From 4742f4ecba886c94fb925c1bab6d14e81295ce82 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Thu, 2 Aug 2018 15:01:03 +1000
Subject: [PATCH 1/2] unlink before unlock

---
 lib/isc/pk11.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c
index cfc5e52074..f3835b6641 100644
--- a/lib/isc/pk11.c
+++ b/lib/isc/pk11.c
@@ -401,6 +401,7 @@ free_session_list(pk11_sessionlist_t *slist) {
 	LOCK(&sessionlock);
 	while (!ISC_LIST_EMPTY(*slist)) {
 		sp = ISC_LIST_HEAD(*slist);
+		ISC_LIST_UNLINK(*slist, sp, link);
 		UNLOCK(&sessionlock);
 		if (sp->session != CK_INVALID_HANDLE) {
 			rv = pkcs_C_CloseSession(sp->session);
@@ -408,7 +409,6 @@ free_session_list(pk11_sessionlist_t *slist) {
 				ret = DST_R_CRYPTOFAILURE;
 		}
 		LOCK(&sessionlock);
-		ISC_LIST_UNLINK(*slist, sp, link);
 		pk11_mem_put(sp, sizeof(*sp));
 	}
 	UNLOCK(&sessionlock);

From 05531d3a867d0c9d98a09502e297b0d30a8daed3 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 24 Aug 2018 10:41:11 +1000
Subject: [PATCH 2/2] add CHANGES note

---
 CHANGES | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGES b/CHANGES
index bb30262b79..eae6157271 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+5017.	[bug]		lib/isc/pk11.c failed to unlink the session before
+			releasing the lock which is unsafe. [GL !589]
+
 5016.	[bug]		Named could assert with overlapping filter-aaaa and
 			dns64 acls. [GL #445]