!160 [sync] PR-150: fixed use-after-free detected by Coverity

From: @openeuler-sync-bot 
Reviewed-by: @swf504 
Signed-off-by: @swf504

0023-Fix-probe-core-dump-while-admin-cmd-timeout.patch

@@ -0,0 +1,34 @@
+From c89931a6c3e7041dd7b6378438a48046cc5d5d57 Mon Sep 17 00:00:00 2001
+From: Zht-Try <zhanghongtao22@huawei.com>
+Date: Tue, 5 Mar 2024 19:59:10 +0800
+Subject: [PATCH] Fix probe core dump while admin cmd timeout
+
+Signed-off-by: zhanghongtao <zhanghongtao22@huawei.com>
+---
+ module/bdev/nvme/bdev_nvme.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/module/bdev/nvme/bdev_nvme.c b/module/bdev/nvme/bdev_nvme.c
+index e9d730d..425436f 100644
+--- a/module/bdev/nvme/bdev_nvme.c
++++ b/module/bdev/nvme/bdev_nvme.c
+@@ -1592,6 +1592,8 @@ nvme_bdev_ctrlr_create(struct spdk_nvme_ctrlr *ctrlr,
+ 	spdk_nvme_ctrlr_register_aer_callback(ctrlr, aer_cb, nvme_bdev_ctrlr);
+ 	spdk_nvme_ctrlr_set_remove_cb(ctrlr, remove_cb, nvme_bdev_ctrlr);
+ 
++	TAILQ_INSERT_HEAD(&nvme_bdev_ctrlr->trids, trid_entry, link);
++
+ 	if (spdk_nvme_ctrlr_get_flags(nvme_bdev_ctrlr->ctrlr) &
+ 	    SPDK_NVME_CTRLR_SECURITY_SEND_RECV_SUPPORTED) {
+ 		nvme_bdev_ctrlr->opal_dev = spdk_opal_dev_construct(nvme_bdev_ctrlr->ctrlr);
+@@ -1600,7 +1602,6 @@ nvme_bdev_ctrlr_create(struct spdk_nvme_ctrlr *ctrlr,
+ 		}
+ 	}
+ 
+-	TAILQ_INSERT_HEAD(&nvme_bdev_ctrlr->trids, trid_entry, link);
+ 	return 0;
+ 
+ err_init_ocssd:
+-- 
+2.33.0
+

0024-Fix-build-warning.patch

@@ -0,0 +1,129 @@
+From d3fdb05328531608736cf68880b9f39da6f3b9cd Mon Sep 17 00:00:00 2001
+From: wangxiaomeng <wangxiaomeng@kylinos.cn>
+Date: Thu, 14 Mar 2024 17:19:12 +0800
+Subject: [PATCH] Fix build warning
+
+---
+ app/spdk_top/spdk_top.c | 32 ++++++++++++++++----------------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/app/spdk_top/spdk_top.c b/app/spdk_top/spdk_top.c
+index 3c0a889..d72c26f 100644
+--- a/app/spdk_top/spdk_top.c
++++ b/app/spdk_top/spdk_top.c
+@@ -674,7 +674,7 @@ print_max_len(WINDOW *win, int row, uint16_t col, uint16_t max_len, enum str_ali
+ 		snprintf(&tmp_str[max_str - DOTS_STR_LEN - 2], DOTS_STR_LEN, "%s", dots);
+ 	}
+ 
+-	mvwprintw(win, row, col, tmp_str);
++	mvwprintw(win, row, col, "%s", tmp_str);
+ 
+ 	refresh();
+ 	wrefresh(win);
+@@ -1937,19 +1937,19 @@ display_thread(struct rpc_thread_info *thread_info)
+ 
+ 	print_left(thread_win, 3, THREAD_WIN_FIRST_COL, THREAD_WIN_WIDTH,
+ 		   "Core:                Idle [us]:            Busy [us]:", COLOR_PAIR(5));
+-	mvwprintw(thread_win, 3, THREAD_WIN_FIRST_COL + 6, "%" PRIu64,
++	mvwprintw(thread_win, 3, THREAD_WIN_FIRST_COL + 6, "%d",
+ 		  thread_info->core_num);
+ 
+ 	if (g_interval_data) {
+ 		get_time_str(g_thread_history[thread_info->id].idle, idle_time);
+-		mvwprintw(thread_win, 3, THREAD_WIN_FIRST_COL + 32, idle_time);
++		mvwprintw(thread_win, 3, THREAD_WIN_FIRST_COL + 32, "%s", idle_time);
+ 		get_time_str(g_thread_history[thread_info->id].busy, busy_time);
+-		mvwprintw(thread_win, 3, THREAD_WIN_FIRST_COL + 54, busy_time);
++		mvwprintw(thread_win, 3, THREAD_WIN_FIRST_COL + 54, "%s", busy_time);
+ 	} else {
+ 		get_time_str(thread_info->idle, idle_time);
+-		mvwprintw(thread_win, 3, THREAD_WIN_FIRST_COL + 32, idle_time);
++		mvwprintw(thread_win, 3, THREAD_WIN_FIRST_COL + 32, "%s", idle_time);
+ 		get_time_str(thread_info->busy, busy_time);
+-		mvwprintw(thread_win, 3, THREAD_WIN_FIRST_COL + 54, busy_time);
++		mvwprintw(thread_win, 3, THREAD_WIN_FIRST_COL + 54, "%s", busy_time);
+ 	}
+ 
+ 	print_left(thread_win, 4, THREAD_WIN_FIRST_COL, THREAD_WIN_WIDTH,
+@@ -1979,7 +1979,7 @@ display_thread(struct rpc_thread_info *thread_info)
+ 				mvwprintw(thread_win, current_row, THREAD_WIN_FIRST_COL, "%s", poller->name);
+ 				mvwprintw(thread_win, current_row, THREAD_WIN_FIRST_COL + 33, "Active");
+ 				snprintf(run_count, MAX_POLLER_COUNT_STR_LEN, "%" PRIu64, poller->run_count);
+-				mvwprintw(thread_win, current_row, THREAD_WIN_FIRST_COL + 41, run_count);
++				mvwprintw(thread_win, current_row, THREAD_WIN_FIRST_COL + 41, "%s", run_count);
+ 				current_row++;
+ 			}
+ 			pollers = &thread->timed_pollers;
+@@ -2108,20 +2108,20 @@ show_core(uint8_t current_page)
+ 		get_time_str(core_info[core_number]->idle, idle_time);
+ 		get_time_str(core_info[core_number]->busy, busy_time);
+ 	}
+-	mvwprintw(core_win, 3, CORE_WIN_FIRST_COL + 20, idle_time);
++	mvwprintw(core_win, 3, CORE_WIN_FIRST_COL + 20, "%s", idle_time);
+ 
+ 	print_left(core_win, 5, 1, CORE_WIN_WIDTH, "Poller count:          Busy time:", COLOR_PAIR(5));
+ 	mvwprintw(core_win, 5, CORE_WIN_FIRST_COL, "%" PRIu64,
+ 		  g_cores_history[core_number].pollers_count);
+ 
+-	mvwprintw(core_win, 5, CORE_WIN_FIRST_COL + 20, busy_time);
++	mvwprintw(core_win, 5, CORE_WIN_FIRST_COL + 20, "%s", busy_time);
+ 
+ 	mvwhline(core_win, 4, 1, ACS_HLINE, CORE_WIN_WIDTH - 2);
+ 	mvwhline(core_win, 6, 1, ACS_HLINE, CORE_WIN_WIDTH - 2);
+ 	print_left(core_win, 7, 1, CORE_WIN_WIDTH, "Threads on this core", COLOR_PAIR(5));
+ 
+ 	for (j = 0; j < core_info[core_number]->threads.threads_count; j++) {
+-		mvwprintw(core_win, j + 8, 1, core_info[core_number]->threads.thread[j].name);
++		mvwprintw(core_win, j + 8, 1, "%s", core_info[core_number]->threads.thread[j].name);
+ 	}
+ 
+ 	refresh();
+@@ -2132,7 +2132,7 @@ show_core(uint8_t current_page)
+ 	while (!stop_loop) {
+ 		for (j = 0; j < core_info[core_number]->threads.threads_count; j++) {
+ 			if (j != current_threads_row) {
+-				mvwprintw(core_win, j + 8, 1, core_info[core_number]->threads.thread[j].name);
++				mvwprintw(core_win, j + 8, 1, "%s", core_info[core_number]->threads.thread[j].name);
+ 			} else {
+ 				print_left(core_win, j + 8, 1, CORE_WIN_WIDTH - 2,
+ 					   core_info[core_number]->threads.thread[j].name, COLOR_PAIR(2));
+@@ -2204,9 +2204,9 @@ show_poller(uint8_t current_page)
+ 	mvwaddch(poller_win, 2, POLLER_WIN_WIDTH, ACS_RTEE);
+ 
+ 	print_left(poller_win, 3, 2, POLLER_WIN_WIDTH, "Type:                  On thread:", COLOR_PAIR(5));
+-	mvwprintw(poller_win, 3, POLLER_WIN_FIRST_COL,
++	mvwprintw(poller_win, 3, POLLER_WIN_FIRST_COL, "%s",
+ 		  poller_type_str[pollers[poller_number]->type]);
+-	mvwprintw(poller_win, 3, POLLER_WIN_FIRST_COL + 23, pollers[poller_number]->thread_name);
++	mvwprintw(poller_win, 3, POLLER_WIN_FIRST_COL + 23, "%s", pollers[poller_number]->thread_name);
+ 
+ 	print_left(poller_win, 4, 2, POLLER_WIN_WIDTH, "Run count:", COLOR_PAIR(5));
+ 
+@@ -2221,7 +2221,7 @@ show_poller(uint8_t current_page)
+ 	if (pollers[poller_number]->period_ticks != 0) {
+ 		print_left(poller_win, 4, 28, POLLER_WIN_WIDTH, "Period:", COLOR_PAIR(5));
+ 		get_time_str(g_pollers_history[poller_number].period_ticks, poller_period);
+-		mvwprintw(poller_win, 4, POLLER_WIN_FIRST_COL + 23, poller_period);
++		mvwprintw(poller_win, 4, POLLER_WIN_FIRST_COL + 23, "%s", poller_period);
+ 	}
+ 	mvwhline(poller_win, 5, 1, ACS_HLINE, POLLER_WIN_WIDTH - 2);
+ 	print_in_middle(poller_win, 6, 1, POLLER_WIN_WIDTH - 7, "Status:", COLOR_PAIR(5));
+@@ -2374,13 +2374,13 @@ show_stats(void)
+ 			time_last = time_now.tv_sec;
+ 			rc = get_data();
+ 			if (rc) {
+-				mvprintw(g_max_row - 1, g_max_col - strlen(refresh_error) - 2, refresh_error);
++				mvprintw(g_max_row - 1, g_max_col - strlen(refresh_error) - 2, "%s", refresh_error);
+ 			}
+ 
+ 			max_pages = refresh_tab(active_tab, current_page);
+ 
+ 			snprintf(current_page_str, CURRENT_PAGE_STR_LEN - 1, "Page: %d/%d", current_page + 1, max_pages);
+-			mvprintw(g_max_row - 1, 1, current_page_str);
++			mvprintw(g_max_row - 1, 1, "%s", current_page_str);
+ 
+ 			free_data();
+ 
+-- 
+2.33.0
+

0025-ut-rdma-Fix-GCC-10.2.0-warning.patch

@@ -0,0 +1,94 @@
+From dd5d0c45dcfc51acc80f47be0367e25c10b9436f Mon Sep 17 00:00:00 2001
+From: Alexey Marchuk <alexeymar@mellanox.com>
+Date: Wed, 14 Apr 2021 11:27:38 +0300
+Subject: [PATCH] ut/rdma: Fix GCC 10.2.0 warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+rdma_ut.c: In function ‘test_spdk_nvmf_rdma_request_parse_sgl_with_md’:
+rdma_ut.c:1152:54: warning: array subscript 10 is outside array bounds of ‘struct spdk_nvmf_rdma_request_data[1]’ [-Warray-bounds]
+ 1152 |  aligned_buffer = (void *)((uintptr_t)((char *)&data + NVMF_DATA_BUFFER_MASK) &
+      |                                       ~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~
+rdma_ut.c:834:37: note: while referencing ‘data’
+  834 |  struct spdk_nvmf_rdma_request_data data;
+      |                                     ^~~~
+
+The fix is to use array instead of spdk_nvmf_rdma_request_data
+structure
+
+Change-Id: I81bd311d26037dcb9340d85abcb4ea45b20a5171
+Reported-by: G.Balaji <gbalajieie@gmail.com>
+Signed-off-by: Alexey Marchuk <alexeymar@mellanox.com>
+Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/7365
+Community-CI: Broadcom CI
+Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
+Reviewed-by: <dongx.yi@intel.com>
+Reviewed-by: Shuhei Matsumoto <shuhei.matsumoto.xt@hitachi.com>
+Reviewed-by: Jim Harris <james.r.harris@intel.com>
+---
+ test/unit/lib/nvmf/rdma.c/rdma_ut.c | 23 ++++++++++++-----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+
+diff --git a/test/unit/lib/nvmf/rdma.c/rdma_ut.c b/test/unit/lib/nvmf/rdma.c/rdma_ut.c
+index 8674f52..eb46a4c 100644
+--- a/test/unit/lib/nvmf/rdma.c/rdma_ut.c
++++ b/test/unit/lib/nvmf/rdma.c/rdma_ut.c
+@@ -836,7 +836,8 @@ test_spdk_nvmf_rdma_request_parse_sgl_with_md(void)
+ 	union nvmf_h2c_msg cmd;
+ 	struct spdk_nvme_sgl_descriptor *sgl;
+ 	struct spdk_nvme_sgl_descriptor sgl_desc[SPDK_NVMF_MAX_SGL_ENTRIES] = {{0}};
+-	struct spdk_nvmf_rdma_request_data data;
++	char data_buffer[8192];
++	struct spdk_nvmf_rdma_request_data *data = (struct spdk_nvmf_rdma_request_data *)data_buffer;
+ 	char data2_buffer[8192];
+ 	struct spdk_nvmf_rdma_request_data *data2 = (struct spdk_nvmf_rdma_request_data *)data2_buffer;
+ 	const uint32_t data_bs = 512;
+@@ -844,7 +845,7 @@ test_spdk_nvmf_rdma_request_parse_sgl_with_md(void)
+ 	int rc, i;
+ 	void *aligned_buffer;
+ 
+-	data.wr.sg_list = data.sgl;
++	data->wr.sg_list = data->sgl;
+ 	STAILQ_INIT(&group.group.buf_cache);
+ 	group.group.buf_cache_size = 0;
+ 	group.group.buf_cache_count = 0;
+@@ -1153,8 +1154,8 @@ test_spdk_nvmf_rdma_request_parse_sgl_with_md(void)
+ 	sgl->unkeyed.subtype = SPDK_NVME_SGL_SUBTYPE_OFFSET;
+ 	sgl->address = 0;
+ 	rdma_req.recv->buf = (void *)&sgl_desc;
+-	MOCK_SET(spdk_mempool_get, &data);
+-	aligned_buffer = (void *)((uintptr_t)((char *)&data + NVMF_DATA_BUFFER_MASK) &
++	MOCK_SET(spdk_mempool_get, data_buffer);
++	aligned_buffer = (void *)((uintptr_t)(data_buffer + NVMF_DATA_BUFFER_MASK) &
+ 				  ~NVMF_DATA_BUFFER_MASK);
+ 
+ 	/* part 1: 2 segments each with 1 wr. io_unit_size is aligned with data_bs + md_size */
+@@ -1190,17 +1191,17 @@ test_spdk_nvmf_rdma_request_parse_sgl_with_md(void)
+ 
+ 	CU_ASSERT(rdma_req.data.wr.wr.rdma.rkey == 0x44);
+ 	CU_ASSERT(rdma_req.data.wr.wr.rdma.remote_addr == 0x4000);
+-	CU_ASSERT(rdma_req.data.wr.next == &data.wr);
+-	CU_ASSERT(data.wr.wr.rdma.rkey == 0x44);
+-	CU_ASSERT(data.wr.wr.rdma.remote_addr == 0x4000 + data_bs * 4);
+-	CU_ASSERT(data.wr.num_sge == 4);
++	CU_ASSERT(rdma_req.data.wr.next == &data->wr);
++	CU_ASSERT(data->wr.wr.rdma.rkey == 0x44);
++	CU_ASSERT(data->wr.wr.rdma.remote_addr == 0x4000 + data_bs * 4);
++	CU_ASSERT(data->wr.num_sge == 4);
+ 	for (i = 0; i < 4; ++i) {
+-		CU_ASSERT(data.wr.sg_list[i].addr == (uintptr_t)((unsigned char *)aligned_buffer) + i *
++		CU_ASSERT(data->wr.sg_list[i].addr == (uintptr_t)((unsigned char *)aligned_buffer) + i *
+ 			  (data_bs + md_size));
+-		CU_ASSERT(data.wr.sg_list[i].length == data_bs);
++		CU_ASSERT(data->wr.sg_list[i].length == data_bs);
+ 	}
+ 
+-	CU_ASSERT(data.wr.next == &rdma_req.rsp.wr);
++	CU_ASSERT(data->wr.next == &rdma_req.rsp.wr);
+ }
+ 
+ int main(int argc, char **argv)
+-- 
+2.33.0
+

0026-lib-nvme-add-mutex-before-submit-admin-request.patch

@@ -0,0 +1,57 @@
+From 4224fc348bc320803ee7af2d091353cfb0f5981b Mon Sep 17 00:00:00 2001
+From: Marcin Spiewak <marcin.spiewak@intel.com>
+Date: Wed, 20 Mar 2024 16:59:06 +0100
+Subject: [PATCH] lib/nvme: add mutex before submit admin request
+
+Conflict:NA
+Reference:https://github.com/spdk/spdk/commit/4224fc348bc320803ee7af2d091353cfb0f5981b
+
+In nvme_ctrlr_cmd_identify(), the call to
+nvme_ctrlr_submit_admin_request() shall be
+preceeded by taking ctrlr->ctrlr_lock mutex,
+like in other places in the code.
+
+Change-Id: Ibd4ef2aa02d906dac853e537df9a837974b6c358
+Signed-off-by: Marcin Spiewak <marcin.spiewak@intel.com>
+Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/22419
+Reviewed-by: Konrad Sztyber <konrad.sztyber@intel.com>
+Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
+Reviewed-by: Jim Harris <jim.harris@samsung.com>
+---
+ lib/nvme/nvme_ctrlr_cmd.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/lib/nvme/nvme_ctrlr_cmd.c b/lib/nvme/nvme_ctrlr_cmd.c
+index bcc92b29c..2f00ef83c 100644
+--- a/lib/nvme/nvme_ctrlr_cmd.c
++++ b/lib/nvme/nvme_ctrlr_cmd.c
+@@ -152,11 +152,14 @@ nvme_ctrlr_cmd_identify(struct spdk_nvme_ctrlr *ctrlr, uint8_t cns, uint16_t cnt
+ {
+ 	struct nvme_request *req;
+ 	struct spdk_nvme_cmd *cmd;
++	int		     rc;
+ 
++	nvme_robust_mutex_lock(&ctrlr->ctrlr_lock);
+ 	req = nvme_allocate_request_user_copy(ctrlr->adminq,
+ 					      payload, payload_size,
+ 					      cb_fn, cb_arg, false);
+ 	if (req == NULL) {
++		nvme_robust_mutex_unlock(&ctrlr->ctrlr_lock);
+ 		return -ENOMEM;
+ 	}
+ 
+@@ -167,7 +170,10 @@ nvme_ctrlr_cmd_identify(struct spdk_nvme_ctrlr *ctrlr, uint8_t cns, uint16_t cnt
+ 	cmd->cdw11_bits.identify.csi = csi;
+ 	cmd->nsid = nsid;
+ 
+-	return nvme_ctrlr_submit_admin_request(ctrlr, req);
++	rc = nvme_ctrlr_submit_admin_request(ctrlr, req);
++
++	nvme_robust_mutex_unlock(&ctrlr->ctrlr_lock);
++	return rc;
+ }
+ 
+ int
+-- 
+2.27.0
+

0027--nvme-cuse-Add-ctrlr_lock-for-cuse-register-and-unreg.patch

@@ -0,0 +1,98 @@
+From 253cca4fc3a89c38e79d2e940c5a0b7bb082afcc Mon Sep 17 00:00:00 2001
+From: Zhanghongtao2417 <651380626@qq.com>
+Date: Fri, 26 Apr 2024 22:01:25 +0800
+Subject: [PATCH] nvme/cuse: Add ctrlr_lock for cuse register and unregister
+
+conflicts:
+lib/nvme/nvme_io_msg.c  nvme_io_msg_ctrlr_update
+
+spdk_nvme_cuse_unregister and spdk_nvme_ctrlr_process_admin_completions
+ running at the same time, concurrently operate external_io_msgs.
+So we add locks to protect.
+
+Fixes #3353
+
+Change-Id: Id5176975676c29a475e8e2a0d7c93e44646c00dc
+Signed-off-by: Zhanghongtao2417 <651380626@qq.com>
+Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/22927
+Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
+Community-CI: Mellanox Build Bot
+Reviewed-by: Jim Harris <jim.harris@samsung.com>
+Reviewed-by: Konrad Sztyber <konrad.sztyber@intel.com>
+---
+ lib/nvme/nvme_io_msg.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/lib/nvme/nvme_io_msg.c b/lib/nvme/nvme_io_msg.c
+index 94c4d071c..e11e67c85 100644
+--- a/lib/nvme/nvme_io_msg.c
++++ b/lib/nvme/nvme_io_msg.c
+@@ -111,13 +111,16 @@ nvme_io_msg_ctrlr_register(struct spdk_nvme_ctrlr *ctrlr,
+ 		return -EINVAL;
+ 	}
+ 
++	nvme_robust_mutex_lock(&ctrlr->ctrlr_lock);
+ 	if (nvme_io_msg_is_producer_registered(ctrlr, io_msg_producer)) {
++		nvme_robust_mutex_unlock(&ctrlr->ctrlr_lock);
+ 		return -EEXIST;
+ 	}
+ 
+ 	if (!STAILQ_EMPTY(&ctrlr->io_producers) || ctrlr->is_resetting) {
+ 		/* There are registered producers - IO messaging already started */
+ 		STAILQ_INSERT_TAIL(&ctrlr->io_producers, io_msg_producer, link);
++		nvme_robust_mutex_unlock(&ctrlr->ctrlr_lock);
+ 		return 0;
+ 	}
+ 
+@@ -129,6 +132,7 @@ nvme_io_msg_ctrlr_register(struct spdk_nvme_ctrlr *ctrlr,
+ 	ctrlr->external_io_msgs = spdk_ring_create(SPDK_RING_TYPE_MP_SC, 65536, SPDK_ENV_SOCKET_ID_ANY);
+ 	if (!ctrlr->external_io_msgs) {
+ 		SPDK_ERRLOG("Unable to allocate memory for message ring\n");
++		nvme_robust_mutex_unlock(&ctrlr->ctrlr_lock);
+ 		return -ENOMEM;
+ 	}
+ 
+@@ -137,10 +141,12 @@ nvme_io_msg_ctrlr_register(struct spdk_nvme_ctrlr *ctrlr,
+ 		SPDK_ERRLOG("spdk_nvme_ctrlr_alloc_io_qpair() failed\n");
+ 		spdk_ring_free(ctrlr->external_io_msgs);
+ 		ctrlr->external_io_msgs = NULL;
++		nvme_robust_mutex_unlock(&ctrlr->ctrlr_lock);
+ 		return -ENOMEM;
+ 	}
+ 
+ 	STAILQ_INSERT_TAIL(&ctrlr->io_producers, io_msg_producer, link);
++	nvme_robust_mutex_unlock(&ctrlr->ctrlr_lock);
+ 
+ 	return 0;
+ }
+@@ -156,9 +162,11 @@ nvme_io_msg_ctrlr_update(struct spdk_nvme_ctrlr *ctrlr)
+ 	struct nvme_io_msg_producer *io_msg_producer;
+ 
+ 	/* Update all producers */
++	nvme_robust_mutex_lock(&ctrlr->ctrlr_lock);
+ 	STAILQ_FOREACH(io_msg_producer, &ctrlr->io_producers, link) {
+ 		io_msg_producer->update(ctrlr);
+ 	}
++	nvme_robust_mutex_unlock(&ctrlr->ctrlr_lock);
+ }
+ 
+ void
+@@ -195,7 +203,9 @@ nvme_io_msg_ctrlr_unregister(struct spdk_nvme_ctrlr *ctrlr,
+ {
+ 	assert(io_msg_producer != NULL);
+ 
++	nvme_robust_mutex_lock(&ctrlr->ctrlr_lock);
+ 	if (!nvme_io_msg_is_producer_registered(ctrlr, io_msg_producer)) {
++		nvme_robust_mutex_unlock(&ctrlr->ctrlr_lock);
+ 		return;
+ 	}
+ 
+@@ -203,4 +213,5 @@ nvme_io_msg_ctrlr_unregister(struct spdk_nvme_ctrlr *ctrlr,
+ 	if (STAILQ_EMPTY(&ctrlr->io_producers)) {
+ 		nvme_io_msg_ctrlr_detach(ctrlr);
+ 	}
++	nvme_robust_mutex_unlock(&ctrlr->ctrlr_lock);
+ }
+-- 
+2.33.0
+

0028-fixed-use-after-free-detected-by-Coverity.patch

@@ -0,0 +1,43 @@
+From 19cfba7624a31bc5790a335158244b29657e9253 Mon Sep 17 00:00:00 2001
+From: Marcin Spiewak <marcin.spiewak@intel.com>
+Date: Fri, 19 Jan 2024 12:30:41 +0100
+Subject: [PATCH] lib/nvme: fixed use-after-free detected by Coverity
+
+If cuse_nvme_ctrlr_update_namespaces(ctrlr_device) fails,
+the cuse_nvme_ctrlr_stop(ctrlr_device) function is called. This
+function frees ctrl_device, and also clears/frees bit arrays,
+so there is no need to jump to clear_and_free label, as these
+operations ale already done. Just return with appropriate error
+code.
+If there is a jump, we will try to access already freed memory
+(ctrl_device->index) in line 1213
+
+Change-Id: I4217c3783a22781feabbae9735d44479c5f511d9
+Signed-off-by: Marcin Spiewak <marcin.spiewak@intel.com>
+Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/21518
+Community-CI: Mellanox Build Bot
+Reviewed-by: Konrad Sztyber <konrad.sztyber@intel.com>
+Reviewed-by: Aleksey Marchuk <alexeymar@nvidia.com>
+Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
+
+---
+ lib/nvme/nvme_cuse.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/lib/nvme/nvme_cuse.c b/lib/nvme/nvme_cuse.c
+index 62d1422..0a78b8e 100644
+--- a/lib/nvme/nvme_cuse.c
++++ b/lib/nvme/nvme_cuse.c
+@@ -904,8 +904,7 @@ nvme_cuse_start(struct spdk_nvme_ctrlr *ctrlr)
+ 	if (cuse_nvme_ctrlr_update_namespaces(ctrlr_device) < 0) {
+ 		SPDK_ERRLOG("Cannot start CUSE namespace devices.");
+ 		cuse_nvme_ctrlr_stop(ctrlr_device);
+-		rv = -1;
+-		goto err3;
++		return -1;
+ 	}
+ 
+ 	return 0;
+-- 
+2.27.0
+

spdk.spec

@@ -3,7 +3,7 @@
 
 Name: spdk
 Version: 21.01.1
-Release: 10
+Release: 15
 Summary: Set of libraries and utilities for high performance user-mode storage
 License: BSD and MIT
 URL: http://spdk.io
@@ -30,6 +30,12 @@ Patch19: 0019-build-Specify-the-target-build-architecture-for-LOON.patch
 Patch20: 0020-configure-add-CONFIG_HAVE_ARC4RANDOM.patch
 Patch21: 0021-lib-bdev-return-error-when-failing-to-get-resource.patch
 Patch22: 0022-Fix-the-build-error-ppc64le-gnu-gcc-does-not-support.patch
+Patch23: 0023-Fix-probe-core-dump-while-admin-cmd-timeout.patch
+Patch24: 0024-Fix-build-warning.patch
+Patch25: 0025-ut-rdma-Fix-GCC-10.2.0-warning.patch
+Patch26: 0026-lib-nvme-add-mutex-before-submit-admin-request.patch
+Patch27: 0027--nvme-cuse-Add-ctrlr_lock-for-cuse-register-and-unreg.patch
+Patch28: 0028-fixed-use-after-free-detected-by-Coverity.patch
 
 %define package_version %{version}-%{release}
 
@@ -47,7 +53,7 @@ Patch22: 0022-Fix-the-build-error-ppc64le-gnu-gcc-does-not-support.patch
 ExclusiveArch: x86_64 aarch64 loongarch64 ppc64le
 
 BuildRequires: gcc gcc-c++ make
-BuildRequires: dpdk-devel, numactl-devel, ncurses-devel
+BuildRequires: dpdk-devel >= 21.11, numactl-devel, ncurses-devel
 BuildRequires: libiscsi-devel, libaio-devel, openssl-devel, libuuid-devel
 BuildRequires: libibverbs-devel, librdmacm-devel
 BuildRequires: CUnit, CUnit-devel
@@ -200,6 +206,21 @@ mv doc/output/html/ %{install_docdir}
 
 
 %changelog
+* Mon May 20 2024 yanshuai <yanshuai01@kylinos.cn> - 21.01.1-15
+- lib/nvme: fixed use-after-free detected by Coverity
+
+* Mon May 20 2024 Hongtao Zhang <zhanghongtao22@huawei.com> - 21.01.1-14
+- nvme/cuse: Add ctrlr_lock for cuse register and unregister
+
+* Mon Apr 29 2024 Hongtao Zhang <zhanghongtao22@huawei.com> - 21.01.1-13
+- lib/nvme: add mutex before submit admin request
+
+* Fri Mar 15 2024 wangxiaomeng <wangxiaomeng@kylinos.cn> - 21.01.1-12
+- Fix build warning
+
+* Wed Mar 6 2024 Hongtao Zhang <zhanghongtao22@huawei.com> - 21.01.1-11
+- Fix probe core dump while admin cmd timeout
+
 * Mon Mar  4 2024 Ren Zhijie <zhijie.ren@shingroup.cn> - 21.01.1-10
 - Add support for ppc64le