dummynet tests: attempt to provoke wf2q+ use-after-free

Attempt to provoke known use-after-free issues with WF2Q+.

Sponsored by:	Rubicon Communications, LLC ("Netgate")

tests/sys/netpfil/common/dummynet.sh

@@ -203,6 +203,59 @@ codel_cleanup()
 	firewall_cleanup $1
 }
 
+wf2q_heap_head()
+{
+	atf_set descr 'Test WF2Q+, attempting to provoke use-after-free'
+	atf_set require.user root
+}
+
+wf2q_heap_body()
+{
+	fw=$1
+	firewall_init $fw
+	dummynet_init $fw
+
+       j=dummynet_wf2q_heap_${fw}_
+
+       epair=$(vnet_mkepair)
+       epair_other=$(vnet_mkepair)
+       vnet_mkjail ${j}a ${epair}a
+       vnet_mkjail ${j}b ${epair}b ${epair_other}b
+
+       jexec ${j}a ifconfig ${epair}a up mtu 9000
+       va=$(jexec ${j}a ifconfig vlan create vlan 42 vlandev ${epair}a)
+       jexec ${j}a ifconfig ${va} 192.0.2.1/24 up #mtu 8000
+
+       jexec ${j}b ifconfig ${epair}b up mtu 9000
+       vb=$(jexec ${j}b ifconfig vlan create vlan 42 vlandev ${epair}b)
+       jexec ${j}b ifconfig ${vb} 192.0.2.2/24 up #mtu 8000
+       jexec ${j}b ifconfig ${epair_other}b up
+
+       # Sanity check
+       atf_check -s exit:0 -o ignore \
+           jexec ${j}b ping -c 1 192.0.2.1
+
+       jexec ${j}b dnctl pipe 1 config bw 10Mb queue 100 delay 500 droptail
+       jexec ${j}b dnctl sched 1 config pipe 1 type wf2q+
+       jexec ${j}b dnctl queue 1 config pipe 1 droptail
+
+       firewall_config ${j}b ${fw} \
+               "pf"    \
+                       "pass dnqueue 1"
+
+       jexec ${j}a ping -f 192.0.2.2 &
+       sleep 1
+
+       jexec ${j}b ifconfig ${vb} destroy
+
+       sleep 2
+}
+
+wf2q_heap_cleanup()
+{
+	firewall_cleanup $1
+}
+
 queue_head()
 {
 	atf_set descr 'Basic queue test'
@@ -478,6 +531,8 @@ setup_tests		\
 	codel		\
 		ipfw	\
 		pf	\
+	wf2q_heap	\
+		pf	\
 	queue		\
 		ipfw	\
 		pf	\