Syzkaller found a dereference in igmp_leavegroup() where inm->inm_rti
is NULL. It should be set in rti_fill(), but is not if malloc(9)
fails. There is no rollback after malloc failure so the field stays
uninitialized. The code is only called from ioctl, setsockopt or
a task. Malloc should wait instead of failing, otherwise syscalls
would be unreliable. While there also put an M_WAIT in the init
code. During init malloc must not fail.
OK mvs@
Reported-by: syzbot+e22326057ccf34908d78@syzkaller.appspotmail.com
projects / openbsd / commit