From patchwork Wed Feb 1 12:04:43 2023
X-Patchwork-Submitter: Stefan Metzmacher
X-Patchwork-Id: 1735510
From: Stefan Metzmacher
To: linux-cifs@vger.kernel.org
Cc: Stefan Metzmacher, Steve French, Tom Talpey, Long Li, Namjae Jeon, David Howells, stable@vger.kernel.org
Subject: [PATCH 3/3] cifs: don't try to use rdma offload on encrypted connections
Date: Wed, 1 Feb 2023 13:04:43 +0100

The aim of using encryption on a connection is to keep the data confidential, so we must not use plaintext rdma offload for that data!

It seems that current Windows servers and ksmbd would allow this, but that's no reason to expose the user's data in plaintext! And servers hopefully reject this in future.

Note modern Windows servers support signed or encrypted offload, see MS-SMB2 2.2.3.1.6 SMB2_RDMA_TRANSFORM_CAPABILITIES, but we don't support that yet.

Signed-off-by: Stefan Metzmacher
Cc: Steve French
Cc: Tom Talpey
Cc: Long Li
Cc: Namjae Jeon
Cc: David Howells
Cc: linux-cifs@vger.kernel.org
Cc: stable@vger.kernel.org
---
 fs/cifs/smb2pdu.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index 6a4d621241dd..c5cb2639b3f1 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c
@@ -4081,6 +4081,10 @@ static inline bool smb3_use_rdma_offload(struct cifs_io_parms *io_parms) if (server->sign) return false; + /* we don't support encrypted offload yet */ + if (smb3_encryption_required(tcon)) + return false; + /* offload also has its overhead, so only do it if desired */ if (io_parms->length < server->smbd_conn->rdma_readwrite_threshold) return false;
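Review bot: the comment on the added check, "/* we don't support encrypted offload yet */", reads like a missing feature rather than a confidentiality guard, so a later reader tuning RDMA performance could take the check for removable. Suggest wording it so the reason is explicit, for example that plaintext RDMA read/write must not carry data for an encrypted tcon, and that offload can return once SMB2_RDMA_TRANSFORM_CAPABILITIES (MS-SMB2 2.2.3.1.6, named in the commit message) is implemented. Two smaller points: the subject speaks of encrypted connections and the neighbouring signing check tests `server->sign`, while the new test is per `tcon` via `smb3_encryption_required(tcon)`, so it would help to state in the comment or commit message that this also covers encryption required at the session or server level. And `tcon` is not declared anywhere in the visible context of `smb3_use_rdma_offload(struct cifs_io_parms *io_parms)`, so please confirm it is set (and cannot be NULL) before this point in the function.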