!314 docker:modify runc rpm package name to runc

From: @zhong-jiawei-1 
Reviewed-by: @zhangsong234 
Signed-off-by: @zhangsong234

VERSION-vendor

@@ -1 +1 @@
-18.09.0.331
+18.09.0.336

docker.spec

@@ -1,6 +1,6 @@
 Name: docker-engine
 Version: 18.09.0
-Release: 331
+Release: 336
 Epoch: 2
 Summary: The open-source application container engine
 Group: Tools/Docker
@@ -22,7 +22,7 @@ URL: https://mobyproject.org
 # most are already in the container (see contrib/builder/rpm/ARCH/generate.sh)
 BuildRequires: pkgconfig(systemd) golang >= 1.8.3 btrfs-progs-devel device-mapper-devel glibc-static libseccomp-devel
 BuildRequires: libselinux-devel libtool-ltdl-devel pkgconfig selinux-policy selinux-policy-devel sqlite-devel systemd-devel
-BuildRequires: tar containerd docker-runc docker-proxy git
+BuildRequires: tar containerd runc docker-proxy git
 
 # required packages on install
 Requires: /bin/sh iptables tar xz device-mapper-libs >= 1.02.90-1 systemd-units
@@ -213,6 +213,36 @@ fi
 %endif
 
 %changelog
+* Thu Jun 13 2024 zhongjiawei<zhongjiawei1@huawei.com> - 18.09.0-336
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:modify runc rpm package name to runc
+
+* Wed May 08 2024 chenjiankun<chenjiankun1@huawei.com> - 18.09.0-335
+- Type:CVE
+- CVE:CVE-2024-32473
+- SUG:NA
+- DESC:fix CVE-2024-32473
+
+* Fri Apr 12 2024 chenjiankun<chenjiankun1@huawei.com> - 18.09.0-334
+- Type:CVE
+- CVE:CVE-2024-29018
+- SUG:NA
+- DESC:fix CVE-2024-29018
+
+* Tue Mar 19 2024 chenjiankun<chenjiankun1@huawei.com> - 18.09.0-333
+- Type:CVE
+- CVE:CVE-2024-24557
+- SUG:NA
+- DESC:fix CVE-2024-24557
+
+* Tue Jan 02 2024 chenjiankun<chenjiankun1@huawei.com> - 18.09.0-332
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:sync patches from upstream
+
 * Thu Oct 12 2023 zhongjiawei<zhongjiawei1@huawei.com> - 18.09.0-331
 - Type:bugfix
 - CVE:NA

git-commit

@@ -1 +1 @@
-27990572a4a6368c387a04649493a8a41bf26d57
+4675816506f3dff800eea181d86ae6a0ff6e69af

patch/0264-Fix-possible-nil-pointer-exception.patch

@@ -0,0 +1,59 @@
+From b38955814a5c5259974e081d3abb8e7da7c1f90a Mon Sep 17 00:00:00 2001
+From: Song Zhang <zhangsong34@huawei.com>
+Date: Mon, 18 Dec 2023 20:22:14 +0800
+Subject: [PATCH 01/10] Fix possible nil pointer exception It is possible that
+ the node is not yet present in the node list map. In this case just print a
+ warning and return. The next iteration would be fine
+
+Signed-off-by: Flavio Crisciani <flavio.crisciani@docker.com>
+Upstream-commit: 151f42aeaa062535246a38330a78700398de53cd
+Component: engine
+
+Reference: https://github.com/docker/docker-ce/commit/b033961a82cd48cc31e5ae891f033fe4eb184192
+
+Signed-off-by: Song Zhang <zhangsong34@huawei.com>
+---
+ .../engine/vendor/github.com/docker/libnetwork/network.go | 8 +++-----
+ .../github.com/docker/libnetwork/networkdb/cluster.go     | 7 ++++++-
+ 2 files changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/components/engine/vendor/github.com/docker/libnetwork/network.go b/components/engine/vendor/github.com/docker/libnetwork/network.go
+index 4940aa835..0e7890769 100644
+--- a/components/engine/vendor/github.com/docker/libnetwork/network.go
++++ b/components/engine/vendor/github.com/docker/libnetwork/network.go
+@@ -396,11 +396,9 @@ func (n *network) validateConfiguration() error {
+ 					driverOptions map[string]string
+ 					opts          interface{}
+ 				)
+-				switch data.(type) {
+-				case map[string]interface{}:
+-					opts = data.(map[string]interface{})
+-				case map[string]string:
+-					opts = data.(map[string]string)
++				switch t := data.(type) {
++				case map[string]interface{}, map[string]string:
++					opts = t
+ 				}
+ 				ba, err := json.Marshal(opts)
+ 				if err != nil {
+diff --git a/components/engine/vendor/github.com/docker/libnetwork/networkdb/cluster.go b/components/engine/vendor/github.com/docker/libnetwork/networkdb/cluster.go
+index c98957084..2e7795440 100644
+--- a/components/engine/vendor/github.com/docker/libnetwork/networkdb/cluster.go
++++ b/components/engine/vendor/github.com/docker/libnetwork/networkdb/cluster.go
+@@ -288,7 +288,12 @@ func (nDB *NetworkDB) rejoinClusterBootStrap() {
+ 		return
+ 	}
+ 
+-	myself, _ := nDB.nodes[nDB.config.NodeID]
++	myself, ok := nDB.nodes[nDB.config.NodeID]
++	if !ok {
++		nDB.RUnlock()
++		logrus.Warnf("rejoinClusterBootstrap unable to find local node info using ID:%v", nDB.config.NodeID)
++		return
++	}
+ 	bootStrapIPs := make([]string, 0, len(nDB.bootStrapIP))
+ 	for _, bootIP := range nDB.bootStrapIP {
+ 		// botostrap IPs are usually IP:port from the Join
+-- 
+2.33.0
+

patch/0265-Fix-error-handling-for-bind-mount-spec-parser.patch

@@ -0,0 +1,37 @@
+From f1bc509fb5e58500bc3d8661d335268130e2e4a7 Mon Sep 17 00:00:00 2001
+From: Song Zhang <zhangsong34@huawei.com>
+Date: Mon, 18 Dec 2023 20:31:18 +0800
+Subject: [PATCH 03/10] Fix error handling for bind mount spec parser. Errors
+ were being ignored and always telling the user that the path doesn't exist
+ even if it was some other problem, such as a permission error.
+
+Signed-off-by: Brian Goff <cpuguy83@gmail.com>
+Upstream-commit: ebcef288343698dd86ff307f5b9c58aa52ce9fdd
+Component: engine
+
+Reference: https://github.com/docker/docker-ce/commit/2a8341f2528b3e3a5c70f0ebf0980af3e3f70119
+
+Signed-off-by: Song Zhang <zhangsong34@huawei.com>
+---
+ components/engine/volume/mounts/linux_parser.go | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/components/engine/volume/mounts/linux_parser.go b/components/engine/volume/mounts/linux_parser.go
+index 8e436aec0..e276a39ce 100644
+--- a/components/engine/volume/mounts/linux_parser.go
++++ b/components/engine/volume/mounts/linux_parser.go
+@@ -82,7 +82,10 @@ func (p *linuxParser) validateMountConfigImpl(mnt *mount.Mount, validateBindSour
+ 		}
+ 
+ 		if validateBindSourceExists {
+-			exists, _, _ := currentFileInfoProvider.fileInfo(mnt.Source)
++			exists, _, err := currentFileInfoProvider.fileInfo(mnt.Source)
++			if err != nil {
++				return &errMountConfig{mnt, err}
++			}
+ 			if !exists {
+ 				return &errMountConfig{mnt, errBindSourceDoesNotExist(mnt.Source)}
+ 			}
+-- 
+2.33.0
+

patch/0266-Fixed-the-inconsistence-and-also-a-potential-data-ra.patch

@@ -0,0 +1,59 @@
+From 2d1f0bc85e2d596d7cd566fe32d85ecd394af50d Mon Sep 17 00:00:00 2001
+From: Song Zhang <zhangsong34@huawei.com>
+Date: Mon, 18 Dec 2023 20:32:58 +0800
+Subject: [PATCH 04/10] =?UTF-8?q?Fixed=20the=20inconsistence=20and=20also?=
+ =?UTF-8?q?=20a=20potential=20data=20race=20in=20pkg/ioutils=E2=80=A6=20?=
+ =?UTF-8?q?=E2=80=A6/bytespipe.go:=20bp.closeErr=20is=20read/write=208=20t?=
+ =?UTF-8?q?imes;=207=20out=20of=208=20times=20it=20is=20protected=20by=20b?=
+ =?UTF-8?q?p.mu.Lock();=201=20out=20of=208=20times=20it=20is=20read=20with?=
+ =?UTF-8?q?out=20a=20Lock?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: lzhfromutsc <lzhfromustc@gmail.com>
+Upstream-commit: c2479f6ebf288fe8660ea64f51ac80cfdda3011d
+Component: engine
+
+Reference: https://github.com/docker/docker-ce/commit/cae76642b61f2306c610c91900fd8100967197fe
+
+Signed-off-by: Song Zhang <zhangsong34@huawei.com>
+---
+ components/engine/pkg/ioutils/bytespipe.go | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/components/engine/pkg/ioutils/bytespipe.go b/components/engine/pkg/ioutils/bytespipe.go
+index e04a5bf51..bd57e5fbb 100644
+--- a/components/engine/pkg/ioutils/bytespipe.go
++++ b/components/engine/pkg/ioutils/bytespipe.go
+@@ -29,11 +29,11 @@ var (
+ // and releases new byte slices to adjust to current needs, so the buffer
+ // won't be overgrown after peak loads.
+ type BytesPipe struct {
+-	mu       sync.Mutex
+-	wait     *sync.Cond
+-	buf      []*fixedBuffer
+-	bufLen   int
+-	closeErr error // error to return from next Read. set to nil if not closed.
++	mu        sync.Mutex
++	wait      *sync.Cond
++	buf       []*fixedBuffer
++	bufLen    int
++	closeErr  error // error to return from next Read. set to nil if not closed.
+ 	readBlock bool  // check read BytesPipe is Wait() or not
+ }
+ 
+@@ -132,8 +132,9 @@ func (bp *BytesPipe) Read(p []byte) (n int, err error) {
+ 	bp.mu.Lock()
+ 	if bp.bufLen == 0 {
+ 		if bp.closeErr != nil {
++			err := bp.closeErr
+ 			bp.mu.Unlock()
+-			return 0, bp.closeErr
++			return 0, err
+ 		}
+ 		bp.readBlock = true
+ 		bp.wait.Wait()
+-- 
+2.33.0
+

patch/0267-daemon-ProcessEvent-make-sure-to-cancel-the-contexts.patch

@@ -0,0 +1,54 @@
+From 543ae0a4cbdfa0253dc1fd2b29dc957ea23fde63 Mon Sep 17 00:00:00 2001
+From: Song Zhang <zhangsong34@huawei.com>
+Date: Mon, 18 Dec 2023 20:35:19 +0800
+Subject: [PATCH 05/10] daemon/ProcessEvent: make sure to cancel the contexts
+ Reported by govet linter:
+
+> daemon/monitor.go:57:9: lostcancel: the cancel function returned by context.WithTimeout should be called, not discarded, to avoid a context leak (govet)
+> 			ctx, _ := context.WithTimeout(context.Background(), 2*time.Second)
+> 			     ^
+> daemon/monitor.go:128:9: lostcancel: the cancel function returned by context.WithTimeout should be called, not discarded, to avoid a context leak (govet)
+> 			ctx, _ := context.WithTimeout(context.Background(), 2*time.Second)
+> 			     ^
+
+Fixes: b5f288 ("Handle blocked I/O of exec'd processes")
+Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
+Upstream-commit: 53cbf1797b001314035a13578ed60f015a0179e4
+Component: engine
+
+Reference: https://github.com/docker/docker-ce/commit/f43f820a8c0e17c76f6cb42ab07a9c526b64734c
+
+Signed-off-by: Song Zhang <zhangsong34@huawei.com>
+---
+ components/engine/daemon/monitor.go | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/components/engine/daemon/monitor.go b/components/engine/daemon/monitor.go
+index d47b51a33..7ab4d431b 100644
+--- a/components/engine/daemon/monitor.go
++++ b/components/engine/daemon/monitor.go
+@@ -77,8 +77,9 @@ func (daemon *Daemon) ProcessEvent(id string, e libcontainerd.EventType, ei libc
+ 				logrus.WithError(err).Warnf("failed to delete container %s from containerd", c.ID)
+ 			}
+ 
+-			ctx, _ := context.WithTimeout(context.Background(), 2*time.Second)
++			ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+ 			c.StreamConfig.Wait(ctx)
++			cancel()
+ 			c.Reset(false)
+ 
+ 			exitStatus := container.ExitStatus{
+@@ -145,8 +146,9 @@ func (daemon *Daemon) ProcessEvent(id string, e libcontainerd.EventType, ei libc
+ 			defer execConfig.Unlock()
+ 			execConfig.ExitCode = &ec
+ 			execConfig.Running = false
+-			ctx, _ := context.WithTimeout(context.Background(), 2*time.Second)
++			ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+ 			execConfig.StreamConfig.Wait(ctx)
++			cancel()
+ 			if err := execConfig.CloseStreams(); err != nil {
+ 				logrus.Errorf("failed to cleanup exec %s streams: %s", c.ID, err)
+ 			}
+-- 
+2.33.0
+

patch/0268-Fix-possible-runtime-panic-in-Lgetxattr.patch

@@ -0,0 +1,59 @@
+From 316b667f240bf2d3792188d05b8bdace294a8d2c Mon Sep 17 00:00:00 2001
+From: Sascha Grunert <sgrunert@suse.com>
+Date: Wed, 4 Dec 2019 14:25:58 +0100
+Subject: [PATCH 06/10] Fix possible runtime panic in Lgetxattr
+
+If `unix.Lgetxattr` returns an error, then `sz == -1` which will cause a
+runtime panic if `errno == unix.ERANGE`.
+
+Signed-off-by: Sascha Grunert <sgrunert@suse.com>
+Upstream-commit: 4138cd22abeaa7d1c49a96fa4c0045feb32b847e
+Component: engine
+
+Reference: https://github.com/docker/docker-ce/commit/b1d05350ecaf98f478577246d7e17311cd4761c9
+---
+ components/engine/pkg/system/xattrs_linux.go | 21 ++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/components/engine/pkg/system/xattrs_linux.go b/components/engine/pkg/system/xattrs_linux.go
+index 66d4895b2..d4f1a57fb 100644
+--- a/components/engine/pkg/system/xattrs_linux.go
++++ b/components/engine/pkg/system/xattrs_linux.go
+@@ -6,19 +6,28 @@ import "golang.org/x/sys/unix"
+ // and associated with the given path in the file system.
+ // It will returns a nil slice and nil error if the xattr is not set.
+ func Lgetxattr(path string, attr string) ([]byte, error) {
++	// Start with a 128 length byte array
+ 	dest := make([]byte, 128)
+ 	sz, errno := unix.Lgetxattr(path, attr, dest)
+-	if errno == unix.ENODATA {
++
++	switch {
++	case errno == unix.ENODATA:
+ 		return nil, nil
+-	}
+-	if errno == unix.ERANGE {
++	case errno == unix.ERANGE:
++		// 128 byte array might just not be good enough. A dummy buffer is used
++		// to get the real size of the xattrs on disk
++		sz, errno = unix.Lgetxattr(path, attr, []byte{})
++		if errno != nil {
++			return nil, errno
++		}
+ 		dest = make([]byte, sz)
+ 		sz, errno = unix.Lgetxattr(path, attr, dest)
+-	}
+-	if errno != nil {
++		if errno != nil {
++			return nil, errno
++		}
++	case errno != nil:
+ 		return nil, errno
+ 	}
+-
+ 	return dest[:sz], nil
+ }
+ 
+-- 
+2.33.0
+

patch/0269-vendor-vishvananda-netns-db3c7e526aae966c4ccfa6c8189.patch

@@ -0,0 +1,191 @@
+From 7968f451470d4fb2a50335ebb593e885fc54956e Mon Sep 17 00:00:00 2001
+From: Song Zhang <zhangsong34@huawei.com>
+Date: Mon, 18 Dec 2023 20:49:55 +0800
+Subject: [PATCH 07/10] vendor: vishvananda/netns
+ db3c7e526aae966c4ccfa6c8189b693d6ac5d202 Signed-off-by: Sebastiaan van Stijn
+ <github@gone.nl> Upstream-commit: e11c7fe3ab085939d74a386d763ca3ae4c67c7a0
+ Component: engine
+
+ Reference: https://github.com/docker/docker-ce/commit/7a24e475b3cb5975c7fc02b2d854ae58f13bcabd
+
+Signed-off-by: Song Zhang <zhangsong34@huawei.com>
+---
+ .../github.com/vishvananda/netns/netns.go     | 15 ++--
+ .../vishvananda/netns/netns_linux.go          | 72 +++++++++++++++----
+ 2 files changed, 66 insertions(+), 21 deletions(-)
+
+diff --git a/components/engine/vendor/github.com/vishvananda/netns/netns.go b/components/engine/vendor/github.com/vishvananda/netns/netns.go
+index 2ca0feedd..aa32ac7fd 100644
+--- a/components/engine/vendor/github.com/vishvananda/netns/netns.go
++++ b/components/engine/vendor/github.com/vishvananda/netns/netns.go
+@@ -10,7 +10,8 @@ package netns
+ 
+ import (
+ 	"fmt"
+-	"syscall"
++
++	"golang.org/x/sys/unix"
+ )
+ 
+ // NsHandle is a handle to a network namespace. It can be cast directly
+@@ -24,11 +25,11 @@ func (ns NsHandle) Equal(other NsHandle) bool {
+ 	if ns == other {
+ 		return true
+ 	}
+-	var s1, s2 syscall.Stat_t
+-	if err := syscall.Fstat(int(ns), &s1); err != nil {
++	var s1, s2 unix.Stat_t
++	if err := unix.Fstat(int(ns), &s1); err != nil {
+ 		return false
+ 	}
+-	if err := syscall.Fstat(int(other), &s2); err != nil {
++	if err := unix.Fstat(int(other), &s2); err != nil {
+ 		return false
+ 	}
+ 	return (s1.Dev == s2.Dev) && (s1.Ino == s2.Ino)
+@@ -36,11 +37,11 @@ func (ns NsHandle) Equal(other NsHandle) bool {
+ 
+ // String shows the file descriptor number and its dev and inode.
+ func (ns NsHandle) String() string {
+-	var s syscall.Stat_t
+ 	if ns == -1 {
+ 		return "NS(None)"
+ 	}
+-	if err := syscall.Fstat(int(ns), &s); err != nil {
++	var s unix.Stat_t
++	if err := unix.Fstat(int(ns), &s); err != nil {
+ 		return fmt.Sprintf("NS(%d: unknown)", ns)
+ 	}
+ 	return fmt.Sprintf("NS(%d: %d, %d)", ns, s.Dev, s.Ino)
+@@ -54,7 +55,7 @@ func (ns NsHandle) IsOpen() bool {
+ // Close closes the NsHandle and resets its file descriptor to -1.
+ // It is not safe to use an NsHandle after Close() is called.
+ func (ns *NsHandle) Close() error {
+-	if err := syscall.Close(int(*ns)); err != nil {
++	if err := unix.Close(int(*ns)); err != nil {
+ 		return err
+ 	}
+ 	(*ns) = -1
+diff --git a/components/engine/vendor/github.com/vishvananda/netns/netns_linux.go b/components/engine/vendor/github.com/vishvananda/netns/netns_linux.go
+index abdc30829..cf1db6025 100644
+--- a/components/engine/vendor/github.com/vishvananda/netns/netns_linux.go
++++ b/components/engine/vendor/github.com/vishvananda/netns/netns_linux.go
+@@ -1,3 +1,4 @@
++//go:build linux
+ // +build linux
+ 
+ package netns
+@@ -6,31 +7,31 @@ import (
+ 	"fmt"
+ 	"io/ioutil"
+ 	"os"
++	"path"
+ 	"path/filepath"
+ 	"strconv"
+ 	"strings"
+ 	"syscall"
++
++	"golang.org/x/sys/unix"
+ )
+ 
+ const (
+ 	// These constants belong in the syscall library but have not been
+ 	// added yet.
+-	CLONE_NEWUTS  = 0x04000000 /* New utsname group? */
+-	CLONE_NEWIPC  = 0x08000000 /* New ipcs */
+-	CLONE_NEWUSER = 0x10000000 /* New user namespace */
+-	CLONE_NEWPID  = 0x20000000 /* New pid namespace */
+-	CLONE_NEWNET  = 0x40000000 /* New network namespace */
+-	CLONE_IO      = 0x80000000 /* Get io context */
++	CLONE_NEWUTS  = 0x04000000   /* New utsname group? */
++	CLONE_NEWIPC  = 0x08000000   /* New ipcs */
++	CLONE_NEWUSER = 0x10000000   /* New user namespace */
++	CLONE_NEWPID  = 0x20000000   /* New pid namespace */
++	CLONE_NEWNET  = 0x40000000   /* New network namespace */
++	CLONE_IO      = 0x80000000   /* Get io context */
++	bindMountPath = "/run/netns" /* Bind mount path for named netns */
+ )
+ 
+ // Setns sets namespace using syscall. Note that this should be a method
+ // in syscall but it has not been added.
+ func Setns(ns NsHandle, nstype int) (err error) {
+-	_, _, e1 := syscall.Syscall(SYS_SETNS, uintptr(ns), uintptr(nstype), 0)
+-	if e1 != 0 {
+-		err = e1
+-	}
+-	return
++	return unix.Setns(int(ns), nstype)
+ }
+ 
+ // Set sets the current network namespace to the namespace represented
+@@ -41,21 +42,64 @@ func Set(ns NsHandle) (err error) {
+ 
+ // New creates a new network namespace and returns a handle to it.
+ func New() (ns NsHandle, err error) {
+-	if err := syscall.Unshare(CLONE_NEWNET); err != nil {
++	if err := unix.Unshare(CLONE_NEWNET); err != nil {
+ 		return -1, err
+ 	}
+ 	return Get()
+ }
+ 
++// NewNamed creates a new named network namespace and returns a handle to it
++func NewNamed(name string) (NsHandle, error) {
++	if _, err := os.Stat(bindMountPath); os.IsNotExist(err) {
++		err = os.MkdirAll(bindMountPath, 0755)
++		if err != nil {
++			return None(), err
++		}
++	}
++
++	newNs, err := New()
++	if err != nil {
++		return None(), err
++	}
++
++	namedPath := path.Join(bindMountPath, name)
++
++	f, err := os.OpenFile(namedPath, os.O_CREATE|os.O_EXCL, 0444)
++	if err != nil {
++		return None(), err
++	}
++	f.Close()
++
++	nsPath := fmt.Sprintf("/proc/%d/task/%d/ns/net", os.Getpid(), syscall.Gettid())
++	err = syscall.Mount(nsPath, namedPath, "bind", syscall.MS_BIND, "")
++	if err != nil {
++		return None(), err
++	}
++
++	return newNs, nil
++}
++
++// DeleteNamed deletes a named network namespace
++func DeleteNamed(name string) error {
++	namedPath := path.Join(bindMountPath, name)
++
++	err := syscall.Unmount(namedPath, syscall.MNT_DETACH)
++	if err != nil {
++		return err
++	}
++
++	return os.Remove(namedPath)
++}
++
+ // Get gets a handle to the current threads network namespace.
+ func Get() (NsHandle, error) {
+-	return GetFromThread(os.Getpid(), syscall.Gettid())
++	return GetFromThread(os.Getpid(), unix.Gettid())
+ }
+ 
+ // GetFromPath gets a handle to a network namespace
+ // identified by the path
+ func GetFromPath(path string) (NsHandle, error) {
+-	fd, err := syscall.Open(path, syscall.O_RDONLY, 0)
++	fd, err := unix.Open(path, unix.O_RDONLY|unix.O_CLOEXEC, 0)
+ 	if err != nil {
+ 		return -1, err
+ 	}
+-- 
+2.33.0
+

patch/0270-Update-daemon_linux.go-for-preventing-off-by-one.patch

@@ -0,0 +1,33 @@
+From 3b9d957c2a590f54eb03b37c48e8c1a911430ed6 Mon Sep 17 00:00:00 2001
+From: Song Zhang <zhangsong34@huawei.com>
+Date: Mon, 18 Dec 2023 20:50:54 +0800
+Subject: [PATCH 08/10] Update daemon_linux.go for preventing off-by-one Array
+ length should be bigger than 5, when accessing index 4
+
+Signed-off-by: J-jaeyoung <jjy600901@gmail.com>
+Upstream-commit: 19eda6b9a2991733a7e5b8fb0c435bf55846461f
+Component: engine
+
+Reference: https://github.com/docker/docker-ce/commit/f89fd3df7d5c4a63fed8e47ece566fa2d1db681d
+
+Signed-off-by: Song Zhang <zhangsong34@huawei.com>
+---
+ components/engine/daemon/daemon_linux.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/components/engine/daemon/daemon_linux.go b/components/engine/daemon/daemon_linux.go
+index 6a5790b4f..ed23bf30d 100644
+--- a/components/engine/daemon/daemon_linux.go
++++ b/components/engine/daemon/daemon_linux.go
+@@ -49,7 +49,7 @@ func (daemon *Daemon) cleanupMountsFromReaderByID(reader io.Reader, id string, u
+ 	regexps := getCleanPatterns(id)
+ 	sc := bufio.NewScanner(reader)
+ 	for sc.Scan() {
+-		if fields := strings.Fields(sc.Text()); len(fields) >= 4 {
++		if fields := strings.Fields(sc.Text()); len(fields) > 4 {
+ 			if mnt := fields[4]; strings.HasPrefix(mnt, daemon.root) {
+ 				for _, p := range regexps {
+ 					if p.MatchString(mnt) {
+-- 
+2.33.0
+

patch/0271-libnetwork-processEndpointDelete-Fix-deadlock-betwee.patch

@@ -0,0 +1,73 @@
+From fb353504e81196d7030710b648834ca61092f3aa Mon Sep 17 00:00:00 2001
+From: Song Zhang <zhangsong34@huawei.com>
+Date: Mon, 18 Dec 2023 20:59:30 +0800
+Subject: [PATCH 09/10] =?UTF-8?q?libnetwork:=20processEndpointDelete:=20Fi?=
+ =?UTF-8?q?x=20deadlock=20between=20getSvcRecords=E2=80=A6=20=E2=80=A6=20a?=
+ =?UTF-8?q?nd=20processEndpointDelete?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We had some hosts with quite a bit of cycling containers that ocassionally causes docker daemons to lock up.
+Most prominently `docker run` commands do not respond and nothing happens anymore.
+
+Looking at the stack trace the following is at least likely sometimes a cause to that:
+Two goroutines g0 and g1 can race against each other:
+* (g0) 1. getSvcRecords is called and calls (*network).Lock()
+       --> Network is locked.
+* (g1) 2. processEndpointDelete is called, and calls (*controller).Lock()
+       --> Controller is locked
+* (g1) 3. processEndpointDelete tries (*network).ID() which calls (*network).Lock().
+* (g0) 4. getSvcRecords calls (*controller).Lock().
+
+3./4. are deadlocked against each other since the other goroutine holds the lock they need.
+
+References https://github.com/moby/libnetwork/blob/b5dc37037049d9b9ef68a3c4611e5eb1b35dd2af/network.go
+
+Signed-off-by: Steffen Butzer <steffen.butzer@outlook.com>
+Upstream-commit: 7c97896747726554165480d102d9e46c54334cba
+Component: engine
+
+Reference: https://github.com/docker/docker-ce/commit/76e42601417c9bbcd7637a8b75d2d4318f6254ed
+
+Signed-off-by: Song Zhang <zhangsong34@huawei.com>
+---
+ .../vendor/github.com/docker/libnetwork/store.go      | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/components/engine/vendor/github.com/docker/libnetwork/store.go b/components/engine/vendor/github.com/docker/libnetwork/store.go
+index 0a7c5754d..65af83d22 100644
+--- a/components/engine/vendor/github.com/docker/libnetwork/store.go
++++ b/components/engine/vendor/github.com/docker/libnetwork/store.go
+@@ -421,11 +421,14 @@ func (c *controller) processEndpointDelete(nmap map[string]*netWatch, ep *endpoi
+ 		return
+ 	}
+ 
++	networkID := n.ID()
++	endpointID := ep.ID()
++
+ 	c.Lock()
+-	nw, ok := nmap[n.ID()]
++	nw, ok := nmap[networkID]
+ 
+ 	if ok {
+-		delete(nw.localEps, ep.ID())
++		delete(nw.localEps, endpointID)
+ 		c.Unlock()
+ 
+ 		// Update the svc db about local endpoint leave right away
+@@ -439,9 +442,9 @@ func (c *controller) processEndpointDelete(nmap map[string]*netWatch, ep *endpoi
+ 
+ 			// This is the last container going away for the network. Destroy
+ 			// this network's svc db entry
+-			delete(c.svcRecords, n.ID())
++			delete(c.svcRecords, networkID)
+ 
+-			delete(nmap, n.ID())
++			delete(nmap, networkID)
+ 		}
+ 	}
+ 	c.Unlock()
+-- 
+2.33.0
+

patch/0272-Fixes-41871-Update-daemon-daemon.go-resume-healthche.patch

@@ -0,0 +1,55 @@
+From b12d244a382c920c19a75fbc52845ef7b74fcaac Mon Sep 17 00:00:00 2001
+From: Song Zhang <zhangsong34@huawei.com>
+Date: Mon, 18 Dec 2023 21:08:59 +0800
+Subject: [PATCH 10/10] Fixes #41871: Update daemon/daemon.go: resume
+ healthcheck on restore Call updateHealthMonitor for alive non-paused
+ containers
+
+Signed-off-by: Alexis Ries <alexis.ries.ext@orange.com>
+Upstream-commit: 9f39889dee7d96430359d7e1f8970a88acad59e5
+Component: engine
+
+Reference: https://github.com/docker/docker-ce/commit/b92585a47049e661c8dcc0956e3e5f0210b5c4f3
+
+Signed-off-by: Song Zhang <zhangsong34@huawei.com>
+---
+ components/engine/daemon/daemon.go | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/components/engine/daemon/daemon.go b/components/engine/daemon/daemon.go
+index 8754492ce..80a2f54f4 100644
+--- a/components/engine/daemon/daemon.go
++++ b/components/engine/daemon/daemon.go
+@@ -416,7 +416,8 @@ func (daemon *Daemon) restore() error {
+ 			if c.IsRunning() || c.IsPaused() {
+ 				c.RestartManager().Cancel() // manually start containers because some need to wait for swarm networking
+ 
+-				if c.IsPaused() && alive {
++				switch {
++				case c.IsPaused() && alive:
+ 					s, err := daemon.containerd.Status(context.Background(), c.ID)
+ 					if err != nil {
+ 						logrus.WithError(err).WithField("container", c.ID).
+@@ -437,6 +438,7 @@ func (daemon *Daemon) restore() error {
+ 							c.Lock()
+ 							c.Paused = false
+ 							daemon.setStateCounter(c)
++							daemon.updateHealthMonitor(c)
+ 							if err := c.CheckpointTo(daemon.containersReplica); err != nil {
+ 								logrus.WithError(err).WithField("container", c.ID).
+ 									Error("Failed to update stopped container state")
+@@ -444,6 +446,11 @@ func (daemon *Daemon) restore() error {
+ 							c.Unlock()
+ 						}
+ 					}
++				case !c.IsPaused() && alive:
++					logrus.Debug("restoring healthcheck")
++					c.Lock()
++					daemon.updateHealthMonitor(c)
++					c.Unlock()
+ 				}
+ 
+ 				if !alive {
+-- 
+2.33.0
+

patch/0273-backport-fix-CVE-2024-24557.patch

@@ -0,0 +1,612 @@
+From 1f21f5717e4347322de8f62e4141696ae213abe9 Mon Sep 17 00:00:00 2001
+From: chenjiankun <chenjiankun1@huawei.com>
+Date: Fri, 1 Mar 2024 10:29:33 +0800
+Subject: [PATCH] docker: fix CVE-2024-24557
+
+image/cache: Restrict cache candidates to locally built images
+
+Conflict:builder/dockerfile/copy.go,builder/dockerfile/dispatchers.go,image/cache/cache.go,image/cache/compare.go,image/store.go,daemon/containerd/cache.go,builder/dockerfile/dispatchers.go
+Reference: https://github.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae
+
+---
+ components/engine/builder/builder.go          |   3 +-
+ components/engine/builder/dockerfile/copy.go  |  16 +-
+ .../engine/builder/dockerfile/imageprobe.go   |   9 +-
+ .../engine/builder/dockerfile/internals.go    |  18 ++-
+ .../builder/dockerfile/mockbackend_test.go    |   3 +-
+ .../engine/daemon/images/image_builder.go     |   3 +
+ .../engine/daemon/images/image_commit.go      |   3 +
+ components/engine/image/cache/cache.go        |  78 +++++++++-
+ components/engine/image/cache/compare.go      | 143 +++++++++++++++---
+ components/engine/image/image.go              |  10 ++
+ components/engine/image/store.go              |  19 +++
+ 11 files changed, 253 insertions(+), 52 deletions(-)
+
+diff --git a/components/engine/builder/builder.go b/components/engine/builder/builder.go
+index 3eb034141..0e0a887df 100644
+--- a/components/engine/builder/builder.go
++++ b/components/engine/builder/builder.go
+@@ -15,6 +15,7 @@ import (
+ 	"github.com/docker/docker/image"
+ 	"github.com/docker/docker/layer"
+ 	"github.com/docker/docker/pkg/containerfs"
++	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+ )
+ 
+ const (
+@@ -89,7 +90,7 @@ type ImageCacheBuilder interface {
+ type ImageCache interface {
+ 	// GetCache returns a reference to a cached image whose parent equals `parent`
+ 	// and runconfig equals `cfg`. A cache miss is expected to return an empty ID and a nil error.
+-	GetCache(parentID string, cfg *container.Config) (imageID string, err error)
++	GetCache(parentID string, cfg *container.Config, platform ocispec.Platform) (imageID string, err error)
+ }
+ 
+ // Image represents a Docker image used by the builder.
+diff --git a/components/engine/builder/dockerfile/copy.go b/components/engine/builder/dockerfile/copy.go
+index c7a90f59b..f8a6a0885 100644
+--- a/components/engine/builder/dockerfile/copy.go
++++ b/components/engine/builder/dockerfile/copy.go
+@@ -83,26 +83,14 @@ type copier struct {
+ }
+ 
+ func copierFromDispatchRequest(req dispatchRequest, download sourceDownloader, imageSource *imageMount) copier {
+-	platform := req.builder.platform
+-	if platform == nil {
+-		// May be nil if not explicitly set in API/dockerfile
+-		platform = &specs.Platform{}
+-	}
+-	if platform.OS == "" {
+-		// Default to the dispatch requests operating system if not explicit in API/dockerfile
+-		platform.OS = req.state.operatingSystem
+-	}
+-	if platform.OS == "" {
+-		// This is a failsafe just in case. Shouldn't be hit.
+-		platform.OS = runtime.GOOS
+-	}
++	platform := req.builder.getPlatform(req.state)
+ 
+ 	return copier{
+ 		source:      req.source,
+ 		pathCache:   req.builder.pathCache,
+ 		download:    download,
+ 		imageSource: imageSource,
+-		platform:    platform,
++		platform:    &platform,
+ 	}
+ 
+ }
+diff --git a/components/engine/builder/dockerfile/imageprobe.go b/components/engine/builder/dockerfile/imageprobe.go
+index 6960bf889..c2a8d116b 100644
+--- a/components/engine/builder/dockerfile/imageprobe.go
++++ b/components/engine/builder/dockerfile/imageprobe.go
+@@ -3,6 +3,7 @@ package dockerfile // import "github.com/docker/docker/builder/dockerfile"
+ import (
+ 	"github.com/docker/docker/api/types/container"
+ 	"github.com/docker/docker/builder"
++	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+ 	"github.com/sirupsen/logrus"
+ )
+ 
+@@ -10,7 +11,7 @@ import (
+ // cache.
+ type ImageProber interface {
+ 	Reset()
+-	Probe(parentID string, runConfig *container.Config) (string, error)
++	Probe(parentID string, runConfig *container.Config, platform ocispec.Platform) (string, error)
+ }
+ 
+ type imageProber struct {
+@@ -37,11 +38,11 @@ func (c *imageProber) Reset() {
+ 
+ // Probe checks if cache match can be found for current build instruction.
+ // It returns the cachedID if there is a hit, and the empty string on miss
+-func (c *imageProber) Probe(parentID string, runConfig *container.Config) (string, error) {
++func (c *imageProber) Probe(parentID string, runConfig *container.Config, platform ocispec.Platform) (string, error) {
+ 	if c.cacheBusted {
+ 		return "", nil
+ 	}
+-	cacheID, err := c.cache.GetCache(parentID, runConfig)
++	cacheID, err := c.cache.GetCache(parentID, runConfig, platform)
+ 	if err != nil {
+ 		return "", err
+ 	}
+@@ -58,6 +59,6 @@ type nopProber struct{}
+ 
+ func (c *nopProber) Reset() {}
+ 
+-func (c *nopProber) Probe(_ string, _ *container.Config) (string, error) {
++func (c *nopProber) Probe(_ string, _ *container.Config, _ ocispec.Platform) (string, error) {
+ 	return "", nil
+ }
+diff --git a/components/engine/builder/dockerfile/internals.go b/components/engine/builder/dockerfile/internals.go
+index 5d906e364..2411a9e46 100644
+--- a/components/engine/builder/dockerfile/internals.go
++++ b/components/engine/builder/dockerfile/internals.go
+@@ -14,6 +14,7 @@ import (
+ 	"runtime"
+ 	"strings"
+ 
++	"github.com/containerd/containerd/platforms"
+ 	"github.com/docker/docker/api/types"
+ 	"github.com/docker/docker/api/types/backend"
+ 	"github.com/docker/docker/api/types/container"
+@@ -26,6 +27,7 @@ import (
+ 	"github.com/docker/docker/pkg/stringid"
+ 	"github.com/docker/docker/pkg/system"
+ 	"github.com/docker/go-connections/nat"
++	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+ 	"github.com/pkg/errors"
+ 	"github.com/sirupsen/logrus"
+ )
+@@ -413,7 +415,7 @@ func getShell(c *container.Config, os string) []string {
+ }
+ 
+ func (b *Builder) probeCache(dispatchState *dispatchState, runConfig *container.Config) (bool, error) {
+-	cachedID, err := b.imageProber.Probe(dispatchState.imageID, runConfig)
++	cachedID, err := b.imageProber.Probe(dispatchState.imageID, runConfig, b.getPlatform(dispatchState))
+ 	if cachedID == "" || err != nil {
+ 		return false, err
+ 	}
+@@ -449,6 +451,20 @@ func (b *Builder) create(runConfig *container.Config) (string, error) {
+ 	return container.ID, nil
+ }
+ 
++func (b *Builder) getPlatform(state *dispatchState) ocispec.Platform {
++	// May be nil if not explicitly set in API/dockerfile
++	out := platforms.DefaultSpec()
++	if b.platform != nil {
++		out = *b.platform
++	}
++
++	if state.operatingSystem != "" {
++		out.OS = state.operatingSystem
++	}
++
++	return out
++}
++
+ func hostConfigFromOptions(options *types.ImageBuildOptions, isWCOW bool) *container.HostConfig {
+ 	resources := container.Resources{
+ 		CgroupParent: options.CgroupParent,
+diff --git a/components/engine/builder/dockerfile/mockbackend_test.go b/components/engine/builder/dockerfile/mockbackend_test.go
+index 45cba00a8..fa0066054 100644
+--- a/components/engine/builder/dockerfile/mockbackend_test.go
++++ b/components/engine/builder/dockerfile/mockbackend_test.go
+@@ -13,6 +13,7 @@ import (
+ 	containerpkg "github.com/docker/docker/container"
+ 	"github.com/docker/docker/image"
+ 	"github.com/docker/docker/layer"
++	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+ 	"github.com/docker/docker/pkg/containerfs"
+ )
+ 
+@@ -111,7 +112,7 @@ type mockImageCache struct {
+ 	getCacheFunc func(parentID string, cfg *container.Config) (string, error)
+ }
+ 
+-func (mic *mockImageCache) GetCache(parentID string, cfg *container.Config) (string, error) {
++func (mic *mockImageCache) GetCache(parentID string, cfg *container.Config, _ ocispec.Platform) (string, error) {
+ 	if mic.getCacheFunc != nil {
+ 		return mic.getCacheFunc(parentID, cfg)
+ 	}
+diff --git a/components/engine/daemon/images/image_builder.go b/components/engine/daemon/images/image_builder.go
+index cdf951c6f..c77bd268b 100644
+--- a/components/engine/daemon/images/image_builder.go
++++ b/components/engine/daemon/images/image_builder.go
+@@ -220,6 +220,9 @@ func (i *ImageService) CreateImage(config []byte, parent string) (builder.Image,
+ 			return nil, errors.Wrapf(err, "failed to set parent %s", parent)
+ 		}
+ 	}
++	if err := i.imageStore.SetBuiltLocally(id); err != nil {
++		return nil, errors.Wrapf(err, "failed to mark image %s as built locally", id)
++	}
+ 
+ 	return i.imageStore.Get(id)
+ }
+diff --git a/components/engine/daemon/images/image_commit.go b/components/engine/daemon/images/image_commit.go
+index 4caba9f27..23a01b627 100644
+--- a/components/engine/daemon/images/image_commit.go
++++ b/components/engine/daemon/images/image_commit.go
+@@ -62,6 +62,9 @@ func (i *ImageService) CommitImage(c backend.CommitConfig) (image.ID, error) {
+ 	if err != nil {
+ 		return "", err
+ 	}
++	if err := i.imageStore.SetBuiltLocally(id); err != nil {
++		return "", err
++	}
+ 
+ 	if c.ParentImageID != "" {
+ 		if err := i.imageStore.SetParent(id, image.ID(c.ParentImageID)); err != nil {
+diff --git a/components/engine/image/cache/cache.go b/components/engine/image/cache/cache.go
+index 6d3f4c57b..6d4adcecf 100644
+--- a/components/engine/image/cache/cache.go
++++ b/components/engine/image/cache/cache.go
+@@ -1,16 +1,21 @@
+ package cache // import "github.com/docker/docker/image/cache"
+ 
+ import (
++	"context"
+ 	"encoding/json"
+ 	"fmt"
+ 	"reflect"
+ 	"strings"
+ 
++	"github.com/containerd/containerd/log"
++	"github.com/containerd/containerd/platforms"
+ 	containertypes "github.com/docker/docker/api/types/container"
+ 	"github.com/docker/docker/dockerversion"
+ 	"github.com/docker/docker/image"
+ 	"github.com/docker/docker/layer"
++	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+ 	"github.com/pkg/errors"
++	"github.com/sirupsen/logrus"
+ )
+ 
+ // NewLocal returns a local image cache, based on parent chain
+@@ -26,8 +31,8 @@ type LocalImageCache struct {
+ }
+ 
+ // GetCache returns the image id found in the cache
+-func (lic *LocalImageCache) GetCache(imgID string, config *containertypes.Config) (string, error) {
+-	return getImageIDAndError(getLocalCachedImage(lic.store, image.ID(imgID), config))
++func (lic *LocalImageCache) GetCache(imgID string, config *containertypes.Config, platform ocispec.Platform) (string, error) {
++	return getImageIDAndError(getLocalCachedImage(lic.store, image.ID(imgID), config, platform))
+ }
+ 
+ // New returns an image cache, based on history objects
+@@ -51,8 +56,8 @@ func (ic *ImageCache) Populate(image *image.Image) {
+ }
+ 
+ // GetCache returns the image id found in the cache
+-func (ic *ImageCache) GetCache(parentID string, cfg *containertypes.Config) (string, error) {
+-	imgID, err := ic.localImageCache.GetCache(parentID, cfg)
++func (ic *ImageCache) GetCache(parentID string, cfg *containertypes.Config, platform ocispec.Platform) (string, error) {
++	imgID, err := ic.localImageCache.GetCache(parentID, cfg, platform)
+ 	if err != nil {
+ 		return "", err
+ 	}
+@@ -215,7 +220,23 @@ func getImageIDAndError(img *image.Image, err error) (string, error) {
+ // of the image with imgID, that had the same config when it was
+ // created. nil is returned if a child cannot be found. An error is
+ // returned if the parent image cannot be found.
+-func getLocalCachedImage(imageStore image.Store, imgID image.ID, config *containertypes.Config) (*image.Image, error) {
++func getLocalCachedImage(imageStore image.Store, imgID image.ID, config *containertypes.Config, platform ocispec.Platform) (*image.Image, error) {
++	if config == nil {
++		return nil, nil
++	}
++
++	isBuiltLocally := func(id image.ID) bool {
++		builtLocally, err := imageStore.IsBuiltLocally(id)
++		if err != nil {
++			log.G(context.TODO()).WithFields(logrus.Fields{
++				"error": err,
++				"id":    id,
++			}).Warn("failed to check if image was built locally")
++			return false
++		}
++		return builtLocally
++	}
++
+ 	// Loop on the children of the given image and check the config
+ 	getMatch := func(siblings []image.ID) (*image.Image, error) {
+ 		var match *image.Image
+@@ -225,6 +246,19 @@ func getLocalCachedImage(imageStore image.Store, imgID image.ID, config *contain
+ 				return nil, fmt.Errorf("unable to find image %q", id)
+ 			}
+ 
++			if !isBuiltLocally(id) {
++				continue
++			}
++
++			imgPlatform := img.Platform()
++			// Discard old linux/amd64 images with empty platform.
++			if imgPlatform.OS == "" && imgPlatform.Architecture == "" {
++				continue
++			}
++			if !platforms.Ordered(platforms.Normalize(platform)).Match(imgPlatform) {
++				continue
++			}
++
+ 			if compare(&img.ContainerConfig, config) {
+ 				// check for the most up to date match
+ 				if match == nil || match.Created.Before(img.Created) {
+@@ -238,11 +272,29 @@ func getLocalCachedImage(imageStore image.Store, imgID image.ID, config *contain
+ 	// In this case, this is `FROM scratch`, which isn't an actual image.
+ 	if imgID == "" {
+ 		images := imageStore.Map()
++
+ 		var siblings []image.ID
+ 		for id, img := range images {
+-			if img.Parent == imgID {
+-				siblings = append(siblings, id)
++			if img.Parent != "" {
++				continue
+ 			}
++
++			if !isBuiltLocally(id) {
++				continue
++			}
++
++			// Do a quick initial filter on the Cmd to avoid adding all
++			// non-local images with empty parent to the siblings slice and
++			// performing a full config compare.
++			//
++			// config.Cmd is set to the current Dockerfile instruction so we
++			// check it against the img.ContainerConfig.Cmd which is the
++			// command of the last layer.
++			if !strSliceEqual(img.ContainerConfig.Cmd, config.Cmd) {
++				continue
++			}
++
++			siblings = append(siblings, id)
+ 		}
+ 		return getMatch(siblings)
+ 	}
+@@ -251,3 +303,15 @@ func getLocalCachedImage(imageStore image.Store, imgID image.ID, config *contain
+ 	siblings := imageStore.Children(imgID)
+ 	return getMatch(siblings)
+ }
++
++func strSliceEqual(a, b []string) bool {
++	if len(a) != len(b) {
++		return false
++	}
++	for i := 0; i < len(a); i++ {
++		if a[i] != b[i] {
++			return false
++		}
++	}
++	return true
++}
+diff --git a/components/engine/image/cache/compare.go b/components/engine/image/cache/compare.go
+index e31e9c8bd..d438b65be 100644
+--- a/components/engine/image/cache/compare.go
++++ b/components/engine/image/cache/compare.go
+@@ -4,42 +4,69 @@ import (
+ 	"github.com/docker/docker/api/types/container"
+ )
+ 
+-// compare two Config struct. Do not compare the "Image" nor "Hostname" fields
+-// If OpenStdin is set, then it differs
++// TODO: Remove once containerd image service directly uses the ImageCache and
++// LocalImageCache structs.
++func CompareConfig(a, b *container.Config) bool {
++	return compare(a, b)
++}
++
++// compare two Config struct. Do not container-specific fields:
++// - Image
++// - Hostname
++// - Domainname
++// - MacAddress
+ func compare(a, b *container.Config) bool {
+-	if a == nil || b == nil ||
+-		a.OpenStdin || b.OpenStdin {
++	if a == nil || b == nil {
++		return false
++	}
++
++	if len(a.Env) != len(b.Env) {
+ 		return false
+ 	}
+-	if a.AttachStdout != b.AttachStdout ||
+-		a.AttachStderr != b.AttachStderr ||
+-		a.User != b.User ||
+-		a.OpenStdin != b.OpenStdin ||
+-		a.Tty != b.Tty {
++	if len(a.Cmd) != len(b.Cmd) {
+ 		return false
+ 	}
+-
+-	if len(a.Cmd) != len(b.Cmd) ||
+-		len(a.Env) != len(b.Env) ||
+-		len(a.Labels) != len(b.Labels) ||
+-		len(a.ExposedPorts) != len(b.ExposedPorts) ||
+-		len(a.Entrypoint) != len(b.Entrypoint) ||
+-		len(a.Volumes) != len(b.Volumes) {
++	if len(a.Entrypoint) != len(b.Entrypoint) {
++		return false
++	}
++	if len(a.Shell) != len(b.Shell) {
++		return false
++	}
++	if len(a.ExposedPorts) != len(b.ExposedPorts) {
++		return false
++	}
++	if len(a.Volumes) != len(b.Volumes) {
++		return false
++	}
++	if len(a.Labels) != len(b.Labels) {
++		return false
++	}
++	if len(a.OnBuild) != len(b.OnBuild) {
+ 		return false
+ 	}
+ 
++	for i := 0; i < len(a.Env); i++ {
++		if a.Env[i] != b.Env[i] {
++			return false
++		}
++	}
++	for i := 0; i < len(a.OnBuild); i++ {
++		if a.OnBuild[i] != b.OnBuild[i] {
++			return false
++		}
++	}
+ 	for i := 0; i < len(a.Cmd); i++ {
+ 		if a.Cmd[i] != b.Cmd[i] {
+ 			return false
+ 		}
+ 	}
+-	for i := 0; i < len(a.Env); i++ {
+-		if a.Env[i] != b.Env[i] {
++	for i := 0; i < len(a.Entrypoint); i++ {
++		if a.Entrypoint[i] != b.Entrypoint[i] {
+ 			return false
+ 		}
+ 	}
+-	for k, v := range a.Labels {
+-		if v != b.Labels[k] {
++	for i := 0; i < len(a.Shell); i++ {
++		if a.Shell[i] != b.Shell[i] {
+ 			return false
+ 		}
+ 	}
+@@ -48,16 +75,84 @@ func compare(a, b *container.Config) bool {
+ 			return false
+ 		}
+ 	}
++	for key := range a.Volumes {
++		if _, exists := b.Volumes[key]; !exists {
++			return false
++		}
++	}
++	for k, v := range a.Labels {
++		if v != b.Labels[k] {
++			return false
++		}
++	}
+ 
+-	for i := 0; i < len(a.Entrypoint); i++ {
+-		if a.Entrypoint[i] != b.Entrypoint[i] {
++	if a.AttachStdin != b.AttachStdin {
++		return false
++	}
++	if a.AttachStdout != b.AttachStdout {
++		return false
++	}
++	if a.AttachStderr != b.AttachStderr {
++		return false
++	}
++	if a.NetworkDisabled != b.NetworkDisabled {
++		return false
++	}
++	if a.Tty != b.Tty {
++		return false
++	}
++	if a.OpenStdin != b.OpenStdin {
++		return false
++	}
++	if a.StdinOnce != b.StdinOnce {
++		return false
++	}
++	if a.ArgsEscaped != b.ArgsEscaped {
++		return false
++	}
++	if a.User != b.User {
++		return false
++	}
++	if a.WorkingDir != b.WorkingDir {
++		return false
++	}
++	if a.StopSignal != b.StopSignal {
++		return false
++	}
++
++	if (a.StopTimeout == nil) != (b.StopTimeout == nil) {
++		return false
++	}
++	if a.StopTimeout != nil && b.StopTimeout != nil {
++		if *a.StopTimeout != *b.StopTimeout {
+ 			return false
+ 		}
+ 	}
+-	for key := range a.Volumes {
+-		if _, exists := b.Volumes[key]; !exists {
++	if (a.Healthcheck == nil) != (b.Healthcheck == nil) {
++		return false
++	}
++	if a.Healthcheck != nil && b.Healthcheck != nil {
++		if a.Healthcheck.Interval != b.Healthcheck.Interval {
+ 			return false
+ 		}
++		if a.Healthcheck.StartPeriod != b.Healthcheck.StartPeriod {
++			return false
++		}
++		if a.Healthcheck.Timeout != b.Healthcheck.Timeout {
++			return false
++		}
++		if a.Healthcheck.Retries != b.Healthcheck.Retries {
++			return false
++		}
++		if len(a.Healthcheck.Test) != len(b.Healthcheck.Test) {
++			return false
++		}
++		for i := 0; i < len(a.Healthcheck.Test); i++ {
++			if a.Healthcheck.Test[i] != b.Healthcheck.Test[i] {
++				return false
++			}
++		}
+ 	}
++
+ 	return true
+ }
+diff --git a/components/engine/image/image.go b/components/engine/image/image.go
+index bb6046b5e..bd36e6621 100644
+--- a/components/engine/image/image.go
++++ b/components/engine/image/image.go
+@@ -12,6 +12,7 @@ import (
+ 	"github.com/docker/docker/dockerversion"
+ 	"github.com/docker/docker/layer"
+ 	"github.com/opencontainers/go-digest"
++	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+ )
+ 
+ // ID is the content-addressable ID of an image.
+@@ -114,6 +115,15 @@ func (img *Image) OperatingSystem() string {
+ 	return os
+ }
+ 
++func (img *Image) Platform() ocispec.Platform {
++	return ocispec.Platform{
++		Architecture: img.Architecture,
++		OS:           img.OS,
++		OSVersion:    img.OSVersion,
++		OSFeatures:   img.OSFeatures,
++	}
++}
++
+ // MarshalJSON serializes the image to JSON. It sorts the top-level keys so
+ // that JSON that's been manipulated by a push/pull cycle with a legacy
+ // registry won't end up with a different key order.
+diff --git a/components/engine/image/store.go b/components/engine/image/store.go
+index b31cd4a61..4044c0a23 100644
+--- a/components/engine/image/store.go
++++ b/components/engine/image/store.go
+@@ -27,6 +27,8 @@ type Store interface {
+ 	GetParent(id ID) (ID, error)
+ 	SetLastUpdated(id ID) error
+ 	GetLastUpdated(id ID) (time.Time, error)
++	SetBuiltLocally(id ID) error
++	IsBuiltLocally(id ID) (bool, error)
+ 	Children(id ID) []ID
+ 	Map() map[ID]*Image
+ 	Heads() map[ID]*Image
+@@ -313,6 +315,23 @@ func (is *store) GetLastUpdated(id ID) (time.Time, error) {
+ 	return time.Parse(time.RFC3339Nano, string(bytes))
+ }
+ 
++// SetBuiltLocally sets whether image can be used as a builder cache
++func (is *store) SetBuiltLocally(id ID) error {
++	return is.fs.SetMetadata(id.Digest(), "builtLocally", []byte{1})
++}
++
++// IsBuiltLocally returns whether image can be used as a builder cache
++func (is *store) IsBuiltLocally(id ID) (bool, error) {
++	bytes, err := is.fs.GetMetadata(id.Digest(), "builtLocally")
++	if err != nil || len(bytes) == 0 {
++		if err == os.ErrNotExist {
++			err = nil
++		}
++		return false, err
++	}
++	return bytes[0] == 1, nil
++}
++
+ func (is *store) Children(id ID) []ID {
+ 	is.RLock()
+ 	defer is.RUnlock()
+-- 
+2.23.0
+

patch/0274-docker-fix-CVE-2024-29018.patch

@@ -0,0 +1,101 @@
+From e90f75c9e91427aa6254a89a10c619a17e2be594 Mon Sep 17 00:00:00 2001
+From: chenjiankun <chenjiankun1@huawei.com>
+Date: Thu, 28 Mar 2024 17:16:11 +0800
+Subject: [PATCH] docker: fix CVE-2024-29018
+
+libnet: Don't forward to upstream resolvers on internal nw
+
+Commit cbc2a71 makes `connect` syscall fail fast when a container is
+only attached to an internal network. Thanks to that, if such a
+container tries to resolve an "external" domain, the embedded resolver
+returns an error immediately instead of waiting for a timeout.
+
+This commit makes sure the embedded resolver doesn't even try to forward
+to upstream servers.
+
+Conflict:libnetwork/resolver.go,sandbox_dns_unix.go
+Reference:https://github.com/moby/moby/commit/790c3039d0ca5ed86ecd099b4b571496607628bc
+---
+ .../vendor/github.com/docker/libnetwork/endpoint.go | 13 ++++++++++++-
+ .../vendor/github.com/docker/libnetwork/resolver.go |  9 +++++++++
+ .../docker/libnetwork/sandbox_dns_unix.go           |  6 +++++-
+ 3 files changed, 26 insertions(+), 2 deletions(-)
+
+diff --git a/components/engine/vendor/github.com/docker/libnetwork/endpoint.go b/components/engine/vendor/github.com/docker/libnetwork/endpoint.go
+index 822f88bd3..914169199 100644
+--- a/components/engine/vendor/github.com/docker/libnetwork/endpoint.go
++++ b/components/engine/vendor/github.com/docker/libnetwork/endpoint.go
+@@ -550,7 +550,13 @@ func (ep *endpoint) sbJoin(sb *sandbox, options ...EndpointOption) (err error) {
+ 		return sb.setupDefaultGW()
+ 	}
+ 
+-	moveExtConn := sb.getGatewayEndpoint() != extEp
++	currentExtEp := sb.getGatewayEndpoint()
++	// Enable upstream forwarding if the sandbox gained external connectivity.
++	if sb.resolver != nil {
++		sb.resolver.SetForwardingPolicy(currentExtEp != nil)
++	}
++
++	moveExtConn := currentExtEp != extEp
+ 
+ 	if moveExtConn {
+ 		if extEp != nil {
+@@ -786,6 +792,11 @@ func (ep *endpoint) sbLeave(sb *sandbox, force bool, options ...EndpointOption)
+ 
+ 	// New endpoint providing external connectivity for the sandbox
+ 	extEp = sb.getGatewayEndpoint()
++	// Disable upstream forwarding if the sandbox lost external connectivity.
++	if sb.resolver != nil {
++		sb.resolver.SetForwardingPolicy(extEp != nil)
++	}
++
+ 	if moveExtConn && extEp != nil {
+ 		logrus.Debugf("Programming external connectivity on endpoint %s (%s)", extEp.Name(), extEp.ID())
+ 		extN, err := extEp.getNetworkFromStore()
+diff --git a/components/engine/vendor/github.com/docker/libnetwork/resolver.go b/components/engine/vendor/github.com/docker/libnetwork/resolver.go
+index 04afe7a1d..0e44352d7 100644
+--- a/components/engine/vendor/github.com/docker/libnetwork/resolver.go
++++ b/components/engine/vendor/github.com/docker/libnetwork/resolver.go
+@@ -24,6 +24,9 @@ type Resolver interface {
+ 	// SetupFunc() provides the setup function that should be run
+ 	// in the container's network namespace.
+ 	SetupFunc(int) func()
++	// SetForwardingPolicy re-configures the embedded DNS resolver to either enable or disable forwarding DNS queries to
++	// external servers.
++	SetForwardingPolicy(bool)
+ 	// NameServer() returns the IP of the DNS resolver for the
+ 	// containers.
+ 	NameServer() string
+@@ -196,6 +199,12 @@ func (r *resolver) SetExtServers(extDNS []extDNSEntry) {
+ 	}
+ }
+ 
++// SetForwardingPolicy re-configures the embedded DNS resolver to either enable or disable forwarding DNS queries to
++// external servers.
++func (r *resolver) SetForwardingPolicy(policy bool) {
++	r.proxyDNS = policy
++}
++
+ func (r *resolver) NameServer() string {
+ 	return r.listenAddress
+ }
+diff --git a/components/engine/vendor/github.com/docker/libnetwork/sandbox_dns_unix.go b/components/engine/vendor/github.com/docker/libnetwork/sandbox_dns_unix.go
+index db1b66b19..484987a83 100644
+--- a/components/engine/vendor/github.com/docker/libnetwork/sandbox_dns_unix.go
++++ b/components/engine/vendor/github.com/docker/libnetwork/sandbox_dns_unix.go
+@@ -27,7 +27,11 @@ const (
+ func (sb *sandbox) startResolver(restore bool) {
+ 	sb.resolverOnce.Do(func() {
+ 		var err error
+-		sb.resolver = NewResolver(resolverIPSandbox, true, sb.Key(), sb)
++		// The resolver is started with proxyDNS=false if the sandbox does not currently
++		// have a gateway. So, if the Sandbox is only connected to an 'internal' network,
++		// it will not forward DNS requests to external resolvers. The resolver's
++		// proxyDNS setting is then updated as network Endpoints are added/removed.
++		sb.resolver = NewResolver(resolverIPSandbox, sb.getGatewayEndpoint() != nil, sb.Key(), sb)
+ 		defer func() {
+ 			if err != nil {
+ 				sb.resolver = nil
+-- 
+2.33.0
+

patch/0275-backport-fix-CVE-2024-32473.patch

@@ -0,0 +1,60 @@
+From ed5ed46f0aee11f3e4e0fcc2b2ce391460bd4550 Mon Sep 17 00:00:00 2001
+From: chenjiankun <chenjiankun1@huawei.com>
+Date: Wed, 8 May 2024 10:03:36 +0800
+Subject: [PATCH] docker: Disable IPv6 for endpoints in '--ipv6=false' networks
+
+No IPAM IPv6 address is given to an interface in a network with
+'--ipv6=false', but the kernel would assign a link-local address and,
+in a macvlan/ipvlan network, the interface may get a SLAAC-assigned
+address.
+
+So, disable IPv6 on the interface to avoid that.
+
+Signed-off-by: Rob Murray <rob.murray@docker.com>
+
+Conflict:no
+Reference:https://github.com/moby/moby/commit/7cef0d9cd1cf221d8c0b7b7aeda69552649e0642
+
+---
+ .../docker/libnetwork/osl/interface_linux.go  | 21 ++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/components/engine/vendor/github.com/docker/libnetwork/osl/interface_linux.go b/components/engine/vendor/github.com/docker/libnetwork/osl/interface_linux.go
+index a924af4bd..63d0e5650 100644
+--- a/components/engine/vendor/github.com/docker/libnetwork/osl/interface_linux.go
++++ b/components/engine/vendor/github.com/docker/libnetwork/osl/interface_linux.go
+@@ -377,17 +377,24 @@ func setInterfaceIP(nlh *netlink.Handle, iface netlink.Link, i *nwIface) error {
+ }
+ 
+ func setInterfaceIPv6(nlh *netlink.Handle, iface netlink.Link, i *nwIface) error {
+-	if i.AddressIPv6() == nil {
++	addr := i.AddressIPv6()
++	// IPv6 must be enabled on the interface if and only if the network is
++	// IPv6-enabled. For an interface on an IPv4-only network, if IPv6 isn't
++	// disabled, the interface will be put into IPv6 multicast groups making
++	// it unexpectedly susceptible to NDP cache poisoning, route injection, etc.
++	// (At present, there will always be a pre-configured IPv6 address if the
++	// network is IPv6-enabled.)
++	if err := setIPv6(i.ns.path, i.DstName(), addr != nil); err != nil {
++		return fmt.Errorf("failed to configure ipv6: %v", err)
++	}
++	if addr == nil {
+ 		return nil
+ 	}
+-	if err := checkRouteConflict(nlh, i.AddressIPv6(), netlink.FAMILY_V6); err != nil {
++	if err := checkRouteConflict(nlh, addr, netlink.FAMILY_V6); err != nil {
+ 		return err
+ 	}
+-	if err := setIPv6(i.ns.path, i.DstName(), true); err != nil {
+-		return fmt.Errorf("failed to enable ipv6: %v", err)
+-	}
+-	ipAddr := &netlink.Addr{IPNet: i.AddressIPv6(), Label: "", Flags: syscall.IFA_F_NODAD}
+-	return nlh.AddrAdd(iface, ipAddr)
++	nlAddr := &netlink.Addr{IPNet: addr, Label: "", Flags: syscall.IFA_F_NODAD}
++	return nlh.AddrAdd(iface, nlAddr)
+ }
+ 
+ func setInterfaceLinkLocalIPs(nlh *netlink.Handle, iface netlink.Link, i *nwIface) error {
+-- 
+2.33.0
+

series.conf

@@ -258,4 +258,16 @@ patch/0260-docker-repalce-unix.Rmdir-with-os.RemoveAll-when-rem.patch
 patch/0261-backport-client-define-a-dummy-hostname-to-use-for-local-conn.patch
 patch/0262-docker-remove-useless-mount-point-dir.patch
 patch/0263-docker-builder-fix-COPY-from-should-preserve-ownership.patch
+patch/0264-Fix-possible-nil-pointer-exception.patch
+patch/0265-Fix-error-handling-for-bind-mount-spec-parser.patch
+patch/0266-Fixed-the-inconsistence-and-also-a-potential-data-ra.patch
+patch/0267-daemon-ProcessEvent-make-sure-to-cancel-the-contexts.patch
+patch/0268-Fix-possible-runtime-panic-in-Lgetxattr.patch
+patch/0269-vendor-vishvananda-netns-db3c7e526aae966c4ccfa6c8189.patch
+patch/0270-Update-daemon_linux.go-for-preventing-off-by-one.patch
+patch/0271-libnetwork-processEndpointDelete-Fix-deadlock-betwee.patch
+patch/0272-Fixes-41871-Update-daemon-daemon.go-resume-healthche.patch
+patch/0273-backport-fix-CVE-2024-24557.patch
+patch/0274-docker-fix-CVE-2024-29018.patch
+patch/0275-backport-fix-CVE-2024-32473.patch
 #end