docker: sync patches from upstream

Sync patches from upstream, including:
- b033961a82
- 2a8341f252
- cae76642b6
- f43f820a8c
- b1d05350ec
- 7a24e475b3
- f89fd3df7d
- 76e4260141
- b92585a470

Signed-off-by: Lu Jingxiao <lujingxiao@huawei.com>

VERSION-vendor

@@ -1 +1 @@
-18.09.0.332
+18.09.0.333

docker.spec

@@ -1,6 +1,6 @@
 Name: docker-engine
 Version: 18.09.0
-Release: 332
+Release: 333
 Epoch: 2
 Summary: The open-source application container engine
 Group: Tools/Docker
@@ -229,6 +229,12 @@ fi
 %endif
 
 %changelog
+* Fri Dec 22 2023 Lu Jingxiao<lujingxiao@huawei.com> - 2:18.09.0-333
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:sync patches from upstream
+
 * Fri Nov 17 2023 zhongjiawei<zhongjiawei1@huawei.com> - 2:18.09.0-332
 - Type:bugfix
 - CVE:NA

git-commit

@@ -1 +1 @@
-9942888bfef38caf57c544280f99648ea33fc7f6
+27b99f468b2ba3ed1aa44bedbd7599a08e100a4c

patch/0264-Fix-possible-nil-pointer-exception.patch

@@ -0,0 +1,59 @@
+From b38955814a5c5259974e081d3abb8e7da7c1f90a Mon Sep 17 00:00:00 2001
+From: Song Zhang <zhangsong34@huawei.com>
+Date: Mon, 18 Dec 2023 20:22:14 +0800
+Subject: [PATCH 01/10] Fix possible nil pointer exception It is possible that
+ the node is not yet present in the node list map. In this case just print a
+ warning and return. The next iteration would be fine
+
+Signed-off-by: Flavio Crisciani <flavio.crisciani@docker.com>
+Upstream-commit: 151f42aeaa062535246a38330a78700398de53cd
+Component: engine
+
+Reference: https://github.com/docker/docker-ce/commit/b033961a82cd48cc31e5ae891f033fe4eb184192
+
+Signed-off-by: Song Zhang <zhangsong34@huawei.com>
+---
+ .../engine/vendor/github.com/docker/libnetwork/network.go | 8 +++-----
+ .../github.com/docker/libnetwork/networkdb/cluster.go     | 7 ++++++-
+ 2 files changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/components/engine/vendor/github.com/docker/libnetwork/network.go b/components/engine/vendor/github.com/docker/libnetwork/network.go
+index 4940aa835..0e7890769 100644
+--- a/components/engine/vendor/github.com/docker/libnetwork/network.go
++++ b/components/engine/vendor/github.com/docker/libnetwork/network.go
+@@ -396,11 +396,9 @@ func (n *network) validateConfiguration() error {
+ 					driverOptions map[string]string
+ 					opts          interface{}
+ 				)
+-				switch data.(type) {
+-				case map[string]interface{}:
+-					opts = data.(map[string]interface{})
+-				case map[string]string:
+-					opts = data.(map[string]string)
++				switch t := data.(type) {
++				case map[string]interface{}, map[string]string:
++					opts = t
+ 				}
+ 				ba, err := json.Marshal(opts)
+ 				if err != nil {
+diff --git a/components/engine/vendor/github.com/docker/libnetwork/networkdb/cluster.go b/components/engine/vendor/github.com/docker/libnetwork/networkdb/cluster.go
+index c98957084..2e7795440 100644
+--- a/components/engine/vendor/github.com/docker/libnetwork/networkdb/cluster.go
++++ b/components/engine/vendor/github.com/docker/libnetwork/networkdb/cluster.go
+@@ -288,7 +288,12 @@ func (nDB *NetworkDB) rejoinClusterBootStrap() {
+ 		return
+ 	}
+ 
+-	myself, _ := nDB.nodes[nDB.config.NodeID]
++	myself, ok := nDB.nodes[nDB.config.NodeID]
++	if !ok {
++		nDB.RUnlock()
++		logrus.Warnf("rejoinClusterBootstrap unable to find local node info using ID:%v", nDB.config.NodeID)
++		return
++	}
+ 	bootStrapIPs := make([]string, 0, len(nDB.bootStrapIP))
+ 	for _, bootIP := range nDB.bootStrapIP {
+ 		// botostrap IPs are usually IP:port from the Join
+-- 
+2.33.0
+

patch/0265-Fix-error-handling-for-bind-mount-spec-parser.patch

@@ -0,0 +1,37 @@
+From f1bc509fb5e58500bc3d8661d335268130e2e4a7 Mon Sep 17 00:00:00 2001
+From: Song Zhang <zhangsong34@huawei.com>
+Date: Mon, 18 Dec 2023 20:31:18 +0800
+Subject: [PATCH 03/10] Fix error handling for bind mount spec parser. Errors
+ were being ignored and always telling the user that the path doesn't exist
+ even if it was some other problem, such as a permission error.
+
+Signed-off-by: Brian Goff <cpuguy83@gmail.com>
+Upstream-commit: ebcef288343698dd86ff307f5b9c58aa52ce9fdd
+Component: engine
+
+Reference: https://github.com/docker/docker-ce/commit/2a8341f2528b3e3a5c70f0ebf0980af3e3f70119
+
+Signed-off-by: Song Zhang <zhangsong34@huawei.com>
+---
+ components/engine/volume/mounts/linux_parser.go | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/components/engine/volume/mounts/linux_parser.go b/components/engine/volume/mounts/linux_parser.go
+index 8e436aec0..e276a39ce 100644
+--- a/components/engine/volume/mounts/linux_parser.go
++++ b/components/engine/volume/mounts/linux_parser.go
+@@ -82,7 +82,10 @@ func (p *linuxParser) validateMountConfigImpl(mnt *mount.Mount, validateBindSour
+ 		}
+ 
+ 		if validateBindSourceExists {
+-			exists, _, _ := currentFileInfoProvider.fileInfo(mnt.Source)
++			exists, _, err := currentFileInfoProvider.fileInfo(mnt.Source)
++			if err != nil {
++				return &errMountConfig{mnt, err}
++			}
+ 			if !exists {
+ 				return &errMountConfig{mnt, errBindSourceDoesNotExist(mnt.Source)}
+ 			}
+-- 
+2.33.0
+

patch/0266-Fixed-the-inconsistence-and-also-a-potential-data-ra.patch

@@ -0,0 +1,59 @@
+From 2d1f0bc85e2d596d7cd566fe32d85ecd394af50d Mon Sep 17 00:00:00 2001
+From: Song Zhang <zhangsong34@huawei.com>
+Date: Mon, 18 Dec 2023 20:32:58 +0800
+Subject: [PATCH 04/10] =?UTF-8?q?Fixed=20the=20inconsistence=20and=20also?=
+ =?UTF-8?q?=20a=20potential=20data=20race=20in=20pkg/ioutils=E2=80=A6=20?=
+ =?UTF-8?q?=E2=80=A6/bytespipe.go:=20bp.closeErr=20is=20read/write=208=20t?=
+ =?UTF-8?q?imes;=207=20out=20of=208=20times=20it=20is=20protected=20by=20b?=
+ =?UTF-8?q?p.mu.Lock();=201=20out=20of=208=20times=20it=20is=20read=20with?=
+ =?UTF-8?q?out=20a=20Lock?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: lzhfromutsc <lzhfromustc@gmail.com>
+Upstream-commit: c2479f6ebf288fe8660ea64f51ac80cfdda3011d
+Component: engine
+
+Reference: https://github.com/docker/docker-ce/commit/cae76642b61f2306c610c91900fd8100967197fe
+
+Signed-off-by: Song Zhang <zhangsong34@huawei.com>
+---
+ components/engine/pkg/ioutils/bytespipe.go | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/components/engine/pkg/ioutils/bytespipe.go b/components/engine/pkg/ioutils/bytespipe.go
+index e04a5bf51..bd57e5fbb 100644
+--- a/components/engine/pkg/ioutils/bytespipe.go
++++ b/components/engine/pkg/ioutils/bytespipe.go
+@@ -29,11 +29,11 @@ var (
+ // and releases new byte slices to adjust to current needs, so the buffer
+ // won't be overgrown after peak loads.
+ type BytesPipe struct {
+-	mu       sync.Mutex
+-	wait     *sync.Cond
+-	buf      []*fixedBuffer
+-	bufLen   int
+-	closeErr error // error to return from next Read. set to nil if not closed.
++	mu        sync.Mutex
++	wait      *sync.Cond
++	buf       []*fixedBuffer
++	bufLen    int
++	closeErr  error // error to return from next Read. set to nil if not closed.
+ 	readBlock bool  // check read BytesPipe is Wait() or not
+ }
+ 
+@@ -132,8 +132,9 @@ func (bp *BytesPipe) Read(p []byte) (n int, err error) {
+ 	bp.mu.Lock()
+ 	if bp.bufLen == 0 {
+ 		if bp.closeErr != nil {
++			err := bp.closeErr
+ 			bp.mu.Unlock()
+-			return 0, bp.closeErr
++			return 0, err
+ 		}
+ 		bp.readBlock = true
+ 		bp.wait.Wait()
+-- 
+2.33.0
+

patch/0267-daemon-ProcessEvent-make-sure-to-cancel-the-contexts.patch

@@ -0,0 +1,54 @@
+From 543ae0a4cbdfa0253dc1fd2b29dc957ea23fde63 Mon Sep 17 00:00:00 2001
+From: Song Zhang <zhangsong34@huawei.com>
+Date: Mon, 18 Dec 2023 20:35:19 +0800
+Subject: [PATCH 05/10] daemon/ProcessEvent: make sure to cancel the contexts
+ Reported by govet linter:
+
+> daemon/monitor.go:57:9: lostcancel: the cancel function returned by context.WithTimeout should be called, not discarded, to avoid a context leak (govet)
+> 			ctx, _ := context.WithTimeout(context.Background(), 2*time.Second)
+> 			     ^
+> daemon/monitor.go:128:9: lostcancel: the cancel function returned by context.WithTimeout should be called, not discarded, to avoid a context leak (govet)
+> 			ctx, _ := context.WithTimeout(context.Background(), 2*time.Second)
+> 			     ^
+
+Fixes: b5f288 ("Handle blocked I/O of exec'd processes")
+Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
+Upstream-commit: 53cbf1797b001314035a13578ed60f015a0179e4
+Component: engine
+
+Reference: https://github.com/docker/docker-ce/commit/f43f820a8c0e17c76f6cb42ab07a9c526b64734c
+
+Signed-off-by: Song Zhang <zhangsong34@huawei.com>
+---
+ components/engine/daemon/monitor.go | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/components/engine/daemon/monitor.go b/components/engine/daemon/monitor.go
+index d47b51a33..7ab4d431b 100644
+--- a/components/engine/daemon/monitor.go
++++ b/components/engine/daemon/monitor.go
+@@ -77,8 +77,9 @@ func (daemon *Daemon) ProcessEvent(id string, e libcontainerd.EventType, ei libc
+ 				logrus.WithError(err).Warnf("failed to delete container %s from containerd", c.ID)
+ 			}
+ 
+-			ctx, _ := context.WithTimeout(context.Background(), 2*time.Second)
++			ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+ 			c.StreamConfig.Wait(ctx)
++			cancel()
+ 			c.Reset(false)
+ 
+ 			exitStatus := container.ExitStatus{
+@@ -145,8 +146,9 @@ func (daemon *Daemon) ProcessEvent(id string, e libcontainerd.EventType, ei libc
+ 			defer execConfig.Unlock()
+ 			execConfig.ExitCode = &ec
+ 			execConfig.Running = false
+-			ctx, _ := context.WithTimeout(context.Background(), 2*time.Second)
++			ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+ 			execConfig.StreamConfig.Wait(ctx)
++			cancel()
+ 			if err := execConfig.CloseStreams(); err != nil {
+ 				logrus.Errorf("failed to cleanup exec %s streams: %s", c.ID, err)
+ 			}
+-- 
+2.33.0
+

patch/0268-Fix-possible-runtime-panic-in-Lgetxattr.patch

@@ -0,0 +1,59 @@
+From 316b667f240bf2d3792188d05b8bdace294a8d2c Mon Sep 17 00:00:00 2001
+From: Sascha Grunert <sgrunert@suse.com>
+Date: Wed, 4 Dec 2019 14:25:58 +0100
+Subject: [PATCH 06/10] Fix possible runtime panic in Lgetxattr
+
+If `unix.Lgetxattr` returns an error, then `sz == -1` which will cause a
+runtime panic if `errno == unix.ERANGE`.
+
+Signed-off-by: Sascha Grunert <sgrunert@suse.com>
+Upstream-commit: 4138cd22abeaa7d1c49a96fa4c0045feb32b847e
+Component: engine
+
+Reference: https://github.com/docker/docker-ce/commit/b1d05350ecaf98f478577246d7e17311cd4761c9
+---
+ components/engine/pkg/system/xattrs_linux.go | 21 ++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/components/engine/pkg/system/xattrs_linux.go b/components/engine/pkg/system/xattrs_linux.go
+index 66d4895b2..d4f1a57fb 100644
+--- a/components/engine/pkg/system/xattrs_linux.go
++++ b/components/engine/pkg/system/xattrs_linux.go
+@@ -6,19 +6,28 @@ import "golang.org/x/sys/unix"
+ // and associated with the given path in the file system.
+ // It will returns a nil slice and nil error if the xattr is not set.
+ func Lgetxattr(path string, attr string) ([]byte, error) {
++	// Start with a 128 length byte array
+ 	dest := make([]byte, 128)
+ 	sz, errno := unix.Lgetxattr(path, attr, dest)
+-	if errno == unix.ENODATA {
++
++	switch {
++	case errno == unix.ENODATA:
+ 		return nil, nil
+-	}
+-	if errno == unix.ERANGE {
++	case errno == unix.ERANGE:
++		// 128 byte array might just not be good enough. A dummy buffer is used
++		// to get the real size of the xattrs on disk
++		sz, errno = unix.Lgetxattr(path, attr, []byte{})
++		if errno != nil {
++			return nil, errno
++		}
+ 		dest = make([]byte, sz)
+ 		sz, errno = unix.Lgetxattr(path, attr, dest)
+-	}
+-	if errno != nil {
++		if errno != nil {
++			return nil, errno
++		}
++	case errno != nil:
+ 		return nil, errno
+ 	}
+-
+ 	return dest[:sz], nil
+ }
+ 
+-- 
+2.33.0
+

patch/0269-vendor-vishvananda-netns-db3c7e526aae966c4ccfa6c8189.patch

@@ -0,0 +1,191 @@
+From 7968f451470d4fb2a50335ebb593e885fc54956e Mon Sep 17 00:00:00 2001
+From: Song Zhang <zhangsong34@huawei.com>
+Date: Mon, 18 Dec 2023 20:49:55 +0800
+Subject: [PATCH 07/10] vendor: vishvananda/netns
+ db3c7e526aae966c4ccfa6c8189b693d6ac5d202 Signed-off-by: Sebastiaan van Stijn
+ <github@gone.nl> Upstream-commit: e11c7fe3ab085939d74a386d763ca3ae4c67c7a0
+ Component: engine
+
+ Reference: https://github.com/docker/docker-ce/commit/7a24e475b3cb5975c7fc02b2d854ae58f13bcabd
+
+Signed-off-by: Song Zhang <zhangsong34@huawei.com>
+---
+ .../github.com/vishvananda/netns/netns.go     | 15 ++--
+ .../vishvananda/netns/netns_linux.go          | 72 +++++++++++++++----
+ 2 files changed, 66 insertions(+), 21 deletions(-)
+
+diff --git a/components/engine/vendor/github.com/vishvananda/netns/netns.go b/components/engine/vendor/github.com/vishvananda/netns/netns.go
+index 2ca0feedd..aa32ac7fd 100644
+--- a/components/engine/vendor/github.com/vishvananda/netns/netns.go
++++ b/components/engine/vendor/github.com/vishvananda/netns/netns.go
+@@ -10,7 +10,8 @@ package netns
+ 
+ import (
+ 	"fmt"
+-	"syscall"
++
++	"golang.org/x/sys/unix"
+ )
+ 
+ // NsHandle is a handle to a network namespace. It can be cast directly
+@@ -24,11 +25,11 @@ func (ns NsHandle) Equal(other NsHandle) bool {
+ 	if ns == other {
+ 		return true
+ 	}
+-	var s1, s2 syscall.Stat_t
+-	if err := syscall.Fstat(int(ns), &s1); err != nil {
++	var s1, s2 unix.Stat_t
++	if err := unix.Fstat(int(ns), &s1); err != nil {
+ 		return false
+ 	}
+-	if err := syscall.Fstat(int(other), &s2); err != nil {
++	if err := unix.Fstat(int(other), &s2); err != nil {
+ 		return false
+ 	}
+ 	return (s1.Dev == s2.Dev) && (s1.Ino == s2.Ino)
+@@ -36,11 +37,11 @@ func (ns NsHandle) Equal(other NsHandle) bool {
+ 
+ // String shows the file descriptor number and its dev and inode.
+ func (ns NsHandle) String() string {
+-	var s syscall.Stat_t
+ 	if ns == -1 {
+ 		return "NS(None)"
+ 	}
+-	if err := syscall.Fstat(int(ns), &s); err != nil {
++	var s unix.Stat_t
++	if err := unix.Fstat(int(ns), &s); err != nil {
+ 		return fmt.Sprintf("NS(%d: unknown)", ns)
+ 	}
+ 	return fmt.Sprintf("NS(%d: %d, %d)", ns, s.Dev, s.Ino)
+@@ -54,7 +55,7 @@ func (ns NsHandle) IsOpen() bool {
+ // Close closes the NsHandle and resets its file descriptor to -1.
+ // It is not safe to use an NsHandle after Close() is called.
+ func (ns *NsHandle) Close() error {
+-	if err := syscall.Close(int(*ns)); err != nil {
++	if err := unix.Close(int(*ns)); err != nil {
+ 		return err
+ 	}
+ 	(*ns) = -1
+diff --git a/components/engine/vendor/github.com/vishvananda/netns/netns_linux.go b/components/engine/vendor/github.com/vishvananda/netns/netns_linux.go
+index abdc30829..cf1db6025 100644
+--- a/components/engine/vendor/github.com/vishvananda/netns/netns_linux.go
++++ b/components/engine/vendor/github.com/vishvananda/netns/netns_linux.go
+@@ -1,3 +1,4 @@
++//go:build linux
+ // +build linux
+ 
+ package netns
+@@ -6,31 +7,31 @@ import (
+ 	"fmt"
+ 	"io/ioutil"
+ 	"os"
++	"path"
+ 	"path/filepath"
+ 	"strconv"
+ 	"strings"
+ 	"syscall"
++
++	"golang.org/x/sys/unix"
+ )
+ 
+ const (
+ 	// These constants belong in the syscall library but have not been
+ 	// added yet.
+-	CLONE_NEWUTS  = 0x04000000 /* New utsname group? */
+-	CLONE_NEWIPC  = 0x08000000 /* New ipcs */
+-	CLONE_NEWUSER = 0x10000000 /* New user namespace */
+-	CLONE_NEWPID  = 0x20000000 /* New pid namespace */
+-	CLONE_NEWNET  = 0x40000000 /* New network namespace */
+-	CLONE_IO      = 0x80000000 /* Get io context */
++	CLONE_NEWUTS  = 0x04000000   /* New utsname group? */
++	CLONE_NEWIPC  = 0x08000000   /* New ipcs */
++	CLONE_NEWUSER = 0x10000000   /* New user namespace */
++	CLONE_NEWPID  = 0x20000000   /* New pid namespace */
++	CLONE_NEWNET  = 0x40000000   /* New network namespace */
++	CLONE_IO      = 0x80000000   /* Get io context */
++	bindMountPath = "/run/netns" /* Bind mount path for named netns */
+ )
+ 
+ // Setns sets namespace using syscall. Note that this should be a method
+ // in syscall but it has not been added.
+ func Setns(ns NsHandle, nstype int) (err error) {
+-	_, _, e1 := syscall.Syscall(SYS_SETNS, uintptr(ns), uintptr(nstype), 0)
+-	if e1 != 0 {
+-		err = e1
+-	}
+-	return
++	return unix.Setns(int(ns), nstype)
+ }
+ 
+ // Set sets the current network namespace to the namespace represented
+@@ -41,21 +42,64 @@ func Set(ns NsHandle) (err error) {
+ 
+ // New creates a new network namespace and returns a handle to it.
+ func New() (ns NsHandle, err error) {
+-	if err := syscall.Unshare(CLONE_NEWNET); err != nil {
++	if err := unix.Unshare(CLONE_NEWNET); err != nil {
+ 		return -1, err
+ 	}
+ 	return Get()
+ }
+ 
++// NewNamed creates a new named network namespace and returns a handle to it
++func NewNamed(name string) (NsHandle, error) {
++	if _, err := os.Stat(bindMountPath); os.IsNotExist(err) {
++		err = os.MkdirAll(bindMountPath, 0755)
++		if err != nil {
++			return None(), err
++		}
++	}
++
++	newNs, err := New()
++	if err != nil {
++		return None(), err
++	}
++
++	namedPath := path.Join(bindMountPath, name)
++
++	f, err := os.OpenFile(namedPath, os.O_CREATE|os.O_EXCL, 0444)
++	if err != nil {
++		return None(), err
++	}
++	f.Close()
++
++	nsPath := fmt.Sprintf("/proc/%d/task/%d/ns/net", os.Getpid(), syscall.Gettid())
++	err = syscall.Mount(nsPath, namedPath, "bind", syscall.MS_BIND, "")
++	if err != nil {
++		return None(), err
++	}
++
++	return newNs, nil
++}
++
++// DeleteNamed deletes a named network namespace
++func DeleteNamed(name string) error {
++	namedPath := path.Join(bindMountPath, name)
++
++	err := syscall.Unmount(namedPath, syscall.MNT_DETACH)
++	if err != nil {
++		return err
++	}
++
++	return os.Remove(namedPath)
++}
++
+ // Get gets a handle to the current threads network namespace.
+ func Get() (NsHandle, error) {
+-	return GetFromThread(os.Getpid(), syscall.Gettid())
++	return GetFromThread(os.Getpid(), unix.Gettid())
+ }
+ 
+ // GetFromPath gets a handle to a network namespace
+ // identified by the path
+ func GetFromPath(path string) (NsHandle, error) {
+-	fd, err := syscall.Open(path, syscall.O_RDONLY, 0)
++	fd, err := unix.Open(path, unix.O_RDONLY|unix.O_CLOEXEC, 0)
+ 	if err != nil {
+ 		return -1, err
+ 	}
+-- 
+2.33.0
+

patch/0270-Update-daemon_linux.go-for-preventing-off-by-one.patch

@@ -0,0 +1,33 @@
+From 3b9d957c2a590f54eb03b37c48e8c1a911430ed6 Mon Sep 17 00:00:00 2001
+From: Song Zhang <zhangsong34@huawei.com>
+Date: Mon, 18 Dec 2023 20:50:54 +0800
+Subject: [PATCH 08/10] Update daemon_linux.go for preventing off-by-one Array
+ length should be bigger than 5, when accessing index 4
+
+Signed-off-by: J-jaeyoung <jjy600901@gmail.com>
+Upstream-commit: 19eda6b9a2991733a7e5b8fb0c435bf55846461f
+Component: engine
+
+Reference: https://github.com/docker/docker-ce/commit/f89fd3df7d5c4a63fed8e47ece566fa2d1db681d
+
+Signed-off-by: Song Zhang <zhangsong34@huawei.com>
+---
+ components/engine/daemon/daemon_linux.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/components/engine/daemon/daemon_linux.go b/components/engine/daemon/daemon_linux.go
+index 6a5790b4f..ed23bf30d 100644
+--- a/components/engine/daemon/daemon_linux.go
++++ b/components/engine/daemon/daemon_linux.go
+@@ -49,7 +49,7 @@ func (daemon *Daemon) cleanupMountsFromReaderByID(reader io.Reader, id string, u
+ 	regexps := getCleanPatterns(id)
+ 	sc := bufio.NewScanner(reader)
+ 	for sc.Scan() {
+-		if fields := strings.Fields(sc.Text()); len(fields) >= 4 {
++		if fields := strings.Fields(sc.Text()); len(fields) > 4 {
+ 			if mnt := fields[4]; strings.HasPrefix(mnt, daemon.root) {
+ 				for _, p := range regexps {
+ 					if p.MatchString(mnt) {
+-- 
+2.33.0
+

patch/0271-libnetwork-processEndpointDelete-Fix-deadlock-betwee.patch

@@ -0,0 +1,73 @@
+From fb353504e81196d7030710b648834ca61092f3aa Mon Sep 17 00:00:00 2001
+From: Song Zhang <zhangsong34@huawei.com>
+Date: Mon, 18 Dec 2023 20:59:30 +0800
+Subject: [PATCH 09/10] =?UTF-8?q?libnetwork:=20processEndpointDelete:=20Fi?=
+ =?UTF-8?q?x=20deadlock=20between=20getSvcRecords=E2=80=A6=20=E2=80=A6=20a?=
+ =?UTF-8?q?nd=20processEndpointDelete?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We had some hosts with quite a bit of cycling containers that ocassionally causes docker daemons to lock up.
+Most prominently `docker run` commands do not respond and nothing happens anymore.
+
+Looking at the stack trace the following is at least likely sometimes a cause to that:
+Two goroutines g0 and g1 can race against each other:
+* (g0) 1. getSvcRecords is called and calls (*network).Lock()
+       --> Network is locked.
+* (g1) 2. processEndpointDelete is called, and calls (*controller).Lock()
+       --> Controller is locked
+* (g1) 3. processEndpointDelete tries (*network).ID() which calls (*network).Lock().
+* (g0) 4. getSvcRecords calls (*controller).Lock().
+
+3./4. are deadlocked against each other since the other goroutine holds the lock they need.
+
+References https://github.com/moby/libnetwork/blob/b5dc37037049d9b9ef68a3c4611e5eb1b35dd2af/network.go
+
+Signed-off-by: Steffen Butzer <steffen.butzer@outlook.com>
+Upstream-commit: 7c97896747726554165480d102d9e46c54334cba
+Component: engine
+
+Reference: https://github.com/docker/docker-ce/commit/76e42601417c9bbcd7637a8b75d2d4318f6254ed
+
+Signed-off-by: Song Zhang <zhangsong34@huawei.com>
+---
+ .../vendor/github.com/docker/libnetwork/store.go      | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/components/engine/vendor/github.com/docker/libnetwork/store.go b/components/engine/vendor/github.com/docker/libnetwork/store.go
+index 0a7c5754d..65af83d22 100644
+--- a/components/engine/vendor/github.com/docker/libnetwork/store.go
++++ b/components/engine/vendor/github.com/docker/libnetwork/store.go
+@@ -421,11 +421,14 @@ func (c *controller) processEndpointDelete(nmap map[string]*netWatch, ep *endpoi
+ 		return
+ 	}
+ 
++	networkID := n.ID()
++	endpointID := ep.ID()
++
+ 	c.Lock()
+-	nw, ok := nmap[n.ID()]
++	nw, ok := nmap[networkID]
+ 
+ 	if ok {
+-		delete(nw.localEps, ep.ID())
++		delete(nw.localEps, endpointID)
+ 		c.Unlock()
+ 
+ 		// Update the svc db about local endpoint leave right away
+@@ -439,9 +442,9 @@ func (c *controller) processEndpointDelete(nmap map[string]*netWatch, ep *endpoi
+ 
+ 			// This is the last container going away for the network. Destroy
+ 			// this network's svc db entry
+-			delete(c.svcRecords, n.ID())
++			delete(c.svcRecords, networkID)
+ 
+-			delete(nmap, n.ID())
++			delete(nmap, networkID)
+ 		}
+ 	}
+ 	c.Unlock()
+-- 
+2.33.0
+

patch/0272-Fixes-41871-Update-daemon-daemon.go-resume-healthche.patch

@@ -0,0 +1,55 @@
+From b12d244a382c920c19a75fbc52845ef7b74fcaac Mon Sep 17 00:00:00 2001
+From: Song Zhang <zhangsong34@huawei.com>
+Date: Mon, 18 Dec 2023 21:08:59 +0800
+Subject: [PATCH 10/10] Fixes #41871: Update daemon/daemon.go: resume
+ healthcheck on restore Call updateHealthMonitor for alive non-paused
+ containers
+
+Signed-off-by: Alexis Ries <alexis.ries.ext@orange.com>
+Upstream-commit: 9f39889dee7d96430359d7e1f8970a88acad59e5
+Component: engine
+
+Reference: https://github.com/docker/docker-ce/commit/b92585a47049e661c8dcc0956e3e5f0210b5c4f3
+
+Signed-off-by: Song Zhang <zhangsong34@huawei.com>
+---
+ components/engine/daemon/daemon.go | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/components/engine/daemon/daemon.go b/components/engine/daemon/daemon.go
+index 8754492ce..80a2f54f4 100644
+--- a/components/engine/daemon/daemon.go
++++ b/components/engine/daemon/daemon.go
+@@ -416,7 +416,8 @@ func (daemon *Daemon) restore() error {
+ 			if c.IsRunning() || c.IsPaused() {
+ 				c.RestartManager().Cancel() // manually start containers because some need to wait for swarm networking
+ 
+-				if c.IsPaused() && alive {
++				switch {
++				case c.IsPaused() && alive:
+ 					s, err := daemon.containerd.Status(context.Background(), c.ID)
+ 					if err != nil {
+ 						logrus.WithError(err).WithField("container", c.ID).
+@@ -437,6 +438,7 @@ func (daemon *Daemon) restore() error {
+ 							c.Lock()
+ 							c.Paused = false
+ 							daemon.setStateCounter(c)
++							daemon.updateHealthMonitor(c)
+ 							if err := c.CheckpointTo(daemon.containersReplica); err != nil {
+ 								logrus.WithError(err).WithField("container", c.ID).
+ 									Error("Failed to update stopped container state")
+@@ -444,6 +446,11 @@ func (daemon *Daemon) restore() error {
+ 							c.Unlock()
+ 						}
+ 					}
++				case !c.IsPaused() && alive:
++					logrus.Debug("restoring healthcheck")
++					c.Lock()
++					daemon.updateHealthMonitor(c)
++					c.Unlock()
+ 				}
+ 
+ 				if !alive {
+-- 
+2.33.0
+

series.conf

@@ -261,4 +261,13 @@ patch/0260-docker-repalce-unix.Rmdir-with-os.RemoveAll-when-rem.patch
 patch/0261-backport-client-define-a-dummy-hostname-to-use-for-local-conn.patch
 patch/0262-docker-remove-useless-mount-point-dir.patch
 patch/0263-docker-builder-fix-COPY-from-should-preserve-ownership.patch
+patch/0264-Fix-possible-nil-pointer-exception.patch
+patch/0265-Fix-error-handling-for-bind-mount-spec-parser.patch
+patch/0266-Fixed-the-inconsistence-and-also-a-potential-data-ra.patch
+patch/0267-daemon-ProcessEvent-make-sure-to-cancel-the-contexts.patch
+patch/0268-Fix-possible-runtime-panic-in-Lgetxattr.patch
+patch/0269-vendor-vishvananda-netns-db3c7e526aae966c4ccfa6c8189.patch
+patch/0270-Update-daemon_linux.go-for-preventing-off-by-one.patch
+patch/0271-libnetwork-processEndpointDelete-Fix-deadlock-betwee.patch
+patch/0272-Fixes-41871-Update-daemon-daemon.go-resume-healthche.patch
 #end