From b29b68d652b7d0a164ddc4abeb13d801c0a351ce Mon Sep 17 00:00:00 2001
From: Avi Kivity <avi.kivity@gmail.com>
Date: Wed, 9 Jan 2013 18:02:58 +0200
Subject: [PATCH] mempool: fix corruption with almost-page-sized objects

When we free the last object in a page, we free the page itself, removing
it from the pool's page list.  However, pages with no free objects are not
present on the free page list, causing corruption.

The only condition under which this can happen is if there is exactly one object on a
page, so that object is simultaneously the last allocated and the last freed one.
---
 mempool.cc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/mempool.cc b/mempool.cc
index 904779de2..bcad57279 100644
--- a/mempool.cc
+++ b/mempool.cc
@@ -86,7 +86,9 @@ void pool::free(void* object)
     auto obj = static_cast<free_object*>(object);
     auto header = to_header(obj);
     if (!--header->nalloc) {
-        _free.erase(_free.iterator_to(*header));
+        if (header->local_free) {
+            _free.erase(_free.iterator_to(*header));
+        }
         // FIXME: add hysteresis
         free_page(header);
     } else {
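Review bot: The new guard relies on an implicit invariant — that a page is linked into `_free` exactly when `header->local_free` is non-null — and that invariant is maintained outside this hunk, so a later change to how `local_free` is updated would silently reintroduce the corruption this commit fixes. A comment on the new condition would pin it down: `// a page is on _free iff it has a free object (local_free != nullptr); a fully allocated page was never linked, so it must not be erased`. The mirror case, linking the page into `_free` when a full page gets its first free object, presumably lives in the `else` branch, which runs past the end of the hunk; if the project uses assertions, checking the same invariant there would catch the inverse mistake. pool::free's body continues outside the hunk.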
-- 
GitLab