still looking at the proto in bh. */
-        synchronize_net();
-        /* Remove all contrack entries for this protocol */
-        ip_ct_iterate_cleanup(kill_proto, &proto->proto);
-}
-static int __init ip_conntrack_standalone_init(void)
-{
-        return init_or_cleanup(1);
-}
 static void __exit ip_conntrack_standalone_fini(void)
 {
-        init_or_cleanup(0);
+        synchronize_net();
+#ifdef CONFIG_SYSCTL
+        unregister_sysctl_table(ip_ct_sysctl_header);
+#endif
+        nf_unregister_hooks(ip_conntrack_ops, ARRAY_SIZE(ip_conntrack_ops));
+#ifdef CONFIG_PROC_FS
+        remove_proc_entry("ip_conntrack", proc_net_stat);
+        proc_net_remove("ip_conntrack_expect");
+        proc_net_remove("ip_conntrack");
+#endif /* CONFIG_PROC_FS */
+        ip_conntrack_cleanup();
 }
 module_init(ip_conntrack_standalone_init);
diff --git a/net/ipv4/netfilter/ip_nat_helper_h323.c b/net/ipv4/netfilter/ip_nat_helper_h323.c
index a0bc883928c0..d45663d137a7 100644
--- a/net/ipv4/netfilter/ip_nat_helper_h323.c
+++ b/net/ipv4/netfilter/ip_nat_helper_h323.c
@@ -7,24 +7,6 @@
 *
 * Based on the 'brute force' H.323 NAT module by
 * Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
- *
- * Changes:
- *      2006-02-01 - initial version 0.1
- *
- *      2006-02-20 - version 0.2
- *        1. Changed source format to follow kernel conventions
- *        2. Deleted some unnecessary structures
- *        3. Minor fixes
- *
- *      2006-03-10 - version 0.3
- *        1. Added support for multiple TPKTs in one packet (suggested by
- *           Patrick McHardy)
- *        2. Added support for non-linear skb (based on Patrick McHardy's patch)
- *        3. Eliminated unnecessary return code
- *
- *      2006-03-15 - version 0.4
- *        1. Added support for T.120 channels
- *        2. Added parameter gkrouted_only (suggested by Patrick McHardy)
 */
 #include <linux/module.h>
@@ -41,65 +23,12 @@
 #include <linux/netfilter_ipv4/ip_conntrack_h323.h>
 #include <linux/netfilter_ipv4/ip_conntrack_helper.h>
-#include "ip_conntrack_helper_h323_asn1.h"
 #if 0
 #define DEBUGP printk
 #else
 #define DEBUGP(format, args...)
 #endif
-extern int get_h245_addr(unsigned char *data, H245_TransportAddress * addr,
-                         u_int32_t * ip, u_int16_t * port);
-extern int get_h225_addr(unsigned char *data, TransportAddress * addr,
-                         u_int32_t * ip, u_int16_t * port);
-extern void ip_conntrack_h245_expect(struct ip_conntrack *new,
-                                     struct ip_conntrack_expect *this);
-extern void ip_conntrack_q931_expect(struct ip_conntrack *new,
-                                     struct ip_conntrack_expect *this);
-extern int (*set_h245_addr_hook) (struct sk_buff ** pskb,
-                                  unsigned char **data, int dataoff,
-                                  H245_TransportAddress * addr,
-                                  u_int32_t ip, u_int16_t port);
-extern int (*set_h225_addr_hook) (struct sk_buff ** pskb,
-                                  unsigned char **data, int dataoff,
-                                  TransportAddress * addr,
-                                  u_int32_t ip, u_int16_t port);
-extern int (*set_sig_addr_hook) (struct sk_buff ** pskb,
-                                 struct ip_conntrack * ct,
-                                 enum ip_conntrack_info ctinfo,
-                                 unsigned char **data,
-                                 TransportAddress * addr, int count);
-extern int (*set_ras_addr_hook) (struct sk_buff ** pskb,
-                                 struct ip_conntrack * ct,
-                                 enum ip_conntrack_info ctinfo,
-                                 unsigned char **data,
-                                 TransportAddress * addr, int count);
-extern int (*nat_rtp_rtcp_hook) (struct sk_buff ** pskb,
-                                 struct ip_conntrack * ct,
-                                 enum ip_conntrack_info ctinfo,
-                                 unsigned char **data, int dataoff,
-                                 H245_TransportAddress * addr,
-                                 u_int16_t port, u_int16_t rtp_port,
-                                 struct ip_conntrack_expect * rtp_exp,
-                                 struct ip_conntrack_expect * rtcp_exp);
-extern int (*nat_t120_hook) (struct sk_buff ** pskb, struct ip_conntrack * ct,
-                             enum ip_conntrack_info ctinfo,
-                             unsigned char **data, int dataoff,
-                             H245_TransportAddress * addr, u_int16_t port,
-                             struct ip_conntrack_expect * exp);
-extern int (*nat_h245_hook) (struct sk_buff ** pskb, struct ip_conntrack * ct,
-                             enum ip_conntrack_info ctinfo,
-                             unsigned char **data, int dataoff,
-                             TransportAddress * addr, u_int16_t port,
-                             struct ip_conntrack_expect * exp);
-extern int (*nat_q931_hook) (struct sk_buff ** pskb, struct ip_conntrack * ct,
-                             enum ip_conntrack_info ctinfo,
-                             unsigned char **data, TransportAddress * addr,
-                             int idx, u_int16_t port,
-                             struct ip_conntrack_expect * exp);
 /****************************************************************************/
 static int set_addr(struct sk_buff **pskb,
                    unsigned char **data, int dataoff,
diff --git a/net/ipv4/netfilter/ip_nat_proto_gre.c b/net/ipv4/netfilter/ip_nat_proto_gre.c
index 6c4899d8046a..96ceabaec402 100644
--- a/net/ipv4/netfilter/ip_nat_proto_gre.c
+++ b/net/ipv4/netfilter/ip_nat_proto_gre.c
@@ -49,15 +49,15 @@ gre_in_range(const struct ip_conntrack_tuple *tuple,
             const union ip_conntrack_manip_proto *min,
             const union ip_conntrack_manip_proto *max)
 {
-        u_int32_t key;
+        __be16 key;
        if (maniptype == IP_NAT_MANIP_SRC)
                key = tuple->src.u.gre.key;
        else
                key = tuple->dst.u.gre.key;
-        return ntohl(key) >= ntohl(min->gre.key)
+        return ntohs(key) >= ntohs(min->gre.key)
-                && ntohl(key) <= ntohl(max->gre.key);
+                && ntohs(key) <= ntohs(max->gre.key);
 }
 /* generate unique tuple ... */
@@ -81,14 +81,14 @@ gre_unique_tuple(struct ip_conntrack_tuple *tuple,
                min = 1;
                range_size = 0xffff;
        } else {
-                min = ntohl(range->min.gre.key);
+                min = ntohs(range->min.gre.key);
-                range_size = ntohl(range->max.gre.key) - min + 1;
+                range_size = ntohs(range->max.gre.key) - min + 1;
        }
        DEBUGP("min = %u, range_size = %u\n", min, range_size); 
        for (i = 0; i < range_size; i++, key++) {
-                *keyptr = htonl(min + key % range_size);
+                *keyptr = htons(min + key % range_size);
                if (!ip_nat_used_tuple(tuple, conntrack))
                        return 1;
        }
diff --git a/net/ipv4/netfilter/ip_nat_rule.c b/net/ipv4/netfilter/ip_nat_rule.c
index efba8c4e42e0..1aba926c1cb0 100644
--- a/net/ipv4/netfilter/ip_nat_rule.c
+++ b/net/ipv4/netfilter/ip_nat_rule.c
@@ -279,7 +279,7 @@ static struct ipt_target ipt_dnat_reg = {
        .target         = ipt_dnat_target,
        .targetsize     = sizeof(struct ip_nat_multi_range_compat),
        .table          = "nat",
-        .hooks          = 1 << NF_IP_PRE_ROUTING,
+        .hooks          = (1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_OUT),
        .checkentry     = ipt_dnat_checkentry,
 };
diff --git a/net/ipv4/netfilter/ip_nat_snmp_basic.c b/net/ipv4/netfilter/ip_nat_snmp_basic.c
index c62253845538..c33244263b90 100644
--- a/net/ipv4/netfilter/ip_nat_snmp_basic.c
+++ b/net/ipv4/netfilter/ip_nat_snmp_basic.c
@@ -768,6 +768,7 @@ static unsigned char snmp_object_decode(struct asn1_ctx *ctx,
                        len *= sizeof(unsigned long);
                        *obj = kmalloc(sizeof(struct snmp_object) + len, GFP_ATOMIC);
                        if (*obj == NULL) {
+                                kfree(lp);
                                kfree(id);
                                if (net_ratelimit())
                                        printk("OOM in bsalg (%d)\n", __LINE__);
@@ -1003,12 +1004,12 @@ static unsigned char snmp_trap_decode(struct asn1_ctx *ctx,
                
        return 1;
+err_addr_free:
+        kfree((unsigned long *)trap->ip_address);
 err_id_free:
        kfree(trap->id);
-err_addr_free:
-        kfree((unsigned long *)trap->ip_address);
-        
        return 0;
 }
@@ -1126,11 +1127,10 @@ static int snmp_parse_mangle(unsigned char *msg,
                struct snmp_v1_trap trap;
                unsigned char ret = snmp_trap_decode(&ctx, &trap, map, check);
                
-                /* Discard trap allocations regardless */
+                if (ret) {
-                kfree(trap.id);
+                        kfree(trap.id);
-                kfree((unsigned long *)trap.ip_address);
+                        kfree((unsigned long *)trap.ip_address);
-                
+                } else 
-                if (!ret)
                        return ret;
                
        } else {
diff --git a/net/ipv4/netfilter/ip_nat_standalone.c b/net/ipv4/netfilter/ip_nat_standalone.c
index 3505b0de2e04..67e676783da9 100644
--- a/net/ipv4/netfilter/ip_nat_standalone.c
+++ b/net/ipv4/netfilter/ip_nat_standalone.c
@@ -219,8 +219,10 @@ ip_nat_out(unsigned int hooknum,
           const struct net_device *out,
           int (*okfn)(struct sk_buff *))
 {
+#ifdef CONFIG_XFRM
        struct ip_conntrack *ct;
        enum ip_conntrack_info ctinfo;
+#endif
        unsigned int ret;
        /* root is playing with raw sockets. */
@@ -299,69 +301,63 @@ ip_nat_adjust(unsigned int hooknum,
 /* We must be after connection tracking and before packet filtering. */
-/* Before packet filtering, change destination */
+static struct nf_hook_ops ip_nat_ops[] = {
-static struct nf_hook_ops ip_nat_in_ops = {
+        /* Before packet filtering, change destination */
-        .hook           = ip_nat_in,
+        {
-        .owner          = THIS_MODULE,
+                .hook           = ip_nat_in,
-        .pf             = PF_INET,
+                .owner          = THIS_MODULE,
-        .hooknum        = NF_IP_PRE_ROUTING,
+                .pf             = PF_INET,
-        .priority       = NF_IP_PRI_NAT_DST,
+                .hooknum        = NF_IP_PRE_ROUTING,
+                .priority       = NF_IP_PRI_NAT_DST,
+        },
+        /* After packet filtering, change source */
+        {
+                .hook           = ip_nat_out,
+                .owner          = THIS_MODULE,
+                .pf             = PF_INET,
+                .hooknum        = NF_IP_POST_ROUTING,
+                .priority       = NF_IP_PRI_NAT_SRC,
+        },
+        /* After conntrack, adjust sequence number */
+        {
+                .hook           = ip_nat_adjust,
+                .owner          = THIS_MODULE,
+                .pf             = PF_INET,
+                .hooknum        = NF_IP_POST_ROUTING,
+                .priority       = NF_IP_PRI_NAT_SEQ_ADJUST,
+        },
+        /* Before packet filtering, change destination */
+        {
+                .hook           = ip_nat_local_fn,
+                .owner          = THIS_MODULE,
+                .pf             = PF_INET,
+                .hooknum        = NF_IP_LOCAL_OUT,
+                .priority       = NF_IP_PRI_NAT_DST,
+        },
+        /* After packet filtering, change source */
+        {
+                .hook           = ip_nat_fn,
+                .owner          = THIS_MODULE,
+                .pf             = PF_INET,
+                .hooknum        = NF_IP_LOCAL_IN,
+                .priority       = NF_IP_PRI_NAT_SRC,
+        },
+        /* After conntrack, adjust sequence number */
+        {
+                .hook           = ip_nat_adjust,
+                .owner          = THIS_MODULE,
+                .pf             = PF_INET,
+                .hooknum        = NF_IP_LOCAL_IN,
+                .priority       = NF_IP_PRI_NAT_SEQ_ADJUST,
+        },
 };
-/* After packet filtering, change source */
+static int __init ip_nat_standalone_init(void)
-static struct nf_hook_ops ip_nat_out_ops = {
-        .hook           = ip_nat_out,
-        .owner          = THIS_MODULE,
-        .pf             = PF_INET,
-        .hooknum        = NF_IP_POST_ROUTING,
-        .priority       = NF_IP_PRI_NAT_SRC,
-};
-/* After conntrack, adjust sequence number */
-static struct nf_hook_ops ip_nat_adjust_out_ops = {
-        .hook           = ip_nat_adjust,
-        .owner          = THIS_MODULE,
-        .pf             = PF_INET,
-        .hooknum        = NF_IP_POST_ROUTING,
-        .priority       = NF_IP_PRI_NAT_SEQ_ADJUST,
-};
-/* Before packet filtering, change destination */
-static struct nf_hook_ops ip_nat_local_out_ops = {
-        .hook           = ip_nat_local_fn,
-        .owner          = THIS_MODULE,
-        .pf             = PF_INET,
-        .hooknum        = NF_IP_LOCAL_OUT,
-        .priority       = NF_IP_PRI_NAT_DST,
-};
-/* After packet filtering, change source for reply packets of LOCAL_OUT DNAT */
-static struct nf_hook_ops ip_nat_local_in_ops = {
-        .hook           = ip_nat_fn,
-        .owner          = THIS_MODULE,
-        .pf             = PF_INET,
-        .hooknum        = NF_IP_LOCAL_IN,
-        .priority       = NF_IP_PRI_NAT_SRC,
-};
-/* After conntrack, adjust sequence number */
-static struct nf_hook_ops ip_nat_adjust_in_ops = {
-        .hook           = ip_nat_adjust,
-        .owner          = THIS_MODULE,
-        .pf             = PF_INET,
-        .hooknum        = NF_IP_LOCAL_IN,
-        .priority       = NF_IP_PRI_NAT_SEQ_ADJUST,
-};
-static int init_or_cleanup(int init)
 {
        int ret = 0;
        need_conntrack();
-        if (!init) goto cleanup;
 #ifdef CONFIG_XFRM
        BUG_ON(ip_nat_decode_session != NULL);
        ip_nat_decode_session = nat_decode_session;
@@ -371,50 +367,13 @@ static int init_or_cleanup(int init)
                printk("ip_nat_init: can't setup rules.\n");
                goto cleanup_decode_session;
        }
-        ret = nf_register_hook(&ip_nat_in_ops);
+        ret = nf_register_hooks(ip_nat_ops, ARRAY_SIZE(ip_nat_ops));
        if (ret < 0) {
-                printk("ip_nat_init: can't register in hook.\n");
+                printk("ip_nat_init: can't register hooks.\n");
                goto cleanup_rule_init;
        }
-        ret = nf_register_hook(&ip_nat_out_ops);
-        if (ret < 0) {
-                printk("ip_nat_init: can't register out hook.\n");
-                goto cleanup_inops;
-        }
-        ret = nf_register_hook(&ip_nat_adjust_in_ops);
-        if (ret < 0) {
-                printk("ip_nat_init: can't register adjust in hook.\n");
-                goto cleanup_outops;
-        }
-        ret = nf_register_hook(&ip_nat_adjust_out_ops);
-        if (ret < 0) {
-                printk("ip_nat_init: can't register adjust out hook.\n");
-                goto cleanup_adjustin_ops;
-        }
-        ret = nf_register_hook(&ip_nat_local_out_ops);
-        if (ret < 0) {
-                printk("ip_nat_init: can't register local out hook.\n");
-                goto cleanup_adjustout_ops;
-        }
-        ret = nf_register_hook(&ip_nat_local_in_ops);
-        if (ret < 0) {
-                printk("ip_nat_init: can't register local in hook.\n");
-                goto cleanup_localoutops;
-        }
        return ret;
- cleanup:
-        nf_unregister_hook(&ip_nat_local_in_ops);
- cleanup_localoutops:
-        nf_unregister_hook(&ip_nat_local_out_ops);
- cleanup_adjustout_ops:
-        nf_unregister_hook(&ip_nat_adjust_out_ops);
- cleanup_adjustin_ops:
-        nf_unregister_hook(&ip_nat_adjust_in_ops);
- cleanup_outops:
-        nf_unregister_hook(&ip_nat_out_ops);
- cleanup_inops:
-        nf_unregister_hook(&ip_nat_in_ops);
 cleanup_rule_init:
        ip_nat_rule_cleanup();
 cleanup_decode_session:
@@ -425,14 +384,14 @@ static int init_or_cleanup(int init)
        return ret;
 }
-static int __init ip_nat_standalone_init(void)
-{
-        return init_or_cleanup(1);
-}
 static void __exit ip_nat_standalone_fini(void)
 {
-        init_or_cleanup(0);
+        nf_unregister_hooks(ip_nat_ops, ARRAY_SIZE(ip_nat_ops));
+        ip_nat_rule_cleanup();
+#ifdef CONFIG_XFRM
+        ip_nat_decode_session = NULL;
+        synchronize_net();
+#endif
 }
 module_init(ip_nat_standalone_init);
diff --git a/net/ipv4/netfilter/ip_queue.c b/net/ipv4/netfilter/ip_queue.c
index 896a244f8f91..b93f0494362f 100644
--- a/net/ipv4/netfilter/ip_queue.c
+++ b/net/ipv4/netfilter/ip_queue.c
@@ -662,15 +662,11 @@ static struct nf_queue_handler nfqh = {
        .outfn  = &ipq_enqueue_packet,
 };
-static int
+static int __init ip_queue_init(void)
-init_or_cleanup(int init)
 {
        int status = -ENOMEM;
        struct proc_dir_entry *proc;
        
-        if (!init)
-                goto cleanup;
        netlink_register_notifier(&ipq_nl_notifier);
        ipqnl = netlink_kernel_create(NETLINK_FIREWALL, 0, ipq_rcv_sk,
                                      THIS_MODULE);
@@ -697,11 +693,6 @@ init_or_cleanup(int init)
        }
        return status;
-cleanup:
-        nf_unregister_queue_handlers(&nfqh);
-        synchronize_net();
-        ipq_flush(NF_DROP);
-        
 cleanup_sysctl:
        unregister_sysctl_table(ipq_sysctl_header);
        unregister_netdevice_notifier(&ipq_dev_notifier);
@@ -717,15 +708,21 @@ cleanup_netlink_notifier:
        return status;
 }
-static int __init ip_queue_init(void)
-{
-        
-        return init_or_cleanup(1);
-}
 static void __exit ip_queue_fini(void)
 {
-        init_or_cleanup(0);
+        nf_unregister_queue_handlers(&nfqh);
+        synchronize_net();
+        ipq_flush(NF_DROP);
+        unregister_sysctl_table(ipq_sysctl_header);
+        unregister_netdevice_notifier(&ipq_dev_notifier);
+        proc_net_remove(IPQ_PROC_FS_NAME);
+        sock_release(ipqnl->sk_socket);
+        mutex_lock(&ipqnl_mutex);
+        mutex_unlock(&ipqnl_mutex);
+        netlink_unregister_notifier(&ipq_nl_notifier);
 }
 MODULE_DESCRIPTION("IPv4 packet queue handler");
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index d5b8cdd361ce..cee3397ec277 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -735,7 +735,7 @@ translate_table(const char *name,
        }
        /* And one copy for every other CPU */
-        for_each_cpu(i) {
+        for_each_possible_cpu(i) {
                if (newinfo->entries[i] && newinfo->entries[i] != entry0)
                        memcpy(newinfo->entries[i], entry0, newinfo->size);
        }
@@ -788,7 +788,7 @@ get_counters(const struct xt_table_info *t,
                          counters,
                          &i);
-        for_each_cpu(cpu) {
+        for_each_possible_cpu(cpu) {
                if (cpu == curcpu)
                        continue;
                i = 0;
@@ -956,15 +956,16 @@ struct compat_ipt_standard_target
        compat_int_t verdict;
 };
-#define IPT_ST_OFFSET   (sizeof(struct ipt_standard_target) - \
-                                sizeof(struct compat_ipt_standard_target))
 struct compat_ipt_standard
 {
        struct compat_ipt_entry entry;
        struct compat_ipt_standard_target target;
 };
+#define IPT_ST_LEN              XT_ALIGN(sizeof(struct ipt_standard_target))
+#define IPT_ST_COMPAT_LEN       COMPAT_XT_ALIGN(sizeof(struct compat_ipt_standard_target))
+#define IPT_ST_OFFSET           (IPT_ST_LEN - IPT_ST_COMPAT_LEN)
 static int compat_ipt_standard_fn(void *target,
                void **dstptr, int *size, int convert)
 {
@@ -975,35 +976,29 @@ static int compat_ipt_standard_fn(void *target,
        ret = 0;
        switch (convert) {
                case COMPAT_TO_USER:
-                        pst = (struct ipt_standard_target *)target;
+                        pst = target;
                        memcpy(&compat_st.target, &pst->target,
-                                        sizeof(struct ipt_entry_target));
+                                sizeof(compat_st.target));
                        compat_st.verdict = pst->verdict;
                        if (compat_st.verdict > 0)
                                compat_st.verdict -=
                                        compat_calc_jump(compat_st.verdict);
-                        compat_st.target.u.user.target_size =
+                        compat_st.target.u.user.target_size = IPT_ST_COMPAT_LEN;
-                        sizeof(struct compat_ipt_standard_target);
+                        if (copy_to_user(*dstptr, &compat_st, IPT_ST_COMPAT_LEN))
-                        if (__copy_to_user(*dstptr, &compat_st,
-                                sizeof(struct compat_ipt_standard_target)))
                                ret = -EFAULT;
                        *size -= IPT_ST_OFFSET;
-                        *dstptr += sizeof(struct compat_ipt_standard_target);
+                        *dstptr += IPT_ST_COMPAT_LEN;
                        break;
                case COMPAT_FROM_USER:
-                        pcompat_st =
+                        pcompat_st = target;
-                                (struct compat_ipt_standard_target *)target;
+                        memcpy(&st.target, &pcompat_st->target, IPT_ST_COMPAT_LEN);
-                        memcpy(&st.target, &pcompat_st->target,
-                                        sizeof(struct ipt_entry_target));
                        st.verdict = pcompat_st->verdict;
                        if (st.verdict > 0)
                                st.verdict += compat_calc_jump(st.verdict);
-                        st.target.u.user.target_size =
+                        st.target.u.user.target_size = IPT_ST_LEN;
-                        sizeof(struct ipt_standard_target);
+                        memcpy(*dstptr, &st, IPT_ST_LEN);
-                        memcpy(*dstptr, &st,
-                                        sizeof(struct ipt_standard_target));
                        *size += IPT_ST_OFFSET;
-                        *dstptr += sizeof(struct ipt_standard_target);
+                        *dstptr += IPT_ST_LEN;
                        break;
                case COMPAT_CALC_SIZE:
                        *size += IPT_ST_OFFSET;
@@ -1446,7 +1441,7 @@ static int compat_copy_entry_to_user(struct ipt_entry *e,
        ret = -EFAULT;
        origsize = *size;
        ce = (struct compat_ipt_entry __user *)*dstptr;
-        if (__copy_to_user(ce, e, sizeof(struct ipt_entry)))
+        if (copy_to_user(ce, e, sizeof(struct ipt_entry)))
                goto out;
        *dstptr += sizeof(struct compat_ipt_entry);
@@ -1464,9 +1459,9 @@ static int compat_copy_entry_to_user(struct ipt_entry *e,
                goto out;
        ret = -EFAULT;
        next_offset = e->next_offset - (origsize - *size);
-        if (__put_user(target_offset, &ce->target_offset))
+        if (put_user(target_offset, &ce->target_offset))
                goto out;
-        if (__put_user(next_offset, &ce->next_offset))
+        if (put_user(next_offset, &ce->next_offset))
                goto out;
        return 0;
 out:
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index e4768a31718b..aad9d28c8d71 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -725,22 +725,17 @@ static struct file_operations clusterip_proc_fops = {
 #endif /* CONFIG_PROC_FS */
-static int init_or_cleanup(int fini)
+static int __init ipt_clusterip_init(void)
 {
        int ret;
-        if (fini)
+        ret = ipt_register_target(&clusterip_tgt);
-                goto cleanup;
+        if (ret < 0)
+                return ret;
-        if (ipt_register_target(&clusterip_tgt)) {
-                ret = -EINVAL;
-                goto cleanup_none;
-        }
-        if (nf_register_hook(&cip_arp_ops) < 0) {
+        ret = nf_register_hook(&cip_arp_ops);
-                ret = -EINVAL;
+        if (ret < 0)
                goto cleanup_target;
-        }
 #ifdef CONFIG_PROC_FS
        clusterip_procdir = proc_mkdir("ipt_CLUSTERIP", proc_net);
@@ -753,31 +748,24 @@ static int init_or_cleanup(int fini)
        printk(KERN_NOTICE "ClusterIP Version %s loaded successfully\n",
                CLUSTERIP_VERSION);
        return 0;
-cleanup:
-        printk(KERN_NOTICE "ClusterIP Version %s unloading\n",
-                CLUSTERIP_VERSION);
-#ifdef CONFIG_PROC_FS
-        remove_proc_entry(clusterip_procdir->name, clusterip_procdir->parent);
-#endif
 cleanup_hook:
        nf_unregister_hook(&cip_arp_ops);
 cleanup_target:
        ipt_unregister_target(&clusterip_tgt);
-cleanup_none:
+        return ret;
-        return -EINVAL;
-}
-static int __init ipt_clusterip_init(void)
-{
-        return init_or_cleanup(0);
 }
 static void __exit ipt_clusterip_fini(void)
 {
-        init_or_cleanup(1);
+        printk(KERN_NOTICE "ClusterIP Version %s unloading\n",
+                CLUSTERIP_VERSION);
+#ifdef CONFIG_PROC_FS
+        remove_proc_entry(clusterip_procdir->name, clusterip_procdir->parent);
+#endif
+        nf_unregister_hook(&cip_arp_ops);
+        ipt_unregister_target(&clusterip_tgt);
 }
 module_init(ipt_clusterip_init);
diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
index 39fd4c2a2386..b98f7b08b084 100644
--- a/net/ipv4/netfilter/ipt_LOG.c
+++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -428,7 +428,7 @@ ipt_log_target(struct sk_buff **pskb,
        if (loginfo->logflags & IPT_LOG_NFLOG)
                nf_log_packet(PF_INET, hooknum, *pskb, in, out, &li,
-                              loginfo->prefix);
+                              "%s", loginfo->prefix);
        else
                ipt_log_packet(PF_INET, hooknum, *pskb, in, out, &li,
                               loginfo->prefix);
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index 4269a5440d43..0bba3c2bb786 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -106,7 +106,6 @@ static void send_reset(struct sk_buff *oldskb, int hook)
        struct rtable *rt;
        u_int16_t tmp_port;
        u_int32_t tmp_addr;
-        unsigned int tcplen;
        int needs_ack;
        int hh_len;
@@ -124,13 +123,7 @@ static void send_reset(struct sk_buff *oldskb, int hook)
                return;
        /* Check checksum */
-        tcplen = oldskb->len - iph->ihl * 4;
+        if (nf_ip_checksum(oldskb, hook, iph->ihl * 4, IPPROTO_TCP))
-        if (((hook != NF_IP_LOCAL_IN && oldskb->ip_summed != CHECKSUM_HW) ||
-             (hook == NF_IP_LOCAL_IN &&
-              oldskb->ip_summed != CHECKSUM_UNNECESSARY)) &&
-            csum_tcpudp_magic(iph->saddr, iph->daddr, tcplen, IPPROTO_TCP,
-                              oldskb->ip_summed == CHECKSUM_HW ? oldskb->csum :
-                              skb_checksum(oldskb, iph->ihl * 4, tcplen, 0)))
                return;
        if ((rt = route_reverse(oldskb, oth, hook)) == NULL)
diff --git a/net/ipv4/netfilter/ipt_recent.c b/net/ipv4/netfilter/ipt_recent.c
index 143843285702..b847ee409efb 100644
--- a/net/ipv4/netfilter/ipt_recent.c
+++ b/net/ipv4/netfilter/ipt_recent.c
@@ -821,6 +821,7 @@ checkentry(const char *tablename,
        /* Create our proc 'status' entry. */
        curr_table->status_proc = create_proc_entry(curr_table->name, ip_list_perms, proc_net_ipt_recent);
        if (!curr_table->status_proc) {
+                vfree(hold);
                printk(KERN_INFO RECENT_NAME ": checkentry: unable to allocate for /proc entry.\n");
                /* Destroy the created table */
                spin_lock_bh(&recent_lock);
@@ -845,7 +846,6 @@ checkentry(const char *tablename,
                spin_unlock_bh(&recent_lock);
                vfree(curr_table->time_info);
                vfree(curr_table->hash_table);
-                vfree(hold);
                vfree(curr_table->table);
                vfree(curr_table);
                return 0;
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index 3d80aefe9cfa..7f417484bfbf 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -157,37 +157,20 @@ static int __init iptable_filter_init(void)
                return ret;
        /* Register hooks */
-        ret = nf_register_hook(&ipt_ops[0]);
+        ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
        if (ret < 0)
                goto cleanup_table;
-        ret = nf_register_hook(&ipt_ops[1]);
-        if (ret < 0)
-                goto cleanup_hook0;
-        ret = nf_register_hook(&ipt_ops[2]);
-        if (ret < 0)
-                goto cleanup_hook1;
        return ret;
- cleanup_hook1:
-        nf_unregister_hook(&ipt_ops[1]);
- cleanup_hook0:
-        nf_unregister_hook(&ipt_ops[0]);
 cleanup_table:
        ipt_unregister_table(&packet_filter);
        return ret;
 }
 static void __exit iptable_filter_fini(void)
 {
-        unsigned int i;
+        nf_unregister_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
-        for (i = 0; i < sizeof(ipt_ops)/sizeof(struct nf_hook_ops); i++)
-                nf_unregister_hook(&ipt_ops[i]);
        ipt_unregister_table(&packet_filter);
 }
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index 412fc96cc896..397b95cc026b 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -211,49 +211,20 @@ static int __init iptable_mangle_init(void)
                return ret;
        /* Register hooks */
-        ret = nf_register_hook(&ipt_ops[0]);
+        ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
        if (ret < 0)
                goto cleanup_table;
-        ret = nf_register_hook(&ipt_ops[1]);
-        if (ret < 0)
-                goto cleanup_hook0;
-        ret = nf_register_hook(&ipt_ops[2]);
-        if (ret < 0)
-                goto cleanup_hook1;
-        ret = nf_register_hook(&ipt_ops[3]);
-        if (ret < 0)
-                goto cleanup_hook2;
-        ret = nf_register_hook(&ipt_ops[4]);
-        if (ret < 0)
-                goto cleanup_hook3;
        return ret;
- cleanup_hook3:
-        nf_unregister_hook(&ipt_ops[3]);
- cleanup_hook2:
-        nf_unregister_hook(&ipt_ops[2]);
- cleanup_hook1:
-        nf_unregister_hook(&ipt_ops[1]);
- cleanup_hook0:
-        nf_unregister_hook(&ipt_ops[0]);
 cleanup_table:
        ipt_unregister_table(&packet_mangler);
        return ret;
 }
 static void __exit iptable_mangle_fini(void)
 {
-        unsigned int i;
+        nf_unregister_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
-        for (i = 0; i < sizeof(ipt_ops)/sizeof(struct nf_hook_ops); i++)
-                nf_unregister_hook(&ipt_ops[i]);
        ipt_unregister_table(&packet_mangler);
 }
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index 03cc79a6160a..7912cce1e1b8 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -101,18 +101,18 @@ ipt_hook(unsigned int hook,
 /* 'raw' is the very first table. */
 static struct nf_hook_ops ipt_ops[] = {
        {
-          .hook = ipt_hook, 
+                .hook = ipt_hook,
-          .pf = PF_INET, 
+                .pf = PF_INET,
-          .hooknum = NF_IP_PRE_ROUTING, 
+                .hooknum = NF_IP_PRE_ROUTING,
-          .priority = NF_IP_PRI_RAW,
+                .priority = NF_IP_PRI_RAW,
-          .owner = THIS_MODULE,
+                .owner = THIS_MODULE,
        },
        {
-          .hook = ipt_hook, 
+                .hook = ipt_hook,
-          .pf = PF_INET, 
+                .pf = PF_INET,
-          .hooknum = NF_IP_LOCAL_OUT, 
+                .hooknum = NF_IP_LOCAL_OUT,
-          .priority = NF_IP_PRI_RAW,
+                .priority = NF_IP_PRI_RAW,
-          .owner = THIS_MODULE,
+                .owner = THIS_MODULE,
        },
 };
@@ -126,31 +126,20 @@ static int __init iptable_raw_init(void)
                return ret;
        /* Register hooks */
-        ret = nf_register_hook(&ipt_ops[0]);
+        ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
        if (ret < 0)
                goto cleanup_table;
-        ret = nf_register_hook(&ipt_ops[1]);
-        if (ret < 0)
-                goto cleanup_hook0;
        return ret;
- cleanup_hook0:
-        nf_unregister_hook(&ipt_ops[0]);
 cleanup_table:
        ipt_unregister_table(&packet_raw);
        return ret;
 }
 static void __exit iptable_raw_fini(void)
 {
-        unsigned int i;
+        nf_unregister_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
-        for (i = 0; i < sizeof(ipt_ops)/sizeof(struct nf_hook_ops); i++)
-                nf_unregister_hook(&ipt_ops[i]);
        ipt_unregister_table(&packet_raw);
 }
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 4afbc699d3ba..77d974443c7b 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -210,71 +210,63 @@ static unsigned int ipv4_conntrack_local(unsigned int hooknum,
 /* Connection tracking may drop packets, but never alters them, so
   make it the first hook. */
-static struct nf_hook_ops ipv4_conntrack_defrag_ops = {
+static struct nf_hook_ops ipv4_conntrack_ops[] = {
-        .hook           = ipv4_conntrack_defrag,
+        {
-        .owner          = THIS_MODULE,
+                .hook           = ipv4_conntrack_defrag,
-        .pf             = PF_INET,
+                .owner          = THIS_MODULE,
-        .hooknum        = NF_IP_PRE_ROUTING,
+                .pf             = PF_INET,
-        .priority       = NF_IP_PRI_CONNTRACK_DEFRAG,
+                .hooknum        = NF_IP_PRE_ROUTING,
-};
+                .priority       = NF_IP_PRI_CONNTRACK_DEFRAG,
+        },
-static struct nf_hook_ops ipv4_conntrack_in_ops = {
+        {
-        .hook           = ipv4_conntrack_in,
+                .hook           = ipv4_conntrack_in,
-        .owner          = THIS_MODULE,
+                .owner          = THIS_MODULE,
-        .pf             = PF_INET,
+                .pf             = PF_INET,
-        .hooknum        = NF_IP_PRE_ROUTING,
+                .hooknum        = NF_IP_PRE_ROUTING,
-        .priority       = NF_IP_PRI_CONNTRACK,
+                .priority       = NF_IP_PRI_CONNTRACK,
-};
+        },
+        {
-static struct nf_hook_ops ipv4_conntrack_defrag_local_out_ops = {
+                .hook           = ipv4_conntrack_defrag,
-        .hook           = ipv4_conntrack_defrag,
+                .owner          = THIS_MODULE,
-        .owner          = THIS_MODULE,
+                .pf             = PF_INET,
-        .pf             = PF_INET,
+                .hooknum        = NF_IP_LOCAL_OUT,
-        .hooknum        = NF_IP_LOCAL_OUT,
+                .priority       = NF_IP_PRI_CONNTRACK_DEFRAG,
-        .priority       = NF_IP_PRI_CONNTRACK_DEFRAG,
+        },
-};
+        {
+                .hook           = ipv4_conntrack_local,
-static struct nf_hook_ops ipv4_conntrack_local_out_ops = {
+                .owner          = THIS_MODULE,
-        .hook           = ipv4_conntrack_local,
+                .pf             = PF_INET,
-        .owner          = THIS_MODULE,
+                .hooknum        = NF_IP_LOCAL_OUT,
-        .pf             = PF_INET,
+                .priority       = NF_IP_PRI_CONNTRACK,
-        .hooknum        = NF_IP_LOCAL_OUT,
+        },
-        .priority       = NF_IP_PRI_CONNTRACK,
+        {
-};
+                .hook           = ipv4_conntrack_help,
+                .owner          = THIS_MODULE,
-/* helpers */
+                .pf             = PF_INET,
-static struct nf_hook_ops ipv4_conntrack_helper_out_ops = {
+                .hooknum        = NF_IP_POST_ROUTING,
-        .hook           = ipv4_conntrack_help,
+                .priority       = NF_IP_PRI_CONNTRACK_HELPER,
-        .owner          = THIS_MODULE,
+        },
-        .pf             = PF_INET,
+        {
-        .hooknum        = NF_IP_POST_ROUTING,
+                .hook           = ipv4_conntrack_help,
-        .priority       = NF_IP_PRI_CONNTRACK_HELPER,
+                .owner          = THIS_MODULE,
-};
+                .pf             = PF_INET,
+                .hooknum        = NF_IP_LOCAL_IN,
-static struct nf_hook_ops ipv4_conntrack_helper_in_ops = {
+                .priority       = NF_IP_PRI_CONNTRACK_HELPER,
-        .hook           = ipv4_conntrack_help,
+        },
-        .owner          = THIS_MODULE,
+        {
-        .pf             = PF_INET,
+                .hook           = ipv4_confirm,
-        .hooknum        = NF_IP_LOCAL_IN,
+                .owner          = THIS_MODULE,
-        .priority       = NF_IP_PRI_CONNTRACK_HELPER,
+                .pf             = PF_INET,
-};
+                .hooknum        = NF_IP_POST_ROUTING,
+                .priority       = NF_IP_PRI_CONNTRACK_CONFIRM,
+        },
-/* Refragmenter; last chance. */
+        {
-static struct nf_hook_ops ipv4_conntrack_out_ops = {
+                .hook           = ipv4_confirm,
-        .hook           = ipv4_confirm,
+                .owner          = THIS_MODULE,
-        .owner          = THIS_MODULE,
+                .pf             = PF_INET,
-        .pf             = PF_INET,
+                .hooknum        = NF_IP_LOCAL_IN,
-        .hooknum        = NF_IP_POST_ROUTING,
+                .priority       = NF_IP_PRI_CONNTRACK_CONFIRM,
-        .priority       = NF_IP_PRI_CONNTRACK_CONFIRM,
+        },
-};
-static struct nf_hook_ops ipv4_conntrack_local_in_ops = {
-        .hook           = ipv4_confirm,
-        .owner          = THIS_MODULE,
-        .pf             = PF_INET,
-        .hooknum        = NF_IP_LOCAL_IN,
-        .priority       = NF_IP_PRI_CONNTRACK_CONFIRM,
 };
 #ifdef CONFIG_SYSCTL
@@ -356,6 +348,7 @@ getorigdst(struct sock *sk, int optval, void __user *user, int *len)
                        .tuple.dst.u.tcp.port;
                sin.sin_addr.s_addr = ct->tuplehash[IP_CT_DIR_ORIGINAL]
                        .tuple.dst.u3.ip;
+                memset(sin.sin_zero, 0, sizeof(sin.sin_zero));
                DEBUGP("SO_ORIGINAL_DST: %u.%u.%u.%u %u\n",
                       NIPQUAD(sin.sin_addr.s_addr), ntohs(sin.sin_port));
@@ -440,16 +433,20 @@ struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4 = {
 extern struct nf_conntrack_protocol nf_conntrack_protocol_tcp4;
 extern struct nf_conntrack_protocol nf_conntrack_protocol_udp4;
 extern struct nf_conntrack_protocol nf_conntrack_protocol_icmp;
-static int init_or_cleanup(int init)
+MODULE_ALIAS("nf_conntrack-" __stringify(AF_INET));
+MODULE_LICENSE("GPL");
+static int __init nf_conntrack_l3proto_ipv4_init(void)
 {
        int ret = 0;
-        if (!init) goto cleanup;
+        need_conntrack();
        ret = nf_register_sockopt(&so_getorigdst);
        if (ret < 0) {
                printk(KERN_ERR "Unable to register netfilter socket option\n");
-                goto cleanup_nothing;
+                return ret;
        }
        ret = nf_conntrack_protocol_register(&nf_conntrack_protocol_tcp4);
@@ -476,84 +473,26 @@ static int init_or_cleanup(int init)
                goto cleanup_icmp;
        }
-        ret = nf_register_hook(&ipv4_conntrack_defrag_ops);
+        ret = nf_register_hooks(ipv4_conntrack_ops,
+                                ARRAY_SIZE(ipv4_conntrack_ops));
        if (ret < 0) {
-                printk("nf_conntrack_ipv4: can't register pre-routing defrag hook.\n");
+                printk("nf_conntrack_ipv4: can't register hooks.\n");
                goto cleanup_ipv4;
        }
-        ret = nf_register_hook(&ipv4_conntrack_defrag_local_out_ops);
-        if (ret < 0) {
-                printk("nf_conntrack_ipv4: can't register local_out defrag hook.\n");
-                goto cleanup_defragops;
-        }
-        ret = nf_register_hook(&ipv4_conntrack_in_ops);
-        if (ret < 0) {
-                printk("nf_conntrack_ipv4: can't register pre-routing hook.\n");
-                goto cleanup_defraglocalops;
-        }
-        ret = nf_register_hook(&ipv4_conntrack_local_out_ops);
-        if (ret < 0) {
-                printk("nf_conntrack_ipv4: can't register local out hook.\n");
-                goto cleanup_inops;
-        }
-        ret = nf_register_hook(&ipv4_conntrack_helper_in_ops);
-        if (ret < 0) {
-                printk("nf_conntrack_ipv4: can't register local helper hook.\n");
-                goto cleanup_inandlocalops;
-        }
-        ret = nf_register_hook(&ipv4_conntrack_helper_out_ops);
-        if (ret < 0) {
-                printk("nf_conntrack_ipv4: can't register postrouting helper hook.\n");
-                goto cleanup_helperinops;
-        }
-        ret = nf_register_hook(&ipv4_conntrack_out_ops);
-        if (ret < 0) {
-                printk("nf_conntrack_ipv4: can't register post-routing hook.\n");
-                goto cleanup_helperoutops;
-        }
-        ret = nf_register_hook(&ipv4_conntrack_local_in_ops);
-        if (ret < 0) {
-                printk("nf_conntrack_ipv4: can't register local in hook.\n");
-                goto cleanup_inoutandlocalops;
-        }
 #ifdef CONFIG_SYSCTL
        nf_ct_ipv4_sysctl_header = register_sysctl_table(nf_ct_net_table, 0);
        if (nf_ct_ipv4_sysctl_header == NULL) {
                printk("nf_conntrack: can't register to sysctl.\n");
                ret = -ENOMEM;
-                goto cleanup_localinops;
+                goto cleanup_hooks;
        }
 #endif
        return ret;
- cleanup:
-        synchronize_net();
 #ifdef CONFIG_SYSCTL
-        unregister_sysctl_table(nf_ct_ipv4_sysctl_header);
+ cleanup_hooks:
- cleanup_localinops:
+        nf_unregister_hooks(ipv4_conntrack_ops, ARRAY_SIZE(ipv4_conntrack_ops));
 #endif
-        nf_unregister_hook(&ipv4_conntrack_local_in_ops);
- cleanup_inoutandlocalops:
-        nf_unregister_hook(&ipv4_conntrack_out_ops);
- cleanup_helperoutops:
-        nf_unregister_hook(&ipv4_conntrack_helper_out_ops);
- cleanup_helperinops:
-        nf_unregister_hook(&ipv4_conntrack_helper_in_ops);
- cleanup_inandlocalops:
-        nf_unregister_hook(&ipv4_conntrack_local_out_ops);
- cleanup_inops:
-        nf_unregister_hook(&ipv4_conntrack_in_ops);
- cleanup_defraglocalops:
-        nf_unregister_hook(&ipv4_conntrack_defrag_local_out_ops);
- cleanup_defragops:
-        nf_unregister_hook(&ipv4_conntrack_defrag_ops);
 cleanup_ipv4:
        nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv4);
 cleanup_icmp:
@@ -564,22 +503,21 @@ static int init_or_cleanup(int init)
        nf_conntrack_protocol_unregister(&nf_conntrack_protocol_tcp4);
 cleanup_sockopt:
        nf_unregister_sockopt(&so_getorigdst);
- cleanup_nothing:
        return ret;
 }
-MODULE_ALIAS("nf_conntrack-" __stringify(AF_INET));
-MODULE_LICENSE("GPL");
-static int __init nf_conntrack_l3proto_ipv4_init(void)
-{
-        need_conntrack();
-        return init_or_cleanup(1);
-}
 static void __exit nf_conntrack_l3proto_ipv4_fini(void)
 {
-        init_or_cleanup(0);
+        synchronize_net();
+#ifdef CONFIG_SYSCTL
+        unregister_sysctl_table(nf_ct_ipv4_sysctl_header);
+#endif
+        nf_unregister_hooks(ipv4_conntrack_ops, ARRAY_SIZE(ipv4_conntrack_ops));
+        nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv4);
+        nf_conntrack_protocol_unregister(&nf_conntrack_protocol_icmp);
+        nf_conntrack_protocol_unregister(&nf_conntrack_protocol_udp4);
+        nf_conntrack_protocol_unregister(&nf_conntrack_protocol_tcp4);
+        nf_unregister_sockopt(&so_getorigdst);
 }
 module_init(nf_conntrack_l3proto_ipv4_init);
diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
index 52dc175be39a..4b0d361cc6e6 100644
--- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
@@ -235,30 +235,14 @@ icmp_error(struct sk_buff *skb, unsigned int dataoff,
        }
        /* See ip_conntrack_proto_tcp.c */
-        if (hooknum != NF_IP_PRE_ROUTING)
+        if (hooknum == NF_IP_PRE_ROUTING &&
-                goto checksum_skipped;
+            nf_ip_checksum(skb, hooknum, dataoff, 0)) {
-        switch (skb->ip_summed) {
-        case CHECKSUM_HW:
-                if (!(u16)csum_fold(skb->csum))
-                        break;
                if (LOG_INVALID(IPPROTO_ICMP))
                        nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
                                      "nf_ct_icmp: bad HW ICMP checksum ");
                return -NF_ACCEPT;
-        case CHECKSUM_NONE:
-                if ((u16)csum_fold(skb_checksum(skb, 0, skb->len, 0))) {
-                        if (LOG_INVALID(IPPROTO_ICMP))
-                                nf_log_packet(PF_INET, 0, skb, NULL, NULL,
-                                              NULL,
-                                              "nf_ct_icmp: bad ICMP checksum ");
-                        return -NF_ACCEPT;
-                }
-        default:
-                break;
        }
-checksum_skipped:
        /*
         *      18 is the highest 'known' ICMP type. Anything else is a mystery
         *
diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c
index 1b167c4bb3be..d61e2a9d394d 100644
--- a/net/ipv4/proc.c
+++ b/net/ipv4/proc.c
@@ -49,7 +49,7 @@ static int fold_prot_inuse(struct proto *proto)
        int res = 0;
        int cpu;
-        for_each_cpu(cpu)
+        for_each_possible_cpu(cpu)
                res += proto->stats[cpu].inuse;
        return res;
@@ -91,7 +91,7 @@ fold_field(void *mib[], int offt)
        unsigned long res = 0;
        int i;
-        for_each_cpu(i) {
+        for_each_possible_cpu(i) {
                res += *(((unsigned long *) per_cpu_ptr(mib[0], i)) + offt);
                res += *(((unsigned long *) per_cpu_ptr(mib[1], i)) + offt);
        }
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 94fcbc5e5a1b..cc9423de7311 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -2741,7 +2741,10 @@ int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr* nlh, void *arg)
        /* Reserve room for dummy headers, this skb can pass
           through good chunk of routing engine.
         */
-        skb->mac.raw = skb->data;
+        skb->mac.raw = skb->nh.raw = skb->data;
+        /* Bugfix: need to give ip_route_input enough of an IP header to not gag. */
+        skb->nh.iph->protocol = IPPROTO_ICMP;
        skb_reserve(skb, MAX_HEADER + sizeof(struct iphdr));
        if (rta[RTA_SRC - 1])
@@ -3083,7 +3086,7 @@ static int ip_rt_acct_read(char *buffer, char **start, off_t offset,
                memcpy(dst, src, length);
                /* Add the other cpus in, one int at a time */
-                for_each_cpu(i) {
+                for_each_possible_cpu(i) {
                        unsigned int j;
                        src = ((u32 *) IP_RT_ACCT_CPU(i)) + offset;
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 87f68e787d0c..e2b7b8055037 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -1468,6 +1468,7 @@ void tcp_close(struct sock *sk, long timeout)
 {
        struct sk_buff *skb;
        int data_was_unread = 0;
+        int state;
        lock_sock(sk);
        sk->sk_shutdown = SHUTDOWN_MASK;
@@ -1544,6 +1545,11 @@ void tcp_close(struct sock *sk, long timeout)
        sk_stream_wait_close(sk, timeout);
 adjudge_to_death:
+        state = sk->sk_state;
+        sock_hold(sk);
+        sock_orphan(sk);
+        atomic_inc(sk->sk_prot->orphan_count);
        /* It is the last release_sock in its life. It will remove backlog. */
        release_sock(sk);
@@ -1555,8 +1561,9 @@ adjudge_to_death:
        bh_lock_sock(sk);
        BUG_TRAP(!sock_owned_by_user(sk));
-        sock_hold(sk);
+        /* Have we already been destroyed by a softirq or backlog? */
-        sock_orphan(sk);
+        if (state != TCP_CLOSE && sk->sk_state == TCP_CLOSE)
+                goto out;
        /*      This is a (useful) BSD violating of the RFC. There is a
         *      problem with TCP as specified in that the other end could
@@ -1584,7 +1591,6 @@ adjudge_to_death:
                        if (tmo > TCP_TIMEWAIT_LEN) {
                                inet_csk_reset_keepalive_timer(sk, tcp_fin_time(sk));
                        } else {
-                                atomic_inc(sk->sk_prot->orphan_count);
                                tcp_time_wait(sk, TCP_FIN_WAIT2, tmo);
                                goto out;
                        }
@@ -1603,7 +1609,6 @@ adjudge_to_death:
                        NET_INC_STATS_BH(LINUX_MIB_TCPABORTONMEMORY);
                }
        }
-        atomic_inc(sk->sk_prot->orphan_count);
        if (sk->sk_state == TCP_CLOSE)
                inet_csk_destroy_sock(sk);
diff --git a/net/ipv4/tcp_highspeed.c b/net/ipv4/tcp_highspeed.c
index e0e9d1383c7c..ba7c63ca5bb1 100644
--- a/net/ipv4/tcp_highspeed.c
+++ b/net/ipv4/tcp_highspeed.c
@@ -135,10 +135,11 @@ static void hstcp_cong_avoid(struct sock *sk, u32 adk, u32 rtt,
                /* Do additive increase */
                if (tp->snd_cwnd < tp->snd_cwnd_clamp) {
-                        tp->snd_cwnd_cnt += ca->ai;
+                        /* cwnd = cwnd + a(w) / cwnd */
+                        tp->snd_cwnd_cnt += ca->ai + 1;
                        if (tp->snd_cwnd_cnt >= tp->snd_cwnd) {
-                                tp->snd_cwnd++;
                                tp->snd_cwnd_cnt -= tp->snd_cwnd;
+                                tp->snd_cwnd++;
                        }
                }
        }
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 195d83584558..b5521a9d3dc1 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -1649,7 +1649,7 @@ static void tcp_update_scoreboard(struct sock *sk, struct tcp_sock *tp)
         * Hence, we can detect timed out packets during fast
         * retransmit without falling to slow start.
         */
-        if (tcp_head_timedout(sk, tp)) {
+        if (!IsReno(tp) && tcp_head_timedout(sk, tp)) {
                struct sk_buff *skb;
                skb = tp->scoreboard_skb_hint ? tp->scoreboard_skb_hint
@@ -4559,7 +4559,6 @@ discard:
 EXPORT_SYMBOL(sysctl_tcp_ecn);
 EXPORT_SYMBOL(sysctl_tcp_reordering);
-EXPORT_SYMBOL(sysctl_tcp_abc);
 EXPORT_SYMBOL(tcp_parse_options);
 EXPORT_SYMBOL(tcp_rcv_established);
 EXPORT_SYMBOL(tcp_rcv_state_process);
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 9e85c0416109..672950e54c49 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1859,5 +1859,4 @@ EXPORT_SYMBOL(tcp_proc_unregister);
 #endif
 EXPORT_SYMBOL(sysctl_local_port_range);
 EXPORT_SYMBOL(sysctl_tcp_low_latency);
-EXPORT_SYMBOL(sysctl_tcp_tw_reuse);
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 9d79546d384e..f33c9dddaa12 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -59,9 +59,6 @@ int sysctl_tcp_tso_win_divisor = 3;
 int sysctl_tcp_mtu_probing = 0;
 int sysctl_tcp_base_mss = 512;
-EXPORT_SYMBOL(sysctl_tcp_mtu_probing);
-EXPORT_SYMBOL(sysctl_tcp_base_mss);
 static void update_send_head(struct sock *sk, struct tcp_sock *tp,
                             struct sk_buff *skb)
 {
@@ -468,7 +465,7 @@ static int tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, int clone_it,
        TCP_INC_STATS(TCP_MIB_OUTSEGS);
        err = icsk->icsk_af_ops->queue_xmit(skb, 0);
-        if (unlikely(err <= 0))
+        if (likely(err <= 0))
                return err;
        tcp_enter_cwr(sk);
@@ -536,6 +533,7 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len, unsigned int mss
        struct tcp_sock *tp = tcp_sk(sk);
        struct sk_buff *buff;
        int nsize, old_factor;
+        int nlen;
        u16 flags;
        BUG_ON(len > skb->len);
@@ -554,7 +552,11 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len, unsigned int mss
        buff = sk_stream_alloc_skb(sk, nsize, GFP_ATOMIC);
        if (buff == NULL)
                return -ENOMEM; /* We'll just try again later. */
        sk_charge_skb(sk, buff);
+        nlen = skb->len - len - nsize;
+        buff->truesize += nlen;
+        skb->truesize -= nlen;
        /* Correct the sequence numbers. */
        TCP_SKB_CB(buff)->seq = TCP_SKB_CB(skb)->seq + len;
@@ -640,7 +642,7 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len, unsigned int mss
 * eventually). The difference is that pulled data not copied, but
 * immediately discarded.
 */
-static unsigned char *__pskb_trim_head(struct sk_buff *skb, int len)
+static void __pskb_trim_head(struct sk_buff *skb, int len)
 {
        int i, k, eat;
@@ -665,7 +667,6 @@ static unsigned char *__pskb_trim_head(struct sk_buff *skb, int len)
        skb->tail = skb->data;
        skb->data_len -= len;
        skb->len = skb->data_len;
-        return skb->tail;
 }
 int tcp_trim_head(struct sock *sk, struct sk_buff *skb, u32 len)
@@ -674,12 +675,11 @@ int tcp_trim_head(struct sock *sk, struct sk_buff *skb, u32 len)
            pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
                return -ENOMEM;
-        if (len <= skb_headlen(skb)) {
+        /* If len == headlen, we avoid __skb_pull to preserve alignment. */
+        if (unlikely(len < skb_headlen(skb)))
                __skb_pull(skb, len);
-        } else {
+        else
-                if (__pskb_trim_head(skb, len-skb_headlen(skb)) == NULL)
+                __pskb_trim_head(skb, len - skb_headlen(skb));
-                        return -ENOMEM;
-        }
        TCP_SKB_CB(skb)->seq += len;
        skb->ip_summed = CHECKSUM_HW;
@@ -1040,7 +1040,8 @@ static int tso_fragment(struct sock *sk, struct sk_buff *skb, unsigned int len,
        if (unlikely(buff == NULL))
                return -ENOMEM;
-        buff->truesize = nlen;
+        sk_charge_skb(sk, buff);
+        buff->truesize += nlen;
        skb->truesize -= nlen;
        /* Correct the sequence numbers. */
diff --git a/net/ipv4/tunnel4.c b/net/ipv4/tunnel4.c
index 0d7d386dac22..8d30c48f090e 100644
--- a/net/ipv4/tunnel4.c
+++ b/net/ipv4/tunnel4.c
@@ -8,6 +8,8 @@
 #include <linux/mutex.h>
 #include <linux/netdevice.h>
 #include <linux/skbuff.h>
+#include <net/icmp.h>
+#include <net/ip.h>
 #include <net/protocol.h>
 #include <net/xfrm.h>
@@ -70,10 +72,16 @@ static int tunnel4_rcv(struct sk_buff *skb)
 {
        struct xfrm_tunnel *handler;
+        if (!pskb_may_pull(skb, sizeof(struct iphdr)))
+                goto drop;
        for (handler = tunnel4_handlers; handler; handler = handler->next)
                if (!handler->handler(skb))
                        return 0;
+        icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
+drop:
        kfree_skb(skb);
        return 0;
 }
diff --git a/net/ipv4/xfrm4_input.c b/net/ipv4/xfrm4_input.c
index e1b8f4b90d80..3e174c83bfe7 100644
--- a/net/ipv4/xfrm4_input.c
+++ b/net/ipv4/xfrm4_input.c
@@ -37,8 +37,6 @@ static int xfrm4_parse_spi(struct sk_buff *skb, u8 nexthdr, u32 *spi, u32 *seq)
 {
        switch (nexthdr) {
        case IPPROTO_IPIP:
-                if (!pskb_may_pull(skb, sizeof(struct iphdr)))
-                        return -EINVAL;
                *spi = skb->nh.iph->saddr;
                *seq = 0;
                return 0;
@@ -90,7 +88,7 @@ int xfrm4_rcv_encap(struct sk_buff *skb, __u16 encap_type)
                if (unlikely(x->km.state != XFRM_STATE_VALID))
                        goto drop_unlock;
-                if (x->encap->encap_type != encap_type)
+                if ((x->encap ? x->encap->encap_type : 0) != encap_type)
                        goto drop_unlock;
                if (x->props.replay_window && xfrm_replay_check(x, seq))
diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
index 32ad229b4fed..4ef8efaf6a67 100644
--- a/net/ipv4/xfrm4_output.c
+++ b/net/ipv4/xfrm4_output.c
@@ -62,7 +62,7 @@ static void xfrm4_encap(struct sk_buff *skb)
        top_iph->frag_off = (flags & XFRM_STATE_NOPMTUDISC) ?
                0 : (iph->frag_off & htons(IP_DF));
        if (!top_iph->frag_off)
-                __ip_select_ident(top_iph, dst, 0);
+                __ip_select_ident(top_iph, dst->child, 0);
        top_iph->ttl = dst_metric(dst->child, RTAX_HOPLIMIT);
diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index f285bbf296e2..8604c747bca5 100644
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -221,7 +221,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl)
                        if (pskb_may_pull(skb, xprth + 4 - skb->data)) {
                                u16 *ipcomp_hdr = (u16 *)xprth;
-                                fl->fl_ipsec_spi = ntohl(ntohs(ipcomp_hdr[1]));
+                                fl->fl_ipsec_spi = htonl(ntohs(ipcomp_hdr[1]));
                        }
                        break;
                default:
diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
index 2a1e7e45b890..a18d4256372c 100644
--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -485,15 +485,27 @@ static struct tlvtype_proc tlvprochopopt_lst[] = {
        { -1, }
 };
-int ipv6_parse_hopopts(struct sk_buff *skb, int nhoff)
+int ipv6_parse_hopopts(struct sk_buff *skb)
 {
        struct inet6_skb_parm *opt = IP6CB(skb);
+        /*
+         * skb->nh.raw is equal to skb->data, and
+         * skb->h.raw - skb->nh.raw is always equal to
+         * sizeof(struct ipv6hdr) by definition of
+         * hop-by-hop options.
+         */
+        if (!pskb_may_pull(skb, sizeof(struct ipv6hdr) + 8) ||
+            !pskb_may_pull(skb, sizeof(struct ipv6hdr) + ((skb->h.raw[1] + 1) << 3))) {
+                kfree_skb(skb);
+                return -1;
+        }
        opt->hop = sizeof(struct ipv6hdr);
        if (ip6_parse_tlv(tlvprochopopt_lst, skb)) {
                skb->h.raw += (skb->h.raw[1]+1)<<3;
                opt->nhoff = sizeof(struct ipv6hdr);
-                return sizeof(struct ipv6hdr);
+                return 1;
        }
        return -1;
 }
diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
index 21eb725e885f..1044b6fce0d5 100644
--- a/net/ipv6/icmp.c
+++ b/net/ipv6/icmp.c
@@ -717,7 +717,7 @@ int __init icmpv6_init(struct net_proto_family *ops)
        struct sock *sk;
        int err, i, j;
-        for_each_cpu(i) {
+        for_each_possible_cpu(i) {
                err = sock_create_kern(PF_INET6, SOCK_RAW, IPPROTO_ICMPV6,
                                       &per_cpu(__icmpv6_socket, i));
                if (err < 0) {
@@ -763,7 +763,7 @@ void icmpv6_cleanup(void)
 {
        int i;
-        for_each_cpu(i) {
+        for_each_possible_cpu(i) {
                sock_release(per_cpu(__icmpv6_socket, i));
        }
        inet6_del_protocol(&icmpv6_protocol, IPPROTO_ICMPV6);
diff --git a/net/ipv6/inet6_connection_sock.c b/net/ipv6/inet6_connection_sock.c
index f8f3a37a1494..eb2865d5ae28 100644
--- a/net/ipv6/inet6_connection_sock.c
+++ b/net/ipv6/inet6_connection_sock.c
@@ -173,6 +173,7 @@ int inet6_csk_xmit(struct sk_buff *skb, int ipfragok)
                if (err) {
                        sk->sk_err_soft = -err;
+                        kfree_skb(skb);
                        return err;
                }
@@ -181,6 +182,7 @@ int inet6_csk_xmit(struct sk_buff *skb, int ipfragok)
                if ((err = xfrm_lookup(&dst, &fl, sk, 0)) < 0) {
                        sk->sk_route_caps = 0;
+                        kfree_skb(skb);
                        return err;
                }
diff --git a/net/ipv6/inet6_hashtables.c b/net/ipv6/inet6_hashtables.c
index bb8ffb8a14c5..2ae84c961678 100644
--- a/net/ipv6/inet6_hashtables.c
+++ b/net/ipv6/inet6_hashtables.c
@@ -23,6 +23,86 @@
 #include <net/inet6_hashtables.h>
 #include <net/ip.h>
+void __inet6_hash(struct inet_hashinfo *hashinfo,
+                                struct sock *sk)
+{
+        struct hlist_head *list;
+        rwlock_t *lock;
+        BUG_TRAP(sk_unhashed(sk));
+        if (sk->sk_state == TCP_LISTEN) {
+                list = &hashinfo->listening_hash[inet_sk_listen_hashfn(sk)];
+                lock = &hashinfo->lhash_lock;
+                inet_listen_wlock(hashinfo);
+        } else {
+                unsigned int hash;
+                sk->sk_hash = hash = inet6_sk_ehashfn(sk);
+                hash &= (hashinfo->ehash_size - 1);
+                list = &hashinfo->ehash[hash].chain;
+                lock = &hashinfo->ehash[hash].lock;
+                write_lock(lock);
+        }
+        __sk_add_node(sk, list);
+        sock_prot_inc_use(sk->sk_prot);
+        write_unlock(lock);
+}
+EXPORT_SYMBOL(__inet6_hash);
+/*
+ * Sockets in TCP_CLOSE state are _always_ taken out of the hash, so
+ * we need not check it for TCP lookups anymore, thanks Alexey. -DaveM
+ *
+ * The sockhash lock must be held as a reader here.
+ */
+struct sock *__inet6_lookup_established(struct inet_hashinfo *hashinfo,
+                                           const struct in6_addr *saddr,
+                                           const u16 sport,
+                                           const struct in6_addr *daddr,
+                                           const u16 hnum,
+                                           const int dif)
+{
+        struct sock *sk;
+        const struct hlist_node *node;
+        const __u32 ports = INET_COMBINED_PORTS(sport, hnum);
+        /* Optimize here for direct hit, only listening connections can
+         * have wildcards anyways.
+         */
+        unsigned int hash = inet6_ehashfn(daddr, hnum, saddr, sport);
+        struct inet_ehash_bucket *head = inet_ehash_bucket(hashinfo, hash);
+        prefetch(head->chain.first);
+        read_lock(&head->lock);
+        sk_for_each(sk, node, &head->chain) {
+                /* For IPV6 do the cheaper port and family tests first. */
+                if (INET6_MATCH(sk, hash, saddr, daddr, ports, dif))
+                        goto hit; /* You sunk my battleship! */
+        }
+        /* Must check for a TIME_WAIT'er before going to listener hash. */
+        sk_for_each(sk, node, &(head + hashinfo->ehash_size)->chain) {
+                const struct inet_timewait_sock *tw = inet_twsk(sk);
+                if(*((__u32 *)&(tw->tw_dport))  == ports        &&
+                   sk->sk_family                == PF_INET6) {
+                        const struct inet6_timewait_sock *tw6 = inet6_twsk(sk);
+                        if (ipv6_addr_equal(&tw6->tw_v6_daddr, saddr)   &&
+                            ipv6_addr_equal(&tw6->tw_v6_rcv_saddr, daddr)       &&
+                            (!sk->sk_bound_dev_if || sk->sk_bound_dev_if == dif))
+                                goto hit;
+                }
+        }
+        read_unlock(&head->lock);
+        return NULL;
+hit:
+        sock_hold(sk);
+        read_unlock(&head->lock);
+        return sk;
+}
+EXPORT_SYMBOL(__inet6_lookup_established);
 struct sock *inet6_lookup_listener(struct inet_hashinfo *hashinfo,
                                   const struct in6_addr *daddr,
                                   const unsigned short hnum, const int dif)
diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
index 29f73592e68e..aceee252503d 100644
--- a/net/ipv6/ip6_input.c
+++ b/net/ipv6/ip6_input.c
@@ -114,11 +114,10 @@ int ipv6_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt
        }
        if (hdr->nexthdr == NEXTHDR_HOP) {
-                if (ipv6_parse_hopopts(skb, IP6CB(skb)->nhoff) < 0) {
+                if (ipv6_parse_hopopts(skb) < 0) {
                        IP6_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS);
                        return 0;
                }
-                hdr = skb->nh.ipv6h;
        }
        return NF_HOOK(PF_INET6,NF_IP6_PRE_ROUTING, skb, dev, NULL, ip6_rcv_finish);
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index ff9040c92556..a995796b5a57 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -519,9 +519,6 @@ ip6ip6_rcv(struct sk_buff *skb)
        struct ipv6hdr *ipv6h;
        struct ip6_tnl *t;
-        if (!pskb_may_pull(skb, sizeof (*ipv6h)))
-                goto discard;
        ipv6h = skb->nh.ipv6h;
        read_lock(&ip6ip6_lock);
@@ -529,8 +526,7 @@ ip6ip6_rcv(struct sk_buff *skb)
        if ((t = ip6ip6_tnl_lookup(&ipv6h->saddr, &ipv6h->daddr)) != NULL) {
                if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
                        read_unlock(&ip6ip6_lock);
-                        kfree_skb(skb);
+                        goto discard;
-                        return 0;
                }
                if (!(t->parms.flags & IP6_TNL_F_CAP_RCV)) {
@@ -557,9 +553,11 @@ ip6ip6_rcv(struct sk_buff *skb)
                return 0;
        }
        read_unlock(&ip6ip6_lock);
-        icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_ADDR_UNREACH, 0, skb->dev);
-discard:
        return 1;
+discard:
+        kfree_skb(skb);
+        return 0;
 }
 static inline struct ipv6_txoptions *create_tel(__u8 encap_limit)
diff --git a/net/ipv6/ipcomp6.c b/net/ipv6/ipcomp6.c
index 00f3fadfcca7..48636436028a 100644
--- a/net/ipv6/ipcomp6.c
+++ b/net/ipv6/ipcomp6.c
@@ -208,7 +208,7 @@ static void ipcomp6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
        if (type != ICMPV6_DEST_UNREACH && type != ICMPV6_PKT_TOOBIG)
                return;
-        spi = ntohl(ntohs(ipcomph->cpi));
+        spi = htonl(ntohs(ipcomph->cpi));
        x = xfrm_state_lookup((xfrm_address_t *)&iph->daddr, spi, IPPROTO_COMP, AF_INET6);
        if (!x)
                return;
@@ -290,7 +290,7 @@ static void ipcomp6_free_scratches(void)
        if (!scratches)
                return;
-        for_each_cpu(i) {
+        for_each_possible_cpu(i) {
                void *scratch = *per_cpu_ptr(scratches, i);
                vfree(scratch);
@@ -313,7 +313,7 @@ static void **ipcomp6_alloc_scratches(void)
        ipcomp6_scratches = scratches;
-        for_each_cpu(i) {
+        for_each_possible_cpu(i) {
                void *scratch = vmalloc(IPCOMP_SCRATCH_SIZE);
                if (!scratch)
                        return NULL;
@@ -344,7 +344,7 @@ static void ipcomp6_free_tfms(struct crypto_tfm **tfms)
        if (!tfms)
                return;
-        for_each_cpu(cpu) {
+        for_each_possible_cpu(cpu) {
                struct crypto_tfm *tfm = *per_cpu_ptr(tfms, cpu);
                crypto_free_tfm(tfm);
        }
@@ -384,7 +384,7 @@ static struct crypto_tfm **ipcomp6_alloc_tfms(const char *alg_name)
        if (!tfms)
                goto error;
-        for_each_cpu(cpu) {
+        for_each_possible_cpu(cpu) {
                struct crypto_tfm *tfm = crypto_alloc_tfm(alg_name, 0);
                if (!tfm)
                        goto error;
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index d750cfc019dc..395a417ba955 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -7,6 +7,7 @@
 #include <net/ipv6.h>
 #include <net/ip6_route.h>
 #include <net/xfrm.h>
+#include <net/ip6_checksum.h>
 int ip6_route_me_harder(struct sk_buff *skb)
 {
@@ -54,7 +55,7 @@ struct ip6_rt_info {
        struct in6_addr saddr;
 };
-static void save(const struct sk_buff *skb, struct nf_info *info)
+static void nf_ip6_saveroute(const struct sk_buff *skb, struct nf_info *info)
 {
        struct ip6_rt_info *rt_info = nf_info_reroute(info);
@@ -66,7 +67,7 @@ static void save(const struct sk_buff *skb, struct nf_info *info)
        }
 }
-static int reroute(struct sk_buff **pskb, const struct nf_info *info)
+static int nf_ip6_reroute(struct sk_buff **pskb, const struct nf_info *info)
 {
        struct ip6_rt_info *rt_info = nf_info_reroute(info);
@@ -79,15 +80,50 @@ static int reroute(struct sk_buff **pskb, const struct nf_info *info)
        return 0;
 }
-static struct nf_queue_rerouter ip6_reroute = {
+unsigned int nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
-        .rer_size       = sizeof(struct ip6_rt_info),
+                             unsigned int dataoff, u_int8_t protocol)
-        .save           = &save,
+{
-        .reroute        = &reroute,
+        struct ipv6hdr *ip6h = skb->nh.ipv6h;
+        unsigned int csum = 0;
+        switch (skb->ip_summed) {
+        case CHECKSUM_HW:
+                if (hook != NF_IP6_PRE_ROUTING && hook != NF_IP6_LOCAL_IN)
+                        break;
+                if (!csum_ipv6_magic(&ip6h->saddr, &ip6h->daddr,
+                                     skb->len - dataoff, protocol,
+                                     csum_sub(skb->csum,
+                                              skb_checksum(skb, 0,
+                                                           dataoff, 0)))) {
+                        skb->ip_summed = CHECKSUM_UNNECESSARY;
+                        break;
+                }
+                /* fall through */
+        case CHECKSUM_NONE:
+                skb->csum = ~csum_ipv6_magic(&ip6h->saddr, &ip6h->daddr,
+                                             skb->len - dataoff,
+                                             protocol,
+                                             csum_sub(0,
+                                                      skb_checksum(skb, 0,
+                                                                   dataoff, 0)));
+                csum = __skb_checksum_complete(skb);
+        }
+        return csum;
+}
+EXPORT_SYMBOL(nf_ip6_checksum);
+static struct nf_afinfo nf_ip6_afinfo = {
+        .family         = AF_INET6,
+        .checksum       = nf_ip6_checksum,
+        .saveroute      = nf_ip6_saveroute,
+        .reroute        = nf_ip6_reroute,
+        .route_key_size = sizeof(struct ip6_rt_info),
 };
 int __init ipv6_netfilter_init(void)
 {
-        return nf_register_queue_rerouter(PF_INET6, &ip6_reroute);
+        return nf_register_afinfo(&nf_ip6_afinfo);
 }
 /* This can be called from inet6_init() on errors, so it cannot
@@ -95,5 +131,5 @@ int __init ipv6_netfilter_init(void)
 */
 void ipv6_netfilter_fini(void)
 {
-        nf_unregister_queue_rerouter(PF_INET6);
+        nf_unregister_afinfo(&nf_ip6_afinfo);
 }
diff --git a/net/ipv6/netfilter/ip6_queue.c b/net/ipv6/netfilter/ip6_queue.c
index e81c6a9dab81..b4b7d441af25 100644
--- a/net/ipv6/netfilter/ip6_queue.c
+++ b/net/ipv6/netfilter/ip6_queue.c
@@ -658,15 +658,11 @@ static struct nf_queue_handler nfqh = {
        .outfn  = &ipq_enqueue_packet,
 };
-static int
+static int __init ip6_queue_init(void)
-init_or_cleanup(int init)
 {
        int status = -ENOMEM;
        struct proc_dir_entry *proc;
        
-        if (!init)
-                goto cleanup;
        netlink_register_notifier(&ipq_nl_notifier);
        ipqnl = netlink_kernel_create(NETLINK_IP6_FW, 0, ipq_rcv_sk,
                                      THIS_MODULE);
@@ -693,11 +689,6 @@ init_or_cleanup(int init)
        }
        return status;
-cleanup:
-        nf_unregister_queue_handlers(&nfqh);
-        synchronize_net();
-        ipq_flush(NF_DROP);
-        
 cleanup_sysctl:
        unregister_sysctl_table(ipq_sysctl_header);
        unregister_netdevice_notifier(&ipq_dev_notifier);
@@ -713,15 +704,21 @@ cleanup_netlink_notifier:
        return status;
 }
-static int __init ip6_queue_init(void)
-{
-        
-        return init_or_cleanup(1);
-}
 static void __exit ip6_queue_fini(void)
 {
-        init_or_cleanup(0);
+        nf_unregister_queue_handlers(&nfqh);
+        synchronize_net();
+        ipq_flush(NF_DROP);
+        unregister_sysctl_table(ipq_sysctl_header);
+        unregister_netdevice_notifier(&ipq_dev_notifier);
+        proc_net_remove(IPQ_PROC_FS_NAME);
+        sock_release(ipqnl->sk_socket);
+        mutex_lock(&ipqnl_mutex);
+        mutex_unlock(&ipqnl_mutex);
+        netlink_unregister_notifier(&ipq_nl_notifier);
 }
 MODULE_DESCRIPTION("IPv6 packet queue handler");
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 3ecf2db841f8..2e72f89a7019 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -288,19 +288,6 @@ ip6t_do_table(struct sk_buff **pskb,
        table_base = (void *)private->entries[smp_processor_id()];
        e = get_entry(table_base, private->hook_entry[hook]);
-#ifdef CONFIG_NETFILTER_DEBUG
-        /* Check noone else using our table */
-        if (((struct ip6t_entry *)table_base)->comefrom != 0xdead57ac
-            && ((struct ip6t_entry *)table_base)->comefrom != 0xeeeeeeec) {
-                printk("ASSERT: CPU #%u, %s comefrom(%p) = %X\n",
-                       smp_processor_id(),
-                       table->name,
-                       &((struct ip6t_entry *)table_base)->comefrom,
-                       ((struct ip6t_entry *)table_base)->comefrom);
-        }
-        ((struct ip6t_entry *)table_base)->comefrom = 0x57acc001;
-#endif
        /* For return from builtin chain */
        back = get_entry(table_base, private->underflow[hook]);
@@ -788,7 +775,7 @@ translate_table(const char *name,
        }
        /* And one copy for every other CPU */
-        for_each_cpu(i) {
+        for_each_possible_cpu(i) {
                if (newinfo->entries[i] && newinfo->entries[i] != entry0)
                        memcpy(newinfo->entries[i], entry0, newinfo->size);
        }
@@ -841,7 +828,7 @@ get_counters(const struct xt_table_info *t,
                           counters,
                           &i);
-        for_each_cpu(cpu) {
+        for_each_possible_cpu(cpu) {
                if (cpu == curcpu)
                        continue;
                i = 0;
@@ -1116,7 +1103,7 @@ do_add_counters(void __user *user, unsigned int len)
        write_lock_bh(&t->lock);
        private = t->private;
-        if (private->number != paddc->num_counters) {
+        if (private->number != tmp.num_counters) {
                ret = -EINVAL;
                goto unlock_up_free;
        }
diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c
index a96c0de14b00..73c6300109d6 100644
--- a/net/ipv6/netfilter/ip6t_LOG.c
+++ b/net/ipv6/netfilter/ip6t_LOG.c
@@ -439,7 +439,7 @@ ip6t_log_target(struct sk_buff **pskb,
        if (loginfo->logflags & IP6T_LOG_NFLOG)
                nf_log_packet(PF_INET6, hooknum, *pskb, in, out, &li,
-                              loginfo->prefix);
+                              "%s", loginfo->prefix);
        else
                ip6t_log_packet(PF_INET6, hooknum, *pskb, in, out, &li,
                                loginfo->prefix);
diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c
index 94dbdb8b458d..4f6b84c8f4ab 100644
--- a/net/ipv6/netfilter/ip6t_eui64.c
+++ b/net/ipv6/netfilter/ip6t_eui64.c
@@ -40,7 +40,7 @@ match(const struct sk_buff *skb,
        memset(eui64, 0, sizeof(eui64));
-        if (eth_hdr(skb)->h_proto == ntohs(ETH_P_IPV6)) {
+        if (eth_hdr(skb)->h_proto == htons(ETH_P_IPV6)) {
                if (skb->nh.ipv6h->version == 0x6) {
                        memcpy(eui64, eth_hdr(skb)->h_source, 3);
                        memcpy(eui64 + 5, eth_hdr(skb)->h_source + 3, 3);
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index e5e724d9ee60..60976c0c58e8 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -177,37 +177,20 @@ static int __init ip6table_filter_init(void)
                return ret;
        /* Register hooks */
-        ret = nf_register_hook(&ip6t_ops[0]);
+        ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
        if (ret < 0)
                goto cleanup_table;
-        ret = nf_register_hook(&ip6t_ops[1]);
-        if (ret < 0)
-                goto cleanup_hook0;
-        ret = nf_register_hook(&ip6t_ops[2]);
-        if (ret < 0)
-                goto cleanup_hook1;
        return ret;
- cleanup_hook1:
-        nf_unregister_hook(&ip6t_ops[1]);
- cleanup_hook0:
-        nf_unregister_hook(&ip6t_ops[0]);
 cleanup_table:
        ip6t_unregister_table(&packet_filter);
        return ret;
 }
 static void __exit ip6table_filter_fini(void)
 {
-        unsigned int i;
+        nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
-        for (i = 0; i < sizeof(ip6t_ops)/sizeof(struct nf_hook_ops); i++)
-                nf_unregister_hook(&ip6t_ops[i]);
        ip6t_unregister_table(&packet_filter);
 }
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index e1f0f6ae9841..03a13eab1dae 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -238,49 +238,20 @@ static int __init ip6table_mangle_init(void)
                return ret;
        /* Register hooks */
-        ret = nf_register_hook(&ip6t_ops[0]);
+        ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
        if (ret < 0)
                goto cleanup_table;
-        ret = nf_register_hook(&ip6t_ops[1]);
-        if (ret < 0)
-                goto cleanup_hook0;
-        ret = nf_register_hook(&ip6t_ops[2]);
-        if (ret < 0)
-                goto cleanup_hook1;
-        ret = nf_register_hook(&ip6t_ops[3]);
-        if (ret < 0)
-                goto cleanup_hook2;
-        ret = nf_register_hook(&ip6t_ops[4]);
-        if (ret < 0)
-                goto cleanup_hook3;
        return ret;
- cleanup_hook3:
-        nf_unregister_hook(&ip6t_ops[3]);
- cleanup_hook2:
-        nf_unregister_hook(&ip6t_ops[2]);
- cleanup_hook1:
-        nf_unregister_hook(&ip6t_ops[1]);
- cleanup_hook0:
-        nf_unregister_hook(&ip6t_ops[0]);
 cleanup_table:
        ip6t_unregister_table(&packet_mangler);
        return ret;
 }
 static void __exit ip6table_mangle_fini(void)
 {
-        unsigned int i;
+        nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
-        for (i = 0; i < sizeof(ip6t_ops)/sizeof(struct nf_hook_ops); i++)
-                nf_unregister_hook(&ip6t_ops[i]);
        ip6t_unregister_table(&packet_mangler);
 }
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index 54d1fffd62ba..61a7c58e99f8 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -152,31 +152,20 @@ static int __init ip6table_raw_init(void)
                return ret;
        /* Register hooks */
-        ret = nf_register_hook(&ip6t_ops[0]);
+        ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
        if (ret < 0)
                goto cleanup_table;
-        ret = nf_register_hook(&ip6t_ops[1]);
-        if (ret < 0)
-                goto cleanup_hook0;
        return ret;
- cleanup_hook0:
-        nf_unregister_hook(&ip6t_ops[0]);
 cleanup_table:
        ip6t_unregister_table(&packet_raw);
        return ret;
 }
 static void __exit ip6table_raw_fini(void)
 {
-        unsigned int i;
+        nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
-        for (i = 0; i < sizeof(ip6t_ops)/sizeof(struct nf_hook_ops); i++)
-                nf_unregister_hook(&ip6t_ops[i]);
        ip6t_unregister_table(&packet_raw);
 }
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index c8b5a96cbb0f..93bae36f2663 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -286,55 +286,49 @@ static unsigned int ipv6_conntrack_local(unsigned int hooknum,
        return ipv6_conntrack_in(hooknum, pskb, in, out, okfn);
 }
-/* Connection tracking may drop packets, but never alters them, so
+static struct nf_hook_ops ipv6_conntrack_ops[] = {
-   make it the first hook. */
+        {
-static struct nf_hook_ops ipv6_conntrack_defrag_ops = {
+                .hook           = ipv6_defrag,
-        .hook           = ipv6_defrag,
+                .owner          = THIS_MODULE,
-        .owner          = THIS_MODULE,
+                .pf             = PF_INET6,
-        .pf             = PF_INET6,
+                .hooknum        = NF_IP6_PRE_ROUTING,
-        .hooknum        = NF_IP6_PRE_ROUTING,
+                .priority       = NF_IP6_PRI_CONNTRACK_DEFRAG,
-        .priority       = NF_IP6_PRI_CONNTRACK_DEFRAG,
+        },
-};
+        {
+                .hook           = ipv6_conntrack_in,
-static struct nf_hook_ops ipv6_conntrack_in_ops = {
+                .owner          = THIS_MODULE,
-        .hook           = ipv6_conntrack_in,
+                .pf             = PF_INET6,
-        .owner          = THIS_MODULE,
+                .hooknum        = NF_IP6_PRE_ROUTING,
-        .pf             = PF_INET6,
+                .priority       = NF_IP6_PRI_CONNTRACK,
-        .hooknum        = NF_IP6_PRE_ROUTING,
+        },
-        .priority       = NF_IP6_PRI_CONNTRACK,
+        {
-};
+                .hook           = ipv6_conntrack_local,
+                .owner          = THIS_MODULE,
-static struct nf_hook_ops ipv6_conntrack_local_out_ops = {
+                .pf             = PF_INET6,
-        .hook           = ipv6_conntrack_local,
+                .hooknum        = NF_IP6_LOCAL_OUT,
-        .owner          = THIS_MODULE,
+                .priority       = NF_IP6_PRI_CONNTRACK,
-        .pf             = PF_INET6,
+        },
-        .hooknum        = NF_IP6_LOCAL_OUT,
+        {
-        .priority       = NF_IP6_PRI_CONNTRACK,
+                .hook           = ipv6_defrag,
-};
+                .owner          = THIS_MODULE,
+                .pf             = PF_INET6,
-static struct nf_hook_ops ipv6_conntrack_defrag_local_out_ops = {
+                .hooknum        = NF_IP6_LOCAL_OUT,
-        .hook           = ipv6_defrag,
+                .priority       = NF_IP6_PRI_CONNTRACK_DEFRAG,
-        .owner          = THIS_MODULE,
+        },
-        .pf             = PF_INET6,
+        {
-        .hooknum        = NF_IP6_LOCAL_OUT,
+                .hook           = ipv6_confirm,
-        .priority       = NF_IP6_PRI_CONNTRACK_DEFRAG,
+                .owner          = THIS_MODULE,
-};
+                .pf             = PF_INET6,
+                .hooknum        = NF_IP6_POST_ROUTING,
-/* Refragmenter; last chance. */
+                .priority       = NF_IP6_PRI_LAST,
-static struct nf_hook_ops ipv6_conntrack_out_ops = {
+        },
-        .hook           = ipv6_confirm,
+        {
-        .owner          = THIS_MODULE,
+                .hook           = ipv6_confirm,
-        .pf             = PF_INET6,
+                .owner          = THIS_MODULE,
-        .hooknum        = NF_IP6_POST_ROUTING,
+                .pf             = PF_INET6,
-        .priority       = NF_IP6_PRI_LAST,
+                .hooknum        = NF_IP6_LOCAL_IN,
-};
+                .priority       = NF_IP6_PRI_LAST-1,
+        },
-static struct nf_hook_ops ipv6_conntrack_local_in_ops = {
-        .hook           = ipv6_confirm,
-        .owner          = THIS_MODULE,
-        .pf             = PF_INET6,
-        .hooknum        = NF_IP6_LOCAL_IN,
-        .priority       = NF_IP6_PRI_LAST-1,
 };
 #ifdef CONFIG_SYSCTL
@@ -470,16 +464,21 @@ extern struct nf_conntrack_protocol nf_conntrack_protocol_udp6;
 extern struct nf_conntrack_protocol nf_conntrack_protocol_icmpv6;
 extern int nf_ct_frag6_init(void);
 extern void nf_ct_frag6_cleanup(void);
-static int init_or_cleanup(int init)
+MODULE_ALIAS("nf_conntrack-" __stringify(AF_INET6));
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Yasuyuki KOZAKAI @USAGI <yasuyuki.kozakai@toshiba.co.jp>");
+static int __init nf_conntrack_l3proto_ipv6_init(void)
 {
        int ret = 0;
-        if (!init) goto cleanup;
+        need_conntrack();
        ret = nf_ct_frag6_init();
        if (ret < 0) {
                printk("nf_conntrack_ipv6: can't initialize frag6.\n");
-                goto cleanup_nothing;
+                return ret;
        }
        ret = nf_conntrack_protocol_register(&nf_conntrack_protocol_tcp6);
        if (ret < 0) {
@@ -505,71 +504,27 @@ static int init_or_cleanup(int init)
                goto cleanup_icmpv6;
        }
-        ret = nf_register_hook(&ipv6_conntrack_defrag_ops);
+        ret = nf_register_hooks(ipv6_conntrack_ops,
+                                ARRAY_SIZE(ipv6_conntrack_ops));
        if (ret < 0) {
                printk("nf_conntrack_ipv6: can't register pre-routing defrag "
                       "hook.\n");
                goto cleanup_ipv6;
        }
-        ret = nf_register_hook(&ipv6_conntrack_defrag_local_out_ops);
-        if (ret < 0) {
-                printk("nf_conntrack_ipv6: can't register local_out defrag "
-                       "hook.\n");
-                goto cleanup_defragops;
-        }
-        ret = nf_register_hook(&ipv6_conntrack_in_ops);
-        if (ret < 0) {
-                printk("nf_conntrack_ipv6: can't register pre-routing hook.\n");
-                goto cleanup_defraglocalops;
-        }
-        ret = nf_register_hook(&ipv6_conntrack_local_out_ops);
-        if (ret < 0) {
-                printk("nf_conntrack_ipv6: can't register local out hook.\n");
-                goto cleanup_inops;
-        }
-        ret = nf_register_hook(&ipv6_conntrack_out_ops);
-        if (ret < 0) {
-                printk("nf_conntrack_ipv6: can't register post-routing hook.\n");
-                goto cleanup_inandlocalops;
-        }
-        ret = nf_register_hook(&ipv6_conntrack_local_in_ops);
-        if (ret < 0) {
-                printk("nf_conntrack_ipv6: can't register local in hook.\n");
-                goto cleanup_inoutandlocalops;
-        }
 #ifdef CONFIG_SYSCTL
        nf_ct_ipv6_sysctl_header = register_sysctl_table(nf_ct_net_table, 0);
        if (nf_ct_ipv6_sysctl_header == NULL) {
                printk("nf_conntrack: can't register to sysctl.\n");
                ret = -ENOMEM;
-                goto cleanup_localinops;
+                goto cleanup_hooks;
        }
 #endif
        return ret;
- cleanup:
-        synchronize_net();
 #ifdef CONFIG_SYSCTL
-        unregister_sysctl_table(nf_ct_ipv6_sysctl_header);
+ cleanup_hooks:
- cleanup_localinops:
+        nf_unregister_hooks(ipv6_conntrack_ops, ARRAY_SIZE(ipv6_conntrack_ops));
 #endif
-        nf_unregister_hook(&ipv6_conntrack_local_in_ops);
- cleanup_inoutandlocalops:
-        nf_unregister_hook(&ipv6_conntrack_out_ops);
- cleanup_inandlocalops:
-        nf_unregister_hook(&ipv6_conntrack_local_out_ops);
- cleanup_inops:
-        nf_unregister_hook(&ipv6_conntrack_in_ops);
- cleanup_defraglocalops:
-        nf_unregister_hook(&ipv6_conntrack_defrag_local_out_ops);
- cleanup_defragops:
-        nf_unregister_hook(&ipv6_conntrack_defrag_ops);
 cleanup_ipv6:
        nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv6);
 cleanup_icmpv6:
@@ -580,23 +535,21 @@ static int init_or_cleanup(int init)
        nf_conntrack_protocol_unregister(&nf_conntrack_protocol_tcp6);
 cleanup_frag6:
        nf_ct_frag6_cleanup();
- cleanup_nothing:
        return ret;
 }
-MODULE_ALIAS("nf_conntrack-" __stringify(AF_INET6));
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Yasuyuki KOZAKAI @USAGI <yasuyuki.kozakai@toshiba.co.jp>");
-static int __init nf_conntrack_l3proto_ipv6_init(void)
-{
-        need_conntrack();
-        return init_or_cleanup(1);
-}
 static void __exit nf_conntrack_l3proto_ipv6_fini(void)
 {
-        init_or_cleanup(0);
+        synchronize_net();
+#ifdef CONFIG_SYSCTL
+        unregister_sysctl_table(nf_ct_ipv6_sysctl_header);
+#endif
+        nf_unregister_hooks(ipv6_conntrack_ops, ARRAY_SIZE(ipv6_conntrack_ops));
+        nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv6);
+        nf_conntrack_protocol_unregister(&nf_conntrack_protocol_icmpv6);
+        nf_conntrack_protocol_unregister(&nf_conntrack_protocol_udp6);
+        nf_conntrack_protocol_unregister(&nf_conntrack_protocol_tcp6);
+        nf_ct_frag6_cleanup();
 }
 module_init(nf_conntrack_l3proto_ipv6_init);
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index 09945c333055..86c6703265d0 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -233,21 +233,13 @@ icmpv6_error(struct sk_buff *skb, unsigned int dataoff,
                return -NF_ACCEPT;
        }
-        if (hooknum != NF_IP6_PRE_ROUTING)
+        if (hooknum == NF_IP6_PRE_ROUTING &&
-                goto skipped;
+            nf_ip6_checksum(skb, hooknum, dataoff, IPPROTO_ICMPV6)) {
-        /* Ignore it if the checksum's bogus. */
-        if (csum_ipv6_magic(&skb->nh.ipv6h->saddr, &skb->nh.ipv6h->daddr,
-                            skb->len - dataoff, IPPROTO_ICMPV6,
-                            skb_checksum(skb, dataoff,
-                                         skb->len - dataoff, 0))) {
                nf_log_packet(PF_INET6, 0, skb, NULL, NULL, NULL,
                              "nf_ct_icmpv6: ICMPv6 checksum failed\n");
                return -NF_ACCEPT;
        }
-skipped:
        /* is not error message ? */
        if (icmp6h->icmp6_type >= 128)
                return NF_ACCEPT;
diff --git a/net/ipv6/proc.c b/net/ipv6/proc.c
index 4238b1ed8860..779ddf77f4d4 100644
--- a/net/ipv6/proc.c
+++ b/net/ipv6/proc.c
@@ -38,7 +38,7 @@ static int fold_prot_inuse(struct proto *proto)
        int res = 0;
        int cpu;
-        for_each_cpu(cpu)
+        for_each_possible_cpu(cpu)
                res += proto->stats[cpu].inuse;
        return res;
@@ -140,7 +140,7 @@ fold_field(void *mib[], int offt)
        unsigned long res = 0;
        int i;
 
-        for_each_cpu(i) {
+        for_each_possible_cpu(i) {
                res += *(((unsigned long *)per_cpu_ptr(mib[0], i)) + offt);
                res += *(((unsigned long *)per_cpu_ptr(mib[1], i)) + offt);
        }
diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
index b67a45fb93e9..eef985e010ea 100644
--- a/net/ipv6/reassembly.c
+++ b/net/ipv6/reassembly.c
@@ -121,6 +121,10 @@ static __inline__ void fq_unlink(struct frag_queue *fq)
        write_unlock(&ip6_frag_lock);
 }
+/*
+ * callers should be careful not to use the hash value outside the ipfrag_lock
+ * as doing so could race with ipfrag_hash_rnd being recalculated.
+ */
 static unsigned int ip6qhashfn(u32 id, struct in6_addr *saddr,
                               struct in6_addr *daddr)
 {
@@ -324,15 +328,16 @@ out:
 /* Creation primitives. */
-static struct frag_queue *ip6_frag_intern(unsigned int hash,
+static struct frag_queue *ip6_frag_intern(struct frag_queue *fq_in)
-                                          struct frag_queue *fq_in)
 {
        struct frag_queue *fq;
+        unsigned int hash;
 #ifdef CONFIG_SMP
        struct hlist_node *n;
 #endif
        write_lock(&ip6_frag_lock);
+        hash = ip6qhashfn(fq_in->id, &fq_in->saddr, &fq_in->daddr);
 #ifdef CONFIG_SMP
        hlist_for_each_entry(fq, n, &ip6_frag_hash[hash], list) {
                if (fq->id == fq_in->id && 
@@ -362,7 +367,7 @@ static struct frag_queue *ip6_frag_intern(unsigned int hash,
 static struct frag_queue *
-ip6_frag_create(unsigned int hash, u32 id, struct in6_addr *src, struct in6_addr *dst)
+ip6_frag_create(u32 id, struct in6_addr *src, struct in6_addr *dst)
 {
        struct frag_queue *fq;
@@ -379,7 +384,7 @@ ip6_frag_create(unsigned int hash, u32 id, struct in6_addr *src, struct in6_addr
        spin_lock_init(&fq->lock);
        atomic_set(&fq->refcnt, 1);
-        return ip6_frag_intern(hash, fq);
+        return ip6_frag_intern(fq);
 oom:
        IP6_INC_STATS_BH(IPSTATS_MIB_REASMFAILS);
@@ -391,9 +396,10 @@ fq_find(u32 id, struct in6_addr *src, struct in6_addr *dst)
 {
        struct frag_queue *fq;
        struct hlist_node *n;
-        unsigned int hash = ip6qhashfn(id, src, dst);
+        unsigned int hash;
        read_lock(&ip6_frag_lock);
+        hash = ip6qhashfn(id, src, dst);
        hlist_for_each_entry(fq, n, &ip6_frag_hash[hash], list) {
                if (fq->id == id && 
                    ipv6_addr_equal(src, &fq->saddr) &&
@@ -405,7 +411,7 @@ fq_find(u32 id, struct in6_addr *src, struct in6_addr *dst)
        }
        read_unlock(&ip6_frag_lock);
-        return ip6_frag_create(hash, id, src, dst);
+        return ip6_frag_create(id, src, dst);
 }
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 79078747a646..8a777932786d 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -280,10 +280,13 @@ static int inline rt6_check_neigh(struct rt6_info *rt)
 {
        struct neighbour *neigh = rt->rt6i_nexthop;
        int m = 0;
-        if (neigh) {
+        if (rt->rt6i_flags & RTF_NONEXTHOP ||
+            !(rt->rt6i_flags & RTF_GATEWAY))
+                m = 1;
+        else if (neigh) {
                read_lock_bh(&neigh->lock);
                if (neigh->nud_state & NUD_VALID)
-                        m = 1;
+                        m = 2;
                read_unlock_bh(&neigh->lock);
        }
        return m;
@@ -292,15 +295,18 @@ static int inline rt6_check_neigh(struct rt6_info *rt)
 static int rt6_score_route(struct rt6_info *rt, int oif,
                           int strict)
 {
-        int m = rt6_check_dev(rt, oif);
+        int m, n;
+                
+        m = rt6_check_dev(rt, oif);
        if (!m && (strict & RT6_SELECT_F_IFACE))
                return -1;
 #ifdef CONFIG_IPV6_ROUTER_PREF
        m |= IPV6_DECODE_PREF(IPV6_EXTRACT_PREF(rt->rt6i_flags)) << 2;
 #endif
-        if (rt6_check_neigh(rt))
+        n = rt6_check_neigh(rt);
+        if (n > 1)
                m |= 16;
-        else if (strict & RT6_SELECT_F_REACHABLE)
+        else if (!n && strict & RT6_SELECT_F_REACHABLE)
                return -1;
        return m;
 }
@@ -317,7 +323,7 @@ static struct rt6_info *rt6_select(struct rt6_info **head, int oif,
                  __FUNCTION__, head, head ? *head : NULL, oif);
        for (rt = rt0, metric = rt0->rt6i_metric;
-             rt && rt->rt6i_metric == metric;
+             rt && rt->rt6i_metric == metric && (!last || rt != rt0);
             rt = rt->u.next) {
                int m;
@@ -343,9 +349,12 @@ static struct rt6_info *rt6_select(struct rt6_info **head, int oif,
            (strict & RT6_SELECT_F_REACHABLE) &&
            last && last != rt0) {
                /* no entries matched; do round-robin */
+                static spinlock_t lock = SPIN_LOCK_UNLOCKED;
+                spin_lock(&lock);
                *head = rt0->u.next;
                rt0->u.next = last->u.next;
                last->u.next = rt0;
+                spin_unlock(&lock);
        }
        RT6_TRACE("%s() => %p, score=%d\n",
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index c2d3e17beae6..6578c3080f47 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -397,7 +397,7 @@ static int ipip6_rcv(struct sk_buff *skb)
                return 0;
        }
-        icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PROT_UNREACH, 0);
+        icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
        kfree_skb(skb);
        read_unlock(&ipip6_lock);
 out:
diff --git a/net/ipv6/tunnel6.c b/net/ipv6/tunnel6.c
index 5659b52284bd..0ef9a35798d1 100644
--- a/net/ipv6/tunnel6.c
+++ b/net/ipv6/tunnel6.c
@@ -19,11 +19,13 @@
 *              YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
 */
+#include <linux/icmpv6.h>
 #include <linux/init.h>
 #include <linux/module.h>
 #include <linux/mutex.h>
 #include <linux/netdevice.h>
 #include <linux/skbuff.h>
+#include <net/ipv6.h>
 #include <net/protocol.h>
 #include <net/xfrm.h>
@@ -87,10 +89,16 @@ static int tunnel6_rcv(struct sk_buff **pskb)
        struct sk_buff *skb = *pskb;
        struct xfrm6_tunnel *handler;
+        if (!pskb_may_pull(skb, sizeof(struct ipv6hdr)))
+                goto drop;
        for (handler = tunnel6_handlers; handler; handler = handler->next)
                if (!handler->handler(skb))
                        return 0;
+        icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0, skb->dev);
+drop:
        kfree_skb(skb);
        return 0;
 }
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index 91cce8b2d7a5..88c840f1beb6 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -191,16 +191,18 @@ error:
 static inline void
 _decode_session6(struct sk_buff *skb, struct flowi *fl)
 {
-        u16 offset = sizeof(struct ipv6hdr);
+        u16 offset = skb->h.raw - skb->nh.raw;
        struct ipv6hdr *hdr = skb->nh.ipv6h;
-        struct ipv6_opt_hdr *exthdr = (struct ipv6_opt_hdr*)(skb->nh.raw + offset);
+        struct ipv6_opt_hdr *exthdr;
-        u8 nexthdr = skb->nh.ipv6h->nexthdr;
+        u8 nexthdr = skb->nh.raw[IP6CB(skb)->nhoff];
        memset(fl, 0, sizeof(struct flowi));
        ipv6_addr_copy(&fl->fl6_dst, &hdr->daddr);
        ipv6_addr_copy(&fl->fl6_src, &hdr->saddr);
        while (pskb_may_pull(skb, skb->nh.raw + offset + 1 - skb->data)) {
+                exthdr = (struct ipv6_opt_hdr*)(skb->nh.raw + offset);
                switch (nexthdr) {
                case NEXTHDR_ROUTING:
                case NEXTHDR_HOP:
diff --git a/net/ipx/af_ipx.c b/net/ipx/af_ipx.c
index 2dbf134d5266..811d998725bc 100644
--- a/net/ipx/af_ipx.c
+++ b/net/ipx/af_ipx.c
@@ -944,9 +944,9 @@ out:
        return rc;
 }
-static int ipx_map_frame_type(unsigned char type)
+static __be16 ipx_map_frame_type(unsigned char type)
 {
-        int rc = 0;
+        __be16 rc = 0;
        switch (type) {
        case IPX_FRAME_ETHERII: rc = htons(ETH_P_IPX);          break;
diff --git a/net/ipx/ipx_route.c b/net/ipx/ipx_route.c
index 67774448efd9..a394c6fe19a2 100644
--- a/net/ipx/ipx_route.c
+++ b/net/ipx/ipx_route.c
@@ -119,7 +119,7 @@ out:
        return rc;
 }
-static int ipxrtr_delete(long net)
+static int ipxrtr_delete(__u32 net)
 {
        struct ipx_route *r, *tmp;
        int rc;
diff --git a/net/irda/iriap.c b/net/irda/iriap.c
index 254f90746900..2d2e2b1919f4 100644
--- a/net/irda/iriap.c
+++ b/net/irda/iriap.c
@@ -544,7 +544,8 @@ static void iriap_getvaluebyclass_response(struct iriap_cb *self,
 {
        struct sk_buff *tx_skb;
        int n;
-        __u32 tmp_be32, tmp_be16;
+        __u32 tmp_be32;
+        __be16 tmp_be16;
        __u8 *fp;
        IRDA_DEBUG(4, "%s()\n", __FUNCTION__);
diff --git a/net/irda/irias_object.c b/net/irda/irias_object.c
index c6d169fbdceb..82e665c79991 100644
--- a/net/irda/irias_object.c
+++ b/net/irda/irias_object.c
@@ -257,7 +257,6 @@ struct ias_attrib *irias_find_attrib(struct ias_object *obj, char *name)
        /* Unsafe (locking), attrib might change */
        return attrib;
 }
-EXPORT_SYMBOL(irias_find_attrib);
 /*
 * Function irias_add_attribute (obj, attrib)
@@ -484,7 +483,6 @@ struct ias_value *irias_new_string_value(char *string)
        return value;
 }
-EXPORT_SYMBOL(irias_new_string_value);
 /*
 * Function irias_new_octseq_value (octets, len)
@@ -519,7 +517,6 @@ struct ias_value *irias_new_octseq_value(__u8 *octseq , int len)
        memcpy(value->t.oct_seq, octseq , len);
        return value;
 }
-EXPORT_SYMBOL(irias_new_octseq_value);
 struct ias_value *irias_new_missing_value(void)
 {
diff --git a/net/irda/irlap.c b/net/irda/irlap.c
index 7029618f5719..a16528657b4c 100644
--- a/net/irda/irlap.c
+++ b/net/irda/irlap.c
@@ -884,7 +884,8 @@ static void irlap_change_speed(struct irlap_cb *self, __u32 speed, int now)
        if (now) {
                /* Send down empty frame to trigger speed change */
                skb = dev_alloc_skb(0);
-                irlap_queue_xmit(self, skb);
+                if (skb)
+                        irlap_queue_xmit(self, skb);
        }
 }
diff --git a/net/llc/llc_input.c b/net/llc/llc_input.c
index 8f3addf0724c..d62e0f9b9da3 100644
--- a/net/llc/llc_input.c
+++ b/net/llc/llc_input.c
@@ -118,7 +118,8 @@ static inline int llc_fixup_skb(struct sk_buff *skb)
                u16 pdulen = eth_hdr(skb)->h_proto,
                    data_size = ntohs(pdulen) - llc_len;
-                skb_trim(skb, data_size);
+                if (unlikely(pskb_trim_rcsum(skb, data_size)))
+                        return 0;
        }
        return 1;
 }
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 1ceb1a6c254b..8455a32ea5c4 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -27,6 +27,29 @@
 #include "nf_internals.h"
+static DEFINE_SPINLOCK(afinfo_lock);
+struct nf_afinfo *nf_afinfo[NPROTO];
+EXPORT_SYMBOL(nf_afinfo);
+int nf_register_afinfo(struct nf_afinfo *afinfo)
+{
+        spin_lock(&afinfo_lock);
+        rcu_assign_pointer(nf_afinfo[afinfo->family], afinfo);
+        spin_unlock(&afinfo_lock);
+        return 0;
+}
+EXPORT_SYMBOL_GPL(nf_register_afinfo);
+void nf_unregister_afinfo(struct nf_afinfo *afinfo)
+{
+        spin_lock(&afinfo_lock);
+        rcu_assign_pointer(nf_afinfo[afinfo->family], NULL);
+        spin_unlock(&afinfo_lock);
+        synchronize_rcu();
+}
+EXPORT_SYMBOL_GPL(nf_unregister_afinfo);
 /* In this code, we can be waiting indefinitely for userspace to
 * service a packet if a hook returns NF_QUEUE.  We could keep a count
 * of skbuffs queued for userspace, and not deregister a hook unless
@@ -63,6 +86,34 @@ void nf_unregister_hook(struct nf_hook_ops *reg)
 }
 EXPORT_SYMBOL(nf_unregister_hook);
+int nf_register_hooks(struct nf_hook_ops *reg, unsigned int n)
+{
+        unsigned int i;
+        int err = 0;
+        for (i = 0; i < n; i++) {
+                err = nf_register_hook(&reg[i]);
+                if (err)
+                        goto err;
+        }
+        return err;
+err:
+        if (i > 0)
+                nf_unregister_hooks(reg, i);
+        return err;
+}
+EXPORT_SYMBOL(nf_register_hooks);
+void nf_unregister_hooks(struct nf_hook_ops *reg, unsigned int n)
+{
+        unsigned int i;
+        for (i = 0; i < n; i++)
+                nf_unregister_hook(&reg[i]);
+}
+EXPORT_SYMBOL(nf_unregister_hooks);
 unsigned int nf_iterate(struct list_head *head,
                        struct sk_buff **skb,
                        int hook,
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 56389c83557c..f9b83f91371a 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -146,7 +146,7 @@ static void nf_ct_event_cache_flush(void)
        struct nf_conntrack_ecache *ecache;
        int cpu;
-        for_each_cpu(cpu) {
+        for_each_possible_cpu(cpu) {
                ecache = &per_cpu(nf_conntrack_ecache, cpu);
                if (ecache->ct)
                        nf_ct_put(ecache->ct);
@@ -178,9 +178,6 @@ static struct {
        /* allocated slab cache + modules which uses this slab cache */
        int use;
-        /* Initialization */
-        int (*init_conntrack)(struct nf_conn *, u_int32_t);
 } nf_ct_cache[NF_CT_F_NUM];
 /* protect members of nf_ct_cache except of "use" */
@@ -208,10 +205,8 @@ nf_ct_proto_find_get(u_int16_t l3proto, u_int8_t protocol)
        preempt_disable();
        p = __nf_ct_proto_find(l3proto, protocol);
-        if (p) {
+        if (!try_module_get(p->me))
-                if (!try_module_get(p->me))
+                p = &nf_conntrack_generic_protocol;
-                        p = &nf_conntrack_generic_protocol;
-        }
        preempt_enable();
        
        return p;
@@ -229,10 +224,8 @@ nf_ct_l3proto_find_get(u_int16_t l3proto)
        preempt_disable();
        p = __nf_ct_l3proto_find(l3proto);
-        if (p) {
+        if (!try_module_get(p->me))
-                if (!try_module_get(p->me))
+                p = &nf_conntrack_generic_l3proto;
-                        p = &nf_conntrack_generic_l3proto;
-        }
        preempt_enable();
        return p;
diff --git a/net/netfilter/nf_conntrack_l3proto_generic.c b/net/netfilter/nf_conntrack_l3proto_generic.c
index 7de4f06c63c5..3fc58e454d4e 100644
--- a/net/netfilter/nf_conntrack_l3proto_generic.c
+++ b/net/netfilter/nf_conntrack_l3proto_generic.c
@@ -94,5 +94,4 @@ struct nf_conntrack_l3proto nf_conntrack_generic_l3proto = {
        .print_conntrack = generic_print_conntrack,
        .prepare         = generic_prepare,
        .get_features    = generic_get_features,
-        .me              = THIS_MODULE,
 };
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 9cccc325b687..0c6da496cfa9 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -240,12 +240,15 @@ static int do_basic_checks(struct nf_conn *conntrack,
                        flag = 1;
                }
-                /* Cookie Ack/Echo chunks not the first OR 
+                /*
-                   Init / Init Ack / Shutdown compl chunks not the only chunks */
+                 * Cookie Ack/Echo chunks not the first OR
-                if ((sch->type == SCTP_CID_COOKIE_ACK 
+                 * Init / Init Ack / Shutdown compl chunks not the only chunks
+                 * OR zero-length.
+                 */
+                if (((sch->type == SCTP_CID_COOKIE_ACK
                        || sch->type == SCTP_CID_COOKIE_ECHO
                        || flag)
-                     && count !=0 ) {
+                      && count !=0) || !sch->length) {
                        DEBUGP("Basic checks failed\n");
                        return 1;
                }
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 6492ed66fb3c..69899f27d26a 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -799,8 +799,7 @@ static int tcp_error(struct sk_buff *skb,
                     unsigned int dataoff,
                     enum ip_conntrack_info *ctinfo,
                     int pf,
-                     unsigned int hooknum,
+                     unsigned int hooknum)
-                     int(*csum)(const struct sk_buff *,unsigned int))
 {
        struct tcphdr _tcph, *th;
        unsigned int tcplen = skb->len - dataoff;
@@ -830,9 +829,8 @@ static int tcp_error(struct sk_buff *skb,
         */
        /* FIXME: Source route IP option packets --RR */
        if (((pf == PF_INET && hooknum == NF_IP_PRE_ROUTING) ||
-             (pf == PF_INET6 && hooknum  == NF_IP6_PRE_ROUTING))
+             (pf == PF_INET6 && hooknum  == NF_IP6_PRE_ROUTING)) &&
-            && skb->ip_summed != CHECKSUM_UNNECESSARY
+            nf_checksum(skb, hooknum, dataoff, IPPROTO_TCP, pf)) {
-            && csum(skb, dataoff)) {
                if (LOG_INVALID(IPPROTO_TCP))
                        nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
                                  "nf_ct_tcp: bad TCP checksum ");
@@ -851,44 +849,6 @@ static int tcp_error(struct sk_buff *skb,
        return NF_ACCEPT;
 }
-static int csum4(const struct sk_buff *skb, unsigned int dataoff)
-{
-        return csum_tcpudp_magic(skb->nh.iph->saddr, skb->nh.iph->daddr,
-                                 skb->len - dataoff, IPPROTO_TCP,
-                                 skb->ip_summed == CHECKSUM_HW ? skb->csum
-                                 : skb_checksum(skb, dataoff,
-                                                skb->len - dataoff, 0));
-}
-static int csum6(const struct sk_buff *skb, unsigned int dataoff)
-{
-        return csum_ipv6_magic(&skb->nh.ipv6h->saddr, &skb->nh.ipv6h->daddr,
-                               skb->len - dataoff, IPPROTO_TCP,
-                               skb->ip_summed == CHECKSUM_HW
-                               ? csum_sub(skb->csum,
-                                          skb_checksum(skb, 0, dataoff, 0))
-                               : skb_checksum(skb, dataoff, skb->len - dataoff,
-                                              0));
-}
-static int tcp_error4(struct sk_buff *skb,
-                      unsigned int dataoff,
-                      enum ip_conntrack_info *ctinfo,
-                      int pf,
-                      unsigned int hooknum)
-{
-        return tcp_error(skb, dataoff, ctinfo, pf, hooknum, csum4);
-}
-static int tcp_error6(struct sk_buff *skb,
-                      unsigned int dataoff,
-                      enum ip_conntrack_info *ctinfo,
-                      int pf,
-                      unsigned int hooknum)
-{
-        return tcp_error(skb, dataoff, ctinfo, pf, hooknum, csum6);
-}
 /* Returns verdict for packet, or -1 for invalid. */
 static int tcp_packet(struct nf_conn *conntrack,
                      const struct sk_buff *skb,
@@ -1218,7 +1178,7 @@ struct nf_conntrack_protocol nf_conntrack_protocol_tcp4 =
        .print_conntrack        = tcp_print_conntrack,
        .packet                 = tcp_packet,
        .new                    = tcp_new,
-        .error                  = tcp_error4,
+        .error                  = tcp_error,
 #if defined(CONFIG_NF_CT_NETLINK) || \
    defined(CONFIG_NF_CT_NETLINK_MODULE)
        .to_nfattr              = tcp_to_nfattr,
@@ -1239,7 +1199,7 @@ struct nf_conntrack_protocol nf_conntrack_protocol_tcp6 =
        .print_conntrack        = tcp_print_conntrack,
        .packet                 = tcp_packet,
        .new                    = tcp_new,
-        .error                  = tcp_error6,
+        .error                  = tcp_error,
 #if defined(CONFIG_NF_CT_NETLINK) || \
    defined(CONFIG_NF_CT_NETLINK_MODULE)
        .to_nfattr              = tcp_to_nfattr,
diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c
index 831d206344e0..d93edbfde9e3 100644
--- a/net/netfilter/nf_conntrack_proto_udp.c
+++ b/net/netfilter/nf_conntrack_proto_udp.c
@@ -103,8 +103,7 @@ static int udp_new(struct nf_conn *conntrack, const struct sk_buff *skb,
 static int udp_error(struct sk_buff *skb, unsigned int dataoff,
                     enum ip_conntrack_info *ctinfo,
                     int pf,
-                     unsigned int hooknum,
+                     unsigned int hooknum)
-                     int (*csum)(const struct sk_buff *, unsigned int))
 {
        unsigned int udplen = skb->len - dataoff;
        struct udphdr _hdr, *hdr;
@@ -136,9 +135,8 @@ static int udp_error(struct sk_buff *skb, unsigned int dataoff,
         * and moreover root might send raw packets.
         * FIXME: Source route IP option packets --RR */
        if (((pf == PF_INET && hooknum == NF_IP_PRE_ROUTING) ||
-             (pf == PF_INET6 && hooknum == NF_IP6_PRE_ROUTING))
+             (pf == PF_INET6 && hooknum == NF_IP6_PRE_ROUTING)) &&
-            && skb->ip_summed != CHECKSUM_UNNECESSARY
+            nf_checksum(skb, hooknum, dataoff, IPPROTO_UDP, pf)) {
-            && csum(skb, dataoff)) {
                if (LOG_INVALID(IPPROTO_UDP))
                        nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
                                "nf_ct_udp: bad UDP checksum ");
@@ -148,44 +146,6 @@ static int udp_error(struct sk_buff *skb, unsigned int dataoff,
        return NF_ACCEPT;
 }
-static int csum4(const struct sk_buff *skb, unsigned int dataoff)
-{
-        return csum_tcpudp_magic(skb->nh.iph->saddr, skb->nh.iph->daddr,
-                                 skb->len - dataoff, IPPROTO_UDP,
-                                 skb->ip_summed == CHECKSUM_HW ? skb->csum
-                                 : skb_checksum(skb, dataoff,
-                                                skb->len - dataoff, 0));
-}
-static int csum6(const struct sk_buff *skb, unsigned int dataoff)
-{
-        return csum_ipv6_magic(&skb->nh.ipv6h->saddr, &skb->nh.ipv6h->daddr,
-                               skb->len - dataoff, IPPROTO_UDP,
-                               skb->ip_summed == CHECKSUM_HW
-                               ? csum_sub(skb->csum,
-                                          skb_checksum(skb, 0, dataoff, 0))
-                               : skb_checksum(skb, dataoff, skb->len - dataoff,
-                                              0));
-}
-static int udp_error4(struct sk_buff *skb,
-                      unsigned int dataoff,
-                      enum ip_conntrack_info *ctinfo,
-                      int pf,
-                      unsigned int hooknum)
-{
-        return udp_error(skb, dataoff, ctinfo, pf, hooknum, csum4);
-}
-static int udp_error6(struct sk_buff *skb,
-                      unsigned int dataoff,
-                      enum ip_conntrack_info *ctinfo,
-                      int pf,
-                      unsigned int hooknum)
-{
-        return udp_error(skb, dataoff, ctinfo, pf, hooknum, csum6);
-}
 struct nf_conntrack_protocol nf_conntrack_protocol_udp4 =
 {
        .l3proto                = PF_INET,
@@ -197,7 +157,7 @@ struct nf_conntrack_protocol nf_conntrack_protocol_udp4 =
        .print_conntrack        = udp_print_conntrack,
        .packet                 = udp_packet,
        .new                    = udp_new,
-        .error                  = udp_error4,
+        .error                  = udp_error,
 #if defined(CONFIG_NF_CT_NETLINK) || \
    defined(CONFIG_NF_CT_NETLINK_MODULE)
        .tuple_to_nfattr        = nf_ct_port_tuple_to_nfattr,
@@ -216,7 +176,7 @@ struct nf_conntrack_protocol nf_conntrack_protocol_udp6 =
        .print_conntrack        = udp_print_conntrack,
        .packet                 = udp_packet,
        .new                    = udp_new,
-        .error                  = udp_error6,
+        .error                  = udp_error,
 #if defined(CONFIG_NF_CT_NETLINK) || \
    defined(CONFIG_NF_CT_NETLINK_MODULE)
        .tuple_to_nfattr        = nf_ct_port_tuple_to_nfattr,
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index c72aa3cd22e4..408960c6a544 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -649,63 +649,6 @@ static ctl_table nf_ct_net_table[] = {
 EXPORT_SYMBOL(nf_ct_log_invalid);
 #endif /* CONFIG_SYSCTL */
-static int init_or_cleanup(int init)
-{
-#ifdef CONFIG_PROC_FS
-        struct proc_dir_entry *proc, *proc_exp, *proc_stat;
-#endif
-        int ret = 0;
-        if (!init) goto cleanup;
-        ret = nf_conntrack_init();
-        if (ret < 0)
-                goto cleanup_nothing;
-#ifdef CONFIG_PROC_FS
-        proc = proc_net_fops_create("nf_conntrack", 0440, &ct_file_ops);
-        if (!proc) goto cleanup_init;
-        proc_exp = proc_net_fops_create("nf_conntrack_expect", 0440,
-                                        &exp_file_ops);
-        if (!proc_exp) goto cleanup_proc;
-        proc_stat = create_proc_entry("nf_conntrack", S_IRUGO, proc_net_stat);
-        if (!proc_stat)
-                goto cleanup_proc_exp;
-        proc_stat->proc_fops = &ct_cpu_seq_fops;
-        proc_stat->owner = THIS_MODULE;
-#endif
-#ifdef CONFIG_SYSCTL
-        nf_ct_sysctl_header = register_sysctl_table(nf_ct_net_table, 0);
-        if (nf_ct_sysctl_header == NULL) {
-                printk("nf_conntrack: can't register to sysctl.\n");
-                ret = -ENOMEM;
-                goto cleanup_proc_stat;
-        }
-#endif
-        return ret;
- cleanup:
-#ifdef CONFIG_SYSCTL
-        unregister_sysctl_table(nf_ct_sysctl_header);
- cleanup_proc_stat:
-#endif
-#ifdef CONFIG_PROC_FS
-        remove_proc_entry("nf_conntrack", proc_net_stat);
- cleanup_proc_exp:
-        proc_net_remove("nf_conntrack_expect");
- cleanup_proc:
-        proc_net_remove("nf_conntrack");
- cleanup_init:
-#endif /* CNFIG_PROC_FS */
-        nf_conntrack_cleanup();
- cleanup_nothing:
-        return ret;
-}
 int nf_conntrack_l3proto_register(struct nf_conntrack_l3proto *proto)
 {
        int ret = 0;
@@ -808,12 +751,66 @@ void nf_conntrack_protocol_unregister(struct nf_conntrack_protocol *proto)
 static int __init nf_conntrack_standalone_init(void)
 {
-        return init_or_cleanup(1);
+#ifdef CONFIG_PROC_FS
+        struct proc_dir_entry *proc, *proc_exp, *proc_stat;
+#endif
+        int ret = 0;
+        ret = nf_conntrack_init();
+        if (ret < 0)
+                return ret;
+#ifdef CONFIG_PROC_FS
+        proc = proc_net_fops_create("nf_conntrack", 0440, &ct_file_ops);
+        if (!proc) goto cleanup_init;
+        proc_exp = proc_net_fops_create("nf_conntrack_expect", 0440,
+                                        &exp_file_ops);
+        if (!proc_exp) goto cleanup_proc;
+        proc_stat = create_proc_entry("nf_conntrack", S_IRUGO, proc_net_stat);
+        if (!proc_stat)
+                goto cleanup_proc_exp;
+        proc_stat->proc_fops = &ct_cpu_seq_fops;
+        proc_stat->owner = THIS_MODULE;
+#endif
+#ifdef CONFIG_SYSCTL
+        nf_ct_sysctl_header = register_sysctl_table(nf_ct_net_table, 0);
+        if (nf_ct_sysctl_header == NULL) {
+                printk("nf_conntrack: can't register to sysctl.\n");
+                ret = -ENOMEM;
+                goto cleanup_proc_stat;
+        }
+#endif
+        return ret;
+#ifdef CONFIG_SYSCTL
+ cleanup_proc_stat:
+#endif
+#ifdef CONFIG_PROC_FS
+        remove_proc_entry("nf_conntrack", proc_net_stat);
+ cleanup_proc_exp:
+        proc_net_remove("nf_conntrack_expect");
+ cleanup_proc:
+        proc_net_remove("nf_conntrack");
+ cleanup_init:
+#endif /* CNFIG_PROC_FS */
+        nf_conntrack_cleanup();
+        return ret;
 }
 static void __exit nf_conntrack_standalone_fini(void)
 {
-        init_or_cleanup(0);
+#ifdef CONFIG_SYSCTL
+        unregister_sysctl_table(nf_ct_sysctl_header);
+#endif
+#ifdef CONFIG_PROC_FS
+        remove_proc_entry("nf_conntrack", proc_net_stat);
+        proc_net_remove("nf_conntrack_expect");
+        proc_net_remove("nf_conntrack");
+#endif /* CNFIG_PROC_FS */
+        nf_conntrack_cleanup();
 }
 module_init(nf_conntrack_standalone_init);
diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index d9f0d7ef103b..ee8f70889f47 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -17,7 +17,6 @@
 * for queueing and must reinject all packets it receives, no matter what.
 */
 static struct nf_queue_handler *queue_handler[NPROTO];
-static struct nf_queue_rerouter *queue_rerouter[NPROTO];
 static DEFINE_RWLOCK(queue_handler_lock);
@@ -59,32 +58,6 @@ int nf_unregister_queue_handler(int pf)
 }
 EXPORT_SYMBOL(nf_unregister_queue_handler);
-int nf_register_queue_rerouter(int pf, struct nf_queue_rerouter *rer)
-{
-        if (pf >= NPROTO)
-                return -EINVAL;
-        write_lock_bh(&queue_handler_lock);
-        rcu_assign_pointer(queue_rerouter[pf], rer);
-        write_unlock_bh(&queue_handler_lock);
-        return 0;
-}
-EXPORT_SYMBOL_GPL(nf_register_queue_rerouter);
-int nf_unregister_queue_rerouter(int pf)
-{
-        if (pf >= NPROTO)
-                return -EINVAL;
-        write_lock_bh(&queue_handler_lock);
-        rcu_assign_pointer(queue_rerouter[pf], NULL);
-        write_unlock_bh(&queue_handler_lock);
-        synchronize_rcu();
-        return 0;
-}
-EXPORT_SYMBOL_GPL(nf_unregister_queue_rerouter);
 void nf_unregister_queue_handlers(struct nf_queue_handler *qh)
 {
        int pf;
@@ -116,7 +89,7 @@ int nf_queue(struct sk_buff **skb,
        struct net_device *physindev = NULL;
        struct net_device *physoutdev = NULL;
 #endif
-        struct nf_queue_rerouter *rerouter;
+        struct nf_afinfo *afinfo;
        /* QUEUE == DROP if noone is waiting, to be safe. */
        read_lock(&queue_handler_lock);
@@ -126,7 +99,14 @@ int nf_queue(struct sk_buff **skb,
                return 1;
        }
-        info = kmalloc(sizeof(*info)+queue_rerouter[pf]->rer_size, GFP_ATOMIC);
+        afinfo = nf_get_afinfo(pf);
+        if (!afinfo) {
+                read_unlock(&queue_handler_lock);
+                kfree_skb(*skb);
+                return 1;
+        }
+        info = kmalloc(sizeof(*info) + afinfo->route_key_size, GFP_ATOMIC);
        if (!info) {
                if (net_ratelimit())
                        printk(KERN_ERR "OOM queueing packet %p\n",
@@ -158,10 +138,7 @@ int nf_queue(struct sk_buff **skb,
                if (physoutdev) dev_hold(physoutdev);
        }
 #endif
-        rerouter = rcu_dereference(queue_rerouter[pf]);
+        afinfo->saveroute(*skb, info);
-        if (rerouter)
-                rerouter->save(*skb, info);
        status = queue_handler[pf]->outfn(*skb, info, queuenum,
                                          queue_handler[pf]->data);
@@ -190,7 +167,7 @@ void nf_reinject(struct sk_buff *skb, struct nf_info *info,
 {
        struct list_head *elem = &info->elem->list;
        struct list_head *i;
-        struct nf_queue_rerouter *rerouter;
+        struct nf_afinfo *afinfo;
        rcu_read_lock();
@@ -228,8 +205,8 @@ void nf_reinject(struct sk_buff *skb, struct nf_info *info,
        }
        if (verdict == NF_ACCEPT) {
-                rerouter = rcu_dereference(queue_rerouter[info->pf]);
+                afinfo = nf_get_afinfo(info->pf);
-                if (rerouter && rerouter->reroute(&skb, info) < 0)
+                if (!afinfo || afinfo->reroute(&skb, info) < 0)
                        verdict = NF_DROP;
        }
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 3e3f5448bacb..61cdda4e5d3b 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -321,7 +321,7 @@ static int
 nfulnl_set_flags(struct nfulnl_instance *inst, u_int16_t flags)
 {
        spin_lock_bh(&inst->lock);
-        inst->flags = ntohs(flags);
+        inst->flags = flags;
        spin_unlock_bh(&inst->lock);
        return 0;
@@ -902,7 +902,7 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
        if (nfula[NFULA_CFG_FLAGS-1]) {
                u_int16_t flags =
                        *(u_int16_t *)NFA_DATA(nfula[NFULA_CFG_FLAGS-1]);
-                nfulnl_set_flags(inst, ntohl(flags));
+                nfulnl_set_flags(inst, ntohs(flags));
        }
 out_put:
@@ -1033,17 +1033,13 @@ static struct file_operations nful_file_ops = {
 #endif /* PROC_FS */
-static int
+static int __init nfnetlink_log_init(void)
-init_or_cleanup(int init)
 {
        int i, status = -ENOMEM;
 #ifdef CONFIG_PROC_FS
        struct proc_dir_entry *proc_nful;
 #endif
        
-        if (!init)
-                goto cleanup;
        for (i = 0; i < INSTANCE_BUCKETS; i++)
                INIT_HLIST_HEAD(&instance_table[i]);
        
@@ -1066,30 +1062,25 @@ init_or_cleanup(int init)
                goto cleanup_subsys;
        proc_nful->proc_fops = &nful_file_ops;
 #endif
        return status;
-cleanup:
-        nf_log_unregister_logger(&nfulnl_logger);
 #ifdef CONFIG_PROC_FS
-        remove_proc_entry("nfnetlink_log", proc_net_netfilter);
 cleanup_subsys:
-#endif
        nfnetlink_subsys_unregister(&nfulnl_subsys);
+#endif
 cleanup_netlink_notifier:
        netlink_unregister_notifier(&nfulnl_rtnl_notifier);
        return status;
 }
-static int __init nfnetlink_log_init(void)
-{
-        
-        return init_or_cleanup(1);
-}
 static void __exit nfnetlink_log_fini(void)
 {
-        init_or_cleanup(0);
+        nf_log_unregister_logger(&nfulnl_logger);
+#ifdef CONFIG_PROC_FS
+        remove_proc_entry("nfnetlink_log", proc_net_netfilter);
+#endif
+        nfnetlink_subsys_unregister(&nfulnl_subsys);
+        netlink_unregister_notifier(&nfulnl_rtnl_notifier);
 }
 MODULE_DESCRIPTION("netfilter userspace logging");
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index d0e62f68139f..86a4ac33de34 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -1071,17 +1071,13 @@ static struct file_operations nfqnl_file_ops = {
 #endif /* PROC_FS */
-static int
+static int __init nfnetlink_queue_init(void)
-init_or_cleanup(int init)
 {
        int i, status = -ENOMEM;
 #ifdef CONFIG_PROC_FS
        struct proc_dir_entry *proc_nfqueue;
 #endif
        
-        if (!init)
-                goto cleanup;
        for (i = 0; i < INSTANCE_BUCKETS; i++)
                INIT_HLIST_HEAD(&instance_table[i]);
@@ -1101,31 +1097,26 @@ init_or_cleanup(int init)
 #endif
        register_netdevice_notifier(&nfqnl_dev_notifier);
        return status;
-cleanup:
-        nf_unregister_queue_handlers(&nfqh);
-        unregister_netdevice_notifier(&nfqnl_dev_notifier);
 #ifdef CONFIG_PROC_FS
-        remove_proc_entry("nfnetlink_queue", proc_net_netfilter);
 cleanup_subsys:
-#endif  
        nfnetlink_subsys_unregister(&nfqnl_subsys);
+#endif
 cleanup_netlink_notifier:
        netlink_unregister_notifier(&nfqnl_rtnl_notifier);
        return status;
 }
-static int __init nfnetlink_queue_init(void)
-{
-        
-        return init_or_cleanup(1);
-}
 static void __exit nfnetlink_queue_fini(void)
 {
-        init_or_cleanup(0);
+        nf_unregister_queue_handlers(&nfqh);
+        unregister_netdevice_notifier(&nfqnl_dev_notifier);
+#ifdef CONFIG_PROC_FS
+        remove_proc_entry("nfnetlink_queue", proc_net_netfilter);
+#endif
+        nfnetlink_subsys_unregister(&nfqnl_subsys);
+        netlink_unregister_notifier(&nfqnl_rtnl_notifier);
 }
 MODULE_DESCRIPTION("netfilter packet queue handler");
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index feb8a9e066b0..99293c63ff73 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -289,7 +289,7 @@ int xt_compat_match(void *match, void **dstptr, int *size, int convert)
                case COMPAT_TO_USER:
                        pm = (struct xt_entry_match *)match;
                        msize = pm->u.user.match_size;
-                        if (__copy_to_user(*dstptr, pm, msize)) {
+                        if (copy_to_user(*dstptr, pm, msize)) {
                                ret = -EFAULT;
                                break;
                        }
@@ -366,7 +366,7 @@ int xt_compat_target(void *target, void **dstptr, int *size, int convert)
                case COMPAT_TO_USER:
                        pt = (struct xt_entry_target *)target;
                        tsize = pt->u.user.target_size;
-                        if (__copy_to_user(*dstptr, pt, tsize)) {
+                        if (copy_to_user(*dstptr, pt, tsize)) {
                                ret = -EFAULT;
                                break;
                        }
@@ -413,7 +413,7 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size)
        newinfo->size = size;
-        for_each_cpu(cpu) {
+        for_each_possible_cpu(cpu) {
                if (size <= PAGE_SIZE)
                        newinfo->entries[cpu] = kmalloc_node(size,
                                                        GFP_KERNEL,
@@ -436,7 +436,7 @@ void xt_free_table_info(struct xt_table_info *info)
 {
        int cpu;
-        for_each_cpu(cpu) {
+        for_each_possible_cpu(cpu) {
                if (info->size <= PAGE_SIZE)
                        kfree(info->entries[cpu]);
                else
@@ -529,6 +529,7 @@ int xt_register_table(struct xt_table *table,
        /* Simplifies replace_table code. */
        table->private = bootstrap;
+        rwlock_init(&table->lock);
        if (!xt_replace_table(table, 0, newinfo, &ret))
                goto unlock;
@@ -538,7 +539,6 @@ int xt_register_table(struct xt_table *table,
        /* save number of initial entries */
        private->initial_entries = private->number;
-        rwlock_init(&table->lock);
        list_prepend(&xt[table->af].tables, table);
        ret = 0;
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 2a233ffcf618..3862e73d14d7 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -56,12 +56,12 @@
 #include <linux/mm.h>
 #include <linux/types.h>
 #include <linux/audit.h>
+#include <linux/selinux.h>
 #include <net/sock.h>
 #include <net/scm.h>
 #include <net/netlink.h>
-#define Nprintk(a...)
 #define NLGRPSZ(x)      (ALIGN(x, sizeof(unsigned long) * 8) / 8)
 struct netlink_sock {
@@ -1157,6 +1157,7 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
        NETLINK_CB(skb).dst_pid = dst_pid;
        NETLINK_CB(skb).dst_group = dst_group;
        NETLINK_CB(skb).loginuid = audit_get_loginuid(current->audit_context);
+        selinux_get_task_sid(current, &(NETLINK_CB(skb).sid));
        memcpy(NETLINK_CREDS(skb), &siocb->scm->creds, sizeof(struct ucred));
        /* What can I do? Netlink is asynchronous, so that
diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
index d44981f5a619..3669cb953e6e 100644
--- a/net/netrom/af_netrom.c
+++ b/net/netrom/af_netrom.c
@@ -425,11 +425,16 @@ static int nr_create(struct socket *sock, int protocol)
        nr_init_timers(sk);
-        nr->t1     = sysctl_netrom_transport_timeout;
+        nr->t1     =
-        nr->t2     = sysctl_netrom_transport_acknowledge_delay;
+                msecs_to_jiffies(sysctl_netrom_transport_timeout);
-        nr->n2     = sysctl_netrom_transport_maximum_tries;
+        nr->t2     =
-        nr->t4     = sysctl_netrom_transport_busy_delay;
+                msecs_to_jiffies(sysctl_netrom_transport_acknowledge_delay);
-        nr->idle   = sysctl_netrom_transport_no_activity_timeout;
+        nr->n2     =
+                msecs_to_jiffies(sysctl_netrom_transport_maximum_tries);
+        nr->t4     =
+                msecs_to_jiffies(sysctl_netrom_transport_busy_delay);
+        nr->idle   =
+                msecs_to_jiffies(sysctl_netrom_transport_no_activity_timeout);
        nr->window = sysctl_netrom_transport_requested_window_size;
        nr->bpqext = 1;
@@ -1365,8 +1370,6 @@ static struct notifier_block nr_dev_notifier = {
 static struct net_device **dev_nr;
-static char banner[] __initdata = KERN_INFO "G4KLX NET/ROM for Linux. Version 0.7 for AX25.037 Linux 2.4\n";
 static int __init nr_proto_init(void)
 {
        int i;
@@ -1414,7 +1417,6 @@ static int __init nr_proto_init(void)
        }
                
        register_netdevice_notifier(&nr_dev_notifier);
-        printk(banner);
        ax25_protocol_register(AX25_P_NETROM, nr_route_frame);
        ax25_linkfail_register(nr_link_failed);
diff --git a/net/netrom/nr_dev.c b/net/netrom/nr_dev.c
index 509afddae569..621e5586ab03 100644
--- a/net/netrom/nr_dev.c
+++ b/net/netrom/nr_dev.c
@@ -185,7 +185,6 @@ static struct net_device_stats *nr_get_stats(struct net_device *dev)
 void nr_setup(struct net_device *dev)
 {
-        SET_MODULE_OWNER(dev);
        dev->mtu                = NR_MAX_PACKET_SIZE;
        dev->hard_start_xmit    = nr_xmit;
        dev->open               = nr_open;
diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
index ea65396d1619..55564efccf11 100644
--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -518,11 +518,11 @@ static int rose_create(struct socket *sock, int protocol)
        init_timer(&rose->timer);
        init_timer(&rose->idletimer);
-        rose->t1   = sysctl_rose_call_request_timeout;
+        rose->t1   = msecs_to_jiffies(sysctl_rose_call_request_timeout);
-        rose->t2   = sysctl_rose_reset_request_timeout;
+        rose->t2   = msecs_to_jiffies(sysctl_rose_reset_request_timeout);
-        rose->t3   = sysctl_rose_clear_request_timeout;
+        rose->t3   = msecs_to_jiffies(sysctl_rose_clear_request_timeout);
-        rose->hb   = sysctl_rose_ack_hold_back_timeout;
+        rose->hb   = msecs_to_jiffies(sysctl_rose_ack_hold_back_timeout);
-        rose->idle = sysctl_rose_no_activity_timeout;
+        rose->idle = msecs_to_jiffies(sysctl_rose_no_activity_timeout);
        rose->state = ROSE_STATE_0;
@@ -1469,8 +1469,6 @@ static struct notifier_block rose_dev_notifier = {
 static struct net_device **dev_rose;
-static const char banner[] = KERN_INFO "F6FBB/G4KLX ROSE for Linux. Version 0.62 for AX25.037 Linux 2.4\n";
 static int __init rose_proto_init(void)
 {
        int i;
@@ -1519,7 +1517,6 @@ static int __init rose_proto_init(void)
        sock_register(&rose_family_ops);
        register_netdevice_notifier(&rose_dev_notifier);
-        printk(banner);
        ax25_protocol_register(AX25_P_ROSE, rose_route_frame);
        ax25_linkfail_register(rose_link_failed);
diff --git a/net/rose/rose_dev.c b/net/rose/rose_dev.c
index d297af737d10..2a1bf8e119e5 100644
--- a/net/rose/rose_dev.c
+++ b/net/rose/rose_dev.c
@@ -135,7 +135,6 @@ static struct net_device_stats *rose_get_stats(struct net_device *dev)
 void rose_setup(struct net_device *dev)
 {
-        SET_MODULE_OWNER(dev);
        dev->mtu                = ROSE_MAX_PACKET_SIZE - 2;
        dev->hard_start_xmit    = rose_xmit;
        dev->open               = rose_open;
diff --git a/net/rose/rose_link.c b/net/rose/rose_link.c
index 09e9e9d04d92..bd86a63960ce 100644
--- a/net/rose/rose_link.c
+++ b/net/rose/rose_link.c
@@ -40,7 +40,8 @@ void rose_start_ftimer(struct rose_neigh *neigh)
        neigh->ftimer.data     = (unsigned long)neigh;
        neigh->ftimer.function = &rose_ftimer_expiry;
-        neigh->ftimer.expires  = jiffies + sysctl_rose_link_fail_timeout;
+        neigh->ftimer.expires  =
+                jiffies + msecs_to_jiffies(sysctl_rose_link_fail_timeout);
        add_timer(&neigh->ftimer);
 }
@@ -51,7 +52,8 @@ static void rose_start_t0timer(struct rose_neigh *neigh)
        neigh->t0timer.data     = (unsigned long)neigh;
        neigh->t0timer.function = &rose_t0timer_expiry;
-        neigh->t0timer.expires  = jiffies + sysctl_rose_restart_request_timeout;
+        neigh->t0timer.expires  =
+                jiffies + msecs_to_jiffies(sysctl_rose_restart_request_timeout);
        add_timer(&neigh->t0timer);
 }
diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
index 8631b65a7312..a22542fa1bc8 100644
--- a/net/rose/rose_route.c
+++ b/net/rose/rose_route.c
@@ -48,8 +48,6 @@ static DEFINE_SPINLOCK(rose_route_list_lock);
 struct rose_neigh *rose_loopback_neigh;
-static void rose_remove_neigh(struct rose_neigh *);
 /*
 *      Add a new route to a node, and in the process add the node and the
 *      neighbour if it is new.
@@ -235,11 +233,8 @@ static void rose_remove_neigh(struct rose_neigh *rose_neigh)
        skb_queue_purge(&rose_neigh->queue);
-        spin_lock_bh(&rose_neigh_list_lock);
        if ((s = rose_neigh_list) == rose_neigh) {
                rose_neigh_list = rose_neigh->next;
-                spin_unlock_bh(&rose_neigh_list_lock);
                kfree(rose_neigh->digipeat);
                kfree(rose_neigh);
                return;
@@ -248,7 +243,6 @@ static void rose_remove_neigh(struct rose_neigh *rose_neigh)
        while (s != NULL && s->next != NULL) {
                if (s->next == rose_neigh) {
                        s->next = rose_neigh->next;
-                        spin_unlock_bh(&rose_neigh_list_lock);
                        kfree(rose_neigh->digipeat);
                        kfree(rose_neigh);
                        return;
@@ -256,7 +250,6 @@ static void rose_remove_neigh(struct rose_neigh *rose_neigh)
                s = s->next;
        }
-        spin_unlock_bh(&rose_neigh_list_lock);
 }
 /*
diff --git a/net/sched/act_ipt.c b/net/sched/act_ipt.c
index 6056d20ef429..37640c6fc014 100644
--- a/net/sched/act_ipt.c
+++ b/net/sched/act_ipt.c
@@ -69,6 +69,11 @@ ipt_init_target(struct ipt_entry_target *t, char *table, unsigned int hook)
        DPRINTK("ipt_init_target: found %s\n", target->name);
        t->u.kernel.target = target;
+        ret = xt_check_target(target, AF_INET, t->u.target_size - sizeof(*t),
+                              table, hook, 0, 0);
+        if (ret)
+                return ret;
        if (t->u.kernel.target->checkentry
            && !t->u.kernel.target->checkentry(table, NULL,
                                               t->u.kernel.target, t->data,
diff --git a/net/sched/act_police.c b/net/sched/act_police.c
index fa877f8f652c..24c348fa8922 100644
--- a/net/sched/act_police.c
+++ b/net/sched/act_police.c
@@ -66,7 +66,7 @@ static __inline__ struct tcf_police * tcf_police_lookup(u32 index)
 }
 #ifdef CONFIG_NET_CLS_ACT
-static int tcf_generic_walker(struct sk_buff *skb, struct netlink_callback *cb,
+static int tcf_act_police_walker(struct sk_buff *skb, struct netlink_callback *cb,
                              int type, struct tc_action *a)
 {
        struct tcf_police *p;
@@ -113,7 +113,7 @@ rtattr_failure:
 }
 static inline int
-tcf_hash_search(struct tc_action *a, u32 index)
+tcf_act_police_hash_search(struct tc_action *a, u32 index)
 {
        struct tcf_police *p = tcf_police_lookup(index);
@@ -387,9 +387,9 @@ static struct tc_action_ops act_police_ops = {
        .act            =       tcf_act_police,
        .dump           =       tcf_act_police_dump,
        .cleanup        =       tcf_act_police_cleanup,
-        .lookup         =       tcf_hash_search,
+        .lookup         =       tcf_act_police_hash_search,
        .init           =       tcf_act_police_locate,
-        .walk           =       tcf_generic_walker
+        .walk           =       tcf_act_police_walker
 };
 static int __init
diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
index 31eb83717c26..138ea92ed268 100644
--- a/net/sched/sch_generic.c
+++ b/net/sched/sch_generic.c
@@ -193,8 +193,10 @@ static void dev_watchdog(unsigned long arg)
                    netif_running(dev) &&
                    netif_carrier_ok(dev)) {
                        if (netif_queue_stopped(dev) &&
-                            (jiffies - dev->trans_start) > dev->watchdog_timeo) {
+                            time_after(jiffies, dev->trans_start + dev->watchdog_timeo)) {
-                                printk(KERN_INFO "NETDEV WATCHDOG: %s: transmit timed out\n", dev->name);
+                                printk(KERN_INFO "NETDEV WATCHDOG: %s: transmit timed out\n",
+                                       dev->name);
                                dev->tx_timeout(dev);
                        }
                        if (!mod_timer(&dev->watchdog_timer, jiffies + dev->watchdog_timeo))
diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c
index 91132f6871d7..f1c7bd29f2cd 100644
--- a/net/sched/sch_hfsc.c
+++ b/net/sched/sch_hfsc.c
@@ -974,10 +974,10 @@ hfsc_adjust_levels(struct hfsc_class *cl)
        do {
                level = 0;
                list_for_each_entry(p, &cl->children, siblings) {
-                        if (p->level > level)
+                        if (p->level >= level)
-                                level = p->level;
+                                level = p->level + 1;
                }
-                cl->level = level + 1;
+                cl->level = level;
        } while ((cl = cl->cl_parent) != NULL);
 }
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index 7228d30512c7..5a4a4d0ae502 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -167,7 +167,7 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch)
        if (count == 0) {
                sch->qstats.drops++;
                kfree_skb(skb);
-                return NET_XMIT_DROP;
+                return NET_XMIT_BYPASS;
        }
        /*
diff --git a/net/sctp/input.c b/net/sctp/input.c
index d117ebc75cf8..1662f9cc869e 100644
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -73,6 +73,8 @@ static struct sctp_association *__sctp_lookup_association(
                                        const union sctp_addr *peer,
                                        struct sctp_transport **pt);
+static void sctp_add_backlog(struct sock *sk, struct sk_buff *skb);
 /* Calculate the SCTP checksum of an SCTP packet.  */
 static inline int sctp_rcv_checksum(struct sk_buff *skb)
@@ -186,7 +188,6 @@ int sctp_rcv(struct sk_buff *skb)
         */
        if (sk->sk_bound_dev_if && (sk->sk_bound_dev_if != af->skb_iif(skb)))
        {
-                sock_put(sk);
                if (asoc) {
                        sctp_association_put(asoc);
                        asoc = NULL;
@@ -197,7 +198,6 @@ int sctp_rcv(struct sk_buff *skb)
                sk = sctp_get_ctl_sock();
                ep = sctp_sk(sk)->ep;
                sctp_endpoint_hold(ep);
-                sock_hold(sk);
                rcvr = &ep->base;
        }
@@ -253,25 +253,18 @@ int sctp_rcv(struct sk_buff *skb)
         */
        sctp_bh_lock_sock(sk);
-        /* It is possible that the association could have moved to a different
-         * socket if it is peeled off. If so, update the sk.
-         */ 
-        if (sk != rcvr->sk) {
-                sctp_bh_lock_sock(rcvr->sk);
-                sctp_bh_unlock_sock(sk);
-                sk = rcvr->sk;
-        }
        if (sock_owned_by_user(sk))
-                sk_add_backlog(sk, skb);
+                sctp_add_backlog(sk, skb);
        else
-                sctp_backlog_rcv(sk, skb);
+                sctp_inq_push(&chunk->rcvr->inqueue, chunk);
-        /* Release the sock and the sock ref we took in the lookup calls.
-         * The asoc/ep ref will be released in sctp_backlog_rcv.
-         */
        sctp_bh_unlock_sock(sk);
-        sock_put(sk);
+        /* Release the asoc/ep ref we took in the lookup calls. */
+        if (asoc)
+                sctp_association_put(asoc);
+        else
+                sctp_endpoint_put(ep);
        return 0;
@@ -280,8 +273,7 @@ discard_it:
        return 0;
 discard_release:
-        /* Release any structures we may be holding. */
+        /* Release the asoc/ep ref we took in the lookup calls. */
-        sock_put(sk);
        if (asoc)
                sctp_association_put(asoc);
        else
@@ -290,56 +282,87 @@ discard_release:
        goto discard_it;
 }
-/* Handle second half of inbound skb processing.  If the sock was busy,
+/* Process the backlog queue of the socket.  Every skb on
- * we may have need to delay processing until later when the sock is
+ * the backlog holds a ref on an association or endpoint.
- * released (on the backlog).   If not busy, we call this routine
+ * We hold this ref throughout the state machine to make
- * directly from the bottom half.
+ * sure that the structure we need is still around.
 */
 int sctp_backlog_rcv(struct sock *sk, struct sk_buff *skb)
 {
        struct sctp_chunk *chunk = SCTP_INPUT_CB(skb)->chunk;
-        struct sctp_inq *inqueue = NULL;
+        struct sctp_inq *inqueue = &chunk->rcvr->inqueue;
        struct sctp_ep_common *rcvr = NULL;
+        int backloged = 0;
        rcvr = chunk->rcvr;
-        BUG_TRAP(rcvr->sk == sk);
+        /* If the rcvr is dead then the association or endpoint
+         * has been deleted and we can safely drop the chunk
-        if (rcvr->dead) {
+         * and refs that we are holding.
-                sctp_chunk_free(chunk);
+         */
-        } else {
+        if (rcvr->dead) {
-                inqueue = &chunk->rcvr->inqueue;
+                sctp_chunk_free(chunk);
-                sctp_inq_push(inqueue, chunk);
+                goto done;
-        }
+        }
-        /* Release the asoc/ep ref we took in the lookup calls in sctp_rcv. */ 
+        if (unlikely(rcvr->sk != sk)) {
-        if (SCTP_EP_TYPE_ASSOCIATION == rcvr->type)
+                /* In this case, the association moved from one socket to
-                sctp_association_put(sctp_assoc(rcvr));
+                 * another.  We are currently sitting on the backlog of the
-        else
+                 * old socket, so we need to move.
-                sctp_endpoint_put(sctp_ep(rcvr));
+                 * However, since we are here in the process context we
-  
+                 * need to take make sure that the user doesn't own
+                 * the new socket when we process the packet.
+                 * If the new socket is user-owned, queue the chunk to the
+                 * backlog of the new socket without dropping any refs.
+                 * Otherwise, we can safely push the chunk on the inqueue.
+                 */
+                sk = rcvr->sk;
+                sctp_bh_lock_sock(sk);
+                if (sock_owned_by_user(sk)) {
+                        sk_add_backlog(sk, skb);
+                        backloged = 1;
+                } else
+                        sctp_inq_push(inqueue, chunk);
+                sctp_bh_unlock_sock(sk);
+                /* If the chunk was backloged again, don't drop refs */
+                if (backloged)
+                        return 0;
+        } else {
+                sctp_inq_push(inqueue, chunk);
+        }
+done:
+        /* Release the refs we took in sctp_add_backlog */
+        if (SCTP_EP_TYPE_ASSOCIATION == rcvr->type)
+                sctp_association_put(sctp_assoc(rcvr));
+        else if (SCTP_EP_TYPE_SOCKET == rcvr->type)
+                sctp_endpoint_put(sctp_ep(rcvr));
+        else
+                BUG();
        return 0;
 }
-void sctp_backlog_migrate(struct sctp_association *assoc, 
+static void sctp_add_backlog(struct sock *sk, struct sk_buff *skb)
-                          struct sock *oldsk, struct sock *newsk)
 {
-        struct sk_buff *skb;
+        struct sctp_chunk *chunk = SCTP_INPUT_CB(skb)->chunk;
-        struct sctp_chunk *chunk;
+        struct sctp_ep_common *rcvr = chunk->rcvr;
-        skb = oldsk->sk_backlog.head;
+        /* Hold the assoc/ep while hanging on the backlog queue.
-        oldsk->sk_backlog.head = oldsk->sk_backlog.tail = NULL;
+         * This way, we know structures we need will not disappear from us
-        while (skb != NULL) {
+         */
-                struct sk_buff *next = skb->next;
+        if (SCTP_EP_TYPE_ASSOCIATION == rcvr->type)
+                sctp_association_hold(sctp_assoc(rcvr));
-                chunk = SCTP_INPUT_CB(skb)->chunk;
+        else if (SCTP_EP_TYPE_SOCKET == rcvr->type)
-                skb->next = NULL;
+                sctp_endpoint_hold(sctp_ep(rcvr));
-                if (&assoc->base == chunk->rcvr)
+        else
-                        sk_add_backlog(newsk, skb);
+                BUG();
-                else
-                        sk_add_backlog(oldsk, skb);
+        sk_add_backlog(sk, skb);
-                skb = next;
-        }
 }
 /* Handle icmp frag needed error. */
@@ -412,7 +435,7 @@ struct sock *sctp_err_lookup(int family, struct sk_buff *skb,
        union sctp_addr daddr;
        struct sctp_af *af;
        struct sock *sk = NULL;
-        struct sctp_association *asoc = NULL;
+        struct sctp_association *asoc;
        struct sctp_transport *transport = NULL;
        *app = NULL; *tpp = NULL;
@@ -453,7 +476,6 @@ struct sock *sctp_err_lookup(int family, struct sk_buff *skb,
        return sk;
 out:
-        sock_put(sk);
        if (asoc)
                sctp_association_put(asoc);
        return NULL;
@@ -463,7 +485,6 @@ out:
 void sctp_err_finish(struct sock *sk, struct sctp_association *asoc)
 {
        sctp_bh_unlock_sock(sk);
-        sock_put(sk);
        if (asoc)
                sctp_association_put(asoc);
 }
@@ -490,7 +511,7 @@ void sctp_v4_err(struct sk_buff *skb, __u32 info)
        int type = skb->h.icmph->type;
        int code = skb->h.icmph->code;
        struct sock *sk;
-        struct sctp_association *asoc;
+        struct sctp_association *asoc = NULL;
        struct sctp_transport *transport;
        struct inet_sock *inet;
        char *saveip, *savesctp;
@@ -716,7 +737,6 @@ static struct sctp_endpoint *__sctp_rcv_lookup_endpoint(const union sctp_addr *l
 hit:
        sctp_endpoint_hold(ep);
-        sock_hold(epb->sk);
        read_unlock(&head->lock);
        return ep;
 }
@@ -818,7 +838,6 @@ static struct sctp_association *__sctp_lookup_association(
 hit:
        *pt = transport;
        sctp_association_hold(asoc);
-        sock_hold(epb->sk);
        read_unlock(&head->lock);
        return asoc;
 }
@@ -846,7 +865,6 @@ int sctp_has_association(const union sctp_addr *laddr,
        struct sctp_transport *transport;
        if ((asoc = sctp_lookup_association(laddr, paddr, &transport))) {
-                sock_put(asoc->base.sk);
                sctp_association_put(asoc);
                return 1;
        }
diff --git a/net/sctp/inqueue.c b/net/sctp/inqueue.c
index 297b8951463e..cf0c767d43ae 100644
--- a/net/sctp/inqueue.c
+++ b/net/sctp/inqueue.c
@@ -149,6 +149,7 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue)
                /* This is the first chunk in the packet.  */
                chunk->singleton = 1;
                ch = (sctp_chunkhdr_t *) chunk->skb->data;
+                chunk->data_accepted = 0;
        }
        chunk->chunk_hdr = ch;
diff --git a/net/sctp/proc.c b/net/sctp/proc.c
index d47a52c303a8..5b3b0e0ae7e5 100644
--- a/net/sctp/proc.c
+++ b/net/sctp/proc.c
@@ -69,7 +69,7 @@ fold_field(void *mib[], int nr)
        unsigned long res = 0;
        int i;
-        for_each_cpu(i) {
+        for_each_possible_cpu(i) {
                res +=
                    *((unsigned long *) (((void *) per_cpu_ptr(mib[0], i)) +
                                         sizeof (unsigned long) * nr));
diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c
index 8d1dc24bab4c..c5beb2ad7ef7 100644
--- a/net/sctp/sm_sideeffect.c
+++ b/net/sctp/sm_sideeffect.c
@@ -498,10 +498,6 @@ static void sctp_cmd_assoc_failed(sctp_cmd_seq_t *commands,
        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
                        SCTP_STATE(SCTP_STATE_CLOSED));
-        /* Set sk_err to ECONNRESET on a 1-1 style socket. */
-        if (!sctp_style(asoc->base.sk, UDP))
-                asoc->base.sk->sk_err = ECONNRESET; 
        /* SEND_FAILED sent later when cleaning up the association. */
        asoc->outqueue.error = error;
        sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
@@ -838,6 +834,15 @@ static void sctp_cmd_del_non_primary(struct sctp_association *asoc)
        return;
 }
+/* Helper function to set sk_err on a 1-1 style socket. */
+static void sctp_cmd_set_sk_err(struct sctp_association *asoc, int error)
+{
+        struct sock *sk = asoc->base.sk;
+        if (!sctp_style(sk, UDP))
+                sk->sk_err = error;
+}
 /* These three macros allow us to pull the debugging code out of the
 * main flow of sctp_do_sm() to keep attention focused on the real
 * functionality there.
@@ -1458,6 +1463,9 @@ static int sctp_cmd_interpreter(sctp_event_t event_type,
                        local_cork = 0;
                        asoc->peer.retran_path = t;
                        break;
+                case SCTP_CMD_SET_SK_ERR:
+                        sctp_cmd_set_sk_err(asoc, cmd->obj.error);
+                        break;
                default:
                        printk(KERN_WARNING "Impossible command: %u, %p\n",
                               cmd->verb, cmd->obj.ptr);
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 2b9a832b29a7..8bc279219a72 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -93,7 +93,7 @@ static sctp_disposition_t sctp_sf_shut_8_4_5(const struct sctp_endpoint *ep,
 static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk);
 static sctp_disposition_t sctp_stop_t1_and_abort(sctp_cmd_seq_t *commands,
-                                           __u16 error,
+                                           __u16 error, int sk_err,
                                           const struct sctp_association *asoc,
                                           struct sctp_transport *transport);
@@ -448,7 +448,7 @@ sctp_disposition_t sctp_sf_do_5_1C_ack(const struct sctp_endpoint *ep,
        __u32 init_tag;
        struct sctp_chunk *err_chunk;
        struct sctp_packet *packet;
-        sctp_disposition_t ret;
+        __u16 error;
        if (!sctp_vtag_verify(chunk, asoc))
                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
@@ -480,11 +480,9 @@ sctp_disposition_t sctp_sf_do_5_1C_ack(const struct sctp_endpoint *ep,
                        goto nomem;
                sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
-                sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
+                return sctp_stop_t1_and_abort(commands, SCTP_ERROR_INV_PARAM,
-                                SCTP_STATE(SCTP_STATE_CLOSED));
+                                              ECONNREFUSED, asoc,
-                SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
+                                              chunk->transport);
-                sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB, SCTP_NULL());
-                return SCTP_DISPOSITION_DELETE_TCB;
        }
        /* Verify the INIT chunk before processing it. */
@@ -511,27 +509,16 @@ sctp_disposition_t sctp_sf_do_5_1C_ack(const struct sctp_endpoint *ep,
                                sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT,
                                                SCTP_PACKET(packet));
                                SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS);
-                                sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
+                                error = SCTP_ERROR_INV_PARAM;
-                                                SCTP_STATE(SCTP_STATE_CLOSED));
-                                sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB,
-                                                SCTP_NULL());
-                                return SCTP_DISPOSITION_CONSUME;
                        } else {
-                                sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
+                                error = SCTP_ERROR_NO_RESOURCE;
-                                                SCTP_STATE(SCTP_STATE_CLOSED));
-                                sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB,
-                                                SCTP_NULL());
-                                return SCTP_DISPOSITION_NOMEM;
                        }
                } else {
-                        ret = sctp_sf_tabort_8_4_8(ep, asoc, type, arg,
+                        sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
-                                                   commands);
+                        error = SCTP_ERROR_INV_PARAM;
-                        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
-                                        SCTP_STATE(SCTP_STATE_CLOSED));
-                        sctp_add_cmd_sf(commands, SCTP_CMD_DELETE_TCB,
-                                        SCTP_NULL());
-                        return ret;
                }
+                return sctp_stop_t1_and_abort(commands, error, ECONNREFUSED,
+                                                asoc, chunk->transport);
        }
        /* Tag the variable length parameters.  Note that we never
@@ -636,8 +623,9 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(const struct sctp_endpoint *ep,
         */
        chunk->subh.cookie_hdr =
                (struct sctp_signed_cookie *)chunk->skb->data;
-        skb_pull(chunk->skb,
+        if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
-                 ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t));
+                                         sizeof(sctp_chunkhdr_t)))
+                goto nomem;
        /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint
         * "Z" will reply with a COOKIE ACK chunk after building a TCB
@@ -885,6 +873,8 @@ sctp_disposition_t sctp_sf_sendbeat_8_3(const struct sctp_endpoint *ep,
        struct sctp_transport *transport = (struct sctp_transport *) arg;
        if (asoc->overall_error_count >= asoc->max_retrans) {
+                sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
+                                SCTP_ERROR(ETIMEDOUT));
                /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
                sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
                                SCTP_U32(SCTP_ERROR_NO_ERROR));
@@ -965,7 +955,8 @@ sctp_disposition_t sctp_sf_beat_8_3(const struct sctp_endpoint *ep,
         */
        chunk->subh.hb_hdr = (sctp_heartbeathdr_t *) chunk->skb->data;
        paylen = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t);
-        skb_pull(chunk->skb, paylen);
+        if (!pskb_pull(chunk->skb, paylen))
+                goto nomem;
        reply = sctp_make_heartbeat_ack(asoc, chunk,
                                        chunk->subh.hb_hdr, paylen);
@@ -1028,6 +1019,12 @@ sctp_disposition_t sctp_sf_backbeat_8_3(const struct sctp_endpoint *ep,
                                                  commands);
        hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data;
+        /* Make sure that the length of the parameter is what we expect */
+        if (ntohs(hbinfo->param_hdr.length) !=
+                                    sizeof(sctp_sender_hb_info_t)) {
+                return SCTP_DISPOSITION_DISCARD;
+        }
        from_addr = hbinfo->daddr;
        link = sctp_assoc_lookup_paddr(asoc, &from_addr);
@@ -1860,8 +1857,9 @@ sctp_disposition_t sctp_sf_do_5_2_4_dupcook(const struct sctp_endpoint *ep,
         * are in good shape.
         */
        chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data;
-        skb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
+        if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
-                 sizeof(sctp_chunkhdr_t));
+                                        sizeof(sctp_chunkhdr_t)))
+                goto nomem;
        /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie
         * of a duplicate COOKIE ECHO match the Verification Tags of the
@@ -2123,6 +2121,8 @@ static sctp_disposition_t sctp_sf_do_5_2_6_stale(const struct sctp_endpoint *ep,
        int attempts = asoc->init_err_counter + 1;
        if (attempts > asoc->max_init_attempts) {
+                sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
+                                SCTP_ERROR(ETIMEDOUT));
                sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
                                SCTP_U32(SCTP_ERROR_STALE_COOKIE));
                return SCTP_DISPOSITION_DELETE_TCB;
@@ -2259,6 +2259,7 @@ sctp_disposition_t sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep,
        if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))
                error = ((sctp_errhdr_t *)chunk->skb->data)->cause;
+        sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET));
        /* ASSOC_FAILED will DELETE_TCB. */
        sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, SCTP_U32(error));
        SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
@@ -2303,7 +2304,8 @@ sctp_disposition_t sctp_sf_cookie_wait_abort(const struct sctp_endpoint *ep,
        if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))
                error = ((sctp_errhdr_t *)chunk->skb->data)->cause;
-        return sctp_stop_t1_and_abort(commands, error, asoc, chunk->transport);
+        return sctp_stop_t1_and_abort(commands, error, ECONNREFUSED, asoc,
+                                      chunk->transport);
 }
 /*
@@ -2315,7 +2317,8 @@ sctp_disposition_t sctp_sf_cookie_wait_icmp_abort(const struct sctp_endpoint *ep
                                        void *arg,
                                        sctp_cmd_seq_t *commands)
 {
-        return sctp_stop_t1_and_abort(commands, SCTP_ERROR_NO_ERROR, asoc,
+        return sctp_stop_t1_and_abort(commands, SCTP_ERROR_NO_ERROR,
+                                      ENOPROTOOPT, asoc,
                                      (struct sctp_transport *)arg);
 }
@@ -2340,7 +2343,7 @@ sctp_disposition_t sctp_sf_cookie_echoed_abort(const struct sctp_endpoint *ep,
 * This is common code called by several sctp_sf_*_abort() functions above.
 */
 static sctp_disposition_t sctp_stop_t1_and_abort(sctp_cmd_seq_t *commands,
-                                           __u16 error,
+                                           __u16 error, int sk_err,
                                           const struct sctp_association *asoc,
                                           struct sctp_transport *transport)
 {
@@ -2350,6 +2353,7 @@ static sctp_disposition_t sctp_stop_t1_and_abort(sctp_cmd_seq_t *commands,
        SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
        sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
                        SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
+        sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(sk_err));
        /* CMD_INIT_FAILED will DELETE_TCB. */
        sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
                        SCTP_U32(error));
@@ -3333,6 +3337,8 @@ sctp_disposition_t sctp_sf_do_asconf_ack(const struct sctp_endpoint *ep,
                sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
                                SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
                sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL());
+                sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
+                                SCTP_ERROR(ECONNABORTED));
                sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
                                SCTP_U32(SCTP_ERROR_ASCONF_ACK));
                SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
@@ -3359,6 +3365,8 @@ sctp_disposition_t sctp_sf_do_asconf_ack(const struct sctp_endpoint *ep,
                 * processing the rest of the chunks in the packet.
                 */
                sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL());
+                sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
+                                SCTP_ERROR(ECONNABORTED));
                sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
                                SCTP_U32(SCTP_ERROR_ASCONF_ACK));
                SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
@@ -3711,9 +3719,13 @@ static sctp_disposition_t sctp_sf_violation_chunklen(
        if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) {
                sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
                                SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
+                sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
+                                SCTP_ERROR(ECONNREFUSED));
                sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
                                SCTP_U32(SCTP_ERROR_PROTO_VIOLATION));
        } else {
+                sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
+                                SCTP_ERROR(ECONNABORTED));
                sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
                                SCTP_U32(SCTP_ERROR_PROTO_VIOLATION));
                SCTP_DEC_STATS(SCTP_MIB_CURRESTAB);
@@ -4031,6 +4043,8 @@ sctp_disposition_t sctp_sf_do_9_1_prm_abort(
         * TCB.  This is a departure from our typical NOMEM handling.
         */
+        sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
+                        SCTP_ERROR(ECONNABORTED));
        /* Delete the established association. */
        sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
                        SCTP_U32(SCTP_ERROR_USER_ABORT));
@@ -4172,6 +4186,8 @@ sctp_disposition_t sctp_sf_cookie_wait_prm_abort(
         * TCB.  This is a departure from our typical NOMEM handling.
         */
+        sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
+                        SCTP_ERROR(ECONNREFUSED));
        /* Delete the established association. */
        sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
                        SCTP_U32(SCTP_ERROR_USER_ABORT));
@@ -4540,6 +4556,8 @@ sctp_disposition_t sctp_sf_do_6_3_3_rtx(const struct sctp_endpoint *ep,
        struct sctp_transport *transport = arg;
        if (asoc->overall_error_count >= asoc->max_retrans) {
+                sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
+                                SCTP_ERROR(ETIMEDOUT));
                /* CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
                sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
                                SCTP_U32(SCTP_ERROR_NO_ERROR));
@@ -4659,6 +4677,8 @@ sctp_disposition_t sctp_sf_t1_init_timer_expire(const struct sctp_endpoint *ep,
                SCTP_DEBUG_PRINTK("Giving up on INIT, attempts: %d"
                                  " max_init_attempts: %d\n",
                                  attempts, asoc->max_init_attempts);
+                sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
+                                SCTP_ERROR(ETIMEDOUT));
                sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
                                SCTP_U32(SCTP_ERROR_NO_ERROR));
                return SCTP_DISPOSITION_DELETE_TCB;
@@ -4708,6 +4728,8 @@ sctp_disposition_t sctp_sf_t1_cookie_timer_expire(const struct sctp_endpoint *ep
                sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
        } else {
+                sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
+                                SCTP_ERROR(ETIMEDOUT));
                sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED,
                                SCTP_U32(SCTP_ERROR_NO_ERROR));
                return SCTP_DISPOSITION_DELETE_TCB;
@@ -4739,6 +4761,8 @@ sctp_disposition_t sctp_sf_t2_timer_expire(const struct sctp_endpoint *ep,
        SCTP_DEBUG_PRINTK("Timer T2 expired.\n");
        if (asoc->overall_error_count >= asoc->max_retrans) {
+                sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
+                                SCTP_ERROR(ETIMEDOUT));
                /* Note:  CMD_ASSOC_FAILED calls CMD_DELETE_TCB. */
                sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
                                SCTP_U32(SCTP_ERROR_NO_ERROR));
@@ -4814,6 +4838,8 @@ sctp_disposition_t sctp_sf_t4_timer_expire(
        if (asoc->overall_error_count >= asoc->max_retrans) {
                sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
                                SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
+                sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
+                                SCTP_ERROR(ETIMEDOUT));
                sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
                                SCTP_U32(SCTP_ERROR_NO_ERROR));
                SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
@@ -4867,6 +4893,8 @@ sctp_disposition_t sctp_sf_t5_timer_expire(const struct sctp_endpoint *ep,
                goto nomem;
        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(reply));
+        sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
+                        SCTP_ERROR(ETIMEDOUT));
        sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
                        SCTP_U32(SCTP_ERROR_NO_ERROR));
@@ -5151,7 +5179,9 @@ static int sctp_eat_data(const struct sctp_association *asoc,
        int tmp;
        __u32 tsn;
        int account_value;
+        struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map;
        struct sock *sk = asoc->base.sk;
+        int rcvbuf_over = 0;
        data_hdr = chunk->subh.data_hdr = (sctp_datahdr_t *)chunk->skb->data;
        skb_pull(chunk->skb, sizeof(sctp_datahdr_t));
@@ -5162,10 +5192,16 @@ static int sctp_eat_data(const struct sctp_association *asoc,
        /* ASSERT:  Now skb->data is really the user data.  */
        /*
-         * if we are established, and we have used up our receive
+         * If we are established, and we have used up our receive buffer
-         * buffer memory, drop the frame
+         * memory, think about droping the frame.
-         */
+         * Note that we have an opportunity to improve performance here.
-        if (asoc->state == SCTP_STATE_ESTABLISHED) {
+         * If we accept one chunk from an skbuff, we have to keep all the
+         * memory of that skbuff around until the chunk is read into user
+         * space. Therefore, once we accept 1 chunk we may as well accept all
+         * remaining chunks in the skbuff. The data_accepted flag helps us do
+         * that.
+         */
+        if ((asoc->state == SCTP_STATE_ESTABLISHED) && (!chunk->data_accepted)) {
                /*
                 * If the receive buffer policy is 1, then each
                 * association can allocate up to sk_rcvbuf bytes
@@ -5176,9 +5212,25 @@ static int sctp_eat_data(const struct sctp_association *asoc,
                        account_value = atomic_read(&asoc->rmem_alloc);
                else
                        account_value = atomic_read(&sk->sk_rmem_alloc);
+                if (account_value > sk->sk_rcvbuf) {
-                if (account_value > sk->sk_rcvbuf)
+                        /*
-                        return SCTP_IERROR_IGNORE_TSN;
+                         * We need to make forward progress, even when we are
+                         * under memory pressure, so we always allow the
+                         * next tsn after the ctsn ack point to be accepted.
+                         * This lets us avoid deadlocks in which we have to
+                         * drop frames that would otherwise let us drain the
+                         * receive queue.
+                         */
+                        if ((sctp_tsnmap_get_ctsn(map) + 1) != tsn)
+                                return SCTP_IERROR_IGNORE_TSN;
+                        /*
+                         * We're going to accept the frame but we should renege
+                         * to make space for it. This will send us down that
+                         * path later in this function.
+                         */
+                        rcvbuf_over = 1;
+                }
        }
        /* Process ECN based congestion.
@@ -5226,6 +5278,7 @@ static int sctp_eat_data(const struct sctp_association *asoc,
        datalen -= sizeof(sctp_data_chunk_t);
        deliver = SCTP_CMD_CHUNK_ULP;
+        chunk->data_accepted = 1;
        /* Think about partial delivery. */
        if ((datalen >= asoc->rwnd) && (!asoc->ulpq.pd_mode)) {
@@ -5242,7 +5295,8 @@ static int sctp_eat_data(const struct sctp_association *asoc,
         * large spill over.
         */
        if (!asoc->rwnd || asoc->rwnd_over ||
-            (datalen > asoc->rwnd + asoc->frag_point)) {
+            (datalen > asoc->rwnd + asoc->frag_point) ||
+            rcvbuf_over) {
                /* If this is the next TSN, consider reneging to make
                 * room.   Note: Playing nice with a confused sender.  A
@@ -5250,8 +5304,8 @@ static int sctp_eat_data(const struct sctp_association *asoc,
                 * space and in the future we may want to detect and
                 * do more drastic reneging.
                 */
-                if (sctp_tsnmap_has_gap(&asoc->peer.tsn_map) &&
+                if (sctp_tsnmap_has_gap(map) &&
-                    (sctp_tsnmap_get_ctsn(&asoc->peer.tsn_map) + 1) == tsn) {
+                    (sctp_tsnmap_get_ctsn(map) + 1) == tsn) {
                        SCTP_DEBUG_PRINTK("Reneging for tsn:%u\n", tsn);
                        deliver = SCTP_CMD_RENEGE;
                } else {
@@ -5280,6 +5334,8 @@ static int sctp_eat_data(const struct sctp_association *asoc,
                 * processing the rest of the chunks in the packet.
                 */
                sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET,SCTP_NULL());
+                sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR,
+                                SCTP_ERROR(ECONNABORTED));
                sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
                                SCTP_U32(SCTP_ERROR_NO_DATA));
                SCTP_INC_STATS(SCTP_MIB_ABORTEDS);
diff --git a/net/sctp/sm_statetable.c b/net/sctp/sm_statetable.c
index 75ef10408764..8bcca5676151 100644
--- a/net/sctp/sm_statetable.c
+++ b/net/sctp/sm_statetable.c
@@ -366,9 +366,9 @@ const sctp_sm_table_entry_t *sctp_sm_lookup_event(sctp_event_t event_type,
        /* SCTP_STATE_EMPTY */ \
        {.fn = sctp_sf_ootb, .name = "sctp_sf_ootb"}, \
        /* SCTP_STATE_CLOSED */ \
-        {.fn = sctp_sf_bug, .name = "sctp_sf_bug"}, \
+        {.fn = sctp_sf_discard_chunk, .name = "sctp_sf_discard_chunk"}, \
        /* SCTP_STATE_COOKIE_WAIT */ \
-        {.fn = sctp_sf_bug, .name = "sctp_sf_bug"}, \
+        {.fn = sctp_sf_discard_chunk, .name = "sctp_sf_discard_chunk"}, \
        /* SCTP_STATE_COOKIE_ECHOED */ \
        {.fn = sctp_sf_do_ecne, .name = "sctp_sf_do_ecne"}, \
        /* SCTP_STATE_ESTABLISHED */ \
@@ -380,7 +380,7 @@ const sctp_sm_table_entry_t *sctp_sm_lookup_event(sctp_event_t event_type,
        /* SCTP_STATE_SHUTDOWN_RECEIVED */ \
        {.fn = sctp_sf_do_ecne, .name = "sctp_sf_do_ecne"}, \
        /* SCTP_STATE_SHUTDOWN_ACK_SENT */ \
-        {.fn = sctp_sf_bug, .name = "sctp_sf_bug"}, \
+        {.fn = sctp_sf_discard_chunk, .name = "sctp_sf_discard_chunk"}, \
 } /* TYPE_SCTP_ECN_ECNE */
 #define TYPE_SCTP_ECN_CWR { \
@@ -401,7 +401,7 @@ const sctp_sm_table_entry_t *sctp_sm_lookup_event(sctp_event_t event_type,
        /* SCTP_STATE_SHUTDOWN_RECEIVED */ \
        {.fn = sctp_sf_discard_chunk, .name = "sctp_sf_discard_chunk"}, \
        /* SCTP_STATE_SHUTDOWN_ACK_SENT */ \
-        {.fn = sctp_sf_bug, .name = "sctp_sf_bug"}, \
+        {.fn = sctp_sf_discard_chunk, .name = "sctp_sf_discard_chunk"}, \
 } /* TYPE_SCTP_ECN_CWR */
 #define TYPE_SCTP_SHUTDOWN_COMPLETE { \
@@ -647,7 +647,7 @@ chunk_event_table_unknown[SCTP_STATE_NUM_STATES] = {
        /* SCTP_STATE_EMPTY */ \
        {.fn = sctp_sf_bug, .name = "sctp_sf_bug"}, \
        /* SCTP_STATE_CLOSED */ \
-        {.fn = sctp_sf_bug, .name = "sctp_sf_bug"}, \
+        {.fn = sctp_sf_error_closed, .name = "sctp_sf_error_closed"}, \
        /* SCTP_STATE_COOKIE_WAIT */ \
        {.fn = sctp_sf_do_prm_requestheartbeat,               \
         .name = "sctp_sf_do_prm_requestheartbeat"},          \
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index b6e4b89539b3..174d4d35e951 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -1057,6 +1057,7 @@ static int __sctp_connect(struct sock* sk,
        inet_sk(sk)->dport = htons(asoc->peer.port);
        af = sctp_get_af_specific(to.sa.sa_family);
        af->to_sk_daddr(&to, sk);
+        sk->sk_err = 0;
        timeo = sock_sndtimeo(sk, sk->sk_socket->file->f_flags & O_NONBLOCK);
        err = sctp_wait_for_connect(asoc, &timeo);
@@ -1228,7 +1229,7 @@ SCTP_STATIC void sctp_close(struct sock *sk, long timeout)
        ep = sctp_sk(sk)->ep;
-        /* Walk all associations on a socket, not on an endpoint.  */
+        /* Walk all associations on an endpoint.  */
        list_for_each_safe(pos, temp, &ep->asocs) {
                asoc = list_entry(pos, struct sctp_association, asocs);
@@ -1241,13 +1242,13 @@ SCTP_STATIC void sctp_close(struct sock *sk, long timeout)
                        if (sctp_state(asoc, CLOSED)) {
                                sctp_unhash_established(asoc);
                                sctp_association_free(asoc);
+                                continue;
+                        }
+                }
-                        } else if (sock_flag(sk, SOCK_LINGER) &&
+                if (sock_flag(sk, SOCK_LINGER) && !sk->sk_lingertime)
-                                   !sk->sk_lingertime)
+                        sctp_primitive_ABORT(asoc, NULL);
-                                sctp_primitive_ABORT(asoc, NULL);
+                else
-                        else
-                                sctp_primitive_SHUTDOWN(asoc, NULL);
-                } else
                        sctp_primitive_SHUTDOWN(asoc, NULL);
        }
@@ -5317,6 +5318,7 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
                 */
                sctp_release_sock(sk);
                current_timeo = schedule_timeout(current_timeo);
+                BUG_ON(sk != asoc->base.sk);
                sctp_lock_sock(sk);
                *timeo_p = current_timeo;
@@ -5604,12 +5606,14 @@ static void sctp_sock_migrate(struct sock *oldsk, struct sock *newsk,
         */
        newsp->type = type;
-        spin_lock_bh(&oldsk->sk_lock.slock);
+        /* Mark the new socket "in-use" by the user so that any packets
-        /* Migrate the backlog from oldsk to newsk. */
+         * that may arrive on the association after we've moved it are
-        sctp_backlog_migrate(assoc, oldsk, newsk);
+         * queued to the backlog.  This prevents a potential race between
-        /* Migrate the association to the new socket. */
+         * backlog processing on the old socket and new-packet processing
+         * on the new socket.
+         */
+        sctp_lock_sock(newsk);
        sctp_assoc_migrate(assoc, newsk);
-        spin_unlock_bh(&oldsk->sk_lock.slock);
        /* If the association on the newsk is already closed before accept()
         * is called, set RCV_SHUTDOWN flag.
@@ -5618,6 +5622,7 @@ static void sctp_sock_migrate(struct sock *oldsk, struct sock *newsk,
                newsk->sk_shutdown |= RCV_SHUTDOWN;
        newsk->sk_state = SCTP_SS_ESTABLISHED;
+        sctp_release_sock(newsk);
 }
 /* This proto struct describes the ULP interface for SCTP.  */
diff --git a/net/sctp/ulpqueue.c b/net/sctp/ulpqueue.c
index 2080b2d28c98..575e556aeb3e 100644
--- a/net/sctp/ulpqueue.c
+++ b/net/sctp/ulpqueue.c
@@ -279,6 +279,7 @@ static inline void sctp_ulpq_store_reasm(struct sctp_ulpq *ulpq,
 static struct sctp_ulpevent *sctp_make_reassembled_event(struct sk_buff_head *queue, struct sk_buff *f_frag, struct sk_buff *l_frag)
 {
        struct sk_buff *pos;
+        struct sk_buff *new = NULL;
        struct sctp_ulpevent *event;
        struct sk_buff *pnext, *last;
        struct sk_buff *list = skb_shinfo(f_frag)->frag_list;
@@ -297,11 +298,33 @@ static struct sctp_ulpevent *sctp_make_reassembled_event(struct sk_buff_head *qu
         */
        if (last)
                last->next = pos;
-        else
+        else {
-                skb_shinfo(f_frag)->frag_list = pos;
+                if (skb_cloned(f_frag)) {
+                        /* This is a cloned skb, we can't just modify
+                         * the frag_list.  We need a new skb to do that.
+                         * Instead of calling skb_unshare(), we'll do it
+                         * ourselves since we need to delay the free.
+                         */
+                        new = skb_copy(f_frag, GFP_ATOMIC);
+                        if (!new)
+                                return NULL;    /* try again later */
+                        new->sk = f_frag->sk;
+                        skb_shinfo(new)->frag_list = pos;
+                } else
+                        skb_shinfo(f_frag)->frag_list = pos;
+        }
        /* Remove the first fragment from the reassembly queue.  */
        __skb_unlink(f_frag, queue);
+        /* if we did unshare, then free the old skb and re-assign */
+        if (new) {
+                kfree_skb(f_frag);
+                f_frag = new;
+        }
        while (pos) {
                pnext = pos->next;
diff --git a/net/socket.c b/net/socket.c
index b807f360e02c..02948b622bd2 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -119,10 +119,6 @@ static ssize_t sock_writev(struct file *file, const struct iovec *vector,
 static ssize_t sock_sendpage(struct file *file, struct page *page,
                             int offset, size_t size, loff_t *ppos, int more);
-extern ssize_t generic_splice_sendpage(struct inode *inode, struct file *out,
-                                size_t len, unsigned int flags);
 /*
 *      Socket files have a set of 'special' operations as well as the generic file ones. These don't appear
 *      in the operation structures but are done directly via the socketcall() multiplexor.
@@ -271,6 +267,8 @@ int move_addr_to_user(void *kaddr, int klen, void __user *uaddr, int __user *ule
                return -EINVAL;
        if(len)
        {
+                if (audit_sockaddr(klen, kaddr))
+                        return -ENOMEM;
                if(copy_to_user(uaddr,kaddr,len))
                        return -EFAULT;
        }
@@ -494,6 +492,7 @@ static struct socket *sockfd_lookup_light(int fd, int *err, int *fput_needed)
        struct file *file;
        struct socket *sock;
+        *err = -EBADF;
        file = fget_light(fd, fput_needed);
        if (file) {
                sock = sock_from_file(file, err);
@@ -2136,7 +2135,7 @@ void socket_seq_show(struct seq_file *seq)
        int cpu;
        int counter = 0;
-        for_each_cpu(cpu)
+        for_each_possible_cpu(cpu)
                counter += per_cpu(sockets_in_use, cpu);
        /* It can be negative, by the way. 8) */
diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
index 900ef31f5a0e..519ebc17c028 100644
--- a/net/sunrpc/auth_gss/auth_gss.c
+++ b/net/sunrpc/auth_gss/auth_gss.c
@@ -794,7 +794,6 @@ gss_create_cred(struct rpc_auth *auth, struct auth_cred *acred, int flags)
 out_err:
        dprintk("RPC:      gss_create_cred failed with error %d\n", err);
-        if (cred) gss_destroy_cred(&cred->gc_base);
        return ERR_PTR(err);
 }
diff --git a/net/sunrpc/auth_gss/gss_krb5_crypto.c b/net/sunrpc/auth_gss/gss_krb5_crypto.c
index 97c981fa6b8e..76b969e6904f 100644
--- a/net/sunrpc/auth_gss/gss_krb5_crypto.c
+++ b/net/sunrpc/auth_gss/gss_krb5_crypto.c
@@ -212,7 +212,6 @@ make_checksum(s32 cksumtype, char *header, int hdrlen, struct xdr_buf *body,
        char                            *cksumname;
        struct crypto_tfm               *tfm = NULL; /* XXX add to ctx? */
        struct scatterlist              sg[1];
-        u32                             code = GSS_S_FAILURE;
        switch (cksumtype) {
                case CKSUMTYPE_RSA_MD5:
@@ -221,13 +220,11 @@ make_checksum(s32 cksumtype, char *header, int hdrlen, struct xdr_buf *body,
                default:
                        dprintk("RPC:      krb5_make_checksum:"
                                " unsupported checksum %d", cksumtype);
-                        goto out;
+                        return GSS_S_FAILURE;
        }
        if (!(tfm = crypto_alloc_tfm(cksumname, CRYPTO_TFM_REQ_MAY_SLEEP)))
-                goto out;
+                return GSS_S_FAILURE;
        cksum->len = crypto_tfm_alg_digestsize(tfm);
-        if ((cksum->data = kmalloc(cksum->len, GFP_KERNEL)) == NULL)
-                goto out;
        crypto_digest_init(tfm);
        sg_set_buf(sg, header, hdrlen);
@@ -235,10 +232,8 @@ make_checksum(s32 cksumtype, char *header, int hdrlen, struct xdr_buf *body,
        process_xdr_buf(body, body_offset, body->len - body_offset,
                        checksummer, tfm);
        crypto_digest_final(tfm, cksum->data);
-        code = 0;
-out:
        crypto_free_tfm(tfm);
-        return code;
+        return 0;
 }
 EXPORT_SYMBOL(make_checksum);
diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
index 4d7eb9e704da..d51e316c5821 100644
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -1122,18 +1122,20 @@ svcauth_gss_release(struct svc_rqst *rqstp)
                                        integ_len))
                        BUG();
                if (resbuf->page_len == 0
-                        && resbuf->tail[0].iov_len + RPC_MAX_AUTH_SIZE
+                        && resbuf->head[0].iov_len + RPC_MAX_AUTH_SIZE
                                < PAGE_SIZE) {
                        BUG_ON(resbuf->tail[0].iov_len);
                        /* Use head for everything */
                        resv = &resbuf->head[0];
                } else if (resbuf->tail[0].iov_base == NULL) {
-                        /* copied from nfsd4_encode_read */
+                        if (resbuf->head[0].iov_len + RPC_MAX_AUTH_SIZE
-                        svc_take_page(rqstp);
+                                        > PAGE_SIZE)
-                        resbuf->tail[0].iov_base = page_address(rqstp
+                                goto out_err;
-                                        ->rq_respages[rqstp->rq_resused-1]);
+                        resbuf->tail[0].iov_base =
-                        rqstp->rq_restailpage = rqstp->rq_resused-1;
+                                resbuf->head[0].iov_base
+                                + resbuf->head[0].iov_len;
                        resbuf->tail[0].iov_len = 0;
+                        rqstp->rq_restailpage = 0;
                        resv = &resbuf->tail[0];
                } else {
                        resv = &resbuf->tail[0];
diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c
index 3ac4193a78ed..7026b0866b7b 100644
--- a/net/sunrpc/cache.c
+++ b/net/sunrpc/cache.c
@@ -159,6 +159,7 @@ struct cache_head *sunrpc_cache_update(struct cache_detail *detail,
                detail->update(tmp, new);
        tmp->next = *head;
        *head = tmp;
+        detail->entries++;
        cache_get(tmp);
        is_new = cache_fresh_locked(tmp, new->expiry_time);
        cache_fresh_locked(old, 0);
diff --git a/net/sunrpc/stats.c b/net/sunrpc/stats.c
index dea529666d69..15c2db26767b 100644
--- a/net/sunrpc/stats.c
+++ b/net/sunrpc/stats.c
@@ -176,7 +176,8 @@ void rpc_count_iostats(struct rpc_task *task)
        op_metrics->om_execute += execute;
 }
-void _print_name(struct seq_file *seq, unsigned int op, struct rpc_procinfo *procs)
+static void _print_name(struct seq_file *seq, unsigned int op,
+                        struct rpc_procinfo *procs)
 {
        if (procs[op].p_name)
                seq_printf(seq, "\t%12s: ", procs[op].p_name);
diff --git a/net/sysctl_net.c b/net/sysctl_net.c
index 55538f6b60ff..58a1b6b42ddd 100644
--- a/net/sysctl_net.c
+++ b/net/sysctl_net.c
@@ -37,14 +37,6 @@ struct ctl_table net_table[] = {
                .mode           = 0555,
                .child          = core_table,
        },
-#ifdef CONFIG_NET
-        {
-                .ctl_name       = NET_ETHER,
-                .procname       = "ethernet",
-                .mode           = 0555,
-                .child          = ether_table,
-        },
-#endif
 #ifdef CONFIG_INET
        {
                .ctl_name       = NET_IPV4,
diff --git a/net/tipc/name_distr.c b/net/tipc/name_distr.c
index 953307a9df1d..a3bbc891f959 100644
--- a/net/tipc/name_distr.c
+++ b/net/tipc/name_distr.c
@@ -229,8 +229,7 @@ static void node_is_down(struct publication *publ)
                                     publ->node, publ->ref, publ->key);
        assert(p == publ);
        write_unlock_bh(&tipc_nametbl_lock);
-        if (publ)
+        kfree(publ);
-                kfree(publ);
 }
 /**
diff --git a/net/wanrouter/af_wanpipe.c b/net/wanrouter/af_wanpipe.c
index 8b9bf4a763b5..b1265187b4a8 100644
--- a/net/wanrouter/af_wanpipe.c
+++ b/net/wanrouter/af_wanpipe.c
@@ -55,12 +55,10 @@
 #include <asm/uaccess.h>
 #include <linux/module.h>
 #include <linux/init.h>
-#include <linux/wanpipe.h>
 #include <linux/if_wanpipe.h>
 #include <linux/pkt_sched.h>
 #include <linux/tcp_states.h>
 #include <linux/if_wanpipe_common.h>
-#include <linux/sdla_x25.h>
 #ifdef CONFIG_INET
 #include <net/inet_common.h>
diff --git a/net/x25/x25_timer.c b/net/x25/x25_timer.c
index 0a92e1da3922..71ff3088f6fe 100644
--- a/net/x25/x25_timer.c
+++ b/net/x25/x25_timer.c
@@ -114,8 +114,9 @@ static void x25_heartbeat_expiry(unsigned long param)
                        if (sock_flag(sk, SOCK_DESTROY) ||
                            (sk->sk_state == TCP_LISTEN &&
                             sock_flag(sk, SOCK_DEAD))) {
+                                bh_unlock_sock(sk);
                                x25_destroy_socket(sk);
-                                goto unlock;
+                                return;
                        }
                        break;
@@ -128,7 +129,6 @@ static void x25_heartbeat_expiry(unsigned long param)
        }
 restart_heartbeat:
        x25_start_heartbeat(sk);
-unlock:
        bh_unlock_sock(sk);
 }
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index b54971059f16..891a6090cc09 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -62,7 +62,7 @@ int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, u32 *spi, u32 *seq)
        case IPPROTO_COMP:
                if (!pskb_may_pull(skb, sizeof(struct ip_comp_hdr)))
                        return -EINVAL;
-                *spi = ntohl(ntohs(*(u16*)(skb->h.raw + 2)));
+                *spi = htonl(ntohs(*(u16*)(skb->h.raw + 2)));
                *seq = 0;
                return 0;
        default:
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index c3725fe2a8fb..b469c8b54613 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -57,12 +57,12 @@ int xfrm_register_type(struct xfrm_type *type, unsigned short family)
                return -EAFNOSUPPORT;
        typemap = afinfo->type_map;
-        write_lock(&typemap->lock);
+        write_lock_bh(&typemap->lock);
        if (likely(typemap->map[type->proto] == NULL))
                typemap->map[type->proto] = type;
        else
                err = -EEXIST;
-        write_unlock(&typemap->lock);
+        write_unlock_bh(&typemap->lock);
        xfrm_policy_put_afinfo(afinfo);
        return err;
 }
@@ -78,12 +78,12 @@ int xfrm_unregister_type(struct xfrm_type *type, unsigned short family)
                return -EAFNOSUPPORT;
        typemap = afinfo->type_map;
-        write_lock(&typemap->lock);
+        write_lock_bh(&typemap->lock);
        if (unlikely(typemap->map[type->proto] != type))
                err = -ENOENT;
        else
                typemap->map[type->proto] = NULL;
-        write_unlock(&typemap->lock);
+        write_unlock_bh(&typemap->lock);
        xfrm_policy_put_afinfo(afinfo);
        return err;
 }
@@ -1251,7 +1251,7 @@ int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo)
                return -EINVAL;
        if (unlikely(afinfo->family >= NPROTO))
                return -EAFNOSUPPORT;
-        write_lock(&xfrm_policy_afinfo_lock);
+        write_lock_bh(&xfrm_policy_afinfo_lock);
        if (unlikely(xfrm_policy_afinfo[afinfo->family] != NULL))
                err = -ENOBUFS;
        else {
@@ -1268,7 +1268,7 @@ int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo)
                        afinfo->garbage_collect = __xfrm_garbage_collect;
                xfrm_policy_afinfo[afinfo->family] = afinfo;
        }
-        write_unlock(&xfrm_policy_afinfo_lock);
+        write_unlock_bh(&xfrm_policy_afinfo_lock);
        return err;
 }
 EXPORT_SYMBOL(xfrm_policy_register_afinfo);
@@ -1280,7 +1280,7 @@ int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo)
                return -EINVAL;
        if (unlikely(afinfo->family >= NPROTO))
                return -EAFNOSUPPORT;
-        write_lock(&xfrm_policy_afinfo_lock);
+        write_lock_bh(&xfrm_policy_afinfo_lock);
        if (likely(xfrm_policy_afinfo[afinfo->family] != NULL)) {
                if (unlikely(xfrm_policy_afinfo[afinfo->family] != afinfo))
                        err = -EINVAL;
@@ -1294,7 +1294,7 @@ int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo)
                        afinfo->garbage_collect = NULL;
                }
        }
-        write_unlock(&xfrm_policy_afinfo_lock);
+        write_unlock_bh(&xfrm_policy_afinfo_lock);
        return err;
 }
 EXPORT_SYMBOL(xfrm_policy_unregister_afinfo);
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index a8e14dc1b04e..93a2f36ad3db 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -805,16 +805,22 @@ void xfrm_replay_notify(struct xfrm_state *x, int event)
        case XFRM_REPLAY_UPDATE:
                if (x->replay_maxdiff &&
                    (x->replay.seq - x->preplay.seq < x->replay_maxdiff) &&
-                    (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff))
+                    (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) {
-                        return;
+                        if (x->xflags & XFRM_TIME_DEFER)
+                                event = XFRM_REPLAY_TIMEOUT;
+                        else
+                                return;
+                }
                break;
        case XFRM_REPLAY_TIMEOUT:
                if ((x->replay.seq == x->preplay.seq) &&
                    (x->replay.bitmap == x->preplay.bitmap) &&
-                    (x->replay.oseq == x->preplay.oseq))
+                    (x->replay.oseq == x->preplay.oseq)) {
+                        x->xflags |= XFRM_TIME_DEFER;
                        return;
+                }
                break;
        }
@@ -825,8 +831,10 @@ void xfrm_replay_notify(struct xfrm_state *x, int event)
        km_state_notify(x, &c);
        if (x->replay_maxage &&
-            !mod_timer(&x->rtimer, jiffies + x->replay_maxage))
+            !mod_timer(&x->rtimer, jiffies + x->replay_maxage)) {
                xfrm_state_hold(x);
+                x->xflags &= ~XFRM_TIME_DEFER;
+        }
 }
 EXPORT_SYMBOL(xfrm_replay_notify);
@@ -836,10 +844,15 @@ static void xfrm_replay_timer_handler(unsigned long data)
        spin_lock(&x->lock);
-        if (xfrm_aevent_is_on() && x->km.state == XFRM_STATE_VALID)
+        if (x->km.state == XFRM_STATE_VALID) {
-                xfrm_replay_notify(x, XFRM_REPLAY_TIMEOUT);
+                if (xfrm_aevent_is_on())
+                        xfrm_replay_notify(x, XFRM_REPLAY_TIMEOUT);
+                else
+                        x->xflags |= XFRM_TIME_DEFER;
+        }
        spin_unlock(&x->lock);
+        xfrm_state_put(x);
 }
 int xfrm_replay_check(struct xfrm_state *x, u32 seq)
@@ -1048,7 +1061,7 @@ int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo)
                return -EINVAL;
        if (unlikely(afinfo->family >= NPROTO))
                return -EAFNOSUPPORT;
-        write_lock(&xfrm_state_afinfo_lock);
+        write_lock_bh(&xfrm_state_afinfo_lock);
        if (unlikely(xfrm_state_afinfo[afinfo->family] != NULL))
                err = -ENOBUFS;
        else {
@@ -1056,7 +1069,7 @@ int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo)
                afinfo->state_byspi = xfrm_state_byspi;
                xfrm_state_afinfo[afinfo->family] = afinfo;
        }
-        write_unlock(&xfrm_state_afinfo_lock);
+        write_unlock_bh(&xfrm_state_afinfo_lock);
        return err;
 }
 EXPORT_SYMBOL(xfrm_state_register_afinfo);
@@ -1068,7 +1081,7 @@ int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo)
                return -EINVAL;
        if (unlikely(afinfo->family >= NPROTO))
                return -EAFNOSUPPORT;
-        write_lock(&xfrm_state_afinfo_lock);
+        write_lock_bh(&xfrm_state_afinfo_lock);
        if (likely(xfrm_state_afinfo[afinfo->family] != NULL)) {
                if (unlikely(xfrm_state_afinfo[afinfo->family] != afinfo))
                        err = -EINVAL;
@@ -1078,7 +1091,7 @@ int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo)
                        afinfo->state_bydst = NULL;
                }
        }
-        write_unlock(&xfrm_state_afinfo_lock);
+        write_unlock_bh(&xfrm_state_afinfo_lock);
        return err;
 }
 EXPORT_SYMBOL(xfrm_state_unregister_afinfo);