!168 [sync] PR-163: [22.03-LTS] cio: FIFOSet.Close() check if FIFOSet is nill to prevent NPE

From: @openeuler-sync-bot 
Reviewed-by: @zhangsong234 
Signed-off-by: @zhangsong234

containerd.spec

@@ -2,7 +2,7 @@
 %global debug_package %{nil}
 Version:        1.2.0
 Name:           containerd
-Release:        314
+Release:        319
 Summary:        An industry-standard container runtime
 License:        ASL 2.0
 URL:            https://containerd.io
@@ -72,6 +72,36 @@ install -p -m 755 bin/ctr $RPM_BUILD_ROOT/%{_bindir}/ctr
 %{_bindir}/ctr
 
 %changelog
+* Mon Mar 4 2024 Lu Jingxiao<lujingxiao@huawei.com> - 1.2.0-319
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:FIFOSet.Close() check if FIFOSet is nill to prevent NPE
+
+* Fri Feb 23 2024 zhongjiawei<zhongjiawei1@huawei.com> - 1.2.0-318
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:disable Transparent HugePage for shim process if SHIM_DISABLE_THP is set
+
+* Tue Feb 06 2024 zhongjiawei<zhongjiawei1@huawei.com> - 1.2.0-317
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:update vendored golang.org/x/net
+
+* Tue Jan 30 2024 zhongjiawei<zhongjiawei1@huawei.com> - 1.2.0-316
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DESC:fix CVE-2023-39325
+
+* Thu Dec 21 2023 zhongjiawei<zhongjiawei1@huawei.com> - 1.2.0-315
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:sync some patches
+
 * Wed Nov 08 2023 zhongjiawei<zhongjiawei1@huawei.com> - 1.2.0-314
 - Type:bugfix
 - ID:NA

git-commit

@@ -1 +1 @@
-8e9edf2a5aa9a0e32d8c7c0c6100542001c6910c
+871075eb7cc979944ba2d987719cb534bbb87e5c

patch/0107-containerd-Fix-missing-closed-fifo.patch

@@ -0,0 +1,38 @@
+From 1c93da5ded1b80338ae4014084ce005f89e20a94 Mon Sep 17 00:00:00 2001
+From: Shiming Zhang <wzshiming@foxmail.com>
+Date: Mon, 31 Oct 2022 17:18:27 +0800
+Subject: [PATCH] Fix missing closed fifo
+
+Signed-off-by: Shiming Zhang <wzshiming@foxmail.com>
+---
+ runtime/v1/shim/service_linux.go | 1 +
+ runtime/v2/runc/service_linux.go | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/runtime/v1/shim/service_linux.go b/runtime/v1/shim/service_linux.go
+index 307e20d..b8b85f6 100644
+--- a/runtime/v1/shim/service_linux.go
++++ b/runtime/v1/shim/service_linux.go
+@@ -54,6 +54,7 @@ func (p *linuxPlatform) CopyConsole(ctx context.Context, console console.Console
+ 			io.CopyBuffer(epollConsole, in, *bp)
+ 			// we need to shutdown epollConsole when pipe broken
+ 			epollConsole.Shutdown(p.epoller.CloseConsole)
++			in.Close()
+ 		}()
+ 	}
+ 
+diff --git a/runtime/v2/runc/service_linux.go b/runtime/v2/runc/service_linux.go
+index 195c230..de85993 100644
+--- a/runtime/v2/runc/service_linux.go
++++ b/runtime/v2/runc/service_linux.go
+@@ -54,6 +54,7 @@ func (p *linuxPlatform) CopyConsole(ctx context.Context, console console.Console
+ 			io.CopyBuffer(epollConsole, in, *bp)
+ 			// we need to shutdown epollConsole when pipe broken
+ 			epollConsole.Shutdown(p.epoller.CloseConsole)
++			in.Close()
+ 		}()
+ 	}
+ 
+-- 
+2.33.0
+

patch/0108-containerd-Update-TTRPC-and-Protobuild-dependencies.patch

@@ -0,0 +1,51 @@
+From 99580e0aad981d8be11a0d8e7ad2c24130b2dc8d Mon Sep 17 00:00:00 2001
+From: Maksym Pavlenko <pavlenko.maksym@gmail.com>
+Date: Thu, 19 Jan 2023 10:52:41 -0800
+Subject: [PATCH] Update TTRPC and Protobuild dependencies
+
+Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>
+---
+ vendor/github.com/containerd/ttrpc/server.go | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/vendor/github.com/containerd/ttrpc/server.go b/vendor/github.com/containerd/ttrpc/server.go
+index ab2fdf2..7445d93 100644
+--- a/vendor/github.com/containerd/ttrpc/server.go
++++ b/vendor/github.com/containerd/ttrpc/server.go
+@@ -18,14 +18,15 @@ package ttrpc
+ 
+ import (
+ 	"context"
++	"errors"
+ 	"io"
+ 	"math/rand"
+ 	"net"
+ 	"sync"
+ 	"sync/atomic"
++	"syscall"
+ 	"time"
+ 
+-	"github.com/pkg/errors"
+ 	"github.com/sirupsen/logrus"
+ 	"google.golang.org/grpc/codes"
+ 	"google.golang.org/grpc/status"
+@@ -446,14 +447,12 @@ func (c *serverConn) run(sctx context.Context) {
+ 			// branch. Basically, it means that we are no longer receiving
+ 			// requests due to a terminal error.
+ 			recvErr = nil // connection is now "closing"
+-			if err == io.EOF || err == io.ErrUnexpectedEOF {
++			if err == io.EOF || err == io.ErrUnexpectedEOF || errors.Is(err, syscall.ECONNRESET) {
+ 				// The client went away and we should stop processing
+ 				// requests, so that the client connection is closed
+ 				return
+ 			}
+-			if err != nil {
+-				logrus.WithError(err).Error("error receiving message")
+-			}
++			logrus.WithError(err).Error("error receiving message")
+ 		case <-shutdown:
+ 			return
+ 		}
+-- 
+2.33.0
+

patch/0109-containerd-Backport-net-http-regenerate-h2_bundle.go.patch

@@ -0,0 +1,147 @@
+From 6dc693737f84785a30238ca7640ad8ba605c0eac Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Sat, 7 Oct 2023 05:16:27 +0800
+Subject: [PATCH] [Backport] net/http: regenerate h2_bundle.go
+
+Offering: Cloud Core Network
+CVE: CVE-2023-39325
+Reference: https://go-review.googlesource.com/c/go/+/534255
+
+Pull in a security fix from x/net/http2:
+http2: limit maximum handler goroutines to MaxConcurrentStreamso
+
+Note: The upstream does not submit this change to go1.17 according to the rules of MinorReleases.
+Corego3.x are based on go1.17.8. Therefore, it need to submit the change to corego3.x.
+
+Edited-by: machangwang m00509938
+
+For #63417
+Fixes #63426
+Fixes CVE-2023-39325
+
+Change-Id: I6e32397323cd9b4114c990fcc9d19557a7f5f619
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2047401
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-by: Ian Cottrell <iancottrell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/534255
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Michael Pratt <mpratt@google.com>
+Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
+Signed-off-by: Ma Chang Wang machangwang@huawei.com
+---
+ vendor/golang.org/x/net/http2/server.go | 62 ++++++++++++++++++++++++-
+ 1 file changed, 60 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go
+index eae143d..fb18ae7 100644
+--- a/vendor/golang.org/x/net/http2/server.go
++++ b/vendor/golang.org/x/net/http2/server.go
+@@ -470,9 +470,11 @@ type serverConn struct {
+ 	advMaxStreams               uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client
+ 	curClientStreams            uint32 // number of open streams initiated by the client
+ 	curPushedStreams            uint32 // number of open streams initiated by server push
++	curHandlers                 uint32 // number of running handler goroutines
+ 	maxClientStreamID           uint32 // max ever seen from client (odd), or 0 if there have been no client requests
+ 	maxPushPromiseID            uint32 // ID of the last push promise (even), or 0 if there have been no pushes
+ 	streams                     map[uint32]*stream
++	unstartedHandlers           []unstartedHandler
+ 	initialStreamSendWindowSize int32
+ 	maxFrameSize                int32
+ 	headerTableSize             uint32
+@@ -843,6 +845,8 @@ func (sc *serverConn) serve() {
+ 					return
+ 				case gracefulShutdownMsg:
+ 					sc.startGracefulShutdownInternal()
++				case handlerDoneMsg:
++					sc.handlerDone()
+ 				default:
+ 					panic("unknown timer")
+ 				}
+@@ -875,6 +879,7 @@ var (
+ 	idleTimerMsg        = new(serverMessage)
+ 	shutdownTimerMsg    = new(serverMessage)
+ 	gracefulShutdownMsg = new(serverMessage)
++	handlerDoneMsg      = new(serverMessage)
+ )
+ 
+ func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) }
+@@ -1784,8 +1789,7 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error {
+ 		sc.conn.SetReadDeadline(time.Time{})
+ 	}
+ 
+-	go sc.runHandler(rw, req, handler)
+-	return nil
++	return sc.scheduleHandler(id, rw, req, handler)
+ }
+ 
+ func (st *stream) processTrailerHeaders(f *MetaHeadersFrame) error {
+@@ -2028,8 +2032,62 @@ func (sc *serverConn) newWriterAndRequestNoBody(st *stream, rp requestParam) (*r
+ 	return rw, req, nil
+ }
+ 
++type unstartedHandler struct {
++	streamID uint32
++	rw       *responseWriter
++	req      *http.Request
++	handler  func(http.ResponseWriter, *http.Request)
++}
++
++// scheduleHandler starts a handler goroutine,
++// or schedules one to start as soon as an existing handler finishes.
++func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error {
++	sc.serveG.check()
++	maxHandlers := sc.advMaxStreams
++	if sc.curHandlers < maxHandlers {
++		sc.curHandlers++
++		go sc.runHandler(rw, req, handler)
++		return nil
++	}
++	if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) {
++		return ConnectionError(ErrCodeEnhanceYourCalm)
++	}
++	sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{
++		streamID: streamID,
++		rw:       rw,
++		req:      req,
++		handler:  handler,
++	})
++	return nil
++}
++
++func (sc *serverConn) handlerDone() {
++	sc.serveG.check()
++	sc.curHandlers--
++	i := 0
++	maxHandlers := sc.advMaxStreams
++	for ; i < len(sc.unstartedHandlers); i++ {
++		u := sc.unstartedHandlers[i]
++		if sc.streams[u.streamID] == nil {
++			// This stream was reset before its goroutine had a chance to start.
++			continue
++		}
++		if sc.curHandlers >= maxHandlers {
++			break
++		}
++		sc.curHandlers++
++		go sc.runHandler(u.rw, u.req, u.handler)
++		sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references
++	}
++	sc.unstartedHandlers = sc.unstartedHandlers[i:]
++	if len(sc.unstartedHandlers) == 0 {
++		sc.unstartedHandlers = nil
++	}
++}
++
+ // Run on its own goroutine.
+ func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) {
++	defer sc.sendServeMsg(handlerDoneMsg)
+ 	didPanic := true
+ 	defer func() {
+ 		rw.rws.stream.cancelCtx()
+-- 
+2.33.0
+

patch/0110-containerd-update-vendored-golang.org-x-net.patch

@@ -0,0 +1,135 @@
+From 7ab94524b9c4f0d9ab767cc6c22afc9e451e67dc Mon Sep 17 00:00:00 2001
+From: zhongjiawei <zhongjiawei1@huawei.com>
+Date: Tue, 6 Feb 2024 15:43:40 +0800
+Subject: [PATCH] containerd: update vendored golang.org/x/net
+
+---
+ vendor/golang.org/x/net/http2/hpack/hpack.go | 79 ++++++++++++--------
+ 1 file changed, 49 insertions(+), 30 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/http2/hpack/hpack.go b/vendor/golang.org/x/net/http2/hpack/hpack.go
+index 176644a..f56067e 100644
+--- a/vendor/golang.org/x/net/http2/hpack/hpack.go
++++ b/vendor/golang.org/x/net/http2/hpack/hpack.go
+@@ -351,6 +351,7 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error {
+ 
+ 	var hf HeaderField
+ 	wantStr := d.emitEnabled || it.indexed()
++	var undecodedName undecodedString
+ 	if nameIdx > 0 {
+ 		ihf, ok := d.at(nameIdx)
+ 		if !ok {
+@@ -358,15 +359,27 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error {
+ 		}
+ 		hf.Name = ihf.Name
+ 	} else {
+-		hf.Name, buf, err = d.readString(buf, wantStr)
++		undecodedName, buf, err = d.readString(buf)
+ 		if err != nil {
+ 			return err
+ 		}
+ 	}
+-	hf.Value, buf, err = d.readString(buf, wantStr)
++	undecodedValue, buf, err := d.readString(buf)
+ 	if err != nil {
+ 		return err
+ 	}
++	if wantStr {
++		if nameIdx <= 0 {
++			hf.Name, err = d.decodeString(undecodedName)
++			if err != nil {
++				return err
++			}
++		}
++		hf.Value, err = d.decodeString(undecodedValue)
++		if err != nil {
++			return err
++		}
++	}
+ 	d.buf = buf
+ 	if it.indexed() {
+ 		d.dynTab.add(hf)
+@@ -445,46 +458,52 @@ func readVarInt(n byte, p []byte) (i uint64, remain []byte, err error) {
+ 	return 0, origP, errNeedMore
+ }
+ 
+-// readString decodes an hpack string from p.
++// readString reads an hpack string from p.
+ //
+-// wantStr is whether s will be used. If false, decompression and
+-// []byte->string garbage are skipped if s will be ignored
+-// anyway. This does mean that huffman decoding errors for non-indexed
+-// strings past the MAX_HEADER_LIST_SIZE are ignored, but the server
+-// is returning an error anyway, and because they're not indexed, the error
+-// won't affect the decoding state.
+-func (d *Decoder) readString(p []byte, wantStr bool) (s string, remain []byte, err error) {
++// It returns a reference to the encoded string data to permit deferring decode costs
++// until after the caller verifies all data is present.
++func (d *Decoder) readString(p []byte) (u undecodedString, remain []byte, err error) {
+ 	if len(p) == 0 {
+-		return "", p, errNeedMore
++		return u, p, errNeedMore
+ 	}
+ 	isHuff := p[0]&128 != 0
+ 	strLen, p, err := readVarInt(7, p)
+ 	if err != nil {
+-		return "", p, err
++		return u, p, err
+ 	}
+ 	if d.maxStrLen != 0 && strLen > uint64(d.maxStrLen) {
+-		return "", nil, ErrStringLength
++		// Returning an error here means Huffman decoding errors
++		// for non-indexed strings past the maximum string length
++		// are ignored, but the server is returning an error anyway
++		// and because the string is not indexed the error will not
++		// affect the decoding state.
++		return u, nil, ErrStringLength
+ 	}
+ 	if uint64(len(p)) < strLen {
+-		return "", p, errNeedMore
+-	}
+-	if !isHuff {
+-		if wantStr {
+-			s = string(p[:strLen])
+-		}
+-		return s, p[strLen:], nil
++		return u, p, errNeedMore
+ 	}
++	u.isHuff = isHuff
++	u.b = p[:strLen]
++	return u, p[strLen:], nil
++}
+ 
+-	if wantStr {
+-		buf := bufPool.Get().(*bytes.Buffer)
+-		buf.Reset() // don't trust others
+-		defer bufPool.Put(buf)
+-		if err := huffmanDecode(buf, d.maxStrLen, p[:strLen]); err != nil {
+-			buf.Reset()
+-			return "", nil, err
+-		}
++type undecodedString struct {
++	isHuff bool
++	b      []byte
++}
++
++func (d *Decoder) decodeString(u undecodedString) (string, error) {
++	if !u.isHuff {
++		return string(u.b), nil
++	}
++	buf := bufPool.Get().(*bytes.Buffer)
++	buf.Reset() // don't trust others
++	var s string
++	err := huffmanDecode(buf, d.maxStrLen, u.b)
++	if err == nil {
+ 		s = buf.String()
+-		buf.Reset() // be nice to GC
+ 	}
+-	return s, p[strLen:], nil
++	buf.Reset() // be nice to GC
++	bufPool.Put(buf)
++	return s, err
+ }
+-- 
+2.33.0
+

patch/0111-containerd-disable-Transparent-HugePage-for-shim-pro.patch

@@ -0,0 +1,178 @@
+From 746264387fe1f3d0daa17d05ee7a1751f526dde8 Mon Sep 17 00:00:00 2001
+From: Song Zhang <zhangsong34@huawei.com>
+Date: Thu, 21 Dec 2023 18:57:19 +0800
+Subject: [PATCH] containerd: disable Transparent HugePage for shim process if 
+ SHIM_DISABLE_THP is set
+
+Signed-off-by: Song Zhang <zhangsong34@huawei.com>
+---
+ runtime/v1/shim/client/client.go              | 13 +++++++
+ runtime/v1/shim/reaper.go                     | 13 +++++++
+ sys/thp.go                                    | 34 +++++++++++++++++++
+ sys/thp_amd64.go                              |  3 ++
+ sys/thp_arm64.go                              |  3 ++
+ .../github.com/containerd/go-runc/monitor.go  | 20 +++++++++--
+ 6 files changed, 83 insertions(+), 3 deletions(-)
+ create mode 100644 sys/thp.go
+ create mode 100644 sys/thp_amd64.go
+ create mode 100644 sys/thp_arm64.go
+
+diff --git a/runtime/v1/shim/client/client.go b/runtime/v1/shim/client/client.go
+index 4c134c2..29a89e7 100644
+--- a/runtime/v1/shim/client/client.go
++++ b/runtime/v1/shim/client/client.go
+@@ -105,9 +105,22 @@ func WithStart(binary, address, daemonAddress, cgroup string, debug bool, exitHa
+ 		if err != nil {
+ 			return nil, nil, err
+ 		}
++		// Set THP disabled for shim process
++		if err := sys.SetTHPState(1, false); err != nil {
++			if err := sys.SetTHPState(0, true); err != nil {
++				return nil, nil, err
++			}
++			return nil, nil, err
++		}
+ 		if err := cmd.Start(); err != nil {
++			if err := sys.SetTHPState(0, true); err != nil {
++				return nil, nil, err
++			}
+ 			return nil, nil, errors.Wrapf(err, "failed to start shim")
+ 		}
++		if err := sys.SetTHPState(0, true); err != nil {
++			return nil, nil, err
++		}
+ 		defer func() {
+ 			if err != nil {
+ 				cmd.Process.Kill()
+diff --git a/runtime/v1/shim/reaper.go b/runtime/v1/shim/reaper.go
+index f5f8096..03759a6 100644
+--- a/runtime/v1/shim/reaper.go
++++ b/runtime/v1/shim/reaper.go
+@@ -76,9 +76,22 @@ type Monitor struct {
+ 
+ // Start starts the command a registers the process with the reaper
+ func (m *Monitor) Start(c *exec.Cmd) (chan runc.Exit, error) {
++	// Set THP enabled for subprocess.
++	if err := sys.SetTHPState(0, false); err != nil {
++		if err := sys.SetTHPState(1, true); err != nil {
++			return nil, err
++		}
++		return nil, err
++	}
+ 	ec := m.Subscribe()
+ 	if err := c.Start(); err != nil {
+ 		m.Unsubscribe(ec)
++		if err := sys.SetTHPState(1, true); err != nil {
++			return nil, err
++		}
++		return nil, err
++	}
++	if err := sys.SetTHPState(1, true); err != nil {
+ 		return nil, err
+ 	}
+ 	return ec, nil
+diff --git a/sys/thp.go b/sys/thp.go
+new file mode 100644
+index 0000000..3bbbd00
+--- /dev/null
++++ b/sys/thp.go
+@@ -0,0 +1,34 @@
++package sys
++
++import (
++	"os"
++	"runtime"
++	"syscall"
++
++	"github.com/sirupsen/logrus"
++)
++
++const (
++	PR_SET_THP_DISABLE = 41
++)
++
++func SetTHPState(flag int, resume bool) error {
++	logrus.Debug("start to set THP")
++	if os.Getenv("SHIM_DISABLE_THP") != "1" {
++		logrus.Debug("skip set THP")
++		return nil
++	}
++
++	if resume {
++		defer runtime.UnlockOSThread()
++	} else {
++		runtime.LockOSThread()
++	}
++
++	_, _, errno := syscall.RawSyscall6(uintptr(PRCTL_SYSCALL), uintptr(PR_SET_THP_DISABLE), uintptr(flag), 0, 0, 0, 0)
++	if errno != 0 {
++		logrus.Errorf("disable THP failed: %v", errno)
++		return errno
++	}
++	return nil
++}
+diff --git a/sys/thp_amd64.go b/sys/thp_amd64.go
+new file mode 100644
+index 0000000..e1e977e
+--- /dev/null
++++ b/sys/thp_amd64.go
+@@ -0,0 +1,3 @@
++package sys
++
++const PRCTL_SYSCALL = 157
+diff --git a/sys/thp_arm64.go b/sys/thp_arm64.go
+new file mode 100644
+index 0000000..a6db8d6
+--- /dev/null
++++ b/sys/thp_arm64.go
+@@ -0,0 +1,3 @@
++package sys
++
++const PRCTL_SYSCALL = 167
+diff --git a/vendor/github.com/containerd/go-runc/monitor.go b/vendor/github.com/containerd/go-runc/monitor.go
+index bb8bbab..a9ac837 100644
+--- a/vendor/github.com/containerd/go-runc/monitor.go
++++ b/vendor/github.com/containerd/go-runc/monitor.go
+@@ -17,14 +17,15 @@
+ package runc
+ 
+ import (
+-	"os/exec"
+-	"syscall"
+-	"time"
+ 	"io/ioutil"
++	"os/exec"
+ 	"path/filepath"
+ 	"strconv"
+ 	"strings"
++	"syscall"
++	"time"
+ 
++	"github.com/containerd/containerd/sys"
+ 	"github.com/pkg/errors"
+ 	"github.com/sirupsen/logrus"
+ )
+@@ -54,7 +55,20 @@ type defaultMonitor struct {
+ }
+ 
+ func (m *defaultMonitor) Start(c *exec.Cmd) (chan Exit, error) {
++	// Set THP enabled for runc process.
++	if err := sys.SetTHPState(0, false); err != nil {
++		if err := sys.SetTHPState(1, true); err != nil {
++			return nil, err
++		}
++		return nil, err
++	}
+ 	if err := c.Start(); err != nil {
++		if err := sys.SetTHPState(1, true); err != nil {
++			return nil, err
++		}
++		return nil, err
++	}
++	if err := sys.SetTHPState(1, true); err != nil {
+ 		return nil, err
+ 	}
+ 	ec := make(chan Exit, 1)
+-- 
+2.33.0
+

patch/0112-containerd-cio-FIFOSet.Close-check-if-FIFOSet-is-nill-to-preven.patch

@@ -0,0 +1,26 @@
+From 38f756e73afaedae43d5d53e4731cf9ea45b8e5d Mon Sep 17 00:00:00 2001
+From: Sebastiaan van Stijn <github@gone.nl>
+Date: Thu, 29 Feb 2024 19:52:14 +0800
+Subject: [PATCH] cio: FIFOSet.Close() check if FIFOSet is nill to prevent NPE
+
+Reference:https://github.com/containerd/containerd/commit/6a2d3990d1db676935ea7d1d2f8e2b952998b5d9
+---
+ cio/io.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cio/io.go b/cio/io.go
+index bda04d2..dcf40aa 100644
+--- a/cio/io.go
++++ b/cio/io.go
+@@ -77,7 +77,7 @@ type FIFOSet struct {
+ 
+ // Close the FIFOSet
+ func (f *FIFOSet) Close() error {
+-	if f.close != nil {
++	if f != nil && f.close != nil {
+ 		return f.close()
+ 	}
+ 	return nil
+-- 
+2.33.0
+

series.conf

@@ -114,4 +114,10 @@ patch/0105-containerd-fix-allow-attaching-to-any-combination-of-stdin-stdo.patch
 # sw_64
 sw64_patch/3000-bbolt-add-support-sw_64.patch
 patch/0106-containerd-bump-ttrpc.patch
+patch/0107-containerd-Fix-missing-closed-fifo.patch
+patch/0108-containerd-Update-TTRPC-and-Protobuild-dependencies.patch
+patch/0109-containerd-Backport-net-http-regenerate-h2_bundle.go.patch
+patch/0110-containerd-update-vendored-golang.org-x-net.patch
+patch/0111-containerd-disable-Transparent-HugePage-for-shim-pro.patch
+patch/0112-containerd-cio-FIFOSet.Close-check-if-FIFOSet-is-nill-to-preven.patch
 # end