commit 8315f1ea26626b1b2c814c35032944bca8615fa8
Author: Randall Stewart
Date: Fri Jul 31 10:03:32 2020 +0000
The recent changes to move the ref count increment back from the end of the function created an issue. If one of the routines returns NULL during setup we have inp's with extra references (which is why the increment was at the end). Also the stack switch return code was being ignored and actually has meaning if the stack cannot take over it should return NULL. Fix both of these situation by being sure to test the return code and of course in any case of return NULL (there are 3) make sure we properly reduce the ref count.
Sponsored by: Netflix Inc.
Differential Revision: https://reviews.freebsd.org/D25903
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 777fd7200cc..bf4b413bd4d 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -1713,6 +1713,7 @@ tcp_newtcpcb(struct inpcb *inp)
 if (CC_ALGO(tp)->cb_init(tp->ccv) > 0) {
 if (tp->t_fb->tfb_tcp_fb_fini)
 (*tp->t_fb->tfb_tcp_fb_fini)(tp, 1);
+ in_pcbrele_wlocked(inp);
 refcount_release(&tp->t_fb->tfb_refcnt);
 uma_zfree(V_tcpcb_zone, tm);
 return (NULL);
@@ -1723,6 +1724,7 @@ tcp_newtcpcb(struct inpcb *inp)
 if (khelp_init_osd(HELPER_CLASS_TCP, tp->osd)) {
 if (tp->t_fb->tfb_tcp_fb_fini)
 (*tp->t_fb->tfb_tcp_fb_fini)(tp, 1);
+ in_pcbrele_wlocked(inp);
 refcount_release(&tp->t_fb->tfb_refcnt);
 uma_zfree(V_tcpcb_zone, tm);
 return (NULL);
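Review bot: The return value of the added `in_pcbrele_wlocked(inp)` is discarded on both failure paths here (cb_init and khelp_init_osd) and again on the tfb_tcp_fb_init path in the next hunk; in this API the return indicates whether the release just freed the inpcb, and if that ever happened the caller would get NULL back while holding a dangling inp. That presumably cannot occur because the caller still owns the reference it took before calling tcp_newtcpcb, so only the tcpcb's own reference from in_pcbref() is being dropped, but nothing in the hunk records that invariant. A one-line comment at the first of these releases would make the ownership explicit, e.g. `/* Drop only the tcpcb's reference; the caller still holds its own. */`. tcp_newtcpcb begins and ends outside these hunks.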
@@ -1783,7 +1785,12 @@ tcp_newtcpcb(struct inpcb *inp)
 tcp_log_tcpcbinit(tp);
 #endif
 if (tp->t_fb->tfb_tcp_fb_init) {
- (*tp->t_fb->tfb_tcp_fb_init)(tp);
+ if ((*tp->t_fb->tfb_tcp_fb_init)(tp)) {
+ refcount_release(&tp->t_fb->tfb_refcnt);
+ in_pcbrele_wlocked(inp);
+ uma_zfree(V_tcpcb_zone, tm);
+ return (NULL);
+ }
 }
 #ifdef STATS
 if (V_tcp_perconn_stats_enable == 1)
commit c201ce0b4a747d517e0a7f9cfaa66afb1fdad426
Author: Richard Scheffenegger
Date: Tue Jul 7 12:10:59 2020 +0000
Fix KASSERT during tcp_newtcpcb when low on memory
While testing with system default cc set to cubic, and running a memory exhaustion validation, FreeBSD panics for a missing inpcb reference / lock.
Reviewed by: rgrimes (mentor), tuexen (mentor)
Approved by: rgrimes (mentor), tuexen (mentor)
MFC after: 3 weeks
Sponsored by: NetApp, Inc.
Differential Revision: https://reviews.freebsd.org/D25583
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 05e4133461f..777fd7200cc 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -1702,6 +1702,12 @@ tcp_newtcpcb(struct inpcb *inp)
 KASSERT(!STAILQ_EMPTY(&cc_list), ("cc_list is empty!"));
 CC_ALGO(tp) = CC_DEFAULT();
 CC_LIST_RUNLOCK();
+ /*
+ * The tcpcb will hold a reference on its inpcb until tcp_discardcb()
+ * is called.
+ */
+ in_pcbref(inp); /* Reference for tcpcb */
+ tp->t_inpcb = inp;
 if (CC_ALGO(tp)->cb_init != NULL)
 if (CC_ALGO(tp)->cb_init(tp->ccv) > 0) {
@@ -1746,12 +1752,6 @@ tcp_newtcpcb(struct inpcb *inp)
 if (V_tcp_do_sack)
 tp->t_flags |= TF_SACK_PERMIT;
 TAILQ_INIT(&tp->snd_holes);
- /*
- * The tcpcb will hold a reference on its inpcb until tcp_discardcb()
- * is called.
- */
- in_pcbref(inp); /* Reference for tcpcb */
- tp->t_inpcb = inp;
 /*
 * Init srtt to TCPTV_SRTTBASE (0), so we can tell that we have no
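Review bot: The new failure path after a non-zero return from `tfb_tcp_fb_init` releases the stack refcount and the inp reference and frees the tcpcb, but unlike the two earlier NULL paths it never calls `tfb_tcp_fb_fini`; that is presumably deliberate (init did not complete), yet it silently makes every stack's init responsible for undoing its own partial state before returning non-zero, and that contract is not written down anywhere in the hunk. A comment on the new branch such as `/* Stack refused the tcpcb; it must have cleaned up its own state, so tfb_tcp_fb_fini is not called. */` would record this. As a matter of style, the teardown order here (`refcount_release` before `in_pcbrele_wlocked`) is the reverse of the other two paths; aligning it would make the three cleanups read as one pattern. tcp_newtcpcb's body continues on both sides of this hunk.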