release 6.15.3

debian/patches/patchset-pf/smb/0009-ksmbd-fix-null-pointer-dereference-in-destroy_previo.patch

@@ -0,0 +1,45 @@
+From 9d330e139e9993f2489fcfe3048c8e737085646d Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Fri, 13 Jun 2025 10:12:43 +0900
+Subject: ksmbd: fix null pointer dereference in destroy_previous_session
+
+If client set ->PreviousSessionId on kerberos session setup stage,
+NULL pointer dereference error will happen. Since sess->user is not
+set yet, It can pass the user argument as NULL to destroy_previous_session.
+sess->user will be set in ksmbd_krb5_authenticate(). So this patch move
+calling destroy_previous_session() after ksmbd_krb5_authenticate().
+
+Cc: stable@vger.kernel.org
+Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-27391
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+---
+ fs/smb/server/smb2pdu.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -1607,17 +1607,18 @@ static int krb5_authenticate(struct ksmb
+ 	out_len = work->response_sz -
+ 		(le16_to_cpu(rsp->SecurityBufferOffset) + 4);
+ 
+-	/* Check previous session */
+-	prev_sess_id = le64_to_cpu(req->PreviousSessionId);
+-	if (prev_sess_id && prev_sess_id != sess->id)
+-		destroy_previous_session(conn, sess->user, prev_sess_id);
+-
+ 	retval = ksmbd_krb5_authenticate(sess, in_blob, in_len,
+ 					 out_blob, &out_len);
+ 	if (retval) {
+ 		ksmbd_debug(SMB, "krb5 authentication failed\n");
+ 		return -EINVAL;
+ 	}
++
++	/* Check previous session */
++	prev_sess_id = le64_to_cpu(req->PreviousSessionId);
++	if (prev_sess_id && prev_sess_id != sess->id)
++		destroy_previous_session(conn, sess->user, prev_sess_id);
++
+ 	rsp->SecurityBufferLength = cpu_to_le16(out_len);
+ 
+ 	if ((conn->sign || server_conf.enforced_signing) ||