kiblnd_close_conn() takes a write lock before calling kiblnd_close_conn_locked(), which changes the state of the connection to something other than ESTABLISHED.
kiblnd_launch_tx() takes a read lock and calls kiblnd_get_conn_locked(), which gets a connection off the connection list on the peer. It then unlocks and calls kiblnd_queue_tx().
When it unlocks there is a potential race: kiblnd_close_conn() could be called and the connection state set to CLOSING before kiblnd_queue_tx_locked() is called, which asserts that the connection is in the ESTABLISHED state.
This area needs more investigation to ensure any races are closed and that connection locking is handled correctly.
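The interleaving described above, as an added single-threaded C model that is not o2iblnd code: the kiblnd_* names are mirrored, but the structs, the toy lock and the `racer` hook are assumptions used to force the ordering deterministically, and launch_tx_held shows one way to remove the window in this model, not the project's fix.

```c
/* Added example, not o2iblnd code: single-threaded model of the window above. Names
 * mirror the kiblnd_* functions; structs, toy lock and `racer` hook are assumptions. */
enum conn_state { CONN_ESTABLISHED, CONN_CLOSING };
struct rwlock { int readers; int writer; };     /* only records who holds it */
struct conn   { enum conn_state state; int tx_queued; };
struct peer   { struct conn *conn; struct rwlock lock; };
static void rd_lock(struct rwlock *l) { l->readers++; }
static void wr_lock(struct rwlock *l) { l->writer++; }
static void unlock(struct rwlock *l)  { if (l->writer) l->writer--; else l->readers--; }
static int  lock_held(const struct rwlock *l) { return l->readers || l->writer; }

static void close_conn(struct peer *p)           /* kiblnd_close_conn() */
{
    wr_lock(&p->lock);
    p->conn->state = CONN_CLOSING;               /* kiblnd_close_conn_locked() */
    unlock(&p->lock);
}

/* kiblnd_queue_tx_locked(): the real LASSERT on ESTABLISHED is returned as -1 here;
 * -2 flags a caller that does not hold the lock (the "_locked" contract). */
static int queue_tx_locked(struct peer *p, struct conn *c)
{
    if (!lock_held(&p->lock)) return -2;
    if (c->state != CONN_ESTABLISHED) return -1;
    c->tx_queued++;
    return 0;
}

/* Ordering from the report; `racer` plays kiblnd_close_conn() running on another
 * CPU while the lock is dropped between lookup and queueing. */
static int launch_tx_racy(struct peer *p, void (*racer)(struct peer *))
{
    struct conn *c; int rc;
    rd_lock(&p->lock);
    c = p->conn;                                 /* kiblnd_get_conn_locked() */
    unlock(&p->lock);
    if (racer) racer(p);                         /* state flips to CLOSING here */
    rd_lock(&p->lock);                           /* kiblnd_queue_tx() */
    rc = queue_tx_locked(p, c);
    unlock(&p->lock);
    return rc;
}

/* Assumed mitigation in this model (not the project's fix): keep the read lock
 * across lookup and queueing, so the writer can only land before or after both. */
static int launch_tx_held(struct peer *p)
{
    int rc;
    rd_lock(&p->lock);
    rc = queue_tx_locked(p, p->conn);
    unlock(&p->lock);
    return rc;
}
```

With the racer in the gap, launch_tx_racy returns -1 (the point where the real LASSERT would fire) and nothing is queued; launch_tx_held queues the tx and a later close_conn() simply lands afterwards.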