mmm, the user program may try to connect to a different remote address?

I think all syscalls are under bgl and tcp protocol threads are under
bgl.  Even if they are not under bgl, connection creation (e.g. link
inpcb into hash tabl) is serialized by the tcp thread on cpu0.
SS_ISCONNECTING checking in soconnect may be racy, but it probably is
not the cause of this panic, since so_state is 0.

Best Regards,
sephe