diff --git a/Backport-add-handle-cleanup-and-refactor-Subscribe-UnSubscrib.patch b/Backport-add-handle-cleanup-and-refactor-Subscribe-UnSubscrib.patch
new file mode 100644
index 0000000..d8025ea
--- /dev/null
+++ b/Backport-add-handle-cleanup-and-refactor-Subscribe-UnSubscrib.patch
@@ -0,0 +1,166 @@
+From aca8d49dea577cac55a6b9704770882f18649fb9 Mon Sep 17 00:00:00 2001
+From: hurricane618 <hurricane618@hotmail.com>
+Date: Fri, 1 Dec 2023 01:26:18 +0800
+Subject: [PATCH 3/6] add handle cleanup and refactor Subscribe/UnSubscribe
+
+1. fix error residue handle
+2. refactor Subscribe and UnSubscribe
+
+Signed-off-by: hurricane618 <hurricane618@hotmail.com>
+---
+ observer_agent/grpc_comm/Makefile   |  8 +----
+ observer_agent/grpc_comm/grpc_api.h |  9 ++++-
+ observer_agent/grpc_comm/server.cpp | 51 +++++++++++++++++++++++++++--
+ 3 files changed, 58 insertions(+), 10 deletions(-)
+
+diff --git a/observer_agent/grpc_comm/Makefile b/observer_agent/grpc_comm/Makefile
+index 4dbaa46..3c87ad8 100644
+--- a/observer_agent/grpc_comm/Makefile
++++ b/observer_agent/grpc_comm/Makefile
+@@ -38,13 +38,7 @@ PROTOS_PATH = ./protos
+ 
+ vpath %.proto $(PROTOS_PATH)
+ 
+-all: system-check client server client_pub_demo client_sub_demo server_demo
+-
+-client: comm_api.pb.o comm_api.grpc.pb.o client.o
+-	@echo "only compile client don't link"
+-
+-server: comm_api.pb.o comm_api.grpc.pb.o server.o
+-	@echo "only compile server don't link"
++all: system-check client_pub_demo client_sub_demo server_demo
+ 
+ client_pub_demo: comm_api.pb.o comm_api.grpc.pb.o client.o client_pub_demo.o
+ 	$(CXX) $^ $(LDFLAGS) -o $@
+diff --git a/observer_agent/grpc_comm/grpc_api.h b/observer_agent/grpc_comm/grpc_api.h
+index 7b19552..44d4aa9 100644
+--- a/observer_agent/grpc_comm/grpc_api.h
++++ b/observer_agent/grpc_comm/grpc_api.h
+@@ -18,6 +18,8 @@ using grpc::ServerBuilder;
+ using grpc::ServerContext;
+ using grpc::ServerWriter;
+ 
++#define MAX_CONNECTION 5
++
+ class PubSubServiceImpl final : public SubManager::Service
+ {
+   public:
+@@ -26,7 +28,12 @@ class PubSubServiceImpl final : public SubManager::Service
+     grpc::Status UnSubscribe(ServerContext *context, const UnSubscribeRequest *request, Message *response);
+ 
+   private:
+-    std::unordered_map<int, std::vector<ServerWriter<Message> *>> subscribers_;
++    std::unordered_map<std::string, std::vector<int>> suber_topic_;
++    std::unordered_map<std::string, std::vector<ServerWriter<Message> *>> suber_writer_;
++    std::unordered_map<std::string, std::vector<int>> suber_connection_;
++    std::mutex sub_mutex;
++    int connection_num = 0;
++    bool connect_status[MAX_CONNECTION] = {false};
+ };
+ 
+ void StopServer();
+diff --git a/observer_agent/grpc_comm/server.cpp b/observer_agent/grpc_comm/server.cpp
+index 04e8163..54ae66f 100644
+--- a/observer_agent/grpc_comm/server.cpp
++++ b/observer_agent/grpc_comm/server.cpp
+@@ -28,6 +28,7 @@ using grpc::ServerContext;
+ using grpc::ServerWriter;
+ 
+ #define MAX_CONNECTION 5
++#define CHECK_TIME 60
+ 
+ class PubSubServiceImpl final : public SubManager::Service
+ {
+@@ -38,6 +39,8 @@ class PubSubServiceImpl final : public SubManager::Service
+         int cli_topic = request->topic();
+         std::string cli_name = request->sub_name();
+         Message msg;
++        Message keepalive_msg;
++        int i = 0, tmp_index;
+ 
+         if (connection_num >= MAX_CONNECTION) {
+             msg.set_text("over max connection number!");
+@@ -65,8 +68,28 @@ class PubSubServiceImpl final : public SubManager::Service
+ 
+         sub_mutex.lock();
+ 
++        for (tmp_index = 0; tmp_index <  MAX_CONNECTION; tmp_index++)
++        {
++            if (!connect_status[tmp_index])
++                break;
++        }
++
++        if (tmp_index == MAX_CONNECTION)
++        {
++            sub_mutex.unlock();
++            msg.set_text("multi-process max connection number!");
++            if (!writer->Write(msg))
++            {
++                std::cerr << "Failed to write the initial message" << std::endl;
++                return grpc::Status(grpc::StatusCode::INTERNAL, "Failed to write the message");
++            }
++            return grpc::Status(grpc::StatusCode::INTERNAL, "multi-process max connection number, Failed to Subscribe the topic");
++        }
++
+         suber_topic_[cli_name].push_back(cli_topic);
+         suber_writer_[cli_name].push_back(writer);
++        suber_connection_[cli_name].push_back(tmp_index);
++        connect_status[tmp_index] = true;
+         connection_num++;
+ 
+         sub_mutex.unlock();
+@@ -78,9 +101,29 @@ class PubSubServiceImpl final : public SubManager::Service
+             return grpc::Status(grpc::StatusCode::INTERNAL, "Failed to write the message");
+         }
+ 
+-        // ToDo: set some condition to break loop
+-        while (1)
++        keepalive_msg.set_text("keepalive");
++        while (connect_status[tmp_index])
+         {
++            sleep(CHECK_TIME);
++            if (!writer->Write(keepalive_msg))
++            {
++                for (auto topic_item : suber_topic_[cli_name])
++                {
++                    if (topic_item == cli_topic)
++                    {
++                        sub_mutex.lock();
++                        suber_topic_[cli_name].erase(suber_topic_[cli_name].begin() + i);
++                        suber_writer_[cli_name].erase(suber_writer_[cli_name].begin() + i);
++                        connect_status[suber_connection_[cli_name].at(i)] = false;
++                        suber_connection_[cli_name].erase(suber_connection_[cli_name].begin() + i);
++                        connection_num--;
++                        sub_mutex.unlock();
++                        break;
++                    }
++                    i++;
++                }
++                return grpc::Status(grpc::StatusCode::INTERNAL, "writer is lose!");
++            }
+         }
+         return grpc::Status::OK;
+     }
+@@ -136,6 +179,8 @@ class PubSubServiceImpl final : public SubManager::Service
+             {
+                 suber_topic_[cli_name].erase(suber_topic_[cli_name].begin() + i);
+                 suber_writer_[cli_name].erase(suber_writer_[cli_name].begin() + i);
++                connect_status[suber_connection_[cli_name].at(i)] = false;
++                suber_connection_[cli_name].erase(suber_connection_[cli_name].begin() + i);
+                 connection_num--;
+                 unsub_flag = 1;
+                 break;
+@@ -155,8 +200,10 @@ class PubSubServiceImpl final : public SubManager::Service
+   private:
+     std::unordered_map<std::string, std::vector<int>> suber_topic_;
+     std::unordered_map<std::string, std::vector<ServerWriter<Message> *>> suber_writer_;
++    std::unordered_map<std::string, std::vector<int>> suber_connection_;
+     std::mutex sub_mutex;
+     int connection_num = 0;
++    bool connect_status[MAX_CONNECTION] = {false};
+ };
+ 
+ std::unique_ptr<Server> server;
+-- 
+2.33.0
+
diff --git a/Backport-add-lock-limit-publish-API.patch b/Backport-add-lock-limit-publish-API.patch
new file mode 100644
index 0000000..faae828
--- /dev/null
+++ b/Backport-add-lock-limit-publish-API.patch
@@ -0,0 +1,48 @@
+From b6705fe2d5b4aefdc0db16ae6ec9d75b69e8f421 Mon Sep 17 00:00:00 2001
+From: hurricane618 <hurricane618@hotmail.com>
+Date: Wed, 6 Dec 2023 22:12:27 +0800
+Subject: [PATCH] add lock limit publish API
+
+call publish too quick, so add lock to limit it.
+
+Signed-off-by: hurricane618 <hurricane618@hotmail.com>
+---
+ observer_agent/service/main.cpp | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/observer_agent/service/main.cpp b/observer_agent/service/main.cpp
+index bd01690..8c24345 100644
+--- a/observer_agent/service/main.cpp
++++ b/observer_agent/service/main.cpp
+@@ -80,6 +80,10 @@ static void sig_handler(int sig)
+ }
+ static bool debug = false;
+ 
++static std::string server_address("unix:///var/run/secDetector.sock");
++PubSubClient client;
++std::mutex pub_mutex;
++
+ static void push_log(int type, const std::string &content)
+ {
+     if ((topic_mask & type)  == 0)
+@@ -92,8 +96,7 @@ static void push_log(int type, const std::string &content)
+     }
+ 
+     // push to grpc
+-    std::string server_address("unix:///var/run/secDetector.sock");
+-    PubSubClient client(grpc::CreateChannel(server_address, grpc::InsecureChannelCredentials()));
++    std::lock_guard<std::mutex> lock(pub_mutex);
+     client.Publish(type, content);
+ }
+ 
+@@ -179,6 +182,7 @@ int main(int argc, char *argv[])
+     std::thread thread_grpc = std::thread(RunServer);
+     std::thread thread_ebpf_process = std::thread(StartProcesseBPFProg, ebpf_cb, ringbuf_size_bytes, topic_mask);
+     std::thread thread_ebpf_file = std::thread(StartFileBPFProg, ebpf_cb, ringbuf_size_bytes, topic_mask);
++    client.init(grpc::CreateChannel(server_address, grpc::InsecureChannelCredentials()));
+ 
+     while (exiting == 0)
+     {
+-- 
+2.33.0
+
diff --git a/Backport-add-nullptr-check-in-Subscribe.patch b/Backport-add-nullptr-check-in-Subscribe.patch
new file mode 100644
index 0000000..3c41cdd
--- /dev/null
+++ b/Backport-add-nullptr-check-in-Subscribe.patch
@@ -0,0 +1,78 @@
+From ce029db530429609847b38ae7bae2428064e3a27 Mon Sep 17 00:00:00 2001
+From: hurricane618 <hurricane618@hotmail.com>
+Date: Mon, 4 Dec 2023 10:06:55 +0800
+Subject: [PATCH 5/6] add nullptr check in Subscribe
+
+fix leak of nullptr problem
+
+Signed-off-by: hurricane618 <hurricane618@hotmail.com>
+---
+ observer_agent/grpc_comm/client.cpp | 10 ++++++++--
+ observer_agent/grpc_comm/server.cpp | 15 ++++++++-------
+ 2 files changed, 16 insertions(+), 9 deletions(-)
+
+diff --git a/observer_agent/grpc_comm/client.cpp b/observer_agent/grpc_comm/client.cpp
+index ecb54ae..84b5c96 100644
+--- a/observer_agent/grpc_comm/client.cpp
++++ b/observer_agent/grpc_comm/client.cpp
+@@ -43,16 +43,22 @@ std::unique_ptr<ClientReader<Message>> PubSubClient::Subscribe(const int topic)
+     SubscribeRequest request;
+     request.set_topic(topic);
+     request.set_sub_name(uuid_str);
++    std::string ret_info;
+ 
+     Message msg;
+     SubFlag = true;
+     std::unique_ptr<ClientReader<Message>> reader = stub_->Subscribe(&context, request);
+-    if (reader == nullptr)
++    ret_info = ReadFrom(reader);
++
++    if (ret_info.substr(0, 6) == "topic:")
++    {
++        std::cout << "Success subscribe." << std::endl;
++        return reader;
++    } else
+     {
+         std::cerr << "Failed to subscribe." << std::endl;
+         return nullptr;
+     }
+-    return reader;
+ }
+ 
+ void PubSubClient::Publish(const int topic, const std::string &content)
+diff --git a/observer_agent/grpc_comm/server.cpp b/observer_agent/grpc_comm/server.cpp
+index 54ae66f..d53866f 100644
+--- a/observer_agent/grpc_comm/server.cpp
++++ b/observer_agent/grpc_comm/server.cpp
+@@ -86,6 +86,14 @@ class PubSubServiceImpl final : public SubManager::Service
+             return grpc::Status(grpc::StatusCode::INTERNAL, "multi-process max connection number, Failed to Subscribe the topic");
+         }
+ 
++        msg.set_text("topic: " + std::to_string(cli_topic) + " Subscribe success!");
++        if (!writer->Write(msg))
++        {
++            std::cerr << "Failed to write the initial message" << std::endl;
++            sub_mutex.unlock();
++            return grpc::Status(grpc::StatusCode::INTERNAL, "Failed to write the message");
++        }
++
+         suber_topic_[cli_name].push_back(cli_topic);
+         suber_writer_[cli_name].push_back(writer);
+         suber_connection_[cli_name].push_back(tmp_index);
+@@ -94,13 +102,6 @@ class PubSubServiceImpl final : public SubManager::Service
+ 
+         sub_mutex.unlock();
+ 
+-        msg.set_text("topic: " + std::to_string(cli_topic) + " Subscribe success!");
+-        if (!writer->Write(msg))
+-        {
+-            std::cerr << "Failed to write the initial message" << std::endl;
+-            return grpc::Status(grpc::StatusCode::INTERNAL, "Failed to write the message");
+-        }
+-
+         keepalive_msg.set_text("keepalive");
+         while (connect_status[tmp_index])
+         {
+-- 
+2.33.0
+
diff --git a/Backport-bug-fix-memory-leak-in-sc-analyze-unit.patch b/Backport-bug-fix-memory-leak-in-sc-analyze-unit.patch
new file mode 100644
index 0000000..ab185be
--- /dev/null
+++ b/Backport-bug-fix-memory-leak-in-sc-analyze-unit.patch
@@ -0,0 +1,87 @@
+From 2ff0256c1ca0bfb1e119fc419d2a9c3e7a48fc22 Mon Sep 17 00:00:00 2001
+From: yieux <yangxy79315@sina.com>
+Date: Wed, 20 Dec 2023 15:31:22 +0800
+Subject: [PATCH] bug fix memory leak in sc analyze unit
+
+---
+ .../analyze_unit/secDetector_save_check.c     | 24 +++++++++++++------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+
+diff --git a/kerneldriver/core/analyze_unit/secDetector_save_check.c b/kerneldriver/core/analyze_unit/secDetector_save_check.c
+index 4a5f689..788de3e 100644
+--- a/kerneldriver/core/analyze_unit/secDetector_save_check.c
++++ b/kerneldriver/core/analyze_unit/secDetector_save_check.c
+@@ -38,6 +38,11 @@ static int init_analyze_status_data_sc(analyze_status_t *analyze_status_data, in
+ 		return 0;
+ 	}
+ 	analyze_status_data->sc_data.data = kmalloc(sizeof(unsigned long long) * len, GFP_KERNEL);
++	if (analyze_status_data->sc_data.data == NULL) {
++		pr_err("kmalloc failed");
++		return -ENOMEM;
++	}
++	analyze_status_data->sc_data.data_type = ANALYZE_STATUS_SAVE_CHECK;
+ 	analyze_status_data->sc_data.len = len;
+ 	return 0;
+ }
+@@ -51,6 +56,7 @@ void free_analyze_status_data_sc(analyze_status_t *analyze_status_data)
+ 
+ static int analyze_save_check_init(struct list_head *collect_data_list, analyze_status_t *analyze_status_data, response_data_t *response_data)
+ {
++	int ret = 0;
+ 	int data_index = 0;
+ 	struct collect_data *cd;
+ 	list_for_each_entry(cd, collect_data_list, list) {
+@@ -58,7 +64,9 @@ static int analyze_save_check_init(struct list_head *collect_data_list, analyze_
+ 			continue;
+ 		data_index++;
+ 	}
+-	init_analyze_status_data_sc(analyze_status_data, data_index);
++	ret = init_analyze_status_data_sc(analyze_status_data, data_index);
++	if (ret < 0)
++		return ret;
+ 
+ 	data_index = 0;
+ 	list_for_each_entry(cd, collect_data_list, list) {
+@@ -89,7 +97,7 @@ static int analyze_save_check_normal(struct list_head *collect_data_list, analyz
+ 	unsigned long long measure_value;
+ 	struct collect_data *cd;
+ 	char *timestamp = NULL;
+-	int timestamp_len;
++	int timestamp_len = 0;
+ 	char **response_arrays;
+ 	int response_array_index = 0;
+ 	char int_str[MAX_DIGITS];
+@@ -124,7 +132,7 @@ static int analyze_save_check_normal(struct list_head *collect_data_list, analyz
+ 				break;
+ 		}
+ 		if (measure_value != analyze_status_data->sc_data.data[data_index]) {
+-			pr_warn("[save_check]%s: original: %llu; now: %llu.!\n",
++			pr_debug("[save_check]%s: original: %llu; now: %llu.!\n",
+ 					cd->name, analyze_status_data->sc_data.data[data_index], measure_value);
+ 			response_arrays[response_array_index] = kzalloc(strlen(cd->name) + REPORT_MORE_CHAR_LEN, GFP_KERNEL);
+ 			if (response_arrays[response_array_index] == NULL) {
+@@ -162,15 +170,17 @@ static int analyze_save_check_normal(struct list_head *collect_data_list, analyz
+ 			ret = -ENOMEM;
+ 			goto end;
+ 		}
+-		if (timestamp_len > 0) {
+-			strncat(response_data->report_data.text, timestamp, timestamp_len);
+-			kfree(timestamp);
+-		}
++
+ 		for (i = 0; i < response_array_index; i++)
+ 			strncat(response_data->report_data.text, response_arrays[i], strlen(response_arrays[i]));
+ 		strcat(response_data->report_data.text, "\n");
+ 	}
++
+ end:
++	if (timestamp_len > 0) {
++		strncat(response_data->report_data.text, timestamp, timestamp_len);
++		kfree(timestamp);
++}
+ 	for (i = 0; i < response_array_index; i++)
+ 		kfree(response_arrays[i]);
+ 	kfree(response_arrays);
+-- 
+2.33.0
+
diff --git a/Backport-check-value-for-topic.patch b/Backport-check-value-for-topic.patch
new file mode 100644
index 0000000..b5320c5
--- /dev/null
+++ b/Backport-check-value-for-topic.patch
@@ -0,0 +1,50 @@
+From 585ac671ed21faa9d84cbab1609f2557857e5204 Mon Sep 17 00:00:00 2001
+From: zgzxx <zhangguangzhi3@huawei.com>
+Date: Tue, 21 Nov 2023 21:21:26 +0800
+Subject: [PATCH] check value for topic
+
+---
+ lib/secDetector_sdk.cpp | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/lib/secDetector_sdk.cpp b/lib/secDetector_sdk.cpp
+index 208f4ac..ee76079 100644
+--- a/lib/secDetector_sdk.cpp
++++ b/lib/secDetector_sdk.cpp
+@@ -18,7 +18,7 @@
+ #include <iostream>
+ #include "../observer_agent/grpc_comm/grpc_api.h"
+ 
+-#define ALLTOPIC 0x008FFFFF
++#define ALLTOPIC 0x00FFFFFF
+ using namespace std;
+ static string server_address("unix:///var/run/secDetector.sock");
+ static PubSubClient g_client(grpc::CreateChannel(server_address, grpc::InsecureChannelCredentials()));
+@@ -32,8 +32,10 @@ extern "C" {
+ 
+ void *secSub(const int topic)
+ {
+-	if (!(topic & ALLTOPIC))
++	if (topic <= 0 || topic > ALLTOPIC) {
++		printf("secSub failed, topic:%d is error\n", topic);
+ 		return NULL;
++	}
+ 
+ 	unique_ptr<ClientReader<Message>> reader = g_client.Subscribe(topic);
+ 
+@@ -47,8 +49,10 @@ void *secSub(const int topic)
+ 
+ void secUnsub(const int topic, void *reader)
+ {
+-        if (!(topic & ALLTOPIC))
+-                return;
++	if (topic <= 0 || topic > ALLTOPIC) {
++		printf("secUnsub failed, topic:%d is error\n", topic);
++		return;
++	}
+ 
+ 	if (!reader)
+                 return;
+-- 
+2.33.0
+
diff --git a/Backport-createfile-check-f_mode-and-fix-typo.patch b/Backport-createfile-check-f_mode-and-fix-typo.patch
new file mode 100644
index 0000000..c4c5d46
--- /dev/null
+++ b/Backport-createfile-check-f_mode-and-fix-typo.patch
@@ -0,0 +1,110 @@
+From bb4b1875241741b0329555342f82ab820cf12187 Mon Sep 17 00:00:00 2001
+From: zgzxx <zhangguangzhi3@huawei.com>
+Date: Sat, 9 Dec 2023 15:29:01 +0800
+Subject: createfile check f_mode and fix typo
+
+---
+ include/secDetector_topic.h                      | 2 +-
+ observer_agent/ebpf/file_ebpf/file_fentry.bpf.c  | 5 ++++-
+ observer_agent/ebpf/file_ebpf/file_fentry.c      | 2 +-
+ observer_agent/ebpf/file_ebpf/test_file_fentry.c | 2 +-
+ observer_agent/ebpf/test_fentry.c                | 2 +-
+ observer_agent/service/ebpf_converter.cpp        | 2 +-
+ 6 files changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/include/secDetector_topic.h b/include/secDetector_topic.h
+index 7320042..93a6872 100644
+--- a/include/secDetector_topic.h
++++ b/include/secDetector_topic.h
+@@ -17,7 +17,7 @@
+ #ifndef SECDETECTOR_TOPIC_H
+ #define SECDETECTOR_TOPIC_H
+ /* file */
+-#define CREATFILE 0x00000001
++#define CREATEFILE 0x00000001
+ #define DELFILE 0x00000002
+ #define SETFILEATTR 0x00000004
+ #define WRITEFILE 0x00000008
+diff --git a/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c b/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
+index f4e7e44..941b785 100644
+--- a/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
++++ b/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
+@@ -13,6 +13,7 @@
+ 
+ #define O_CREAT 100
+ #define LOOKUP_CREATE 0x0200
++#define FMODE_CREATED 0x100000
+ 
+ char LICENSE[] SEC("license") = "Dual BSD/GPL";
+ 
+@@ -112,12 +113,14 @@ int BPF_PROG(do_filp_open_exit, int dfd, struct filename *pathname, const struct
+ 		return 0;
+ 	if (!S_ISREG(ret_file->f_inode->i_mode))
+ 		return 0;
++	if (!(ret_file->f_mode & FMODE_CREATED))
++		return 0;
+ 
+ 	e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0);
+ 	if (!e)
+ 		return 0;
+ 
+-	e->type = CREATFILE;
++	e->type = CREATEFILE;
+ 
+ 	struct task_struct *parent = NULL;
+ 	struct task_struct *task = NULL;
+diff --git a/observer_agent/ebpf/file_ebpf/file_fentry.c b/observer_agent/ebpf/file_ebpf/file_fentry.c
+index bf445ab..daec6e3 100644
+--- a/observer_agent/ebpf/file_ebpf/file_fentry.c
++++ b/observer_agent/ebpf/file_ebpf/file_fentry.c
+@@ -44,7 +44,7 @@ static void DisableProg(struct bpf_object_skeleton *s, const char *prog_name)
+ 
+ static void DisableProgBasedOnMask(struct bpf_object_skeleton *skel, int mask)
+ {
+-    if ((mask & CREATFILE) == 0) {
++    if ((mask & CREATEFILE) == 0) {
+         DisableProg(skel, "do_filp_open_exit");
+     }
+ 
+diff --git a/observer_agent/ebpf/file_ebpf/test_file_fentry.c b/observer_agent/ebpf/file_ebpf/test_file_fentry.c
+index a9ea778..c22d2ef 100644
+--- a/observer_agent/ebpf/file_ebpf/test_file_fentry.c
++++ b/observer_agent/ebpf/file_ebpf/test_file_fentry.c
+@@ -9,7 +9,7 @@ static int handle_event(void *ctx, void *data, size_t data_sz)
+ 	printf("timestamp:%llu event_name:%s exe:%s pid:%u tgid:%u uid:%u gid:%u comm:%s"
+ 		" sid:%u ppid:%u pgid:%u pcomm:%s nodename:%s pns:%u root_pns:%u",
+ 		e->timestamp, e->event_name, e->exe, e->pid, e->tgid, e->uid, e->gid, e->comm, e->sid, e->ppid, e->pgid,e->pcomm, e->nodename, e->pns, e->root_pns);
+-    	if (e->type & (CREATFILE | DELFILE | SETFILEATTR | WRITEFILE | READFILE))
++	if (e->type & (CREATEFILE | DELFILE | SETFILEATTR | WRITEFILE | READFILE))
+ 		printf(" filename:%s", e->file_info.filename);
+ 	if (e->type & SETFILEATTR)
+ 		printf(" name:%s value:%s old_value:%s", e->file_info.name, e->file_info.value,e->file_info.old_value);
+diff --git a/observer_agent/ebpf/test_fentry.c b/observer_agent/ebpf/test_fentry.c
+index 0616958..330e82a 100644
+--- a/observer_agent/ebpf/test_fentry.c
++++ b/observer_agent/ebpf/test_fentry.c
+@@ -24,7 +24,7 @@ static int handle_event(void *ctx, void *data, size_t data_sz)
+            " sid:%u ppid:%u pgid:%u pcomm:%s nodename:%s pns:%u root_pns:%u",
+            e->timestamp, e->event_name, e->exe, e->pid, e->tgid, e->uid, e->gid, e->comm, e->sid, e->ppid, e->pgid,
+            e->pcomm, e->nodename, e->pns, e->root_pns);
+-    if (e->type & (CREATFILE | DELFILE | SETFILEATTR | WRITEFILE | READFILE))
++    if (e->type & (CREATEFILE | DELFILE | SETFILEATTR | WRITEFILE | READFILE))
+ 	    printf(" filename:%s", e->file_info.filename);
+     printf(" exit_code: %u\n", e->process_info.exit_code);
+     return 0;
+diff --git a/observer_agent/service/ebpf_converter.cpp b/observer_agent/service/ebpf_converter.cpp
+index 27a2e37..4d8d8ba 100644
+--- a/observer_agent/service/ebpf_converter.cpp
++++ b/observer_agent/service/ebpf_converter.cpp
+@@ -158,7 +158,7 @@ static std::map<int, convert_func_t> convert_funcs = {
+     {CREATPROCESS, convert_creat_process},
+     {DESTROYPROCESS, convert_destroy_process},
+     {SETPROCESSATTR, convert_set_process_attr},
+-    {CREATFILE, convert_common_file},
++    {CREATEFILE, convert_common_file},
+     {DELFILE, convert_common_file},
+     {SETFILEATTR, convert_set_file_attr},
+     {WRITEFILE, convert_common_file},
+-- 
+2.33.0
+
diff --git a/Backport-creatfile-check-op-intent-value.patch b/Backport-creatfile-check-op-intent-value.patch
new file mode 100644
index 0000000..8262b3e
--- /dev/null
+++ b/Backport-creatfile-check-op-intent-value.patch
@@ -0,0 +1,33 @@
+From b3108cabb7ff97f8bb8b8398842cb2e8c623664c Mon Sep 17 00:00:00 2001
+From: zgzxx <zhangguangzhi3@huawei.com>
+Date: Wed, 6 Dec 2023 16:13:13 +0800
+Subject: creatfile check op intent value
+
+---
+ observer_agent/ebpf/file_ebpf/file_fentry.bpf.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c b/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
+index 7afb7e2..f4e7e44 100644
+--- a/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
++++ b/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
+@@ -12,6 +12,7 @@
+ #define S_ISREG(m) (((m) & S_IFMT) == S_IFREG)
+ 
+ #define O_CREAT 100
++#define LOOKUP_CREATE 0x0200
+ 
+ char LICENSE[] SEC("license") = "Dual BSD/GPL";
+ 
+@@ -107,7 +108,7 @@ int BPF_PROG(do_filp_open_exit, int dfd, struct filename *pathname, const struct
+ 	struct ebpf_event *e = NULL;
+ 	RETURN_ZERO_IF_OURSELF();
+ 
+-	if (op && !(op->open_flag & O_CREAT))
++	if (op && (!(op->open_flag & O_CREAT) || !(op->intent & LOOKUP_CREATE)))
+ 		return 0;
+ 	if (!S_ISREG(ret_file->f_inode->i_mode))
+ 		return 0;
+-- 
+2.33.0
+
diff --git a/Backport-del-useless-code-for-timestamp.patch b/Backport-del-useless-code-for-timestamp.patch
new file mode 100644
index 0000000..c219600
--- /dev/null
+++ b/Backport-del-useless-code-for-timestamp.patch
@@ -0,0 +1,37 @@
+From 8798032e6dafed4730c51fb796347fb7b5092d7c Mon Sep 17 00:00:00 2001
+From: zgzxx <zhangguangzhi3@huawei.com>
+Date: Wed, 29 Nov 2023 10:15:00 +0800
+Subject: del useless code for timestamp
+
+---
+ .../kmodule_baseline/secDetector_mc_kmodule_baseline.c     | 7 -------
+ 1 file changed, 7 deletions(-)
+
+diff --git a/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c b/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c
+index 6a7edda..cff1ff5 100644
+--- a/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c
++++ b/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c
+@@ -17,7 +17,6 @@
+ 
+ #define MODULE_LIST_MAXSIZE 0x10000
+ #define NAME_LEN 4096
+-#define HEADER_MSG_LEN 128
+ #define KMODULE_BASELINE_TYPE 0x00800000
+ 
+ typedef struct chkrkatt_module {
+@@ -79,12 +78,6 @@ static void report_kmodule_baseline(void)
+ 		pr_err("module_name_all kzalloc failed\n");
+ 		return;
+ 	}
+-	header_msg = (char *)kzalloc(HEADER_MSG_LEN, GFP_ATOMIC);
+-	if (header_msg == NULL) {
+-		pr_err("hearder_msg kzalloc failed\n");
+-		kfree(module_name_all);
+-		return;
+-	}
+ 
+ 	header_msg_len = get_timestamp_str(&header_msg);
+ 	if (header_msg_len <= 0)
+-- 
+2.33.0
+
diff --git a/Backport-fix-6.x-kernel-compile-error.patch b/Backport-fix-6.x-kernel-compile-error.patch
new file mode 100644
index 0000000..ad58abf
--- /dev/null
+++ b/Backport-fix-6.x-kernel-compile-error.patch
@@ -0,0 +1,268 @@
+From 0583e13c466bf0be32ccbfbb854e4aff41fb32ff Mon Sep 17 00:00:00 2001
+From: hurricane618 <hurricane618@hotmail.com>
+Date: Mon, 19 Feb 2024 23:31:59 +0800
+Subject: [PATCH] fix 6.x kernel compile error
+
+---
+ kerneldriver/cases/Makefile                   |  2 +
+ .../secDetector_mc_kmodule_baseline.c         |  5 ++
+ .../secDetector_program_action.c              | 41 +++++++++++++
+ .../response_unit/secDetector_ringbuffer.c    | 12 +++-
+ observer_agent/CMakeLists.txt                 |  4 +-
+ observer_agent/grpc_comm/Makefile             | 59 +------------------
+ 6 files changed, 63 insertions(+), 60 deletions(-)
+
+diff --git a/kerneldriver/cases/Makefile b/kerneldriver/cases/Makefile
+index 5a94e50..146fbee 100644
+--- a/kerneldriver/cases/Makefile
++++ b/kerneldriver/cases/Makefile
+@@ -26,8 +26,10 @@ ifndef KDIR
+ KDIR=$(KERNEL_SRC)
+ endif
+ 
++ifneq ($(VERSION), 6)
+ KBUILD_EXTRA_SYMBOLS += $(PWD)/../core/Module.symvers
+ export KBUILD_EXTRA_SYMBOLS
++endif
+ 
+ all:
+ 	$(MAKE) -C $(KERNEL_SRC) M=$(PWD) modules KCPPFLAGS="${cflags-y}"
+diff --git a/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c b/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c
+index 9a051ca..b799f9f 100644
+--- a/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c
++++ b/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c
+@@ -10,6 +10,7 @@
+ #include <linux/list.h>
+ #include <linux/spinlock.h>
+ #include <linux/slab.h>
++#include <linux/version.h>
+ #include <time.h>
+ #include "secDetector_mc_kmodule_baseline.h"
+ #include "secDetector_response.h"
+@@ -123,7 +124,9 @@ void check_kmodule_baseline(void)
+ 	if (module_kset == NULL)
+ 		return;
+ 
++#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 0, 0)
+ 	mutex_lock(&module_mutex);
++#endif
+ 	spin_lock(&module_kset->list_lock);
+ 	list_for_each_entry(k, &module_kset->list, entry) {
+ 		if (k->name == NULL)
+@@ -137,7 +140,9 @@ void check_kmodule_baseline(void)
+ 			break;
+ 	}
+ 	spin_unlock(&module_kset->list_lock);
++#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 0, 0)
+ 	mutex_unlock(&module_mutex);
++#endif
+ 
+ 	report_kmodule_baseline();
+ 	free_kmodule_baseline();
+diff --git a/kerneldriver/cases/program_action/secDetector_program_action.c b/kerneldriver/cases/program_action/secDetector_program_action.c
+index f571c08..facd3b2 100644
+--- a/kerneldriver/cases/program_action/secDetector_program_action.c
++++ b/kerneldriver/cases/program_action/secDetector_program_action.c
+@@ -38,6 +38,7 @@
+ #include <linux/ctype.h>
+ #include <linux/cred.h>
+ #include <linux/kthread.h>
++#include <linux/version.h>
+ #include <string.h>
+ 
+ #include "secDetector_manager.h"
+@@ -84,6 +85,46 @@ struct process_info {
+ 	int umask;
+ };
+ 
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 0, 0)
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 7, 0)
++struct file *get_mm_exe_file(struct mm_struct *mm)
++{
++	struct file *exe_file;
++
++	rcu_read_lock();
++	exe_file = get_file_rcu(&mm->exe_file);
++	rcu_read_unlock();
++	return exe_file;
++}
++#else
++struct file *get_mm_exe_file(struct mm_struct *mm)
++{
++	struct file *exe_file;
++
++	rcu_read_lock();
++	exe_file = rcu_dereference(mm->exe_file);
++	if (exe_file && !get_file_rcu(exe_file))
++		exe_file = NULL;
++	rcu_read_unlock();
++	return exe_file;
++}
++#endif
++struct file *get_task_exe_file(struct task_struct *task)
++{
++	struct file *exe_file = NULL;
++	struct mm_struct *mm;
++
++	spin_lock(&task->alloc_lock);
++	mm = task->mm;
++	if (mm) {
++		if (!(task->flags & PF_KTHREAD))
++			exe_file = get_mm_exe_file(mm);
++	}
++	spin_unlock(&task->alloc_lock);
++	return exe_file;
++}
++#endif
++
+ char *get_process_path(struct task_struct *p, char *pathname, int len)
+ {
+ 	char *process_path = NULL;
+diff --git a/kerneldriver/core/response_unit/secDetector_ringbuffer.c b/kerneldriver/core/response_unit/secDetector_ringbuffer.c
+index b367d74..27e8640 100644
+--- a/kerneldriver/core/response_unit/secDetector_ringbuffer.c
++++ b/kerneldriver/core/response_unit/secDetector_ringbuffer.c
+@@ -17,6 +17,7 @@
+ #include <linux/module.h>
+ #include <linux/kmemleak.h>
+ #include <linux/fs.h>
++#include <linux/version.h>
+ 
+ static unsigned long rb_datasz;
+ static unsigned long rb_mask;
+@@ -287,7 +288,11 @@ static int ringbuffer_mmap(struct file *flip, struct vm_area_struct *vma)
+ 		    vma->vm_end - vma->vm_start != PAGE_SIZE)
+ 			return -EPERM;
+ 	} else {
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 0, 0)
++		vm_flags_clear(vma, VM_MAYWRITE);
++#else
+ 		vma->vm_flags &= ~VM_MAYWRITE;
++#endif
+ 	}
+ 	/* remap_vmalloc_range() checks size and offset */
+ 	return remap_vmalloc_range(vma, g_rb, vma->vm_pgoff + RINGBUF_PGOFF);
+@@ -366,8 +371,11 @@ int __init secDetector_ringbuf_dev_init(unsigned int rb_sz)
+ 		ret = major;
+ 		goto error_free;
+ 	}
+-
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 0, 0)
++	class = class_create(MODULE_DEVICE);
++#else
+ 	class = class_create(THIS_MODULE, MODULE_DEVICE);
++#endif
+ 	if (IS_ERR(class)) {
+ 		ret = PTR_ERR(class);
+ 		goto error_class_create;
+@@ -398,4 +406,4 @@ void __exit secDetector_ringbuf_dev_exit(void)
+ 	class_destroy(class);
+ 	unregister_chrdev(major, MODULE_DEVICE);
+ 	ringbuf_free(g_rb);
+-}
+\ No newline at end of file
++}
+diff --git a/observer_agent/CMakeLists.txt b/observer_agent/CMakeLists.txt
+index f110b49..297fcc0 100644
+--- a/observer_agent/CMakeLists.txt
++++ b/observer_agent/CMakeLists.txt
+@@ -1,7 +1,7 @@
+ cmake_minimum_required(VERSION 3.22)
+ 
+ add_subdirectory(ebpf)
+-set(CMAKE_CXX_STANDARD 11)
++set(CMAKE_CXX_STANDARD 17)
+ project(observer_agent VERSION 1.0 LANGUAGES CXX)
+ set(GRPC_PATH ${CMAKE_CURRENT_SOURCE_DIR}/grpc_comm)
+ add_custom_target(grpc_demo ALL
+@@ -16,5 +16,5 @@ target_include_directories(secDetectord PUBLIC service grpc_comm ${CMAKE_SOURCE_
+ target_link_libraries(secDetectord ${CMAKE_CURRENT_BINARY_DIR}/ebpf/.output/fentry.o)
+ target_link_libraries(secDetectord ${CMAKE_CURRENT_BINARY_DIR}/ebpf/file_ebpf/.output/file_fentry.o)
+ target_link_libraries(secDetectord ${GRPC_PATH}/comm_api.pb.o ${GRPC_PATH}/comm_api.grpc.pb.o)
+-target_link_libraries(secDetectord protobuf grpc++ grpc absl_synchronization uuid)
++target_link_libraries(secDetectord protobuf grpc++ grpc absl_synchronization absl_log_internal_message absl_log_internal_check_op absl_cord absl_cordz_info absl_cordz_functions absl_cordz_handle gpr uuid)
+ target_link_libraries(secDetectord z elf bpf)
+diff --git a/observer_agent/grpc_comm/Makefile b/observer_agent/grpc_comm/Makefile
+index 3c87ad8..0556a16 100644
+--- a/observer_agent/grpc_comm/Makefile
++++ b/observer_agent/grpc_comm/Makefile
+@@ -17,8 +17,8 @@
+ HOST_SYSTEM = $(shell uname | cut -f 1 -d_)
+ SYSTEM ?= $(HOST_SYSTEM)
+ CXX = g++
+-CPPFLAGS += `pkg-config --cflags protobuf grpc`
+-CXXFLAGS += -std=c++11 -fPIC
++CPPFLAGS += `pkg-config --cflags protobuf grpc` -std=c++17
++CXXFLAGS += -fPIC
+ ifeq ($(SYSTEM),Darwin)
+ LDFLAGS += -L/usr/local/lib `pkg-config --libs protobuf grpc++`\
+ 					 -pthread\
+@@ -38,7 +38,7 @@ PROTOS_PATH = ./protos
+ 
+ vpath %.proto $(PROTOS_PATH)
+ 
+-all: system-check client_pub_demo client_sub_demo server_demo
++all: client_pub_demo client_sub_demo server_demo
+ 
+ client_pub_demo: comm_api.pb.o comm_api.grpc.pb.o client.o client_pub_demo.o
+ 	$(CXX) $^ $(LDFLAGS) -o $@
+@@ -58,56 +58,3 @@ server_demo: comm_api.pb.o comm_api.grpc.pb.o server.o server_demo.o
+ clean:
+ 	rm -f *.o *.pb.cc *.pb.h server_demo client_sub_demo client_pub_demo
+ 
+-
+-# The following is to test your system and ensure a smoother experience.
+-# They are by no means necessary to actually compile a grpc-enabled software.
+-
+-PROTOC_CMD = which $(PROTOC)
+-PROTOC_CHECK_CMD = $(PROTOC) --version | grep -q libprotoc.3
+-PLUGIN_CHECK_CMD = which $(GRPC_CPP_PLUGIN)
+-HAS_PROTOC = $(shell $(PROTOC_CMD) > /dev/null && echo true || echo false)
+-ifeq ($(HAS_PROTOC),true)
+-HAS_VALID_PROTOC = $(shell $(PROTOC_CHECK_CMD) 2> /dev/null && echo true || echo false)
+-endif
+-HAS_PLUGIN = $(shell $(PLUGIN_CHECK_CMD) > /dev/null && echo true || echo false)
+-
+-SYSTEM_OK = false
+-ifeq ($(HAS_VALID_PROTOC),true)
+-ifeq ($(HAS_PLUGIN),true)
+-SYSTEM_OK = true
+-endif
+-endif
+-
+-system-check:
+-ifneq ($(HAS_VALID_PROTOC),true)
+-	@echo " DEPENDENCY ERROR"
+-	@echo
+-	@echo "You don't have protoc 3.0.0 installed in your path."
+-	@echo "Please install Google protocol buffers 3.0.0 and its compiler."
+-	@echo "You can find it here:"
+-	@echo
+-	@echo "   https://github.com/protocolbuffers/protobuf/releases/tag/v3.0.0"
+-	@echo
+-	@echo "Here is what I get when trying to evaluate your version of protoc:"
+-	@echo
+-	-$(PROTOC) --version
+-	@echo
+-	@echo
+-endif
+-ifneq ($(HAS_PLUGIN),true)
+-	@echo " DEPENDENCY ERROR"
+-	@echo
+-	@echo "You don't have the grpc c++ protobuf plugin installed in your path."
+-	@echo "Please install grpc. You can find it here:"
+-	@echo
+-	@echo "   https://github.com/grpc/grpc"
+-	@echo
+-	@echo "Here is what I get when trying to detect if you have the plugin:"
+-	@echo
+-	-which $(GRPC_CPP_PLUGIN)
+-	@echo
+-	@echo
+-endif
+-ifneq ($(SYSTEM_OK),true)
+-	@false
+-endif
+-- 
+2.21.0
+
diff --git a/Backport-fix-bug-of-mc-case-not-collect-data.patch b/Backport-fix-bug-of-mc-case-not-collect-data.patch
new file mode 100644
index 0000000..1e4a92e
--- /dev/null
+++ b/Backport-fix-bug-of-mc-case-not-collect-data.patch
@@ -0,0 +1,24 @@
+From b1689ab1e8e79f7e8125adb2c8f8614d90eb3209 Mon Sep 17 00:00:00 2001
+From: yieux <yangxy79315@sina.com>
+Date: Tue, 28 Nov 2023 10:49:35 +0800
+Subject: fix bug of mc case not collect data
+
+---
+ .../cases/memory_corruption/secDetector_memory_corruption.c      | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c b/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c
+index 5b487ac..c9e9868 100644
+--- a/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c
++++ b/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c
+@@ -43,6 +43,7 @@ static struct secDetector_workflow workflow_array[] = {
+ 		.workflow_type = WORKFLOW_PRESET,
+ 		.hook_type = SECDETECTOR_TIMER,
+ 		.collect_array = collect_array,
++		.collect_array_len = ARRAY_SIZE(collect_array),
+ 		.analyze_type = ANALYZE_PRESET_SAVE_CHECK,
+ 		.interval = TIME_INTERVAL,
+ 		.enabled = ATOMIC_INIT(true)
+-- 
+2.33.0
+
diff --git a/Backport-fix-invalid-TUF-8-data-in-memory-corruption-module.patch b/Backport-fix-invalid-TUF-8-data-in-memory-corruption-module.patch
new file mode 100644
index 0000000..08ea01e
--- /dev/null
+++ b/Backport-fix-invalid-TUF-8-data-in-memory-corruption-module.patch
@@ -0,0 +1,63 @@
+From b1a7122cfd360a9a3012555bc7e5821e1fbe7a34 Mon Sep 17 00:00:00 2001
+From: yieux <yangxy79315@sina.com>
+Date: Thu, 14 Dec 2023 17:02:34 +0800
+Subject: [PATCH 4/4] fix invalid TUF-8 data in memory corruption module
+
+---
+ .../analyze_unit/secDetector_save_check.c     | 22 +++++++++----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/kerneldriver/core/analyze_unit/secDetector_save_check.c b/kerneldriver/core/analyze_unit/secDetector_save_check.c
+index 72c4948..0ab40ce 100644
+--- a/kerneldriver/core/analyze_unit/secDetector_save_check.c
++++ b/kerneldriver/core/analyze_unit/secDetector_save_check.c
+@@ -124,25 +124,25 @@ static int analyze_save_check_normal(struct list_head *collect_data_list, analyz
+ 				break;
+ 		}
+ 		if (measure_value != analyze_status_data->sc_data.data[data_index]) {
+-			pr_debug("[save_check]%s: original: %llx; now: %llx.!\n",
++			pr_debug("[save_check]%s: original: %lld; now: %lld.!\n",
+ 					cd->name, analyze_status_data->sc_data.data[data_index], measure_value);
+-			response_arrays[response_array_index] = kmalloc(strlen(cd->name) + REPORT_MORE_CHAR_LEN, GFP_KERNEL);
++			response_arrays[response_array_index] = kzalloc(strlen(cd->name) + REPORT_MORE_CHAR_LEN, GFP_KERNEL);
+ 			if (response_arrays[response_array_index] == NULL) {
+-				pr_err("kmalloc failed");
++				pr_err("kzalloc failed");
+ 				ret = -ENOMEM;
+ 				goto end;
+ 			}
+ 
+-			strcpy(response_arrays[response_array_index], "[save_check]");
++			strcpy(response_arrays[response_array_index], " secswitch_name=");
+ 			//应该有 workflow的名字
+ 			strncat(response_arrays[response_array_index], cd->name, strlen(cd->name));
+-			strcat(response_arrays[response_array_index],": original: ");
+-			sprintf(int_str, "%llx", analyze_status_data->sc_data.data[data_index]);
++			strcat(response_arrays[response_array_index]," old_value=");
++			sprintf(int_str, "%lld", analyze_status_data->sc_data.data[data_index]);
+ 			strncat(response_arrays[response_array_index], int_str, strlen(int_str));
+-			strcat(response_arrays[response_array_index],"; now: ");
+-			sprintf(int_str, "%llx", measure_value);
++			strcat(response_arrays[response_array_index]," new_value=");
++			sprintf(int_str, "%lld", measure_value);
+ 			strncat(response_arrays[response_array_index], int_str, strlen(int_str));
+-			strcat(response_arrays[response_array_index],".!\n");
++			strcat(response_arrays[response_array_index],".\n");
+ 
+ 			response_data_char_len += strlen(response_arrays[response_array_index]);
+ 			ret = RESPONSE_REPORT;
+@@ -156,9 +156,9 @@ static int analyze_save_check_normal(struct list_head *collect_data_list, analyz
+ 		timestamp_len = get_timestamp_str(&timestamp);
+ 		response_data->report_data.type = event_type;
+ 		response_data->report_data.len = response_data_char_len + timestamp_len;
+-		response_data->report_data.text = kmalloc(response_data->report_data.len + 1, GFP_KERNEL);
++		response_data->report_data.text = kzalloc(response_data->report_data.len + 1, GFP_KERNEL);
+ 		if (response_data->report_data.text == NULL) {
+-			pr_err("kmalloc failed");
++			pr_err("kzalloc failed");
+ 			ret = -ENOMEM;
+ 			goto end;
+ 		}
+-- 
+2.33.0
+
diff --git a/Backport-fix-memleak-bug-in-secDetector_program_action.patch b/Backport-fix-memleak-bug-in-secDetector_program_action.patch
new file mode 100644
index 0000000..14693b0
--- /dev/null
+++ b/Backport-fix-memleak-bug-in-secDetector_program_action.patch
@@ -0,0 +1,127 @@
+From a4b7e62a1a24948a8f436ba3b5763317315e081a Mon Sep 17 00:00:00 2001
+From: hurricane618 <hurricane618@hotmail.com>
+Date: Wed, 29 Nov 2023 23:13:39 +0800
+Subject: [PATCH 1/6] fix memleak bug in secDetector_program_action
+
+fix memleak
+
+Signed-off-by: hurricane618 <hurricane618@hotmail.com>
+---
+ .../secDetector_program_action.c              | 52 +++++--------------
+ 1 file changed, 13 insertions(+), 39 deletions(-)
+
+diff --git a/kerneldriver/cases/program_action/secDetector_program_action.c b/kerneldriver/cases/program_action/secDetector_program_action.c
+index 4f8a555..504a36d 100644
+--- a/kerneldriver/cases/program_action/secDetector_program_action.c
++++ b/kerneldriver/cases/program_action/secDetector_program_action.c
+@@ -42,6 +42,7 @@
+ 
+ #include "secDetector_manager.h"
+ #include "secDetector_response.h"
++#include "secDetector_analyze.h"
+ #include <secDetector_module_type.h>
+ 
+ #define PATH_LEN 512
+@@ -83,43 +84,6 @@ struct process_info {
+ 	int umask;
+ };
+ 
+-int get_timestamp_str(char **ret_str)
+-{
+-	struct timespec64 ts;
+-	struct tm stm;
+-	char *stm_str;
+-	int stm_str_len = 0;
+-
+-	ktime_get_real_ts64(&ts);
+-	time64_to_tm(ts.tv_sec, 0, &stm);
+-
+-	stm_str = (char *)kzalloc(TIME_STR_MAX_LEN, GFP_ATOMIC);
+-	if (stm_str == NULL) {
+-		pr_err("kzalloc failed\n");
+-		*ret_str = NULL;
+-		return 0;
+-	}
+-
+-	stm_str_len = scnprintf(stm_str, TIME_STR_MAX_LEN,
+-			"timestamp=%04ld%02d%02d.%02d:%02d:%02d ",
+-			stm.tm_year + 1900, stm.tm_mon + 1, stm.tm_mday, stm.tm_hour, stm.tm_min, stm.tm_sec);
+-	if (stm_str_len <= 0) {
+-		pr_err("scnprintf failed\n");
+-		kfree(stm_str);
+-		*ret_str  = NULL;
+-		return 0;
+-	}
+-
+-	*ret_str = kstrdup(stm_str, GFP_KERNEL);
+-	if (*ret_str == NULL) {
+-		pr_err("kstrdup failed\n");
+-		stm_str_len = 0;
+-	}
+-
+-	kfree(stm_str);
+-	return stm_str_len;
+-}
+-
+ char *get_process_path(struct task_struct *p, char *pathname, int len)
+ {
+ 	char *process_path = NULL;
+@@ -276,7 +240,7 @@ static int ptrace_attach_pre_handler(struct secDetector_workflow *wf,
+ 	response_data_t log;
+ 
+ 	if (!pi) {
+-		pr_warn("get_common_process_info by fork failed\n");
++		pr_err("get_common_process_info by fork failed\n");
+ 		return 0;
+ 	}
+ 
+@@ -302,6 +266,10 @@ static int ptrace_attach_pre_handler(struct secDetector_workflow *wf,
+ 	log.report_data.type = 0x00000800;
+ 	log.report_data.len = BUF_SIZE;
+ 	log.report_data.text = kzalloc(BUF_SIZE, GFP_ATOMIC);
++	if (!log.report_data.text) {
++		pr_err("log.report_data.text kzalloc failed!\n");
++		return 0;
++	}
+ 	snprintf(log.report_data.text, BUF_SIZE,
+ 			 "%s event_type=call_api uid=%d exe=%s pid=%d comm=%s tgid=%d ppid=%d pcomm=%s pgid=%d sid=%d nodename=%s pns=%u root_pns=%u api_name=%s api_arg=[attach_task_pid=%d cur_task_pid=%d request=%ld addr=%lu flags=%lu]\n",
+ 			 timestamp, pi->uid, pi->exe, pi->pid, pi->comm, pi->tgid, pi->ppid, pi->pcomm, pi->pgid, pi->sid, pi->nodename, pi->pns, pi->root_pns,
+@@ -309,6 +277,7 @@ static int ptrace_attach_pre_handler(struct secDetector_workflow *wf,
+ 
+ 	secDetector_report(&log);
+ 	kfree(log.report_data.text);
++	kfree(timestamp);
+  	put_common_process_info(pi);
+ 
+ 	return 0;
+@@ -323,7 +292,7 @@ static int do_pipe2_pre_handler(struct secDetector_workflow *wf,
+ 	response_data_t log;
+ 
+ 	if (!pi) {
+-		pr_warn("get_common_process_info by fork failed\n");
++		pr_err("get_common_process_info by fork failed\n");
+ 		return 0;
+ 	}
+ 	timestamp_len = get_timestamp_str(&timestamp);
+@@ -331,6 +300,10 @@ static int do_pipe2_pre_handler(struct secDetector_workflow *wf,
+ 	log.report_data.type = 0x00000200;
+ 	log.report_data.len = BUF_SIZE;
+ 	log.report_data.text = kzalloc(BUF_SIZE, GFP_ATOMIC);
++	if (!log.report_data.text) {
++		pr_err("log.report_data.text kzalloc failed!\n");
++		return 0;
++	}
+ 	snprintf(log.report_data.text, BUF_SIZE,
+ 			 "%s event_type=createpipe uid=%d exe=%s pid=%d comm=%s tgid=%d ppid=%d pcomm=%s pgid=%d sid=%d nodename=%s pns=%u root_pns=%u dfd= pipe_name=%s\n",
+ 			 timestamp, pi->uid, pi->exe, pi->pid, pi->comm, pi->tgid, pi->ppid, pi->pcomm, pi->pgid, pi->sid, pi->nodename, pi->pns, pi->root_pns,
+@@ -338,6 +311,7 @@ static int do_pipe2_pre_handler(struct secDetector_workflow *wf,
+ 
+ 	secDetector_report(&log);
+ 	kfree(log.report_data.text);
++	kfree(timestamp);
+ 	put_common_process_info(pi);
+ 
+ 	return 0;
+-- 
+2.33.0
+
diff --git a/Backport-fix-memory-leak-bug-in-sc-analyze-unit.patch b/Backport-fix-memory-leak-bug-in-sc-analyze-unit.patch
new file mode 100644
index 0000000..740e754
--- /dev/null
+++ b/Backport-fix-memory-leak-bug-in-sc-analyze-unit.patch
@@ -0,0 +1,68 @@
+From 6d1833b44b7cdea6c8459df8c431f1779afa2ab8 Mon Sep 17 00:00:00 2001
+From: yieux <yangxy79315@sina.com>
+Date: Mon, 27 Nov 2023 15:29:30 +0800
+Subject: fix memory leak bug in sc analyze unit
+
+---
+ README.md                                         |  2 +-
+ .../core/analyze_unit/secDetector_save_check.c    | 15 +++++++++------
+ 2 files changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/README.md b/README.md
+index a2b7726..9658879 100644
+--- a/README.md
++++ b/README.md
+@@ -68,7 +68,7 @@ secDetector在架构上分为四个部分：SDK、Service、检测特性集合ca
+ 
+   检测框架core是以一个cases依赖的基础框架，提供case的管理，和workflow所需的通用的基础功能单元。内核异常信息检测框架会以内核模块ko的形态承载。一个检测特性case可以将自己注册到框架中，或者从框架中去注册。框架还可以提供特定的交互接口以满足外部的动态请求。一个workflow被定义为有四类功能单元组成：事件发生器、信息采集器、事件分析器、响应单元。
+ 
+-
++Driver分为两类，kerneldriver 和 usrdriver。顾名思义，kerneldriver是部署在内核态中的，以内核模块的形式承载。usrdriver是部署在用户态中的，直接被部署为Service中的一个模块。从逻辑上usrdriver是在Service之下的，但是在运行中，为了降低通信成本，usrdriver被直接集成在Service程序中。
+ 
+ ## 安装教程
+ - kerneldriver
+diff --git a/kerneldriver/core/analyze_unit/secDetector_save_check.c b/kerneldriver/core/analyze_unit/secDetector_save_check.c
+index 101a028..72c4948 100644
+--- a/kerneldriver/core/analyze_unit/secDetector_save_check.c
++++ b/kerneldriver/core/analyze_unit/secDetector_save_check.c
+@@ -129,7 +129,8 @@ static int analyze_save_check_normal(struct list_head *collect_data_list, analyz
+ 			response_arrays[response_array_index] = kmalloc(strlen(cd->name) + REPORT_MORE_CHAR_LEN, GFP_KERNEL);
+ 			if (response_arrays[response_array_index] == NULL) {
+ 				pr_err("kmalloc failed");
+-				return -ENOMEM;
++				ret = -ENOMEM;
++				goto end;
+ 			}
+ 
+ 			strcpy(response_arrays[response_array_index], "[save_check]");
+@@ -155,20 +156,22 @@ static int analyze_save_check_normal(struct list_head *collect_data_list, analyz
+ 		timestamp_len = get_timestamp_str(&timestamp);
+ 		response_data->report_data.type = event_type;
+ 		response_data->report_data.len = response_data_char_len + timestamp_len;
+-		response_data->report_data.text = kmalloc(response_data_char_len + 1, GFP_KERNEL);
++		response_data->report_data.text = kmalloc(response_data->report_data.len + 1, GFP_KERNEL);
+ 		if (response_data->report_data.text == NULL) {
+ 			pr_err("kmalloc failed");
+-			return -ENOMEM;
++			ret = -ENOMEM;
++			goto end;
+ 		}
+ 		if (timestamp_len > 0) {
+ 			strncat(response_data->report_data.text, timestamp, timestamp_len);
+ 			kfree(timestamp);
+ 		}
+-		for (i = 0; i < response_array_index; i++) {
++		for (i = 0; i < response_array_index; i++)
+ 			strncat(response_data->report_data.text, response_arrays[i], strlen(response_arrays[i]));
+-			kfree(response_arrays[i]);
+-		}
+ 	}
++end:
++	for (i = 0; i < response_array_index; i++)
++		kfree(response_arrays[i]);
+ 	kfree(response_arrays);
+ 
+ 	return ret;
+-- 
+2.33.0
+
diff --git a/Backport-fix-memory-leak-in-program_action.patch b/Backport-fix-memory-leak-in-program_action.patch
new file mode 100644
index 0000000..23990b1
--- /dev/null
+++ b/Backport-fix-memory-leak-in-program_action.patch
@@ -0,0 +1,64 @@
+From aaed2290507cac0878c93aa550664875d5875a6b Mon Sep 17 00:00:00 2001
+From: hurricane618 <hurricane618@hotmail.com>
+Date: Wed, 20 Dec 2023 20:17:33 +0800
+Subject: [PATCH] fix memory leak in program_action
+
+1. free path data
+2. free pi in error branch
+
+Signed-off-by: hurricane618 <hurricane618@hotmail.com>
+---
+ .../cases/program_action/secDetector_program_action.c    | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/kerneldriver/cases/program_action/secDetector_program_action.c b/kerneldriver/cases/program_action/secDetector_program_action.c
+index 1f0749a..f571c08 100644
+--- a/kerneldriver/cases/program_action/secDetector_program_action.c
++++ b/kerneldriver/cases/program_action/secDetector_program_action.c
+@@ -177,6 +177,9 @@ static struct process_info *get_common_process_info(struct task_struct *tsk, str
+ 	if (get_task_root(tsk, &root) == 0) {
+ 		pi->root = d_path(&root, pi->rootbuf, PATH_LEN);
+ 	}
++
++	path_put(&root);
++
+ 	if (IS_ERR_OR_NULL(pi->root)) {
+ 		pi->root = "invalid";
+ 	}
+@@ -184,6 +187,9 @@ static struct process_info *get_common_process_info(struct task_struct *tsk, str
+ 	if (get_task_cwd(tsk, &cwd) == 0) {
+ 		pi->cwd = d_path(&cwd, pi->cwdbuf, PATH_LEN);
+ 	}
++
++	path_put(&cwd);
++
+ 	if (IS_ERR_OR_NULL(pi->cwd)) {
+ 		pi->cwd = "invalid";
+ 	}
+@@ -258,6 +264,7 @@ static int ptrace_attach_pre_handler(struct secDetector_workflow *wf,
+ #endif
+ 	if (!attach_task) {
+ 		pr_err("ptrace_attach input task_struct error or arch don't support\n");
++		put_common_process_info(pi);
+ 		return 0;
+ 	}
+ 
+@@ -269,6 +276,7 @@ static int ptrace_attach_pre_handler(struct secDetector_workflow *wf,
+ 	if (!log.report_data.text) {
+ 		pr_err("log.report_data.text kzalloc failed!\n");
+ 		kfree(timestamp);
++		put_common_process_info(pi);
+ 		return 0;
+ 	}
+ 	snprintf(log.report_data.text, BUF_SIZE,
+@@ -304,6 +312,7 @@ static int do_pipe2_pre_handler(struct secDetector_workflow *wf,
+ 	if (!log.report_data.text) {
+ 		pr_err("log.report_data.text kzalloc failed!\n");
+ 		kfree(timestamp);
++		put_common_process_info(pi);
+ 		return 0;
+ 	}
+ 	snprintf(log.report_data.text, BUF_SIZE,
+-- 
+2.33.0
+
diff --git a/Backport-fix-printf-error-in-main.cpp.patch b/Backport-fix-printf-error-in-main.cpp.patch
new file mode 100644
index 0000000..8a0e863
--- /dev/null
+++ b/Backport-fix-printf-error-in-main.cpp.patch
@@ -0,0 +1,26 @@
+From ac917ecc5abc25a69821ab6a9be323ed1dd39172 Mon Sep 17 00:00:00 2001
+From: lihengwei <lihengwei@uniontech.com>
+Date: Tue, 21 Nov 2023 14:57:34 +0800
+Subject: [PATCH 1/4] fix printf error in main.cpp
+
+Signed-off-by: lihengwei <lihengwei@uniontech.com>
+---
+ observer_agent/service/main.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/observer_agent/service/main.cpp b/observer_agent/service/main.cpp
+index f177645..bd01690 100644
+--- a/observer_agent/service/main.cpp
++++ b/observer_agent/service/main.cpp
+@@ -164,7 +164,7 @@ int main(int argc, char *argv[])
+         r = daemon(0, 0);
+         if (r == -1)
+         {
+-            printf("daemon failed, r:%d\n");
++            printf("daemon failed, r:%d\n", r);
+             exit(EXIT_FAILURE);
+         }
+     }
+-- 
+2.33.0
+
diff --git a/Backport-fix-register-kpobe-mutiple-times.patch b/Backport-fix-register-kpobe-mutiple-times.patch
new file mode 100644
index 0000000..35a40ff
--- /dev/null
+++ b/Backport-fix-register-kpobe-mutiple-times.patch
@@ -0,0 +1,40 @@
+From 7db0bbb70c7b4148eafa9d44b8b04c80e6b7e78e Mon Sep 17 00:00:00 2001
+From: zcfsite <zhchf2010@126.com>
+Date: Sat, 25 Nov 2023 17:58:26 +0800
+Subject: [PATCH 4/4] fix register kpobe mutiple times
+
+---
+ kerneldriver/core/hook_unit/secDetector_hook_kprobe.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/kerneldriver/core/hook_unit/secDetector_hook_kprobe.c b/kerneldriver/core/hook_unit/secDetector_hook_kprobe.c
+index fb6de05..5acce03 100644
+--- a/kerneldriver/core/hook_unit/secDetector_hook_kprobe.c
++++ b/kerneldriver/core/hook_unit/secDetector_hook_kprobe.c
+@@ -77,6 +77,8 @@ int insert_kprobe_hook(struct secDetector_workflow *workflow)
+ int delete_kprobe_hook(struct secDetector_workflow *workflow)
+ {
+ 	struct kprobe *kp = NULL;
++	const char *tmp_sym = NULL;
++	kprobe_pre_handler_t tmp_handler;
+ 
+ 	if (workflow == NULL)
+ 		return -1;
+@@ -94,7 +96,14 @@ int delete_kprobe_hook(struct secDetector_workflow *workflow)
+ 		if (!kp)
+ 			return -1;
+ 
++		tmp_sym = kp->symbol_name;
++		tmp_handler = kp->pre_handler;
++
+ 		unregister_kprobe(kp);
++		//register mutiple times
++		memset(kp, 0, sizeof(struct kprobe));
++		kp->symbol_name = tmp_sym;
++		kp->pre_handler = tmp_handler;
+ 	}
+ 
+ 	return 0;
+-- 
+2.33.0
+
diff --git a/Backport-fix-report-api-function.patch b/Backport-fix-report-api-function.patch
new file mode 100644
index 0000000..5e098dc
--- /dev/null
+++ b/Backport-fix-report-api-function.patch
@@ -0,0 +1,41 @@
+From d9313a0248bcff9d5655d070ada674972d0c6ff8 Mon Sep 17 00:00:00 2001
+From: hurricane618 <hurricane618@hotmail.com>
+Date: Sun, 19 Nov 2023 14:21:12 +0800
+Subject: [PATCH] fix report api function and memory leak
+
+1. proc_report function change to report
+2. free pi struct
+
+Signed-off-by: hurricane618 <hurricane618@hotmail.com>
+---
+ .../cases/program_action/secDetector_program_action.c       | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/kerneldriver/cases/program_action/secDetector_program_action.c b/kerneldriver/cases/program_action/secDetector_program_action.c
+index 4421e43..4f8a555 100644
+--- a/kerneldriver/cases/program_action/secDetector_program_action.c
++++ b/kerneldriver/cases/program_action/secDetector_program_action.c
+@@ -307,8 +307,9 @@ static int ptrace_attach_pre_handler(struct secDetector_workflow *wf,
+ 			 timestamp, pi->uid, pi->exe, pi->pid, pi->comm, pi->tgid, pi->ppid, pi->pcomm, pi->pgid, pi->sid, pi->nodename, pi->pns, pi->root_pns,
+ 			 "ptrace_attach", attach_task->pid, current->pid, request, addr, flags);
+ 
+-	secDetector_proc_report(&log);
++	secDetector_report(&log);
+ 	kfree(log.report_data.text);
++ 	put_common_process_info(pi);
+ 
+ 	return 0;
+ }
+@@ -335,8 +336,9 @@ static int do_pipe2_pre_handler(struct secDetector_workflow *wf,
+ 			 timestamp, pi->uid, pi->exe, pi->pid, pi->comm, pi->tgid, pi->ppid, pi->pcomm, pi->pgid, pi->sid, pi->nodename, pi->pns, pi->root_pns,
+ 			 "");
+ 
+-	secDetector_proc_report(&log);
++	secDetector_report(&log);
+ 	kfree(log.report_data.text);
++	put_common_process_info(pi);
+ 
+ 	return 0;
+ }
+-- 
+2.33.0
diff --git a/Backport-fix-system-crash-caused-by-registration-exception.patch b/Backport-fix-system-crash-caused-by-registration-exception.patch
new file mode 100644
index 0000000..1df01c6
--- /dev/null
+++ b/Backport-fix-system-crash-caused-by-registration-exception.patch
@@ -0,0 +1,85 @@
+From 4b28444ed29d730de3b2e145dbd43d9d508deb41 Mon Sep 17 00:00:00 2001
+From: yieux <yangxy79315@sina.com>
+Date: Thu, 23 Nov 2023 14:40:02 +0800
+Subject: fix system crash caused by registration exception
+
+---
+ .../core/analyze_unit/secDetector_analyze.c     |  1 +
+ kerneldriver/core/secDetector_manager.c         | 17 +++++++++++++----
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/kerneldriver/core/analyze_unit/secDetector_analyze.c b/kerneldriver/core/analyze_unit/secDetector_analyze.c
+index 688a5e0..226e245 100644
+--- a/kerneldriver/core/analyze_unit/secDetector_analyze.c
++++ b/kerneldriver/core/analyze_unit/secDetector_analyze.c
+@@ -17,6 +17,7 @@ analyze_func_t analyze_units[NR_ANALYZE] = {
+ 	[ANALYZE_PRESET_SAVE_CHECK] = analyze_save_check,
+ };
+ 
++// 不使用analyze_status_data的时候，data_type 为0，因此free_analyze_status_data不处理对应的 ANALYZE_STATUS。
+ void free_analyze_status_data(analyze_status_t *analyze_status_data)
+ {
+ 	switch (analyze_status_data->data.data_type) {
+diff --git a/kerneldriver/core/secDetector_manager.c b/kerneldriver/core/secDetector_manager.c
+index 9304877..4c88386 100644
+--- a/kerneldriver/core/secDetector_manager.c
++++ b/kerneldriver/core/secDetector_manager.c
+@@ -35,12 +35,14 @@ void secDetector_module_unregister(struct secDetector_module *module)
+ 	mutex_lock(&g_hook_list_array_mutex);
+ 	ret_id = idr_remove(&g_module_idr, (unsigned long)module->id);
+ 	if (ret_id == NULL) {
++		pr_err("[secDetector] remove module id failed\n");
+ 		goto error;
+ 	}
+ 
+ 	for (i = 0, wf = module->workflow_array; i < module->workflow_array_len;
+ 	     i++, wf++) {
+ 		if (wf == NULL) {
++			pr_err("[secDetector] invalid workflow\n");
+ 			goto error;
+ 		}
+ 		ret = delete_callback(wf);
+@@ -48,15 +50,20 @@ void secDetector_module_unregister(struct secDetector_module *module)
+ 			pr_err("[secDetector] delete callback failed, return %d\n", ret);
+ 			goto error;
+ 		}
+-		// workflow在被卸载的时候，需要释放analyze status等申请的内存,特别是使用默认的response list。
+-		free_analyze_status_data(&wf->analyze_status);
+-		if (wf->response_array_len == 0) {
++		if (wf->workflow_type == WORKFLOW_PRESET) {
++			// workflow在被卸载的时候，需要释放analyze status等申请的内存,特别是使用默认的response list。
++			free_analyze_status_data(&wf->analyze_status);
++			if (wf->response_array_len == 0) {
+ 			kfree(wf->response_array);
++			}
+ 		}
+ 	}
+ 
+ error:
+-	list_del_rcu(&module->list);
++	//secDetector_module_unregister 的执行流可能来源于 失败的register，因此module此时还未被list_add_rcu
++	if ((module->list.next != NULL) && (module->list.prev != NULL) &&
++		((module->list.next != &module->list) || (module->list.prev != &module->list)))
++		list_del_rcu(&module->list);
+ 	synchronize_rcu();
+ 	mutex_unlock(&g_hook_list_array_mutex);
+ 
+@@ -125,6 +132,7 @@ int secDetector_module_register(struct secDetector_module *module)
+ 	for (i = 0, wf = module->workflow_array; i < module->workflow_array_len;
+ 	     i++, wf++) {
+ 		if (wf == NULL) {
++			pr_err("[secDetector] invalid workflow\n");
+ 			ret = -EINVAL;
+ 			goto error;
+ 		}
+@@ -148,6 +156,7 @@ int secDetector_module_register(struct secDetector_module *module)
+ 					 param->proc_ops, param->data);
+ 		if (!param->entry) {
+ 			pr_err("[secDetector] create proc failed\n");
++			ret = -EINVAL;
+ 			goto error;
+ 		}
+ 	}
+-- 
+2.33.0
+
diff --git a/Backport-fix-the-memory-leak-in-collect-unit.patch b/Backport-fix-the-memory-leak-in-collect-unit.patch
new file mode 100644
index 0000000..b517c19
--- /dev/null
+++ b/Backport-fix-the-memory-leak-in-collect-unit.patch
@@ -0,0 +1,65 @@
+From fb0b9eeccc697b2b8935ed5a643ef30efaad19f7 Mon Sep 17 00:00:00 2001
+From: yieux <yangxy79315@sina.com>
+Date: Mon, 18 Dec 2023 09:28:15 +0800
+Subject: [PATCH] fix the memory leak in collect unit
+
+---
+ .../core/analyze_unit/secDetector_save_check.c      | 13 +++++++------
+ .../core/collect_unit/secDetector_collect.c         |  1 +
+ 2 files changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/kerneldriver/core/analyze_unit/secDetector_save_check.c b/kerneldriver/core/analyze_unit/secDetector_save_check.c
+index 0ab40ce..4a5f689 100644
+--- a/kerneldriver/core/analyze_unit/secDetector_save_check.c
++++ b/kerneldriver/core/analyze_unit/secDetector_save_check.c
+@@ -124,7 +124,7 @@ static int analyze_save_check_normal(struct list_head *collect_data_list, analyz
+ 				break;
+ 		}
+ 		if (measure_value != analyze_status_data->sc_data.data[data_index]) {
+-			pr_debug("[save_check]%s: original: %lld; now: %lld.!\n",
++			pr_warn("[save_check]%s: original: %llu; now: %llu.!\n",
+ 					cd->name, analyze_status_data->sc_data.data[data_index], measure_value);
+ 			response_arrays[response_array_index] = kzalloc(strlen(cd->name) + REPORT_MORE_CHAR_LEN, GFP_KERNEL);
+ 			if (response_arrays[response_array_index] == NULL) {
+@@ -136,13 +136,13 @@ static int analyze_save_check_normal(struct list_head *collect_data_list, analyz
+ 			strcpy(response_arrays[response_array_index], " secswitch_name=");
+ 			//应该有 workflow的名字
+ 			strncat(response_arrays[response_array_index], cd->name, strlen(cd->name));
+-			strcat(response_arrays[response_array_index]," old_value=");
+-			sprintf(int_str, "%lld", analyze_status_data->sc_data.data[data_index]);
++			strcat(response_arrays[response_array_index], " old_value=");
++			sprintf(int_str, "%llu", analyze_status_data->sc_data.data[data_index]);
+ 			strncat(response_arrays[response_array_index], int_str, strlen(int_str));
+-			strcat(response_arrays[response_array_index]," new_value=");
+-			sprintf(int_str, "%lld", measure_value);
++			strcat(response_arrays[response_array_index], " new_value=");
++			sprintf(int_str, "%llu", measure_value);
+ 			strncat(response_arrays[response_array_index], int_str, strlen(int_str));
+-			strcat(response_arrays[response_array_index],".\n");
++			strcat(response_arrays[response_array_index], ".");
+ 
+ 			response_data_char_len += strlen(response_arrays[response_array_index]);
+ 			ret = RESPONSE_REPORT;
+@@ -168,6 +168,7 @@ static int analyze_save_check_normal(struct list_head *collect_data_list, analyz
+ 		}
+ 		for (i = 0; i < response_array_index; i++)
+ 			strncat(response_data->report_data.text, response_arrays[i], strlen(response_arrays[i]));
++		strcat(response_data->report_data.text, "\n");
+ 	}
+ end:
+ 	for (i = 0; i < response_array_index; i++)
+diff --git a/kerneldriver/core/collect_unit/secDetector_collect.c b/kerneldriver/core/collect_unit/secDetector_collect.c
+index c04dd33..2240577 100644
+--- a/kerneldriver/core/collect_unit/secDetector_collect.c
++++ b/kerneldriver/core/collect_unit/secDetector_collect.c
+@@ -32,6 +32,7 @@ struct collect_data *init_collect_data(const char *name)
+ 	cd->name = kmalloc(nl + 1, GFP_KERNEL);
+ 	if (cd->name == NULL) {
+ 		pr_err("kmalloc failed");
++		kfree(cd);
+ 		return NULL;
+ 	}
+ 	strncpy(cd->name, name, nl);
+-- 
+2.33.0
+
diff --git a/Backport-fix-timestamp-memleak.patch b/Backport-fix-timestamp-memleak.patch
new file mode 100644
index 0000000..474ab9b
--- /dev/null
+++ b/Backport-fix-timestamp-memleak.patch
@@ -0,0 +1,35 @@
+From 859b4a40626e870f83dda00e2e3ba40bf0558224 Mon Sep 17 00:00:00 2001
+From: hurricane618 <hurricane618@hotmail.com>
+Date: Thu, 30 Nov 2023 11:31:24 +0800
+Subject: [PATCH 2/6] fix timestamp memleak
+
+timestamp need to free in error process
+
+Signed-off-by: hurricane618 <hurricane618@hotmail.com>
+---
+ kerneldriver/cases/program_action/secDetector_program_action.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kerneldriver/cases/program_action/secDetector_program_action.c b/kerneldriver/cases/program_action/secDetector_program_action.c
+index 504a36d..1f0749a 100644
+--- a/kerneldriver/cases/program_action/secDetector_program_action.c
++++ b/kerneldriver/cases/program_action/secDetector_program_action.c
+@@ -268,6 +268,7 @@ static int ptrace_attach_pre_handler(struct secDetector_workflow *wf,
+ 	log.report_data.text = kzalloc(BUF_SIZE, GFP_ATOMIC);
+ 	if (!log.report_data.text) {
+ 		pr_err("log.report_data.text kzalloc failed!\n");
++		kfree(timestamp);
+ 		return 0;
+ 	}
+ 	snprintf(log.report_data.text, BUF_SIZE,
+@@ -302,6 +303,7 @@ static int do_pipe2_pre_handler(struct secDetector_workflow *wf,
+ 	log.report_data.text = kzalloc(BUF_SIZE, GFP_ATOMIC);
+ 	if (!log.report_data.text) {
+ 		pr_err("log.report_data.text kzalloc failed!\n");
++		kfree(timestamp);
+ 		return 0;
+ 	}
+ 	snprintf(log.report_data.text, BUF_SIZE,
+-- 
+2.33.0
+
diff --git a/Backport-grpc-fix-coredump-in-Publish.patch b/Backport-grpc-fix-coredump-in-Publish.patch
new file mode 100644
index 0000000..0c4b563
--- /dev/null
+++ b/Backport-grpc-fix-coredump-in-Publish.patch
@@ -0,0 +1,265 @@
+From 8dd0f6984ef002e30f3d7aa133a1a439fc5d0f95 Mon Sep 17 00:00:00 2001
+From: chenjingwen <lhchenjw@gmail.com>
+Date: Thu, 14 Dec 2023 21:55:10 +0800
+Subject: [PATCH] grpc: fix coredump in Publish
+
+fix coredump in Publish
+
+Signed-off-by: chenjingwen <lhchenjw@gmail.com>
+---
+ observer_agent/grpc_comm/server.cpp | 165 +++++++++++-----------------
+ 1 file changed, 62 insertions(+), 103 deletions(-)
+
+diff --git a/observer_agent/grpc_comm/server.cpp b/observer_agent/grpc_comm/server.cpp
+index 938d09c..b858853 100644
+--- a/observer_agent/grpc_comm/server.cpp
++++ b/observer_agent/grpc_comm/server.cpp
+@@ -33,16 +33,21 @@ using grpc::ServerWriter;
+ 
+ static bool killed = false;
+ 
++class Subscribers {
++public:
++    int topic;
++    ServerWriter<Message> *writer;
++
++    Subscribers(int t, ServerWriter<Message> *w) : topic(t), writer(w) {}
++    Subscribers() : topic(0), writer(nullptr) {}
++};
++
+ class PubSubServiceImpl final : public SubManager::Service
+ {
+   public:
+     void CloseAllConnection(void)
+     {
+-	std::lock_guard<std::mutex> lk(wait_mutex);
+-
+-        for (int i = 0; i < MAX_CONNECTION; i++) {
+-            connect_status[i] = false;
+-	}
++        std::lock_guard<std::mutex> lk(wait_mutex);
+ 
+         killed = true;
+         cv.notify_all();
+@@ -55,50 +60,21 @@ class PubSubServiceImpl final : public SubManager::Service
+         std::string cli_name = request->sub_name();
+         Message msg;
+         Message keepalive_msg;
+-        int i = 0, tmp_index;
+ 
++        sub_mutex.lock();
+         if (connection_num >= MAX_CONNECTION) {
+             msg.set_text("over max connection number!");
+-            if (!writer->Write(msg))
+-            {
+-                std::cerr << "Failed to write the initial message" << std::endl;
+-                return grpc::Status(grpc::StatusCode::INTERNAL, "Failed to write the message");
+-            }
+-            return grpc::Status(grpc::StatusCode::INTERNAL, "over max connection number, Failed to Subscribe the topic");
+-        }
+-
+-        for (auto iter = suber_topic_[cli_name].begin(); iter != suber_topic_[cli_name].end(); iter++)
+-        {
+-            if ((*iter & cli_topic) != 0)
+-            {
+-                msg.set_text("this client name already subscribe the topic");
+-                if (!writer->Write(msg))
+-                {
+-                    std::cerr << "Failed to write the initial message" << std::endl;
+-                    return grpc::Status(grpc::StatusCode::INTERNAL, "Failed to write the message");
+-                }
+-                return grpc::Status(grpc::StatusCode::INTERNAL, "this client name already subscribe the topic");
+-            }
+-        }
+-
+-        sub_mutex.lock();
+-
+-        for (tmp_index = 0; tmp_index <  MAX_CONNECTION; tmp_index++)
+-        {
+-            if (!connect_status[tmp_index])
+-                break;
++            writer->Write(msg);
++            sub_mutex.unlock();
++            return grpc::Status(grpc::StatusCode::INTERNAL, "over max connection number");
+         }
+ 
+-        if (tmp_index == MAX_CONNECTION)
+-        {
++        auto iter = suber_topic_.find(cli_name);
++        if (iter != suber_topic_.end()) {
++            msg.set_text("this client name already subscribe the topic");
++            writer->Write(msg);
+             sub_mutex.unlock();
+-            msg.set_text("multi-process max connection number!");
+-            if (!writer->Write(msg))
+-            {
+-                std::cerr << "Failed to write the initial message" << std::endl;
+-                return grpc::Status(grpc::StatusCode::INTERNAL, "Failed to write the message");
+-            }
+-            return grpc::Status(grpc::StatusCode::INTERNAL, "multi-process max connection number, Failed to Subscribe the topic");
++            return grpc::Status(grpc::StatusCode::INTERNAL, "this client name already subscribe the topic");
+         }
+ 
+         msg.set_text("topic: " + std::to_string(cli_topic) + " Subscribe success!");
+@@ -109,65 +85,50 @@ class PubSubServiceImpl final : public SubManager::Service
+             return grpc::Status(grpc::StatusCode::INTERNAL, "Failed to write the message");
+         }
+ 
+-        suber_topic_[cli_name].push_back(cli_topic);
+-        suber_writer_[cli_name].push_back(writer);
+-        suber_connection_[cli_name].push_back(tmp_index);
+-        connect_status[tmp_index] = true;
++        std::cout << "Subscribe " << cli_name << " ok" << std::endl;
++        suber_topic_[cli_name] = Subscribers(cli_topic, writer);
+         connection_num++;
+-
+         sub_mutex.unlock();
+ 
+-        keepalive_msg.set_text("keepalive");
+-        while (connect_status[tmp_index])
++        /* loop until connot write */
++        while (!killed)
+         {
+-            if (!writer->Write(keepalive_msg))
+-            {
+-                for (auto topic_item : suber_topic_[cli_name])
+-                {
+-                    if (topic_item == cli_topic)
+-                    {
+-                        sub_mutex.lock();
+-                        suber_topic_[cli_name].erase(suber_topic_[cli_name].begin() + i);
+-                        suber_writer_[cli_name].erase(suber_writer_[cli_name].begin() + i);
+-                        connect_status[suber_connection_[cli_name].at(i)] = false;
+-                        suber_connection_[cli_name].erase(suber_connection_[cli_name].begin() + i);
+-                        connection_num--;
+-                        sub_mutex.unlock();
+-                        break;
+-                    }
+-                    i++;
+-                }
++            sub_mutex.lock();
++            if (suber_topic_.count(cli_name) == 0) {
++                sub_mutex.unlock();
++                return grpc::Status::OK;
++            }
++
++            keepalive_msg.set_text("keepalive");
++            if (!writer->Write(keepalive_msg)) {
++                DeleteSubscriberByCliName(cli_name);
++                sub_mutex.unlock();
+                 return grpc::Status(grpc::StatusCode::INTERNAL, "writer is lose!");
+             }
++            sub_mutex.unlock();
+             WaitKeeplive();
+         }
++
++        std::cout << cli_name << " is dead" << std::endl;
+         return grpc::Status::OK;
+     }
+ 
+     grpc::Status Publish(ServerContext *context, const PublishRequest *request, Message *response) override
+     {
++        std::lock_guard<std::mutex> lock(sub_mutex);
+         int cli_topic = request->topic();
+         std::string cli_data = request->data();
+-        int i = 0;
+         Message msg;
+         msg.set_text(cli_data);
+ 
+         for (auto iter = suber_topic_.begin(); iter != suber_topic_.end(); iter++)
+         {
+-            i = 0;
+-            for (auto topic_item : iter->second)
+-            {
+-                if ((topic_item & cli_topic) != 0)
+-                {
+-                    auto &subscriber = suber_writer_[iter->first][i];
+-                    if (!subscriber->Write(msg))
+-                    {
+-                        std::cerr << "Failed to write to a subscriber" << std::endl;
+-                        return grpc::Status(grpc::StatusCode::INTERNAL, "Failed to write the message");
+-                    }
+-                    break;
++            Subscribers subscriber = iter->second;
++            if ((subscriber.topic & cli_topic) != 0) {
++                if (!subscriber.writer->Write(msg)) {
++                    std::cerr << "Failed to write to a subscriber: " << iter->first << std::endl;
++                    return grpc::Status(grpc::StatusCode::INTERNAL, "Failed to write the message");
+                 }
+-                i++;
+             }
+         }
+ 
+@@ -177,8 +138,7 @@ class PubSubServiceImpl final : public SubManager::Service
+     grpc::Status UnSubscribe(ServerContext *context, const UnSubscribeRequest *request, Message *response) override
+     {
+         std::string cli_name = request->sub_name();
+-        int i = 0;
+-        int unsub_flag = 0;
++        std::lock_guard<std::mutex> lock(sub_mutex);
+ 
+         if (connection_num <= 0) {
+             response->set_text("connection_num <= 0, don't UnSubscribe!");
+@@ -186,20 +146,7 @@ class PubSubServiceImpl final : public SubManager::Service
+             return grpc::Status(grpc::StatusCode::INTERNAL, "connection_num <= 0, Failed to UnSubscribe topic!");
+         }
+ 
+-        std::lock_guard<std::mutex> lock(sub_mutex);
+-
+-        std::unordered_map<std::string, std::vector<int>>::iterator iter = suber_topic_.find(cli_name);
+-        if (iter != suber_topic_.end())
+-        {
+-            suber_topic_[cli_name].erase(suber_topic_[cli_name].begin() + i);
+-            suber_writer_[cli_name].erase(suber_writer_[cli_name].begin() + i);
+-            connect_status[suber_connection_[cli_name].at(i)] = false;
+-            suber_connection_[cli_name].erase(suber_connection_[cli_name].begin() + i);
+-            connection_num--;
+-            unsub_flag = 1;
+-        }
+-
+-        if (!unsub_flag)
++        if (!DeleteSubscriberByCliName(cli_name))
+         {
+             response->set_text("don't exist the reader");
+             return grpc::Status(grpc::StatusCode::INTERNAL, "Failed to UnSubscribe reader!");
+@@ -209,19 +156,31 @@ class PubSubServiceImpl final : public SubManager::Service
+     }
+ 
+   private:
+-    std::unordered_map<std::string, std::vector<int>> suber_topic_;
+-    std::unordered_map<std::string, std::vector<ServerWriter<Message> *>> suber_writer_;
+-    std::unordered_map<std::string, std::vector<int>> suber_connection_;
++    std::unordered_map<std::string, Subscribers> suber_topic_;
+     std::mutex sub_mutex;
+     std::mutex wait_mutex;
+     std::condition_variable cv;
+     int connection_num = 0;
+-    bool connect_status[MAX_CONNECTION] = {false};
+ 
+     void WaitKeeplive(void)
+     {
+-	std::unique_lock<std::mutex> lk(wait_mutex);
+-	cv.wait_for(lk, std::chrono::seconds(CHECK_TIME), []{ return killed; });
++        std::unique_lock<std::mutex> lk(wait_mutex);
++        cv.wait_for(lk, std::chrono::seconds(CHECK_TIME), []{ return killed; });
++    }
++
++    /* Must called with sub_mutex */
++    bool DeleteSubscriberByCliName(std::string &cli_name)
++    {
++        bool exist = false;
++        std::cout << "UnSubscribe " << cli_name << " ok" << std::endl;
++
++        auto it = suber_topic_.find(cli_name);
++        if (it != suber_topic_.end()) {
++            suber_topic_.erase(it);
++            connection_num--;
++            exist = true;
++        }
++        return exist;
+     }
+ };
+ 
+-- 
+2.33.0
+
diff --git a/Backport-lib-modify-for-unsub.patch b/Backport-lib-modify-for-unsub.patch
new file mode 100644
index 0000000..309c5da
--- /dev/null
+++ b/Backport-lib-modify-for-unsub.patch
@@ -0,0 +1,120 @@
+From d9a4c1cf011ab3d26b88229b5072ebbf6017893a Mon Sep 17 00:00:00 2001
+From: zgzxx <zhangguangzhi3@huawei.com>
+Date: Fri, 1 Dec 2023 17:36:11 +0800
+Subject: [PATCH 4/6] lib modify for unsub
+
+---
+ examples/python/client.py           | 10 ++++++----
+ lib/secDetector_sdk.cpp             | 19 +++++++++++++------
+ observer_agent/grpc_comm/server.cpp |  2 +-
+ 3 files changed, 20 insertions(+), 11 deletions(-)
+
+diff --git a/examples/python/client.py b/examples/python/client.py
+index d6dd7aa..312384d 100644
+--- a/examples/python/client.py
++++ b/examples/python/client.py
+@@ -36,9 +36,11 @@ secDetectorsdklib.secUnsub.restype = None
+ secDetectorsdklib.secReadFrom.argtypes = [ctypes.c_void_p, ctypes.c_char_p, ctypes.c_int]
+ secDetectorsdklib.secReadFrom.restype = None
+ 
++g_read_flag = True
+ 
+ def thread_func_sub_and_read(num=0):
+     global g_cli_reader
++    global g_read_flag
+ 
+     cli_reader = secDetectorsdklib.secSub(1)
+     g_cli_reader_lock.acquire()
+@@ -50,10 +52,7 @@ def thread_func_sub_and_read(num=0):
+     secDetectorsdklib.secReadFrom(cli_reader, data, data_len)
+     print("client read data:{}".format(data.value.decode()))
+ 
+-    while True:
+-        if data.value.decode() == 'end':
+-            print("client received end")
+-            break
++    while g_read_flag:
+         time.sleep(3)
+         secDetectorsdklib.secReadFrom(cli_reader, data, data_len)
+         print("client while read data:{}".format(data.value.decode()))
+@@ -62,8 +61,11 @@ def thread_func_sub_and_read(num=0):
+ 
+ def thread_func_unsub(num=0):
+     global g_cli_reader
++    global g_read_flag
++
+     g_cli_reader_lock.acquire()
+     try:
++        g_read_flag = False
+         secDetectorsdklib.secUnsub(1, g_cli_reader)
+     finally:
+         g_cli_reader_lock.release()
+diff --git a/lib/secDetector_sdk.cpp b/lib/secDetector_sdk.cpp
+index ee76079..847dd2f 100644
+--- a/lib/secDetector_sdk.cpp
++++ b/lib/secDetector_sdk.cpp
+@@ -55,14 +55,14 @@ void secUnsub(const int topic, void *reader)
+ 	}
+ 
+ 	if (!reader)
+-                return;
++		return;
+ 
+-	g_client.Publish(topic, "end");
+ 	g_client.UnSubscribe(topic);
+ 	
+ 	Readmap::iterator iter = g_reader_map.find(reader);
+ 	if (iter != g_reader_map.end()) {
+ 		g_reader_map.erase(iter);
++		reader = NULL;
+ 	}
+ }
+ 
+@@ -70,13 +70,20 @@ void secReadFrom(void *reader, char *data, int data_len)
+ {
+ 	string msg("");
+ 
+-        if (!reader || !data || data_len <= 1)
+-                return;
++	if (!data || data_len <= 1)
++		return
++
++	memset(data, 0, data_len);
++
++	if (!reader)
++		return;
+ 
+ 	Readmap::iterator iter = g_reader_map.find(reader);
+-        if (iter != g_reader_map.end()) {
++	if (iter != g_reader_map.end()) {
+ 		msg = g_client.ReadFrom(iter->second);
+-        }
++		if (msg == "keepalive")
++			return;
++	}
+ 
+ 	strncpy(data, msg.c_str(), data_len - 1);
+ }
+diff --git a/observer_agent/grpc_comm/server.cpp b/observer_agent/grpc_comm/server.cpp
+index 54ae66f..3340dfa 100644
+--- a/observer_agent/grpc_comm/server.cpp
++++ b/observer_agent/grpc_comm/server.cpp
+@@ -104,7 +104,6 @@ class PubSubServiceImpl final : public SubManager::Service
+         keepalive_msg.set_text("keepalive");
+         while (connect_status[tmp_index])
+         {
+-            sleep(CHECK_TIME);
+             if (!writer->Write(keepalive_msg))
+             {
+                 for (auto topic_item : suber_topic_[cli_name])
+@@ -124,6 +123,7 @@ class PubSubServiceImpl final : public SubManager::Service
+                 }
+                 return grpc::Status(grpc::StatusCode::INTERNAL, "writer is lose!");
+             }
++            sleep(CHECK_TIME);
+         }
+         return grpc::Status::OK;
+     }
+-- 
+2.33.0
+
diff --git a/Backport-modify-for-code-review.patch b/Backport-modify-for-code-review.patch
new file mode 100644
index 0000000..9af6b5d
--- /dev/null
+++ b/Backport-modify-for-code-review.patch
@@ -0,0 +1,224 @@
+From ea375b56fb92a954fcf16901773b3b8442128a5c Mon Sep 17 00:00:00 2001
+From: zgzxx <zhangguangzhi3@huawei.com>
+Date: Wed, 13 Dec 2023 15:34:53 +0800
+Subject: [PATCH 2/4] modify for code review
+
+---
+ .../cases/file_block/secDetector_file_block.c    | 16 ++++++++--------
+ .../secDetector_kmodule_baseline.c               |  5 ++++-
+ .../secDetector_mc_kmodule_baseline.c            |  4 ++--
+ .../cases/task_block/secDetector_task_block.c    | 16 ++++++++--------
+ .../core/analyze_unit/secDetector_analyze.c      |  4 ++--
+ kerneldriver/core/secDetector_manager.c          |  4 +++-
+ lib/secDetector_sdk.cpp                          |  6 +++---
+ 7 files changed, 30 insertions(+), 25 deletions(-)
+
+diff --git a/kerneldriver/cases/file_block/secDetector_file_block.c b/kerneldriver/cases/file_block/secDetector_file_block.c
+index 7e0963d..b4972ee 100644
+--- a/kerneldriver/cases/file_block/secDetector_file_block.c
++++ b/kerneldriver/cases/file_block/secDetector_file_block.c
+@@ -35,7 +35,7 @@ static int file_write_check(struct secDetector_workflow *wf, struct file *file)
+ 	char *pathname = NULL;
+ 	response_data_t log;
+ 	bool matched = false;
+-	struct file_block_rules_item *item;
++	struct file_block_rules_item *item = NULL;
+ 	int ret = 0;
+ 
+ 	buf = kzalloc(BUF_SIZE, GFP_ATOMIC);
+@@ -87,7 +87,7 @@ static struct secDetector_workflow workflow_array[] = {
+ 
+ static int proc_show(struct seq_file *m, void *v)
+ {
+-	struct file_block_rules_item *item;
++	struct file_block_rules_item *item = NULL;
+ 
+ 	mutex_lock(&rules_mutex);
+ 	list_for_each_entry (item, &file_block_rule_list, list) {
+@@ -104,8 +104,8 @@ static int proc_open(struct inode *inode, struct file *file)
+ 
+ static void clear_file_rule_list(void)
+ {
+-	struct file_block_rules_item *item;
+-	struct file_block_rules_item *tmp;
++	struct file_block_rules_item *item = NULL;
++	struct file_block_rules_item *tmp = NULL;
+ 
+ 	mutex_lock(&rules_mutex);
+ 	list_for_each_entry_safe (item, tmp, &file_block_rule_list, list) {
+@@ -121,10 +121,10 @@ static void clear_file_rule_list(void)
+ static ssize_t proc_write(struct file *file, const char __user *buffer,
+ 			  size_t len, loff_t *offset)
+ {
+-	char *data;
+-	char *str;
+-	char *rule;
+-	struct file_block_rules_item *item;
++	char *data = NULL;
++	char *str = NULL;
++	char *rule = NULL;
++	struct file_block_rules_item *item = NULL;
+ 	ssize_t r = -EINVAL;
+ 
+ 	data = memdup_user_nul(buffer, len);
+diff --git a/kerneldriver/cases/kmodule_baseline/secDetector_kmodule_baseline.c b/kerneldriver/cases/kmodule_baseline/secDetector_kmodule_baseline.c
+index 85411c0..4f59c14 100644
+--- a/kerneldriver/cases/kmodule_baseline/secDetector_kmodule_baseline.c
++++ b/kerneldriver/cases/kmodule_baseline/secDetector_kmodule_baseline.c
+@@ -17,7 +17,10 @@ DEFINE_MUTEX(case_kmodule_mutex);
+ 
+ static void check_watching_kmodule(void)
+ {
+-        mutex_lock(&case_kmodule_mutex);
++	if (mutex_trylock(&case_kmodule_mutex) == 0) {
++		pr_warn("[secDetector case kmodule baseline] check cann't getlock, ret\n");
++		return;
++	}
+         check_kmodule_baseline();
+         mutex_unlock(&case_kmodule_mutex);
+ }
+diff --git a/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c b/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c
+index cff1ff5..9a051ca 100644
+--- a/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c
++++ b/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c
+@@ -43,7 +43,7 @@ static int add_kmodule_baseline_name(const char *name)
+ 		return -1;
+ 	}
+ 
+-	name_len = strlen(name) < NAME_LEN ? strlen(name) : NAME_LEN;		
++	name_len = strlen(name) < NAME_LEN ? strlen(name) : NAME_LEN - 1;
+ 	memcpy(module->module_name, name, name_len);
+ 	list_add(&module->list, &chkrkatt_module_list);
+ 	return 0;
+@@ -86,7 +86,7 @@ static void report_kmodule_baseline(void)
+ 	list_for_each_entry_safe(get_module_name, get_module_name_next, &chkrkatt_module_list, list) {
+ 		if (get_module_name != NULL && get_module_name_next != NULL) {
+ 			/* 2: ', ' */
+-			if(sizeof(module_name_all) + sizeof(get_module_name->module_name) < NAME_LEN - 2 - header_msg_len) {
++			if(strlen(module_name_all) + strlen(get_module_name->module_name) < NAME_LEN - 2 - header_msg_len) {
+ 				strcat(module_name_all, get_module_name->module_name);
+ 				strcat(module_name_all, strtmp);
+ 			}
+diff --git a/kerneldriver/cases/task_block/secDetector_task_block.c b/kerneldriver/cases/task_block/secDetector_task_block.c
+index 94859e4..a46c5f5 100644
+--- a/kerneldriver/cases/task_block/secDetector_task_block.c
++++ b/kerneldriver/cases/task_block/secDetector_task_block.c
+@@ -37,7 +37,7 @@ static int task_bprm_check(struct secDetector_workflow *wf,
+ 	char *pathname = NULL;
+ 	response_data_t log;
+ 	bool matched = false;
+-	struct task_block_rules_item *item;
++	struct task_block_rules_item *item = NULL;
+ 	int ret = 0;
+ 
+ 	buf = kzalloc(BUF_SIZE, GFP_ATOMIC);
+@@ -88,7 +88,7 @@ static struct secDetector_workflow workflow_array[] = {
+ 
+ static int proc_show(struct seq_file *m, void *v)
+ {
+-	struct task_block_rules_item *item;
++	struct task_block_rules_item *item = NULL;
+ 
+ 	mutex_lock(&rules_mutex);
+ 	list_for_each_entry (item, &task_block_rule_list, list) {
+@@ -105,8 +105,8 @@ static int proc_open(struct inode *inode, struct file *file)
+ 
+ static void clear_task_rule_list(void)
+ {
+-	struct task_block_rules_item *item;
+-	struct task_block_rules_item *tmp;
++	struct task_block_rules_item *item = NULL;
++	struct task_block_rules_item *tmp = NULL;
+ 
+ 	mutex_lock(&rules_mutex);
+ 	list_for_each_entry_safe (item, tmp, &task_block_rule_list, list) {
+@@ -122,10 +122,10 @@ static void clear_task_rule_list(void)
+ static ssize_t proc_write(struct file *file, const char __user *buffer,
+ 			  size_t len, loff_t *offset)
+ {
+-	char *data;
+-	char *str;
+-	char *rule;
+-	struct task_block_rules_item *item;
++	char *data = NULL;
++	char *str = NULL;
++	char *rule = NULL;
++	struct task_block_rules_item *item = NULL;
+ 	ssize_t r = -EINVAL;
+ 
+ 	data = memdup_user_nul(buffer, len);
+diff --git a/kerneldriver/core/analyze_unit/secDetector_analyze.c b/kerneldriver/core/analyze_unit/secDetector_analyze.c
+index 226e245..f345412 100644
+--- a/kerneldriver/core/analyze_unit/secDetector_analyze.c
++++ b/kerneldriver/core/analyze_unit/secDetector_analyze.c
+@@ -33,7 +33,7 @@ int get_timestamp_str(char **ret_str)
+ {
+ 	struct timespec64 ts;
+ 	struct tm stm;
+-	char *stm_str;
++	char *stm_str = NULL;
+ 	int stm_str_len = 0;
+ 
+ 	ktime_get_real_ts64(&ts);
+@@ -65,4 +65,4 @@ int get_timestamp_str(char **ret_str)
+ 	kfree(stm_str);
+ 	return stm_str_len;
+ }
+-EXPORT_SYMBOL_GPL(get_timestamp_str);
+\ No newline at end of file
++EXPORT_SYMBOL_GPL(get_timestamp_str);
+diff --git a/kerneldriver/core/secDetector_manager.c b/kerneldriver/core/secDetector_manager.c
+index 4c88386..07b45d8 100644
+--- a/kerneldriver/core/secDetector_manager.c
++++ b/kerneldriver/core/secDetector_manager.c
+@@ -115,13 +115,15 @@ int secDetector_module_register(struct secDetector_module *module)
+ 	int i;
+ 	int module_id;
+ 	unsigned int callback_id = 0;
+-	struct secDetector_parameter *param = module->parameter;
++	struct secDetector_parameter *param = NULL;
+ 
+ 	if (module == NULL) {
+ 		pr_err("[secDetector] register module is null\n");
+ 		return -EINVAL;
+ 	}
+ 
++	param = module->parameter;
++
+ 	module_id = idr_alloc(&g_module_idr, module, 0, INT_MAX, GFP_KERNEL);
+ 	if (module_id < 0) {
+ 		pr_err("[secDetector] alloc module id failed\n");
+diff --git a/lib/secDetector_sdk.cpp b/lib/secDetector_sdk.cpp
+index 6b00953..a431377 100644
+--- a/lib/secDetector_sdk.cpp
++++ b/lib/secDetector_sdk.cpp
+@@ -34,7 +34,7 @@ extern "C" {
+ 
+ void *secSub(const int topic)
+ {
+-	PubSubClient *cur_client;
++	PubSubClient *cur_client = nullptr;
+ 	if (topic <= 0 || topic > ALLTOPIC) {
+ 		printf("lib secSub failed, topic:%d is error\n", topic);
+ 		return NULL;
+@@ -64,7 +64,7 @@ void *secSub(const int topic)
+ 
+ void secUnsub(void *reader)
+ {
+-	PubSubClient *cur_client;
++	PubSubClient *cur_client = nullptr;
+ 
+ 	if (!reader)
+ 		return;
+@@ -84,7 +84,7 @@ void secUnsub(void *reader)
+ void secReadFrom(void *reader, char *data, int data_len)
+ {
+ 	string msg("");
+-	PubSubClient *cur_client;
++	PubSubClient *cur_client = nullptr;
+ 
+ 	if (!data || data_len <= 1)
+ 		return
+-- 
+2.33.0
+
diff --git a/Backport-modify-for-getting-common-info-in-createfile.patch b/Backport-modify-for-getting-common-info-in-createfile.patch
new file mode 100644
index 0000000..92c43d7
--- /dev/null
+++ b/Backport-modify-for-getting-common-info-in-createfile.patch
@@ -0,0 +1,49 @@
+From 7eadc69ff955e57de06b2d9be1ad8d74f3189047 Mon Sep 17 00:00:00 2001
+From: zgzxx <zhangguangzhi3@huawei.com>
+Date: Wed, 29 Nov 2023 18:35:53 +0800
+Subject: modify for getting common info in createfile
+
+---
+ .../ebpf/file_ebpf/file_fentry.bpf.c          | 26 ++++++++++++++++++-
+ 1 file changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c b/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
+index 0b3d3ad..7afb7e2 100644
+--- a/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
++++ b/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
+@@ -117,7 +117,31 @@ int BPF_PROG(do_filp_open_exit, int dfd, struct filename *pathname, const struct
+ 		return 0;
+ 
+ 	e->type = CREATFILE;
+-	get_common_info(e);
++
++	struct task_struct *parent = NULL;
++	struct task_struct *task = NULL;
++
++	e->timestamp = bpf_ktime_get_ns();
++	e->pid = bpf_get_current_pid_tgid() >> 32;
++	e->pgid = e->tgid = bpf_get_current_pid_tgid() >> 32;
++	e->uid = bpf_get_current_uid_gid();
++	e->gid = bpf_get_current_uid_gid() >> 32;
++	bpf_get_current_comm(&e->comm, sizeof(e->comm));
++	/*
++	 * exe path is diffcult to get in ebpf, we can get it from userspace
++	 */
++	bpf_get_current_comm(&e->exe, sizeof(e->exe));
++
++	task = (struct task_struct *)bpf_get_current_task();
++	parent = (struct task_struct *)BPF_CORE_READ(task, real_parent);
++
++	e->ppid = BPF_CORE_READ(parent, pid);
++	e->sid = get_task_sid(task);
++	e->pns = BPF_CORE_READ(pid_ns(task), ns.inum);
++	e->root_pns = BPF_CORE_READ(pid_ns(find_init_task()), ns.inum);
++	BPF_CORE_READ_INTO(&e->pcomm, parent, real_parent, comm);
++	BPF_CORE_READ_INTO(&e->nodename, task, nsproxy, uts_ns, name.nodename);
++	//get_common_info(e);
+ 	__builtin_memcpy(e->event_name, "createfile", sizeof("createfile"));
+ 	bpf_probe_read(e->file_info.filename, MAX_TEXT_SIZE, pathname->name);
+ 	bpf_ringbuf_submit(e, 0);
+-- 
+2.33.0
+
diff --git a/Backport-modify-for-multiple-sub-in-the-same-process.patch b/Backport-modify-for-multiple-sub-in-the-same-process.patch
new file mode 100644
index 0000000..02cc80c
--- /dev/null
+++ b/Backport-modify-for-multiple-sub-in-the-same-process.patch
@@ -0,0 +1,178 @@
+From 511ad1d3ce2c9e44621c9b508b3e44d3d5098f0e Mon Sep 17 00:00:00 2001
+From: zgzxx <zhangguangzhi3@huawei.com>
+Date: Mon, 4 Dec 2023 15:31:22 +0800
+Subject: [PATCH 6/6] modify for multiple sub in the same process
+
+---
+ lib/secDetector_sdk.cpp             | 54 +++++++++++++++++++++--------
+ observer_agent/grpc_comm/client.cpp | 12 +++++++
+ observer_agent/grpc_comm/grpc_api.h |  2 ++
+ 3 files changed, 53 insertions(+), 15 deletions(-)
+
+diff --git a/lib/secDetector_sdk.cpp b/lib/secDetector_sdk.cpp
+index 847dd2f..6f47f41 100644
+--- a/lib/secDetector_sdk.cpp
++++ b/lib/secDetector_sdk.cpp
+@@ -16,15 +16,17 @@
+ 
+ #include <string>
+ #include <iostream>
++#include <list>
++#include <mutex>
+ #include "../observer_agent/grpc_comm/grpc_api.h"
+ 
+ #define ALLTOPIC 0x00FFFFFF
+ using namespace std;
+ static string server_address("unix:///var/run/secDetector.sock");
+-static PubSubClient g_client(grpc::CreateChannel(server_address, grpc::InsecureChannelCredentials()));
+ 
+-using Readmap = map<void *, unique_ptr<ClientReader<Message>>>;
++using Readmap = map<void *, std::pair<unique_ptr<ClientReader<Message>>, PubSubClient *>>;
+ static Readmap g_reader_map;
++static mutex g_connect_mtx;
+ 
+ #ifdef __cplusplus
+ extern "C" {
+@@ -32,60 +34,82 @@ extern "C" {
+ 
+ void *secSub(const int topic)
+ {
++	PubSubClient *cur_client;
+ 	if (topic <= 0 || topic > ALLTOPIC) {
+-		printf("secSub failed, topic:%d is error\n", topic);
++		printf("lib secSub failed, topic:%d is error\n", topic);
+ 		return NULL;
+ 	}
++	g_connect_mtx.lock();
++	std::shared_ptr<Channel> channel = grpc::CreateChannel(server_address, grpc::InsecureChannelCredentials());
++	cur_client = new(PubSubClient);
++	if (cur_client == nullptr) {
++		g_connect_mtx.unlock();
++		return NULL;
++	}
++	cur_client->init(channel);
++	unique_ptr<ClientReader<Message>> reader = cur_client->Subscribe(topic);
+ 
+-	unique_ptr<ClientReader<Message>> reader = g_client.Subscribe(topic);
+-
+-	if (!reader)
++	if (!reader) {
++		printf("lib secSub failed, get reader null\n");
++		delete cur_client;
++		g_connect_mtx.unlock();
+ 		return NULL;
++	}
+ 	void * ret_reader = static_cast<void *>(reader.get());
+ 
+-	g_reader_map.insert(Readmap::value_type(ret_reader, move(reader)));
++	g_reader_map.insert(Readmap::value_type(ret_reader, std::make_pair(move(reader), cur_client)));
++	g_connect_mtx.unlock();
+ 	return ret_reader;
+ }
+ 
+ void secUnsub(const int topic, void *reader)
+ {
++	PubSubClient *cur_client;
+ 	if (topic <= 0 || topic > ALLTOPIC) {
+-		printf("secUnsub failed, topic:%d is error\n", topic);
++		printf("lib secUnsub failed, topic:%d is error\n", topic);
+ 		return;
+ 	}
+ 
+ 	if (!reader)
+ 		return;
+ 
+-	g_client.UnSubscribe(topic);
+-	
++	g_connect_mtx.lock();
+ 	Readmap::iterator iter = g_reader_map.find(reader);
+ 	if (iter != g_reader_map.end()) {
++		cur_client = iter->second.second;
++		cur_client->UnSubscribe(topic);
+ 		g_reader_map.erase(iter);
+ 		reader = NULL;
++		delete cur_client;
+ 	}
++	g_connect_mtx.unlock();
+ }
+ 
+ void secReadFrom(void *reader, char *data, int data_len)
+ {
+ 	string msg("");
++	PubSubClient *cur_client;
+ 
+ 	if (!data || data_len <= 1)
+ 		return
+ 
+-	memset(data, 0, data_len);
++	(void)memset(data, 0, data_len);
+ 
+ 	if (!reader)
+ 		return;
+ 
++	g_connect_mtx.lock();
+ 	Readmap::iterator iter = g_reader_map.find(reader);
+ 	if (iter != g_reader_map.end()) {
+-		msg = g_client.ReadFrom(iter->second);
+-		if (msg == "keepalive")
++		cur_client = iter->second.second;
++		msg = cur_client->ReadFrom(iter->second.first);
++		if (msg == "keepalive") {
++			g_connect_mtx.unlock();
+ 			return;
++		}
++		strncpy(data, msg.c_str(), data_len - 1);
+ 	}
+-
+-	strncpy(data, msg.c_str(), data_len - 1);
++	g_connect_mtx.unlock();
+ }
+ 
+ #ifdef __cplusplus
+diff --git a/observer_agent/grpc_comm/client.cpp b/observer_agent/grpc_comm/client.cpp
+index ecb54ae..d4b0948 100644
+--- a/observer_agent/grpc_comm/client.cpp
++++ b/observer_agent/grpc_comm/client.cpp
+@@ -29,6 +29,8 @@ using grpc::ClientReader;
+ 
+ #define BUF_NUM 1024
+ 
++PubSubClient::PubSubClient() {}
++
+ PubSubClient::PubSubClient(std::shared_ptr<Channel> channel) : stub_(SubManager::NewStub(channel))
+ {
+     uuid_t uuid;
+@@ -38,6 +40,16 @@ PubSubClient::PubSubClient(std::shared_ptr<Channel> channel) : stub_(SubManager:
+     uuid_str = std::string(uuid_temp);
+ }
+ 
++void PubSubClient::init(std::shared_ptr<Channel> channel)
++{
++    uuid_t uuid;
++    char uuid_temp[37];
++    uuid_generate(uuid);
++    uuid_unparse(uuid, uuid_temp);
++    uuid_str = std::string(uuid_temp);
++    stub_ = SubManager::NewStub(channel);
++}
++
+ std::unique_ptr<ClientReader<Message>> PubSubClient::Subscribe(const int topic)
+ {
+     SubscribeRequest request;
+diff --git a/observer_agent/grpc_comm/grpc_api.h b/observer_agent/grpc_comm/grpc_api.h
+index 44d4aa9..4bde109 100644
+--- a/observer_agent/grpc_comm/grpc_api.h
++++ b/observer_agent/grpc_comm/grpc_api.h
+@@ -42,7 +42,9 @@ void RunServer();
+ class PubSubClient
+ {
+   public:
++    PubSubClient();
+     PubSubClient(std::shared_ptr<Channel> channel);
++    void init(std::shared_ptr<Channel> channel);
+     std::unique_ptr<ClientReader<Message>> Subscribe(const int topic);
+     void Publish(const int topic, const std::string &content);
+     void UnSubscribe(const int topic);
+-- 
+2.33.0
+
diff --git a/Backport-modify-for-secReadFrom-error.patch b/Backport-modify-for-secReadFrom-error.patch
new file mode 100644
index 0000000..e1b3b1b
--- /dev/null
+++ b/Backport-modify-for-secReadFrom-error.patch
@@ -0,0 +1,29 @@
+From 2ed3096cab89564b1e7b95318260517b51573709 Mon Sep 17 00:00:00 2001
+From: zgzxx <zhangguangzhi3@huawei.com>
+Date: Thu, 14 Dec 2023 18:21:30 +0800
+Subject: [PATCH 3/4] modify for secReadFrom error
+
+---
+ lib/secDetector_sdk.cpp | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/lib/secDetector_sdk.cpp b/lib/secDetector_sdk.cpp
+index a431377..5bc189e 100644
+--- a/lib/secDetector_sdk.cpp
++++ b/lib/secDetector_sdk.cpp
+@@ -86,8 +86,10 @@ void secReadFrom(void *reader, char *data, int data_len)
+ 	string msg("");
+ 	PubSubClient *cur_client = nullptr;
+ 
+-	if (!data || data_len <= 1)
+-		return
++	if (!data || data_len <= 1) {
++		printf("lib secReadFrom data or data_len error\n");
++		return;
++	}
+ 
+ 	(void)memset(data, 0, data_len);
+ 
+-- 
+2.33.0
+
diff --git a/Backport-rm-kmodule_list-in-mc-and-fix-param-ringbuf-desc.patch b/Backport-rm-kmodule_list-in-mc-and-fix-param-ringbuf-desc.patch
new file mode 100644
index 0000000..ed4d089
--- /dev/null
+++ b/Backport-rm-kmodule_list-in-mc-and-fix-param-ringbuf-desc.patch
@@ -0,0 +1,165 @@
+From 71409081fc4c642412d7b7fb1812bee12b6af6b9 Mon Sep 17 00:00:00 2001
+From: zcfsite <zhchf2010@126.com>
+Date: Mon, 27 Nov 2023 22:27:06 +0800
+Subject: rm kmodule_list in mc and fix param ringbuf desc
+
+---
+ kerneldriver/cases/Makefile                   |  2 +-
+ .../secDetector_mc_kmodule_list.c             | 55 -------------------
+ .../secDetector_mc_kmodule_list.h             | 12 ----
+ .../secDetector_memory_corruption.c           | 16 ------
+ kerneldriver/core/secDetector_main.c          |  2 +-
+ 5 files changed, 2 insertions(+), 85 deletions(-)
+ delete mode 100644 kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.c
+ delete mode 100644 kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.h
+
+diff --git a/kerneldriver/cases/Makefile b/kerneldriver/cases/Makefile
+index 0af72ba..5a94e50 100644
+--- a/kerneldriver/cases/Makefile
++++ b/kerneldriver/cases/Makefile
+@@ -8,7 +8,7 @@ obj-m += secDetector_kmodule_baseline.o
+ # obj-m += secDetector_lsm_example.o
+ obj-m += secDetector_program_action.o
+ 
+-secDetector_memory_corruption-objs := memory_corruption/secDetector_memory_corruption.o memory_corruption/secDetector_mc_kmodule_list.o
++secDetector_memory_corruption-objs := memory_corruption/secDetector_memory_corruption.o 
+ #secDetector_task_block-objs := task_block/secDetector_task_block.o
+ #secDetector_file_block-objs := file_block/secDetector_file_block.o
+ secDetector_kmodule_baseline-objs := kmodule_baseline/secDetector_kmodule_baseline.o kmodule_baseline/secDetector_mc_kmodule_baseline.o
+diff --git a/kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.c b/kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.c
+deleted file mode 100644
+index 283590b..0000000
+--- a/kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.c
++++ /dev/null
+@@ -1,55 +0,0 @@
+-/*
+- * SPDX-License-Identifier: GPL-2.0
+- *
+- * Author: yieux
+- * create: 2023-09-28
+- * Description: the main implement of the kmodule list corruption.
+- */
+-#include <linux/module.h>
+-#include <linux/list.h>
+-#include <linux/spinlock.h>
+-#include "secDetector_mc_kmodule_list.h"
+-#include "secDetector_response.h"
+-#include <linux/slab.h>
+-
+-#define MODULE_LIST_MAXSIZE 0x10000
+-#define MC_KMODULE_REPORT_WORD_LEN 55
+-
+-// 3 ways for get kernel module list.
+-// struct module->list
+-// struct module->mkobj->kobj->entry
+-// struct module->mkobj->kobj->kset
+-void check_kmodule_list(void)
+-{
+-	struct module_kobject *mobj = NULL;
+-	struct kobject *k = NULL;
+-	struct module *m = NULL;
+-	struct kset *module_kset = __this_module.mkobj.kobj.kset;
+-	response_data_t log;
+-
+-	if (module_kset == NULL)
+-	return;
+-
+-	spin_lock(&module_kset->list_lock);
+-	list_for_each_entry(k, &module_kset->list, entry) {
+-		if (k->name == NULL)
+-			continue;
+-		mobj = container_of(k, struct module_kobject, kobj);
+-		if (mobj == NULL || mobj->mod == NULL || (unsigned long)mobj->mod->name < MODULE_LIST_MAXSIZE)
+-			continue;
+-
+-		mutex_lock(&module_mutex);
+-		m = find_module(k->name);
+-		if (m == NULL) {
+-			pr_err("[secDetector] mc kmoudle list find! module_name=%s.\n", k->name);
+-			log.report_data.len = MC_KMODULE_REPORT_WORD_LEN + strlen(k->name);
+-			log.report_data.text = kmalloc(log.report_data.len, GFP_KERNEL);
+-			sprintf(log.report_data.text, "[secDetector] mc kmoudle list find! module_name=%s.\n", k->name);
+-			secDetector_report(&log);
+-			kfree(log.report_data.text);
+-		}
+-		mutex_unlock(&module_mutex);
+-	}
+-	spin_unlock(&module_kset->list_lock);
+-	return;
+-}
+\ No newline at end of file
+diff --git a/kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.h b/kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.h
+deleted file mode 100644
+index 737ca47..0000000
+--- a/kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.h
++++ /dev/null
+@@ -1,12 +0,0 @@
+-/*
+- * SPDX-License-Identifier: GPL-2.0
+- *
+- * Author: yieux
+- * create: 2023-09-28
+- * Description: the kmodule list corruption head file.
+- */
+- #ifndef SECDETECTOR_MC_KMODULE_LIST_H
+- #define SECDETECTOR_MC_KMODULE_LIST_H
+- 
+-void check_kmodule_list(void);
+- #endif
+\ No newline at end of file
+diff --git a/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c b/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c
+index 5b487ac..f4a1c9f 100644
+--- a/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c
++++ b/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c
+@@ -10,35 +10,19 @@
+ #include <linux/seq_file.h>
+ #include "secDetector_manager.h"
+ #include <secDetector_module_type.h>
+-#include "secDetector_mc_kmodule_list.h"
+ 
+ 
+ #define TIME_INTERVAL 10
+ DEFINE_MUTEX(case_mc_mutex);
+ #define KERNELKEYDATATAMPER 0x00008000
+ 
+-static void check_all_watching_memory(void)
+-{
+-	mutex_lock(&case_mc_mutex);
+-	check_kmodule_list();
+-	mutex_unlock(&case_mc_mutex);
+-}
+-
+ static struct secDetector_collect collect_array[] = {
+ 	{
+ 		.collect_type = COLLECT_GLOBAL_FUNCTION_SWITCH,
+ 	},
+ };
+ 
+-
+ static struct secDetector_workflow workflow_array[] = {
+-	{
+-		.workflow_type = WORKFLOW_CUSTOMIZATION,
+-		.workflow_func.func = check_all_watching_memory,
+-		.hook_type = SECDETECTOR_TIMER,
+-		.interval = TIME_INTERVAL,
+-		.enabled = ATOMIC_INIT(true)
+-	},
+ 	{
+ 		.workflow_type = WORKFLOW_PRESET,
+ 		.hook_type = SECDETECTOR_TIMER,
+diff --git a/kerneldriver/core/secDetector_main.c b/kerneldriver/core/secDetector_main.c
+index 878d4a3..3931229 100644
+--- a/kerneldriver/core/secDetector_main.c
++++ b/kerneldriver/core/secDetector_main.c
+@@ -22,7 +22,7 @@ MODULE_PARM_DESC(log_size, "log size");
+ static unsigned int ringbuf_size = MIN_RINGBUF_SIZE; /* unit is Mb */
+ static unsigned int ringbuf_size_bytes; /* unit is bytes */
+ module_param(ringbuf_size, uint, 0400);
+-MODULE_PARM_DESC(log_size, "ringbuffer size");
++MODULE_PARM_DESC(ringbuf_size, "ringbuffer size");
+ 
+ static bool ringbuf_size_check(void)
+ {
+-- 
+2.33.0
+
diff --git a/Backport-secDetectord-fix-a-grpc-hang-bug.patch b/Backport-secDetectord-fix-a-grpc-hang-bug.patch
new file mode 100644
index 0000000..4d70734
--- /dev/null
+++ b/Backport-secDetectord-fix-a-grpc-hang-bug.patch
@@ -0,0 +1,107 @@
+From f531f56ee36aecd3bb9eae527551eb8eff8c9457 Mon Sep 17 00:00:00 2001
+From: chenjingwen <lhchenjw@gmail.com>
+Date: Mon, 11 Dec 2023 19:52:42 +0800
+Subject: [PATCH 2/2] secDetectord: fix a grpc hang bug
+
+break connection loop before shutdown
+so that shutdown won't hang.
+
+Signed-off-by: chenjingwen <lhchenjw@gmail.com>
+---
+ observer_agent/grpc_comm/grpc_api.h |  1 +
+ observer_agent/grpc_comm/server.cpp | 30 ++++++++++++++++++++++++++---
+ 2 files changed, 28 insertions(+), 3 deletions(-)
+
+diff --git a/observer_agent/grpc_comm/grpc_api.h b/observer_agent/grpc_comm/grpc_api.h
+index 4bde109..27a9139 100644
+--- a/observer_agent/grpc_comm/grpc_api.h
++++ b/observer_agent/grpc_comm/grpc_api.h
+@@ -26,6 +26,7 @@ class PubSubServiceImpl final : public SubManager::Service
+     grpc::Status Subscribe(ServerContext *context, const SubscribeRequest *request, ServerWriter<Message> *writer);
+     grpc::Status Publish(ServerContext *context, const PublishRequest *request, Message *response);
+     grpc::Status UnSubscribe(ServerContext *context, const UnSubscribeRequest *request, Message *response);
++    void CloseAllConnection(void);
+ 
+   private:
+     std::unordered_map<std::string, std::vector<int>> suber_topic_;
+diff --git a/observer_agent/grpc_comm/server.cpp b/observer_agent/grpc_comm/server.cpp
+index cce5131..b47b1aa 100644
+--- a/observer_agent/grpc_comm/server.cpp
++++ b/observer_agent/grpc_comm/server.cpp
+@@ -16,6 +16,7 @@
+ #include "comm_api.grpc.pb.h"
+ #include <grpcpp/grpcpp.h>
+ #include <sys/stat.h>
++#include <condition_variable>
+ 
+ using data_comm::Message;
+ using data_comm::PublishRequest;
+@@ -30,9 +31,23 @@ using grpc::ServerWriter;
+ #define MAX_CONNECTION 5
+ #define CHECK_TIME 60
+ 
++static bool killed = false;
++
+ class PubSubServiceImpl final : public SubManager::Service
+ {
+   public:
++    void CloseAllConnection(void)
++    {
++	std::lock_guard<std::mutex> lk(wait_mutex);
++
++        for (int i = 0; i < MAX_CONNECTION; i++) {
++            connect_status[i] = false;
++	}
++
++        killed = true;
++        cv.notify_all();
++    }
++
+     grpc::Status Subscribe(ServerContext *context, const SubscribeRequest *request,
+                            ServerWriter<Message> *writer) override
+     {
+@@ -124,7 +139,7 @@ class PubSubServiceImpl final : public SubManager::Service
+                 }
+                 return grpc::Status(grpc::StatusCode::INTERNAL, "writer is lose!");
+             }
+-            sleep(CHECK_TIME);
++            WaitKeeplive();
+         }
+         return grpc::Status::OK;
+     }
+@@ -203,21 +218,30 @@ class PubSubServiceImpl final : public SubManager::Service
+     std::unordered_map<std::string, std::vector<ServerWriter<Message> *>> suber_writer_;
+     std::unordered_map<std::string, std::vector<int>> suber_connection_;
+     std::mutex sub_mutex;
++    std::mutex wait_mutex;
++    std::condition_variable cv;
+     int connection_num = 0;
+     bool connect_status[MAX_CONNECTION] = {false};
++
++    void WaitKeeplive(void)
++    {
++	std::unique_lock<std::mutex> lk(wait_mutex);
++	cv.wait_for(lk, std::chrono::seconds(CHECK_TIME), []{ return killed; });
++    }
+ };
+ 
+-std::unique_ptr<Server> server;
++static std::unique_ptr<Server> server;
++static PubSubServiceImpl service;
+ 
+ void StopServer()
+ {
++    service.CloseAllConnection();
+     server->Shutdown();
+ }
+ 
+ void RunServer()
+ {
+     std::string server_address("unix:///var/run/secDetector.sock");
+-    PubSubServiceImpl service;
+ 
+     ServerBuilder builder;
+     builder.AddListeningPort(server_address, grpc::InsecureServerCredentials());
+-- 
+2.33.0
+
diff --git a/Backport-secUnsub-del-topic-in-README.patch b/Backport-secUnsub-del-topic-in-README.patch
new file mode 100644
index 0000000..9fec2a2
--- /dev/null
+++ b/Backport-secUnsub-del-topic-in-README.patch
@@ -0,0 +1,31 @@
+From afb0176a27e64325de49155348cf3e189685a960 Mon Sep 17 00:00:00 2001
+From: zgzxx <zhangguangzhi3@huawei.com>
+Date: Mon, 11 Dec 2023 21:12:52 +0800
+Subject: [PATCH] secUnsub del topic in README
+
+---
+ README.md | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/README.md b/README.md
+index 9658879..6a06586 100644
+--- a/README.md
++++ b/README.md
+@@ -109,11 +109,11 @@ secDetectord 默认会在后台运行，从探针中取得数据并转发给订
+ 参数	“topic”:注册的事件类型，具体可见” /usr/include/secDetector/secDetector_sdk.h”中定义
+ 输出	返回读取事件的指针
+ 
+-接口名称	void secUnsub(const int topic, void *reader)
++接口名称	void secUnsub(void *reader)
+ 接口描述	注销订阅接口
+-参数	“topic”:注销的事件类型， “reader”:注销的读事件指针
++参数	“reader”:注销的读事件指针
+ 输出	无
+-注意事项	当前会全部取消，不支持指定reader取消
++注意事项	当前会取消reader的全部订阅
+ 
+ 接口名称	void secReadFrom(void *reader, char *data, int data_len)
+ 接口描述	读事件信息接口
+-- 
+2.33.0
+
diff --git a/Backport-secUnsub-del-topic.patch b/Backport-secUnsub-del-topic.patch
new file mode 100644
index 0000000..c136e5d
--- /dev/null
+++ b/Backport-secUnsub-del-topic.patch
@@ -0,0 +1,189 @@
+From 4a58573122e2c677c427cb43bb02e6f055fdf391 Mon Sep 17 00:00:00 2001
+From: zgzxx <zhangguangzhi3@huawei.com>
+Date: Mon, 11 Dec 2023 20:57:58 +0800
+Subject: [PATCH] secUnsub del topic
+
+---
+ examples/python/client.py                     |  4 +--
+ lib/secDetector_sdk.cpp                       |  8 ++----
+ lib/secDetector_sdk.h                         |  2 +-
+ observer_agent/grpc_comm/client.cpp           |  3 +--
+ observer_agent/grpc_comm/client_sub_demo.cpp  |  2 +-
+ observer_agent/grpc_comm/grpc_api.h           |  2 +-
+ .../grpc_comm/protos/comm_api.proto           |  3 +--
+ observer_agent/grpc_comm/server.cpp           | 27 ++++++++-----------
+ 8 files changed, 20 insertions(+), 31 deletions(-)
+
+diff --git a/examples/python/client.py b/examples/python/client.py
+index 312384d..3fb95b4 100644
+--- a/examples/python/client.py
++++ b/examples/python/client.py
+@@ -31,7 +31,7 @@ g_cli_reader_lock = threading.Lock()
+ 
+ secDetectorsdklib.secSub.argtypes = [ctypes.c_int]
+ secDetectorsdklib.secSub.restype = ctypes.c_void_p
+-secDetectorsdklib.secUnsub.argtypes = [ctypes.c_int, ctypes.c_void_p]
++secDetectorsdklib.secUnsub.argtypes = [ctypes.c_void_p]
+ secDetectorsdklib.secUnsub.restype = None
+ secDetectorsdklib.secReadFrom.argtypes = [ctypes.c_void_p, ctypes.c_char_p, ctypes.c_int]
+ secDetectorsdklib.secReadFrom.restype = None
+@@ -66,7 +66,7 @@ def thread_func_unsub(num=0):
+     g_cli_reader_lock.acquire()
+     try:
+         g_read_flag = False
+-        secDetectorsdklib.secUnsub(1, g_cli_reader)
++        secDetectorsdklib.secUnsub(g_cli_reader)
+     finally:
+         g_cli_reader_lock.release()
+     print("client thread_func_unsub end")
+diff --git a/lib/secDetector_sdk.cpp b/lib/secDetector_sdk.cpp
+index 6f47f41..6b00953 100644
+--- a/lib/secDetector_sdk.cpp
++++ b/lib/secDetector_sdk.cpp
+@@ -62,13 +62,9 @@ void *secSub(const int topic)
+ 	return ret_reader;
+ }
+ 
+-void secUnsub(const int topic, void *reader)
++void secUnsub(void *reader)
+ {
+ 	PubSubClient *cur_client;
+-	if (topic <= 0 || topic > ALLTOPIC) {
+-		printf("lib secUnsub failed, topic:%d is error\n", topic);
+-		return;
+-	}
+ 
+ 	if (!reader)
+ 		return;
+@@ -77,7 +73,7 @@ void secUnsub(const int topic, void *reader)
+ 	Readmap::iterator iter = g_reader_map.find(reader);
+ 	if (iter != g_reader_map.end()) {
+ 		cur_client = iter->second.second;
+-		cur_client->UnSubscribe(topic);
++		cur_client->UnSubscribe();
+ 		g_reader_map.erase(iter);
+ 		reader = NULL;
+ 		delete cur_client;
+diff --git a/lib/secDetector_sdk.h b/lib/secDetector_sdk.h
+index abf112b..92ef5b4 100644
+--- a/lib/secDetector_sdk.h
++++ b/lib/secDetector_sdk.h
+@@ -18,7 +18,7 @@
+ #define SECDETECTOR_SDK_H
+ 
+ void *secSub(const int topic);
+-void secUnsub(const int topic, void *reader);
++void secUnsub(void *reader);
+ void secReadFrom(void *reader, char *data, int data_len);
+ 
+ #endif
+diff --git a/observer_agent/grpc_comm/client.cpp b/observer_agent/grpc_comm/client.cpp
+index 0dd02f9..5cf8cf2 100644
+--- a/observer_agent/grpc_comm/client.cpp
++++ b/observer_agent/grpc_comm/client.cpp
+@@ -87,10 +87,9 @@ void PubSubClient::Publish(const int topic, const std::string &content)
+     }
+ }
+ 
+-void PubSubClient::UnSubscribe(const int topic)
++void PubSubClient::UnSubscribe(void)
+ {
+     UnSubscribeRequest request;
+-    request.set_topic(topic);
+     request.set_sub_name(uuid_str);
+ 
+     ClientContext unsub_context;
+diff --git a/observer_agent/grpc_comm/client_sub_demo.cpp b/observer_agent/grpc_comm/client_sub_demo.cpp
+index fbf27ad..550b503 100644
+--- a/observer_agent/grpc_comm/client_sub_demo.cpp
++++ b/observer_agent/grpc_comm/client_sub_demo.cpp
+@@ -34,7 +34,7 @@ int main(int argc, char **argv)
+         some_data = client.ReadFrom(cli_reader);
+         std::cout << "loop whz: " << some_data << std::endl;
+     }
+-    client.UnSubscribe(std::stoi(argv[1]));
++    client.UnSubscribe();
+ 
+     return 0;
+ }
+diff --git a/observer_agent/grpc_comm/grpc_api.h b/observer_agent/grpc_comm/grpc_api.h
+index 27a9139..c5b43cc 100644
+--- a/observer_agent/grpc_comm/grpc_api.h
++++ b/observer_agent/grpc_comm/grpc_api.h
+@@ -48,7 +48,7 @@ class PubSubClient
+     void init(std::shared_ptr<Channel> channel);
+     std::unique_ptr<ClientReader<Message>> Subscribe(const int topic);
+     void Publish(const int topic, const std::string &content);
+-    void UnSubscribe(const int topic);
++    void UnSubscribe(void);
+     std::string ReadFrom(std::unique_ptr<ClientReader<Message>> &reader);
+ 
+   private:
+diff --git a/observer_agent/grpc_comm/protos/comm_api.proto b/observer_agent/grpc_comm/protos/comm_api.proto
+index 6c84865..cf1e445 100644
+--- a/observer_agent/grpc_comm/protos/comm_api.proto
++++ b/observer_agent/grpc_comm/protos/comm_api.proto
+@@ -13,8 +13,7 @@ message SubscribeRequest {
+ }
+ 
+ message UnSubscribeRequest {
+-  int32 topic = 1;
+-  string sub_name = 2;
++  string sub_name = 1;
+ }
+ 
+ message PublishRequest {
+diff --git a/observer_agent/grpc_comm/server.cpp b/observer_agent/grpc_comm/server.cpp
+index b47b1aa..938d09c 100644
+--- a/observer_agent/grpc_comm/server.cpp
++++ b/observer_agent/grpc_comm/server.cpp
+@@ -176,7 +176,6 @@ class PubSubServiceImpl final : public SubManager::Service
+ 
+     grpc::Status UnSubscribe(ServerContext *context, const UnSubscribeRequest *request, Message *response) override
+     {
+-        int cli_topic = request->topic();
+         std::string cli_name = request->sub_name();
+         int i = 0;
+         int unsub_flag = 0;
+@@ -189,27 +188,23 @@ class PubSubServiceImpl final : public SubManager::Service
+ 
+         std::lock_guard<std::mutex> lock(sub_mutex);
+ 
+-        for (auto topic_item : suber_topic_[cli_name])
++        std::unordered_map<std::string, std::vector<int>>::iterator iter = suber_topic_.find(cli_name);
++        if (iter != suber_topic_.end())
+         {
+-            if (topic_item == cli_topic)
+-            {
+-                suber_topic_[cli_name].erase(suber_topic_[cli_name].begin() + i);
+-                suber_writer_[cli_name].erase(suber_writer_[cli_name].begin() + i);
+-                connect_status[suber_connection_[cli_name].at(i)] = false;
+-                suber_connection_[cli_name].erase(suber_connection_[cli_name].begin() + i);
+-                connection_num--;
+-                unsub_flag = 1;
+-                break;
+-            }
+-            i++;
++            suber_topic_[cli_name].erase(suber_topic_[cli_name].begin() + i);
++            suber_writer_[cli_name].erase(suber_writer_[cli_name].begin() + i);
++            connect_status[suber_connection_[cli_name].at(i)] = false;
++            suber_connection_[cli_name].erase(suber_connection_[cli_name].begin() + i);
++            connection_num--;
++            unsub_flag = 1;
+         }
+ 
+         if (!unsub_flag)
+         {
+-            response->set_text("don't exist the topic: " + std::to_string(cli_topic));
+-            return grpc::Status(grpc::StatusCode::INTERNAL, "Failed to UnSubscribe topic!");
++            response->set_text("don't exist the reader");
++            return grpc::Status(grpc::StatusCode::INTERNAL, "Failed to UnSubscribe reader!");
+         }
+-        response->set_text("topic: " + std::to_string(cli_topic) + " UnSubscribe success!");
++        response->set_text("UnSubscribe success!");
+         return grpc::Status::OK;
+     }
+ 
+-- 
+2.33.0
+
diff --git a/Backport-service-fix-power_of_2-bug.patch b/Backport-service-fix-power_of_2-bug.patch
new file mode 100644
index 0000000..182613d
--- /dev/null
+++ b/Backport-service-fix-power_of_2-bug.patch
@@ -0,0 +1,28 @@
+From 2ddd09ee581829e482d55db70b0cc92724b23c8d Mon Sep 17 00:00:00 2001
+From: chenjingwen <lhchenjw@gmail.com>
+Date: Mon, 20 Nov 2023 10:48:18 +0800
+Subject: [PATCH 2/2] service: fix power_of_2 bug
+
+fix a bug
+
+Signed-off-by: chenjingwen <lhchenjw@gmail.com>
+---
+ observer_agent/service/main.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/observer_agent/service/main.cpp b/observer_agent/service/main.cpp
+index 940cf83..f177645 100644
+--- a/observer_agent/service/main.cpp
++++ b/observer_agent/service/main.cpp
+@@ -51,7 +51,7 @@ static bool power_of_2(unsigned int num)
+ {
+     if (num == 0)
+         return false;
+-    if (num & (num - 1) != 0)
++    if ((num & (num - 1)) != 0)
+         return false;
+     return true;
+ }
+-- 
+2.33.0
+
diff --git a/Backport-set-cmake-minimum-required-to-VERSION-3.22.patch b/Backport-set-cmake-minimum-required-to-VERSION-3.22.patch
new file mode 100644
index 0000000..456ad52
--- /dev/null
+++ b/Backport-set-cmake-minimum-required-to-VERSION-3.22.patch
@@ -0,0 +1,68 @@
+From 0a89d59f076bd9de9e997f76fd5088cf600bb685 Mon Sep 17 00:00:00 2001
+From: zcfsite <zhchf2010@126.com>
+Date: Wed, 6 Dec 2023 10:14:56 +0800
+Subject: [PATCH 1/4] set cmake minimum required to VERSION 3.22
+
+---
+ CMakeLists.txt                               | 2 +-
+ lib/CMakeLists.txt                           | 2 +-
+ observer_agent/CMakeLists.txt                | 2 +-
+ observer_agent/ebpf/CMakeLists.txt           | 2 +-
+ observer_agent/ebpf/file_ebpf/CMakeLists.txt | 2 +-
+ 5 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 1f44e4a..56c31c9 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -1,4 +1,4 @@
+-cmake_minimum_required(VERSION 3.1)
++cmake_minimum_required(VERSION 3.22)
+ project(secDetector)
+ add_subdirectory(observer_agent)
+ add_subdirectory(lib)
+diff --git a/lib/CMakeLists.txt b/lib/CMakeLists.txt
+index b3f61f1..6b1ee78 100644
+--- a/lib/CMakeLists.txt
++++ b/lib/CMakeLists.txt
+@@ -1,4 +1,4 @@
+-cmake_minimum_required(VERSION 3.14.1)
++cmake_minimum_required(VERSION 3.22)
+ 
+ project(secDetector_sdk)
+ 
+diff --git a/observer_agent/CMakeLists.txt b/observer_agent/CMakeLists.txt
+index 8465044..f110b49 100644
+--- a/observer_agent/CMakeLists.txt
++++ b/observer_agent/CMakeLists.txt
+@@ -1,4 +1,4 @@
+-cmake_minimum_required(VERSION 3.1)
++cmake_minimum_required(VERSION 3.22)
+ 
+ add_subdirectory(ebpf)
+ set(CMAKE_CXX_STANDARD 11)
+diff --git a/observer_agent/ebpf/CMakeLists.txt b/observer_agent/ebpf/CMakeLists.txt
+index 6b97de4..a5c9bbe 100644
+--- a/observer_agent/ebpf/CMakeLists.txt
++++ b/observer_agent/ebpf/CMakeLists.txt
+@@ -1,4 +1,4 @@
+-cmake_minimum_required(VERSION 3.16)
++cmake_minimum_required(VERSION 3.22)
+ project(ebpf)
+ add_subdirectory(file_ebpf)
+ add_custom_target(ebpf
+diff --git a/observer_agent/ebpf/file_ebpf/CMakeLists.txt b/observer_agent/ebpf/file_ebpf/CMakeLists.txt
+index 9517832..e9e073a 100644
+--- a/observer_agent/ebpf/file_ebpf/CMakeLists.txt
++++ b/observer_agent/ebpf/file_ebpf/CMakeLists.txt
+@@ -1,6 +1,6 @@
+ # SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
+ 
+-cmake_minimum_required(VERSION 3.16)
++cmake_minimum_required(VERSION 3.22)
+ project(file_ebpf)
+ add_custom_target(file_ebpf
+ 	COMMAND mkdir -p ${CMAKE_CURRENT_BINARY_DIR}/.output
+-- 
+2.33.0
+
diff --git a/secDetector-v0.9.tar.gz b/secDetector-v0.9.tar.gz
deleted file mode 100644
index a0544ca..0000000
Binary files a/secDetector-v0.9.tar.gz and /dev/null differ
diff --git a/secDetector-v1.0.tar.gz b/secDetector-v1.0.tar.gz
new file mode 100644
index 0000000..699cb78
Binary files /dev/null and b/secDetector-v1.0.tar.gz differ
diff --git a/secDetector.spec b/secDetector.spec
index 6014576..f281df4 100644
--- a/secDetector.spec
+++ b/secDetector.spec
@@ -1,20 +1,62 @@
 %global debug_package %{nil}
 %define kernel_version %(ver=`rpm -qa|grep kernel-devel`;echo ${ver#*kernel-devel-})
 
+
 Name         :  secDetector
 Summary      :  OS Security Intrusion Detection System
-Version      :  0.9
-Release      :  1
+Version      :  1.0
+Release      :  14
 License      :  GPL-2.0
-URL          :	https://gitee.com/openeuler/secDetector
 Source0      :  %{name}-v%{version}.tar.gz
 BuildRequires:  kernel-devel kernel-headers
+BuildRequires:	gcc gcc-c++ clang cmake make
+BuildRequires:	libbpf-devel bpftool 
+BuildRequires:	grpc-devel grpc-plugins protobuf-devel c-ares-devel libuuid-devel
 Requires     :  kernel
+Requires     :  protobuf grpc libuuid libbpf
 
+Patch0001: Backport-fix-report-api-function.patch
+Patch0002: Backport-service-fix-power_of_2-bug.patch
+Patch0003: Backport-check-value-for-topic.patch
+Patch0004: Backport-fix-printf-error-in-main.cpp.patch
+Patch0005: Backport-fix-system-crash-caused-by-registration-exception.patch
+Patch0006: Backport-fix-register-kpobe-mutiple-times.patch
+Patch0007: Backport-rm-kmodule_list-in-mc-and-fix-param-ringbuf-desc.patch
+Patch0008: Backport-fix-memory-leak-bug-in-sc-analyze-unit.patch
+Patch0009: Backport-fix-bug-of-mc-case-not-collect-data.patch
+Patch0010: Backport-del-useless-code-for-timestamp.patch
+Patch0011: Backport-modify-for-getting-common-info-in-createfile.patch
+Patch0012: Backport-fix-memleak-bug-in-secDetector_program_action.patch
+Patch0013: Backport-fix-timestamp-memleak.patch
+Patch0014: Backport-add-handle-cleanup-and-refactor-Subscribe-UnSubscrib.patch
+Patch0015: Backport-lib-modify-for-unsub.patch
+Patch0016: Backport-add-nullptr-check-in-Subscribe.patch
+Patch0017: Backport-modify-for-multiple-sub-in-the-same-process.patch
+Patch0018: Backport-creatfile-check-op-intent-value.patch
+Patch0019: Backport-createfile-check-f_mode-and-fix-typo.patch
+Patch0021: Backport-add-lock-limit-publish-API.patch
+Patch0022: Backport-secDetectord-fix-a-grpc-hang-bug.patch
+Patch0023: Backport-secUnsub-del-topic.patch
+Patch0024: Backport-secUnsub-del-topic-in-README.patch
+Patch0025: Backport-modify-for-code-review.patch
+Patch0026: Backport-modify-for-secReadFrom-error.patch
+Patch0027: Backport-fix-invalid-TUF-8-data-in-memory-corruption-module.patch
+Patch0028: Backport-set-cmake-minimum-required-to-VERSION-3.22.patch
+Patch0029: Backport-grpc-fix-coredump-in-Publish.patch
+Patch0030: Backport-fix-the-memory-leak-in-collect-unit.patch
+Patch0031: Backport-fix-memory-leak-in-program_action.patch
+Patch0032: Backport-bug-fix-memory-leak-in-sc-analyze-unit.patch
+Patch0033: Backport-fix-6.x-kernel-compile-error.patch
 
 %description
 OS Security Intrusion Detection System
 
+%package devel
+Summary      : Files for development
+
+%description devel
+The secDetector-devel package contains header file for development
+
 %prep
 %autosetup -n %{name}-v%{version} -p1
 
@@ -26,12 +68,27 @@ cd ../cases
 sed -i 's#/lib/modules/$(shell uname -r)/build#/lib/modules/%{kernel_version}/build#' Makefile
 make
 
+cd ../../
+mkdir -p build
+cd build
+cmake .. && make
+
 
 %install
 mkdir -p $RPM_BUILD_ROOT/lib/modules/%{kernel_version}/extra/secDetector
 install -m 600 ./kerneldriver/core/secDetector_core.ko $RPM_BUILD_ROOT/lib/modules/%{kernel_version}/extra/secDetector
 install -m 600 ./kerneldriver/cases/secDetector_kmodule_baseline.ko $RPM_BUILD_ROOT/lib/modules/%{kernel_version}/extra/secDetector
 install -m 600 ./kerneldriver/cases/secDetector_memory_corruption.ko $RPM_BUILD_ROOT/lib/modules/%{kernel_version}/extra/secDetector
+install -m 600 ./kerneldriver/cases/secDetector_program_action.ko $RPM_BUILD_ROOT/lib/modules/%{kernel_version}/extra/secDetector
+
+mkdir -p $RPM_BUILD_ROOT/usr/bin
+install -m 700 ./build/observer_agent/secDetectord $RPM_BUILD_ROOT/usr/bin/secDetectord
+
+mkdir -p $RPM_BUILD_ROOT/usr/lib64/secDetector
+install -m 700 ./build/lib/libsecDetectorsdk.so $RPM_BUILD_ROOT/usr/lib64/secDetector
+mkdir -p $RPM_BUILD_ROOT/usr/include/secDetector
+install -m 644 ./lib/secDetector_sdk.h $RPM_BUILD_ROOT/usr/include/secDetector
+install -m 644 ./include/secDetector_topic.h $RPM_BUILD_ROOT/usr/include/secDetector
 
 %pre
 
@@ -53,7 +110,60 @@ rm -rf %{buildroot}
 %attr(0400,root,root) /lib/modules/%{kernel_version}/extra/secDetector/secDetector_core.ko
 %attr(0400,root,root) /lib/modules/%{kernel_version}/extra/secDetector/secDetector_kmodule_baseline.ko
 %attr(0400,root,root) /lib/modules/%{kernel_version}/extra/secDetector/secDetector_memory_corruption.ko
+%attr(0400,root,root) /lib/modules/%{kernel_version}/extra/secDetector/secDetector_program_action.ko
+%attr(0700,root,root) /usr/bin/secDetectord
+%attr(0500,root,root) /usr/lib64/secDetector/libsecDetectorsdk.so
+
+%files devel
+%defattr(-,root,root)
+%attr(0644,root,root) /usr/include/secDetector/secDetector_sdk.h
+%attr(0644,root,root) /usr/include/secDetector/secDetector_topic.h
 
 %changelog
+* Tue Feb 20 2024 hurricane618 <hurricane618@hotmail.com> 1.0-14
+- backport patch to fix compile error in v6.6 kernel
+
+* Thu Dec 21 2023 hurricane618 <hurricane618@hotmail.com> 1.0-13
+- backport patchs to fix memory
+
+* Thu Dec 14 2023 zcfsite <zhchf2010@126.com> 1.0-12
+- fix secReadFrom error,invalid TUF-8 data in mc module,publish coredump
+
+* Mon Dec 11 2023 zhangguangzhi <zhangguangzhi3@huawei.com> 1.0-11
+- backport patch
+
+* Mon Dec 11 2023 chenjingwen6 <lhchenjw@gmail.com> 1.0-10
+- backport some patches to fix issue such as grpc hangs
+
+* Sat Dec 9 2023 zhangguangzhi <zhangguangzhi3@huawei.com> 1.0-9
+- backport some patches
+
+* Tue Dec 05 2023 hurricane618 <hurricane618@hotmail.com> 1.0-8
+- backport some patches
+
+* Wed Nov 29 2023 hurricane618 <hurricane618@hotmail.com> 1.0-7
+- fix backport patch0001
+
+* Wed Nov 29 2023 zhangguangzhi <zhangguangzhi3@huawei.com> 1.0-6
+- backport some patches
+
+* Mon Nov 27 2023 zcfsite <zhchf2010@126.com> 1.0-5
+- fix some kerneldriver error
+
+* Wed Nov 22 2023 zhangguangzhi <zhangguangzhi3@huawei.com> 1.0-4
+- add patch to check value for topic
+
+* Tue Nov 21 2023 chenjingwen6 <lhchenjw@gmail.com> 1.0-3
+- add patch to fix power_of_2 bug
+
+* Sun Nov 19 2023 hurricane618 <hurricane618@hotmail.com> 1.0-2
+- add fix patch
+
+* Sat Nov 18 2023 zcfsite <zhchf2010@126.com> 1.0-1
+- release v1.0
+
+* Wed Nov 15 2023 zcfsite <zhchf2010@126.com> 0.9-2
+- add devel package
+
 * Tue Nov 14 2023 zcfsite <zhchf2010@126.com> 0.9-1
 - Init package