Re: [PATCH v2] wifi: iwlegacy: 3945-rs: fix possible null-pointer dereferences in il3945_rs_get_rate()

[Tuo Li]

Hi Johannes,

On Thu, Jan 8, 2026 at 8:02 PM Johannes Berg <johannes@xxxxxxxxxxxxxxxx> wrote:
> I can apply this if you want, but for the record,
>
> > > +++ b/drivers/net/wireless/intel/iwlegacy/3945-rs.c
> > > @@ -626,10 +626,15 @@ il3945_rs_get_rate(void *il_r, struct ieee80211_sta *sta, void *il_sta,
> > >
> > >     D_RATE("enter\n");
> > >
> > > +   if (!il_sta) {
> > > +           D_RATE("leave: No STA il data to update!\n");
> > > +           return;
> > > +   }
> > > +
>
> I don't see how this would be possible. _Maybe_ the other one, but I
> can't figure out any scenario in mac80211 where it could happen either.
>
> johannes

Thanks for the clarification.

I don't have a concrete mac80211 execution path that would result in
il_sta being NULL here either. This issue was reported by a static
analysis tool, and after reviewing the code I noticed that the handling is
not consistent with il3945_rs_tx_status(), which is why I submitted this
patch to add a defensive check.

If you believe this situation cannot occur in practice and the additional
check is unnecessary, I'm fine with dropping this change.

Thanks for taking the time to review this.

Best regards,
Tuo