From 40ce20fa9b78e74d6e3e2cbaa10989aaa35f870a Mon Sep 17 00:00:00 2001 From: Zhiqiang Liu Date: Sat, 3 Jul 2021 16:54:14 +0800 Subject: [PATCH] spdk: backport upstream patches to fix several bugfixes backport upstream patches to fix several bugfixes, patches info: 8432: idxd: fix memleak problem in spdk_idxd_configure_chan() | https://review.spdk.io/gerrit/c/spdk/spdk/+/8432 8311: uring: set fd to -1 after close(fd) in uring_sock_create() | https://review.spdk.io/gerrit/c/spdk/spdk/+/8311 8308: blobstore:fix memleak problem in blob_load_cpl() | https://review.spdk.io/gerrit/c/spdk/spdk/+/8308 8310: posix: set fd to -1 after close(fd) in posix_sock_create() | https://review.spdk.io/gerrit/c/spdk/spdk/+/8310 8303: blobfs: check return value of strdup in blobfs_fuse_start() | https://review.spdk.io/gerrit/c/spdk/spdk/+/8303 8306: spdk_top:check return value of strdup in store_last_run_counter() | https://review.spdk.io/gerrit/c/spdk/spdk/+/8306 8307: blobstore: fix potential memleak problem in blob_serialize_add_page() | https://review.spdk.io/gerrit/c/spdk/spdk/+/8307 8300: ioat: fix potential double free problem in ioat_channel_start() | https://review.spdk.io/gerrit/c/spdk/spdk/+/8300 8302: blobfs: check return value of strdup in spdk_fs_create_file_async() | https://review.spdk.io/gerrit/c/spdk/spdk/+/8302 8309: nvmf: fix fd leakage problem in nvmf_vfio_user_listen() | https://review.spdk.io/gerrit/c/spdk/spdk/+/8309 8301: idxd: fix one memleak problem in spdk_idxd_get_channel() | https://review.spdk.io/gerrit/c/spdk/spdk/+/8301 8305: nvmf:check return value of strdup in spdk_nvmf_subsystem_add_ns_ext() | https://review.spdk.io/gerrit/c/spdk/spdk/+/8305 8304: nvmf: check return value of strdup in spdk_nvmf_subsystem_disconnect_host() | | https://review.spdk.io/gerrit/c/spdk/spdk/+/8304 
Signed-off-by: Zhiqiang Liu --- ...urn-value-of-strdup-in-blobfs_fuse_s.patch | 52 ++++++++++++ ...urn-value-of-strdup-in-spdk_fs_creat.patch | 51 ++++++++++++ ...fix-memleak-problem-in-blob_load_cpl.patch | 50 +++++++++++ ...tential-memleak-problem-in-blob_seri.patch | 69 ++++++++++++++++ ...-problem-in-spdk_idxd_configure_chan.patch | 72 ++++++++++++++++ ...leak-problem-in-spdk_idxd_get_channe.patch | 35 ++++++++ ...al-double-free-problem-in-ioat_chann.patch | 41 ++++++++++ ...n-value-of-strdup-in-spdk_nvmf_subsy.patch | 82 +++++++++++++++++++ ...age-problem-in-nvmf_vfio_user_listen.patch | 47 +++++++++++ ...1-after-close-fd-in-posix_sock_creat.patch | 62 ++++++++++++++ ...eturn-value-of-strdup-in-store_last_.patch | 39 +++++++++ ...1-after-close-fd-in-uring_sock_creat.patch | 62 ++++++++++++++ ...n-value-of-strdup-in-spdk_nvmf_subsy.patch | 43 ++++++++++ spdk.spec | 20 ++++- 14 files changed, 723 insertions(+), 2 deletions(-) create mode 100644 0002-blobfs-check-return-value-of-strdup-in-blobfs_fuse_s.patch create mode 100644 0003-blobfs-check-return-value-of-strdup-in-spdk_fs_creat.patch create mode 100644 0004-blobstore-fix-memleak-problem-in-blob_load_cpl.patch create mode 100644 0005-blobstore-fix-potential-memleak-problem-in-blob_seri.patch create mode 100644 0006-idxd-fix-memleak-problem-in-spdk_idxd_configure_chan.patch create mode 100644 0007-idxd-fix-one-memleak-problem-in-spdk_idxd_get_channe.patch create mode 100644 0008-ioat-fix-potential-double-free-problem-in-ioat_chann.patch create mode 100644 0009-nvmf-check-return-value-of-strdup-in-spdk_nvmf_subsy.patch create mode 100644 0010-nvmf-fix-fd-leakage-problem-in-nvmf_vfio_user_listen.patch create mode 100644 0011-posix-set-fd-to-1-after-close-fd-in-posix_sock_creat.patch create mode 100644 0012-spdk_top-check-return-value-of-strdup-in-store_last_.patch create mode 100644 0013-uring-set-fd-to-1-after-close-fd-in-uring_sock_creat.patch create mode 100644 
0014-nvmf-check-return-value-of-strdup-in-spdk_nvmf_subsy.patch
diff --git a/0002-blobfs-check-return-value-of-strdup-in-blobfs_fuse_s.patch b/0002-blobfs-check-return-value-of-strdup-in-blobfs_fuse_s.patch
new file mode 100644
index 0000000..ba7de15
--- /dev/null
+++ b/0002-blobfs-check-return-value-of-strdup-in-blobfs_fuse_s.patch
@@ -0,0 +1,52 @@
+From a6525b5da03eadc9124d60011a07baee33926e30 Mon Sep 17 00:00:00 2001
+From: Zhiqiang Liu
+Date: Sun, 13 Jun 2021 18:25:14 +0800
+Subject: [PATCH 02/14] blobfs: check return value of strdup in
+ blobfs_fuse_start()
+
+In blobfs_fuse_start(), bfuse->bdev_name and bfuse->mountpoint
+are allocated by calling strdup(), which may return NULL.
+Here, we will go to err if strdup() returns NULL.
+
+Signed-off-by: Zhiqiang Liu
+Change-Id: I0599254b3436a310ddd26732312281f07a4972ec
+Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/8303
+Community-CI: Mellanox Build Bot
+Tested-by: SPDK CI Jenkins
+Reviewed-by: Aleksey Marchuk
+Reviewed-by: Jim Harris
+Reviewed-by: Changpeng Liu
+---
+ module/blobfs/bdev/blobfs_fuse.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/module/blobfs/bdev/blobfs_fuse.c b/module/blobfs/bdev/blobfs_fuse.c
+index 1666549..176f81e 100644
+--- a/module/blobfs/bdev/blobfs_fuse.c
++++ b/module/blobfs/bdev/blobfs_fuse.c
+@@ -301,15 +301,19 @@ blobfs_fuse_start(const char *bdev_name, const char *mountpoint, struct spdk_fil
+ return -ENOMEM;
+ }
+
+- rc = fuse_parse_cmdline(&args, &opts);
+- assert(rc == 0);
+-
+ bfuse->bdev_name = strdup(bdev_name);
+ bfuse->mountpoint = strdup(mountpoint);
++ if (!bfuse->bdev_name || !bfuse->mountpoint) {
++ rc = -ENOMEM;
++ goto err;
++ }
+ bfuse->fs = fs;
+ bfuse->cb_fn = cb_fn;
+ bfuse->cb_arg = cb_arg;
+
++ rc = fuse_parse_cmdline(&args, &opts);
++ assert(rc == 0);
++
+ fuse_handle = fuse_new(&args, &spdk_fuse_oper, sizeof(spdk_fuse_oper), NULL);
+ fuse_opt_free_args(&args);
+ if (fuse_handle == NULL) {
+--
+2.21.1 (Apple Git-122.3)
+
diff --git a/0003-blobfs-check-return-value-of-strdup-in-spdk_fs_creat.patch b/0003-blobfs-check-return-value-of-strdup-in-spdk_fs_creat.patch
new file mode 100644
index 0000000..9e71fbb
--- /dev/null
+++ b/0003-blobfs-check-return-value-of-strdup-in-spdk_fs_creat.patch
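Review bot: In the blobfs_fuse_start() hunk the relocated `assert(rc == 0);` is still the only check on fuse_parse_cmdline(); with NDEBUG the assert is compiled out and a failed parse falls through to fuse_new(). The change already introduces an `err` exit at this point, so the same path can be used: `if (rc != 0) { rc = -EINVAL; goto err; }`. The `err` label is outside the hunk, so it should be confirmed that it frees both `bfuse->bdev_name` and `bfuse->mountpoint` when only one strdup() succeeded, and that it tolerates being reached before `fuse_handle` is set.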
@@ -0,0 +1,51 @@
+From 0de771c7906b8da31fb9aaf6718bc60606106ac1 Mon Sep 17 00:00:00 2001
+From: Zhiqiang Liu
+Date: Sun, 13 Jun 2021 16:17:32 +0800
+Subject: [PATCH 03/14] blobfs: check return value of strdup in
+ spdk_fs_create_file_async()
+
+In spdk_fs_create_file_async(), file->name is set to strdup(name).
+We should check whether file->name is equal to NULL.
+
+Signed-off-by: Zhiqiang Liu
+Change-Id: I2219cc353eb4711290aee2599505f57af9088bb2
+Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/8302
+Community-CI: Mellanox Build Bot
+Reviewed-by: Ziye Yang
+Reviewed-by: Aleksey Marchuk
+Tested-by: SPDK CI Jenkins
+---
+ lib/blobfs/blobfs.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/lib/blobfs/blobfs.c b/lib/blobfs/blobfs.c
+index c9bcde8..65c92a9 100644
+--- a/lib/blobfs/blobfs.c
++++ b/lib/blobfs/blobfs.c
+@@ -1100,6 +1100,8 @@ spdk_fs_create_file_async(struct spdk_filesystem *fs, const char *name,
+ req = alloc_fs_request(fs->md_target.md_fs_channel);
+ if (req == NULL) {
+ SPDK_ERRLOG("Cannot allocate create async req for file=%s\n", name);
++ TAILQ_REMOVE(&fs->files, file, tailq);
++ file_free(file);
+ cb_fn(cb_arg, -ENOMEM);
+ return;
+ }
+@@ -1110,6 +1112,14 @@ spdk_fs_create_file_async(struct spdk_filesystem *fs, const char *name,
+ args->arg = cb_arg;
+
+ file->name = strdup(name);
++ if (!file->name) {
++ SPDK_ERRLOG("Cannot allocate file->name for file=%s\n", name);
++ free_fs_request(req);
++ TAILQ_REMOVE(&fs->files, file, tailq);
++ file_free(file);
++ cb_fn(cb_arg, -ENOMEM);
++ return;
++ }
+ _file_build_trace_arg_name(file);
+ spdk_bs_create_blob(fs->bs, fs_create_blob_create_cb, args);
+ }
+--
+2.21.1 (Apple Git-122.3)
+
diff --git a/0004-blobstore-fix-memleak-problem-in-blob_load_cpl.patch b/0004-blobstore-fix-memleak-problem-in-blob_load_cpl.patch
new file mode 100644
index 0000000..00857b2
--- /dev/null
+++ b/0004-blobstore-fix-memleak-problem-in-blob_load_cpl.patch
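Review bot: The unwind `TAILQ_REMOVE(&fs->files, file, tailq); file_free(file); cb_fn(cb_arg, -ENOMEM); return;` now appears twice in spdk_fs_create_file_async(), the second copy differing only by `free_fs_request(req);`. Doing `file->name = strdup(name)` before `alloc_fs_request()`, or funnelling both failures through one cleanup tail, would keep the two paths from drifting apart. Both paths also rely on file_free(), defined outside the hunk, accepting a file whose `name` is still NULL; presumably it does, but that is worth a glance since it is now reached in exactly that state.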
@@ -0,0 +1,50 @@
+From 527e36a421361c032436e336a6bb256d257c2fbf Mon Sep 17 00:00:00 2001
+From: Zhiqiang Liu
+Date: Sun, 13 Jun 2021 19:53:08 +0800
+Subject: [PATCH 04/14] blobstore:fix memleak problem in blob_load_cpl()
+
+In blob_load_cpl(), spdk_realloc() is called to realloc
+memory of ctx->pages. If spdk_realloc() return NULL,
+the ctx->pages is set to NULL without being freed,
+and then a memleak problem occurs.
+
+Signed-off-by: Zhiqiang Liu
+Change-Id: Idf21b690e89beab0245ba57a5de66a4f506d54fb
+Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/8308
+Tested-by: SPDK CI Jenkins
+Community-CI: Mellanox Build Bot
+Reviewed-by: Aleksey Marchuk
+Reviewed-by: Tomasz Zawadzki
+---
+ lib/blob/blobstore.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/lib/blob/blobstore.c b/lib/blob/blobstore.c
+index 08483fc..1f7d224 100644
+--- a/lib/blob/blobstore.c
++++ b/lib/blob/blobstore.c
+@@ -1490,16 +1490,18 @@ blob_load_cpl(spdk_bs_sequence_t *seq, void *cb_arg, int bserrno)
+ }
+
+ if (page->next != SPDK_INVALID_MD_PAGE) {
++ struct spdk_blob_md_page *tmp_pages;
+ uint32_t next_page = page->next;
+ uint64_t next_lba = bs_md_page_to_lba(blob->bs, next_page);
+
+ /* Read the next page */
+- ctx->num_pages++;
+- ctx->pages = spdk_realloc(ctx->pages, (sizeof(*page) * ctx->num_pages), 0);
+- if (ctx->pages == NULL) {
++ tmp_pages = spdk_realloc(ctx->pages, (sizeof(*page) * (ctx->num_pages + 1)), 0);
++ if (tmp_pages == NULL) {
+ blob_load_final(ctx, -ENOMEM);
+ return;
+ }
++ ctx->num_pages++;
++ ctx->pages = tmp_pages;
+
+ bs_sequence_read_dev(seq, &ctx->pages[ctx->num_pages - 1],
+ next_lba,
+--
+2.21.1 (Apple Git-122.3)
+
diff --git a/0005-blobstore-fix-potential-memleak-problem-in-blob_seri.patch b/0005-blobstore-fix-potential-memleak-problem-in-blob_seri.patch
new file mode 100644
index 0000000..c5b3b22
--- /dev/null
+++ b/0005-blobstore-fix-potential-memleak-problem-in-blob_seri.patch
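Review bot: Nothing in this hunk bounds `ctx->num_pages`: `page->next` is taken from the metadata page that was just read, so a corrupted chain that points back at an earlier page would keep extending `ctx->pages` until spdk_realloc() finally fails. If no limit exists elsewhere in blob_load_cpl() (the function starts and ends outside the hunk), a check ahead of the realloc that fails the load once the chain is longer than the blobstore's metadata region would turn that into a prompt error. At minimum a comment next to `/* Read the next page */` should say where the chain length is validated.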
@@ -0,0 +1,69 @@
+From c17ce08e7ab07e788c079253e9d23407bc0a565c Mon Sep 17 00:00:00 2001
+From: Zhiqiang Liu
+Date: Sun, 13 Jun 2021 19:42:14 +0800
+Subject: [PATCH 05/14] blobstore: fix potential memleak problem in
+ blob_serialize_add_page()
+
+In blob_serialize_add_page(), *pages is set to spdk_realloc(*pages).
+If spdk_realloc() returns NULL, the *pages pointer will be
+overridden, whose memory will leak.
+
+Here, we introduce a new var (tmp_pages) for checking the return
+value of spdk_realloc(*pages).
+
+Signed-off-by: Zhiqiang Liu
+Change-Id: Ib2ead3f3b5d5e44688d1f0568816f483aa9e101f
+Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/8307
+Community-CI: Mellanox Build Bot
+Tested-by: SPDK CI Jenkins
+Reviewed-by: Aleksey Marchuk
+Reviewed-by: Tomasz Zawadzki
+---
+ lib/blob/blobstore.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/lib/blob/blobstore.c b/lib/blob/blobstore.c
+index 1f7d224..551e615 100644
+--- a/lib/blob/blobstore.c
++++ b/lib/blob/blobstore.c
+@@ -874,26 +874,28 @@ blob_serialize_add_page(const struct spdk_blob *blob,
+ uint32_t *page_count,
+ struct spdk_blob_md_page **last_page)
+ {
+- struct spdk_blob_md_page *page;
++ struct spdk_blob_md_page *page, *tmp_pages;
+
+ assert(pages != NULL);
+ assert(page_count != NULL);
+
++ *last_page = NULL;
+ if (*page_count == 0) {
+ assert(*pages == NULL);
+- *page_count = 1;
+ *pages = spdk_malloc(SPDK_BS_PAGE_SIZE, 0,
+ NULL, SPDK_ENV_SOCKET_ID_ANY, SPDK_MALLOC_DMA);
++ if (*pages == NULL) {
++ return -ENOMEM;
++ }
++ *page_count = 1;
+ } else {
+ assert(*pages != NULL);
++ tmp_pages = spdk_realloc(*pages, SPDK_BS_PAGE_SIZE * (*page_count + 1), 0);
++ if (tmp_pages == NULL) {
++ return -ENOMEM;
++ }
+ (*page_count)++;
+- *pages = spdk_realloc(*pages, SPDK_BS_PAGE_SIZE * (*page_count), 0);
+- }
+-
+- if (*pages == NULL) {
+- *page_count = 0;
+- *last_page = NULL;
+- return -ENOMEM;
++ *pages = tmp_pages;
+ }
+
+ page = &(*pages)[*page_count - 1];
+--
+2.21.1 (Apple Git-122.3)
+
diff --git a/0006-idxd-fix-memleak-problem-in-spdk_idxd_configure_chan.patch b/0006-idxd-fix-memleak-problem-in-spdk_idxd_configure_chan.patch
new file mode 100644
index 0000000..884c3bc
--- /dev/null
+++ b/0006-idxd-fix-memleak-problem-in-spdk_idxd_configure_chan.patch
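Review bot: The new unconditional `*last_page = NULL;` dereferences `last_page` at the top of blob_serialize_add_page(), but the asserts above it cover only `pages` and `page_count`. Add `assert(last_page != NULL);` next to the other two so the precondition is checked the same way for all three out-parameters. The failure contract also changed: the function now returns -ENOMEM with `*pages` and `*page_count` left as they were instead of zeroing the count, so callers outside this hunk still own and must free the existing array; a one-line comment above the function stating that would help. The body continues past the end of the hunk.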
@@ -0,0 +1,72 @@
+From 38202a99862f151316cbb37b08ec1c5826368128 Mon Sep 17 00:00:00 2001
+From: Zhiqiang Liu
+Date: Fri, 18 Jun 2021 17:11:16 +0800
+Subject: [PATCH 06/14] idxd: fix memleak problem in spdk_idxd_configure_chan()
+
+In spdk_idxd_configure_chan(), if memory allocation fails in
+TAILQ_FOREACH() {} code range, we will goto err_user_comp and
+err_user_desc tag, in which we donot free chan->completions
+and confused batch->user_completions with chan->completions.
+Memleak problem and double free problem may occurs.
+
+Signed-off-by: Zhiqiang Liu
+Change-Id: I0e588a35184d97cab0ea6b6c013ca8b3342f940a
+Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/8432
+Tested-by: SPDK CI Jenkins
+Reviewed-by: Ziye Yang
+Reviewed-by: Changpeng Liu
+Reviewed-by: Jim Harris
+Community-CI: Mellanox Build Bot
+---
+ lib/idxd/idxd.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/lib/idxd/idxd.c b/lib/idxd/idxd.c
+index f240225..4f76f09 100644
+--- a/lib/idxd/idxd.c
++++ b/lib/idxd/idxd.c
+@@ -194,7 +194,7 @@ spdk_idxd_configure_chan(struct spdk_idxd_io_channel *chan)
+ if (batch->user_desc == NULL) {
+ SPDK_ERRLOG("Failed to allocate batch descriptor memory\n");
+ rc = -ENOMEM;
+- goto err_user_desc;
++ goto err_user_desc_or_comp;
+ }
+
+ batch->user_completions = spdk_zmalloc(DESC_PER_BATCH * sizeof(struct idxd_comp),
+@@ -203,7 +203,7 @@ spdk_idxd_configure_chan(struct spdk_idxd_io_channel *chan)
+ if (batch->user_completions == NULL) {
+ SPDK_ERRLOG("Failed to allocate user completion memory\n");
+ rc = -ENOMEM;
+- goto err_user_comp;
++ goto err_user_desc_or_comp;
+ }
+ }
+
+@@ -212,16 +212,18 @@ spdk_idxd_configure_chan(struct spdk_idxd_io_channel *chan)
+
+ return 0;
+
+-err_user_comp:
++err_user_desc_or_comp:
+ TAILQ_FOREACH(batch, &chan->batch_pool, link) {
+ spdk_free(batch->user_desc);
++ batch->user_desc = NULL;
++ spdk_free(batch->user_completions);
++ batch->user_completions = NULL;
+ }
+-err_user_desc:
+- TAILQ_FOREACH(batch, &chan->batch_pool, link) {
+- spdk_free(chan->completions);
+- }
++ spdk_free(chan->completions);
++ chan->completions = NULL;
+ err_comp:
+ spdk_free(chan->desc);
++ chan->desc = NULL;
+ err_desc:
+ spdk_bit_array_free(&chan->ring_slots);
+
+--
+2.21.1 (Apple Git-122.3)
+
diff --git a/0007-idxd-fix-one-memleak-problem-in-spdk_idxd_get_channe.patch b/0007-idxd-fix-one-memleak-problem-in-spdk_idxd_get_channe.patch
new file mode 100644
index 0000000..d188807
--- /dev/null
+++ b/0007-idxd-fix-one-memleak-problem-in-spdk_idxd_get_channe.patch
@@ -0,0 +1,35 @@
+From da0ec33af632d514306cfd1e852726f67cdd359f Mon Sep 17 00:00:00 2001
+From: Zhiqiang Liu
+Date: Sun, 13 Jun 2021 14:53:27 +0800
+Subject: [PATCH 07/14] idxd: fix one memleak problem in
+ spdk_idxd_get_channel()
+
+In spdk_idxd_get_channel(), if chan->batch_base is allocated
+faild, we should free chan before returning NULL.
+
+Signed-off-by: Zhiqiang Liu
+Change-Id: Ia652c334aead592429c1171da73d67160879686d
+Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/8301
+Community-CI: Mellanox Build Bot
+Reviewed-by: Aleksey Marchuk
+Reviewed-by: Changpeng Liu
+Tested-by: SPDK CI Jenkins
+---
+ lib/idxd/idxd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/idxd/idxd.c b/lib/idxd/idxd.c
+index 4f76f09..d2fad12 100644
+--- a/lib/idxd/idxd.c
++++ b/lib/idxd/idxd.c
+@@ -121,6 +121,7 @@ spdk_idxd_get_channel(struct spdk_idxd_device *idxd)
+ chan->batch_base = calloc(NUM_BATCHES_PER_CHANNEL, sizeof(struct idxd_batch));
+ if (chan->batch_base == NULL) {
+ SPDK_ERRLOG("Failed to allocate batch pool\n");
++ free(chan);
+ return NULL;
+ }
+
+--
+2.21.1 (Apple Git-122.3)
+
diff --git a/0008-ioat-fix-potential-double-free-problem-in-ioat_chann.patch b/0008-ioat-fix-potential-double-free-problem-in-ioat_chann.patch
new file mode 100644
index 0000000..57ca0b5
--- /dev/null
+++ b/0008-ioat-fix-potential-double-free-problem-in-ioat_chann.patch
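Review bot: The merged `err_user_desc_or_comp` loop in patch 0006 walks every batch in `chan->batch_pool`, including those the allocation loop never reached, so it is correct only because untouched batches still hold NULL pointers and spdk_free() accepts NULL. That dependency is not stated in the hunk; a comment on the label such as `/* batches past the failing one are still zeroed; spdk_free(NULL) is a no-op */` would keep a later change to how batches are allocated from breaking this path. The calloc() of `chan->batch_base` visible in patch 0007 suggests the batches do start zeroed, but the start of spdk_idxd_configure_chan() is outside the hunk and should be checked for anything that populates them earlier.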
@@ -0,0 +1,41 @@
+From 811861742d87e22d99a3b63183ae68d0ddcf0132 Mon Sep 17 00:00:00 2001
+From: Zhiqiang Liu
+Date: Sun, 13 Jun 2021 12:23:58 +0800
+Subject: [PATCH 08/14] ioat: fix potential double free problem in
+ ioat_channel_start()
+
+In ioat_channel_start(), if spdk_vtophys(ioat->comp_update) returns
+SPDK_VTOPHYS_ERROR, spdk_free is called to free ioat->comp_update,
+and ioat->comp_update is not set to NULL. However, the caller
+ioat_attach() will also call ioat_channel_destruct() to free
+ioat->comp_update, then double-free problem occurs.
+
+Here, we will not free ioat->comp_update in ioat_channel_start(),
+ioat_channel_destruct() will do that.
+
+Signed-off-by: Zhiqiang Liu
+Change-Id: I3be19a3feec5c2188051ee67820bfd1e61de9b48
+Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/8300
+Community-CI: Mellanox Build Bot
+Reviewed-by: Changpeng Liu
+Reviewed-by: Aleksey Marchuk
+Tested-by: SPDK CI Jenkins
+---
+ lib/ioat/ioat.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/lib/ioat/ioat.c b/lib/ioat/ioat.c
+index 27ac0a0..af83c42 100644
+--- a/lib/ioat/ioat.c
++++ b/lib/ioat/ioat.c
+@@ -429,7 +429,6 @@ ioat_channel_start(struct spdk_ioat_chan *ioat)
+
+ comp_update_bus_addr = spdk_vtophys((void *)ioat->comp_update, NULL);
+ if (comp_update_bus_addr == SPDK_VTOPHYS_ERROR) {
+- spdk_free((void *)ioat->comp_update);
+ return -1;
+ }
+
+--
+2.21.1 (Apple Git-122.3)
+
diff --git a/0009-nvmf-check-return-value-of-strdup-in-spdk_nvmf_subsy.patch b/0009-nvmf-check-return-value-of-strdup-in-spdk_nvmf_subsy.patch
new file mode 100644
index 0000000..bb61c47
--- /dev/null
+++ b/0009-nvmf-check-return-value-of-strdup-in-spdk_nvmf_subsy.patch
@@ -0,0 +1,82 @@
+From 38a8e2eb6d94056125eb52f708a60634739bcf48 Mon Sep 17 00:00:00 2001
+From: Zhiqiang Liu
+Date: Sun, 13 Jun 2021 18:59:13 +0800
+Subject: [PATCH 09/14] nvmf:check return value of strdup in
+ spdk_nvmf_subsystem_add_ns_ext()
+
+In spdk_nvmf_subsystem_add_ns_ext(), ns->ptpl_file is set to strdup(),
+which may return NULL. We should deal with it.
+
+Signed-off-by: Zhiqiang Liu
+Change-Id: If95102fe9d6d789b8ba9e846c4d7f4e22e48a93c
+Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/8305
+Community-CI: Mellanox Build Bot
+Reviewed-by: Changpeng Liu
+Reviewed-by: Aleksey Marchuk
+Reviewed-by: Jim Harris
+Tested-by: SPDK CI Jenkins
+---
+ lib/nvmf/subsystem.c | 30 ++++++++++++++++++------------
+ 1 file changed, 18 insertions(+), 12 deletions(-)
+
+diff --git a/lib/nvmf/subsystem.c b/lib/nvmf/subsystem.c
+index 8a3dd3b..b983a65 100644
+--- a/lib/nvmf/subsystem.c
++++ b/lib/nvmf/subsystem.c
+@@ -1446,14 +1446,14 @@ spdk_nvmf_subsystem_add_ns_ext(struct spdk_nvmf_subsystem *subsystem, const char
+ rc = nvmf_ns_reservation_restore(ns, &info);
+ if (rc) {
+ SPDK_ERRLOG("Subsystem restore reservation failed\n");
+- subsystem->ns[opts.nsid - 1] = NULL;
+- spdk_bdev_module_release_bdev(ns->bdev);
+- spdk_bdev_close(ns->desc);
+- free(ns);
+- return 0;
++ goto err_ns_reservation_restore;
+ }
+ }
+ ns->ptpl_file = strdup(ptpl_file);
++ if (!ns->ptpl_file) {
++ SPDK_ERRLOG("Namespace ns->ptpl_file allocation failed\n");
++ goto err_strdup;
++ }
+ }
+
+ for (transport = spdk_nvmf_transport_get_first(subsystem->tgt); transport;
+@@ -1462,13 +1462,7 @@ spdk_nvmf_subsystem_add_ns_ext(struct spdk_nvmf_subsystem *subsystem, const char
+ rc = transport->ops->subsystem_add_ns(transport, subsystem, ns);
+ if (rc) {
+ SPDK_ERRLOG("Namespace attachment is not allowed by %s transport\n", transport->ops->name);
+- free(ns->ptpl_file);
+- nvmf_ns_reservation_clear_all_registrants(ns);
+- subsystem->ns[opts.nsid - 1] = NULL;
+- spdk_bdev_module_release_bdev(ns->bdev);
+- spdk_bdev_close(ns->desc);
+- free(ns);
+- return 0;
++ goto err_subsystem_add_ns;
+ }
+ }
+ }
+@@ -1481,6 +1475,18 @@ spdk_nvmf_subsystem_add_ns_ext(struct spdk_nvmf_subsystem *subsystem, const char
+ nvmf_subsystem_ns_changed(subsystem, opts.nsid);
+
+ return opts.nsid;
++
++err_subsystem_add_ns:
++ free(ns->ptpl_file);
++err_strdup:
++ nvmf_ns_reservation_clear_all_registrants(ns);
++err_ns_reservation_restore:
++ subsystem->ns[opts.nsid - 1] = NULL;
++ spdk_bdev_module_release_bdev(ns->bdev);
++ spdk_bdev_close(ns->desc);
++ free(ns);
++ return 0;
++
+ }
+
+ uint32_t
+--
+2.21.1 (Apple Git-122.3)
+
diff --git a/0010-nvmf-fix-fd-leakage-problem-in-nvmf_vfio_user_listen.patch b/0010-nvmf-fix-fd-leakage-problem-in-nvmf_vfio_user_listen.patch
new file mode 100644
index 0000000..2cc990c
--- /dev/null
+++ b/0010-nvmf-fix-fd-leakage-problem-in-nvmf_vfio_user_listen.patch
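Review bot: The `err_subsystem_add_ns` path frees `ns` without undoing the transports that already accepted it: the loop calls `transport->ops->subsystem_add_ns()` once per transport and jumps out on the first failure, and none of the new labels revisits the earlier transports. If a transport keeps per-namespace state, it would be left referring to freed memory; whether any does is not visible from this hunk. Either roll back the transports visited so far before falling into `err_strdup`, or add a comment on the label saying why no rollback is needed. The empty line added between `return 0;` and the closing brace can be dropped.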
@@ -0,0 +1,47 @@
+From 140442f4145d505fa7d9053b4c9e0eafe941bf27 Mon Sep 17 00:00:00 2001
+From: Zhiqiang Liu
+Date: Sun, 13 Jun 2021 20:12:17 +0800
+Subject: [PATCH 10/14] nvmf: fix fd leakage problem in nvmf_vfio_user_listen()
+
+In nvmf_vfio_user_listen(), fd should be closed before
+set it to endpoint->fd, otherwise, the fd leakage probem
+occurs.
+
+Conflicts: adapt context
+
+Signed-off-by: Zhiqiang Liu
+Change-Id: I3fabc65d2764926e5873475962e4362e46eb37e4
+Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/8309
+Community-CI: Mellanox Build Bot
+Reviewed-by: Changpeng Liu
+Reviewed-by: sunshihao
+Reviewed-by: Aleksey Marchuk
+Tested-by: SPDK CI Jenkins
+---
+ lib/nvmf/vfio_user.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/lib/nvmf/vfio_user.c b/lib/nvmf/vfio_user.c
+index f5daa8d..7ec980a 100644
+--- a/lib/nvmf/vfio_user.c
++++ b/lib/nvmf/vfio_user.c
+@@ -1662,6 +1662,7 @@ nvmf_vfio_user_listen(struct spdk_nvmf_transport *transport,
+ }
+ free(path);
+
++ endpoint->fd = fd;
+ err = ftruncate(fd, NVMF_VFIO_USER_DOORBELLS_OFFSET + NVMF_VFIO_USER_DOORBELLS_SIZE);
+ if (err != 0) {
+ goto out;
+@@ -1675,8 +1676,6 @@ nvmf_vfio_user_listen(struct spdk_nvmf_transport *transport,
+ goto out;
+ }
+
+- endpoint->fd = fd;
+-
+ snprintf(uuid, PATH_MAX, "%s/cntrl", endpoint_id(endpoint));
+ SPDK_DEBUGLOG(nvmf_vfio, "%s: doorbells %p\n", uuid, endpoint->doorbells);
+
+--
+2.21.1 (Apple Git-122.3)
+
diff --git a/0011-posix-set-fd-to-1-after-close-fd-in-posix_sock_creat.patch b/0011-posix-set-fd-to-1-after-close-fd-in-posix_sock_creat.patch
new file mode 100644
index 0000000..798d15f
--- /dev/null
+++ b/0011-posix-set-fd-to-1-after-close-fd-in-posix_sock_creat.patch
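Review bot: Moving `endpoint->fd = fd;` ahead of ftruncate() closes the leak only if the `out` path, which is outside the hunk, releases `endpoint->fd` and nothing there also closes the local `fd`. It also makes the initial value of `endpoint->fd` matter for the failure exits that run before this line: if the endpoint is zero-allocated and the field is never set to -1, that cleanup would close descriptor 0. Both should be confirmed at the allocation site and at `out`, and the ownership hand-over is worth a comment on the moved line, for example `/* owned by endpoint from here on; released on the out path */`.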
@@ -0,0 +1,62 @@
+From 10c4d7b856b8cfbbe9886ad67129c94c78cc064c Mon Sep 17 00:00:00 2001
+From: Zhiqiang Liu
+Date: Sun, 13 Jun 2021 21:10:19 +0800
+Subject: [PATCH 11/14] posix: set fd to -1 after close(fd) in
+ posix_sock_create()
+
+In posix_sock_create(), we loops through all the addresses available.
+If something is wrong, we should close(fd) and set fd to -1, and
+try the next address. Only, when one fd satisfies all conditions,
+we will break the loop with the useful fd.
+
+Signed-off-by: Zhiqiang Liu
+Change-Id: Icbfc10246c92b95cacd6eb058e6e46cf8924fc4c
+Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/8310
+Reviewed-by: Changpeng Liu
+Reviewed-by: Aleksey Marchuk
+Reviewed-by: Shuhei Matsumoto
+Reviewed-by: Ziye Yang
+Tested-by: SPDK CI Jenkins
+Community-CI: Mellanox Build Bot
+---
+ module/sock/posix/posix.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/module/sock/posix/posix.c b/module/sock/posix/posix.c
+index c180a16..ebafc1e 100644
+--- a/module/sock/posix/posix.c
++++ b/module/sock/posix/posix.c
+@@ -468,12 +468,14 @@ retry:
+ rc = setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &val, sizeof val);
+ if (rc != 0) {
+ close(fd);
++ fd = -1;
+ /* error */
+ continue;
+ }
+ rc = setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &val, sizeof val);
+ if (rc != 0) {
+ close(fd);
++ fd = -1;
+ /* error */
+ continue;
+ }
+@@ -483,6 +485,7 @@ retry:
+ rc = setsockopt(fd, SOL_SOCKET, SO_PRIORITY, &opts->priority, sizeof val);
+ if (rc != 0) {
+ close(fd);
++ fd = -1;
+ /* error */
+ continue;
+ }
+@@ -493,6 +496,7 @@ retry:
+ rc = setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &val, sizeof val);
+ if (rc != 0) {
+ close(fd);
++ fd = -1;
+ /* error */
+ continue;
+ }
+--
+2.21.1 (Apple Git-122.3)
+
diff --git a/0012-spdk_top-check-return-value-of-strdup-in-store_last_.patch b/0012-spdk_top-check-return-value-of-strdup-in-store_last_.patch
new file mode 100644
index 0000000..9470db5
--- /dev/null
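Review bot: In the SO_PRIORITY block the option value is `&opts->priority` but the length passed is `sizeof val`, so the call is right only while `val` and `opts->priority` happen to have the same size; `rc = setsockopt(fd, SOL_SOCKET, SO_PRIORITY, &opts->priority, sizeof opts->priority);` says what is meant. The same line appears in the uring_sock_create() hunk of patch 0013. Both functions also repeat the `close(fd); fd = -1; continue;` sequence four times, which is how the reset came to be missing in the first place; a small static helper that closes and resets the descriptor would reduce each site to one call. The loop bodies start and end outside these hunks.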
+++ b/0012-spdk_top-check-return-value-of-strdup-in-store_last_.patch
@@ -0,0 +1,39 @@
+From 0649ddb17a7eaa3f4585fe22dac5e230c3cc1d84 Mon Sep 17 00:00:00 2001
+From: Zhiqiang Liu
+Date: Sun, 13 Jun 2021 19:04:05 +0800
+Subject: [PATCH 12/14] spdk_top:check return value of strdup in
+ store_last_run_counter()
+
+In store_last_run_counter(), history->poller_name is set to
+strdup(), which may return NULL. We should deal with it.
+
+Signed-off-by: Zhiqiang Liu
+Change-Id: Ice5f27c4a7d2f9abd528b97a48ff5f92b48c8d7c
+Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/8306
+Community-CI: Mellanox Build Bot
+Reviewed-by: Jim Harris
+Reviewed-by: Aleksey Marchuk
+Tested-by: SPDK CI Jenkins
+---
+ app/spdk_top/spdk_top.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/app/spdk_top/spdk_top.c b/app/spdk_top/spdk_top.c
+index c996235..bf1eaf1 100644
+--- a/app/spdk_top/spdk_top.c
++++ b/app/spdk_top/spdk_top.c
+@@ -1017,6 +1017,11 @@ store_last_run_counter(const char *poller_name, uint64_t thread_id, uint64_t las
+ return;
+ }
+ history->poller_name = strdup(poller_name);
++ if (!history->poller_name) {
++ fprintf(stderr, "Unable to allocate poller_name of a history object in store_last_run_counter.\n");
++ free(history);
++ return;
++ }
+ history->thread_id = thread_id;
+ history->last_run_counter = last_run_counter;
+
+--
+2.21.1 (Apple Git-122.3)
+
diff --git a/0013-uring-set-fd-to-1-after-close-fd-in-uring_sock_creat.patch b/0013-uring-set-fd-to-1-after-close-fd-in-uring_sock_creat.patch
new file mode 100644
index 0000000..1eafa28
--- /dev/null
+++ b/0013-uring-set-fd-to-1-after-close-fd-in-uring_sock_creat.patch
@@ -0,0 +1,62 @@
+From b71bce125aa97454c598efbea7d78e115e0914dd Mon Sep 17 00:00:00 2001
+From: Zhiqiang Liu
+Date: Sun, 13 Jun 2021 21:29:33 +0800
+Subject: [PATCH 13/14] uring: set fd to -1 after close(fd) in
+ uring_sock_create()
+
+In uring_sock_create(), we loops through all the addresses available.
+If something is wrong, we should close(fd) and set fd to -1, and
+try the next address. Only, when one fd satisfies all conditions,
+we will break the loop with the useful fd.
+
+Signed-off-by: Zhiqiang Liu
+Change-Id: I22eada5437776fe90a6b57ab42cbad6dc4b0585c
+Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/8311
+Community-CI: Mellanox Build Bot
+Tested-by: SPDK CI Jenkins
+Reviewed-by: Aleksey Marchuk
+Reviewed-by: Changpeng Liu
+Reviewed-by: Jim Harris
+Reviewed-by: Ziye Yang
+---
+ module/sock/uring/uring.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/module/sock/uring/uring.c b/module/sock/uring/uring.c
+index be76973..8f22758 100644
+--- a/module/sock/uring/uring.c
++++ b/module/sock/uring/uring.c
+@@ -424,12 +424,14 @@ retry:
+ rc = setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &val, sizeof val);
+ if (rc != 0) {
+ close(fd);
++ fd = -1;
+ /* error */
+ continue;
+ }
+ rc = setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &val, sizeof val);
+ if (rc != 0) {
+ close(fd);
++ fd = -1;
+ /* error */
+ continue;
+ }
+@@ -439,6 +441,7 @@ retry:
+ rc = setsockopt(fd, SOL_SOCKET, SO_PRIORITY, &opts->priority, sizeof val);
+ if (rc != 0) {
+ close(fd);
++ fd = -1;
+ /* error */
+ continue;
+ }
+@@ -448,6 +451,7 @@ retry:
+ rc = setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &val, sizeof val);
+ if (rc != 0) {
+ close(fd);
++ fd = -1;
+ /* error */
+ continue;
+ }
+--
+2.21.1 (Apple Git-122.3)
+
diff --git a/0014-nvmf-check-return-value-of-strdup-in-spdk_nvmf_subsy.patch b/0014-nvmf-check-return-value-of-strdup-in-spdk_nvmf_subsy.patch
new file mode 100644
index 0000000..56abf0b
--- /dev/null
+++ b/0014-nvmf-check-return-value-of-strdup-in-spdk_nvmf_subsy.patch
@@ -0,0 +1,43 @@
+From 4cc5870ced30e40cd726a5450e9510a17bd55de4 Mon Sep 17 00:00:00 2001
+From: Zhiqiang Liu
+Date: Sun, 13 Jun 2021 18:37:02 +0800
+Subject: [PATCH 14/14] nvmf: check return value of strdup in
+ spdk_nvmf_subsystem_disconnect_host()
+
+In spdk_nvmf_subsystem_disconnect_host(), we should check
+whether strdup() return NULL.
+
+Signed-off-by: Zhiqiang Liu
+Change-Id: I29cb6b2499ecd2a2367001c0d21ac95da4e10e20
+Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/8304
+Community-CI: Mellanox Build Bot
+Tested-by: SPDK CI Jenkins
+Reviewed-by: Changpeng Liu
+Reviewed-by: Aleksey Marchuk
+Reviewed-by: Jim Harris
+---
+ lib/nvmf/subsystem.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/nvmf/subsystem.c b/lib/nvmf/subsystem.c
+index b983a65..5729524 100644
+--- a/lib/nvmf/subsystem.c
++++ b/lib/nvmf/subsystem.c
+@@ -831,8 +831,13 @@ spdk_nvmf_subsystem_disconnect_host(struct spdk_nvmf_subsystem *subsystem,
+ return -ENOMEM;
+ }
+
+- ctx->subsystem = subsystem;
+ ctx->hostnqn = strdup(hostnqn);
++ if (ctx->hostnqn == NULL) {
++ free(ctx);
++ return -ENOMEM;
++ }
++
++ ctx->subsystem = subsystem;
+ ctx->cb_fn = cb_fn;
+ ctx->cb_arg = cb_arg;
+
+--
+2.21.1 (Apple Git-122.3)
+
diff --git a/spdk.spec b/spdk.spec
index 9e2a0a8..db5663f 100644
--- a/spdk.spec
+++ b/spdk.spec
@@ -3,12 +3,25 @@ Name: spdk Version: 21.01 -Release: 2 +Release: 3 Summary: Set of libraries and utilities for high performance user-mode storage License: BSD and MIT URL: http://spdk.io Source0: https://github.com/spdk/spdk/archive/v%{version}.tar.gz -Patch0: 0001-spdk-fix-the-deference-between-dpdk-19.11-and-dpdk-20.11.patch +Patch1: 0001-spdk-fix-the-deference-between-dpdk-19.11-and-dpdk-20.11.patch +Patch2: 0002-blobfs-check-return-value-of-strdup-in-blobfs_fuse_s.patch +Patch3: 0003-blobfs-check-return-value-of-strdup-in-spdk_fs_creat.patch +Patch4: 0004-blobstore-fix-memleak-problem-in-blob_load_cpl.patch +Patch5: 0005-blobstore-fix-potential-memleak-problem-in-blob_seri.patch +Patch6: 0006-idxd-fix-memleak-problem-in-spdk_idxd_configure_chan.patch +Patch7: 0007-idxd-fix-one-memleak-problem-in-spdk_idxd_get_channe.patch +Patch8: 0008-ioat-fix-potential-double-free-problem-in-ioat_chann.patch +Patch9: 0009-nvmf-check-return-value-of-strdup-in-spdk_nvmf_subsy.patch +Patch10: 0010-nvmf-fix-fd-leakage-problem-in-nvmf_vfio_user_listen.patch +Patch11: 0011-posix-set-fd-to-1-after-close-fd-in-posix_sock_creat.patch +Patch12: 0012-spdk_top-check-return-value-of-strdup-in-store_last_.patch +Patch13: 0013-uring-set-fd-to-1-after-close-fd-in-uring_sock_creat.patch +Patch14: 0014-nvmf-check-return-value-of-strdup-in-spdk_nvmf_subsy.patch %define package_version %{version}-%{release} @@ -169,6 +182,9 @@ mv doc/output/html/ %{install_docdir} %changelog +* Sat Jul 3 2021 Zhiqiang Liu - 21.01-3 +- backport upstream bugfix patches + * Wed Mar 10 2021 Shihao Sun - 21.01-2 - use --without-isal to avoid build failed in arm. -- Gitee
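Review bot: Renumbering `Patch0:` to `Patch1:` in the first spdk.spec hunk changes the tag of a patch that was already being applied, which is safe only if %prep applies the whole list (for example through `%autosetup -p1`); an explicit `%patch0 -p1` would no longer match any tag and the dpdk compatibility patch would silently stop being applied or the build would fail. %prep is outside both hunks, so this has to be checked there. If patches are applied one by one, Patch2 to Patch14 each need their own line in %prep as well, otherwise the backported fixes are shipped in the source package but never built in.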