pf: do not remove kifs that are referenced by rules

Even if a kif doesn't have an ifp or if_group pointer we still can't delete it if it's referenced by a rule. In other words: we must check rulerefs as well. While we're here also teach pfi_kif_unref() not to remove kifs with flags. Reported-by: syzbot+b31d1d7e12c5d4d42f28@syzkaller.appspotmail.com MFC after: 2 weeks
freebsd · Oct 13, 2020 · a91340b · a91340b
1 parent 9ba70f4
commit a91340b
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/sys/netpfil/pf/pf_if.c b/sys/netpfil/pf/pf_if.c
@@ -282,8 +282,10 @@ pfi_kif_unref(struct pfi_kif *kif)
 	if (kif->pfik_rulerefs > 0)
 		return;
 
-	/* kif referencing an existing ifnet or group should exist. */
-	if (kif->pfik_ifp != NULL || kif->pfik_group != NULL || kif == V_pfi_all)
+	/* kif referencing an existing ifnet or group or holding flags should
+	 * exist. */
+	if (kif->pfik_ifp != NULL || kif->pfik_group != NULL ||
+	    kif == V_pfi_all || kif->pfik_flags != 0)
 		return;
 
 	RB_REMOVE(pfi_ifhead, &V_pfi_ifs, kif);
@@ -833,7 +835,7 @@ pfi_clear_flags(const char *name, int flags)
 		p->pfik_flags &= ~flags;
 
 		if (p->pfik_ifp == NULL && p->pfik_group == NULL &&
-		    p->pfik_flags == 0) {
+		    p->pfik_flags == 0 && p->pfik_rulerefs == 0) {
 			/* Delete this kif. */
 			RB_REMOVE(pfi_ifhead, &V_pfi_ifs, p);
 			free(p, PFI_MTYPE);