If fw_loadpage fails, the size passed to free(9) is bogus. Always pass the size returned by load_firmware instead. I hit this a few days ago, ok?
Index: rtwn.c =================================================================== RCS file: /d/cvs/src/sys/dev/ic/rtwn.c,v retrieving revision 1.12 diff -u -p -p -u -r1.12 rtwn.c --- rtwn.c 26 Jan 2017 10:57:37 -0000 1.12 +++ rtwn.c 30 Jan 2017 12:08:56 -0000 @@ -1439,14 +1439,15 @@ rtwn_load_firmware(struct rtwn_softc *sc { const struct r92c_fw_hdr *hdr; u_char *fw, *ptr; - size_t len; + size_t len0, len; uint32_t reg; int mlen, ntries, page, error; /* Read firmware image from the filesystem. */ - error = sc->sc_ops.load_firmware(sc->sc_ops.cookie, &fw, &len); + error = sc->sc_ops.load_firmware(sc->sc_ops.cookie, &fw, &len0); if (error) return (error); + len = len0; if (len < sizeof(*hdr)) { printf("%s: firmware too short\n", sc->sc_pdev->dv_xname); error = EINVAL; @@ -1537,7 +1538,7 @@ rtwn_load_firmware(struct rtwn_softc *sc goto fail; } fail: - free(fw, M_DEVBUF, len); + free(fw, M_DEVBUF, len0); return (error); } -- jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE