From 367e7896baf378f0f7c2fe08159c6bb1d9457960 Mon Sep 17 00:00:00 2001
From: SiXiang Jing <jingsixiang1@h-partners.com>
Date: Wed, 5 Nov 2025 09:46:39 +0000
Subject: [PATCH] lib/nvmf: fix CVE-2025-57275

Signed-off-by: SiXiang Jing <jingsixiang1@h-partners.com>
---
 ...umber-of-NVMe-oF-registrants-when-up.patch | 35 +++++++++++++++++++
 spdk.spec                                     |  6 +++-
 2 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 0029-lib-nvmf-limit-number-of-NVMe-oF-registrants-when-up.patch

diff --git a/0029-lib-nvmf-limit-number-of-NVMe-oF-registrants-when-up.patch b/0029-lib-nvmf-limit-number-of-NVMe-oF-registrants-when-up.patch
new file mode 100644
index 0000000..7938e94
--- /dev/null
+++ b/0029-lib-nvmf-limit-number-of-NVMe-oF-registrants-when-up.patch
@@ -0,0 +1,35 @@
+From 9745f696d0e0c1839da6426fba155c60a49051f1 Mon Sep 17 00:00:00 2001
+From: Tomasz Zawadzki <tomasz.zawadzki@nutanix.com>
+Date: Thu, 6 Nov 2025 03:49:34 +0800
+Subject: [PATCH] [Backport]NVMF: lib nvmf limit number of NVMe-oF registrants when up
+Reference:https://gitee.com/src-openeuler/spdk/commit/1deb6ee549ad8193718a2fe17891fa6bb8a5a79d
+Conflict:no
+---
+ lib/nvmf/subsystem.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+ 
+ 
+diff --git a/lib/nvmf/subsystem.c b/lib/nvmf/subsystem.c
+index 5729524..9f94e0d 100644
+--- a/lib/nvmf/subsystem.c
++++ b/lib/nvmf/subsystem.c
+@@ -1994,9 +1994,14 @@ nvmf_ns_update_reservation_info(struct spdk_nvmf_ns *ns)
+ 	}
+ 
+ 	TAILQ_FOREACH_SAFE(reg, &ns->registrants, link, tmp) {
+-		spdk_uuid_fmt_lower(info.registrants[i].host_uuid, sizeof(info.registrants[i].host_uuid),
+-				    &reg->hostid);
+-		info.registrants[i++].rkey = reg->rkey;
++		if (i < SPDK_NVMF_MAX_NUM_REGISTRANTS) {
++			spdk_uuid_fmt_lower(info.registrants[i].host_uuid, sizeof(info.registrants[i].host_uuid),
++								&reg->hostid);
++ 			info.registrants[i++].rkey = reg->rkey;
++		} else {
++			SPDK_ERRLOG("More registrants that can fit into reservation info, truncating\n");
++			break;
++		}
+ 	}
+ 
+ 	info.num_regs = i;
+--
+2.43.0
diff --git a/spdk.spec b/spdk.spec
index 2821730..9c8eb0f 100644
--- a/spdk.spec
+++ b/spdk.spec
@@ -3,7 +3,7 @@
 
 Name: spdk
 Version: 21.01.1
-Release: 15
+Release: 16
 Summary: Set of libraries and utilities for high performance user-mode storage
 License: BSD and MIT
 URL: http://spdk.io
@@ -36,6 +36,7 @@ Patch25: 0025-ut-rdma-Fix-GCC-10.2.0-warning.patch
 Patch26: 0026-lib-nvme-add-mutex-before-submit-admin-request.patch
 Patch27: 0027--nvme-cuse-Add-ctrlr_lock-for-cuse-register-and-unreg.patch
 Patch28: 0028-fixed-use-after-free-detected-by-Coverity.patch
+Patch29: 0029-lib-nvmf-limit-number-of-NVMe-oF-registrants-when-up.patch
 
 %define package_version %{version}-%{release}
 
@@ -206,6 +207,9 @@ mv doc/output/html/ %{install_docdir}
 
 
 %changelog
+* Wed Nov 5 2025 SiXiang Jing <jingsixiang1@h-partners.com> - 21.01.1-16
+- lib/nvmf: fix CVE-2025-57275
+
 * Mon May 20 2024 yanshuai <yanshuai01@kylinos.cn> - 21.01.1-15
 - lib/nvme: fixed use-after-free detected by Coverity
 
-- 
Gitee