If fw_loadpage fails, the size passed to free(9) is bogus. Always pass
the size returned by load_firmware instead. I hit this a few days ago,
ok?
Index: rtwn.c
===================================================================
RCS file: /d/cvs/src/sys/dev/ic/rtwn.c,v
retrieving revision 1.12
diff -u -p -p -u -r1.12 rtwn.c
--- rtwn.c 26 Jan 2017 10:57:37 -0000 1.12
+++ rtwn.c 30 Jan 2017 12:08:56 -0000
@@ -1439,14 +1439,15 @@ rtwn_load_firmware(struct rtwn_softc *sc
{
const struct r92c_fw_hdr *hdr;
u_char *fw, *ptr;
- size_t len;
+ size_t len0, len;
uint32_t reg;
int mlen, ntries, page, error;
/* Read firmware image from the filesystem. */
- error = sc->sc_ops.load_firmware(sc->sc_ops.cookie, &fw, &len);
+ error = sc->sc_ops.load_firmware(sc->sc_ops.cookie, &fw, &len0);
if (error)
return (error);
+ len = len0;
if (len < sizeof(*hdr)) {
printf("%s: firmware too short\n", sc->sc_pdev->dv_xname);
error = EINVAL;
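Review bot: The roles of `len0` and `len` are not documented at the added `len = len0;` line, so a later edit could again hand the working length to free(9) at the `fail:` label. A comment there would pin the invariant, e.g. `/* len0: size of the allocation, passed unchanged to free(9); len: bytes left to parse/upload */`. The statements that shrink `len` are outside the visible hunks, so the wording should be checked against the rest of the body. The size given to free(9) is expected to match the original allocation, so `len0` should stay write-once after the `load_firmware` call. rtwn_load_firmware starts before and continues past this hunk.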
@@ -1537,7 +1538,7 @@ rtwn_load_firmware(struct rtwn_softc *sc
goto fail;
}
fail:
- free(fw, M_DEVBUF, len);
+ free(fw, M_DEVBUF, len0);
return (error);
}
--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE