wifi: mac80211: Fix uninitialized variable with __free() in ieee80211_ml_epcs()

The cleanup attribute runs kfree() when the variable goes out of scope.
There is a possibility that the link_elems variable is uninitialized
if the loop ends before an assignment is made to this variable.
This leads to uninitialized variable bug.

Fix this by assigning link_elems to NULL.

Signed-off-by: Pagadala Yesu Anjaneyulu <pagadala.yesu.anjaneyulu@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20250609213231.eeacd3738a7b.I0f876fa1359daeec47ab3aef098255a9c23efd70@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index d26dcee5683abd8b7ac8d41821619cd99ebbc1a8..0ed68182f79b5ed2c67066aec1b0cd310c6d5c4c 100644 (file)
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -10705,8 +10705,8 @@ static void ieee80211_ml_epcs(struct ieee80211_sub_if_data *sdata,
         */
        for_each_mle_subelement(sub, (const u8 *)elems->ml_epcs,
                                elems->ml_epcs_len) {
+               struct ieee802_11_elems *link_elems __free(kfree) = NULL;
                struct ieee80211_link_data *link;
-               struct ieee802_11_elems *link_elems __free(kfree);
                u8 *pos = (void *)sub->data;
                u16 control;
                ssize_t len;