sys/openbsd: neutralize yet another pf ioctl command

Disarms the latest reproducer[1] for the discovered "no output from test
machine" panic.

While here, tidy up and improve comments.

[1] https://syzkaller.appspot.com/bug?id=4c3b1ac22d6d7f1d9ebcad5469a28cb4562debda

4 files changed, 15 insertions, 5 deletions

diff --git a/sys/openbsd/dev_pf.txt b/sys/openbsd/dev_pf.txt
index 4dfd44aec..93ce99b06 100644
--- a/sys/openbsd/dev_pf.txt
+++ b/sys/openbsd/dev_pf.txt
@@ -9,7 +9,8 @@ include <net/if.h>
 
 include <net/pfvar.h>
 
-# This ioctl is restricted in SanitizeCall(), see init.go.
+# The following ioctl commands are restricted in neutralize(), see init.go.
+_ = DIOCCLRSTATES
 _ = DIOCKILLSTATES
 
 resource fd_pf[fd]
diff --git a/sys/openbsd/dev_pf_amd64.const b/sys/openbsd/dev_pf_amd64.const
index f5a32c62a..1a68d3d6e 100644
--- a/sys/openbsd/dev_pf_amd64.const
+++ b/sys/openbsd/dev_pf_amd64.const
@@ -1,4 +1,5 @@
 # AUTOGENERATED FILE
 AT_FDCWD = 18446744073709551516
+DIOCCLRSTATES = 3235922962
 DIOCKILLSTATES = 3235922985
 SYS_openat = 321
diff --git a/sys/openbsd/init.go b/sys/openbsd/init.go
index 6948139aa..f24f06273 100644
--- a/sys/openbsd/init.go
+++ b/sys/openbsd/init.go
@@ -15,6 +15,7 @@ func InitTarget(target *prog.Target) {
 	arch := &arch{
 		unix:           targets.MakeUnixNeutralizer(target),
 		DIOCKILLSTATES: target.GetConst("DIOCKILLSTATES"),
+		DIOCCLRSTATES:  target.GetConst("DIOCCLRSTATES"),
 		S_IFMT:         target.GetConst("S_IFMT"),
 		S_IFCHR:        target.GetConst("S_IFCHR"),
 	}
@@ -26,6 +27,7 @@ func InitTarget(target *prog.Target) {
 
 type arch struct {
 	unix           *targets.UnixNeutralizer
+	DIOCCLRSTATES  uint64
 	DIOCKILLSTATES uint64
 	S_IFMT         uint64
 	S_IFCHR        uint64
@@ -94,11 +96,11 @@ func (arch *arch) neutralize(c *prog.Call) {
 			flags.Val &= ^f
 		}
 	case "ioctl":
-		// Performing the following ioctl on a /dev/pf file descriptor
-		// causes the ssh VM connection to die. For now, just rewire it
-		// to an invalid command.
+		// Performing the following ioctl commands on a /dev/pf file
+		// descriptor causes the ssh VM connection to die. For now, just
+		// rewire them to an invalid command.
 		request := c.Args[1].(*prog.ConstArg)
-		if request.Val == arch.DIOCKILLSTATES {
+		if request.Val == arch.DIOCCLRSTATES || request.Val == arch.DIOCKILLSTATES {
 			request.Val = 0
 		}
 	case "mknodat":
diff --git a/sys/openbsd/init_test.go b/sys/openbsd/init_test.go
index 8ca641f16..c4ec0c0bb 100644
--- a/sys/openbsd/init_test.go
+++ b/sys/openbsd/init_test.go
@@ -20,11 +20,17 @@ func TestNeutralize(t *testing.T) {
 			In:  `fchflags(0x0, 0x60004)`,
 			Out: `fchflags(0x0, 0x0)`,
 		},
+		// Note, a random ioctl description used since only the command
+		// is of importance.
 		{
 			In:  `ioctl$BIOCSDIRFILT(0x0, 0xc0e04429, 0x0)`,
 			Out: `ioctl$BIOCSDIRFILT(0x0, 0x0, 0x0)`,
 		},
 		{
+			In:  `ioctl$BIOCSDIRFILT(0x0, 0xc0e04412, 0x0)`,
+			Out: `ioctl$BIOCSDIRFILT(0x0, 0x0, 0x0)`,
+		},
+		{
 			// major=22, minor=232
 			In:  `mknodat(0x0, 0x0, 0x0, 0x16e8)`,
 			Out: `mknodat(0x0, 0x0, 0x0, 0x202)`,