Patch "cifs: don't try to use rdma offload on encrypted connections" has been added to the 6.1-stable tree

This is a note to let you know that I've just added the patch titled

    cifs: don't try to use rdma offload on encrypted connections

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     cifs-don-t-try-to-use-rdma-offload-on-encrypted-connections.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 3891f6c7655a39065e44980f51ba46bb32be3133 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@xxxxxxxxx>
Date: Wed, 1 Feb 2023 16:21:41 +0100
Subject: cifs: don't try to use rdma offload on encrypted connections

From: Stefan Metzmacher <metze@xxxxxxxxx>

commit 3891f6c7655a39065e44980f51ba46bb32be3133 upstream.

The aim of using encryption on a connection is to keep
the data confidential, so we must not use plaintext rdma offload
for that data!

It seems that current Windows servers and ksmbd would allow
this, but that's no reason to expose the users' data in plaintext!
And servers hopefully reject this in future.

Note modern Windows servers support signed or encrypted offload,
see MS-SMB2 2.2.3.1.6 SMB2_RDMA_TRANSFORM_CAPABILITIES, but we don't
support that yet.

Signed-off-by: Stefan Metzmacher <metze@xxxxxxxxx>
Cc: Steve French <smfrench@xxxxxxxxx>
Cc: Tom Talpey <tom@xxxxxxxxxx>
Cc: Long Li <longli@xxxxxxxxxxxxx>
Cc: Namjae Jeon <linkinjeon@xxxxxxxxxx>
Cc: David Howells <dhowells@xxxxxxxxxx>
Cc: linux-cifs@xxxxxxxxxxxxxxx
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 fs/cifs/smb2pdu.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -4081,6 +4081,10 @@ static inline bool smb3_use_rdma_offload
 	if (server->sign)
 		return false;
 
+	/* we don't support encrypted offload yet */
+	if (smb3_encryption_required(tcon))
+		return false;
+
 	/* offload also has its overhead, so only do it if desired */
 	if (io_parms->length < server->smbd_conn->rdma_readwrite_threshold)
 		return false;
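
Review bot: The comment on the new smb3_encryption_required(tcon) check says only that encrypted offload is not supported yet, which undersells why the early return exists: per the commit message, taking the offload path would move data in plaintext on a connection that is supposed to keep it confidential. Consider wording the comment as a confidentiality requirement and citing MS-SMB2 2.2.3.1.6 SMB2_RDMA_TRANSFORM_CAPABILITIES, so the check is not later relaxed as a performance tweak without transform support being added first. The new check is also keyed on tcon while the signing check directly above it is keyed on server; the body of smb3_encryption_required() is not visible in this hunk, so it is worth confirming that it returns true for every case in which the request is actually sent encrypted.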


Patches currently in stable-queue which might be from metze@xxxxxxxxx are

queue-6.1/cifs-don-t-try-to-use-rdma-offload-on-encrypted-connections.patch
queue-6.1/cifs-introduce-cifs_io_parms-in-smb2_async_writev.patch
queue-6.1/cifs-split-out-smb3_use_rdma_offload-helper.patch


