diff --git a/sys/i386/i386/sys_machdep.c b/sys/i386/i386/sys_machdep.c
index f6aca9cd749..7619db7c22d 100644
--- a/sys/i386/i386/sys_machdep.c
+++ b/sys/i386/i386/sys_machdep.c
@@ -526,6 +526,14 @@ user_ldt_free(struct thread *td)
 	}
 
 	mdp->md_ldt = NULL;
+	user_ldt_deref(pldt);
+}
+
+void
+user_ldt_deref(struct proc_ldt *pldt)
+{
+
+	mtx_assert(&dt_lock, MA_OWNED);
 	if (--pldt->ldt_refcnt == 0) {
 		mtx_unlock_spin(&dt_lock);
 		kmem_free(kernel_map, (vm_offset_t)pldt->ldt_base,
diff --git a/sys/i386/i386/vm_machdep.c b/sys/i386/i386/vm_machdep.c
index 71a995263d4..36873a83fb3 100644
--- a/sys/i386/i386/vm_machdep.c
+++ b/sys/i386/i386/vm_machdep.c
@@ -158,17 +158,17 @@ cpu_fork(td1, p2, td2, flags)
 		if ((flags & RFMEM) == 0) {
 			/* unshare user LDT */
 			struct mdproc *mdp1 = &p1->p_md;
-			struct proc_ldt *pldt;
+			struct proc_ldt *pldt, *pldt1;
 
 			mtx_lock_spin(&dt_lock);
-			if ((pldt = mdp1->md_ldt) != NULL &&
-			    pldt->ldt_refcnt > 1) {
-				pldt = user_ldt_alloc(mdp1, pldt->ldt_len);
+			if ((pldt1 = mdp1->md_ldt) != NULL &&
+			    pldt1->ldt_refcnt > 1) {
+				pldt = user_ldt_alloc(mdp1, pldt1->ldt_len);
 				if (pldt == NULL)
 					panic("could not copy LDT");
 				mdp1->md_ldt = pldt;
 				set_user_ldt(mdp1);
-				user_ldt_free(td1);
+				user_ldt_deref(pldt1);
 			} else
 				mtx_unlock_spin(&dt_lock);
 		}
diff --git a/sys/i386/include/proc.h b/sys/i386/include/proc.h
index d33f7be6529..1e0b9f9db10 100644
--- a/sys/i386/include/proc.h
+++ b/sys/i386/include/proc.h
@@ -71,6 +71,7 @@ struct mdproc {
 void 	set_user_ldt(struct mdproc *);
 struct 	proc_ldt *user_ldt_alloc(struct mdproc *, int);
 void 	user_ldt_free(struct thread *);
+void	user_ldt_deref(struct proc_ldt *pldt);
 
 extern struct mtx dt_lock;