diff --git a/sys/netinet/in_pcb.h b/sys/netinet/in_pcb.h
--- a/sys/netinet/in_pcb.h
+++ b/sys/netinet/in_pcb.h
@@ -681,6 +681,7 @@
 bool	in_pcbrele(struct inpcb *, inp_lookup_t);
 bool	in_pcbrele_rlocked(struct inpcb *);
 bool	in_pcbrele_wlocked(struct inpcb *);
+bool	in_pcbrele_rlock(struct inpcb *inp);
 
 typedef bool inp_match_t(const struct inpcb *, void *);
 struct inpcb_iterator {
diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c
--- a/sys/netinet/in_pcb.c
+++ b/sys/netinet/in_pcb.c
@@ -1744,6 +1744,23 @@
 	    in_pcbrele_rlocked(inp) : in_pcbrele_wlocked(inp));
 }
 
+/*
+ * Dereference and rlock inp, for which the caller must own the
+ * reference.  Returns true if inp no longer usable, false otherwise.
+ */
+bool
+in_pcbrele_rlock(struct inpcb *inp)
+{
+	INP_RLOCK(inp);
+	if (in_pcbrele_rlocked(inp))
+		return (true);
+	if ((inp->inp_flags & INP_FREED) != 0) {
+		INP_RUNLOCK(inp);
+		return (true);
+	}
+	return (false);
+}
+
 /*
  * Unconditionally schedule an inpcb to be freed by decrementing its
  * reference count, which should occur only after the inpcb has been detached
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -2720,8 +2720,12 @@
 				    ksr->snd_tag->sw->snd_tag_status_str !=
 				    NULL) {
 					sz = SND_TAG_STATUS_MAXLEN;
+					in_pcbref(inp);
+					INP_RUNLOCK(inp);
 					ksr->snd_tag->sw->snd_tag_status_str(
 					    ksr->snd_tag, NULL, &sz);
+					if (in_pcbrele_rlock(inp))
+						return (EDEADLK);
 					len += sz;
 				}
 			}
@@ -2739,8 +2743,11 @@
 				    kss->snd_tag->sw->snd_tag_status_str !=
 				    NULL) {
 					sz = SND_TAG_STATUS_MAXLEN;
+					INP_RUNLOCK(inp);
 					kss->snd_tag->sw->snd_tag_status_str(
 					    kss->snd_tag, NULL, &sz);
+					if (in_pcbrele_rlock(inp))
+						return (EDEADLK);
 					len += sz;
 				}
 			}
@@ -2811,8 +2818,11 @@
 			if (ksr->snd_tag != NULL &&
 			    ksr->snd_tag->sw->snd_tag_status_str != NULL) {
 				sz = SND_TAG_STATUS_MAXLEN;
+				INP_RUNLOCK(inp);
 				ksr->snd_tag->sw->snd_tag_status_str(
 				    ksr->snd_tag, buf + len, &sz);
+				if (in_pcbrele_rlock(inp))
+					return (EDEADLK);
 				len += sz;
 			}
 		}
@@ -2828,8 +2838,11 @@
 			if (kss->snd_tag != NULL &&
 			    kss->snd_tag->sw->snd_tag_status_str != NULL) {
 				sz = SND_TAG_STATUS_MAXLEN;
+				INP_RUNLOCK(inp);
 				kss->snd_tag->sw->snd_tag_status_str(
 				    kss->snd_tag, buf + len, &sz);
+				if (in_pcbrele_rlock(inp))
+					return (EDEADLK);
 				len += sz;
 			}
 		}
@@ -2858,12 +2871,23 @@
 static int
 tcp_ktlslist1(SYSCTL_HANDLER_ARGS, bool export_keys)
 {
-	int res;
+	int repeats, error;
 
-	sx_xlock(&ktlslist_lock);
-	res = tcp_ktlslist_locked(oidp, arg1, arg2, req, export_keys);
-	sx_xunlock(&ktlslist_lock);
-	return (res);
+	for (repeats = 0; repeats < 100; repeats++) {
+		if (sx_xlock_sig(&ktlslist_lock))
+			return (EINTR);
+		error = tcp_ktlslist_locked(oidp, arg1, arg2, req,
+		    export_keys);
+		sx_xunlock(&ktlslist_lock);
+		if (error != EDEADLK)
+			break;
+		if (sig_intr() != 0) {
+			error = EINTR;
+			break;
+		}
+		req->oldidx = 0;
+	}
+	return (error);
 }
 	
 static int