There have been vulnerabilities on the TCP/IP stack on a number of platforms (maybe all?), and that's a rather smaller attack surface.
EDIT: It also looks like ksmbd has already built itself a bit of a security history:
https://access.redhat.com/solutions/6991749
EDIT2: A bad security history:
https://lwn.net/Articles/871866/
The commit history for ksmbd shows a steady stream of fixes, as expected. Worryingly, though, many of the problems being fixed are clearly security issues — not a good thing in a network filesystem implementation. Examples include:
- The code to change ownership and permissions did not check existing file permissions first.
- Failure to validate data lengths could lead to access to invalid data.
- The server would blindly follow symbolic links during pathname lookup.
- Numerous failures to validate buffer lengths, such as this one or this one.
All of those fixes were applied after ksmbd landed in the mainline; there are others that came before. Currently, twelve fixes to ksmbd credit Coverity scans in their changelogs.
Those would worry me if they showed up in a production userspace network filesystem.
The above text says that the aim is to do RDMA, to let the NIC access memory directly, but I'd think that existing Linux zero-copy interfaces would be sufficient for that.
https://en.wikipedia.org/wiki/Zero-copy
So I'd think that the target workload has to be one where you can't just fetch a big chunk of pre-existing data, where you have to interject server-generated data in response to small requests, and even the overhead of switching to userspace to generate some kind of server-generated response is too high.
Which seems like a heck of a niche case.
But it obviously got approval from the kernel team.
googles
https://www.kernel.org/doc/html/next/filesystems/smb/ksmbd.html
I guess you could accelerate open and close too.
In all seriousness, I feel like if you're in such a niche situation that you can't afford the overhead of going to userspace for that, (a) there's likely room to optimize your application to request different things and (b) CIFS might not be the best option to be sharing data over the network either.