74 files changed, 456 insertions, 328 deletions
diff --git a/net/Kconfig b/net/Kconfig
index a81aca43932f..67e39ad8b8b6 100644
--- a/net/Kconfig
+++ b/net/Kconfig
@@ -63,6 +63,7 @@ config INET
 if INET
 source "net/ipv4/Kconfig"
 source "net/ipv6/Kconfig"
+source "net/netlabel/Kconfig"
 endif # if INET
@@ -249,8 +250,6 @@ source "net/ieee80211/Kconfig"
 config WIRELESS_EXT
        bool
-source "net/netlabel/Kconfig"
 config FIB_RULES
        bool
diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
index 708e2e0371af..485e35c3b28b 100644
--- a/net/appletalk/ddp.c
+++ b/net/appletalk/ddp.c
@@ -1584,7 +1584,6 @@ static int atalk_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr
        if (usat->sat_addr.s_net || usat->sat_addr.s_node == ATADDR_ANYNODE) {
                rt = atrtr_find(&usat->sat_addr);
-                dev = rt->dev;
        } else {
                struct atalk_addr at_hint;
@@ -1592,7 +1591,6 @@ static int atalk_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr
                at_hint.s_net  = at->src_net;
                rt = atrtr_find(&at_hint);
-                dev = rt->dev;
        }
        if (!rt)
                return -ENETUNREACH;
diff --git a/net/atm/atm_sysfs.c b/net/atm/atm_sysfs.c
index c0a4ae28fcfa..62f6ed1f2f98 100644
--- a/net/atm/atm_sysfs.c
+++ b/net/atm/atm_sysfs.c
@@ -141,7 +141,7 @@ static struct class atm_class = {
 int atm_register_sysfs(struct atm_dev *adev)
 {
        struct class_device *cdev = &adev->class_dev;
-        int i, err;
+        int i, j, err;
        cdev->class = &atm_class;
        class_set_devdata(cdev, adev);
@@ -151,10 +151,19 @@ int atm_register_sysfs(struct atm_dev *adev)
        if (err < 0)
                return err;
-        for (i = 0; atm_attrs[i]; i++)
+        for (i = 0; atm_attrs[i]; i++) {
-                class_device_create_file(cdev, atm_attrs[i]);
+                err = class_device_create_file(cdev, atm_attrs[i]);
+                if (err)
+                        goto err_out;
+        }
        return 0;
+err_out:
+        for (j = 0; j < i; j++)
+                class_device_remove_file(cdev, atm_attrs[j]);
+        class_device_del(cdev);
+        return err;
 }
 void atm_unregister_sysfs(struct atm_dev *adev)
diff --git a/net/bridge/br_sysfs_br.c b/net/bridge/br_sysfs_br.c
index 96bcb2ff59ab..de9d1a9473f2 100644
--- a/net/bridge/br_sysfs_br.c
+++ b/net/bridge/br_sysfs_br.c
@@ -376,7 +376,7 @@ int br_sysfs_addbr(struct net_device *dev)
        err = sysfs_create_bin_file(brobj, &bridge_forward);
        if (err) {
-                pr_info("%s: can't create attribue file %s/%s\n",
+                pr_info("%s: can't create attribute file %s/%s\n",
                        __FUNCTION__, dev->name, bridge_forward.attr.name);
                goto out2;
        }
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 3df55b2bd91d..9f85666f29f7 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -86,7 +86,7 @@ static inline int ebt_do_match (struct ebt_entry_match *m,
 static inline int ebt_dev_check(char *entry, const struct net_device *device)
 {
        int i = 0;
-        char *devname = device->name;
+        const char *devname = device->name;
        if (*entry == '\0')
                return 0;
diff --git a/net/core/netpoll.c b/net/core/netpoll.c
index 9308af060b44..6589adb14cbf 100644
--- a/net/core/netpoll.c
+++ b/net/core/netpoll.c
@@ -340,6 +340,12 @@ void netpoll_send_udp(struct netpoll *np, const char *msg, int len)
        udph->dest = htons(np->remote_port);
        udph->len = htons(udp_len);
        udph->check = 0;
+        udph->check = csum_tcpudp_magic(htonl(np->local_ip),
+                                        htonl(np->remote_ip),
+                                        udp_len, IPPROTO_UDP,
+                                        csum_partial((unsigned char *)udph, udp_len, 0));
+        if (udph->check == 0)
+                udph->check = -1;
        skb->nh.iph = iph = (struct iphdr *)skb_push(skb, sizeof(*iph));
diff --git a/net/core/pktgen.c b/net/core/pktgen.c
index dd023fd28304..733d86d0a4fb 100644
--- a/net/core/pktgen.c
+++ b/net/core/pktgen.c
@@ -2304,6 +2304,12 @@ static void mpls_push(__be32 *mpls, struct pktgen_dev *pkt_dev)
        *mpls |= MPLS_STACK_BOTTOM;
 }
+static inline __be16 build_tci(unsigned int id, unsigned int cfi,
+                               unsigned int prio)
+{
+        return htons(id | (cfi << 12) | (prio << 13));
+}
 static struct sk_buff *fill_packet_ipv4(struct net_device *odev,
                                        struct pktgen_dev *pkt_dev)
 {
@@ -2353,16 +2359,16 @@ static struct sk_buff *fill_packet_ipv4(struct net_device *odev,
        if (pkt_dev->vlan_id != 0xffff) {
                if(pkt_dev->svlan_id != 0xffff) {
                        svlan_tci = (__be16 *)skb_put(skb, sizeof(__be16));
-                        *svlan_tci = htons(pkt_dev->svlan_id);
+                        *svlan_tci = build_tci(pkt_dev->svlan_id,
-                        *svlan_tci |= pkt_dev->svlan_p << 5;
+                                               pkt_dev->svlan_cfi,
-                        *svlan_tci |= pkt_dev->svlan_cfi << 4;
+                                               pkt_dev->svlan_p);
                        svlan_encapsulated_proto = (__be16 *)skb_put(skb, sizeof(__be16));
                        *svlan_encapsulated_proto = __constant_htons(ETH_P_8021Q);
                }
                vlan_tci = (__be16 *)skb_put(skb, sizeof(__be16));
-                *vlan_tci = htons(pkt_dev->vlan_id);
+                *vlan_tci = build_tci(pkt_dev->vlan_id,
-                *vlan_tci |= pkt_dev->vlan_p << 5;
+                                      pkt_dev->vlan_cfi,
-                *vlan_tci |= pkt_dev->vlan_cfi << 4;
+                                      pkt_dev->vlan_p);
                vlan_encapsulated_proto = (__be16 *)skb_put(skb, sizeof(__be16));
                *vlan_encapsulated_proto = __constant_htons(ETH_P_IP);
        }
@@ -2689,16 +2695,16 @@ static struct sk_buff *fill_packet_ipv6(struct net_device *odev,
        if (pkt_dev->vlan_id != 0xffff) {
                if(pkt_dev->svlan_id != 0xffff) {
                        svlan_tci = (__be16 *)skb_put(skb, sizeof(__be16));
-                        *svlan_tci = htons(pkt_dev->svlan_id);
+                        *svlan_tci = build_tci(pkt_dev->svlan_id,
-                        *svlan_tci |= pkt_dev->svlan_p << 5;
+                                               pkt_dev->svlan_cfi,
-                        *svlan_tci |= pkt_dev->svlan_cfi << 4;
+                                               pkt_dev->svlan_p);
                        svlan_encapsulated_proto = (__be16 *)skb_put(skb, sizeof(__be16));
                        *svlan_encapsulated_proto = __constant_htons(ETH_P_8021Q);
                }
                vlan_tci = (__be16 *)skb_put(skb, sizeof(__be16));
-                *vlan_tci = htons(pkt_dev->vlan_id);
+                *vlan_tci = build_tci(pkt_dev->vlan_id,
-                *vlan_tci |= pkt_dev->vlan_p << 5;
+                                      pkt_dev->vlan_cfi,
-                *vlan_tci |= pkt_dev->vlan_cfi << 4;
+                                      pkt_dev->vlan_p);
                vlan_encapsulated_proto = (__be16 *)skb_put(skb, sizeof(__be16));
                *vlan_encapsulated_proto = __constant_htons(ETH_P_IPV6);
        }
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 3c23760c5827..b8b106358040 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -639,6 +639,7 @@ struct sk_buff *pskb_copy(struct sk_buff *skb, gfp_t gfp_mask)
        n->csum      = skb->csum;
        n->ip_summed = skb->ip_summed;
+        n->truesize += skb->data_len;
        n->data_len  = skb->data_len;
        n->len       = skb->len;
@@ -1946,7 +1947,7 @@ struct sk_buff *skb_segment(struct sk_buff *skb, int features)
        do {
                struct sk_buff *nskb;
                skb_frag_t *frag;
-                int hsize, nsize;
+                int hsize;
                int k;
                int size;
@@ -1957,11 +1958,10 @@ struct sk_buff *skb_segment(struct sk_buff *skb, int features)
                hsize = skb_headlen(skb) - offset;
                if (hsize < 0)
                        hsize = 0;
-                nsize = hsize + doffset;
+                if (hsize > len || !sg)
-                if (nsize > len + doffset || !sg)
+                        hsize = len;
-                        nsize = len + doffset;
-                nskb = alloc_skb(nsize + headroom, GFP_ATOMIC);
+                nskb = alloc_skb(hsize + doffset + headroom, GFP_ATOMIC);
                if (unlikely(!nskb))
                        goto err;
diff --git a/net/core/sock.c b/net/core/sock.c
index d472db4776c3..ee6cd2541d35 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1160,7 +1160,7 @@ static struct sk_buff *sock_alloc_send_pskb(struct sock *sk,
                        goto failure;
                if (atomic_read(&sk->sk_wmem_alloc) < sk->sk_sndbuf) {
-                        skb = alloc_skb(header_len, sk->sk_allocation);
+                        skb = alloc_skb(header_len, gfp_mask);
                        if (skb) {
                                int npages;
                                int i;
diff --git a/net/dccp/Kconfig b/net/dccp/Kconfig
index e2a095d0fd80..ef8919cca74b 100644
--- a/net/dccp/Kconfig
+++ b/net/dccp/Kconfig
@@ -4,15 +4,15 @@ menu "DCCP Configuration (EXPERIMENTAL)"
 config IP_DCCP
        tristate "The DCCP Protocol (EXPERIMENTAL)"
        ---help---
-          Datagram Congestion Control Protocol
+          Datagram Congestion Control Protocol (RFC 4340)
-          From draft-ietf-dccp-spec-11 <http://www.icir.org/kohler/dcp/draft-ietf-dccp-spec-11.txt>.
+          From http://www.ietf.org/rfc/rfc4340.txt:
          The Datagram Congestion Control Protocol (DCCP) is a transport
          protocol that implements bidirectional, unicast connections of
          congestion-controlled, unreliable datagrams. It should be suitable
          for use by applications such as streaming media, Internet telephony,
-          and on-line games
+          and on-line games.
          To compile this protocol support as a module, choose M here: the
          module will be called dccp.
diff --git a/net/dccp/ackvec.c b/net/dccp/ackvec.c
index 4d176d33983f..f8208874ac7d 100644
--- a/net/dccp/ackvec.c
+++ b/net/dccp/ackvec.c
@@ -113,7 +113,7 @@ int dccp_insert_option_ackvec(struct sock *sk, struct sk_buff *skb)
        memcpy(to, from, len);
        /*
-         *      From draft-ietf-dccp-spec-11.txt:
+         *      From RFC 4340, A.2:
         *
         *      For each acknowledgement it sends, the HC-Receiver will add an
         *      acknowledgement record.  ack_seqno will equal the HC-Receiver
@@ -224,7 +224,7 @@ static inline int dccp_ackvec_set_buf_head_state(struct dccp_ackvec *av,
 }
 /*
- * Implements the draft-ietf-dccp-spec-11.txt Appendix A
+ * Implements the RFC 4340, Appendix A
 */
 int dccp_ackvec_add(struct dccp_ackvec *av, const struct sock *sk,
                    const u64 ackno, const u8 state)
@@ -237,7 +237,7 @@ int dccp_ackvec_add(struct dccp_ackvec *av, const struct sock *sk,
         * We may well decide to do buffer compression, etc, but for now lets
         * just drop.
         *
-         * From Appendix A:
+         * From Appendix A.1.1 (`New Packets'):
         *
         *      Of course, the circular buffer may overflow, either when the
         *      HC-Sender is sending data at a very high rate, when the
@@ -274,9 +274,9 @@ int dccp_ackvec_add(struct dccp_ackvec *av, const struct sock *sk,
                /*
                 * A.1.2.  Old Packets
                 *
-                 *      When a packet with Sequence Number S arrives, and
+                 *      When a packet with Sequence Number S <= buf_ackno
-                 *      S <= buf_ackno, the HC-Receiver will scan the table
+                 *      arrives, the HC-Receiver will scan the table for
-                 *      for the byte corresponding to S. (Indexing structures
+                 *      the byte corresponding to S. (Indexing structures
                 *      could reduce the complexity of this scan.)
                 */
                u64 delta = dccp_delta_seqno(ackno, av->dccpav_buf_ackno);
diff --git a/net/dccp/ackvec.h b/net/dccp/ackvec.h
index 2424effac7f6..cf8f20ce23a9 100644
--- a/net/dccp/ackvec.h
+++ b/net/dccp/ackvec.h
@@ -28,8 +28,7 @@
 /** struct dccp_ackvec - ack vector
 *
- * This data structure is the one defined in the DCCP draft
+ * This data structure is the one defined in RFC 4340, Appendix A.
- * Appendix A.
 *
 * @dccpav_buf_head - circular buffer head
 * @dccpav_buf_tail - circular buffer tail
diff --git a/net/dccp/ccids/Kconfig b/net/dccp/ccids/Kconfig
index 32752f750447..8533dabfb9f8 100644
--- a/net/dccp/ccids/Kconfig
+++ b/net/dccp/ccids/Kconfig
@@ -22,11 +22,11 @@ config IP_DCCP_CCID2
          for lost packets, would prefer CCID 2 to CCID 3.  On-line games may
          also prefer CCID 2.
-          CCID 2 is further described in:
+          CCID 2 is further described in RFC 4341,
-          http://www.icir.org/kohler/dccp/draft-ietf-dccp-ccid2-10.txt
+          http://www.ietf.org/rfc/rfc4341.txt
-          This text was extracted from:
+          This text was extracted from RFC 4340 (sec. 10.1),
-          http://www.icir.org/kohler/dccp/draft-ietf-dccp-spec-13.txt
+          http://www.ietf.org/rfc/rfc4340.txt
          If in doubt, say M.
@@ -53,15 +53,14 @@ config IP_DCCP_CCID3
          suitable than CCID 2 for applications such streaming media where a
          relatively smooth sending rate is of importance.
-          CCID 3 is further described in:
+          CCID 3 is further described in RFC 4342,
+          http://www.ietf.org/rfc/rfc4342.txt
-          http://www.icir.org/kohler/dccp/draft-ietf-dccp-ccid3-11.txt.
          The TFRC congestion control algorithms were initially described in
          RFC 3448.
-          This text was extracted from:
+          This text was extracted from RFC 4340 (sec. 10.2),
-          http://www.icir.org/kohler/dccp/draft-ietf-dccp-spec-13.txt
+          http://www.ietf.org/rfc/rfc4340.txt
          
          If in doubt, say M.
diff --git a/net/dccp/ccids/ccid2.c b/net/dccp/ccids/ccid2.c
index 2efb505aeb35..162032baeac0 100644
--- a/net/dccp/ccids/ccid2.c
+++ b/net/dccp/ccids/ccid2.c
@@ -23,7 +23,7 @@
 */
 /*
- * This implementation should follow: draft-ietf-dccp-ccid2-10.txt
+ * This implementation should follow RFC 4341
 *
 * BUGS:
 * - sequence number wrapping
@@ -352,14 +352,14 @@ static void ccid2_hc_tx_packet_sent(struct sock *sk, int more, int len)
 #ifdef CONFIG_IP_DCCP_CCID2_DEBUG
        ccid2_pr_debug("pipe=%d\n", hctx->ccid2hctx_pipe);
-        ccid2_pr_debug("Sent: seq=%llu\n", seq);
+        ccid2_pr_debug("Sent: seq=%llu\n", (unsigned long long)seq);
        do {
                struct ccid2_seq *seqp = hctx->ccid2hctx_seqt;
                while (seqp != hctx->ccid2hctx_seqh) {
                        ccid2_pr_debug("out seq=%llu acked=%d time=%lu\n",
-                                       seqp->ccid2s_seq, seqp->ccid2s_acked,
+                                       (unsigned long long)seqp->ccid2s_seq,
-                                       seqp->ccid2s_sent);
+                                       seqp->ccid2s_acked, seqp->ccid2s_sent);
                        seqp = seqp->ccid2s_next;
                }
        } while (0);
@@ -480,7 +480,8 @@ static inline void ccid2_new_ack(struct sock *sk,
                /* first measurement */
                if (hctx->ccid2hctx_srtt == -1) {
                        ccid2_pr_debug("R: %lu Time=%lu seq=%llu\n",
-                                       r, jiffies, seqp->ccid2s_seq);
+                                       r, jiffies,
+                                       (unsigned long long)seqp->ccid2s_seq);
                        ccid2_change_srtt(hctx, r);
                        hctx->ccid2hctx_rttvar = r >> 1;
                } else {
@@ -636,8 +637,9 @@ static void ccid2_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
                        u64 ackno_end_rl;
                        dccp_set_seqno(&ackno_end_rl, ackno - rl);
-                        ccid2_pr_debug("ackvec start:%llu end:%llu\n", ackno,
+                        ccid2_pr_debug("ackvec start:%llu end:%llu\n",
-                                       ackno_end_rl);
+                                       (unsigned long long)ackno,
+                                       (unsigned long long)ackno_end_rl);
                        /* if the seqno we are analyzing is larger than the
                         * current ackno, then move towards the tail of our
                         * seqnos.
@@ -672,7 +674,7 @@ static void ccid2_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
                                        seqp->ccid2s_acked = 1;
                                        ccid2_pr_debug("Got ack for %llu\n",
-                                                       seqp->ccid2s_seq);
+                                                       (unsigned long long)seqp->ccid2s_seq);
                                        ccid2_hc_tx_dec_pipe(sk);
                                }
                                if (seqp == hctx->ccid2hctx_seqt) {
@@ -718,7 +720,7 @@ static void ccid2_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
                while (1) {
                        if (!seqp->ccid2s_acked) {
                                ccid2_pr_debug("Packet lost: %llu\n",
-                                               seqp->ccid2s_seq);
+                                               (unsigned long long)seqp->ccid2s_seq);
                                /* XXX need to traverse from tail -> head in
                                 * order to detect multiple congestion events in
                                 * one ack vector.
diff --git a/net/dccp/ccids/ccid3.c b/net/dccp/ccids/ccid3.c
index 67d2dc0e7c67..cec23ad286de 100644
--- a/net/dccp/ccids/ccid3.c
+++ b/net/dccp/ccids/ccid3.c
@@ -379,8 +379,7 @@ static void ccid3_hc_tx_packet_sent(struct sock *sk, int more, int len)
                packet->dccphtx_seqno  = dp->dccps_gss;
                /*
                 * Check if win_count have changed
-                 * Algorithm in "8.1. Window Counter Valuer" in
+                 * Algorithm in "8.1. Window Counter Value" in RFC 4342.
-                 * draft-ietf-dccp-ccid3-11.txt
                 */
                quarter_rtt = timeval_delta(&now, &hctx->ccid3hctx_t_last_win_count);
                if (likely(hctx->ccid3hctx_rtt > 8))
diff --git a/net/dccp/dccp.h b/net/dccp/dccp.h
index 0a21be437ed3..272e8584564e 100644
--- a/net/dccp/dccp.h
+++ b/net/dccp/dccp.h
@@ -50,7 +50,7 @@ extern void dccp_time_wait(struct sock *sk, int state, int timeo);
 #define DCCP_TIMEWAIT_LEN (60 * HZ) /* how long to wait to destroy TIME-WAIT
                                     * state, about 60 seconds */
-/* draft-ietf-dccp-spec-11.txt initial RTO value */
+/* RFC 1122, 4.2.3.1 initial RTO value */
 #define DCCP_TIMEOUT_INIT ((unsigned)(3 * HZ))
 /* Maximal interval between probes for local resources.  */
diff --git a/net/dccp/input.c b/net/dccp/input.c
index 7f9dc6ac58c9..1d24881ac0ab 100644
--- a/net/dccp/input.c
+++ b/net/dccp/input.c
@@ -216,11 +216,11 @@ send_sync:
                dccp_send_sync(sk, DCCP_SKB_CB(skb)->dccpd_seq,
                               DCCP_PKT_SYNCACK);
                /*
-                 * From the draft:
+                 * From RFC 4340, sec. 5.7
                 *
                 * As with DCCP-Ack packets, DCCP-Sync and DCCP-SyncAck packets
                 * MAY have non-zero-length application data areas, whose
-                 * contents * receivers MUST ignore.
+                 * contents receivers MUST ignore.
                 */
                goto discard;
        }
diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
index 7e746c4c1688..e08e7688a263 100644
--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -183,7 +183,7 @@ static inline void dccp_do_pmtu_discovery(struct sock *sk,
                dccp_sync_mss(sk, mtu);
                /*
-                 * From: draft-ietf-dccp-spec-11.txt
+                 * From RFC 4340, sec. 14.1:
                 *
                 *      DCCP-Sync packets are the best choice for upward
                 *      probing, since DCCP-Sync probes do not risk application
@@ -449,6 +449,8 @@ static inline u64 dccp_v4_init_sequence(const struct sock *sk,
                                           dccp_hdr(skb)->dccph_sport);
 }
+static struct request_sock_ops dccp_request_sock_ops;
 int dccp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
 {
        struct inet_request_sock *ireq;
@@ -489,7 +491,7 @@ int dccp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
        if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1)
                goto drop;
-        req = reqsk_alloc(sk->sk_prot->rsk_prot);
+        req = reqsk_alloc(&dccp_request_sock_ops);
        if (req == NULL)
                goto drop;
@@ -731,7 +733,7 @@ static void dccp_v4_ctl_send_reset(struct sk_buff *rxskb)
        dccp_hdr_reset(skb)->dccph_reset_code =
                                DCCP_SKB_CB(rxskb)->dccpd_reset_code;
-        /* See "8.3.1. Abnormal Termination" in draft-ietf-dccp-spec-11 */
+        /* See "8.3.1. Abnormal Termination" in RFC 4340 */
        seqno = 0;
        if (DCCP_SKB_CB(rxskb)->dccpd_ack_seq != DCCP_PKT_WITHOUT_ACK_SEQ)
                dccp_set_seqno(&seqno, DCCP_SKB_CB(rxskb)->dccpd_ack_seq + 1);
diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index 7171a78671aa..eb0ff7ab05ed 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -550,7 +550,7 @@ static void dccp_v6_ctl_send_reset(struct sk_buff *rxskb)
        dccp_hdr_reset(skb)->dccph_reset_code =
                                DCCP_SKB_CB(rxskb)->dccpd_reset_code;
-        /* See "8.3.1. Abnormal Termination" in draft-ietf-dccp-spec-11 */
+        /* See "8.3.1. Abnormal Termination" in RFC 4340 */
        seqno = 0;
        if (DCCP_SKB_CB(rxskb)->dccpd_ack_seq != DCCP_PKT_WITHOUT_ACK_SEQ)
                dccp_set_seqno(&seqno, DCCP_SKB_CB(rxskb)->dccpd_ack_seq + 1);
@@ -672,7 +672,6 @@ static struct sock *dccp_v6_hnd_req(struct sock *sk,struct sk_buff *skb)
 static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
 {
-        struct inet_request_sock *ireq;
        struct dccp_sock dp;
        struct request_sock *req;
        struct dccp_request_sock *dreq;
@@ -701,7 +700,7 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
        if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1)
                goto drop;
-        req = inet6_reqsk_alloc(sk->sk_prot->rsk_prot);
+        req = inet6_reqsk_alloc(&dccp6_request_sock_ops);
        if (req == NULL)
                goto drop;
@@ -713,7 +712,6 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
                goto drop_and_free;
        ireq6 = inet6_rsk(req);
-        ireq = inet_rsk(req);
        ipv6_addr_copy(&ireq6->rmt_addr, &skb->nh.ipv6h->saddr);
        ipv6_addr_copy(&ireq6->loc_addr, &skb->nh.ipv6h->daddr);
        req->rcv_wnd    = dccp_feat_default_sequence_window;
@@ -997,6 +995,10 @@ static int dccp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
        if (sk->sk_state == DCCP_OPEN) { /* Fast path */
                if (dccp_rcv_established(sk, skb, dccp_hdr(skb), skb->len))
                        goto reset;
+                if (opt_skb) {
+                        /* This is where we would goto ipv6_pktoptions. */
+                        __kfree_skb(opt_skb);
+                }
                return 0;
        }
@@ -1021,6 +1023,10 @@ static int dccp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
        if (dccp_rcv_state_process(sk, skb, dccp_hdr(skb), skb->len))
                goto reset;
+        if (opt_skb) {
+                /* This is where we would goto ipv6_pktoptions. */
+                __kfree_skb(opt_skb);
+        }
        return 0;
 reset:
diff --git a/net/dccp/options.c b/net/dccp/options.c
index 07a34696ac97..fb0db1f7cd7b 100644
--- a/net/dccp/options.c
+++ b/net/dccp/options.c
@@ -215,7 +215,7 @@ int dccp_parse_options(struct sock *sk, struct sk_buff *skb)
                                      elapsed_time);
                        break;
                        /*
-                         * From draft-ietf-dccp-spec-11.txt:
+                         * From RFC 4340, sec. 10.3:
                         *
                         *      Option numbers 128 through 191 are for
                         *      options sent from the HC-Sender to the
diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
index 3456cd331835..21f20f21dd32 100644
--- a/net/decnet/af_decnet.c
+++ b/net/decnet/af_decnet.c
@@ -166,7 +166,7 @@ static struct hlist_head *dn_find_list(struct sock *sk)
        if (scp->addr.sdn_flags & SDF_WILD)
                return hlist_empty(&dn_wild_sk) ? &dn_wild_sk : NULL;
-        return &dn_sk_hash[scp->addrloc & DN_SK_HASH_MASK];
+        return &dn_sk_hash[dn_ntohs(scp->addrloc) & DN_SK_HASH_MASK];
 }
 /* 
@@ -180,7 +180,7 @@ static int check_port(__le16 port)
        if (port == 0)
                return -1;
-        sk_for_each(sk, node, &dn_sk_hash[port & DN_SK_HASH_MASK]) {
+        sk_for_each(sk, node, &dn_sk_hash[dn_ntohs(port) & DN_SK_HASH_MASK]) {
                struct dn_scp *scp = DN_SK(sk);
                if (scp->addrloc == port)
                        return -1;
@@ -194,12 +194,12 @@ static unsigned short port_alloc(struct sock *sk)
 static unsigned short port = 0x2000;
        unsigned short i_port = port;
-        while(check_port(++port) != 0) {
+        while(check_port(dn_htons(++port)) != 0) {
                if (port == i_port)
                        return 0;
        }
-        scp->addrloc = port;
+        scp->addrloc = dn_htons(port);
        return 1;
 }
@@ -418,7 +418,7 @@ struct sock *dn_find_by_skb(struct sk_buff *skb)
        struct dn_scp *scp;
        read_lock(&dn_hash_lock);
-        sk_for_each(sk, node, &dn_sk_hash[cb->dst_port & DN_SK_HASH_MASK]) {
+        sk_for_each(sk, node, &dn_sk_hash[dn_ntohs(cb->dst_port) & DN_SK_HASH_MASK]) {
                scp = DN_SK(sk);
                if (cb->src != dn_saddr2dn(&scp->peer))
                        continue;
@@ -1016,13 +1016,14 @@ static void dn_access_copy(struct sk_buff *skb, struct accessdata_dn *acc)
 static void dn_user_copy(struct sk_buff *skb, struct optdata_dn *opt)
 {
-        unsigned char *ptr = skb->data;
+        unsigned char *ptr = skb->data;
-        
+        u16 len = *ptr++; /* yes, it's 8bit on the wire */
-        opt->opt_optl   = *ptr++;
-        opt->opt_status = 0;
+        BUG_ON(len > 16); /* we've checked the contents earlier */
-        memcpy(opt->opt_data, ptr, opt->opt_optl);
+        opt->opt_optl   = dn_htons(len);
-        skb_pull(skb, dn_ntohs(opt->opt_optl) + 1);
+        opt->opt_status = 0;
+        memcpy(opt->opt_data, ptr, len);
+        skb_pull(skb, len + 1);
 }
 static struct sk_buff *dn_wait_for_connect(struct sock *sk, long *timeo)
diff --git a/net/decnet/dn_nsp_in.c b/net/decnet/dn_nsp_in.c
index 72ecc6e62ec4..7683d4f754d2 100644
--- a/net/decnet/dn_nsp_in.c
+++ b/net/decnet/dn_nsp_in.c
@@ -360,9 +360,9 @@ static void dn_nsp_conn_conf(struct sock *sk, struct sk_buff *skb)
                        scp->max_window = decnet_no_fc_max_cwnd;
                if (skb->len > 0) {
-                        unsigned char dlen = *skb->data;
+                        u16 dlen = *skb->data;
                        if ((dlen <= 16) && (dlen <= skb->len)) {
-                                scp->conndata_in.opt_optl = dn_htons((__u16)dlen);
+                                scp->conndata_in.opt_optl = dn_htons(dlen);
                                memcpy(scp->conndata_in.opt_data, skb->data + 1, dlen);
                        }
                }
@@ -404,9 +404,9 @@ static void dn_nsp_disc_init(struct sock *sk, struct sk_buff *skb)
        memset(scp->discdata_in.opt_data, 0, 16);
        if (skb->len > 0) {
-                unsigned char dlen = *skb->data;
+                u16 dlen = *skb->data;
                if ((dlen <= 16) && (dlen <= skb->len)) {
-                        scp->discdata_in.opt_optl = dn_htons((__u16)dlen);
+                        scp->discdata_in.opt_optl = dn_htons(dlen);
                        memcpy(scp->discdata_in.opt_data, skb->data + 1, dlen);
                }
        }
diff --git a/net/decnet/dn_nsp_out.c b/net/decnet/dn_nsp_out.c
index c2e21cd89b3c..b342e4e8f5f8 100644
--- a/net/decnet/dn_nsp_out.c
+++ b/net/decnet/dn_nsp_out.c
@@ -526,7 +526,7 @@ void dn_send_conn_conf(struct sock *sk, gfp_t gfp)
        struct nsp_conn_init_msg *msg;
        __u8 len = (__u8)dn_ntohs(scp->conndata_out.opt_optl);
-        if ((skb = dn_alloc_skb(sk, 50 + dn_ntohs(scp->conndata_out.opt_optl), gfp)) == NULL)
+        if ((skb = dn_alloc_skb(sk, 50 + len, gfp)) == NULL)
                return;
        msg = (struct nsp_conn_init_msg *)skb_put(skb, sizeof(*msg));
diff --git a/net/decnet/dn_rules.c b/net/decnet/dn_rules.c
index 3e0c882c90bf..590e0a72495c 100644
--- a/net/decnet/dn_rules.c
+++ b/net/decnet/dn_rules.c
@@ -124,8 +124,8 @@ static struct nla_policy dn_fib_rule_policy[FRA_MAX+1] __read_mostly = {
 static int dn_fib_rule_match(struct fib_rule *rule, struct flowi *fl, int flags)
 {
        struct dn_fib_rule *r = (struct dn_fib_rule *)rule;
-        u16 daddr = fl->fld_dst;
+        __le16 daddr = fl->fld_dst;
-        u16 saddr = fl->fld_src;
+        __le16 saddr = fl->fld_src;
        if (((saddr ^ r->src) & r->srcmask) ||
            ((daddr ^ r->dst) & r->dstmask))
diff --git a/net/ieee80211/Kconfig b/net/ieee80211/Kconfig
index f7e84e9d13ad..a64be6cdf078 100644
--- a/net/ieee80211/Kconfig
+++ b/net/ieee80211/Kconfig
@@ -32,6 +32,7 @@ config IEEE80211_CRYPT_WEP
        depends on IEEE80211
        select CRYPTO
        select CRYPTO_ARC4
+        select CRYPTO_ECB
        select CRC32
        ---help---
        Include software based cipher suites in support of IEEE
@@ -58,6 +59,7 @@ config IEEE80211_CRYPT_TKIP
        depends on IEEE80211 && NET_RADIO
        select CRYPTO
        select CRYPTO_MICHAEL_MIC
+        select CRYPTO_ECB
        select CRC32
        ---help---
        Include software based cipher suites in support of IEEE 802.11i
diff --git a/net/ieee80211/ieee80211_rx.c b/net/ieee80211/ieee80211_rx.c
index 770704183a1b..2759312a4204 100644
--- a/net/ieee80211/ieee80211_rx.c
+++ b/net/ieee80211/ieee80211_rx.c
@@ -1078,12 +1078,12 @@ static int ieee80211_parse_info_param(struct ieee80211_info_element
        while (length >= sizeof(*info_element)) {
                if (sizeof(*info_element) + info_element->len > length) {
-                        IEEE80211_ERROR("Info elem: parse failed: "
+                        IEEE80211_DEBUG_MGMT("Info elem: parse failed: "
-                                        "info_element->len + 2 > left : "
+                                             "info_element->len + 2 > left : "
-                                        "info_element->len+2=%zd left=%d, id=%d.\n",
+                                             "info_element->len+2=%zd left=%d, id=%d.\n",
-                                        info_element->len +
+                                             info_element->len +
-                                        sizeof(*info_element),
+                                             sizeof(*info_element),
-                                        length, info_element->id);
+                                             length, info_element->id);
                        /* We stop processing but don't return an error here
                         * because some misbehaviour APs break this rule. ie.
                         * Orinoco AP1000. */
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index e2077a3aa8c0..6460233407c7 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -1307,7 +1307,8 @@ int cipso_v4_socket_setattr(const struct socket *sock,
        /* We can't use ip_options_get() directly because it makes a call to
         * ip_options_get_alloc() which allocates memory with GFP_KERNEL and
-         * we can't block here. */
+         * we won't always have CAP_NET_RAW even though we _always_ want to
+         * set the IPOPT_CIPSO option. */
        opt_len = (buf_len + 3) & ~3;
        opt = kzalloc(sizeof(*opt) + opt_len, GFP_ATOMIC);
        if (opt == NULL) {
@@ -1317,11 +1318,9 @@ int cipso_v4_socket_setattr(const struct socket *sock,
        memcpy(opt->__data, buf, buf_len);
        opt->optlen = opt_len;
        opt->is_data = 1;
+        opt->cipso = sizeof(struct iphdr);
        kfree(buf);
        buf = NULL;
-        ret_val = ip_options_compile(opt, NULL);
-        if (ret_val != 0)
-                goto socket_setattr_failure;
        sk_inet = inet_sk(sk);
        if (sk_inet->is_icsk) {
diff --git a/net/ipv4/ip_options.c b/net/ipv4/ip_options.c
index 8dabbfc31267..9f02917d6f45 100644
--- a/net/ipv4/ip_options.c
+++ b/net/ipv4/ip_options.c
@@ -443,7 +443,7 @@ int ip_options_compile(struct ip_options * opt, struct sk_buff * skb)
                                opt->router_alert = optptr - iph;
                        break;
                      case IPOPT_CIPSO:
-                        if (opt->cipso) {
+                        if ((!skb && !capable(CAP_NET_RAW)) || opt->cipso) {
                                pp_ptr = optptr;
                                goto error;
                        }
diff --git a/net/ipv4/ipconfig.c b/net/ipv4/ipconfig.c
index f8ce84759159..955a07abb91d 100644
--- a/net/ipv4/ipconfig.c
+++ b/net/ipv4/ipconfig.c
@@ -420,7 +420,7 @@ ic_rarp_recv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt
 {
        struct arphdr *rarp;
        unsigned char *rarp_ptr;
-        unsigned long sip, tip;
+        u32 sip, tip;
        unsigned char *sha, *tha;               /* s for "source", t for "target" */
        struct ic_device *d;
diff --git a/net/ipv4/ipvs/ip_vs_ftp.c b/net/ipv4/ipvs/ip_vs_ftp.c
index 6d398f10aa91..687c1de1146f 100644
--- a/net/ipv4/ipvs/ip_vs_ftp.c
+++ b/net/ipv4/ipvs/ip_vs_ftp.c
@@ -200,7 +200,7 @@ static int ip_vs_ftp_out(struct ip_vs_app *app, struct ip_vs_conn *cp,
                from = n_cp->vaddr;
                port = n_cp->vport;
                sprintf(buf,"%d,%d,%d,%d,%d,%d", NIPQUAD(from),
-                        ntohs(port)&255, (ntohs(port)>>8)&255);
+                        (ntohs(port)>>8)&255, ntohs(port)&255);
                buf_len = strlen(buf);
                /*
diff --git a/net/ipv4/ipvs/ip_vs_proto_tcp.c b/net/ipv4/ipvs/ip_vs_proto_tcp.c
index bfe779e74590..6ff05c3a32e6 100644
--- a/net/ipv4/ipvs/ip_vs_proto_tcp.c
+++ b/net/ipv4/ipvs/ip_vs_proto_tcp.c
@@ -117,7 +117,7 @@ tcp_fast_csum_update(struct tcphdr *tcph, __be32 oldip, __be32 newip,
 {
        tcph->check =
                ip_vs_check_diff(~oldip, newip,
-                                 ip_vs_check_diff(oldport ^ htonl(0xFFFF),
+                                 ip_vs_check_diff(oldport ^ htons(0xFFFF),
                                                  newport, tcph->check));
 }
diff --git a/net/ipv4/ipvs/ip_vs_proto_udp.c b/net/ipv4/ipvs/ip_vs_proto_udp.c
index 54aa7603591f..691c8b637b29 100644
--- a/net/ipv4/ipvs/ip_vs_proto_udp.c
+++ b/net/ipv4/ipvs/ip_vs_proto_udp.c
@@ -122,10 +122,10 @@ udp_fast_csum_update(struct udphdr *uhdr, __be32 oldip, __be32 newip,
 {
        uhdr->check =
                ip_vs_check_diff(~oldip, newip,
-                                 ip_vs_check_diff(oldport ^ htonl(0xFFFF),
+                                 ip_vs_check_diff(oldport ^ htons(0xFFFF),
                                                  newport, uhdr->check));
        if (!uhdr->check)
-                uhdr->check = htonl(0xFFFF);
+                uhdr->check = -1;
 }
 static int
@@ -173,7 +173,7 @@ udp_snat_handler(struct sk_buff **pskb,
                                                cp->protocol,
                                                (*pskb)->csum);
                if (udph->check == 0)
-                        udph->check = htonl(0xFFFF);
+                        udph->check = -1;
                IP_VS_DBG(11, "O-pkt: %s O-csum=%d (+%zd)\n",
                          pp->name, udph->check,
                          (char*)&(udph->check) - (char*)udph);
@@ -228,7 +228,7 @@ udp_dnat_handler(struct sk_buff **pskb,
                                                cp->protocol,
                                                (*pskb)->csum);
                if (udph->check == 0)
-                        udph->check = 0xFFFF;
+                        udph->check = -1;
                (*pskb)->ip_summed = CHECKSUM_UNNECESSARY;
        }
        return 1;
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 0849f1cced13..413c2d0a1f3d 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -466,7 +466,13 @@ static inline int check_entry(struct arpt_entry *e, const char *name, unsigned i
                return -EINVAL;
        }
+        if (e->target_offset + sizeof(struct arpt_entry_target) > e->next_offset)
+                return -EINVAL;
        t = arpt_get_target(e);
+        if (e->target_offset + t->u.target_size > e->next_offset)
+                return -EINVAL;
        target = try_then_request_module(xt_find_target(NF_ARP, t->u.user.name,
                                                        t->u.user.revision),
                                         "arpt_%s", t->u.user.name);
@@ -621,20 +627,18 @@ static int translate_table(const char *name,
                }
        }
-        if (!mark_source_chains(newinfo, valid_hooks, entry0)) {
-                duprintf("Looping hook\n");
-                return -ELOOP;
-        }
        /* Finally, each sanity check must pass */
        i = 0;
        ret = ARPT_ENTRY_ITERATE(entry0, newinfo->size,
                                 check_entry, name, size, &i);
-        if (ret != 0) {
+        if (ret != 0)
-                ARPT_ENTRY_ITERATE(entry0, newinfo->size,
+                goto cleanup;
-                                   cleanup_entry, &i);
-                return ret;
+        ret = -ELOOP;
+        if (!mark_source_chains(newinfo, valid_hooks, entry0)) {
+                duprintf("Looping hook\n");
+                goto cleanup;
        }
        /* And one copy for every other CPU */
@@ -643,6 +647,9 @@ static int translate_table(const char *name,
                        memcpy(newinfo->entries[i], entry0, newinfo->size);
        }
+        return 0;
+cleanup:
+        ARPT_ENTRY_ITERATE(entry0, newinfo->size, cleanup_entry, &i);
        return ret;
 }
diff --git a/net/ipv4/netfilter/ip_queue.c b/net/ipv4/netfilter/ip_queue.c
index 7edad790478a..97556cc2e4e0 100644
--- a/net/ipv4/netfilter/ip_queue.c
+++ b/net/ipv4/netfilter/ip_queue.c
@@ -351,9 +351,10 @@ ipq_mangle_ipv4(ipq_verdict_msg_t *v, struct ipq_queue_entry *e)
        if (v->data_len < sizeof(*user_iph))
                return 0;
        diff = v->data_len - e->skb->len;
-        if (diff < 0)
+        if (diff < 0) {
-                skb_trim(e->skb, v->data_len);
+                if (pskb_trim(e->skb, v->data_len))
-        else if (diff > 0) {
+                        return -ENOMEM;
+        } else if (diff > 0) {
                if (v->data_len > 0xFFFF)
                        return -EINVAL;
                if (diff > skb_tailroom(e->skb)) {
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 4b90927619b8..8a455439b128 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -547,12 +547,18 @@ check_entry(struct ipt_entry *e, const char *name, unsigned int size,
                return -EINVAL;
        }
+        if (e->target_offset + sizeof(struct ipt_entry_target) > e->next_offset)
+                return -EINVAL;
        j = 0;
        ret = IPT_MATCH_ITERATE(e, check_match, name, &e->ip, e->comefrom, &j);
        if (ret != 0)
                goto cleanup_matches;
        t = ipt_get_target(e);
+        ret = -EINVAL;
+        if (e->target_offset + t->u.target_size > e->next_offset)
+                        goto cleanup_matches;
        target = try_then_request_module(xt_find_target(AF_INET,
                                                     t->u.user.name,
                                                     t->u.user.revision),
@@ -712,19 +718,17 @@ translate_table(const char *name,
                }
        }
-        if (!mark_source_chains(newinfo, valid_hooks, entry0))
-                return -ELOOP;
        /* Finally, each sanity check must pass */
        i = 0;
        ret = IPT_ENTRY_ITERATE(entry0, newinfo->size,
                                check_entry, name, size, &i);
-        if (ret != 0) {
+        if (ret != 0)
-                IPT_ENTRY_ITERATE(entry0, newinfo->size,
+                goto cleanup;
-                                  cleanup_entry, &i);
-                return ret;
+        ret = -ELOOP;
-        }
+        if (!mark_source_chains(newinfo, valid_hooks, entry0))
+                goto cleanup;
        /* And one copy for every other CPU */
        for_each_possible_cpu(i) {
@@ -732,6 +736,9 @@ translate_table(const char *name,
                        memcpy(newinfo->entries[i], entry0, newinfo->size);
        }
+        return 0;
+cleanup:
+        IPT_ENTRY_ITERATE(entry0, newinfo->size, cleanup_entry, &i);
        return ret;
 }
@@ -1463,6 +1470,10 @@ check_compat_entry_size_and_hooks(struct ipt_entry *e,
                return -EINVAL;
        }
+        if (e->target_offset + sizeof(struct compat_xt_entry_target) >
+                                                                e->next_offset)
+                return -EINVAL;
        off = 0;
        entry_offset = (void *)e - (void *)base;
        j = 0;
@@ -1472,6 +1483,9 @@ check_compat_entry_size_and_hooks(struct ipt_entry *e,
                goto cleanup_matches;
        t = ipt_get_target(e);
+        ret = -EINVAL;
+        if (e->target_offset + t->u.target_size > e->next_offset)
+                        goto cleanup_matches;
        target = try_then_request_module(xt_find_target(AF_INET,
                                                     t->u.user.name,
                                                     t->u.user.revision),
@@ -1513,7 +1527,7 @@ cleanup_matches:
 static inline int compat_copy_match_from_user(struct ipt_entry_match *m,
        void **dstptr, compat_uint_t *size, const char *name,
-        const struct ipt_ip *ip, unsigned int hookmask, int *i)
+        const struct ipt_ip *ip, unsigned int hookmask)
 {
        struct ipt_entry_match *dm;
        struct ipt_match *match;
@@ -1526,22 +1540,13 @@ static inline int compat_copy_match_from_user(struct ipt_entry_match *m,
        ret = xt_check_match(match, AF_INET, dm->u.match_size - sizeof(*dm),
                             name, hookmask, ip->proto,
                             ip->invflags & IPT_INV_PROTO);
-        if (ret)
+        if (!ret && m->u.kernel.match->checkentry
-                goto err;
-        if (m->u.kernel.match->checkentry
            && !m->u.kernel.match->checkentry(name, ip, match, dm->data,
                                              hookmask)) {
                duprintf("ip_tables: check failed for `%s'.\n",
                         m->u.kernel.match->name);
                ret = -EINVAL;
-                goto err;
        }
-        (*i)++;
-        return 0;
-err:
-        module_put(m->u.kernel.match->me);
        return ret;
 }
@@ -1553,19 +1558,18 @@ static int compat_copy_entry_from_user(struct ipt_entry *e, void **dstptr,
        struct ipt_target *target;
        struct ipt_entry *de;
        unsigned int origsize;
-        int ret, h, j;
+        int ret, h;
        ret = 0;
        origsize = *size;
        de = (struct ipt_entry *)*dstptr;
        memcpy(de, e, sizeof(struct ipt_entry));
-        j = 0;
        *dstptr += sizeof(struct compat_ipt_entry);
        ret = IPT_MATCH_ITERATE(e, compat_copy_match_from_user, dstptr, size,
-                        name, &de->ip, de->comefrom, &j);
+                        name, &de->ip, de->comefrom);
        if (ret)
-                goto cleanup_matches;
+                goto err;
        de->target_offset = e->target_offset - (origsize - *size);
        t = ipt_get_target(e);
        target = t->u.kernel.target;
@@ -1599,12 +1603,7 @@ static int compat_copy_entry_from_user(struct ipt_entry *e, void **dstptr,
                goto err;
        }
        ret = 0;
-        return ret;
 err:
-        module_put(t->u.kernel.target->me);
-cleanup_matches:
-        IPT_MATCH_ITERATE(e, cleanup_match, &j);
        return ret;
 }
@@ -1618,7 +1617,7 @@ translate_compat_table(const char *name,
                unsigned int *hook_entries,
                unsigned int *underflows)
 {
-        unsigned int i;
+        unsigned int i, j;
        struct xt_table_info *newinfo, *info;
        void *pos, *entry0, *entry1;
        unsigned int size;
@@ -1636,21 +1635,21 @@ translate_compat_table(const char *name,
        }
        duprintf("translate_compat_table: size %u\n", info->size);
-        i = 0;
+        j = 0;
        xt_compat_lock(AF_INET);
        /* Walk through entries, checking offsets. */
        ret = IPT_ENTRY_ITERATE(entry0, total_size,
                                check_compat_entry_size_and_hooks,
                                info, &size, entry0,
                                entry0 + total_size,
-                                hook_entries, underflows, &i, name);
+                                hook_entries, underflows, &j, name);
        if (ret != 0)
                goto out_unlock;
        ret = -EINVAL;
-        if (i != number) {
+        if (j != number) {
                duprintf("translate_compat_table: %u not %u entries\n",
-                         i, number);
+                         j, number);
                goto out_unlock;
        }
@@ -1709,8 +1708,10 @@ translate_compat_table(const char *name,
 free_newinfo:
        xt_free_table_info(newinfo);
 out:
+        IPT_ENTRY_ITERATE(entry0, total_size, cleanup_entry, &j);
        return ret;
 out_unlock:
+        compat_flush_offsets();
        xt_compat_unlock(AF_INET);
        goto out;
 }
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index b430cf2a4f66..5c31dead2bdc 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -329,7 +329,7 @@ error:
        return err; 
 }
-static void raw_probe_proto_opt(struct flowi *fl, struct msghdr *msg)
+static int raw_probe_proto_opt(struct flowi *fl, struct msghdr *msg)
 {
        struct iovec *iov;
        u8 __user *type = NULL;
@@ -338,7 +338,7 @@ static void raw_probe_proto_opt(struct flowi *fl, struct msghdr *msg)
        unsigned int i;
        if (!msg->msg_iov)
-                return;
+                return 0;
        for (i = 0; i < msg->msg_iovlen; i++) {
                iov = &msg->msg_iov[i];
@@ -360,8 +360,9 @@ static void raw_probe_proto_opt(struct flowi *fl, struct msghdr *msg)
                                code = iov->iov_base;
                        if (type && code) {
-                                get_user(fl->fl_icmp_type, type);
+                                if (get_user(fl->fl_icmp_type, type) ||
-                                get_user(fl->fl_icmp_code, code);
+                                    get_user(fl->fl_icmp_code, code))
+                                        return -EFAULT;
                                probed = 1;
                        }
                        break;
@@ -372,6 +373,7 @@ static void raw_probe_proto_opt(struct flowi *fl, struct msghdr *msg)
                if (probed)
                        break;
        }
+        return 0;
 }
 static int raw_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
@@ -480,8 +482,11 @@ static int raw_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
                                    .proto = inet->hdrincl ? IPPROTO_RAW :
                                                             sk->sk_protocol,
                                  };
-                if (!inet->hdrincl)
+                if (!inet->hdrincl) {
-                        raw_probe_proto_opt(&fl, msg);
+                        err = raw_probe_proto_opt(&fl, msg);
+                        if (err)
+                                goto done;
+                }
                security_sk_classify_flow(sk, &fl);
                err = ip_route_output_flow(&rt, &fl, sk, !(msg->msg_flags&MSG_DONTWAIT));
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index e82a5be894b5..15061b314411 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -129,13 +129,6 @@ static int sysctl_tcp_congestion_control(ctl_table *table, int __user *name,
        return ret;
 }
-static int __init tcp_congestion_default(void)
-{
-        return tcp_set_default_congestion_control(CONFIG_DEFAULT_TCP_CONG);
-}
-late_initcall(tcp_congestion_default);
 ctl_table ipv4_table[] = {
        {
                .ctl_name       = NET_IPV4_TCP_TIMESTAMPS,
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 66e9a729f6df..c05e8edaf544 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2270,7 +2270,7 @@ void __init tcp_init(void)
                                        thash_entries,
                                        (num_physpages >= 128 * 1024) ?
                                        13 : 15,
-                                        HASH_HIGHMEM,
+                                        0,
                                        &tcp_hashinfo.ehash_size,
                                        NULL,
                                        0);
@@ -2286,7 +2286,7 @@ void __init tcp_init(void)
                                        tcp_hashinfo.ehash_size,
                                        (num_physpages >= 128 * 1024) ?
                                        13 : 15,
-                                        HASH_HIGHMEM,
+                                        0,
                                        &tcp_hashinfo.bhash_size,
                                        NULL,
                                        64 * 1024);
@@ -2316,9 +2316,10 @@ void __init tcp_init(void)
                sysctl_max_syn_backlog = 128;
        }
-        sysctl_tcp_mem[0] =  768 << order;
+        /* Allow no more than 3/4 kernel memory (usually less) allocated to TCP */
-        sysctl_tcp_mem[1] = 1024 << order;
+        sysctl_tcp_mem[0] = (1536 / sizeof (struct inet_bind_hashbucket)) << order;
-        sysctl_tcp_mem[2] = 1536 << order;
+        sysctl_tcp_mem[1] = sysctl_tcp_mem[0] * 4 / 3;
+        sysctl_tcp_mem[2] = sysctl_tcp_mem[0] * 2;
        limit = ((unsigned long)sysctl_tcp_mem[1]) << (PAGE_SHIFT - 7);
        max_share = min(4UL*1024*1024, limit);
diff --git a/net/ipv4/tcp_cong.c b/net/ipv4/tcp_cong.c
index af0aca1e6be6..1e2982f4acd4 100644
--- a/net/ipv4/tcp_cong.c
+++ b/net/ipv4/tcp_cong.c
@@ -131,6 +131,14 @@ int tcp_set_default_congestion_control(const char *name)
        return ret;
 }
+/* Set default value from kernel configuration at bootup */
+static int __init tcp_congestion_default(void)
+{
+        return tcp_set_default_congestion_control(CONFIG_DEFAULT_TCP_CONG);
+}
+late_initcall(tcp_congestion_default);
 /* Get current default congestion control */
 void tcp_get_default_congestion_control(char *name)
 {
diff --git a/net/ipv4/tcp_cubic.c b/net/ipv4/tcp_cubic.c
index a60ef38d75c6..6ad184802266 100644
--- a/net/ipv4/tcp_cubic.c
+++ b/net/ipv4/tcp_cubic.c
@@ -190,7 +190,7 @@ static inline void bictcp_update(struct bictcp *ca, u32 cwnd)
         */
        /* change the unit from HZ to bictcp_HZ */
-        t = ((tcp_time_stamp + ca->delay_min - ca->epoch_start)
+        t = ((tcp_time_stamp + (ca->delay_min>>3) - ca->epoch_start)
             << BICTCP_HZ) / HZ;
        if (t < ca->bic_K)              /* t - K */
@@ -259,7 +259,7 @@ static inline void measure_delay(struct sock *sk)
            (s32)(tcp_time_stamp - ca->epoch_start) < HZ)
                return;
-        delay = tcp_time_stamp - tp->rx_opt.rcv_tsecr;
+        delay = (tcp_time_stamp - tp->rx_opt.rcv_tsecr)<<3;
        if (delay == 0)
                delay = 1;
@@ -366,7 +366,7 @@ static int __init cubictcp_register(void)
        beta_scale = 8*(BICTCP_BETA_SCALE+beta)/ 3 / (BICTCP_BETA_SCALE - beta);
-        cube_rtt_scale = (bic_scale << 3) / 10; /* 1024*c/rtt */
+        cube_rtt_scale = (bic_scale * 10);      /* 1024*c/rtt */
        /* calculate the "K" for (wmax-cwnd) = c/rtt * K^3
         *  so K = cubic_root( (wmax-cwnd)*rtt/c )
diff --git a/net/ipv4/tcp_htcp.c b/net/ipv4/tcp_htcp.c
index 682e7d5b6f2f..283be3cb4667 100644
--- a/net/ipv4/tcp_htcp.c
+++ b/net/ipv4/tcp_htcp.c
@@ -23,7 +23,7 @@ module_param(use_bandwidth_switch, int, 0644);
 MODULE_PARM_DESC(use_bandwidth_switch, "turn on/off bandwidth switcher");
 struct htcp {
-        u16     alpha;          /* Fixed point arith, << 7 */
+        u32     alpha;          /* Fixed point arith, << 7 */
        u8      beta;           /* Fixed point arith, << 7 */
        u8      modeswitch;     /* Delay modeswitch until we had at least one congestion event */
        u32     last_cong;      /* Time since last congestion event end */
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index 8fcae7a6510b..f98ca30d7c1f 100644
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -169,7 +169,6 @@ static __inline__ void rt6_release(struct rt6_info *rt)
 static struct fib6_table fib6_main_tbl = {
        .tb6_id         = RT6_TABLE_MAIN,
-        .tb6_lock       = RW_LOCK_UNLOCKED,
        .tb6_root       = {
                .leaf           = &ip6_null_entry,
                .fn_flags       = RTN_ROOT | RTN_TL_ROOT | RTN_RTINFO,
@@ -187,6 +186,12 @@ static void fib6_link_table(struct fib6_table *tb)
 {
        unsigned int h;
+        /*
+         * Initialize table lock at a single place to give lockdep a key,
+         * tables aren't visible prior to being linked to the list.
+         */
+        rwlock_init(&tb->tb6_lock);
        h = tb->tb6_id & (FIB_TABLE_HASHSZ - 1);
        /*
@@ -199,7 +204,6 @@ static void fib6_link_table(struct fib6_table *tb)
 #ifdef CONFIG_IPV6_MULTIPLE_TABLES
 static struct fib6_table fib6_local_tbl = {
        .tb6_id         = RT6_TABLE_LOCAL,
-        .tb6_lock       = RW_LOCK_UNLOCKED,
        .tb6_root       = {
                .leaf           = &ip6_null_entry,
                .fn_flags       = RTN_ROOT | RTN_TL_ROOT | RTN_RTINFO,
@@ -213,7 +217,6 @@ static struct fib6_table *fib6_alloc_table(u32 id)
        table = kzalloc(sizeof(*table), GFP_ATOMIC);
        if (table != NULL) {
                table->tb6_id = id;
-                table->tb6_lock = RW_LOCK_UNLOCKED;
                table->tb6_root.leaf = &ip6_null_entry;
                table->tb6_root.fn_flags = RTN_ROOT | RTN_TL_ROOT | RTN_RTINFO;
        }
diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c
index 1d672b0547f2..6d4533b58dca 100644
--- a/net/ipv6/ip6_flowlabel.c
+++ b/net/ipv6/ip6_flowlabel.c
@@ -330,8 +330,10 @@ fl_create(struct in6_flowlabel_req *freq, char __user *optval, int optlen, int *
        fl->share = freq->flr_share;
        addr_type = ipv6_addr_type(&freq->flr_dst);
        if ((addr_type&IPV6_ADDR_MAPPED)
-            || addr_type == IPV6_ADDR_ANY)
+            || addr_type == IPV6_ADDR_ANY) {
+                err = -EINVAL;
                goto done;
+        }
        ipv6_addr_copy(&fl->dst, &freq->flr_dst);
        atomic_set(&fl->users, 1);
        switch (fl->share) {
@@ -587,6 +589,8 @@ static struct ip6_flowlabel *ip6fl_get_next(struct seq_file *seq, struct ip6_flo
        while (!fl) {
                if (++state->bucket <= FL_HASH_MASK)
                        fl = fl_ht[state->bucket];
+                else
+                        break;
        }
        return fl;
 }
@@ -623,9 +627,13 @@ static void ip6fl_seq_stop(struct seq_file *seq, void *v)
        read_unlock_bh(&ip6_fl_lock);
 }
-static void ip6fl_fl_seq_show(struct seq_file *seq, struct ip6_flowlabel *fl)
+static int ip6fl_seq_show(struct seq_file *seq, void *v)
 {
-        while(fl) {
+        if (v == SEQ_START_TOKEN)
+                seq_printf(seq, "%-5s %-1s %-6s %-6s %-6s %-8s %-32s %s\n",
+                           "Label", "S", "Owner", "Users", "Linger", "Expires", "Dst", "Opt");
+        else {
+                struct ip6_flowlabel *fl = v;
                seq_printf(seq,
                           "%05X %-1d %-6d %-6d %-6ld %-8ld " NIP6_SEQFMT " %-4d\n",
                           (unsigned)ntohl(fl->label),
@@ -636,17 +644,7 @@ static void ip6fl_fl_seq_show(struct seq_file *seq, struct ip6_flowlabel *fl)
                           (long)(fl->expires - jiffies)/HZ,
                           NIP6(fl->dst),
                           fl->opt ? fl->opt->opt_nflen : 0);
-                fl = fl->next;
        }
-}
-static int ip6fl_seq_show(struct seq_file *seq, void *v)
-{
-        if (v == SEQ_START_TOKEN)
-                seq_printf(seq, "%-5s %-1s %-6s %-6s %-6s %-8s %-32s %s\n",
-                           "Label", "S", "Owner", "Users", "Linger", "Expires", "Dst", "Opt");
-        else
-                ip6fl_fl_seq_show(seq, v);
        return 0;
 }
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index 41a8a5f06602..73eb8c33e9f0 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -1742,6 +1742,7 @@ int __init ndisc_init(struct net_proto_family *ops)
 void ndisc_cleanup(void)
 {
+        unregister_netdevice_notifier(&ndisc_netdev_notifier);
 #ifdef CONFIG_SYSCTL
        neigh_sysctl_unregister(&nd_tbl.parms);
 #endif
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index 4bc4e5b33794..d7c45a9c15fe 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -40,7 +40,7 @@ config IP6_NF_QUEUE
          To compile it as a module, choose M here.  If unsure, say N.
 config IP6_NF_IPTABLES
-        tristate "IP6 tables support (required for filtering/masq/NAT)"
+        tristate "IP6 tables support (required for filtering)"
        depends on NETFILTER_XTABLES
        help
          ip6tables is a general, extensible packet identification framework.
diff --git a/net/ipv6/netfilter/ip6_queue.c b/net/ipv6/netfilter/ip6_queue.c
index 9510c24ca8d2..9fec832ee08b 100644
--- a/net/ipv6/netfilter/ip6_queue.c
+++ b/net/ipv6/netfilter/ip6_queue.c
@@ -349,9 +349,10 @@ ipq_mangle_ipv6(ipq_verdict_msg_t *v, struct ipq_queue_entry *e)
        if (v->data_len < sizeof(*user_iph))
                return 0;
        diff = v->data_len - e->skb->len;
-        if (diff < 0)
+        if (diff < 0) {
-                skb_trim(e->skb, v->data_len);
+                if (pskb_trim(e->skb, v->data_len))
-        else if (diff > 0) {
+                        return -ENOMEM;
+        } else if (diff > 0) {
                if (v->data_len > 0xFFFF)
                        return -EINVAL;
                if (diff > skb_tailroom(e->skb)) {
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 4ab368fa0b8f..204e02162d49 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -111,7 +111,7 @@ ip6_packet_match(const struct sk_buff *skb,
                 const char *outdev,
                 const struct ip6t_ip6 *ip6info,
                 unsigned int *protoff,
-                 int *fragoff)
+                 int *fragoff, int *hotdrop)
 {
        size_t i;
        unsigned long ret;
@@ -169,9 +169,11 @@ ip6_packet_match(const struct sk_buff *skb,
                unsigned short _frag_off;
                protohdr = ipv6_find_hdr(skb, protoff, -1, &_frag_off);
-                if (protohdr < 0)
+                if (protohdr < 0) {
+                        if (_frag_off == 0)
+                                *hotdrop = 1;
                        return 0;
+                }
                *fragoff = _frag_off;
                dprintf("Packet protocol %hi ?= %s%hi.\n",
@@ -290,7 +292,7 @@ ip6t_do_table(struct sk_buff **pskb,
                IP_NF_ASSERT(e);
                IP_NF_ASSERT(back);
                if (ip6_packet_match(*pskb, indev, outdev, &e->ipv6,
-                        &protoff, &offset)) {
+                        &protoff, &offset, &hotdrop)) {
                        struct ip6t_entry_target *t;
                        if (IP6T_MATCH_ITERATE(e, do_match,
@@ -584,12 +586,19 @@ check_entry(struct ip6t_entry *e, const char *name, unsigned int size,
                return -EINVAL;
        }
+        if (e->target_offset + sizeof(struct ip6t_entry_target) >
+                                                                e->next_offset)
+                return -EINVAL;
        j = 0;
        ret = IP6T_MATCH_ITERATE(e, check_match, name, &e->ipv6, e->comefrom, &j);
        if (ret != 0)
                goto cleanup_matches;
        t = ip6t_get_target(e);
+        ret = -EINVAL;
+        if (e->target_offset + t->u.target_size > e->next_offset)
+                        goto cleanup_matches;
        target = try_then_request_module(xt_find_target(AF_INET6,
                                                        t->u.user.name,
                                                        t->u.user.revision),
@@ -749,19 +758,17 @@ translate_table(const char *name,
                }
        }
-        if (!mark_source_chains(newinfo, valid_hooks, entry0))
-                return -ELOOP;
        /* Finally, each sanity check must pass */
        i = 0;
        ret = IP6T_ENTRY_ITERATE(entry0, newinfo->size,
                                check_entry, name, size, &i);
-        if (ret != 0) {
+        if (ret != 0)
-                IP6T_ENTRY_ITERATE(entry0, newinfo->size,
+                goto cleanup;
-                                  cleanup_entry, &i);
-                return ret;
+        ret = -ELOOP;
-        }
+        if (!mark_source_chains(newinfo, valid_hooks, entry0))
+                goto cleanup;
        /* And one copy for every other CPU */
        for_each_possible_cpu(i) {
@@ -769,6 +776,9 @@ translate_table(const char *name,
                        memcpy(newinfo->entries[i], entry0, newinfo->size);
        }
+        return 0;
+cleanup:
+        IP6T_ENTRY_ITERATE(entry0, newinfo->size, cleanup_entry, &i);
        return ret;
 }
@@ -1438,6 +1448,9 @@ static void __exit ip6_tables_fini(void)
 * If target header is found, its offset is set in *offset and return protocol
 * number. Otherwise, return -1.
 *
+ * If the first fragment doesn't contain the final protocol header or
+ * NEXTHDR_NONE it is considered invalid.
+ *
 * Note that non-1st fragment is special case that "the protocol number
 * of last header" is "next header" field in Fragment header. In this case,
 * *offset is meaningless and fragment offset is stored in *fragoff if fragoff
@@ -1461,12 +1474,12 @@ int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
                if ((!ipv6_ext_hdr(nexthdr)) || nexthdr == NEXTHDR_NONE) {
                        if (target < 0)
                                break;
-                        return -1;
+                        return -ENOENT;
                }
                hp = skb_header_pointer(skb, start, sizeof(_hdr), &_hdr);
                if (hp == NULL)
-                        return -1;
+                        return -EBADMSG;
                if (nexthdr == NEXTHDR_FRAGMENT) {
                        unsigned short _frag_off, *fp;
                        fp = skb_header_pointer(skb,
@@ -1475,18 +1488,18 @@ int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
                                                sizeof(_frag_off),
                                                &_frag_off);
                        if (fp == NULL)
-                                return -1;
+                                return -EBADMSG;
                        _frag_off = ntohs(*fp) & ~0x7;
                        if (_frag_off) {
                                if (target < 0 &&
                                    ((!ipv6_ext_hdr(hp->nexthdr)) ||
-                                     nexthdr == NEXTHDR_NONE)) {
+                                     hp->nexthdr == NEXTHDR_NONE)) {
                                        if (fragoff)
                                                *fragoff = _frag_off;
                                        return hp->nexthdr;
                                }
-                                return -1;
+                                return -ENOENT;
                        }
                        hdrlen = 8;
                } else if (nexthdr == NEXTHDR_AUTH)
diff --git a/net/ipv6/netfilter/ip6t_ah.c b/net/ipv6/netfilter/ip6t_ah.c
index ec1b1608156c..46486645eb75 100644
--- a/net/ipv6/netfilter/ip6t_ah.c
+++ b/net/ipv6/netfilter/ip6t_ah.c
@@ -54,9 +54,14 @@ match(const struct sk_buff *skb,
        const struct ip6t_ah *ahinfo = matchinfo;
        unsigned int ptr;
        unsigned int hdrlen = 0;
+        int err;
-        if (ipv6_find_hdr(skb, &ptr, NEXTHDR_AUTH, NULL) < 0)
+        err = ipv6_find_hdr(skb, &ptr, NEXTHDR_AUTH, NULL);
+        if (err < 0) {
+                if (err != -ENOENT)
+                        *hotdrop = 1;
                return 0;
+        }
        ah = skb_header_pointer(skb, ptr, sizeof(_ah), &_ah);
        if (ah == NULL) {
diff --git a/net/ipv6/netfilter/ip6t_frag.c b/net/ipv6/netfilter/ip6t_frag.c
index 78d9c8b9e28a..cd22eaaccdca 100644
--- a/net/ipv6/netfilter/ip6t_frag.c
+++ b/net/ipv6/netfilter/ip6t_frag.c
@@ -52,9 +52,14 @@ match(const struct sk_buff *skb,
        struct frag_hdr _frag, *fh;
        const struct ip6t_frag *fraginfo = matchinfo;
        unsigned int ptr;
+        int err;
-        if (ipv6_find_hdr(skb, &ptr, NEXTHDR_FRAGMENT, NULL) < 0)
+        err = ipv6_find_hdr(skb, &ptr, NEXTHDR_FRAGMENT, NULL);
+        if (err < 0) {
+                if (err != -ENOENT)
+                        *hotdrop = 1;
                return 0;
+        }
        fh = skb_header_pointer(skb, ptr, sizeof(_frag), &_frag);
        if (fh == NULL) {
diff --git a/net/ipv6/netfilter/ip6t_hbh.c b/net/ipv6/netfilter/ip6t_hbh.c
index d32a205e3af2..3f25babe0440 100644
--- a/net/ipv6/netfilter/ip6t_hbh.c
+++ b/net/ipv6/netfilter/ip6t_hbh.c
@@ -65,9 +65,14 @@ match(const struct sk_buff *skb,
        u8 _opttype, *tp = NULL;
        u8 _optlen, *lp = NULL;
        unsigned int optlen;
+        int err;
-        if (ipv6_find_hdr(skb, &ptr, match->data, NULL) < 0)
+        err = ipv6_find_hdr(skb, &ptr, match->data, NULL);
+        if (err < 0) {
+                if (err != -ENOENT)
+                        *hotdrop = 1;
                return 0;
+        }
        oh = skb_header_pointer(skb, ptr, sizeof(_optsh), &_optsh);
        if (oh == NULL) {
diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c
index bcb2e168a5bc..54d7d14134fd 100644
--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -58,9 +58,14 @@ match(const struct sk_buff *skb,
        unsigned int hdrlen = 0;
        unsigned int ret = 0;
        struct in6_addr *ap, _addr;
+        int err;
-        if (ipv6_find_hdr(skb, &ptr, NEXTHDR_ROUTING, NULL) < 0)
+        err = ipv6_find_hdr(skb, &ptr, NEXTHDR_ROUTING, NULL);
+        if (err < 0) {
+                if (err != -ENOENT)
+                        *hotdrop = 1;
                return 0;
+        }
        rh = skb_header_pointer(skb, ptr, sizeof(_route), &_route);
        if (rh == NULL) {
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index d09329ca3267..d6dedc4aec77 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -604,7 +604,7 @@ error:
        return err; 
 }
-static void rawv6_probe_proto_opt(struct flowi *fl, struct msghdr *msg)
+static int rawv6_probe_proto_opt(struct flowi *fl, struct msghdr *msg)
 {
        struct iovec *iov;
        u8 __user *type = NULL;
@@ -616,7 +616,7 @@ static void rawv6_probe_proto_opt(struct flowi *fl, struct msghdr *msg)
        int i;
        if (!msg->msg_iov)
-                return;
+                return 0;
        for (i = 0; i < msg->msg_iovlen; i++) {
                iov = &msg->msg_iov[i];
@@ -638,8 +638,9 @@ static void rawv6_probe_proto_opt(struct flowi *fl, struct msghdr *msg)
                                code = iov->iov_base;
                        if (type && code) {
-                                get_user(fl->fl_icmp_type, type);
+                                if (get_user(fl->fl_icmp_type, type) ||
-                                get_user(fl->fl_icmp_code, code);
+                                    get_user(fl->fl_icmp_code, code))
+                                        return -EFAULT;
                                probed = 1;
                        }
                        break;
@@ -650,7 +651,8 @@ static void rawv6_probe_proto_opt(struct flowi *fl, struct msghdr *msg)
                        /* check if type field is readable or not. */
                        if (iov->iov_len > 2 - len) {
                                u8 __user *p = iov->iov_base;
-                                get_user(fl->fl_mh_type, &p[2 - len]);
+                                if (get_user(fl->fl_mh_type, &p[2 - len]))
+                                        return -EFAULT;
                                probed = 1;
                        } else
                                len += iov->iov_len;
@@ -664,6 +666,7 @@ static void rawv6_probe_proto_opt(struct flowi *fl, struct msghdr *msg)
                if (probed)
                        break;
        }
+        return 0;
 }
 static int rawv6_sendmsg(struct kiocb *iocb, struct sock *sk,
@@ -787,7 +790,9 @@ static int rawv6_sendmsg(struct kiocb *iocb, struct sock *sk,
        opt = ipv6_fixup_options(&opt_space, opt);
        fl.proto = proto;
-        rawv6_probe_proto_opt(&fl, msg);
+        err = rawv6_probe_proto_opt(&fl, msg);
+        if (err)
+                goto out;
 
        ipv6_addr_copy(&fl.fl6_dst, daddr);
        if (ipv6_addr_any(&fl.fl6_src) && !ipv6_addr_any(&np->saddr))
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index b481a4d780c2..be699f85b2c7 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -854,3 +854,4 @@ int __init sit_init(void)
 module_init(sit_init);
 module_exit(sit_cleanup);
 MODULE_LICENSE("GPL");
+MODULE_ALIAS("sit0");
diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
index 7af227bb1551..7931e4f898d4 100644
--- a/net/ipv6/xfrm6_tunnel.c
+++ b/net/ipv6/xfrm6_tunnel.c
@@ -135,7 +135,7 @@ u32 xfrm6_tunnel_spi_lookup(xfrm_address_t *saddr)
        x6spi = __xfrm6_tunnel_spi_lookup(saddr);
        spi = x6spi ? x6spi->spi : 0;
        read_unlock_bh(&xfrm6_tunnel_spi_lock);
-        return spi;
+        return htonl(spi);
 }
 EXPORT_SYMBOL(xfrm6_tunnel_spi_lookup);
@@ -210,7 +210,7 @@ u32 xfrm6_tunnel_alloc_spi(xfrm_address_t *saddr)
                spi = __xfrm6_tunnel_alloc_spi(saddr);
        write_unlock_bh(&xfrm6_tunnel_spi_lock);
-        return spi;
+        return htonl(spi);
 }
 EXPORT_SYMBOL(xfrm6_tunnel_alloc_spi);
diff --git a/net/ipx/af_ipx.c b/net/ipx/af_ipx.c
index bef3f61569f7..76c661566dfd 100644
--- a/net/ipx/af_ipx.c
+++ b/net/ipx/af_ipx.c
@@ -83,13 +83,13 @@ DEFINE_SPINLOCK(ipx_interfaces_lock);
 struct ipx_interface *ipx_primary_net;
 struct ipx_interface *ipx_internal_net;
-extern int ipxrtr_add_route(__u32 network, struct ipx_interface *intrfc,
+extern int ipxrtr_add_route(__be32 network, struct ipx_interface *intrfc,
                            unsigned char *node);
 extern void ipxrtr_del_routes(struct ipx_interface *intrfc);
 extern int ipxrtr_route_packet(struct sock *sk, struct sockaddr_ipx *usipx,
                               struct iovec *iov, int len, int noblock);
 extern int ipxrtr_route_skb(struct sk_buff *skb);
-extern struct ipx_route *ipxrtr_lookup(__u32 net);
+extern struct ipx_route *ipxrtr_lookup(__be32 net);
 extern int ipxrtr_ioctl(unsigned int cmd, void __user *arg);
 #undef IPX_REFCNT_DEBUG
@@ -177,7 +177,7 @@ static void ipxitf_clear_primary_net(void)
 }
 static struct ipx_interface *__ipxitf_find_using_phys(struct net_device *dev,
-                                                      unsigned short datalink)
+                                                      __be16 datalink)
 {
        struct ipx_interface *i;
@@ -190,7 +190,7 @@ out:
 }
 static struct ipx_interface *ipxitf_find_using_phys(struct net_device *dev,
-                                                    unsigned short datalink)
+                                                    __be16 datalink)
 {
        struct ipx_interface *i;
@@ -202,7 +202,7 @@ static struct ipx_interface *ipxitf_find_using_phys(struct net_device *dev,
        return i;
 }
-struct ipx_interface *ipxitf_find_using_net(__u32 net)
+struct ipx_interface *ipxitf_find_using_net(__be32 net)
 {
        struct ipx_interface *i;
@@ -237,7 +237,7 @@ static void ipxitf_insert_socket(struct ipx_interface *intrfc, struct sock *sk)
 /* caller must hold intrfc->if_sklist_lock */
 static struct sock *__ipxitf_find_socket(struct ipx_interface *intrfc,
-                                         unsigned short port)
+                                         __be16 port)
 {
        struct sock *s;
        struct hlist_node *node;
@@ -252,7 +252,7 @@ found:
 /* caller must hold a reference to intrfc */
 static struct sock *ipxitf_find_socket(struct ipx_interface *intrfc,
-                                        unsigned short port)
+                                        __be16 port)
 {
        struct sock *s;
@@ -268,7 +268,7 @@ static struct sock *ipxitf_find_socket(struct ipx_interface *intrfc,
 #ifdef CONFIG_IPX_INTERN
 static struct sock *ipxitf_find_internal_socket(struct ipx_interface *intrfc,
                                                unsigned char *ipx_node,
-                                                unsigned short port)
+                                                __be16 port)
 {
        struct sock *s;
        struct hlist_node *node;
@@ -600,10 +600,10 @@ int ipxitf_send(struct ipx_interface *intrfc, struct sk_buff *skb, char *node)
        /* see if we need to include the netnum in the route list */
        if (IPX_SKB_CB(skb)->last_hop.index >= 0) {
-                u32 *last_hop = (u32 *)(((u8 *) skb->data) +
+                __be32 *last_hop = (__be32 *)(((u8 *) skb->data) +
                                sizeof(struct ipxhdr) +
                                IPX_SKB_CB(skb)->last_hop.index *
-                                sizeof(u32));
+                                sizeof(__be32));
                *last_hop = IPX_SKB_CB(skb)->last_hop.netnum;
                IPX_SKB_CB(skb)->last_hop.index = -1;
        }
@@ -772,7 +772,7 @@ static void ipxitf_discover_netnum(struct ipx_interface *intrfc,
                } else {
                        printk(KERN_WARNING "IPX: Network number collision "
                                "%lx\n        %s %s and %s %s\n",
-                                (unsigned long) htonl(cb->ipx_source_net),
+                                (unsigned long) ntohl(cb->ipx_source_net),
                                ipx_device_name(i),
                                ipx_frame_name(i->if_dlink_type),
                                ipx_device_name(intrfc),
@@ -812,7 +812,7 @@ static int ipxitf_pprop(struct ipx_interface *intrfc, struct sk_buff *skb)
        int i, rc = -EINVAL;
        struct ipx_interface *ifcs;
        char *c;
-        u32 *l;
+        __be32 *l;
        /* Illegal packet - too many hops or too short */
        /* We decide to throw it away: no broadcasting, no local processing.
@@ -833,7 +833,7 @@ static int ipxitf_pprop(struct ipx_interface *intrfc, struct sk_buff *skb)
                goto out;
        
        c = ((u8 *) ipx) + sizeof(struct ipxhdr);
-        l = (u32 *) c;
+        l = (__be32 *) c;
        /* Don't broadcast packet if already seen this net */
        for (i = 0; i < IPX_SKB_CB(skb)->ipx_tctrl; i++)
@@ -855,7 +855,7 @@ static int ipxitf_pprop(struct ipx_interface *intrfc, struct sk_buff *skb)
                /* That aren't in the list */
                if (ifcs == intrfc)
                        continue;
-                l = (__u32 *) c;
+                l = (__be32 *) c;
                /* don't consider the last entry in the packet list,
                 * it is our netnum, and it is not there yet */
                for (i = 0; i < IPX_SKB_CB(skb)->ipx_tctrl; i++)
@@ -885,8 +885,8 @@ static void ipxitf_insert(struct ipx_interface *intrfc)
                ipx_primary_net = intrfc;
 }
-static struct ipx_interface *ipxitf_alloc(struct net_device *dev, __u32 netnum,
+static struct ipx_interface *ipxitf_alloc(struct net_device *dev, __be32 netnum,
-                                          unsigned short dlink_type,
+                                          __be16 dlink_type,
                                          struct datalink_proto *dlink,
                                          unsigned char internal,
                                          int ipx_offset)
@@ -960,7 +960,7 @@ static __be16 ipx_map_frame_type(unsigned char type)
 static int ipxitf_create(struct ipx_interface_definition *idef)
 {
        struct net_device *dev;
-        unsigned short dlink_type = 0;
+        __be16 dlink_type = 0;
        struct datalink_proto *datalink = NULL;
        struct ipx_interface *intrfc;
        int rc;
@@ -1073,7 +1073,7 @@ out:
 static int ipxitf_delete(struct ipx_interface_definition *idef)
 {
        struct net_device *dev = NULL;
-        unsigned short dlink_type = 0;
+        __be16 dlink_type = 0;
        struct ipx_interface *intrfc;
        int rc = 0;
@@ -1110,7 +1110,7 @@ out:
 }
 static struct ipx_interface *ipxitf_auto_create(struct net_device *dev,
-                                                unsigned short dlink_type)
+                                                __be16 dlink_type)
 {
        struct ipx_interface *intrfc = NULL;
        struct datalink_proto *datalink;
@@ -1122,7 +1122,7 @@ static struct ipx_interface *ipxitf_auto_create(struct net_device *dev,
        if (dev->addr_len > IPX_NODE_LEN)
                goto out;
-        switch (htons(dlink_type)) {
+        switch (ntohs(dlink_type)) {
        case ETH_P_IPX:         datalink = pEII_datalink;       break;
        case ETH_P_802_2:       datalink = p8022_datalink;      break;
        case ETH_P_SNAP:        datalink = pSNAP_datalink;      break;
@@ -1234,27 +1234,27 @@ static int ipxitf_ioctl(unsigned int cmd, void __user *arg)
 /* Note: We assume ipx_tctrl==0 and htons(length)==ipx_pktsize */
 /* This functions should *not* mess with packet contents */
-__u16 ipx_cksum(struct ipxhdr *packet, int length) 
+__be16 ipx_cksum(struct ipxhdr *packet, int length)
 {
        /* 
         *      NOTE: sum is a net byte order quantity, which optimizes the 
         *      loop. This only works on big and little endian machines. (I
         *      don't know of a machine that isn't.)
         */
-        /* start at ipx_dest - We skip the checksum field and start with
+        /* handle the first 3 words separately; checksum should be skipped
-         * ipx_type before the loop, not considering ipx_tctrl in the calc */
+         * and ipx_tctrl masked out */
-        __u16 *p = (__u16 *)&packet->ipx_dest;
+        __u16 *p = (__u16 *)packet;
-        __u32 i = (length >> 1) - 1; /* Number of complete words */
+        __u32 sum = p[1] + (p[2] & (__force u16)htons(0x00ff));
-        __u32 sum = packet->ipx_type << sizeof(packet->ipx_tctrl); 
+        __u32 i = (length >> 1) - 3; /* Number of remaining complete words */
-        /* Loop through all complete words except the checksum field,
+        /* Loop through them */
-         * ipx_type (accounted above) and ipx_tctrl (not used in the cksum) */
+        p += 3;
-        while (--i)
+        while (i--)
                sum += *p++;
        /* Add on the last part word if it exists */
        if (packet->ipx_pktsize & htons(1))
-                sum += ntohs(0xff00) & *p;
+                sum += (__force u16)htons(0xff00) & *p;
        /* Do final fixup */
        sum = (sum & 0xffff) + (sum >> 16);
@@ -1263,10 +1263,17 @@ __u16 ipx_cksum(struct ipxhdr *packet, int length)
        if (sum >= 0x10000)
                sum++;
-        return ~sum;
+        /*
+         * Leave 0 alone; we don't want 0xffff here.  Note that we can't get
+         * here with 0x10000, so this check is the same as ((__u16)sum)
+         */
+        if (sum)
+                sum = ~sum;
+        return (__force __be16)sum;
 }
-const char *ipx_frame_name(unsigned short frame)
+const char *ipx_frame_name(__be16 frame)
 {
        char* rc = "None";
@@ -1401,7 +1408,7 @@ out:
 /* caller must hold a reference to intrfc */
-static unsigned short ipx_first_free_socketnum(struct ipx_interface *intrfc)
+static __be16 ipx_first_free_socketnum(struct ipx_interface *intrfc)
 {
        unsigned short socketNum = intrfc->if_sknum;
@@ -1410,7 +1417,7 @@ static unsigned short ipx_first_free_socketnum(struct ipx_interface *intrfc)
        if (socketNum < IPX_MIN_EPHEMERAL_SOCKET)
                socketNum = IPX_MIN_EPHEMERAL_SOCKET;
-        while (__ipxitf_find_socket(intrfc, ntohs(socketNum)))
+        while (__ipxitf_find_socket(intrfc, htons(socketNum)))
                if (socketNum > IPX_MAX_EPHEMERAL_SOCKET)
                        socketNum = IPX_MIN_EPHEMERAL_SOCKET;
                else
@@ -1419,7 +1426,7 @@ static unsigned short ipx_first_free_socketnum(struct ipx_interface *intrfc)
        spin_unlock_bh(&intrfc->if_sklist_lock);
        intrfc->if_sknum = socketNum;
-        return ntohs(socketNum);
+        return htons(socketNum);
 }
 static int ipx_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
@@ -1473,7 +1480,7 @@ static int ipx_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
                                                ipxs->port)) {
                        SOCK_DEBUG(sk,
                                "IPX: bind failed because port %X in use.\n",
-                                ntohs((int)addr->sipx_port));
+                                ntohs(addr->sipx_port));
                        goto out_put;
                }
        } else {
@@ -1488,7 +1495,7 @@ static int ipx_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
                if (ipxitf_find_socket(intrfc, addr->sipx_port)) {
                        SOCK_DEBUG(sk,
                                "IPX: bind failed because port %X in use.\n",
-                                ntohs((int)addr->sipx_port));
+                                ntohs(addr->sipx_port));
                        goto out_put;
                }
        }
@@ -1665,7 +1672,7 @@ static int ipx_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_ty
        intrfc = ipxitf_find_using_phys(dev, pt->type);
        if (!intrfc) {
                if (ipxcfg_auto_create_interfaces &&
-                   ntohl(IPX_SKB_CB(skb)->ipx_dest_net)) {
+                   IPX_SKB_CB(skb)->ipx_dest_net) {
                        intrfc = ipxitf_auto_create(dev, pt->type);
                        if (intrfc)
                                ipxitf_hold(intrfc);
diff --git a/net/ipx/ipx_proc.c b/net/ipx/ipx_proc.c
index 4c0c71206e54..b7463dfca63e 100644
--- a/net/ipx/ipx_proc.c
+++ b/net/ipx/ipx_proc.c
@@ -260,22 +260,22 @@ static int ipx_seq_socket_show(struct seq_file *seq, void *v)
        ipxs = ipx_sk(s);
 #ifdef CONFIG_IPX_INTERN
        seq_printf(seq, "%08lX:%02X%02X%02X%02X%02X%02X:%04X  ",
-                   (unsigned long)htonl(ipxs->intrfc->if_netnum),
+                   (unsigned long)ntohl(ipxs->intrfc->if_netnum),
                   ipxs->node[0], ipxs->node[1], ipxs->node[2], ipxs->node[3],
-                   ipxs->node[4], ipxs->node[5], htons(ipxs->port));
+                   ipxs->node[4], ipxs->node[5], ntohs(ipxs->port));
 #else
-        seq_printf(seq, "%08lX:%04X  ", (unsigned long) htonl(ipxs->intrfc->if_netnum),
+        seq_printf(seq, "%08lX:%04X  ", (unsigned long) ntohl(ipxs->intrfc->if_netnum),
-                   htons(ipxs->port));
+                   ntohs(ipxs->port));
 #endif  /* CONFIG_IPX_INTERN */
        if (s->sk_state != TCP_ESTABLISHED)
                seq_printf(seq, "%-28s", "Not_Connected");
        else {
                seq_printf(seq, "%08lX:%02X%02X%02X%02X%02X%02X:%04X  ",
-                           (unsigned long)htonl(ipxs->dest_addr.net),
+                           (unsigned long)ntohl(ipxs->dest_addr.net),
                           ipxs->dest_addr.node[0], ipxs->dest_addr.node[1],
                           ipxs->dest_addr.node[2], ipxs->dest_addr.node[3],
                           ipxs->dest_addr.node[4], ipxs->dest_addr.node[5],
-                           htons(ipxs->dest_addr.sock));
+                           ntohs(ipxs->dest_addr.sock));
        }
        seq_printf(seq, "%08X  %08X  %02X     %03d\n",
diff --git a/net/ipx/ipx_route.c b/net/ipx/ipx_route.c
index a30dbb1e08fb..68560ee0d797 100644
--- a/net/ipx/ipx_route.c
+++ b/net/ipx/ipx_route.c
@@ -19,17 +19,17 @@ DEFINE_RWLOCK(ipx_routes_lock);
 extern struct ipx_interface *ipx_internal_net;
-extern __u16 ipx_cksum(struct ipxhdr *packet, int length);
+extern __be16 ipx_cksum(struct ipxhdr *packet, int length);
-extern struct ipx_interface *ipxitf_find_using_net(__u32 net);
+extern struct ipx_interface *ipxitf_find_using_net(__be32 net);
 extern int ipxitf_demux_socket(struct ipx_interface *intrfc,
                               struct sk_buff *skb, int copy);
 extern int ipxitf_demux_socket(struct ipx_interface *intrfc,
                               struct sk_buff *skb, int copy);
 extern int ipxitf_send(struct ipx_interface *intrfc, struct sk_buff *skb,
                       char *node);
-extern struct ipx_interface *ipxitf_find_using_net(__u32 net);
+extern struct ipx_interface *ipxitf_find_using_net(__be32 net);
-struct ipx_route *ipxrtr_lookup(__u32 net)
+struct ipx_route *ipxrtr_lookup(__be32 net)
 {
        struct ipx_route *r;
@@ -48,7 +48,7 @@ unlock:
 /*
 * Caller must hold a reference to intrfc
 */
-int ipxrtr_add_route(__u32 network, struct ipx_interface *intrfc,
+int ipxrtr_add_route(__be32 network, struct ipx_interface *intrfc,
                     unsigned char *node)
 {
        struct ipx_route *rt;
@@ -118,7 +118,7 @@ out:
        return rc;
 }
-static int ipxrtr_delete(__u32 net)
+static int ipxrtr_delete(__be32 net)
 {
        struct ipx_route *r, *tmp;
        int rc;
@@ -238,7 +238,7 @@ int ipxrtr_route_packet(struct sock *sk, struct sockaddr_ipx *usipx,
        /* Apply checksum. Not allowed on 802.3 links. */
        if (sk->sk_no_check || intrfc->if_dlink_type == htons(IPX_FRAME_8023))
-                ipx->ipx_checksum = 0xFFFF;
+                ipx->ipx_checksum = htons(0xFFFF);
        else
                ipx->ipx_checksum = ipx_cksum(ipx, len + sizeof(struct ipxhdr));
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 093b3ddc513c..836541e509fe 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1520,9 +1520,10 @@ get_next_corpse(int (*iter)(struct nf_conn *i, void *data),
                if (iter(ct, data))
                        goto found;
        }
+        write_unlock_bh(&nf_conntrack_lock);
        return NULL;
 found:
-        atomic_inc(&nf_ct_tuplehash_to_ctrack(h)->ct_general.use);
+        atomic_inc(&ct->ct_general.use);
        write_unlock_bh(&nf_conntrack_lock);
        return ct;
 }
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index b59d3b2bde21..1e5207b80fe5 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -427,7 +427,7 @@ __build_packet_message(struct nfulnl_instance *inst,
        nfmsg->version = NFNETLINK_V0;
        nfmsg->res_id = htons(inst->group_num);
-        pmsg.hw_protocol        = htons(skb->protocol);
+        pmsg.hw_protocol        = skb->protocol;
        pmsg.hook               = hooknum;
        NFA_PUT(inst->skb, NFULA_PACKET_HDR, sizeof(pmsg), &pmsg);
@@ -544,7 +544,7 @@ __build_packet_message(struct nfulnl_instance *inst,
        }
        /* global sequence number */
        if (inst->flags & NFULNL_CFG_F_SEQ_GLOBAL) {
-                tmp_uint = atomic_inc_return(&global_seq);
+                tmp_uint = htonl(atomic_inc_return(&global_seq));
                NFA_PUT(inst->skb, NFULA_SEQ_GLOBAL, sizeof(tmp_uint), &tmp_uint);
        }
@@ -878,7 +878,7 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
                params = NFA_DATA(nfula[NFULA_CFG_MODE-1]);
                nfulnl_set_mode(inst, params->copy_mode,
-                                ntohs(params->copy_range));
+                                ntohl(params->copy_range));
        }
        if (nfula[NFULA_CFG_TIMEOUT-1]) {
@@ -896,8 +896,8 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
        }
        if (nfula[NFULA_CFG_QTHRESH-1]) {
-                u_int32_t qthresh = 
+                __be32 qthresh =
-                        *(u_int16_t *)NFA_DATA(nfula[NFULA_CFG_QTHRESH-1]);
+                        *(__be32 *)NFA_DATA(nfula[NFULA_CFG_QTHRESH-1]);
                nfulnl_set_qthresh(inst, ntohl(qthresh));
        }
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 8eb2473d83e1..e815a9aa6e95 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -414,7 +414,7 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
        nfmsg->res_id = htons(queue->queue_num);
        pmsg.packet_id          = htonl(entry->id);
-        pmsg.hw_protocol        = htons(entskb->protocol);
+        pmsg.hw_protocol        = entskb->protocol;
        pmsg.hook               = entinf->hook;
        NFA_PUT(skb, NFQA_PACKET_HDR, sizeof(pmsg), &pmsg);
@@ -622,9 +622,10 @@ nfqnl_mangle(void *data, int data_len, struct nfqnl_queue_entry *e)
        int diff;
        diff = data_len - e->skb->len;
-        if (diff < 0)
+        if (diff < 0) {
-                skb_trim(e->skb, data_len);
+                if (pskb_trim(e->skb, data_len))
-        else if (diff > 0) {
+                        return -ENOMEM;
+        } else if (diff > 0) {
                if (data_len > 0xFFFF)
                        return -EINVAL;
                if (diff > skb_tailroom(e->skb)) {
diff --git a/net/netlabel/Kconfig b/net/netlabel/Kconfig
index 9f7121ae13e9..56958c85f2b4 100644
--- a/net/netlabel/Kconfig
+++ b/net/netlabel/Kconfig
@@ -4,7 +4,7 @@
 config NETLABEL
        bool "NetLabel subsystem support"
-        depends on NET && SECURITY
+        depends on SECURITY
        default n
        ---help---
          NetLabel provides support for explicit network packet labeling
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index d56e0d21f919..d527c8977b1f 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1075,8 +1075,9 @@ static int netlink_getsockopt(struct socket *sock, int level, int optname,
                        return -EINVAL;
                len = sizeof(int);
                val = nlk->flags & NETLINK_RECV_PKTINFO ? 1 : 0;
-                put_user(len, optlen);
+                if (put_user(len, optlen) ||
-                put_user(val, optval);
+                    put_user(val, optval))
+                        return -EFAULT;
                err = 0;
                break;
        default:
diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c
index 9b9c555c713f..4b52fa78935a 100644
--- a/net/sched/sch_htb.c
+++ b/net/sched/sch_htb.c
@@ -1284,8 +1284,7 @@ static void htb_destroy_class(struct Qdisc *sch, struct htb_class *cl)
                                                  struct htb_class, sibling));
        /* note: this delete may happen twice (see htb_delete) */
-        if (!hlist_unhashed(&cl->hlist))
+        hlist_del_init(&cl->hlist);
-                hlist_del(&cl->hlist);
        list_del(&cl->sibling);
        if (cl->prio_activity)
@@ -1333,8 +1332,7 @@ static int htb_delete(struct Qdisc *sch, unsigned long arg)
        sch_tree_lock(sch);
        /* delete from hash and active; remainder in destroy_class */
-        if (!hlist_unhashed(&cl->hlist))
+        hlist_del_init(&cl->hlist);
-                hlist_del(&cl->hlist);
        if (cl->prio_activity)
                htb_deactivate(q, cl);
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index 45939bafbdf8..0441876aa1e7 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -4,7 +4,7 @@
 *              This program is free software; you can redistribute it and/or
 *              modify it under the terms of the GNU General Public License
 *              as published by the Free Software Foundation; either version
- *              2 of the License, or (at your option) any later version.
+ *              2 of the License.
 *
 *              Many of the algorithms and ideas for this came from
 *              NIST Net which is not copyrighted. 
@@ -170,6 +170,8 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch)
                return NET_XMIT_BYPASS;
        }
+        skb_orphan(skb);
        /*
         * If we need to duplicate packet, then re-insert at top of the
         * qdisc tree, since parent queuer expects that only one
diff --git a/net/sctp/associola.c b/net/sctp/associola.c
index 27329ce9c311..ed0445fe85e7 100644
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -346,11 +346,18 @@ void sctp_association_free(struct sctp_association *asoc)
        struct list_head *pos, *temp;
        int i;
-        list_del(&asoc->asocs);
+        /* Only real associations count against the endpoint, so
+         * don't bother for if this is a temporary association.
+         */
+        if (!asoc->temp) {
+                list_del(&asoc->asocs);
-        /* Decrement the backlog value for a TCP-style listening socket. */
+                /* Decrement the backlog value for a TCP-style listening
-        if (sctp_style(sk, TCP) && sctp_sstate(sk, LISTENING))
+                 * socket.
-                sk->sk_ack_backlog--;
+                 */
+                if (sctp_style(sk, TCP) && sctp_sstate(sk, LISTENING))
+                        sk->sk_ack_backlog--;
+        }
        /* Mark as dead, so other users can know this structure is
         * going away.
diff --git a/net/sctp/endpointola.c b/net/sctp/endpointola.c
index 35c49ff2d062..9b6b394b66f6 100644
--- a/net/sctp/endpointola.c
+++ b/net/sctp/endpointola.c
@@ -144,6 +144,13 @@ void sctp_endpoint_add_asoc(struct sctp_endpoint *ep,
 {
        struct sock *sk = ep->base.sk;
+        /* If this is a temporary association, don't bother
+         * since we'll be removing it shortly and don't
+         * want anyone to find it anyway.
+         */
+        if (asoc->temp)
+                return;
        /* Now just add it to our list of asocs */
        list_add_tail(&asoc->asocs, &ep->asocs);
diff --git a/net/sctp/input.c b/net/sctp/input.c
index 64f630102532..6d82f400d13c 100644
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -135,6 +135,9 @@ int sctp_rcv(struct sk_buff *skb)
        SCTP_INC_STATS_BH(SCTP_MIB_INSCTPPACKS);
+        if (skb_linearize(skb))
+                goto discard_it;
        sh = (struct sctphdr *) skb->h.raw;
        /* Pull up the IP and SCTP headers. */
@@ -768,6 +771,9 @@ static void __sctp_hash_established(struct sctp_association *asoc)
 /* Add an association to the hash. Local BH-safe. */
 void sctp_hash_established(struct sctp_association *asoc)
 {
+        if (asoc->temp)
+                return;
        sctp_local_bh_disable();
        __sctp_hash_established(asoc);
        sctp_local_bh_enable();
@@ -801,6 +807,9 @@ static void __sctp_unhash_established(struct sctp_association *asoc)
 /* Remove association from the hash table.  Local BH-safe. */
 void sctp_unhash_established(struct sctp_association *asoc)
 {
+        if (asoc->temp)
+                return;
        sctp_local_bh_disable();
        __sctp_unhash_established(asoc);
        sctp_local_bh_enable();
diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
index fac7674438a4..5b4f82fd98f8 100644
--- a/net/sctp/protocol.c
+++ b/net/sctp/protocol.c
@@ -591,7 +591,7 @@ static struct sock *sctp_v4_create_accept_sk(struct sock *sk,
        newinet->dport = htons(asoc->peer.port);
        newinet->daddr = asoc->peer.primary_addr.v4.sin_addr.s_addr;
        newinet->pmtudisc = inet->pmtudisc;
-        newinet->id = 0;
+        newinet->id = asoc->next_tsn ^ jiffies;
        newinet->uc_ttl = -1;
        newinet->mc_loop = 1;
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 9f34dec6ff8e..935bc9187fd8 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -3372,6 +3372,7 @@ SCTP_STATIC int sctp_do_peeloff(struct sctp_association *asoc,
 {
        struct sock *sk = asoc->base.sk;
        struct socket *sock;
+        struct inet_sock *inetsk;
        int err = 0;
        /* An association cannot be branched off from an already peeled-off
@@ -3389,6 +3390,14 @@ SCTP_STATIC int sctp_do_peeloff(struct sctp_association *asoc,
         * asoc to the newsk.
         */
        sctp_sock_migrate(sk, sock->sk, asoc, SCTP_SOCKET_UDP_HIGH_BANDWIDTH);
+        /* Make peeled-off sockets more like 1-1 accepted sockets.
+         * Set the daddr and initialize id to something more random
+         */
+        inetsk = inet_sk(sock->sk);
+        inetsk->daddr = asoc->peer.primary_addr.v4.sin_addr.s_addr;
+        inetsk->id = asoc->next_tsn ^ jiffies;
        *sockp = sock;
        return err;
diff --git a/net/sunrpc/svcauth.c b/net/sunrpc/svcauth.c
index 8f2320aded5c..ee9bb1522d5e 100644
--- a/net/sunrpc/svcauth.c
+++ b/net/sunrpc/svcauth.c
@@ -126,6 +126,7 @@ void auth_domain_put(struct auth_domain *dom)
        if (atomic_dec_and_lock(&dom->ref.refcount, &auth_domain_lock)) {
                hlist_del(&dom->hash);
                dom->flavour->domain_release(dom);
+                spin_unlock(&auth_domain_lock);
        }
 }
@@ -147,10 +148,8 @@ auth_domain_lookup(char *name, struct auth_domain *new)
                        return hp;
                }
        }
-        if (new) {
+        if (new)
                hlist_add_head(&new->hash, head);
-                kref_get(&new->ref);
-        }
        spin_unlock(&auth_domain_lock);
        return new;
 }
diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
index 96521f16342b..64ca1f61dd94 100644
--- a/net/sunrpc/svcsock.c
+++ b/net/sunrpc/svcsock.c
@@ -299,9 +299,15 @@ void svc_reserve(struct svc_rqst *rqstp, int space)
 static inline void
 svc_sock_put(struct svc_sock *svsk)
 {
-        if (atomic_dec_and_test(&svsk->sk_inuse) && test_bit(SK_DEAD, &svsk->sk_flags)) {
+        if (atomic_dec_and_test(&svsk->sk_inuse) &&
+                        test_bit(SK_DEAD, &svsk->sk_flags)) {
                dprintk("svc: releasing dead socket\n");
-                sock_release(svsk->sk_sock);
+                if (svsk->sk_sock->file)
+                        sockfd_put(svsk->sk_sock);
+                else
+                        sock_release(svsk->sk_sock);
+                if (svsk->sk_info_authunix != NULL)
+                        svcauth_unix_info_release(svsk->sk_info_authunix);
                kfree(svsk);
        }
 }
@@ -1604,20 +1610,13 @@ svc_delete_socket(struct svc_sock *svsk)
                if (test_bit(SK_TEMP, &svsk->sk_flags))
                        serv->sv_tmpcnt--;
-        if (!atomic_read(&svsk->sk_inuse)) {
+        /* This atomic_inc should be needed - svc_delete_socket
-                spin_unlock_bh(&serv->sv_lock);
+         * should have the semantic of dropping a reference.
-                if (svsk->sk_sock->file)
+         * But it doesn't yet....
-                        sockfd_put(svsk->sk_sock);
+         */
-                else
+        atomic_inc(&svsk->sk_inuse);
-                        sock_release(svsk->sk_sock);
+        spin_unlock_bh(&serv->sv_lock);
-                if (svsk->sk_info_authunix != NULL)
+        svc_sock_put(svsk);
-                        svcauth_unix_info_release(svsk->sk_info_authunix);
-                kfree(svsk);
-        } else {
-                spin_unlock_bh(&serv->sv_lock);
-                dprintk(KERN_NOTICE "svc: server socket destroy delayed\n");
-                /* svsk->sk_server = NULL; */
-        }
 }
 /*
diff --git a/net/tipc/port.c b/net/tipc/port.c
index c1a1a76759b5..b7f3199523ca 100644
--- a/net/tipc/port.c
+++ b/net/tipc/port.c
@@ -1136,11 +1136,12 @@ int tipc_publish(u32 ref, unsigned int scope, struct tipc_name_seq const *seq)
        int res = -EINVAL;
        p_ptr = tipc_port_lock(ref);
+        if (!p_ptr)
+                return -EINVAL;
        dbg("tipc_publ %u, p_ptr = %x, conn = %x, scope = %x, "
            "lower = %u, upper = %u\n",
            ref, p_ptr, p_ptr->publ.connected, scope, seq->lower, seq->upper);
-        if (!p_ptr)
-                return -EINVAL;
        if (p_ptr->publ.connected)
                goto exit;
        if (seq->lower > seq->upper)
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 84bbf8474f3e..899de9ed22a6 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -505,6 +505,14 @@ __xfrm_state_locate(struct xfrm_state *x, int use_spi, int family)
                                                  x->id.proto, family);
 }
+static void xfrm_hash_grow_check(int have_hash_collision)
+{
+        if (have_hash_collision &&
+            (xfrm_state_hmask + 1) < xfrm_state_hashmax &&
+            xfrm_state_num > xfrm_state_hmask)
+                schedule_work(&xfrm_hash_work);
+}
 struct xfrm_state *
 xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr, 
                struct flowi *fl, struct xfrm_tmpl *tmpl,
@@ -598,6 +606,8 @@ xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
                        x->lft.hard_add_expires_seconds = XFRM_ACQ_EXPIRES;
                        x->timer.expires = jiffies + XFRM_ACQ_EXPIRES*HZ;
                        add_timer(&x->timer);
+                        xfrm_state_num++;
+                        xfrm_hash_grow_check(x->bydst.next != NULL);
                } else {
                        x->km.state = XFRM_STATE_DEAD;
                        xfrm_state_put(x);
@@ -614,14 +624,6 @@ out:
        return x;
 }
-static void xfrm_hash_grow_check(int have_hash_collision)
-{
-        if (have_hash_collision &&
-            (xfrm_state_hmask + 1) < xfrm_state_hashmax &&
-            xfrm_state_num > xfrm_state_hmask)
-                schedule_work(&xfrm_hash_work);
-}
 static void __xfrm_state_insert(struct xfrm_state *x)
 {
        unsigned int h;
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 2b2e59d8ffbc..b43e7647e125 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -323,7 +323,7 @@ static void copy_from_user_state(struct xfrm_state *x, struct xfrm_usersa_info *
        x->props.replay_window = p->replay_window;
        x->props.reqid = p->reqid;
        x->props.family = p->family;
-        x->props.saddr = p->saddr;
+        memcpy(&x->props.saddr, &p->saddr, sizeof(x->props.saddr));
        x->props.flags = p->flags;
 }
@@ -545,7 +545,7 @@ static void copy_to_user_state(struct xfrm_state *x, struct xfrm_usersa_info *p)
        memcpy(&p->lft, &x->lft, sizeof(p->lft));
        memcpy(&p->curlft, &x->curlft, sizeof(p->curlft));
        memcpy(&p->stats, &x->stats, sizeof(p->stats));
-        p->saddr = x->props.saddr;
+        memcpy(&p->saddr, &x->props.saddr, sizeof(p->saddr));
        p->mode = x->props.mode;
        p->replay_window = x->props.replay_window;
        p->reqid = x->props.reqid;