--- tcp_subr.c	2011-09-26 11:30:56.000000000 -0700
+++ tcp_subr.c	2011-09-28 11:20:01.000000000 -0700
@@ -1116,53 +1178,52 @@
 	if (error)
 		return (error);
 
 	inp_list = malloc(n * sizeof *inp_list, M_TEMP, M_WAITOK);
 	if (inp_list == NULL)
 		return (ENOMEM);
 
 	INP_INFO_RLOCK(&V_tcbinfo);
 	for (inp = LIST_FIRST(V_tcbinfo.ipi_listhead), i = 0;
 	    inp != NULL && i < n; inp = LIST_NEXT(inp, inp_list)) {
-		INP_WLOCK(inp);
+		in_pcbref(inp);
+		inp_list[i++] = inp;
+	}
+	INP_INFO_RUNLOCK(&V_tcbinfo);
+	n = i;
+
+	error = 0;
+	for (i = 0; i < n; i++) {
+		inp = inp_list[i];
+		INP_RLOCK(inp);
 		if (inp->inp_gencnt <= gencnt) {
+			struct xtcpcb xt;
+			void *inp_ppcb;
+
 			/*
 			 * XXX: This use of cr_cansee(), introduced with
 			 * TCP state changes, is not quite right, but for
 			 * now, better than nothing.
 			 */
 			if (inp->inp_flags & INP_TIMEWAIT) {
 				if (intotw(inp) != NULL)
 					error = cr_cansee(req->td->td_ucred,
 					    intotw(inp)->tw_cred);
 				else
 					error = EINVAL;	/* Skip this inp. */
 			} else
 				error = cr_canseeinpcb(req->td->td_ucred, inp);
-			if (error == 0) {
-				in_pcbref(inp);
-				inp_list[i++] = inp;
+			if (error) {
+				error = 0;
+				INP_RUNLOCK(inp);
+				continue;
 			}
-		}
-		INP_WUNLOCK(inp);
-	}
-	INP_INFO_RUNLOCK(&V_tcbinfo);
-	n = i;
-
-	error = 0;
-	for (i = 0; i < n; i++) {
-		inp = inp_list[i];
-		INP_RLOCK(inp);
-		if (inp->inp_gencnt <= gencnt) {
-			struct xtcpcb xt;
-			void *inp_ppcb;
-
 			bzero(&xt, sizeof(xt));
 			xt.xt_len = sizeof xt;
 			/* XXX should avoid extra copy */
 			bcopy(inp, &xt.xt_inp, sizeof *inp);
 			inp_ppcb = inp->inp_ppcb;
 			if (inp_ppcb == NULL)
 				bzero((char *) &xt.xt_tp, sizeof xt.xt_tp);
 			else if (inp->inp_flags & INP_TIMEWAIT) {
 				bzero((char *) &xt.xt_tp, sizeof xt.xt_tp);
 				xt.xt_tp.t_state = TCPS_TIME_WAIT;