if_bge.c callout freed before allocation

[Emmanuel Dreyfus <manu%netbsd.org@localhost>]

hello

If bge configuration goes wrong, we call bge_release_resources() 
and free the callout while it may not have been allocated. The 
patch below works this around. Ok to commit? I am not sure bge_flags
is the right place to store this flag.

--- sys/dev/pci/if_bgereg.h     9 Feb 2024 22:08:35 -0000       1.98
+++ sys/dev/pci/if_bgereg.h     5 May 2025 08:25:17 -0000
@@ -2681,8 +2681,9 @@
 #define BGEF_40BIT_BUG         0x00100000
 #define BGEF_TAGGED_STATUS     0x00200000
 #define BGEF_RX_ALIGNBUG       0x00400000
 #define BGEF_RDMA_BUG          0x00800000
+#define BGEF_CALLOUT_VALID     0x10000000
 #define BGEF_TXRING_VALID      0x20000000
 #define BGEF_RXRING_VALID      0x40000000
 #define BGEF_JUMBO_RXRING_VALID        0x80000000
 
--- sys/dev/pci/if_bge.c        10 Nov 2024 11:44:08 -0000      1.397
+++ sys/dev/pci/if_bge.c        5 May 2025 08:25:17 -0000
@@ -4079,8 +4081,9 @@
 #endif /* BGE_EVENT_COUNTERS */
        DPRINTFN(5, ("callout_init\n"));
        callout_init(&sc->bge_timeout, CALLOUT_MPSAFE);
        callout_setfunc(&sc->bge_timeout, bge_tick, sc);
+       sc->bge_flags |= BGEF_CALLOUT_VALID;
 
        if (pmf_device_register(self, NULL, NULL))
                pmf_class_network_register(self, ifp);
        else
@@ -4136,9 +4139,12 @@
        /* Detach sysctl */
        if (sc->bge_log != NULL)
                sysctl_teardown(&sc->bge_log);
 
-       callout_destroy(&sc->bge_timeout);
+       if (sc->bge_flags & BGEF_CALLOUT_VALID) {
+               callout_destroy(&sc->bge_timeout);
+               sc->bge_flags &= ~BGEF_CALLOUT_VALID;
+       }
 
 #ifdef BGE_EVENT_COUNTERS
        /* Detach event counters. */
        evcnt_detach(&sc->bge_ev_intr);


-- 
Emmanuel Dreyfus
manu%netbsd.org@localhost