svn commit: r367057 - stable/12/sys/netpfil/pf

Kristof Provost kp at FreeBSD.org
Mon Oct 26 13:23:41 UTC 2020


Author: kp
Date: Mon Oct 26 13:23:40 2020
New Revision: 367057
URL: https://svnweb.freebsd.org/changeset/base/367057

Log:
  MFC r366667:
  
  pf: do not remove kifs that are referenced by rules
  
  Even if a kif doesn't have an ifp or if_group pointer we still can't delete it
  if it's referenced by a rule. In other words: we must check rulerefs as well.
  
  While we're here also teach pfi_kif_unref() not to remove kifs with flags.
  
  Reported-by: syzbot+b31d1d7e12c5d4d42f28 at syzkaller.appspotmail.com

Modified:
  stable/12/sys/netpfil/pf/pf_if.c
Directory Properties:
  stable/12/   (props changed)

Modified: stable/12/sys/netpfil/pf/pf_if.c
==============================================================================
--- stable/12/sys/netpfil/pf/pf_if.c	Mon Oct 26 13:22:55 2020	(r367056)
+++ stable/12/sys/netpfil/pf/pf_if.c	Mon Oct 26 13:23:40 2020	(r367057)
@@ -258,8 +258,10 @@ pfi_kif_unref(struct pfi_kif *kif)
 	if (kif->pfik_rulerefs > 0)
 		return;
 
-	/* kif referencing an existing ifnet or group should exist. */
-	if (kif->pfik_ifp != NULL || kif->pfik_group != NULL || kif == V_pfi_all)
+	/* kif referencing an existing ifnet or group or holding flags should
+	 * exist. */
+	if (kif->pfik_ifp != NULL || kif->pfik_group != NULL ||
+	    kif == V_pfi_all || kif->pfik_flags != 0)
 		return;
 
 	RB_REMOVE(pfi_ifhead, &V_pfi_ifs, kif);
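Review bot: The new two-line comment above the `if` in pfi_kif_unref() starts its text on the `/*` line and closes with `exist. */` on the last text line; style(9) wants `/*` and `*/` on lines of their own for multi-line comments. While rewording it, the comment could also say why `V_pfi_all` is exempt, since the text only covers ifnet, group and flags. Separately, the keep test here (rulerefs, ifp, group, `V_pfi_all`, flags) is now repeated in inverted form in pfi_clear_flags(); a small shared predicate used by both callers would keep the two from drifting apart again.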
@@ -814,7 +816,7 @@ pfi_clear_flags(const char *name, int flags)
 		p->pfik_flags &= ~flags;
 
 		if (p->pfik_ifp == NULL && p->pfik_group == NULL &&
-		    p->pfik_flags == 0) {
+		    p->pfik_flags == 0 && p->pfik_rulerefs == 0) {
 			/* Delete this kif. */
 			RB_REMOVE(pfi_ifhead, &V_pfi_ifs, p);
 			free(p, PFI_MTYPE);
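Review bot: The deletion condition in pfi_clear_flags() still has no `p != V_pfi_all` term, while pfi_kif_unref() in the first hunk explicitly refuses to remove `V_pfi_all`. With `p->pfik_rulerefs == 0` added, the two checks agree on ifp, group, flags and rulerefs but not on that one. If `V_pfi_all` can never have both `pfik_ifp` and `pfik_group` NULL, a short comment saying so would settle it; otherwise add the comparison here, or call a common helper from both places so the RB_REMOVE/free path is guarded identically.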

