diff --git a/backport-libbpf-Fix-hypothetical-STT_SECTION-extern-NULL-deref-case.patch b/backport-libbpf-Fix-hypothetical-STT_SECTION-extern-NULL-deref-case.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f6cb0ce9338bee91e1366326e7b38225ad9c3816
--- /dev/null
+++ b/backport-libbpf-Fix-hypothetical-STT_SECTION-extern-NULL-deref-case.patch
@@ -0,0 +1,34 @@
+From f51de57e54d9a28a065c301ec0536ad377a134cc Mon Sep 17 00:00:00 2001
+From: Andrii Nakryiko <andrii@kernel.org>
+Date: Wed, 19 Feb 2025 16:28:21 -0800
+Subject: [PATCH] libbpf: Fix hypothetical STT_SECTION extern NULL deref case
+
+Fix theoretical NULL dereference in linker when resolving *extern*
+STT_SECTION symbol against not-yet-existing ELF section. Not sure if
+it's possible in practice for valid ELF object files (this would require
+embedded assembly manipulations, at which point BTF will be missing),
+but fix the s/dst_sym/dst_sec/ typo guarding this condition anyways.
+
+Fixes: faf6ed321cf6 ("libbpf: Add BPF static linker APIs")
+Fixes: a46349227cd8 ("libbpf: Add linker extern resolution support for functions and global variables")
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/r/20250220002821.834400-1-andrii@kernel.org
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Ihor Solodrai <ihor.solodrai@linux.dev>
+---
+ src/linker.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/linker.c b/src/linker.c
+index b52f71c59..800e0ef09 100644
+--- a/src/linker.c
++++ b/src/linker.c
+@@ -2163,7 +2163,7 @@ static int linker_append_elf_sym(struct bpf_linker *linker, struct src_obj *obj,
+ 
+ 	obj->sym_map[src_sym_idx] = dst_sym_idx;
+ 
+-	if (sym_type == STT_SECTION && dst_sym) {
++	if (sym_type == STT_SECTION && dst_sec) {
+ 		dst_sec->sec_sym_idx = dst_sym_idx;
+ 		dst_sym->st_value = 0;
+ 	}
diff --git a/backport-libbpf-Fix-out-of-bound-read.patch b/backport-libbpf-Fix-out-of-bound-read.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e05081d49e05175224756562eeb6722a7299a805
--- /dev/null
+++ b/backport-libbpf-Fix-out-of-bound-read.patch
@@ -0,0 +1,36 @@
+From d4d238b1314a9ecd027f2ffefe63f96547640b62 Mon Sep 17 00:00:00 2001
+From: Nandakumar Edamana <nandakumar@nandakumar.co.in>
+Date: Sat, 22 Feb 2025 02:31:11 +0530
+Subject: [PATCH] libbpf: Fix out-of-bound read
+
+In `set_kcfg_value_str`, an untrusted string is accessed with the assumption
+that it will be at least two characters long due to the presence of checks for
+opening and closing quotes. But the check for the closing quote
+(value[len - 1] != '"') misses the fact that it could be checking the opening
+quote itself in case of an invalid input that consists of just the opening
+quote.
+
+This commit adds an explicit check to make sure the string is at least two
+characters long.
+
+Signed-off-by: Nandakumar Edamana <nandakumar@nandakumar.co.in>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20250221210110.3182084-1-nandakumar@nandakumar.co.in
+Signed-off-by: Ihor Solodrai <ihor.solodrai@linux.dev>
+---
+ src/libbpf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libbpf.c b/src/libbpf.c
+index 6df258912..899e98225 100644
+--- a/src/libbpf.c
++++ b/src/libbpf.c
+@@ -2106,7 +2106,7 @@ static int set_kcfg_value_str(struct extern_desc *ext, char *ext_val,
+ 	}
+ 
+ 	len = strlen(value);
+-	if (value[len - 1] != '"') {
++	if (len < 2 || value[len - 1] != '"') {
+ 		pr_warn("extern (kcfg) '%s': invalid string config '%s'\n",
+ 			ext->name, value);
+ 		return -EINVAL;
diff --git a/backport-libbpf-fix-LDX_STX_ST-CO-RE-relocation-size-adjustment-logic.patch b/backport-libbpf-fix-LDX_STX_ST-CO-RE-relocation-size-adjustment-logic.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ca75509377a31382add94a380e95b9006c46f9bb
--- /dev/null
+++ b/backport-libbpf-fix-LDX_STX_ST-CO-RE-relocation-size-adjustment-logic.patch
@@ -0,0 +1,85 @@
+From 330a7f3e82e2154fa2da1af79d0525043d08d08a Mon Sep 17 00:00:00 2001
+From: Andrii Nakryiko <andrii@kernel.org>
+Date: Thu, 6 Feb 2025 17:48:08 -0800
+Subject: [PATCH] libbpf: fix LDX/STX/ST CO-RE relocation size adjustment logic
+
+Libbpf has a somewhat obscure feature of automatically adjusting the
+"size" of LDX/STX/ST instruction (memory store and load instructions),
+based on originally recorded access size (u8, u16, u32, or u64) and the
+actual size of the field on target kernel. This is meant to facilitate
+using BPF CO-RE on 32-bit architectures (pointers are always 64-bit in
+BPF, but host kernel's BTF will have it as 32-bit type), as well as
+generally supporting safe type changes (unsigned integer type changes
+can be transparently "relocated").
+
+One issue that surfaced only now, 5 years after this logic was
+implemented, is how this all works when dealing with fields that are
+arrays. This isn't all that easy and straightforward to hit (see
+selftests that reproduce this condition), but one of sched_ext BPF
+programs did hit it with innocent looking loop.
+
+Long story short, libbpf used to calculate entire array size, instead of
+making sure to only calculate array's element size. But it's the element
+that is loaded by LDX/STX/ST instructions (1, 2, 4, or 8 bytes), so
+that's what libbpf should check. This patch adjusts the logic for
+arrays and fixed the issue.
+
+Reported-by: Emil Tsalapatis <emil@etsalapatis.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/r/20250207014809.1573841-1-andrii@kernel.org
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Ihor Solodrai <ihor.solodrai@linux.dev>
+---
+ src/relo_core.c | 24 ++++++++++++++++++++----
+ 1 file changed, 20 insertions(+), 4 deletions(-)
+
+diff --git a/src/relo_core.c b/src/relo_core.c
+index 7632e9d41..2b83c98a1 100644
+--- a/src/relo_core.c
++++ b/src/relo_core.c
+@@ -683,7 +683,7 @@ static int bpf_core_calc_field_relo(const char *prog_name,
+ {
+ 	const struct bpf_core_accessor *acc;
+ 	const struct btf_type *t;
+-	__u32 byte_off, byte_sz, bit_off, bit_sz, field_type_id;
++	__u32 byte_off, byte_sz, bit_off, bit_sz, field_type_id, elem_id;
+ 	const struct btf_member *m;
+ 	const struct btf_type *mt;
+ 	bool bitfield;
+@@ -706,8 +706,14 @@ static int bpf_core_calc_field_relo(const char *prog_name,
+ 	if (!acc->name) {
+ 		if (relo->kind == BPF_CORE_FIELD_BYTE_OFFSET) {
+ 			*val = spec->bit_offset / 8;
+-			/* remember field size for load/store mem size */
+-			sz = btf__resolve_size(spec->btf, acc->type_id);
++			/* remember field size for load/store mem size;
++			 * note, for arrays we care about individual element
++			 * sizes, not the overall array size
++			 */
++			t = skip_mods_and_typedefs(spec->btf, acc->type_id, &elem_id);
++			while (btf_is_array(t))
++				t = skip_mods_and_typedefs(spec->btf, btf_array(t)->type, &elem_id);
++			sz = btf__resolve_size(spec->btf, elem_id);
+ 			if (sz < 0)
+ 				return -EINVAL;
+ 			*field_sz = sz;
+@@ -767,7 +773,17 @@ static int bpf_core_calc_field_relo(const char *prog_name,
+ 	case BPF_CORE_FIELD_BYTE_OFFSET:
+ 		*val = byte_off;
+ 		if (!bitfield) {
+-			*field_sz = byte_sz;
++			/* remember field size for load/store mem size;
++			 * note, for arrays we care about individual element
++			 * sizes, not the overall array size
++			 */
++			t = skip_mods_and_typedefs(spec->btf, field_type_id, &elem_id);
++			while (btf_is_array(t))
++				t = skip_mods_and_typedefs(spec->btf, btf_array(t)->type, &elem_id);
++			sz = btf__resolve_size(spec->btf, elem_id);
++			if (sz < 0)
++				return -EINVAL;
++			*field_sz = sz;
+ 			*type_id = field_type_id;
+ 		}
+ 		break;
diff --git a/libbpf.spec b/libbpf.spec
index b3adcaf91775040e241e72678ffc2d0bdfa87881..374eb9f7d34c8aec9b5747f9bbb5f839c379962e 100644
--- a/libbpf.spec
+++ b/libbpf.spec
@@ -4,7 +4,7 @@
 
 Name:           %{githubname}
 Version:        %{githubver}
-Release:        9
+Release:        10
 Summary:        Libbpf library
 
 License:        LGPLv2 or BSD
@@ -30,6 +30,9 @@ Patch0013:      backport-libbpf-Fixed-getting-wrong-return-address-on-arm64-a.pa
 Patch0014:      backport-libbpf-fix-sym_is_subprog-logic-for-weak-global-subp.patch
 Patch0015:      backport-libbpf-move-global-data-mmap-ing-into-bpf_object__lo.patch
 Patch0016:      backport-libbpf-Use-OPTS_SET-macro-in-bpf_xdp_query.patch
+Patch0017:      backport-libbpf-Fix-out-of-bound-read.patch
+Patch0018:      backport-libbpf-fix-LDX_STX_ST-CO-RE-relocation-size-adjustment-logic.patch
+Patch0019:      backport-libbpf-Fix-hypothetical-STT_SECTION-extern-NULL-deref-case.patch
 
 # This package supersedes libbpf from kernel-tools,
 # which has default Epoch: 0. By having Epoch: 1
@@ -82,6 +85,12 @@ developing applications that use %{name}
 %{_libdir}/libbpf.a
 
 %changelog
+* Mon Jul 14 2025 andy <liuyang01@kylinos.cn> 2:1.2.2-10
+- backport patch from upstream:
+  backport-libbpf-Fix-out-of-bound-read.patch
+  backport-libbpf-fix-LDX_STX_ST-CO-RE-relocation-size-adjustment-logic.patch
+  backport-libbpf-Fix-hypothetical-STT_SECTION-extern-NULL-deref-case.patch
+
 * Fri Mar 14 2025 zhangmingyi <zhangmingyi5@huawei.com> 2:1.2.2-9
 - backport patch from upstream:
   backport-libbpf-Use-OPTS_SET-macro-in-bpf_xdp_query.patch