*** tcp_subr.c	Mon Sep 26 11:30:56 2011
--- tcp_subr.c	Wed Sep 28 11:20:01 2011
***************
*** 1116,1168 ****
  	if (error)
  		return (error);
  
  	inp_list = malloc(n * sizeof *inp_list, M_TEMP, M_WAITOK);
  	if (inp_list == NULL)
  		return (ENOMEM);
  
  	INP_INFO_RLOCK(&V_tcbinfo);
  	for (inp = LIST_FIRST(V_tcbinfo.ipi_listhead), i = 0;
  	    inp != NULL && i < n; inp = LIST_NEXT(inp, inp_list)) {
! 		INP_WLOCK(inp);
  		if (inp->inp_gencnt <= gencnt) {
  			/*
  			 * XXX: This use of cr_cansee(), introduced with
  			 * TCP state changes, is not quite right, but for
  			 * now, better than nothing.
  			 */
  			if (inp->inp_flags & INP_TIMEWAIT) {
  				if (intotw(inp) != NULL)
  					error = cr_cansee(req->td->td_ucred,
  					    intotw(inp)->tw_cred);
  				else
  					error = EINVAL;	/* Skip this inp. */
  			} else
  				error = cr_canseeinpcb(req->td->td_ucred, inp);
! 			if (error == 0) {
! 				in_pcbref(inp);
! 				inp_list[i++] = inp;
  			}
- 		}
- 		INP_WUNLOCK(inp);
- 	}
- 	INP_INFO_RUNLOCK(&V_tcbinfo);
- 	n = i;
- 
- 	error = 0;
- 	for (i = 0; i < n; i++) {
- 		inp = inp_list[i];
- 		INP_RLOCK(inp);
- 		if (inp->inp_gencnt <= gencnt) {
- 			struct xtcpcb xt;
- 			void *inp_ppcb;
- 
  			bzero(&xt, sizeof(xt));
  			xt.xt_len = sizeof xt;
  			/* XXX should avoid extra copy */
  			bcopy(inp, &xt.xt_inp, sizeof *inp);
  			inp_ppcb = inp->inp_ppcb;
  			if (inp_ppcb == NULL)
  				bzero((char *) &xt.xt_tp, sizeof xt.xt_tp);
  			else if (inp->inp_flags & INP_TIMEWAIT) {
  				bzero((char *) &xt.xt_tp, sizeof xt.xt_tp);
  				xt.xt_tp.t_state = TCPS_TIME_WAIT;
--- 1178,1229 ----
  	if (error)
  		return (error);
  
  	inp_list = malloc(n * sizeof *inp_list, M_TEMP, M_WAITOK);
  	if (inp_list == NULL)
  		return (ENOMEM);
  
  	INP_INFO_RLOCK(&V_tcbinfo);
  	for (inp = LIST_FIRST(V_tcbinfo.ipi_listhead), i = 0;
  	    inp != NULL && i < n; inp = LIST_NEXT(inp, inp_list)) {
! 		in_pcbref(inp);
! 		inp_list[i++] = inp;
! 	}
! 	INP_INFO_RUNLOCK(&V_tcbinfo);
! 	n = i;
! 
! 	error = 0;
! 	for (i = 0; i < n; i++) {
! 		inp = inp_list[i];
! 		INP_RLOCK(inp);
  		if (inp->inp_gencnt <= gencnt) {
+ 			struct xtcpcb xt;
+ 			void *inp_ppcb;
+ 
  			/*
  			 * XXX: This use of cr_cansee(), introduced with
  			 * TCP state changes, is not quite right, but for
  			 * now, better than nothing.
  			 */
  			if (inp->inp_flags & INP_TIMEWAIT) {
  				if (intotw(inp) != NULL)
  					error = cr_cansee(req->td->td_ucred,
  					    intotw(inp)->tw_cred);
  				else
  					error = EINVAL;	/* Skip this inp. */
  			} else
  				error = cr_canseeinpcb(req->td->td_ucred, inp);
! 			if (error) {
! 				error = 0;
! 				INP_RUNLOCK(inp);
! 				continue;
  			}
  			bzero(&xt, sizeof(xt));
  			xt.xt_len = sizeof xt;
  			/* XXX should avoid extra copy */
  			bcopy(inp, &xt.xt_inp, sizeof *inp);
  			inp_ppcb = inp->inp_ppcb;
  			if (inp_ppcb == NULL)
  				bzero((char *) &xt.xt_tp, sizeof xt.xt_tp);
  			else if (inp->inp_flags & INP_TIMEWAIT) {
  				bzero((char *) &xt.xt_tp, sizeof xt.xt_tp);
  				xt.xt_tp.t_state = TCPS_TIME_WAIT;