diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c
--- a/sys/netinet/tcp_syncache.c
+++ b/sys/netinet/tcp_syncache.c
@@ -828,8 +828,8 @@
 #endif
 inp = sotoinpcb(so);
+ INP_WLOCK_ASSERT(inp);
 inp->inp_inc.inc_fibnum = so->so_fibnum;
- INP_WLOCK(inp);
 /*
 * Exclusive pcbinfo lock is not required in syncache socket case even
 * if two inpcb locks can be acquired simultaneously:
diff --git a/sys/netinet/tcp_usrreq.c b/sys/netinet/tcp_usrreq.c
--- a/sys/netinet/tcp_usrreq.c
+++ b/sys/netinet/tcp_usrreq.c
@@ -202,7 +202,13 @@
 goto out;
 }
 tp->t_state = TCPS_CLOSED;
- INP_WUNLOCK(inp);
+ /*
+ * Unlock the inp when being called from so_create(), but do not
+ * when being called from sonewconn().
+ * sonewconn() expects the inp to be locked.
+ */
+ if (so->so_listen == NULL)
+ INP_WUNLOCK(inp);
 TCPSTATES_INC(TCPS_CLOSED);
 out:
 TCPDEBUG2(PRU_ATTACH);
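Review bot: `INP_WLOCK_ASSERT(inp)` is the only thing enforcing the new contract that the inpcb comes back from sonewconn() already write-locked, and lock assertions of this kind are normally compiled out of kernels built without INVARIANTS. On such a kernel, an attach path that returned the inpcb unlocked would go unnoticed: `inc_fibnum` would be written without the lock and a later unlock would release a lock that is not held. A comment above the assert would make the ownership transfer explicit, for example `/* inp is returned write-locked by tcp_usr_attach() via sonewconn(); this function owns the lock from here. */`. The failure paths between the sonewconn() call and this point are outside the hunk, as are the start and end of the function, so it is worth confirming that none of them returns with the lock still held.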
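Review bot: The lock state in which this attach routine returns now depends on `so->so_listen`, an implicit stand-in for "called from sonewconn()", so every caller that arrives with so_listen set must release the inpcb write lock itself or the lock leaks and the next access to that inpcb blocks or panics. Only the tcp_syncache.c change in this diff is visible as such a caller; any other sonewconn() user for TCP needs auditing, as does the work sonewconn() performs after the attach call returns, since that presumably now runs with the inpcb lock held (lock order, error unwinding). The `goto out` path above begins outside the hunk, so whether it leaves the inpcb locked in the sonewconn() case cannot be checked from here. I would state the contract in the comment, e.g. `* Returns with inp write-locked iff so->so_listen != NULL (sonewconn() path).`, and note that `so_create()` in the comment looks like it should read `socreate()`.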