tcp: fix more NULL deref after prequeue changes

	arg.iov[0].iov_base = (unsigned char *)&rep;

	arg.iov[0].iov_len  = sizeof(rep.th);

	net = sk ? sock_net(sk) : dev_net(skb_dst(skb)->dev);

#ifdef CONFIG_TCP_MD5SIG

	hash_location = tcp_parse_md5sig_option(th);

	if (!sk && hash_location) {

		 * Incoming packet is checked with md5 hash with finding key,

		 * no RST generated if md5 hash doesn't match.

		 */

		sk1 = __inet_lookup_listener(dev_net(skb_dst(skb)->dev),

		sk1 = __inet_lookup_listener(net,

					     &tcp_hashinfo, ip_hdr(skb)->saddr,

					     th->source, ip_hdr(skb)->daddr,

					     ntohs(th->source), inet_iif(skb));

	if (sk)

		arg.bound_dev_if = sk->sk_bound_dev_if;

	net = dev_net(skb_dst(skb)->dev);

	arg.tos = ip_hdr(skb)->tos;

	ip_send_unicast_reply(*this_cpu_ptr(net->ipv4.tcp_sk),

			      skb, &TCP_SKB_CB(skb)->header.h4.opt,

	.queue_hash_add =	inet6_csk_reqsk_queue_hash_add,

};

static void tcp_v6_send_response(struct sk_buff *skb, u32 seq, u32 ack, u32 win,

				 u32 tsval, u32 tsecr, int oif,

				 struct tcp_md5sig_key *key, int rst, u8 tclass,

				 u32 label)

static void tcp_v6_send_response(struct sock *sk, struct sk_buff *skb, u32 seq,

				 u32 ack, u32 win, u32 tsval, u32 tsecr,

				 int oif, struct tcp_md5sig_key *key, int rst,

				 u8 tclass, u32 label)

{

	const struct tcphdr *th = tcp_hdr(skb);

	struct tcphdr *t1;

	struct sk_buff *buff;

	struct flowi6 fl6;

	struct net *net = dev_net(skb_dst(skb)->dev);

	struct net *net = sk ? sock_net(sk) : dev_net(skb_dst(skb)->dev);

	struct sock *ctl_sk = net->ipv6.tcp_sk;

	unsigned int tot_len = sizeof(struct tcphdr);

	struct dst_entry *dst;

			  (th->doff << 2);

	oif = sk ? sk->sk_bound_dev_if : 0;

	tcp_v6_send_response(skb, seq, ack_seq, 0, 0, 0, oif, key, 1, 0, 0);

	tcp_v6_send_response(sk, skb, seq, ack_seq, 0, 0, 0, oif, key, 1, 0, 0);

#ifdef CONFIG_TCP_MD5SIG

release_sk1:

#endif

}

static void tcp_v6_send_ack(struct sk_buff *skb, u32 seq, u32 ack,

			    u32 win, u32 tsval, u32 tsecr, int oif,

static void tcp_v6_send_ack(struct sock *sk, struct sk_buff *skb, u32 seq,

			    u32 ack, u32 win, u32 tsval, u32 tsecr, int oif,

			    struct tcp_md5sig_key *key, u8 tclass,

			    u32 label)

{

	tcp_v6_send_response(skb, seq, ack, win, tsval, tsecr, oif, key, 0, tclass,

			     label);

	tcp_v6_send_response(sk, skb, seq, ack, win, tsval, tsecr, oif, key, 0,

			     tclass, label);

}

static void tcp_v6_timewait_ack(struct sock *sk, struct sk_buff *skb)

	struct inet_timewait_sock *tw = inet_twsk(sk);

	struct tcp_timewait_sock *tcptw = tcp_twsk(sk);

	tcp_v6_send_ack(skb, tcptw->tw_snd_nxt, tcptw->tw_rcv_nxt,

	tcp_v6_send_ack(sk, skb, tcptw->tw_snd_nxt, tcptw->tw_rcv_nxt,

			tcptw->tw_rcv_wnd >> tw->tw_rcv_wscale,

			tcp_time_stamp + tcptw->tw_ts_offset,

			tcptw->tw_ts_recent, tw->tw_bound_dev_if, tcp_twsk_md5_key(tcptw),

	/* sk->sk_state == TCP_LISTEN -> for regular TCP_SYN_RECV

	 * sk->sk_state == TCP_SYN_RECV -> for Fast Open.

	 */

	tcp_v6_send_ack(skb, (sk->sk_state == TCP_LISTEN) ?

	tcp_v6_send_ack(sk, skb, (sk->sk_state == TCP_LISTEN) ?

			tcp_rsk(req)->snt_isn + 1 : tcp_sk(sk)->snd_nxt,

			tcp_rsk(req)->rcv_nxt,

			req->rcv_wnd, tcp_time_stamp, req->ts_recent, sk->sk_bound_dev_if,

			tcp_rsk(req)->rcv_nxt, req->rcv_wnd,

			tcp_time_stamp, req->ts_recent, sk->sk_bound_dev_if,

			tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->daddr),

			0, 0);

}