rfkill: copy the name into the rfkill struct

Some users of rfkill, like NFC and cfg80211, use a dynamic name when
allocating rfkill, in those cases dev_name(). Therefore, the pointer
passed to rfkill_alloc() might not be valid forever, I specifically
found the case that the rfkill name was quite obviously an invalid
pointer (or at least garbage) when the wiphy had been renamed.

Fix this by making a copy of the rfkill name in rfkill_alloc().

Cc: stable@vger.kernel.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

1 files changed, 3 insertions, 3 deletions

diff --git a/net/rfkill/core.c b/net/rfkill/core.c
index b41e9ea2ffff..f53bf3b6558b 100644
--- a/net/rfkill/core.c
+++ b/net/rfkill/core.c
@@ -49,7 +49,6 @@
 struct rfkill {
         spinlock_t              lock;
 
-        const char              *name;
         enum rfkill_type        type;
 
         unsigned long           state;
@@ -73,6 +72,7 @@ struct rfkill {
         struct delayed_work     poll_work;
         struct work_struct      uevent_work;
         struct work_struct      sync_work;
+        char                    name[];
 };
 #define to_rfkill(d)    container_of(d, struct rfkill, dev)
 
@@ -876,14 +876,14 @@ struct rfkill * __must_check rfkill_alloc(const char *name,
         if (WARN_ON(type == RFKILL_TYPE_ALL || type >= NUM_RFKILL_TYPES))
                 return NULL;
 
-        rfkill = kzalloc(sizeof(*rfkill), GFP_KERNEL);
+        rfkill = kzalloc(sizeof(*rfkill) + strlen(name) + 1, GFP_KERNEL);
         if (!rfkill)
                 return NULL;
 
         spin_lock_init(&rfkill->lock);
         INIT_LIST_HEAD(&rfkill->node);
         rfkill->type = type;
-        rfkill->name = name;
+        strcpy(rfkill->name, name);
         rfkill->ops = ops;
         rfkill->data = ops_data;