usb: gadget: function: rndis: limit # of RNDIS instances to 1000

As follows from #define NAME_TEMPLATE, the procfs code in the RNDIS driver
expects the # of instances to be 3-digit decimal, while the driver calls
ida_simple_get() passing 0 as the 'end' argument which results in actual
max instance # of INT_MAX.  Limit the maximum # of RNDIS instances to 1000
which is still a lot! :-)

Found by Linux Verification Center (linuxtesting.org) with the SVACE static
analysis tool.

Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
Link: https://lore.kernel.org/r/a8180973-3ded-3644-585a-169589a37642@omp.ru
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/usb/gadget/function/rndis.c b/drivers/usb/gadget/function/rndis.c
index 10ba339bcea470c2b79b6cf19b36020556b5945c..29bf8664bf582dfc685a2dca5b8ad21ffcc08ebf 100644 (file)
--- a/drivers/usb/gadget/function/rndis.c
+++ b/drivers/usb/gadget/function/rndis.c
@@ -869,7 +869,7 @@ EXPORT_SYMBOL_GPL(rndis_msg_parser);
 
 static inline int rndis_get_nr(void)
 {
-       return ida_simple_get(&rndis_ida, 0, 0, GFP_KERNEL);
+       return ida_simple_get(&rndis_ida, 0, 1000, GFP_KERNEL);
 }
 
 static inline void rndis_put_nr(int nr)