diff --git a/containerd.spec b/containerd.spec
index 0420056f44b8d2686538b13aefc3e70c17528b0a..726a85bcb5db9032bc3cb3a7d64568e18bcfba8d 100644
--- a/containerd.spec
+++ b/containerd.spec
@@ -2,7 +2,7 @@
 %global debug_package %{nil}
 Version: 1.6.22
 Name: containerd
-Release: 16
+Release: 17
 Summary: An industry-standard container runtime
 License: ASL 2.0
 URL: https://containerd.io
@@ -68,6 +68,12 @@ install -D -p -m 0644 %{S:7} %{buildroot}%{_sysconfdir}/containerd/config.toml
 %exclude %{_bindir}/containerd-stress
 
 %changelog
+* Thu Jun 19 2025 dongyuzhen - 1.6.22-17
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:sync some patches from upstream
+
 * Wed Mar 19 2025 dongyuzhen - 1.6.22-16
 - Type:CVE
 - ID:NA
diff --git a/git-commit b/git-commit
index da776f0861b143775a38976ee38af9b4179cb157..6d4eb36a42d4c4cff0b9f0ffeca33236479b5e4e 100644
--- a/git-commit
+++ b/git-commit
@@ -1 +1 @@
-6e187036a2a3eaf960f715062dcf629c2b429710
+8943cbda2c835ae830ac8cdbb200fd5a87935825
diff --git a/patch/0039-containerd-Prevent-panic-in-Docker-pusher.patch b/patch/0039-containerd-Prevent-panic-in-Docker-pusher.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1c89ee56aa3ea4165731eb4107f21f8eb2f77cf4
--- /dev/null
+++ b/patch/0039-containerd-Prevent-panic-in-Docker-pusher.patch
@@ -0,0 +1,44 @@
+From 09fb880f48ab464c1b5ea8696737164c8637c109 Mon Sep 17 00:00:00 2001
+From: Cesar Talledo
+Date: Tue, 8 Apr 2025 18:00:26 -0700
+Subject: [PATCH] Prevent panic in Docker pusher.
+
+Prevent a panic in the Docker pusher pushWriter, by checking that
+the pipe is non nil before attempting to use it.
+
+The panic was found by Moby issue #46746 (https://github.com/moby/moby/issues/46746).
+With this fix the panic no longer reproduces.
+
+Signed-off-by: Cesar Talledo
+---
+ remotes/docker/pusher.go | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/remotes/docker/pusher.go b/remotes/docker/pusher.go
+index bef77fa61..7ca09c1d5 100644
+--- a/remotes/docker/pusher.go
++++ b/remotes/docker/pusher.go
+@@ -435,13 +435,15 @@ func (pw *pushWriter) Digest() digest.Digest {
+ 
+ func (pw *pushWriter) Commit(ctx context.Context, size int64, expected digest.Digest, opts ...content.Opt) error {
+ // Check whether read has already thrown an error
+- if _, err := pw.pipe.Write([]byte{}); err != nil && !errors.Is(err, io.ErrClosedPipe) {
+- return fmt.Errorf("pipe error before commit: %w", err)
++ if pw.pipe != nil {
++ if _, err := pw.pipe.Write([]byte{}); err != nil && !errors.Is(err, io.ErrClosedPipe) {
++ return fmt.Errorf("pipe error before commit: %w", err)
++ }
++ if err := pw.pipe.Close(); err != nil {
++ return err
++ }
+ }
+ 
+- if err := pw.pipe.Close(); err != nil {
+- return err
+- }
+ // TODO: timeout waiting for response
+ var resp *http.Response
+ select {
+-- 
+2.33.0
+
diff --git a/patch/0040-containerd-client-fix-returned-error-in-the-defer-function.patch b/patch/0040-containerd-client-fix-returned-error-in-the-defer-function.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1ad764f79380a781bb29003e43085b10cfbd9b20
--- /dev/null
+++ b/patch/0040-containerd-client-fix-returned-error-in-the-defer-function.patch
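Review bot: When `pw.pipe` is nil, the new guard in `Commit` skips both the write probe and `Close()` and falls straight through to the `select` under `// TODO: timeout waiting for response`, so the panic is replaced by a wait whose exit conditions are not visible here. The select's cases lie outside the hunk; it is worth confirming that it observes `ctx.Done()`, so that a Commit which never had a request body pipe cannot block a push indefinitely. The guard also deserves a comment saying why nil is a legal state, for example `// pw.pipe is nil if no body pipe was ever attached; nothing to probe or close` (wording to be checked against where the pipe is assigned), since the existing comment above it only describes the read-error check. No regression test accompanies the patch, so the nil-pipe path remains unexercised.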
@@ -0,0 +1,56 @@
+From f7914c10c947cfbc09d649df4180b5e5fc790757 Mon Sep 17 00:00:00 2001
+From: Iceber Gu
+Date: Tue, 15 Apr 2025 16:07:50 +0800
+Subject: [PATCH] client: fix returned error in the defer function
+
+Signed-off-by: Iceber Gu
+---
+ container.go | 4 ++--
+ task.go | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/container.go b/container.go
+index 2cf15666f..f179bf450 100644
+--- a/container.go
++++ b/container.go
+@@ -207,13 +207,13 @@ func (c *container) Image(ctx context.Context) (Image, error) {
+ return NewImage(c.client, i), nil
+ }
+ 
+-func (c *container) NewTask(ctx context.Context, ioCreate cio.Creator, opts ...NewTaskOpts) (_ Task, err error) {
++func (c *container) NewTask(ctx context.Context, ioCreate cio.Creator, opts ...NewTaskOpts) (_ Task, retErr error) {
+ i, err := ioCreate(c.id)
+ if err != nil {
+ return nil, err
+ }
+ defer func() {
+- if err != nil && i != nil {
++ if retErr != nil && i != nil {
+ i.Cancel()
+ i.Close()
+ }
+diff --git a/task.go b/task.go
+index ef8cd4494..9efdec901 100644
+--- a/task.go
++++ b/task.go
+@@ -351,7 +351,7 @@ func (t *task) Delete(ctx context.Context, opts ...ProcessDeleteOpts) (*ExitStat
+ return &ExitStatus{code: r.ExitStatus, exitedAt: r.ExitedAt}, nil
+ }
+ 
+-func (t *task) Exec(ctx context.Context, id string, spec *specs.Process, ioCreate cio.Creator) (_ Process, err error) {
++func (t *task) Exec(ctx context.Context, id string, spec *specs.Process, ioCreate cio.Creator) (_ Process, retErr error) {
+ if id == "" {
+ return nil, fmt.Errorf("exec id must not be empty: %w", errdefs.ErrInvalidArgument)
+ }
+@@ -360,7 +360,7 @@ func (t *task) Exec(ctx context.Context, id string, spec *specs.Process, ioCreat
+ return nil, err
+ }
+ defer func() {
+- if err != nil && i != nil {
++ if retErr != nil && i != nil {
+ i.Cancel()
+ i.Close()
+ }
+-- 
+2.33.0
+
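Review bot: The deferred cleanup in `NewTask` (and the identical one in `Exec` in task.go) now tests `retErr`, but nothing at either site explains why the named result differs from the local `err`, so a later edit could easily switch the check back to `err` and reintroduce the mismatch. A comment on the defer such as `// retErr is the named result: release the cio.IO on every failing return, whichever local err caused it` would pin the intent. The two calls inside the defer, `i.Cancel()` and `i.Close()`, also discard any result; if `Close` returns an error (its declaration is not part of this patch) it is dropped silently on the failure path, so a failed IO teardown would leave no trace. Both function bodies continue outside the hunks shown.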
diff --git a/series.conf b/series.conf
index 1889e9604fc5297039c5a83443426b5446a59841..4a76f494b40687c3246c543a1deb31e350585de1 100644
--- a/series.conf
+++ b/series.conf
@@ -35,3 +35,5 @@ patch/0035-containerd-modify-Makefile-for-go-build-options.patch
 patch/0036-containerd-modify-makefile-options.patch
 patch/0037-fix-build-error-for-loong64.patch
 patch/0038-containerd-fix-CVE-2024-40635.patch
+patch/0039-containerd-Prevent-panic-in-Docker-pusher.patch
+patch/0040-containerd-client-fix-returned-error-in-the-defer-function.patch