Index: madwifi-trunk-r3776/ath/if_ath.c
===================================================================
--- madwifi-trunk-r3776.orig/ath/if_ath.c	2008-07-17 02:23:00.000000000 +0200
+++ madwifi-trunk-r3776/ath/if_ath.c	2008-07-17 02:28:06.000000000 +0200
@@ -3334,7 +3334,6 @@
 	struct ath_softc *sc = dev->priv;
 	struct ieee80211_node *ni = NULL;
 	struct ath_buf *bf = NULL;
-	struct ether_header *eh;
 	ath_bufhead bf_head;
 	struct ath_buf *tbf;
 	struct sk_buff *tskb;
@@ -3349,6 +3348,7 @@
 	*/
 	int requeue = 0;
 #ifdef ATH_SUPERG_FF
+	struct ether_header *eh;
 	unsigned int pktlen;
 	struct ieee80211com *ic = &sc->sc_ic;
 	struct ath_txq *txq = NULL;
Index: madwifi-trunk-r3776/net80211/ieee80211_output.c
===================================================================
--- madwifi-trunk-r3776.orig/net80211/ieee80211_output.c	2008-07-17 00:21:29.000000000 +0200
+++ madwifi-trunk-r3776/net80211/ieee80211_output.c	2008-07-17 02:35:10.000000000 +0200
@@ -280,7 +280,7 @@
 	 * normal vap. */
 	if (vap->iv_xrvap && (ni == vap->iv_bss) &&
 	    vap->iv_xrvap->iv_sta_assoc) {
-		struct sk_buff *skb1 = skb_copy(skb, GFP_ATOMIC);
+		struct sk_buff *skb1 = skb_clone(skb, GFP_ATOMIC);
 		if (skb1) {
 			memset(SKB_CB(skb1), 0, sizeof(struct ieee80211_cb));
 #ifdef IEEE80211_DEBUG_REFCNT
@@ -561,7 +561,7 @@
 	struct ieee80211_key *key, struct sk_buff *skb, int ismulticast)
 {
 	/* XXX pre-calculate per node? */
-	int need_headroom = LLC_SNAPFRAMELEN + hdrsize + IEEE80211_ADDR_LEN;
+	int need_headroom = LLC_SNAPFRAMELEN + hdrsize;
 	int need_tailroom = 0;
 #ifdef ATH_SUPERG_FF
 	int isff = ATH_FF_MAGIC_PRESENT(skb);
@@ -603,109 +603,56 @@
 				need_tailroom += cip->ic_miclen;
 	}
 
-	if (skb_shared(skb)) {
-		/* Take our own reference to the node in the clone */
-		ieee80211_ref_node(SKB_NI(skb));
-		/* Unshare the node, decrementing users in the old skb */
-		skb = skb_unshare(skb, GFP_ATOMIC);
+	need_headroom -= skb_headroom(skb);
+	if (isff)
+		need_tailroom -= skb_tailroom(skb2);
+	else
+		need_tailroom -= skb_tailroom(skb);
+
+	if (need_headroom < 0)
+		need_headroom = 0;
+	if (need_tailroom < 0)
+		need_tailroom = 0;
+
+	if (skb_cloned(skb) || (need_headroom > 0) ||
+		(!isff && (need_tailroom > 0))) {
+
+		if (pskb_expand_head(skb, need_headroom, need_tailroom, GFP_ATOMIC)) {
+			IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT,
+				"%s: cannot expand storage (tail)\n", __func__);
+			goto error;
+		}
 	}
 
 #ifdef ATH_SUPERG_FF
 	if (isff) {
-		if (skb == NULL) {
-			IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT,
-				"%s: cannot unshare for encapsulation\n",
-				__func__);
-			vap->iv_stats.is_tx_nobuf++;
-			ieee80211_dev_kfree_skb(&skb2);
-
-			return NULL;
-		}
+		inter_headroom -= skb_headroom(skb2);
+		if (inter_headroom < 0)
+			inter_headroom = 0;
+		if ((skb_cloned(skb2) ||
+			(inter_headroom > 0) || (need_tailroom > 0))) {
 
-		/* first skb header */
-		if (skb_headroom(skb) < need_headroom) {
-			struct sk_buff *tmp = skb;
-			skb = skb_realloc_headroom(skb, need_headroom);
-			if (skb == NULL) {
+			if (pskb_expand_head(skb2, inter_headroom,
+				need_tailroom, GFP_ATOMIC)) {
 				IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT,
-					"%s: cannot expand storage (head1)\n",
-					__func__);
-				vap->iv_stats.is_tx_nobuf++;
-				ieee80211_dev_kfree_skb(&skb2);
-				return NULL;
-			} else
-				ieee80211_skb_copy_noderef(tmp, skb);
-			ieee80211_dev_kfree_skb(&tmp);
-			/* NB: cb[] area was copied, but not next ptr. must do that
-			 *     prior to return on success. */
-		}
-
-		/* second skb with header and tail adjustments possible */
-		if (skb_tailroom(skb2) < need_tailroom) {
-			int n = 0;
-			if (inter_headroom > skb_headroom(skb2))
-				n = inter_headroom - skb_headroom(skb2);
-			if (pskb_expand_head(skb2, n,
-			    need_tailroom - skb_tailroom(skb2), GFP_ATOMIC)) {
-				ieee80211_dev_kfree_skb(&skb2);
-				IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT,
-					"%s: cannot expand storage (tail2)\n",
-					__func__);
-				vap->iv_stats.is_tx_nobuf++;
-				/* this shouldn't happen, but don't send first ff either */
-				ieee80211_dev_kfree_skb(&skb);
+					"%s: cannot expand storage (tail)\n", __func__);
+				goto error;
 			}
-		} else if (skb_headroom(skb2) < inter_headroom) {
-			struct sk_buff *tmp = skb2;
-
-			skb2 = skb_realloc_headroom(skb2, inter_headroom);
-			if (skb2 == NULL) {
-				IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT,
-					"%s: cannot expand storage (head2)\n",
-					__func__);
-				vap->iv_stats.is_tx_nobuf++;
-				/* this shouldn't happen, but don't send first ff either */
-				ieee80211_dev_kfree_skb(&skb);
-				skb = NULL;
-			} else
-				ieee80211_skb_copy_noderef(tmp, skb);
-			ieee80211_dev_kfree_skb(&tmp);
 		}
-		if (skb) {
-			skb->next = skb2;
-		}
-		return skb;
+		skb->next = skb2;
 	}
 #endif /* ATH_SUPERG_FF */
-	if (skb == NULL) {
-		IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT,
-			"%s: cannot unshare for encapsulation\n", __func__);
-		vap->iv_stats.is_tx_nobuf++;
-	} else if (skb_tailroom(skb) < need_tailroom) {
-		int n = 0;
-		if (need_headroom > skb_headroom(skb))
-			n = need_headroom - skb_headroom(skb);
-		if (pskb_expand_head(skb, n, need_tailroom - 
-					skb_tailroom(skb), GFP_ATOMIC)) {
-			IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT,
-				"%s: cannot expand storage (tail)\n", __func__);
-			vap->iv_stats.is_tx_nobuf++;
-			ieee80211_dev_kfree_skb(&skb);
-		}
-	} else if (skb_headroom(skb) < need_headroom) {
-		struct sk_buff *tmp = skb;
-		skb = skb_realloc_headroom(skb, need_headroom);
-		/* Increment reference count after copy */
-		if (skb == NULL) {
-			IEEE80211_DPRINTF(vap, IEEE80211_MSG_OUTPUT,
-				"%s: cannot expand storage (head)\n", __func__);
-			vap->iv_stats.is_tx_nobuf++;
-		} else
-			ieee80211_skb_copy_noderef(tmp, skb);
-		ieee80211_dev_kfree_skb(&tmp);
-	}
 
 	return skb;
+
+error:
+	vap->iv_stats.is_tx_nobuf++;
+	ieee80211_dev_kfree_skb(&skb);
+#ifdef ATH_SUPERG_FF
+	if (skb2)
+		ieee80211_dev_kfree_skb(&skb2);
+#endif
+	return NULL;
 }
 
 #define	KEY_UNDEFINED(k)	((k).wk_cipher == &ieee80211_cipher_none)
Index: madwifi-trunk-r3776/net80211/ieee80211_input.c
===================================================================
--- madwifi-trunk-r3776.orig/net80211/ieee80211_input.c	2008-07-17 02:20:52.000000000 +0200
+++ madwifi-trunk-r3776/net80211/ieee80211_input.c	2008-07-17 02:30:28.000000000 +0200
@@ -713,7 +713,7 @@
 			/* ether_type must be length as FF frames are always LLC/SNAP encap'd */ 
 			frame_len = ntohs(eh_tmp->ether_type); 
 
-			skb1 = skb_copy(skb, GFP_ATOMIC);
+			skb1 = skb_clone(skb, GFP_ATOMIC);
 			if (skb1 == NULL)
 				goto err;
 			ieee80211_skb_copy_noderef(skb, skb1);
@@ -1118,7 +1118,7 @@
 
 		if (ETHER_IS_MULTICAST(eh->ether_dhost) && !netif_queue_stopped(dev)) {
 			/* Create a SKB for the BSS to send out. */
-			skb1 = skb_copy(skb, GFP_ATOMIC);
+			skb1 = skb_clone(skb, GFP_ATOMIC);
 			if (skb1)
 				SKB_NI(skb1) = ieee80211_ref_node(vap->iv_bss); 
 		}
@@ -2265,7 +2265,7 @@
 	if (filter_type && ((vap->app_filter & filter_type) == filter_type)) {
 		struct sk_buff *skb1;
 
-		skb1 = skb_copy(skb, GFP_ATOMIC);
+		skb1 = skb_clone(skb, GFP_ATOMIC);
 		if (skb1 == NULL)
 			return;
 		/* We duplicate the reference after skb_copy */