2018-12-24 13:00:05

by Sergey Nazarov

Subject: Incorrect use IPCB in icmp_send code

Hello!
The icmp_send routine calls ip_option_echo, which uses IPCB to get the skbuff's compiled IP options.
But icmp_send could be called from the TCP level too (security_sock_rcv_skb - cipso_v4_error for an INET stream connection, for example).
After moving the IP header data to the end of struct tcp_skb_cb, this could lead to memory corruption when copying IP options.
Thanks.
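
A user-space model of the control-block aliasing described in this report, added here as an illustration; it is not code from the kernel or from the post's author. The `_m` structs and helper names are hypothetical, with reduced field sets rather than the kernel's real layouts.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Simplified stand-ins (assumption): reduced field sets, not the kernel's real layouts. */
struct ip_options_m { uint32_t faddr, nexthop; uint8_t optlen, srr, rr, ts; };
struct inet_skb_parm_m { int32_t iif; struct ip_options_m opt; uint16_t flags; };
struct tcp_skb_cb_m {
    uint32_t seq, end_seq, tcp_tw_isn;
    uint8_t  tcp_flags, sacked, ip_dsfield, txstamp;
    uint32_t ack_seq;
    struct inet_skb_parm_m h4;      /* IP-layer data now lives at the end */
};
struct skb_m { unsigned char cb[48]; };  /* one scratch area shared by all layers */

/* IP layer: parsed option info is stored at the start of cb. */
static void ip_layer_fill(struct skb_m *skb, uint8_t optlen) {
    struct inet_skb_parm_m p = { .iif = 2, .opt = { .optlen = optlen } };
    memset(skb->cb, 0, sizeof skb->cb);
    memcpy(skb->cb, &p, sizeof p);
}

/* TCP layer: move the IP data to the tail, then reuse the front for TCP state. */
static void tcp_layer_fill(struct skb_m *skb, uint32_t seq, uint8_t tcp_flags) {
    struct tcp_skb_cb_m t = { .seq = seq, .end_seq = seq + 1, .tcp_flags = tcp_flags };
    memcpy(&t.h4, skb->cb, sizeof t.h4);
    memcpy(skb->cb, &t, sizeof t);
}

/* View the buffer the way an IPCB-style accessor does (struct at offset 0). */
static uint8_t optlen_as_ipcb(const struct skb_m *skb) {
    struct inet_skb_parm_m p;
    memcpy(&p, skb->cb, sizeof p);
    return p.opt.optlen;
}

/* View the buffer the way TCP-level code must: through the relocated copy. */
static uint8_t optlen_as_tcpcb(const struct skb_m *skb) {
    struct tcp_skb_cb_m t;
    memcpy(&t, skb->cb, sizeof t);
    return t.h4.opt.optlen;
}

int main(void) {
    struct skb_m skb;
    ip_layer_fill(&skb, 0);               /* constructed packet: no IP options */
    tcp_layer_fill(&skb, 0x11223344u, 0x18);
    printf("IPCB view optlen=%u, TCP view optlen=%u\n", optlen_as_ipcb(&skb), optlen_as_tcpcb(&skb));
    return 0;
}
```

In this model the offset-0 view of the constructed no-options packet reads the TCP flags byte as the option length, while the relocated copy still holds the value the IP layer stored.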