--- Plug a TCP reassembly UMA zone leak introduced in r226113 by only using
--- the backup stack queue entry when the zone is exhausted, otherwise we leak a
--- zone allocation each time we plug a hole in the reassembly queue.
---
--- Reported by:	many on freebsd-stable@ (thread: "TCP Reassembly Issues")
--- Tested by:		?
---
Index: sys/netinet/tcp_reass.c
===================================================================
--- sys/netinet/tcp_reass.c	(revision 227986)
+++ sys/netinet/tcp_reass.c	(working copy)
@@ -233,24 +233,29 @@
 	 * when the zone is exhausted. Otherwise we may get stuck.
 	 */
 	te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);
-	if (te == NULL && th->th_seq != tp->rcv_nxt) {
-		TCPSTAT_INC(tcps_rcvmemdrop);
-		m_freem(m);
-		*tlenp = 0;
-		if ((s = tcp_log_addrs(&tp->t_inpcb->inp_inc, th, NULL, NULL))) {
-			log(LOG_DEBUG, "%s; %s: global zone limit reached, "
-			    "segment dropped\n", s, __func__);
-			free(s, M_TCPLOG);
+	if (te == NULL) {
+		if (th->th_seq != tp->rcv_nxt) {
+			TCPSTAT_INC(tcps_rcvmemdrop);
+			m_freem(m);
+			*tlenp = 0;
+			if ((s = tcp_log_addrs(&tp->t_inpcb->inp_inc, th, NULL,
+			    NULL))) {
+				log(LOG_DEBUG, "%s; %s: global zone limit "
+				    "reached, segment dropped\n", s, __func__);
+				free(s, M_TCPLOG);
+			}
+			return (0);
+		} else {
+			bzero(&tqs, sizeof(struct tseg_qent));
+			te = &tqs;
+			if ((s = tcp_log_addrs(&tp->t_inpcb->inp_inc, th, NULL,
+			    NULL))) {
+				log(LOG_DEBUG,
+				    "%s; %s: global zone limit reached, using "
+				    "stack for missing segment\n", s, __func__);
+				free(s, M_TCPLOG);
+			}
 		}
-		return (0);
-	} else if (th->th_seq == tp->rcv_nxt) {
-		bzero(&tqs, sizeof(struct tseg_qent));
-		te = &tqs;
-		if ((s = tcp_log_addrs(&tp->t_inpcb->inp_inc, th, NULL, NULL))) {
-			log(LOG_DEBUG, "%s; %s: global zone limit reached, "
-			    "using stack for missing segment\n", s, __func__);
-			free(s, M_TCPLOG);
-		}
 	}
 	tp->t_segqlen++;