diff --git a/1015-builder-next-fix-missing-lock-in-ensurelayer.patch b/1015-builder-next-fix-missing-lock-in-ensurelayer.patch
new file mode 100644
index 0000000000000000000000000000000000000000..dd743a0fdd471bd5a563f3b0df93816a19e7a204
--- /dev/null
+++ b/1015-builder-next-fix-missing-lock-in-ensurelayer.patch
@@ -0,0 +1,84 @@
+From d250e139459172b37be2e57b9c025ed0ded70fb2 Mon Sep 17 00:00:00 2001
+From: Tonis Tiigi
+Date: Wed, 6 Mar 2024 23:11:32 -0800
+Subject: [PATCH 023/172] builder-next: fix missing lock in ensurelayer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When this was called concurrently from the moby image
+exporter there could be a data race where a layer was
+written to the refs map when it was already there.
+
+In that case the reference count got mixed up and on
+release only one of these layers was actually released.
+
+Signed-off-by: Tonis Tiigi
+(cherry picked from commit 37545cc644344dcb576cba67eb7b6f51a463d31e)
+Signed-off-by: Paweł Gronowski
+---
+ .../builder-next/adapters/snapshot/layer.go | 3 +++
+ .../adapters/snapshot/snapshot.go | 19 +++++++++++--------
+ 2 files changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/builder/builder-next/adapters/snapshot/layer.go b/builder/builder-next/adapters/snapshot/layer.go
+index 73120ea70b..fc83058339 100644
+--- a/builder/builder-next/adapters/snapshot/layer.go
++++ b/builder/builder-next/adapters/snapshot/layer.go
+@@ -22,6 +22,9 @@ func (s *snapshotter) GetDiffIDs(ctx context.Context, key string) ([]layer.DiffI
+ }
+
+ func (s *snapshotter) EnsureLayer(ctx context.Context, key string) ([]layer.DiffID, error) {
++ s.layerCreateLocker.Lock(key)
++ defer s.layerCreateLocker.Unlock(key)
++
+ diffIDs, err := s.GetDiffIDs(ctx, key)
+ if err != nil {
+ return nil, err
+diff --git a/builder/builder-next/adapters/snapshot/snapshot.go b/builder/builder-next/adapters/snapshot/snapshot.go
+index a0d28ad984..510ffefb49 100644
+--- a/builder/builder-next/adapters/snapshot/snapshot.go
++++ b/builder/builder-next/adapters/snapshot/snapshot.go
+@@ -17,6 +17,7 @@ import (
+ "github.com/moby/buildkit/identity"
+ "github.com/moby/buildkit/snapshot"
+ "github.com/moby/buildkit/util/leaseutil"
++ "github.com/moby/locker"
+ "github.com/opencontainers/go-digest"
+
"github.com/pkg/errors" + bolt "go.etcd.io/bbolt" +@@ -51,10 +52,11 @@ type checksumCalculator interface { + type snapshotter struct { + opt Opt + +- refs map[string]layer.Layer +- db *bolt.DB +- mu sync.Mutex +- reg graphIDRegistrar ++ refs map[string]layer.Layer ++ db *bolt.DB ++ mu sync.Mutex ++ reg graphIDRegistrar ++ layerCreateLocker *locker.Locker + } + + // NewSnapshotter creates a new snapshotter +@@ -71,10 +73,11 @@ func NewSnapshotter(opt Opt, prevLM leases.Manager, ns string) (snapshot.Snapsho + } + + s := &snapshotter{ +- opt: opt, +- db: db, +- refs: map[string]layer.Layer{}, +- reg: reg, ++ opt: opt, ++ db: db, ++ refs: map[string]layer.Layer{}, ++ reg: reg, ++ layerCreateLocker: locker.New(), + } + + slm := newLeaseManager(s, prevLM) +-- +2.27.0 + diff --git a/moby.spec b/moby.spec index 18c3aecb6fbe1b3a0b053a5c7582b5b06082857a..ad5c32d280b24c1d75ad672978b820d6e495c727 100644 --- a/moby.spec +++ b/moby.spec @@ -7,7 +7,7 @@ Name: moby Version: 25.0.3 -Release: 26 +Release: 27 Summary: The open-source application container engine License: Apache-2.0 URL: https://www.docker.com @@ -38,6 +38,7 @@ Patch1011: 1011-fix-CVE-2024-36620.patch Patch1012: 1012-fix-CVE-2024-36623.patch Patch1013: 1013-Don-t-enforce-new-validation-rules-for-existing-netw.patch Patch1014: 1014-daemon-overlay2-remove-world-writable-permission-fro.patch +#Patch1015: 1015-builder-next-fix-missing-lock-in-ensurelayer.patch # Patch 2001-2999 for tini Patch2001: 2001-tini.c-a-function-declaration-without-a-prototype-is.patch Requires(meta): %{name}-engine = %{version}-%{release} @@ -229,6 +230,9 @@ fi %systemd_postun_with_restart docker.service %changelog +* Thu Apr 17 2025 shechenglong - 25.0.3-27 +- builder-next: fix missing lock in ensurelayer + * Thu Apr 17 2025 shechenglong - 25.0.3-26 - daemon: overlay2: remove world writable permission from the lower file
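Review bot: The added line `#Patch1015: 1015-builder-next-fix-missing-lock-in-ensurelayer.patch` in the second moby.spec hunk is commented out, unlike Patch1011 to Patch1014 just above it, so RPM will not register the patch and, unless %prep applies it by some path not visible in this diff, the EnsureLayer lock is not in the built binary. Release 25.0.3-27 and its %changelog entry still state "builder-next: fix missing lock in ensurelayer", which misleads anyone checking the package for the layer reference-count data race. Either drop the `#` so the line reads `Patch1015: 1015-builder-next-fix-missing-lock-in-ensurelayer.patch`, or, if the patch is deliberately held back, have the changelog entry say it is carried but not yet applied.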