sandbox: vm: fix bad array index in replenish_free_page_list

sandbox/vm/zone.c

@@ -164,27 +164,16 @@ static int replenish_free_page_list(vm_zone_t *z, vm_page_order_t order)
 	   take a page, split it in half, and add the sub-pages
 	   to the next order's free list. */
 	for (vm_page_order_t i = first_order_with_free; i > order; i--) {
-		queue_entry_t *pg_entry = queue_pop_front(&z->z_free_pages[order]);
+		queue_entry_t *pg_entry = queue_pop_front(&z->z_free_pages[i]);
 		vm_page_t *pg = QUEUE_CONTAINER(vm_page_t, p_free_list, pg_entry);
 
 		vm_page_t *a, *b;
 		vm_page_split(pg, &a, &b);
 
-		queue_push_back(&z->z_free_pages[order - 1], &a->p_free_list);
-		queue_push_back(&z->z_free_pages[order - 1], &b->p_free_list);
+		queue_push_back(&z->z_free_pages[i - 1], &a->p_free_list);
+		queue_push_back(&z->z_free_pages[i - 1], &b->p_free_list);
 	}
 
-	/* handle the last order separately. if the requested order is 0 (4K)
-	   handling it within the for-loop would cause an underflow */
-	queue_entry_t *pg_entry = queue_pop_front(&z->z_free_pages[order + 1]);
-	vm_page_t *pg = QUEUE_CONTAINER(vm_page_t, p_free_list, pg_entry);
-
-	vm_page_t *a, *b;
-	vm_page_split(pg, &a, &b);
-
-	queue_push_back(&z->z_free_pages[order - 1], &a->p_free_list);
-	queue_push_back(&z->z_free_pages[order - 1], &b->p_free_list);
-
 	return 0;
 }