pf: Ensure that we don't use kif passed to pfi_kkif_attach()

Once a kif is passed to pfi_kkif_attach() we must ensure we never re-use
it for anything else.
Set the kif to NULL afterwards to guarantee this.

Reported-by: syzbot+be5d4f4a7a4c295e659a@syzkaller.appspotmail.com
MFC after:	4 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Kristof Provost 2021-04-12 11:45:48 +02:00
parent 3da5983889
commit 5e98cae661
2 changed files with 4 additions and 0 deletions


@ -486,6 +486,7 @@ pfi_dynaddr_setup(struct pf_addr_wrap *aw, sa_family_t af)
dyn->pfid_kif = pfi_kkif_attach(kif, IFG_ALL);
else
dyn->pfid_kif = pfi_kkif_attach(kif, aw->v.ifname);
kif = NULL;
pfi_kkif_ref(dyn->pfid_kif);
dyn->pfid_net = pfi_unmask(&aw->v.a.mask);


@ -2345,6 +2345,7 @@ pf_ioctl_addrule(struct pf_krule *rule, uint32_t ticket,
rule->nr = 0;
if (rule->ifname[0]) {
rule->kif = pfi_kkif_attach(kif, rule->ifname);
kif = NULL;
pfi_kkif_ref(rule->kif);
} else
rule->kif = NULL;
@ -2962,6 +2963,7 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
if (newrule->ifname[0]) {
newrule->kif = pfi_kkif_attach(kif,
newrule->ifname);
kif = NULL;
pfi_kkif_ref(newrule->kif);
} else
newrule->kif = NULL;
@ -3747,6 +3749,7 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
}
if (pa->ifname[0]) {
pa->kif = pfi_kkif_attach(kif, pa->ifname);
kif = NULL;
pfi_kkif_ref(pa->kif);
} else
pa->kif = NULL;
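Review bot: Clearing `kif` after the attach protects these paths only if every later use of `kif` in the same function accepts NULL, and the exit and error handling of pf_ioctl_addrule() and of both pfioctl() cases lies outside the hunks shown. Presumably the cleanup code releases a `kif` that was allocated but never attached; it is worth confirming that each such site either tests `if (kif != NULL)` or calls a free routine that tolerates NULL. In the `else` branches `kif` is left set, presumably so that this cleanup can release it, and a short comment such as `/* kif not attached; released on exit */` would make that asymmetry explicit.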