Merge r205010 from head to stable/8:

Update nfsrv_getsocksndseq() for changes in TCP internals since FreeBSD 6.x:

  - so_pcb is now guaranteed to be non-NULL and valid if a valid socket
    reference is held.

  - Need to check INP_TIMEWAIT and INP_DROPPED before assuming inp_ppcb is a
    tcpcb, as it might be a tcptw or NULL otherwise.

  - tp can never be NULL by the end of the function, so only check
    TCPS_ESTABLISHED before extracting tcpcb fields.

  The NFS server arguably incorporates too many assumptions about TCP
  internals, but fixing that is left for another day.

  Reviewed by:		bz
  Reviewed and tested by:	rmacklem
  Sponsored by:		Juniper Networks

Approved by:	re (kib)

sys/fs/nfsserver/nfs_nfsdport.c

@@ -2674,24 +2674,23 @@ nfsrv_getsocksndseq(struct socket *so, tcp_seq *maxp, tcp_seq *unap)
 {
 	struct inpcb *inp;
 	struct tcpcb *tp;
-	int error = EPIPE;
 
-	INP_INFO_RLOCK(&V_tcbinfo);
 	inp = sotoinpcb(so);
-	if (inp == NULL) {
-		INP_INFO_RUNLOCK(&V_tcbinfo);
-		return (error);
-	}
+	KASSERT(inp != NULL, ("nfsrv_getsocksndseq: inp == NULL"));
 	INP_RLOCK(inp);
-	INP_INFO_RUNLOCK(&V_tcbinfo);
-	tp = intotcpcb(inp);
-	if (tp != NULL && tp->t_state == TCPS_ESTABLISHED) {
-		*maxp = tp->snd_max;
-		*unap = tp->snd_una;
-		error = 0;
+	if (inp->inp_flags & (INP_TIMEWAIT | INP_DROPPED)) {
+		INP_RUNLOCK(inp);
+		return (EPIPE);
 	}
+	tp = intotcpcb(inp);
+	if (tp->t_state != TCPS_ESTABLISHED) {
+		INP_RUNLOCK(inp);
+		return (EPIPE);
+	}
+	*maxp = tp->snd_max;
+	*unap = tp->snd_una;
 	INP_RUNLOCK(inp);
-	return (error);
+	return (0);
 }
 
 /*