summaryrefslogtreecommitdiffstats
path: root/net (follow)
Commit message (Collapse)AuthorAgeFilesLines
* [PATCH] ieee80211: TKIP requires CRC32Chuck Ebbert2006-07-271-0/+1
| | | | | | | | | | | | | ieee80211_crypt_tkip will not work without CRC32. LD .tmp_vmlinux1 net/built-in.o: In function `ieee80211_tkip_encrypt': net/ieee80211/ieee80211_crypt_tkip.c:349: undefined reference to `crc32_le' Reported by Toralf Foerster <toralf.foerster@gmx.de> Signed-off-by: Chuck Ebbert <76306.1226@compuserve.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* [PATCH] softmac: do shared key auth in workqueueDaniel Drake2006-07-271-6/+22
| | | | | | | | | | | | | | | | | | | Johann Uhrmann reported a bcm43xx crash and Michael Buesch tracked it down to a problem with the new shared key auth code (recursive calls into the driver) This patch (effectively Michael's patch with a couple of small modifications) solves the problem by sending the authentication challenge response frame from a workqueue entry. I also removed a lone \n from the bcm43xx messages relating to authentication mode - this small change was previously discussed but not patched in. Signed-off-by: Daniel Drake <dsd@gentoo.org> Acked-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: Michael Buesch <mb@bu3sch.de> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* [IPV4/IPV6]: Setting 0 for unused port field in RAW IP recvmsg().Tetsuo Handa2006-07-262-0/+2
| | | | | | | | | | | | | | | | From: Tetsuo Handa from-linux-kernel@i-love.sakura.ne.jp The recvmsg() for raw socket seems to return random u16 value from the kernel stack memory since port field is not initialized. But I'm not sure this patch is correct. Does raw socket return any information stored in port field? [ BSD defines RAW IP recvmsg to return a sin_port value of zero. This is described in Steven's TCP/IP Illustrated Volume 2 on page 1055, which is discussing the BSD rip_input() implementation. ] Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPV4] ipmr: ip multicast route bug fix.Alexey Kuznetsov2006-07-261-6/+13
| | | | | | | | | | | | | | | IP multicast route code was reusing an skb which causes use after free and double free. From: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> Note, it is real skb_clone(), not alloc_skb(). Equeued skb contains the whole half-prepared netlink message plus room for the rest. It could be also skb_copy(), if we want to be puristic about mangling cloned data, but original copy is really not going to be used. Acked-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPV4]: Clear the whole IPCB, this clears also IPCB(skb)->flags.Guillaume Chazarain2006-07-251-1/+1
| | | | | Signed-off-by: Guillaume Chazarain <guichaz@yahoo.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPV6]: Clean skb cb on IPv6 input.Guillaume Chazarain2006-07-251-0/+2
| | | | | | | | Clear the accumulated junk in IP6CB when starting to handle an IPV6 packet. Signed-off-by: Guillaume Chazarain <guichaz@yahoo.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETFILTER]: Demote xt_sctp to EXPERIMENTALPatrick McHardy2006-07-251-2/+2
| | | | | | | | After the recent problems with all the SCTP stuff it seems reasonable to mark this as experimental. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETFILTER]: bridge netfilter: add deferred output hooks to ↵Patrick McHardy2006-07-252-0/+20
| | | | | | | | | | | feature-removal-schedule Add bridge netfilter deferred output hooks to feature-removal-schedule and disable them by default. Until their removal they will be activated by the physdev match when needed. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETFILTER]: xt_pkttype: fix mismatches on locally generated packetsPhil Oester2006-07-251-1/+11
| | | | | | | | | | | | | | | | | Locally generated broadcast and multicast packets have pkttype set to PACKET_LOOPBACK instead of PACKET_BROADCAST or PACKET_MULTICAST. This causes the pkttype match to fail to match packets of either type. The below patch remedies this by using the daddr as a hint as to broadcast|multicast. While not pretty, this seems like the only way to solve the problem short of just noting this as a limitation of the match. This resolves netfilter bugzilla #484 Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETFILTER]: SNMP NAT: fix byteorder confusionPatrick McHardy2006-07-251-2/+2
| | | | | Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETFILTER]: conntrack: fix SYSCTL=n compileAdrian Bunk2006-07-252-4/+4
| | | | | | Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETFILTER]: nf_queue: handle NF_STOP and unknown verdicts in nf_reinjectPatrick McHardy2006-07-251-5/+4
| | | | | | | | | In case of an unknown verdict or NF_STOP the packet leaks. Unknown verdicts can happen when userspace is buggy. Reinject the packet in case of NF_STOP, drop on unknown verdicts. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETFILTER]: H.323 helper: fix possible NULL-ptr dereferencePatrick McHardy2006-07-251-1/+1
| | | | | | | | | | | An RCF message containing a timeout results in a NULL-ptr dereference if no RRQ has been seen before. Noticed by the "SATURN tool", reported by Thomas Dillig <tdillig@stanford.edu> and Isil Dillig <isil@stanford.edu>. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [VLAN]: Fix link state propagationStefan Rompf2006-07-241-5/+3
| | | | | | | | | | When the queue of the underlying device is stopped at initialization time or the device is marked "not present", the state will be propagated to the vlan device and never change. Based on an analysis by Patrick McHardy. Signed-off-by: Stefan Rompf <stefan@loplof.de> ACKed-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPV6] xfrm6_tunnel: Delete debugging code.David S. Miller2006-07-241-130/+10
| | | | | | | | | | | | | | It doesn't compile, and it's dubious in several regards: 1) is enabled by non-Kconfig controlled CONFIG_* value (noted by Randy Dunlap) 2) XFRM6_TUNNEL_SPI_MAGIC is defined after it's first use 3) the debugging messages print object pointer addresses which have no meaning without context So let's just get rid of it. Signed-off-by: David S. Miller <davem@davemloft.net>
* [Bluetooth] Correct RFCOMM channel MTU for broken implementationsMarcel Holtmann2006-07-241-2/+17
| | | | | | | | | | | Some Bluetooth RFCOMM implementations try to negotiate a bigger channel MTU than we can support for a particular session. The maximum MTU for a RFCOMM session is limited through the L2CAP layer. So if the other side proposes a channel MTU that is bigger than the underlying L2CAP MTU, we should reduce it to the L2CAP MTU of the session minus five bytes for the RFCOMM headers. Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* [DCCP]: Fix default sequence window sizeIan McDonald2006-07-244-4/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | When using the default sequence window size (100) I got the following in my logs: Jun 22 14:24:09 localhost kernel: [ 1492.114775] DCCP: Step 6 failed for DATA packet, (LSWL(6279674225) <= P.seqno(6279674749) <= S.SWH(6279674324)) and (P.ackno doesn't exist or LAWL(18798206530) <= P.ackno(1125899906842620) <= S.AWH(18798206548), sending SYNC... Jun 22 14:24:09 localhost kernel: [ 1492.115147] DCCP: Step 6 failed for DATA packet, (LSWL(6279674225) <= P.seqno(6279674750) <= S.SWH(6279674324)) and (P.ackno doesn't exist or LAWL(18798206530) <= P.ackno(1125899906842620) <= S.AWH(18798206549), sending SYNC... I went to alter the default sysctl and it didn't take for new sockets. Below patch fixes this. I think the default is too low but it is what the DCCP spec specifies. As a side effect of this my rx speed using iperf goes from about 2.8 Mbits/sec to 3.5. This is still far too slow but it is a step in the right direction. Compile tested only for IPv6 but not particularly complex change. Signed off by: Ian McDonald <ian.mcdonald@jandi.co.nz> Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [TIPC]: Removing useless castsPanagiotis Issaris2006-07-222-2/+2
| | | | | | | Removing useless casts Signed-off-by: Panagiotis Issaris <takis@issaris.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPV4]: Fix nexthop realm dumping for multipath routesPatrick McHardy2006-07-221-4/+8
| | | | | | | | | | | | | Routing realms exist per nexthop, but are only returned to userspace for the first nexthop. This is due to the fact that iproute2 only allows to set the realm for the first nexthop and the kernel refuses multipath routes where only a single realm is present. Dump all realms for multipath routes to enable iproute to correctly display them. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NET]: Conversions from kmalloc+memset to k(z|c)alloc.Panagiotis Issaris2006-07-2194-334/+154
| | | | | | Signed-off-by: Panagiotis Issaris <takis@issaris.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IrDA]: Use alloc_skb() in IrDA TX pathSamuel Ortiz2006-07-2112-35/+38
| | | | | | | | | As pointed out by Christoph Hellwig, dev_alloc_skb() is not intended to be used for allocating TX sk_buff. The IrDA stack was exclusively calling dev_alloc_skb() on the TX path, and this patch fixes that. Signed-off-by: Samuel Ortiz <samuel@sortiz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [I/OAT]: net/core/user_dma.c should #include <net/netdma.h>Adrian Bunk2006-07-211-0/+1
| | | | | | | | | | | Every file should #include the headers containing the prototypes for its global functions. Especially in cases like this one where gcc can tell us through a compile error that the prototype was wrong... Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: David S. Miller <davem@davemloft.net>
* [SCTP]: ADDIP: Don't use an address as source until it is ASCONF-ACKedSridhar Samudrala2006-07-215-22/+78
| | | | | | | This implements Rules D1 and D4 of Sec 4.3 in the ADDIP draft. Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [SCTP]: Set chunk->data_accepted only if we are going to accept it.Sridhar Samudrala2006-07-211-1/+2
| | | | | | | | Currently there is a code path in sctp_eat_data() where it is possible to set this flag even when we are dropping this chunk. Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [SCTP]: Verify all the paths to a peer via heartbeat before using them.Sridhar Samudrala2006-07-216-19/+47
| | | | | | | | This patch implements Path Initialization procedure as described in Sec 2.36 of RFC4460. Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [SCTP]: Unhash the endpoint in sctp_endpoint_free().Vlad Yasevich2006-07-211-5/+6
| | | | | | | | | This prevents a race between the close of a socket and receive of an incoming packet. Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [SCTP]: Check for NULL arg to sctp_bucket_destroy().Sridhar Samudrala2006-07-211-1/+1
| | | | | Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [PKT_SCHED] netem: Fix slab corruption with netem (2nd try)Guillaume Chazarain2006-07-211-1/+3
| | | | | | | | | | | | | | | | | CONFIG_DEBUG_SLAB found the following bug: netem_enqueue() in sch_netem.c gets a pointer inside a slab object: struct netem_skb_cb *cb = (struct netem_skb_cb *)skb->cb; But then, the slab object may be freed: skb = skb_unshare(skb, GFP_ATOMIC) cb is still pointing inside the freed skb, so here is a patch to initialize cb later, and make it clear that initializing it sooner is a bad idea. [From Stephen Hemminger: leave cb unitialized in order to let gcc complain in case of use before initialization] Signed-off-by: Guillaume Chazarain <guichaz@yahoo.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPV4]: Get rid of redundant IPCB->opts initialisationHerbert Xu2006-07-216-7/+0
| | | | | | | | Now that we always zero the IPCB->opts in ip_rcv, it is no longer necessary to do so before calling netif_rx for tunneled packets. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NET] ethtool: fix oops by testing correct struct memberJeff Garzik2006-07-171-1/+1
| | | | | | Noticed by Willy Tarreau. Signed-off-by: Jeff Garzik <jeff@garzik.org>
* [PATCH] sch_htb compile fix.Dave Jones2006-07-151-1/+1
| | | | | | | | net/sched/sch_htb.c: In function 'htb_change_class': net/sched/sch_htb.c:1605: error: expected ';' before 'do_gettimeofday' Signed-off-by: Dave Jones <davej@redhat.com> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
* [PKT_SCHED] HTB: initialize upper bound properlyStephen Hemminger2006-07-151-2/+2
| | | | | | | | | | The upper bound for HTB time diff needs to be scaled to PSCHED units rather than just assuming usecs. The field mbuffer is used in TDIFF_SAFE(), as an upper bound. Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Acked-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPV4]: Clear skb cb on IP inputStephen Hemminger2006-07-141-0/+3
| | | | | | | | | | when data arrives at IP through loopback (and possibly other devices). So the field needs to be cleared before it confuses the route code. This was seen when running netem over loopback, but there are probably other device cases. Maybe this should go into stable? Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NET]: Update frag_list in pskb_trimHerbert Xu2006-07-141-26/+65
| | | | | | | | | | | | | | | | | | | | | | | | | | When pskb_trim has to defer to ___pksb_trim to trim the frag_list part of the packet, the frag_list is not updated to reflect the trimming. This will usually work fine until you hit something that uses the packet length or tail from the frag_list. Examples include esp_output and ip_fragment. Another problem caused by this is that you can end up with a linear packet with a frag_list attached. It is possible to get away with this if we audit everything to make sure that they always consult skb->len before going down onto frag_list. In fact we can do the samething for the paged part as well to avoid copying the data area of the skb. For now though, let's do the conservative fix and update frag_list. Many thanks to Marco Berizzi for helping me to track down this bug. This 4-year old bug took 3 months to track down. Marco was very patient indeed :) Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NET]: fix __sk_stream_mem_reclaimIan McDonald2006-07-131-9/+7
| | | | | | | | | | | __sk_stream_mem_reclaim is only called by sk_stream_mem_reclaim. As such the check on sk->sk_forward_alloc is not needed and can be removed. Signed-off-by: Ian McDonald <ian.mcdonald@jandi.co.nz> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* [Bluetooth] Fix deadlock in the L2CAP layerMarcel Holtmann2006-07-131-9/+9
| | | | | | | | | | | The Bluetooth L2CAP layer has 2 locks that are used in softirq context, (one spinlock and one rwlock, where the softirq usage is readlock) but where not all usages of the lock were _bh safe. The patch below corrects this. Signed-off-by: Arjan van de Ven <arjan@linux.intel.com> Signed-off-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* [Bluetooth] Let BT_HIDP depend on INPUTMarcel Holtmann2006-07-131-2/+1
| | | | | | | | | | | | | | | | | This patch lets BT_HIDP depend on instead of select INPUT. This fixes the following warning during an s390 build: net/bluetooth/hidp/Kconfig:4:warning: 'select' used by config symbol 'BT_HIDP' refer to undefined symbol 'INPUT' A dependency on INPUT also implies !S390 (and therefore makes the explicit dependency obsolete) since INPUT is not available on s390. The practical difference should be nearly zero, since INPUT is always set to y unless EMBEDDED=y (or S390=y). Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* [Bluetooth] Remaining transitions to use kzalloc()Marcel Holtmann2006-07-137-25/+16
| | | | | | This patch makes the remaining transitions to use kzalloc(). Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* [IPV4]: Fix error handling for fib_insert_node callHerbert Xu2006-07-121-1/+1
| | | | | | | | The error handling around fib_insert_node was broken because we always zeroed the error before checking it. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETROM] lockdep: fix false positiveRalf Baechle2006-07-121-0/+9
| | | | | | | | | | NETROM network devices are virtual network devices encapsulating NETROM frames into AX.25 which will be sent through an AX.25 device, so form a special "super class" of normal net devices; split their locks off into a separate class since they always nest. Signed-off-by: Ralf Baechle <ralf@linux-mips.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [ROSE] lockdep: fix false positiveRalf Baechle2006-07-121-0/+9
| | | | | | | | | | ROSE network devices are virtual network devices encapsulating ROSE frames into AX.25 which will be sent through an AX.25 device, so form a special "super class" of normal net devices; split their locks off into a separate class since they always nest. Signed-off-by: Ralf Baechle <ralf@linux-mips.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [AX.25]: Optimize AX.25 socket list lockRalf Baechle2006-07-123-13/+13
| | | | | | | | Right now all uses of the ax25_list_lock lock are _bh locks but knowing some code is only ever getting invoked from _bh context we can better. Signed-off-by: Ralf Baechle <ralf@linux-mips.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPCOMP]: Fix truesize after decompressionHerbert Xu2006-07-122-2/+4
| | | | | | | | | | | | | | | The truesize check has uncovered the fact that we forgot to update truesize after pskb_expand_head. Unfortunately pskb_expand_head can't update it for us because it's used in all sorts of different contexts, some of which would not allow truesize to be updated by itself. So the solution for now is to simply update it in IPComp. This patch also changes skb_put to __skb_put since we've just expanded tailroom by exactly that amount so we know it's there (but gcc does not). Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPV6]: Use ipv6_addr_src_scope for link address sorting.YOSHIFUJI Hideaki2006-07-121-1/+2
| | | | | | | | | | | | | | | | | | | | | In the source address selection, the address must be sorted from global to node-local. But, ifp->scope is different from the scope for source address selection. 2001::1 fe80::1 ::1 ifp->scope 0 0x02 0x01 ipv6_addr_src_scope(&ifp->addr) 0x0e 0x02 0x01 So, we need to use ipv6_addr_src_scope(&ifp->addr) for sorting. And, for backward compatibility, addresses should be sorted from new one to old one. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Acked-by: Brian Haley <brian.haley@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* [TCP] tcp_highspeed: Fix AI updates.Xiaoliang (David) Wei2006-07-121-4/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | I think there is still a problem with the AIMD parameter update in HighSpeed TCP code. Line 125~138 of the code (net/ipv4/tcp_highspeed.c): /* Update AIMD parameters */ if (tp->snd_cwnd > hstcp_aimd_vals[ca->ai].cwnd) { while (tp->snd_cwnd > hstcp_aimd_vals[ca->ai].cwnd && ca->ai < HSTCP_AIMD_MAX - 1) ca->ai++; } else if (tp->snd_cwnd < hstcp_aimd_vals[ca->ai].cwnd) { while (tp->snd_cwnd > hstcp_aimd_vals[ca->ai].cwnd && ca->ai > 0) ca->ai--; In fact, the second part (decreasing ca->ai) never decreases since the while loop's inequality is in the reverse direction. This leads to unfairness with multiple flows (once a flow happens to enjoy a higher ca->ai, it keeps enjoying that even its cwnd decreases) Here is a tentative fix (I also added a comment, trying to keep the change clear): Acked-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [MAINTAINERS]: Add proper entry for TC classifierStephen Hemminger2006-07-121-2/+0
| | | | | Acked-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETROM]: Drop lock before calling nr_destroy_socketRalf Baechle2006-07-121-1/+1
| | | | | | | | nr_destroy_socket takes the socket lock itself so it should better be called with the socket unlocked. Signed-off-by: Ralf Baechle <ralf@linux-mips.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [NETROM]: Fix locking order when establishing a NETROM circuit.Ralf Baechle2006-07-121-6/+6
| | | | | | | | | | When establishing a new circuit in nr_rx_frame the locks are taken in a different order than in the rest of the stack. This should be harmless but triggers lockdep. Either way, reordering the code a little solves the issue. Signed-off-by: Ralf Baechle <ralf@linux-mips.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [AX.25]: Fix locking of ax25 protocol function list.Ralf Baechle2006-07-121-9/+9
| | | | | | | | Delivery of AX.25 frame to the layer 3 protocols happens in softirq context so locking needs to be bh-proof. Signed-off-by: Ralf Baechle <ralf@linux-mips.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* [IPV6]: order addresses by scopeBrian Haley2006-07-121-3/+21
| | | | | | | | | | If IPv6 addresses are ordered by scope, then ipv6_dev_get_saddr() can break-out of the device addr_list for() loop when the candidate source address scope is less than the destination address scope. Signed-off-by: Brian Haley <brian.haley@hp.com> Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>