[PATCH 6.6.y] smb: client: fix page cache corruption from in-place encryption in SMB2_write

[PATCH 6.6.y] smb: client: fix page cache corruption from in-place encryption in SMB2_write

[Bharath SM]

SMB2_write() passes data kvecs inline in rq_iov by setting
rqst.rq_nvec = n_vec + 1. When SMB3 encryption is negotiated,
smb3_init_transform_rq() -> crypt_message() encrypts data in the
kvec buffers in-place.

For synchronous writes through cifs_write(), the kvec buffers point
directly into the page cache via kmap(). In-place encryption overwrites
the page cache with ciphertext. If the send fails with a replayable
error such as -EAGAIN (e.g., from a connection reset), SMB2_write()
retries the write using the same iov[1] buffer. Since iov[1] now
contains ciphertext from the first attempt, the retry encrypts and
sends ciphertext-as-data to the server, resulting in data corruption.

The corruption is most likely to be observed when connections are
unstable, as reconnects trigger write retries that re-send the
already-encrypted page cache data.

The sync path can be reached during partial-page O_WRONLY writes when
the page is not in cache (common for append workloads with repeated
open/write/close patterns).

The async write path (smb2_async_writev) is not affected because it
passes data via rqst.rq_iter, which the encryption layer handles
without modifying the source buffers.

Fix by setting rq_nvec = 1 (header only) and moving data kvecs into
rq_iter via iov_iter_kvec().

Signed-off-by: Bharath SM <bharathsm@microsoft.com>
Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
Cc: stable@vger.kernel.org
---
 fs/smb/client/smb2pdu.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c
index a8890ae21714..a88a19dec494 100644
--- a/fs/smb/client/smb2pdu.c
+++ b/fs/smb/client/smb2pdu.c
@@ -5072,7 +5072,11 @@ SMB2_write(const unsigned int xid, struct cifs_io_parms *io_parms,
 
 	memset(&rqst, 0, sizeof(struct smb_rqst));
 	rqst.rq_iov = iov;
-	rqst.rq_nvec = n_vec + 1;
+	rqst.rq_nvec = 1;
+	iov_iter_kvec(&rqst.rq_iter, ITER_SOURCE, &iov[1], n_vec,
+		      io_parms->length);
+	rqst.rq_iter_size = io_parms->length;
+
 
 	if (retries)
 		smb2_set_replay(server, &rqst);
-- 
2.45.4

Re: [PATCH 6.6.y] smb: client: fix page cache corruption from in-place encryption in SMB2_write

[Greg KH]

On Wed, Mar 04, 2026 at 07:34:52PM +0530, Bharath SM wrote:
> SMB2_write() passes data kvecs inline in rq_iov by setting
> rqst.rq_nvec = n_vec + 1. When SMB3 encryption is negotiated,
> smb3_init_transform_rq() -> crypt_message() encrypts data in the
> kvec buffers in-place.
> 
> For synchronous writes through cifs_write(), the kvec buffers point
> directly into the page cache via kmap(). In-place encryption overwrites
> the page cache with ciphertext. If the send fails with a replayable
> error such as -EAGAIN (e.g., from a connection reset), SMB2_write()
> retries the write using the same iov[1] buffer. Since iov[1] now
> contains ciphertext from the first attempt, the retry encrypts and
> sends ciphertext-as-data to the server, resulting in data corruption.
> 
> The corruption is most likely to be observed when connections are
> unstable, as reconnects trigger write retries that re-send the
> already-encrypted page cache data.
> 
> The sync path can be reached during partial-page O_WRONLY writes when
> the page is not in cache (common for append workloads with repeated
> open/write/close patterns).
> 
> The async write path (smb2_async_writev) is not affected because it
> passes data via rqst.rq_iter, which the encryption layer handles
> without modifying the source buffers.
> 
> Fix by setting rq_nvec = 1 (header only) and moving data kvecs into
> rq_iter via iov_iter_kvec().
> 
> Signed-off-by: Bharath SM <bharathsm@microsoft.com>
> Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
> Cc: stable@vger.kernel.org
> ---
>  fs/smb/client/smb2pdu.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c
> index a8890ae21714..a88a19dec494 100644
> --- a/fs/smb/client/smb2pdu.c
> +++ b/fs/smb/client/smb2pdu.c
> @@ -5072,7 +5072,11 @@ SMB2_write(const unsigned int xid, struct cifs_io_parms *io_parms,
>  
>  	memset(&rqst, 0, sizeof(struct smb_rqst));
>  	rqst.rq_iov = iov;
> -	rqst.rq_nvec = n_vec + 1;
> +	rqst.rq_nvec = 1;
> +	iov_iter_kvec(&rqst.rq_iter, ITER_SOURCE, &iov[1], n_vec,
> +		      io_parms->length);
> +	rqst.rq_iter_size = io_parms->length;
> +
>  
>  	if (retries)
>  		smb2_set_replay(server, &rqst);
> -- 
> 2.45.4
> 

<formletter>

This is not the correct way to submit patches for inclusion in the
stable kernel tree.  Please read:
    https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
for how to do this properly.

</formletter>

Re: [PATCH 6.6.y] smb: client: fix page cache corruption from in-place encryption in SMB2_write

[Bharath SM]

On Wed, Mar 4, 2026 at 6:22 AM Greg KH <gregkh@linuxfoundation.org> wrote:
>
> On Wed, Mar 04, 2026 at 07:34:52PM +0530, Bharath SM wrote:
> > SMB2_write() passes data kvecs inline in rq_iov by setting
> > rqst.rq_nvec = n_vec + 1. When SMB3 encryption is negotiated,
> > smb3_init_transform_rq() -> crypt_message() encrypts data in the
> > kvec buffers in-place.
> >
> > For synchronous writes through cifs_write(), the kvec buffers point
> > directly into the page cache via kmap(). In-place encryption overwrites
> > the page cache with ciphertext. If the send fails with a replayable
> > error such as -EAGAIN (e.g., from a connection reset), SMB2_write()
> > retries the write using the same iov[1] buffer. Since iov[1] now
> > contains ciphertext from the first attempt, the retry encrypts and
> > sends ciphertext-as-data to the server, resulting in data corruption.
> >
> > The corruption is most likely to be observed when connections are
> > unstable, as reconnects trigger write retries that re-send the
> > already-encrypted page cache data.
> >
> > The sync path can be reached during partial-page O_WRONLY writes when
> > the page is not in cache (common for append workloads with repeated
> > open/write/close patterns).
> >
> > The async write path (smb2_async_writev) is not affected because it
> > passes data via rqst.rq_iter, which the encryption layer handles
> > without modifying the source buffers.
> >
> > Fix by setting rq_nvec = 1 (header only) and moving data kvecs into
> > rq_iter via iov_iter_kvec().
> >
> > Signed-off-by: Bharath SM <bharathsm@microsoft.com>
> > Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
> > Cc: stable@vger.kernel.org
> > ---
> >  fs/smb/client/smb2pdu.c | 6 +++++-
> >  1 file changed, 5 insertions(+), 1 deletion(-)
> >
> > diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c
> > index a8890ae21714..a88a19dec494 100644
> > --- a/fs/smb/client/smb2pdu.c
> > +++ b/fs/smb/client/smb2pdu.c
> > @@ -5072,7 +5072,11 @@ SMB2_write(const unsigned int xid, struct cifs_io_parms *io_parms,
> >
> >       memset(&rqst, 0, sizeof(struct smb_rqst));
> >       rqst.rq_iov = iov;
> > -     rqst.rq_nvec = n_vec + 1;
> > +     rqst.rq_nvec = 1;
> > +     iov_iter_kvec(&rqst.rq_iter, ITER_SOURCE, &iov[1], n_vec,
> > +                   io_parms->length);
> > +     rqst.rq_iter_size = io_parms->length;
> > +
> >
> >       if (retries)
> >               smb2_set_replay(server, &rqst);
> > --
> > 2.45.4
> >
>
> <formletter>
>
> This is not the correct way to submit patches for inclusion in the
> stable kernel tree.  Please read:
>     https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
> for how to do this properly.

Thanks Geg for your comments.I have submitted a modified patch to
mainline with cc: stable@vger.kernel.org
"smb: client: fix in-place encryption corruption in SMB2_write()"
d78840a6a38d312dc1a51a65317bb67e46f0b929
Please help adding this patch to stable kernels >=6.3.