--- a/usr/src/uts/common/inet/ip/sadb.c	Mon Oct 12 12:49:44 2009 -0600
+++ b/usr/src/uts/common/inet/ip/sadb.c	Mon Oct 12 15:52:05 2009 -0400
@@ -6597,6 +6597,8 @@
 	int err;
 	ipsec_policy_head_t *polhead;
 
+	*diagnostic = 0;
+
 	/* Check for inner selectors and act appropriately */
 
 	if (innsrcext != NULL) {
@@ -6734,7 +6736,7 @@
 	ipsec_tun_pol_t *itp = NULL;
 	ipsec_policy_t *pp = NULL;
 	ipsec_selector_t sel, isel;
-	mblk_t *retmp;
+	mblk_t *retmp = NULL;
 	ip_stack_t	*ipst = ns->netstack_ip;
 
 	/* Normalize addresses */
@@ -6884,19 +6886,16 @@
 	if (pp != NULL) {
 		IPPOL_REFRELE(pp, ns);
 	}
+	ASSERT(err == 0 && diagnostic == 0);
+	if (retmp == NULL)
+		err = ENOMEM;
+bail:
 	if (itp != NULL) {
 		ITP_REFRELE(itp, ns);
 	}
-	if (retmp != NULL) {
-		return (retmp);
-	} else {
-		err = ENOMEM;
-		diagnostic = 0;
-	}
-bail:
 	samsg->sadb_msg_errno = (uint8_t)err;
 	samsg->sadb_x_msg_diagnostic = (uint16_t)diagnostic;
-	return (NULL);
+	return (retmp);
 }
 
 /*

--- a/usr/src/uts/common/inet/ip/spdsock.c	Mon Oct 12 12:49:44 2009 -0600
+++ b/usr/src/uts/common/inet/ip/spdsock.c	Mon Oct 12 15:52:05 2009 -0400
@@ -2151,13 +2151,11 @@
 					active = (spmsg->spd_msg_spdid ==
 					    SPD_ACTIVE);
 					audit_pf_policy(SPD_CLONE, cr,
-					    ns, ITP_NAME(itp), active, ENOENT,
-					    cpid);
+					    ns, NULL, active, ENOENT, cpid);
 				}
 				return;
 			}
 			spdsock_clone_node(itp, &error, NULL);
-			ITP_REFRELE(itp, ns);
 			if (audit_active) {
 				boolean_t active;
 				spd_msg_t *spmsg = (spd_msg_t *)mp->b_rptr;
@@ -2169,6 +2167,7 @@
 				audit_pf_policy(SPD_CLONE, cr, ns,
 				    ITP_NAME(itp), active, error, cpid);
 			}
+			ITP_REFRELE(itp, ns);
 		}
 	} else {
 		error = ipsec_clone_system_policy(ns);