From FreeBSD:

> Fix a very rare error condition:  The code to free VM back to the kernel
> as done after a quasi-recursive call to free() had modified what we
> thought we knew about the last chunk of pages.
> This bug manifested itself when I did a "make obj" from src/usr.sbin/lpr,
> then make would coredump in the lpd directory.

1 files changed, 4 insertions, 3 deletions

diff --git a/src/lib/libc/stdlib/malloc.c b/src/lib/libc/stdlib/malloc.c
index 780980e7cb..bff70c7b54 100644
--- a/src/lib/libc/stdlib/malloc.c
+++ b/src/lib/libc/stdlib/malloc.c
@@ -8,7 +8,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] = "$OpenBSD: malloc.c,v 1.12 1996/09/16 05:43:40 tholo Exp $";
+static char rcsid[] = "$OpenBSD: malloc.c,v 1.13 1996/09/19 20:38:48 tholo Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /*
@@ -1019,7 +1019,7 @@ free_pages(ptr, index, info)
     struct pginfo *info;
 {
     int i;
-    struct pgfree *pf,*pt;
+    struct pgfree *pf,*pt=0;
     u_long l;
     void *tail;
 
@@ -1090,7 +1090,6 @@ free_pages(ptr, index, info)
                 pf->next = pt->next;
                 if (pf->next)
                     pf->next->prev = pf;
-                free(pt);
             }
         } else if (pf->page == tail) {
             /* Prepend to entry */
@@ -1132,6 +1131,8 @@ free_pages(ptr, index, info)
 
         /* XXX: We could realloc/shrink the pagedir here I guess. */
     }
+    if (pt)
+        free(pt);
 }
 
 /*