From ab46b7cd13fe40bfa32e13fe8396aeb5143b2d08 Mon Sep 17 00:00:00 2001
From: Max Wash <mbswash@gmail.com>
Date: Thu, 2 Feb 2023 16:47:32 +0000
Subject: [PATCH] sandbox: vm: fix bad array index in replenish_free_page_list

---
 sandbox/vm/zone.c | 17 +++--------------
 1 file changed, 3 insertions(+), 14 deletions(-)

diff --git a/sandbox/vm/zone.c b/sandbox/vm/zone.c
index 67c082f..9945bdc 100644
--- a/sandbox/vm/zone.c
+++ b/sandbox/vm/zone.c
@@ -164,27 +164,16 @@ static int replenish_free_page_list(vm_zone_t *z, vm_page_order_t order)
 	   take a page, split it in half, and add the sub-pages
 	   to the next order's free list. */
 	for (vm_page_order_t i = first_order_with_free; i > order; i--) {
-		queue_entry_t *pg_entry = queue_pop_front(&z->z_free_pages[order]);
+		queue_entry_t *pg_entry = queue_pop_front(&z->z_free_pages[i]);
 		vm_page_t *pg = QUEUE_CONTAINER(vm_page_t, p_free_list, pg_entry);
 
 		vm_page_t *a, *b;
 		vm_page_split(pg, &a, &b);
 
-		queue_push_back(&z->z_free_pages[order - 1], &a->p_free_list);
-		queue_push_back(&z->z_free_pages[order - 1], &b->p_free_list);
+		queue_push_back(&z->z_free_pages[i - 1], &a->p_free_list);
+		queue_push_back(&z->z_free_pages[i - 1], &b->p_free_list);
 	}
 
-	/* handle the last order separately. if the requested order is 0 (4K)
-	   handling it within the for-loop would cause an underflow */
-	queue_entry_t *pg_entry = queue_pop_front(&z->z_free_pages[order + 1]);
-	vm_page_t *pg = QUEUE_CONTAINER(vm_page_t, p_free_list, pg_entry);
-
-	vm_page_t *a, *b;
-	vm_page_split(pg, &a, &b);
-
-	queue_push_back(&z->z_free_pages[order - 1], &a->p_free_list);
-	queue_push_back(&z->z_free_pages[order - 1], &b->p_free_list);
-
 	return 0;
 }