This is a note to let you know that I've just added the patch titled

    ipv6: raw: Deduct extension header length in rawv6_push_pending_frames

to the 4.19-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ipv6-raw-deduct-extension-header-length-in-rawv6_push_pending_frames.patch
and it can be found in the queue-4.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From cb3e9864cdbe35ff6378966660edbcbac955fe17 Mon Sep 17 00:00:00 2001
From: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Date: Tue, 10 Jan 2023 08:59:06 +0800
Subject: ipv6: raw: Deduct extension header length in rawv6_push_pending_frames

From: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>

commit cb3e9864cdbe35ff6378966660edbcbac955fe17 upstream.

The total cork length created by ip6_append_data includes extension
headers, so we must exclude them when comparing them against the
IPV6_CHECKSUM offset which does not include extension headers.

Reported-by: Kyle Zeng <zengyhkyle@xxxxxxxxx>
Fixes: 357b40a18b04 ("[IPV6]: IPV6_CHECKSUM socket option can corrupt kernel memory")
Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 net/ipv6/raw.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/net/ipv6/raw.c +++ b/net/ipv6/raw.c @@ -544,6 +544,7 @@ csum_copy_err: static int rawv6_push_pending_frames(struct sock *sk, struct flowi6 *fl6, struct raw6_sock *rp) { + struct ipv6_txoptions *opt; struct sk_buff *skb; int err = 0; int offset; 
@@ -561,6 +562,9 @@ static int rawv6_push_pending_frames(str offset = rp->offset; total_len = inet_sk(sk)->cork.base.length; + opt = inet6_sk(sk)->cork.opt; + total_len -= opt ? opt->opt_flen : 0; + if (offset >= total_len - 1) { err = -EINVAL; ip6_flush_pending_frames(sk);


Patches currently in stable-queue which might be from herbert@xxxxxxxxxxxxxxxxxxx are

queue-4.19/crypto-tcrypt-fix-multibuffer-skcipher-speed-test-me.patch
queue-4.19/crypto-img-hash-fix-variable-dereferenced-before-che.patch
queue-4.19/ipv6-raw-deduct-extension-header-length-in-rawv6_push_pending_frames.patch
queue-4.19/crypto-ccree-make-cc_debugfs_global_fini-available-f.patch
queue-4.19/crypto-n2-add-missing-hash-statesize.patch
queue-4.19/hwrng-geode-fix-pci-device-refcount-leak.patch
queue-4.19/hwrng-amd-fix-pci-device-refcount-leak.patch
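
Review bot: The subtraction added in the second hunk, `total_len -= opt ? opt->opt_flen : 0;`, carries no comment, and it deducts only `opt_flen` while the commit message speaks of extension headers in general. A one-line comment above it saying that the cork length includes these extension header bytes and that the IPV6_CHECKSUM offset in `rp->offset` does not would make clear why the bounds check `offset >= total_len - 1` has to run on the reduced value, and why `opt_flen` is the only field that needs to come off. Since that check is what keeps the checksum write inside the payload (the Fixes: tag points at a memory-corruption fix), it is also worth confirming in the backport that `total_len` is signed, so that a result of zero after the subtraction still takes the `-EINVAL` path; its declaration is outside the context shown here.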