From: Greg KH <gregkh@linuxfoundation.org>
To: Bharath SM <bharathsm.hsk@gmail.com>
Cc: linux-cifs@vger.kernel.org, smfrench@gmail.com,
	dhowells@redhat.com, sprasad@microsoft.com, pc@manguebit.com,
	ematsumiya@suse.de, henrique.carvalho@suse.com,
	bharathsm@microsoft.com, stable@vger.kernel.org
Subject: Re: [PATCH 6.6.y] smb: client: fix page cache corruption from in-place encryption in SMB2_write
Date: Wed, 4 Mar 2026 15:21:52 +0100
Message-ID: <2026030442-cleft-appealing-93ec@gregkh>
In-Reply-To: <20260304140452.1606662-1-bharathsm@microsoft.com>

On Wed, Mar 04, 2026 at 07:34:52PM +0530, Bharath SM wrote:
> SMB2_write() passes data kvecs inline in rq_iov by setting
> rqst.rq_nvec = n_vec + 1. When SMB3 encryption is negotiated,
> smb3_init_transform_rq() -> crypt_message() encrypts data in the
> kvec buffers in-place.
> 
> For synchronous writes through cifs_write(), the kvec buffers point
> directly into the page cache via kmap(). In-place encryption overwrites
> the page cache with ciphertext. If the send fails with a replayable
> error such as -EAGAIN (e.g., from a connection reset), SMB2_write()
> retries the write using the same iov[1] buffer. Since iov[1] now
> contains ciphertext from the first attempt, the retry encrypts and
> sends ciphertext-as-data to the server, resulting in data corruption.
> 
> The corruption is most likely to be observed when connections are
> unstable, as reconnects trigger write retries that re-send the
> already-encrypted page cache data.
> 
> The sync path can be reached during partial-page O_WRONLY writes when
> the page is not in cache (common for append workloads with repeated
> open/write/close patterns).
> 
> The async write path (smb2_async_writev) is not affected because it
> passes data via rqst.rq_iter, which the encryption layer handles
> without modifying the source buffers.
> 
> Fix by setting rq_nvec = 1 (header only) and moving data kvecs into
> rq_iter via iov_iter_kvec().
> 
> Signed-off-by: Bharath SM <bharathsm@microsoft.com>
> Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
> Cc: stable@vger.kernel.org
> ---
>  fs/smb/client/smb2pdu.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c
> index a8890ae21714..a88a19dec494 100644
> --- a/fs/smb/client/smb2pdu.c
> +++ b/fs/smb/client/smb2pdu.c
> @@ -5072,7 +5072,11 @@ SMB2_write(const unsigned int xid, struct cifs_io_parms *io_parms,
>  
>  	memset(&rqst, 0, sizeof(struct smb_rqst));
>  	rqst.rq_iov = iov;
> -	rqst.rq_nvec = n_vec + 1;
> +	rqst.rq_nvec = 1;
> +	iov_iter_kvec(&rqst.rq_iter, ITER_SOURCE, &iov[1], n_vec,
> +		      io_parms->length);
> +	rqst.rq_iter_size = io_parms->length;
> +
>  
>  	if (retries)
>  		smb2_set_replay(server, &rqst);
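
Review bot: iov_iter_kvec() is handed io_parms->length as the byte count while the segments come from &iov[1] with n_vec entries, and nothing in this hunk ties the two together. If the kvec lengths do not sum to io_parms->length, rq_iter and rq_iter_size will describe a different amount of data than the caller supplied, so a one-line comment stating that callers guarantee this (or a check against the summed iov_len values) would make the assumption reviewable. A short comment on `rqst.rq_nvec = 1;` saying that data must stay out of rq_iov because the encryption transform modifies those buffers in place would also keep a later cleanup from reverting it. The added empty line after `rqst.rq_iter_size = io_parms->length;` sits directly above an existing blank line, leaving two consecutive blank lines; drop the new one.
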
> -- 
> 2.45.4
> 

<formletter>

This is not the correct way to submit patches for inclusion in the
stable kernel tree.  Please read:
    https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
for how to do this properly.

</formletter>
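
The retry failure described in the quoted commit message, as an added user-space model that is not part of the patch or of the kernel's code. A toy XOR keystream stands in for SMB3 encryption, and `toy_crypt`, `toy_send`, `toy_write` and `write_is_intact` are hypothetical names chosen for this illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define LEN 16

/* Toy stand-in for SMB3 encryption (assumption, not AES-CCM/GCM): XOR with a
 * keystream derived from a per-attempt nonce. Encrypt and decrypt are the same. */
static void toy_crypt(uint8_t *dst, const uint8_t *src, size_t n, uint8_t nonce)
{
	for (size_t i = 0; i < n; i++)
		dst[i] = src[i] ^ (uint8_t)(nonce * 37u + i * 11u + 0x5a);
}

/* Hypothetical transport: attempt 0 fails with -EAGAIN (connection reset);
 * later attempts reach the server, which decrypts what it received. */
static int toy_send(const uint8_t *wire, size_t n, uint8_t nonce, int attempt, uint8_t *server)
{
	if (attempt == 0)
		return -EAGAIN;
	toy_crypt(server, wire, n, nonce);
	return 0;
}

/* in_place=1 models data kvecs in rq_iov (encrypted in the caller's buffer);
 * in_place=0 models rq_iter (ciphertext goes to a separate buffer). */
static int toy_write(uint8_t *src, size_t n, int in_place, uint8_t *server)
{
	uint8_t bounce[LEN];
	int rc, attempt = 0;

	do {
		uint8_t nonce = (uint8_t)(attempt + 1);	/* fresh nonce per attempt */
		uint8_t *wire = in_place ? src : bounce;
		toy_crypt(wire, src, n, nonce);		/* the retry re-reads src */
		rc = toy_send(wire, n, nonce, attempt++, server);
	} while (rc == -EAGAIN);
	return rc;
}

/* Returns 1 if the source buffer (the "page cache") and the server's copy
 * both still equal the original plaintext after one failed send and a retry. */
int write_is_intact(int in_place)
{
	const uint8_t plain[LEN] = "append-log-line";	/* constructed sample */
	uint8_t page[LEN], server[LEN];
	memcpy(page, plain, LEN);
	if (toy_write(page, LEN, in_place, server))
		return 0;
	return !memcmp(page, plain, LEN) && !memcmp(server, plain, LEN);
}
```

In the in-place case the retry encrypts the first attempt's ciphertext, so the server decrypts to something other than the plaintext and the source buffer is left overwritten as well.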

Thread overview: 3+ messages
2026-03-04 14:04 [PATCH 6.6.y] smb: client: fix page cache corruption from in-place encryption in SMB2_write Bharath SM
2026-03-04 14:21 ` Greg KH [this message]
2026-03-16 18:26   ` Bharath SM
