From: Greg Kroah-Hartman Date: Wed, 21 Feb 2024 11:11:10 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v4.19.307~18 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c47191aeb31f07009a751c706453c0bf0d263e0f;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: fs-ntfs3-add-null-pointer-checks.patch net-bcmgenet-fix-eee-implementation.patch revert-selftests-bpf-test-tail-call-counting-with-bpf2bpf-and-data-on-stack.patch smb3-replace-smb2pdu-1-element-arrays-with-flex-arrays.patch --- diff --git a/queue-5.15/cifs-fix-off-by-one-in-smb2_query_info_init.patch b/queue-5.15/cifs-fix-off-by-one-in-smb2_query_info_init.patch deleted file mode 100644 index ca7e6aedf54..00000000000 --- a/queue-5.15/cifs-fix-off-by-one-in-smb2_query_info_init.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From harshit.m.mogalapalli@oracle.com Sun Jan 28 09:13:27 2024 -From: Harshit Mogalapalli -Date: Sun, 28 Jan 2024 09:07:58 -0800 -Subject: cifs: fix off-by-one in SMB2_query_info_init() -To: stable@vger.kernel.org -Cc: kovalev@altlinux.org, --cc=abuehaze@amazon.com, smfrench@gmail.com, greg@kroah.com, linux-cifs@vger.kernel.org, keescook@chromium.org, darren.kenny@oracle.com, pc@manguebit.com, nspmangalore@gmail.com, vegard.nossum@oracle.com, Harshit Mogalapalli -Message-ID: <20240128170759.2432089-1-harshit.m.mogalapalli@oracle.com> - -From: Harshit Mogalapalli - -Bug: After mounting the cifs fs, it complains with Resource temporarily -unavailable messages. - -[root@vm1 xfstests-dev]# ./check -g quick -s smb3 -TEST_DEV=///TEST is mounted but not a type cifs filesystem -[root@vm1 xfstests-dev]# df -df: /mnt/test: Resource temporarily unavailable - -Paul's analysis of the bug: - - Bug is related to an off-by-one in smb2_set_next_command() when - the client attempts to pad SMB2_QUERY_INFO request -- since it isn't - 8 byte aligned -- even though smb2_query_info_compound() doesn't - provide an extra iov for such padding. - - v5.15.y doesn't have - - eb3e28c1e89b ("smb3: Replace smb2pdu 1-element arrays with flex-arrays") - - and the commit does - - if (unlikely(check_add_overflow(input_len, sizeof(*req), &len) || - len > CIFSMaxBufSize)) - return -EINVAL; - - so sizeof(*req) will wrongly include the extra byte from - smb2_query_info_req::Buffer making @len unaligned and therefore causing - OOB in smb2_set_next_command(). 
- -Fixes: bfd18c0f570e4 ("smb: client: fix OOB in SMB2_query_info_init()") -Suggested-by: Paulo Alcantara -Signed-off-by: Harshit Mogalapalli -Signed-off-by: Greg Kroah-Hartman ---- - fs/cifs/smb2pdu.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/fs/cifs/smb2pdu.c -+++ b/fs/cifs/smb2pdu.c -@@ -3448,7 +3448,7 @@ SMB2_query_info_init(struct cifs_tcon *t - - iov[0].iov_base = (char *)req; - /* 1 for Buffer */ -- iov[0].iov_len = len; -+ iov[0].iov_len = len - 1; - return 0; - } - diff --git a/queue-5.15/fs-ntfs3-add-null-pointer-checks.patch b/queue-5.15/fs-ntfs3-add-null-pointer-checks.patch new file mode 100644 index 00000000000..f7834777a3b --- /dev/null +++ b/queue-5.15/fs-ntfs3-add-null-pointer-checks.patch 
@@ -0,0 +1,66 @@ +From fc4992458e0aa2d2e82a25c922e6ac36c2d91083 Mon Sep 17 00:00:00 2001 +From: Konstantin Komarov +Date: Thu, 29 Dec 2022 15:44:43 +0400 +Subject: fs/ntfs3: Add null pointer checks + +From: Konstantin Komarov + +commit fc4992458e0aa2d2e82a25c922e6ac36c2d91083 upstream. + +Added null pointer checks in function ntfs_security_init. +Also added le32_to_cpu in functions ntfs_security_init and indx_read. + +Signed-off-by: Konstantin Komarov +Cc: "Doebel, Bjoern" +Signed-off-by: Greg Kroah-Hartman +--- + fs/ntfs3/fsntfs.c | 16 ++++++++++------ + fs/ntfs3/index.c | 3 ++- + 2 files changed, 12 insertions(+), 7 deletions(-) + +--- a/fs/ntfs3/fsntfs.c ++++ b/fs/ntfs3/fsntfs.c +@@ -1872,10 +1872,12 @@ int ntfs_security_init(struct ntfs_sb_in + goto out; + } + +- root_sdh = resident_data_ex(attr, sizeof(struct INDEX_ROOT)); +- if (root_sdh->type != ATTR_ZERO || ++ if(!(root_sdh = resident_data_ex(attr, sizeof(struct INDEX_ROOT))) || ++ root_sdh->type != ATTR_ZERO || + root_sdh->rule != NTFS_COLLATION_TYPE_SECURITY_HASH || +- offsetof(struct INDEX_ROOT, ihdr) + root_sdh->ihdr.used > attr->res.data_size) { ++ offsetof(struct INDEX_ROOT, ihdr) + ++ le32_to_cpu(root_sdh->ihdr.used) > ++ le32_to_cpu(attr->res.data_size)) { + err = -EINVAL; + goto out; + } +@@ -1891,10 +1893,12 @@ int ntfs_security_init(struct ntfs_sb_in + goto out; + } + +- root_sii = resident_data_ex(attr, sizeof(struct INDEX_ROOT)); +- if (root_sii->type != ATTR_ZERO || ++ if(!(root_sii = resident_data_ex(attr, sizeof(struct INDEX_ROOT))) || ++ root_sii->type != ATTR_ZERO || + root_sii->rule != NTFS_COLLATION_TYPE_UINT || +- offsetof(struct INDEX_ROOT, ihdr) + root_sii->ihdr.used > attr->res.data_size) { ++ offsetof(struct INDEX_ROOT, ihdr) + ++ le32_to_cpu(root_sii->ihdr.used) > ++ le32_to_cpu(attr->res.data_size)) { + err = -EINVAL; + goto out; + } +--- a/fs/ntfs3/index.c ++++ b/fs/ntfs3/index.c +@@ -1106,7 +1106,8 @@ ok: + } + + /* check for index header length */ +- if (offsetof(struct 
INDEX_BUFFER, ihdr) + ib->ihdr.used > bytes) { ++ if (offsetof(struct INDEX_BUFFER, ihdr) + le32_to_cpu(ib->ihdr.used) > ++ bytes) { + err = -EINVAL; + goto out; + } diff --git a/queue-5.15/net-bcmgenet-fix-eee-implementation.patch b/queue-5.15/net-bcmgenet-fix-eee-implementation.patch new file mode 100644 index 00000000000..89bc284a135 --- /dev/null +++ b/queue-5.15/net-bcmgenet-fix-eee-implementation.patch 
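Review bot: The rewritten guard in ntfs_security_init folds the assignment into the condition and drops the space after the keyword, `if(!(root_sdh = resident_data_ex(attr, sizeof(struct INDEX_ROOT))) ||`, which checkpatch flags and which buries the new NULL check among the three existing validation terms; the second fsntfs.c hunk (root_sii) has the same shape. Keeping the assignment on its own line makes the added check visible: `root_sdh = resident_data_ex(attr, sizeof(struct INDEX_ROOT));` followed by `if (!root_sdh || root_sdh->type != ATTR_ZERO ||`. The le32_to_cpu() wrapping of ihdr.used and data_size (also in the index.c hunk) is what makes these bounds checks meaningful on big-endian hosts, so it deserves a one-line comment such as `/* on-disk fields are little-endian; convert before comparing */` rather than going in unremarked. ntfs_security_init's body starts and ends outside the hunk.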
@@ -0,0 +1,142 @@ +From a9f31047baca57d47440c879cf259b86f900260c Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Tue, 6 Jun 2023 14:43:47 -0700 +Subject: net: bcmgenet: Fix EEE implementation + +From: Florian Fainelli + +commit a9f31047baca57d47440c879cf259b86f900260c upstream. + +We had a number of short comings: + +- EEE must be re-evaluated whenever the state machine detects a link + change as wight be switching from a link partner with EEE + enabled/disabled + +- tx_lpi_enabled controls whether EEE should be enabled/disabled for the + transmit path, which applies to the TBUF block + +- We do not need to forcibly enable EEE upon system resume, as the PHY + state machine will trigger a link event that will do that, too + +Fixes: 6ef398ea60d9 ("net: bcmgenet: add EEE support") +Signed-off-by: Florian Fainelli +Reviewed-by: Russell King (Oracle) +Link: https://lore.kernel.org/r/20230606214348.2408018-1-florian.fainelli@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + +--- + drivers/net/ethernet/broadcom/genet/bcmgenet.c | 22 ++++++++-------------- + drivers/net/ethernet/broadcom/genet/bcmgenet.h | 3 +++ + drivers/net/ethernet/broadcom/genet/bcmmii.c | 6 ++++++ + 3 files changed, 17 insertions(+), 14 deletions(-) + +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -1248,7 +1248,8 @@ static void bcmgenet_get_ethtool_stats(s + } + } + +-static void bcmgenet_eee_enable_set(struct net_device *dev, bool enable) ++void bcmgenet_eee_enable_set(struct net_device *dev, bool enable, ++ bool tx_lpi_enabled) + { + struct bcmgenet_priv *priv = netdev_priv(dev); + u32 off = priv->hw_params->tbuf_offset + TBUF_ENERGY_CTRL; +@@ -1268,7 +1269,7 @@ static void bcmgenet_eee_enable_set(stru + + /* Enable EEE and switch to a 27Mhz clock automatically */ + reg = bcmgenet_readl(priv->base + off); +- if (enable) ++ if (tx_lpi_enabled) + reg |= TBUF_EEE_EN | TBUF_PM_EN; + else + reg &= 
~(TBUF_EEE_EN | TBUF_PM_EN); +@@ -1289,6 +1290,7 @@ static void bcmgenet_eee_enable_set(stru + + priv->eee.eee_enabled = enable; + priv->eee.eee_active = enable; ++ priv->eee.tx_lpi_enabled = tx_lpi_enabled; + } + + static int bcmgenet_get_eee(struct net_device *dev, struct ethtool_eee *e) +@@ -1304,6 +1306,7 @@ static int bcmgenet_get_eee(struct net_d + + e->eee_enabled = p->eee_enabled; + e->eee_active = p->eee_active; ++ e->tx_lpi_enabled = p->tx_lpi_enabled; + e->tx_lpi_timer = bcmgenet_umac_readl(priv, UMAC_EEE_LPI_TIMER); + + return phy_ethtool_get_eee(dev->phydev, e); +@@ -1313,7 +1316,6 @@ static int bcmgenet_set_eee(struct net_d + { + struct bcmgenet_priv *priv = netdev_priv(dev); + struct ethtool_eee *p = &priv->eee; +- int ret = 0; + + if (GENET_IS_V1(priv)) + return -EOPNOTSUPP; +@@ -1324,16 +1326,11 @@ static int bcmgenet_set_eee(struct net_d + p->eee_enabled = e->eee_enabled; + + if (!p->eee_enabled) { +- bcmgenet_eee_enable_set(dev, false); ++ bcmgenet_eee_enable_set(dev, false, false); + } else { +- ret = phy_init_eee(dev->phydev, 0); +- if (ret) { +- netif_err(priv, hw, dev, "EEE initialization failed\n"); +- return ret; +- } +- ++ p->eee_active = phy_init_eee(dev->phydev, false) >= 0; + bcmgenet_umac_writel(priv, e->tx_lpi_timer, UMAC_EEE_LPI_TIMER); +- bcmgenet_eee_enable_set(dev, true); ++ bcmgenet_eee_enable_set(dev, p->eee_active, e->tx_lpi_enabled); + } + + return phy_ethtool_set_eee(dev->phydev, e); +@@ -4219,9 +4216,6 @@ static int bcmgenet_resume(struct device + if (!device_may_wakeup(d)) + phy_resume(dev->phydev); + +- if (priv->eee.eee_enabled) +- bcmgenet_eee_enable_set(dev, true); +- + bcmgenet_netif_start(dev); + + netif_device_attach(dev); +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.h ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.h +@@ -701,4 +701,7 @@ int bcmgenet_wol_power_down_cfg(struct b + void bcmgenet_wol_power_up_cfg(struct bcmgenet_priv *priv, + enum bcmgenet_power_mode mode); + ++void 
bcmgenet_eee_enable_set(struct net_device *dev, bool enable, ++ bool tx_lpi_enabled); ++ + #endif /* __BCMGENET_H__ */ +--- a/drivers/net/ethernet/broadcom/genet/bcmmii.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c +@@ -25,6 +25,7 @@ + + #include "bcmgenet.h" + ++ + /* setup netdev link state when PHY link status change and + * update UMAC and RGMII block when link up + */ +@@ -102,6 +103,11 @@ void bcmgenet_mii_setup(struct net_devic + reg |= CMD_TX_EN | CMD_RX_EN; + } + bcmgenet_umac_writel(priv, reg, UMAC_CMD); ++ ++ priv->eee.eee_active = phy_init_eee(phydev, 0) >= 0; ++ bcmgenet_eee_enable_set(dev, ++ priv->eee.eee_enabled && priv->eee.eee_active, ++ priv->eee.tx_lpi_enabled); + } else { + /* done if nothing has changed */ + if (!status_changed) diff --git a/queue-5.15/revert-selftests-bpf-test-tail-call-counting-with-bpf2bpf-and-data-on-stack.patch b/queue-5.15/revert-selftests-bpf-test-tail-call-counting-with-bpf2bpf-and-data-on-stack.patch new file mode 100644 index 00000000000..a7be01c5e6e --- /dev/null +++ b/queue-5.15/revert-selftests-bpf-test-tail-call-counting-with-bpf2bpf-and-data-on-stack.patch 
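Review bot: The two new phy_init_eee() call sites pass the second argument inconsistently: bcmgenet_set_eee uses `phy_init_eee(dev->phydev, false)` while the block added to bcmgenet_mii_setup uses `phy_init_eee(phydev, 0)`; the parameter is a bool, so `priv->eee.eee_active = phy_init_eee(phydev, false) >= 0;` keeps them uniform. The `>= 0` idiom turns any negative return into eee_active = false, which is intended but reads like a lost error; a comment on both sites, `/* a negative return means EEE was not negotiated; treat as inactive */`, would record that. The bcmmii.c hunk at `@@ -25,6 +25,7 @@` only inserts a blank line after `#include "bcmgenet.h"`, an unrelated whitespace change that could be dropped from the backport. bcmgenet_mii_setup's body starts and ends outside the hunk.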
@@ -0,0 +1,138 @@ +From samasth.norway.ananda@oracle.com Wed Feb 21 11:58:49 2024 +From: Samasth Norway Ananda +Date: Fri, 2 Feb 2024 17:12:28 -0800 +Subject: Revert "selftests/bpf: Test tail call counting with bpf2bpf and data on stack" +To: stable@vger.kernel.org +Cc: jakub@cloudflare.com, daniel@iogearbox.net, samasth.norway.ananda@oracle.com, alan.maguire@oracle.com +Message-ID: <20240203011229.3326803-1-samasth.norway.ananda@oracle.com> + +From: Samasth Norway Ananda + +This reverts commit 3eefb2fbf4ec1c1ff239b8b65e6e78aae335e4a6. + +libbpf support for "tc" progs doesn't exist for the linux-5.15.y tree. +This commit was backported too far back in upstream, to a kernel where +the libbpf support was not there for the test. + +Signed-off-by: Samasth Norway Ananda +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/bpf/prog_tests/tailcalls.c | 55 ------------------ + tools/testing/selftests/bpf/progs/tailcall_bpf2bpf6.c | 42 ------------- + 2 files changed, 97 deletions(-) + delete mode 100644 tools/testing/selftests/bpf/progs/tailcall_bpf2bpf6.c + +--- a/tools/testing/selftests/bpf/prog_tests/tailcalls.c ++++ b/tools/testing/selftests/bpf/prog_tests/tailcalls.c +@@ -810,59 +810,6 @@ out: + bpf_object__close(obj); + } + +-#include "tailcall_bpf2bpf6.skel.h" +- +-/* Tail call counting works even when there is data on stack which is +- * not aligned to 8 bytes. 
+- */ +-static void test_tailcall_bpf2bpf_6(void) +-{ +- struct tailcall_bpf2bpf6 *obj; +- int err, map_fd, prog_fd, main_fd, data_fd, i, val; +- LIBBPF_OPTS(bpf_test_run_opts, topts, +- .data_in = &pkt_v4, +- .data_size_in = sizeof(pkt_v4), +- .repeat = 1, +- ); +- +- obj = tailcall_bpf2bpf6__open_and_load(); +- if (!ASSERT_OK_PTR(obj, "open and load")) +- return; +- +- main_fd = bpf_program__fd(obj->progs.entry); +- if (!ASSERT_GE(main_fd, 0, "entry prog fd")) +- goto out; +- +- map_fd = bpf_map__fd(obj->maps.jmp_table); +- if (!ASSERT_GE(map_fd, 0, "jmp_table map fd")) +- goto out; +- +- prog_fd = bpf_program__fd(obj->progs.classifier_0); +- if (!ASSERT_GE(prog_fd, 0, "classifier_0 prog fd")) +- goto out; +- +- i = 0; +- err = bpf_map_update_elem(map_fd, &i, &prog_fd, BPF_ANY); +- if (!ASSERT_OK(err, "jmp_table map update")) +- goto out; +- +- err = bpf_prog_test_run_opts(main_fd, &topts); +- ASSERT_OK(err, "entry prog test run"); +- ASSERT_EQ(topts.retval, 0, "tailcall retval"); +- +- data_fd = bpf_map__fd(obj->maps.bss); +- if (!ASSERT_GE(data_fd, 0, "bss map fd")) +- goto out; +- +- i = 0; +- err = bpf_map_lookup_elem(data_fd, &i, &val); +- ASSERT_OK(err, "bss map lookup"); +- ASSERT_EQ(val, 1, "done flag is set"); +- +-out: +- tailcall_bpf2bpf6__destroy(obj); +-} +- + void test_tailcalls(void) + { + if (test__start_subtest("tailcall_1")) +@@ -885,6 +832,4 @@ void test_tailcalls(void) + test_tailcall_bpf2bpf_4(false); + if (test__start_subtest("tailcall_bpf2bpf_5")) + test_tailcall_bpf2bpf_4(true); +- if (test__start_subtest("tailcall_bpf2bpf_6")) +- test_tailcall_bpf2bpf_6(); + } +--- a/tools/testing/selftests/bpf/progs/tailcall_bpf2bpf6.c ++++ /dev/null +@@ -1,42 +0,0 @@ +-// SPDX-License-Identifier: GPL-2.0 +-#include +-#include +- +-#define __unused __attribute__((unused)) +- +-struct { +- __uint(type, BPF_MAP_TYPE_PROG_ARRAY); +- __uint(max_entries, 1); +- __uint(key_size, sizeof(__u32)); +- __uint(value_size, sizeof(__u32)); +-} jmp_table SEC(".maps"); 
+-
+-int done = 0;
+-
+-SEC("tc")
+-int classifier_0(struct __sk_buff *skb __unused)
+-{
+- done = 1;
+- return 0;
+-}
+-
+-static __noinline
+-int subprog_tail(struct __sk_buff *skb)
+-{
+- /* Don't propagate the constant to the caller */
+- volatile int ret = 1;
+-
+- bpf_tail_call_static(skb, &jmp_table, 0);
+- return ret;
+-}
+-
+-SEC("tc")
+-int entry(struct __sk_buff *skb)
+-{
+- /* Have data on stack which size is not a multiple of 8 */
+- volatile char arr[1] = {};
+-
+- return subprog_tail(skb);
+-}
+-
+-char __license[] SEC("license") = "GPL";
diff --git a/queue-5.15/series b/queue-5.15/series
index 79d1f734746..bff89783ee3 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -92,7 +92,6 @@ drm-don-t-unref-the-same-fb-many-times-by-mistake-due-to-deadlock-handling.patch
 drm-bridge-nxp-ptn3460-fix-i2c_master_send-error-checking.patch
 drm-tidss-fix-atomic_flush-check.patch
 drm-bridge-nxp-ptn3460-simplify-some-error-checking.patch
-cifs-fix-off-by-one-in-smb2_query_info_init.patch
 pm-core-remove-unnecessary-void-conversions.patch
 pm-sleep-fix-possible-deadlocks-in-core-system-wide-.patch
 bus-mhi-host-rename-struct-mhi_tre-to-struct-mhi_rin.patch
@@ -467,3 +466,7 @@ dm-limit-the-number-of-targets-and-parameter-size-area.patch
 arm64-subscribe-microsoft-azure-cobalt-100-to-arm-neoverse-n2-errata.patch
 pm-runtime-have-devm_pm_runtime_enable-handle-pm_runtime_dont_use_autosuspend.patch
 drm-msm-dsi-enable-runtime-pm.patch
+revert-selftests-bpf-test-tail-call-counting-with-bpf2bpf-and-data-on-stack.patch
+net-bcmgenet-fix-eee-implementation.patch
+fs-ntfs3-add-null-pointer-checks.patch
+smb3-replace-smb2pdu-1-element-arrays-with-flex-arrays.patch
diff --git a/queue-5.15/smb3-replace-smb2pdu-1-element-arrays-with-flex-arrays.patch b/queue-5.15/smb3-replace-smb2pdu-1-element-arrays-with-flex-arrays.patch
new file mode 100644
index 00000000000..37f7df42dc8
--- /dev/null
+++ b/queue-5.15/smb3-replace-smb2pdu-1-element-arrays-with-flex-arrays.patch
@@ -0,0 +1,366 @@ +From eb3e28c1e89b4984308777231887e41aa8a0151f Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Fri, 17 Feb 2023 16:24:40 -0800 +Subject: smb3: Replace smb2pdu 1-element arrays with flex-arrays + +From: Kees Cook + +commit eb3e28c1e89b4984308777231887e41aa8a0151f upstream. + +The kernel is globally removing the ambiguous 0-length and 1-element +arrays in favor of flexible arrays, so that we can gain both compile-time +and run-time array bounds checking[1]. + +Replace the trailing 1-element array with a flexible array in the +following structures: + + struct smb2_err_rsp + struct smb2_tree_connect_req + struct smb2_negotiate_rsp + struct smb2_sess_setup_req + struct smb2_sess_setup_rsp + struct smb2_read_req + struct smb2_read_rsp + struct smb2_write_req + struct smb2_write_rsp + struct smb2_query_directory_req + struct smb2_query_directory_rsp + struct smb2_set_info_req + struct smb2_change_notify_rsp + struct smb2_create_rsp + struct smb2_query_info_req + struct smb2_query_info_rsp + +Replace the trailing 1-element array with a flexible array, but leave +the existing structure padding: + + struct smb2_file_all_info + struct smb2_lock_req + +Adjust all related size calculations to match the changes to sizeof(). + +No machine code output or .data section differences are produced after +these changes. 
+ +[1] For lots of details, see both: + https://docs.kernel.org/process/deprecated.html#zero-length-and-one-element-arrays + https://people.kernel.org/kees/bounded-flexible-arrays-in-c + +Cc: Steve French +Cc: Paulo Alcantara +Cc: Ronnie Sahlberg +Cc: Shyam Prasad N +Cc: Tom Talpey +Cc: Namjae Jeon +Cc: Sergey Senozhatsky +Cc: linux-cifs@vger.kernel.org +Cc: samba-technical@lists.samba.org +Reviewed-by: Namjae Jeon +Signed-off-by: Kees Cook +Signed-off-by: Steve French +Signed-off-by: Vasiliy Kovalev +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/smb2misc.c | 2 +- + fs/cifs/smb2ops.c | 14 +++++++------- + fs/cifs/smb2pdu.c | 13 ++++++------- + fs/cifs/smb2pdu.h | 42 ++++++++++++++++++++++++------------------ + 4 files changed, 38 insertions(+), 33 deletions(-) + +--- a/fs/cifs/smb2misc.c ++++ b/fs/cifs/smb2misc.c +@@ -113,7 +113,7 @@ static __u32 get_neg_ctxt_len(struct smb + } else if (nc_offset + 1 == non_ctxlen) { + cifs_dbg(FYI, "no SPNEGO security blob in negprot rsp\n"); + size_of_pad_before_neg_ctxts = 0; +- } else if (non_ctxlen == SMB311_NEGPROT_BASE_SIZE) ++ } else if (non_ctxlen == SMB311_NEGPROT_BASE_SIZE + 1) + /* has padding, but no SPNEGO blob */ + size_of_pad_before_neg_ctxts = nc_offset - non_ctxlen + 1; + else +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -5826,7 +5826,7 @@ struct smb_version_values smb20_values = + .header_size = sizeof(struct smb2_sync_hdr), + .header_preamble_size = 0, + .max_header_size = MAX_SMB2_HDR_SIZE, +- .read_rsp_size = sizeof(struct smb2_read_rsp) - 1, ++ .read_rsp_size = sizeof(struct smb2_read_rsp), + .lock_cmd = SMB2_LOCK, + .cap_unix = 0, + .cap_nt_find = SMB2_NT_FIND, +@@ -5848,7 +5848,7 @@ struct smb_version_values smb21_values = + .header_size = sizeof(struct smb2_sync_hdr), + .header_preamble_size = 0, + .max_header_size = MAX_SMB2_HDR_SIZE, +- .read_rsp_size = sizeof(struct smb2_read_rsp) - 1, ++ .read_rsp_size = sizeof(struct smb2_read_rsp), + .lock_cmd = SMB2_LOCK, + .cap_unix = 0, + .cap_nt_find 
= SMB2_NT_FIND, +@@ -5869,7 +5869,7 @@ struct smb_version_values smb3any_values + .header_size = sizeof(struct smb2_sync_hdr), + .header_preamble_size = 0, + .max_header_size = MAX_SMB2_HDR_SIZE, +- .read_rsp_size = sizeof(struct smb2_read_rsp) - 1, ++ .read_rsp_size = sizeof(struct smb2_read_rsp), + .lock_cmd = SMB2_LOCK, + .cap_unix = 0, + .cap_nt_find = SMB2_NT_FIND, +@@ -5890,7 +5890,7 @@ struct smb_version_values smbdefault_val + .header_size = sizeof(struct smb2_sync_hdr), + .header_preamble_size = 0, + .max_header_size = MAX_SMB2_HDR_SIZE, +- .read_rsp_size = sizeof(struct smb2_read_rsp) - 1, ++ .read_rsp_size = sizeof(struct smb2_read_rsp), + .lock_cmd = SMB2_LOCK, + .cap_unix = 0, + .cap_nt_find = SMB2_NT_FIND, +@@ -5911,7 +5911,7 @@ struct smb_version_values smb30_values = + .header_size = sizeof(struct smb2_sync_hdr), + .header_preamble_size = 0, + .max_header_size = MAX_SMB2_HDR_SIZE, +- .read_rsp_size = sizeof(struct smb2_read_rsp) - 1, ++ .read_rsp_size = sizeof(struct smb2_read_rsp), + .lock_cmd = SMB2_LOCK, + .cap_unix = 0, + .cap_nt_find = SMB2_NT_FIND, +@@ -5932,7 +5932,7 @@ struct smb_version_values smb302_values + .header_size = sizeof(struct smb2_sync_hdr), + .header_preamble_size = 0, + .max_header_size = MAX_SMB2_HDR_SIZE, +- .read_rsp_size = sizeof(struct smb2_read_rsp) - 1, ++ .read_rsp_size = sizeof(struct smb2_read_rsp), + .lock_cmd = SMB2_LOCK, + .cap_unix = 0, + .cap_nt_find = SMB2_NT_FIND, +@@ -5953,7 +5953,7 @@ struct smb_version_values smb311_values + .header_size = sizeof(struct smb2_sync_hdr), + .header_preamble_size = 0, + .max_header_size = MAX_SMB2_HDR_SIZE, +- .read_rsp_size = sizeof(struct smb2_read_rsp) - 1, ++ .read_rsp_size = sizeof(struct smb2_read_rsp), + .lock_cmd = SMB2_LOCK, + .cap_unix = 0, + .cap_nt_find = SMB2_NT_FIND, +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -1327,7 +1327,7 @@ SMB2_sess_sendreceive(struct SMB2_sess_d + + /* Testing shows that buffer offset must be at location of Buffer[0] */ + 
req->SecurityBufferOffset = +- cpu_to_le16(sizeof(struct smb2_sess_setup_req) - 1 /* pad */); ++ cpu_to_le16(sizeof(struct smb2_sess_setup_req)); + req->SecurityBufferLength = cpu_to_le16(sess_data->iov[1].iov_len); + + memset(&rqst, 0, sizeof(struct smb_rqst)); +@@ -1826,8 +1826,7 @@ SMB2_tcon(const unsigned int xid, struct + iov[0].iov_len = total_len - 1; + + /* Testing shows that buffer offset must be at location of Buffer[0] */ +- req->PathOffset = cpu_to_le16(sizeof(struct smb2_tree_connect_req) +- - 1 /* pad */); ++ req->PathOffset = cpu_to_le16(sizeof(struct smb2_tree_connect_req)); + req->PathLength = cpu_to_le16(unc_path_len - 2); + iov[1].iov_base = unc_path; + iov[1].iov_len = unc_path_len; +@@ -4748,7 +4747,7 @@ int SMB2_query_directory_init(const unsi + memcpy(bufptr, &asteriks, len); + + req->FileNameOffset = +- cpu_to_le16(sizeof(struct smb2_query_directory_req) - 1); ++ cpu_to_le16(sizeof(struct smb2_query_directory_req)); + req->FileNameLength = cpu_to_le16(len); + /* + * BB could be 30 bytes or so longer if we used SMB2 specific +@@ -4945,7 +4944,7 @@ SMB2_set_info_init(struct cifs_tcon *tco + req->AdditionalInformation = cpu_to_le32(additional_info); + + req->BufferOffset = +- cpu_to_le16(sizeof(struct smb2_set_info_req) - 1); ++ cpu_to_le16(sizeof(struct smb2_set_info_req)); + req->BufferLength = cpu_to_le32(*size); + + memcpy(req->Buffer, *data, *size); +@@ -5177,9 +5176,9 @@ build_qfs_info_req(struct kvec *iov, str + req->VolatileFileId = volatile_fid; + /* 1 for pad */ + req->InputBufferOffset = +- cpu_to_le16(sizeof(struct smb2_query_info_req) - 1); ++ cpu_to_le16(sizeof(struct smb2_query_info_req)); + req->OutputBufferLength = cpu_to_le32( +- outbuf_len + sizeof(struct smb2_query_info_rsp) - 1); ++ outbuf_len + sizeof(struct smb2_query_info_rsp)); + + iov->iov_base = (char *)req; + iov->iov_len = total_len; +--- a/fs/cifs/smb2pdu.h ++++ b/fs/cifs/smb2pdu.h +@@ -218,7 +218,7 @@ struct smb2_err_rsp { + __le16 StructureSize; + __le16 
Reserved; /* MBZ */ + __le32 ByteCount; /* even if zero, at least one byte follows */ +- __u8 ErrorData[1]; /* variable length */ ++ __u8 ErrorData[]; /* variable length */ + } __packed; + + #define SYMLINK_ERROR_TAG 0x4c4d5953 +@@ -487,7 +487,7 @@ struct smb2_negotiate_rsp { + __le16 SecurityBufferOffset; + __le16 SecurityBufferLength; + __le32 NegotiateContextOffset; /* Pre:SMB3.1.1 was reserved/ignored */ +- __u8 Buffer[1]; /* variable length GSS security buffer */ ++ __u8 Buffer[]; /* variable length GSS security buffer */ + } __packed; + + /* Flags */ +@@ -504,7 +504,7 @@ struct smb2_sess_setup_req { + __le16 SecurityBufferOffset; + __le16 SecurityBufferLength; + __u64 PreviousSessionId; +- __u8 Buffer[1]; /* variable length GSS security buffer */ ++ __u8 Buffer[]; /* variable length GSS security buffer */ + } __packed; + + /* Currently defined SessionFlags */ +@@ -517,7 +517,7 @@ struct smb2_sess_setup_rsp { + __le16 SessionFlags; + __le16 SecurityBufferOffset; + __le16 SecurityBufferLength; +- __u8 Buffer[1]; /* variable length GSS security buffer */ ++ __u8 Buffer[]; /* variable length GSS security buffer */ + } __packed; + + struct smb2_logoff_req { +@@ -543,7 +543,7 @@ struct smb2_tree_connect_req { + __le16 Flags; /* Reserved MBZ for dialects prior to SMB3.1.1 */ + __le16 PathOffset; + __le16 PathLength; +- __u8 Buffer[1]; /* variable length */ ++ __u8 Buffer[]; /* variable length */ + } __packed; + + /* See MS-SMB2 section 2.2.9.2 */ +@@ -852,7 +852,7 @@ struct smb2_create_rsp { + __u64 VolatileFileId; /* opaque endianness */ + __le32 CreateContextsOffset; + __le32 CreateContextsLength; +- __u8 Buffer[1]; ++ __u8 Buffer[]; + } __packed; + + struct create_context { +@@ -1313,7 +1313,7 @@ struct smb2_read_plain_req { + __le32 RemainingBytes; + __le16 ReadChannelInfoOffset; + __le16 ReadChannelInfoLength; +- __u8 Buffer[1]; ++ __u8 Buffer[]; + } __packed; + + /* Read flags */ +@@ -1328,7 +1328,7 @@ struct smb2_read_rsp { + __le32 DataLength; + __le32 
DataRemaining; + __u32 Flags; +- __u8 Buffer[1]; ++ __u8 Buffer[]; + } __packed; + + /* For write request Flags field below the following flags are defined: */ +@@ -1348,7 +1348,7 @@ struct smb2_write_req { + __le16 WriteChannelInfoOffset; + __le16 WriteChannelInfoLength; + __le32 Flags; +- __u8 Buffer[1]; ++ __u8 Buffer[]; + } __packed; + + struct smb2_write_rsp { +@@ -1359,7 +1359,7 @@ struct smb2_write_rsp { + __le32 DataLength; + __le32 DataRemaining; + __u32 Reserved2; +- __u8 Buffer[1]; ++ __u8 Buffer[]; + } __packed; + + /* notify flags */ +@@ -1395,7 +1395,7 @@ struct smb2_change_notify_rsp { + __le16 StructureSize; /* Must be 9 */ + __le16 OutputBufferOffset; + __le32 OutputBufferLength; +- __u8 Buffer[1]; /* array of file notify structs */ ++ __u8 Buffer[]; /* array of file notify structs */ + } __packed; + + #define SMB2_LOCKFLAG_SHARED_LOCK 0x0001 +@@ -1422,7 +1422,10 @@ struct smb2_lock_req { + __u64 PersistentFileId; /* opaque endianness */ + __u64 VolatileFileId; /* opaque endianness */ + /* Followed by at least one */ +- struct smb2_lock_element locks[1]; ++ union { ++ struct smb2_lock_element lock; ++ DECLARE_FLEX_ARRAY(struct smb2_lock_element, locks); ++ }; + } __packed; + + struct smb2_lock_rsp { +@@ -1478,7 +1481,7 @@ struct smb2_query_directory_req { + __le16 FileNameOffset; + __le16 FileNameLength; + __le32 OutputBufferLength; +- __u8 Buffer[1]; ++ __u8 Buffer[]; + } __packed; + + struct smb2_query_directory_rsp { +@@ -1486,7 +1489,7 @@ struct smb2_query_directory_rsp { + __le16 StructureSize; /* Must be 9 */ + __le16 OutputBufferOffset; + __le32 OutputBufferLength; +- __u8 Buffer[1]; ++ __u8 Buffer[]; + } __packed; + + /* Possible InfoType values */ +@@ -1527,7 +1530,7 @@ struct smb2_query_info_req { + __le32 Flags; + __u64 PersistentFileId; /* opaque endianness */ + __u64 VolatileFileId; /* opaque endianness */ +- __u8 Buffer[1]; ++ __u8 Buffer[]; + } __packed; + + struct smb2_query_info_rsp { +@@ -1535,7 +1538,7 @@ struct 
smb2_query_info_rsp { + __le16 StructureSize; /* Must be 9 */ + __le16 OutputBufferOffset; + __le32 OutputBufferLength; +- __u8 Buffer[1]; ++ __u8 Buffer[]; + } __packed; + + /* +@@ -1558,7 +1561,7 @@ struct smb2_set_info_req { + __le32 AdditionalInformation; + __u64 PersistentFileId; /* opaque endianness */ + __u64 VolatileFileId; /* opaque endianness */ +- __u8 Buffer[1]; ++ __u8 Buffer[]; + } __packed; + + struct smb2_set_info_rsp { +@@ -1761,7 +1764,10 @@ struct smb2_file_all_info { /* data bloc + __le32 Mode; + __le32 AlignmentRequirement; + __le32 FileNameLength; +- char FileName[1]; ++ union { ++ char __pad; /* Legacy structure padding */ ++ DECLARE_FLEX_ARRAY(char, FileName); ++ }; + } __packed; /* level 18 Query */ + + struct smb2_file_eof_info { /* encoding of request for level 10 */
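Review bot: The `/* 1 for pad */` comment kept as context above `req->InputBufferOffset = cpu_to_le16(sizeof(struct smb2_query_info_req));` in build_qfs_info_req is now stale, because the `- 1` it explained was removed with the flex-array conversion; drop it or replace it with `/* Buffer[] is a flexible array, so the offset is exactly the fixed part */`. The `iov[0].iov_len = total_len - 1;` context line in the SMB2_tcon hunk keeps its `- 1`, which is presumably right only because total_len is derived from the protocol StructureSize (which counts the one Buffer byte) rather than from sizeof(); a comment stating that would stop the next reader from "fixing" it the way the request offsets were. Since this backport replaces the dropped cifs-fix-off-by-one-in-smb2_query_info_init.patch, it is worth confirming that SMB2_query_info_init() (not in this hunk), which sizes its iov from sizeof(*req), now produces the 8-byte-aligned length smb2_set_next_command() expects without the stable-only `len - 1`. The smb2_lock_req and smb2_file_all_info hunks introduce DECLARE_FLEX_ARRAY(), so the build also depends on the 5.15.y tree carrying that helper in include/linux/stddef.h, which the backport description does not mention.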