heap read after free in conflux subsystem
`conflux_mark_all_for_close()` gets called with, e.g., `unlinked->cfx->nonce` as its `nonce` argument, and then does:

```c
if (unlinked) {
  unlinked_close_or_free(unlinked);
}
/* In case it gets freed, be safe here. */
unlinked = NULL;

/* Close the linked set. It will free itself upon the close of
 * the last leg. */
conflux_t *linked = linked_pool_get(nonce, is_client);
```

When `nonce` points into `unlinked->cfx`, which `unlinked_close_or_free()` frees, we shouldn't use it after that. Compare to `linked_circuit_closed()`, where we make a local copy first:

```c
/* Keep the nonce so we can use it throughout the rest of the function in
 * case we nullify the conflux object before. Reason is that in the case of a
 * full teardown, this function becomes basically recursive and so we must
 * nullify the conflux object of this circuit now before the recursiveness
 * starts leading to all legs being removed and thus not noticing if we are
 * the last or the first.
 *
 * Not the prettiest but that is the price to pay to live in the C-tor maze
 * and protected by balrogs. */
memcpy(nonce, circ->conflux->nonce, sizeof(nonce));
```

So we seemed aware of the issue; we just didn't handle it in all cases.

Bug found while working with a nice person who does not request credit.
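A stripped-down model of the pattern above, added here as an example and not Tor's own code: the struct layouts, the fixed-size pool and the 32-byte nonce are assumptions, and the close function applies the same copy-before-free fix that `linked_circuit_closed()` uses.

```c
/* Added example: minimal model of the conflux nonce pattern, not Tor's code.
 * Struct names, pool shape and NONCE_LEN are assumptions for illustration. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define NONCE_LEN 32

typedef struct conflux_t { uint8_t nonce[NONCE_LEN]; } conflux_t;
typedef struct unlinked_t { conflux_t *cfx; } unlinked_t;

/* Hypothetical "linked pool": a fixed array standing in for Tor's lookup. */
static conflux_t *linked_pool[4];

static conflux_t *linked_pool_get(const uint8_t *nonce) {
  for (size_t i = 0; i < 4; i++) {
    if (linked_pool[i] && memcmp(linked_pool[i]->nonce, nonce, NONCE_LEN) == 0)
      return linked_pool[i];
  }
  return NULL;
}

/* Frees the unlinked set together with its conflux object: exactly the
 * point where a `nonce` pointer into unlinked->cfx becomes dangling. */
static void unlinked_close_or_free(unlinked_t *unlinked) {
  free(unlinked->cfx);
  free(unlinked);
}

/* Safe variant: copy the nonce into a local buffer *before* freeing, then use
 * only the copy. Returns the linked conflux found (or NULL) for checking. */
static conflux_t *mark_all_for_close_safe(unlinked_t *unlinked, const uint8_t *nonce) {
  uint8_t nonce_copy[NONCE_LEN];
  memcpy(nonce_copy, nonce, sizeof(nonce_copy)); /* nonce may live in unlinked->cfx */
  if (unlinked) {
    unlinked_close_or_free(unlinked);
  }
  unlinked = NULL;
  /* The buggy version reads `nonce` here; after the free that is a read of
   * freed memory whenever nonce == unlinked->cfx->nonce. The copy is valid. */
  return linked_pool_get(nonce_copy);
}

/* Builds the scenario: an unlinked set and a linked set sharing one nonce,
 * with the nonce argument pointing into the object that gets freed. */
static conflux_t *demo_shared_nonce(void) {
  conflux_t *linked = calloc(1, sizeof(*linked));
  memset(linked->nonce, 0xAB, NONCE_LEN);
  linked_pool[0] = linked;
  unlinked_t *unlinked = calloc(1, sizeof(*unlinked));
  unlinked->cfx = calloc(1, sizeof(*unlinked->cfx));
  memcpy(unlinked->cfx->nonce, linked->nonce, NONCE_LEN);
  return mark_all_for_close_safe(unlinked, unlinked->cfx->nonce);
}
```

Running the same scenario through the original ordering under ASan would flag the `linked_pool_get(nonce, ...)` read as a heap-use-after-free; with the copy it resolves the linked set correctly.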