I wrote:

| This code looks suspicious... shouldn't we unlock before sorwakeup?
|
| 		/* NOTE: this was TCP_REASS() macro, but used only once */
| 		TCP_REASS_LOCK(tp);
| 		if (th->th_seq == tp->rcv_nxt &&
| 		    tp->segq.lh_first == NULL &&
| 		    tp->t_state == TCPS_ESTABLISHED) {
| 			TCP_SETUP_ACK(tp, th);
| 			tp->rcv_nxt += tlen;
| 			tiflags = th->th_flags & TH_FIN;
| 			tcpstat.tcps_rcvpack++;\
| 			tcpstat.tcps_rcvbyte += tlen;\
| 			sbappend(&(so)->so_rcv, m);
| =>			sorwakeup(so);
| 		} else {
| 			tiflags = tcp_reass(tp, th, m, &tlen);
| 			tp->t_flags |= TF_ACKNOW;
| 		}
| 		TCP_REASS_UNLOCK(tp);

Inserting a TCP_REASS_UNLOCK before the call to sorwakeup() [ => above ]
has gotten rid of the (fully reproducible) panic.  Hopefully my belief
that this doesn't lead to other nastiness is correct...

	Sean.