Message ID | a8180973-3ded-3644-585a-169589a37642@omp.ru |
---|---|
State | New |
Series | usb: gadget: function: rndis: limit # of RNDIS instances to 1000 |
Index: usb/drivers/usb/gadget/function/rndis.c =================================================================== --- usb.orig/drivers/usb/gadget/function/rndis.c +++ usb/drivers/usb/gadget/function/rndis.c @@ -865,7 +865,7 @@ EXPORT_SYMBOL_GPL(rndis_msg_parser); static inline int rndis_get_nr(void) { - return ida_simple_get(&rndis_ida, 0, 0, GFP_KERNEL); + return ida_simple_get(&rndis_ida, 0, 1000, GFP_KERNEL); } static inline void rndis_put_nr(int nr)
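Review bot: the literal 1000 passed as 'end' in rndis_get_nr() is tied to the 3-digit instance number that the commit message says NAME_TEMPLATE expects, but nothing at the call site records that link. A named constant defined next to NAME_TEMPLATE, or a one-line comment above the ida_simple_get() call, would keep the two from drifting apart if the template width ever changes. It is also worth stating in that comment that 'end' is exclusive, so the numbers handed out are 0..999 and never 1000 itself. With a finite range, running out of instance numbers is now a reachable case, so please confirm that the callers of rndis_get_nr() check for a negative return value.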
As follows from #define NAME_TEMPLATE, the procfs code in the RNDIS driver expects the # of instances to be 3-digit decimal, while the driver calls ida_simple_get() passing 0 as the 'end' argument which results in actual max instance # of INT_MAX. Limit the maximum # of RNDIS instances to 1000 which is still a lot! :-)

Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool.

Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>

---

This patch is against the 'next' branch of Felipe Balbi's 'usb.git' repo...

 drivers/usb/gadget/function/rndis.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)