From c2222ab4a712847a19f021f0fd67ed4aa8c5555f Mon Sep 17 00:00:00 2001
From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
Date: Wed, 6 Jul 2016 10:29:29 +0000
Subject: [PATCH] Only set the ipfilter running state to 'not running' if we
 are doing the teardown.  ipf_destroy_all() may free ipfmain in case of
 ipf_dynamic_softc being true, thus we are avoiding a possible memory modified
 after free as well.

Reported by:	Coverity
Coverity CID:	1357320
Approved by:	re (hrs)
MFC after:	10 days
---
 sys/contrib/ipfilter/netinet/mlfk_ipl.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/sys/contrib/ipfilter/netinet/mlfk_ipl.c b/sys/contrib/ipfilter/netinet/mlfk_ipl.c
index d8c40cdf79ef..371391154513 100644
--- a/sys/contrib/ipfilter/netinet/mlfk_ipl.c
+++ b/sys/contrib/ipfilter/netinet/mlfk_ipl.c
@@ -291,13 +291,14 @@ vnet_ipf_uninit(void)
 		return;
 
 	if (V_ipfmain.ipf_running >= 0) {
+
 		if (ipfdetach(&V_ipfmain) != 0)
 			return;
 
+		V_ipfmain.ipf_running = -2;
+
 		ipf_destroy_all(&V_ipfmain);
 	}
-
-	V_ipfmain.ipf_running = -2;
 }
 VNET_SYSUNINIT(vnet_ipf_uninit, SI_SUB_PROTO_FIREWALL, SI_ORDER_THIRD,
     vnet_ipf_uninit, NULL);