In this function, il_sta is assigned to rs_sta, and rs_sta is dereferenced at several points. If il_sta is NULL, this can lead to null-pointer dereferences. To fix this issue, add an early check for il_sta and return if it is NULL, consistent with the handling in il3945_rs_tx_status(). Signed-off-by: Tuo Li --- drivers/net/wireless/intel/iwlegacy/3945-rs.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/intel/iwlegacy/3945-rs.c b/drivers/net/wireless/intel/iwlegacy/3945-rs.c index 1826c37c090c..c13268093a6e 100644 --- a/drivers/net/wireless/intel/iwlegacy/3945-rs.c +++ b/drivers/net/wireless/intel/iwlegacy/3945-rs.c @@ -626,8 +626,13 @@ il3945_rs_get_rate(void *il_r, struct ieee80211_sta *sta, void *il_sta, D_RATE("enter\n"); + if (!il_sta) { + D_RATE("leave: No STA il data available!\n"); + return; + } + /* Treat uninitialized rate scaling data same as non-existing. */ - if (rs_sta && !rs_sta->il) { + if (!rs_sta->il) { D_RATE("Rate scaling information not initialized yet.\n"); il_sta = NULL; } -- 2.43.0
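Review bot: In the @@ -626 hunk of il3945_rs_get_rate(), the comment "Treat uninitialized rate scaling data same as non-existing" no longer matches the code. A NULL il_sta now logs and returns at once, while the !rs_sta->il branch only sets il_sta = NULL and carries on. Either return from that branch too, or reword the comment to say what the fall-through path is expected to do once il_sta is NULL. rs_sta keeps its original value after il_sta is cleared on that path, so the commit message should also say whether the later rs_sta dereferences it mentions are still reached there. Separately, the new early return leaves this void function without going any further, so it would help to state why returning at that point is acceptable here and not only in il3945_rs_tx_status().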