In pool_free_old(), one code path was not clearing a "next" pointer,

so the code could try to free an extent twice in certain circumstances.

diff --git a/lib/pool_alloc.c b/lib/pool_alloc.c
index e1ce50b..0fb3122 100644 (file)
--- a/lib/pool_alloc.c
+++ b/lib/pool_alloc.c
@@ -255,6 +255,7 @@ pool_free_old(alloc_pool_t p, void *addr)
                                cur->free -= skew;
                        }
                        next = cur->next;
+                       cur->next = NULL;
                }
        } else {
                next = cur->next;