12976 system panics with error in IP module
Reviewed by: Andy Fiddaman <andy@omniosce.org>
Reviewed by: Paul Winder <p.winder@me.com>

@@ -19,10 +19,11 @@
  * CDDL HEADER END
  */
 /*
  * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
  * Copyright 2019 OmniOS Community Edition (OmniOSce) Association.
+ * Copyright 2020 Joyent, Inc.
  */
 
 /*
  * IP PACKET CLASSIFIER
  *

@@ -2743,11 +2744,15 @@
         if ((connp->conn_state_flags & CONN_CLOSING)) {
                 mutex_exit(&connp->conn_lock);
                 return (NULL);
         }
 
-        mutex_exit(&connp->conn_lock);
+        /*
+         * Continue to hold conn_lock because we don't want to race with an
+         * in-progress close, which will have set-to-NULL (and destroyed
+         * upper_handle, aka sonode (and vnode)) BEFORE setting CONN_CLOSING.
+         */
 
         if (connp->conn_upper_handle != NULL) {
                 vn = (*connp->conn_upcalls->su_get_vnode)
                     (connp->conn_upper_handle);
         } else if (!IPCL_IS_NONSTR(connp) && connp->conn_rq != NULL) {
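Review bot: The `su_get_vnode` upcall now runs with `conn_lock` held, but the new comment neither states that constraint nor says where the lock is released. I would extend the comment with something like `* conn_lock is dropped once vn has been obtained and held; the su_get_vnode upcall must not block or take conn_lock.` Any exit added later between this point and the relocated `mutex_exit` would also have to release the lock. The enclosing function starts and ends outside this hunk, and the line between this hunk and the next is not shown.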

@@ -2755,10 +2760,12 @@
                 if (vn != NULL)
                         VN_HOLD(vn);
                 flags |= MIB2_SOCKINFO_STREAM;
         }
 
+        mutex_exit(&connp->conn_lock);
+
         if (vn == NULL || VOP_GETATTR(vn, &attr, 0, CRED(), NULL) != 0) {
                 if (vn != NULL)
                         VN_RELE(vn);
                 return (NULL);
         }
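Review bot: Dropping `conn_lock` before `VOP_GETATTR` is only safe if `vn` already carries a hold, and this hunk shows a `VN_HOLD(vn)` only on the STREAMS branch. Whether the `su_get_vnode` upcall returns a held vnode is not visible here; if it does not, the socket path could still have the vnode freed by a concurrent close after `mutex_exit`. I would confirm the upcall's contract and state the invariant next to the release, e.g. `/* vn, if non-NULL, is held here, so conn_lock can be dropped before VOP_GETATTR(). */`. The enclosing function starts and ends outside this hunk.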