diff --git a/CVE-2017-9074-2-ipv6-Check-ip6_find_1stfragopt-return-value-properly.patch b/CVE-2017-9074-2-ipv6-Check-ip6_find_1stfragopt-return-value-properly.patch
new file mode 100644
index 0000000..81a64c7
--- /dev/null
+++ b/CVE-2017-9074-2-ipv6-Check-ip6_find_1stfragopt-return-value-properly.patch
@@ -0,0 +1,96 @@
+From 7dd7eb9513bd02184d45f000ab69d78cb1fa1531 Mon Sep 17 00:00:00 2001
+From: "David S. Miller" <davem@davemloft.net>
+Date: Wed, 17 May 2017 22:54:11 -0400
+Subject: [PATCH] ipv6: Check ip6_find_1stfragopt() return value properly.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Do not use unsigned variables to see if it returns a negative
+error or not.
+
+Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options")
+Reported-by: Julia Lawall <julia.lawall@lip6.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+---
+ net/ipv6/ip6_offload.c | 9 ++++-----
+ net/ipv6/ip6_output.c  | 7 +++----
+ net/ipv6/udp_offload.c | 8 +++++---
+ 3 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c
+index eab36abc9f22..280268f1dd7b 100644
+--- a/net/ipv6/ip6_offload.c
++++ b/net/ipv6/ip6_offload.c
+@@ -63,7 +63,6 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb,
+ 	const struct net_offload *ops;
+ 	int proto;
+ 	struct frag_hdr *fptr;
+-	unsigned int unfrag_ip6hlen;
+ 	unsigned int payload_len;
+ 	u8 *prevhdr;
+ 	int offset = 0;
+@@ -116,10 +115,10 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb,
+ 		skb->network_header = (u8 *)ipv6h - skb->head;
+ 
+ 		if (udpfrag) {
+-			unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
+-			if (unfrag_ip6hlen < 0)
+-				return ERR_PTR(unfrag_ip6hlen);
+-			fptr = (struct frag_hdr *)((u8 *)ipv6h + unfrag_ip6hlen);
++			int err = ip6_find_1stfragopt(skb, &prevhdr);
++			if (err < 0)
++				return ERR_PTR(err);
++			fptr = (struct frag_hdr *)((u8 *)ipv6h + err);
+ 			fptr->frag_off = htons(offset);
+ 			if (skb->next)
+ 				fptr->frag_off |= htons(IP6_MF);
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index 01deecda2f84..d4a31becbd25 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -597,11 +597,10 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
+ 	int ptr, offset = 0, err = 0;
+ 	u8 *prevhdr, nexthdr = 0;
+ 
+-	hlen = ip6_find_1stfragopt(skb, &prevhdr);
+-	if (hlen < 0) {
+-		err = hlen;
++	err = ip6_find_1stfragopt(skb, &prevhdr);
++	if (err < 0)
+ 		goto fail;
+-	}
++	hlen = err;
+ 	nexthdr = *prevhdr;
+ 
+ 	mtu = ip6_skb_dst_mtu(skb);
+diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c
+index b348cff47395..a2267f80febb 100644
+--- a/net/ipv6/udp_offload.c
++++ b/net/ipv6/udp_offload.c
+@@ -29,6 +29,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
+ 	u8 frag_hdr_sz = sizeof(struct frag_hdr);
+ 	__wsum csum;
+ 	int tnl_hlen;
++	int err;
+ 
+ 	mss = skb_shinfo(skb)->gso_size;
+ 	if (unlikely(skb->len <= mss))
+@@ -90,9 +91,10 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
+ 		/* Find the unfragmentable header and shift it left by frag_hdr_sz
+ 		 * bytes to insert fragment header.
+ 		 */
+-		unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
+-		if (unfrag_ip6hlen < 0)
+-			return ERR_PTR(unfrag_ip6hlen);
++		err = ip6_find_1stfragopt(skb, &prevhdr);
++		if (err < 0)
++			return ERR_PTR(err);
++		unfrag_ip6hlen = err;
+ 		nexthdr = *prevhdr;
+ 		*prevhdr = NEXTHDR_FRAGMENT;
+ 		unfrag_len = (skb_network_header(skb) - skb_mac_header(skb)) +
+-- 
+2.11.0
+
diff --git a/Makefile b/Makefile
index 53699a3..13eb974 100644
--- a/Makefile
+++ b/Makefile
@@ -237,6 +237,7 @@ ${KERNEL_SRC}/README ${KERNEL_CFG_ORG}: ${KERNEL_SRC_SUBMODULE} | submodules
 	cd ${KERNEL_SRC}; patch -p1 < ../0001-netfilter-nft_set_rbtree-handle-re-addition-element-.patch # DoS from within (unpriv) containers
 	cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-8890-dccp-tcp-do-not-inherit-mc_list-from-parent.patch
 	cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-9074-ipv6-Prevent-overrun-when-parsing-v6-header-options.patch
+	cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-9074-2-ipv6-Check-ip6_find_1stfragopt-return-value-properly.patch
 	cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-9075-sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch
 	cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-9076_9077-ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch
 	cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-9242-ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch