---
--- Based on andre@'s original patch available from:
--- http://people.freebsd.org/~andre/tcp_reass.c-logdebug+missingsegment-20110802.diff
---
Index: tcp_reass.c
===================================================================
--- tcp_reass.c	(revision 224238)
+++ tcp_reass.c	(working copy)
@@ -174,7 +174,9 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
 	struct tseg_qent *nq;
 	struct tseg_qent *te = NULL;
 	struct socket *so = tp->t_inpcb->inp_socket;
+	char *s = NULL;
 	int flags;
+	struct tseg_qent tqs;
 
 	INP_WLOCK_ASSERT(tp->t_inpcb);
 
@@ -212,19 +214,39 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
 		TCPSTAT_INC(tcps_rcvmemdrop);
 		m_freem(m);
 		*tlenp = 0;
+		if ((s = tcp_log_addrs(&tp->t_inpcb->inp_inc, th, NULL, NULL))) {
+			log(LOG_DEBUG, "%s; %s: queue limit reached, segment dropped\n",
+			    s, __func__);
+			free(s, M_TCPLOG);
+		}
 		return (0);
 	}
 
 	/*
 	 * Allocate a new queue entry. If we can't, or hit the zone limit
 	 * just drop the pkt.
+	 *
+	 * Use a backup structure on the stack for the missing segment when
+	 * the zone is exhausted to avoid the connection stalling.
 	 */
 	te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);
-	if (te == NULL) {
+	if (te == NULL && th->th_seq != tp->rcv_nxt) {
 		TCPSTAT_INC(tcps_rcvmemdrop);
 		m_freem(m);
 		*tlenp = 0;
+		if ((s = tcp_log_addrs(&tp->t_inpcb->inp_inc, th, NULL, NULL))) {
+			log(LOG_DEBUG, "%s; %s: global zone limit reached, "
+			    "segment dropped\n", s, __func__);
+			free(s, M_TCPLOG);
+		}
 		return (0);
+	} else if (th->th_seq == tp->rcv_nxt) {
+		te = &tqs;
+		if ((s = tcp_log_addrs(&tp->t_inpcb->inp_inc, th, NULL, NULL))) {
+			log(LOG_DEBUG, "%s; %s: global zone limit reached, "
+			    "using stack for missing segment\n", s, __func__);
+			free(s, M_TCPLOG);
+		}
 	}
 	tp->t_segqlen++;
 
@@ -244,6 +266,9 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
 	 */
 	if (p != NULL) {
 		int i;
+
+		KASSERT(te != &tqs, "Important TCP reass assumption broke: "
+		    "p != NULL && te == &tqs");
 		/* conversion to int (in i) handles seq wraparound */
 		i = p->tqe_th->th_seq + p->tqe_len - th->th_seq;
 		if (i > 0) {
@@ -301,6 +326,8 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
 	if (p == NULL) {
 		LIST_INSERT_HEAD(&tp->t_segq, te, tqe_q);
 	} else {
+		KASSERT(te != &tqs, "Important TCP reass assumption broke: "
+		    "te == &tqs but is not being inserted at head of list.");
 		LIST_INSERT_AFTER(p, te, tqe_q);
 	}
 
@@ -309,8 +336,11 @@ present:
 	 * Present data to user, advancing rcv_nxt through
 	 * completed sequence space.
 	 */
-	if (!TCPS_HAVEESTABLISHED(tp->t_state))
+	if (!TCPS_HAVEESTABLISHED(tp->t_state)) {
+		KASSERT(te != &tqs, "Important TCP reass assumption broke: "
+		    "te == &tqs && !TCPS_HAVEESTABLISHED.");
 		return (0);
+	}
 	q = LIST_FIRST(&tp->t_segq);
 	if (!q || q->tqe_th->th_seq != tp->rcv_nxt)
 		return (0);
@@ -324,7 +354,8 @@ present:
 			m_freem(q->tqe_m);
 		else
 			sbappendstream_locked(&so->so_rcv, q->tqe_m);
-		uma_zfree(V_tcp_reass_zone, q);
+		if (q != &tqs)
+			uma_zfree(V_tcp_reass_zone, q);
 		tp->t_segqlen--;
 		q = nq;
 	} while (q && q->tqe_th->th_seq == tp->rcv_nxt);