From b82eb7f3253fe346a881c4c0a0625c464f93ad32 Mon Sep 17 00:00:00 2001 From: dongyuzhen Date: Thu, 19 Jun 2025 14:48:21 +0800 Subject: [PATCH] sync some patches from upstream (cherry picked from commit 8b4cd581b05e238b1071ea6ee4f20ee2aebee2d3) --- containerd.spec | 8 ++- git-commit | 2 +- ...inerd-Prevent-panic-in-Docker-pusher.patch | 44 +++++++++++++++ ...returned-error-in-the-defer-function.patch | 56 +++++++++++++++++++ series.conf | 2 + 5 files changed, 110 insertions(+), 2 deletions(-) create mode 100644 patch/0039-containerd-Prevent-panic-in-Docker-pusher.patch create mode 100644 patch/0040-containerd-client-fix-returned-error-in-the-defer-function.patch diff --git a/containerd.spec b/containerd.spec index 0420056..726a85b 100644 --- a/containerd.spec +++ b/containerd.spec @@ -2,7 +2,7 @@ %global debug_package %{nil} Version: 1.6.22 Name: containerd -Release: 16 +Release: 17 Summary: An industry-standard container runtime License: ASL 2.0 URL: https://containerd.io @@ -68,6 +68,12 @@ install -D -p -m 0644 %{S:7} %{buildroot}%{_sysconfdir}/containerd/config.toml %exclude %{_bindir}/containerd-stress %changelog +* Thu Jun 19 2025 dongyuzhen - 1.6.22-17 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:sync some patches from upstream + * Wed Mar 19 2025 dongyuzhen - 1.6.22-16 - Type:CVE - ID:NA diff --git a/git-commit b/git-commit index da776f0..6d4eb36 100644 --- a/git-commit +++ b/git-commit @@ -1 +1 @@ -6e187036a2a3eaf960f715062dcf629c2b429710 +8943cbda2c835ae830ac8cdbb200fd5a87935825 diff --git a/patch/0039-containerd-Prevent-panic-in-Docker-pusher.patch b/patch/0039-containerd-Prevent-panic-in-Docker-pusher.patch new file mode 100644 index 0000000..1c89ee5 --- /dev/null +++ b/patch/0039-containerd-Prevent-panic-in-Docker-pusher.patch 
@@ -0,0 +1,44 @@
+From 09fb880f48ab464c1b5ea8696737164c8637c109 Mon Sep 17 00:00:00 2001
+From: Cesar Talledo
+Date: Tue, 8 Apr 2025 18:00:26 -0700
+Subject: [PATCH] Prevent panic in Docker pusher.
+
+Prevent a panic in the Docker pusher pushWriter, by checking that
+the pipe is non nil before attempting to use it.
+
+The panic was found by Moby issue #46746 (https://github.com/moby/moby/issues/46746).
+With this fix the panic no longer reproduces.
+
+Signed-off-by: Cesar Talledo
+---
+ remotes/docker/pusher.go | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/remotes/docker/pusher.go b/remotes/docker/pusher.go
+index bef77fa61..7ca09c1d5 100644
+--- a/remotes/docker/pusher.go
++++ b/remotes/docker/pusher.go
+@@ -435,13 +435,15 @@ func (pw *pushWriter) Digest() digest.Digest {
+
+ func (pw *pushWriter) Commit(ctx context.Context, size int64, expected digest.Digest, opts ...content.Opt) error {
+ // Check whether read has already thrown an error
+- if _, err := pw.pipe.Write([]byte{}); err != nil && !errors.Is(err, io.ErrClosedPipe) {
+- return fmt.Errorf("pipe error before commit: %w", err)
++ if pw.pipe != nil {
++ if _, err := pw.pipe.Write([]byte{}); err != nil && !errors.Is(err, io.ErrClosedPipe) {
++ return fmt.Errorf("pipe error before commit: %w", err)
++ }
++ if err := pw.pipe.Close(); err != nil {
++ return err
++ }
+ }
+
+- if err := pw.pipe.Close(); err != nil {
+- return err
+- }
+ // TODO: timeout waiting for response
+ var resp *http.Response
+ select {
+--
+2.33.0
+
diff --git a/patch/0040-containerd-client-fix-returned-error-in-the-defer-function.patch b/patch/0040-containerd-client-fix-returned-error-in-the-defer-function.patch
new file mode 100644
index 0000000..1ad764f
--- /dev/null
+++ b/patch/0040-containerd-client-fix-returned-error-in-the-defer-function.patch
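Review bot: With the new `if pw.pipe != nil` guard, a nil pipe makes `Commit` skip both the write probe and `pw.pipe.Close()` and fall straight into the `select` below `// TODO: timeout waiting for response`, so the panic is gone but the nil case itself is never reported to the caller. The hunk does not show what that select waits on or where `pw.pipe` is assigned; if no request is in flight when the pipe is nil, the wait is presumably bounded only by the caller's context, which would trade a crash for a possible hang on the same push path. It is worth confirming that an error or response is always delivered in that case, and documenting the guard with something like `// pipe may still be nil here (TODO confirm when); fall through and let the select below report the outcome`. `Commit`'s body continues past the end of the hunk.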
@@ -0,0 +1,56 @@
+From f7914c10c947cfbc09d649df4180b5e5fc790757 Mon Sep 17 00:00:00 2001
+From: Iceber Gu
+Date: Tue, 15 Apr 2025 16:07:50 +0800
+Subject: [PATCH] client: fix returned error in the defer function
+
+Signed-off-by: Iceber Gu
+---
+ container.go | 4 ++--
+ task.go | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/container.go b/container.go
+index 2cf15666f..f179bf450 100644
+--- a/container.go
++++ b/container.go
+@@ -207,13 +207,13 @@ func (c *container) Image(ctx context.Context) (Image, error) {
+ return NewImage(c.client, i), nil
+ }
+
+-func (c *container) NewTask(ctx context.Context, ioCreate cio.Creator, opts ...NewTaskOpts) (_ Task, err error) {
++func (c *container) NewTask(ctx context.Context, ioCreate cio.Creator, opts ...NewTaskOpts) (_ Task, retErr error) {
+ i, err := ioCreate(c.id)
+ if err != nil {
+ return nil, err
+ }
+ defer func() {
+- if err != nil && i != nil {
++ if retErr != nil && i != nil {
+ i.Cancel()
+ i.Close()
+ }
+diff --git a/task.go b/task.go
+index ef8cd4494..9efdec901 100644
+--- a/task.go
++++ b/task.go
+@@ -351,7 +351,7 @@ func (t *task) Delete(ctx context.Context, opts ...ProcessDeleteOpts) (*ExitStat
+ return &ExitStatus{code: r.ExitStatus, exitedAt: r.ExitedAt}, nil
+ }
+
+-func (t *task) Exec(ctx context.Context, id string, spec *specs.Process, ioCreate cio.Creator) (_ Process, err error) {
++func (t *task) Exec(ctx context.Context, id string, spec *specs.Process, ioCreate cio.Creator) (_ Process, retErr error) {
+ if id == "" {
+ return nil, fmt.Errorf("exec id must not be empty: %w", errdefs.ErrInvalidArgument)
+ }
+@@ -360,7 +360,7 @@ func (t *task) Exec(ctx context.Context, id string, spec *specs.Process, ioCreat
+ return nil, err
+ }
+ defer func() {
+- if err != nil && i != nil {
++ if retErr != nil && i != nil {
+ i.Cancel()
+ i.Close()
+ }
+--
+2.33.0
+
diff --git a/series.conf b/series.conf
index 1889e96..4a76f49 100644
--- a/series.conf
+++ b/series.conf
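Review bot: The deferred cleanup in `NewTask` now tests the named result `retErr`, but the body still declares a local `err` via `i, err := ioCreate(c.id)`, and nothing tells a later editor why the defer must not read that local; the same applies to the two `Exec` hunks in task.go. A short comment above the defer would keep the fix from regressing, e.g. `// retErr is the function's final error; do not test the local err here, it can be shadowed or reassigned before return`. The cleanup also discards the result of `i.Close()`; if that call returns an error, writing `_ = i.Close()` would mark it as deliberate best-effort. Both functions continue outside the hunks shown, so whether every failure path actually returns through `retErr`, and therefore releases the IO it created, cannot be checked from here.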
@@ -35,3 +35,5 @@ patch/0035-containerd-modify-Makefile-for-go-build-options.patch
 patch/0036-containerd-modify-makefile-options.patch
 patch/0037-fix-build-error-for-loong64.patch
 patch/0038-containerd-fix-CVE-2024-40635.patch
+patch/0039-containerd-Prevent-panic-in-Docker-pusher.patch
+patch/0040-containerd-client-fix-returned-error-in-the-defer-function.patch
-- Gitee