From 83f0f0ea7393636c1710b153e55bbba9f8a1e6fd Mon Sep 17 00:00:00 2001 
From: zhongjiawei Date: Wed, 29 Mar 2023 16:19:20 +0800 Subject: [PATCH] docker:sync some patches (cherry picked from commit 5004ebff5b6cd0eeff1a8edaf8f59dea0f348021) --- VERSION-vendor | 2 +- docker.spec | 8 +- git-commit | 2 +- ...routine-leak-by-making-channel-non-b.patch | 27 +++++ patch/0244-docker-Fix-off-by-one-bug.patch | 63 +++++++++++ ...ock-in-resolvePluginID-to-fix-double.patch | 32 ++++++ ...rtup-actually-shutdown-the-container.patch | 102 ++++++++++++++++++ ...ker-builder-fix-concurrent-map-write.patch | 29 +++++ ...e-to-null-value-returned-by-ep.Iface.patch | 71 ++++++++++++ ...docker-plugin-fix-a-double-RLock-bug.patch | 29 +++++ ...r-case-when-fixed-cidr-ipv6-is-empty.patch | 34 ++++++ ...Start-fix-unhandled-error-for-saveAp.patch | 29 +++++ ...cker-Prevent-panic-on-network-attach.patch | 82 ++++++++++++++ ...uild-fix-panic-when-exporting-to-tar.patch | 34 ++++++ ...-right-device-number-which-great-tha.patch | 42 ++++++++ series.conf | 12 +++ 16 files changed, 595 insertions(+), 3 deletions(-) create mode 100644 patch/0243-docker-fix-potential-goroutine-leak-by-making-channel-non-b.patch create mode 100644 patch/0244-docker-Fix-off-by-one-bug.patch create mode 100644 patch/0245-docker-plugin-remove-Rlock-in-resolvePluginID-to-fix-double.patch create mode 100644 patch/0246-docker-On-startup-actually-shutdown-the-container.patch create mode 100644 patch/0247-docker-builder-fix-concurrent-map-write.patch create mode 100644 patch/0248-docker-Fix-NPE-due-to-null-value-returned-by-ep.Iface.patch create mode 100644 patch/0249-docker-plugin-fix-a-double-RLock-bug.patch create mode 100644 patch/0250-docker-Handle-error-case-when-fixed-cidr-ipv6-is-empty.patch create mode 100644 patch/0251-docker-daemon-containerStart-fix-unhandled-error-for-saveAp.patch create mode 100644 patch/0252-docker-Prevent-panic-on-network-attach.patch create mode 100644 patch/0253-docker-build-fix-panic-when-exporting-to-tar.patch create mode 100644 
patch/0254-docker-bugfix-fetch-the-right-device-number-which-great-tha.patch diff --git a/VERSION-vendor b/VERSION-vendor index e2a3f98..594e347 100644 --- a/VERSION-vendor +++ b/VERSION-vendor @@ -1 +1 @@ -18.09.0.320 +18.09.0.321 diff --git a/docker.spec b/docker.spec index 0b7d0d1..c8a1d11 100644 --- a/docker.spec +++ b/docker.spec @@ -1,6 +1,6 @@ Name: docker-engine Version: 18.09.0 -Release: 320 +Release: 321 Epoch: 2 Summary: The open-source application container engine Group: Tools/Docker @@ -213,6 +213,12 @@ fi %endif %changelog +* Wed Mar 29 2023 zhongjiawei - 18.09.0-321 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:sync some patches + * Wed Mar 15 2023 zhongjiawei - 18.09.0-320 - Type:bugfix - CVE:NA diff --git a/git-commit b/git-commit index 8595ac8..85d50d7 100644 --- a/git-commit +++ b/git-commit @@ -1 +1 @@ -dc32e88375199186065f6206a9be6a7417d64620 +8874a39f1d69c76ddfef890840f955030e1ee461 diff --git a/patch/0243-docker-fix-potential-goroutine-leak-by-making-channel-non-b.patch b/patch/0243-docker-fix-potential-goroutine-leak-by-making-channel-non-b.patch new file mode 100644 index 0000000..aa1777d --- /dev/null +++ b/patch/0243-docker-fix-potential-goroutine-leak-by-making-channel-non-b.patch @@ -0,0 +1,27 @@ +From cfc3497b3612d7f4a5cb56bbf2d04fcd9d48a1d3 Mon Sep 17 00:00:00 2001 +From: Shihao Xia +Date: Thu, 26 Aug 2021 12:57:03 -0400 +Subject: [PATCH 01/14] fix potential goroutine leak by making channel + non-blocking 
Signed-off-by: Shihao Xia + Upstream-commit: 6a72e73c1d9f991c2f3da5199b8ad221c3668515 Component: engine + +--- + components/engine/container/state.go | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/components/engine/container/state.go b/components/engine/container/state.go +index 292b0ec0bc..c2ce0323a5 100644 +--- a/components/engine/container/state.go ++++ b/components/engine/container/state.go +@@ -217,7 +217,7 @@ func (s *State) Wait3(ctx context.Context, condition WaitCondition, waitStop cha + // actually stopped. + waitRemove := s.waitRemove + +- resultC := make(chan StateStatus) ++ resultC := make(chan StateStatus, 1) + + go func() { + select { +-- +2.33.0 + diff --git a/patch/0244-docker-Fix-off-by-one-bug.patch b/patch/0244-docker-Fix-off-by-one-bug.patch new file mode 100644 index 0000000..4f3a1d1 --- /dev/null +++ b/patch/0244-docker-Fix-off-by-one-bug.patch 
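Review bot: The capacity of 1 on `resultC` in `State.Wait3` is the entire fix in patch 0243, yet nothing in the code says why the channel is buffered, so a later cleanup could revert it to `make(chan StateStatus)` without noticing. I would add a line above it such as `// Buffered so the goroutine below can deliver its result and exit even if the caller has stopped receiving.` A buffer of one is only enough if the goroutine sends at most once; that cannot be confirmed here because the body of Wait3 continues outside the hunk.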
@@ -0,0 +1,63 @@
+From ddf2e1ab2b60ff267a437fda133a9b9b828509fe Mon Sep 17 00:00:00 2001
+From: Oscar Bonilla <6f6231@gmail.com>
+Date: Sun, 20 Dec 2020 16:12:27 -0800
+Subject: [PATCH 03/14] Fix off-by-one bug
+
+This is a fix for https://github.com/docker/for-linux/issues/1012.
+
+The code was not considering that C strings are NULL-terminated so
+we need to leave one extra byte.
+
+Without this fix, the testcase in https://github.com/docker/for-linux/issues/1012
+fails with
+
+```
+Step 61/1001 : RUN echo 60 > 60
+ ---> Running in dde85ac3b1e3
+Removing intermediate container dde85ac3b1e3
+ ---> 80a12a18a241
+Step 62/1001 : RUN echo 61 > 61
+error creating overlay mount to /23456789112345678921234/overlay2/d368abcc97d6c6ebcf23fa71225e2011d095295d5d8c9b31d6810bea748bdf07-init/merged: no such file or directory
+```
+
+with the output of `dmesg -T` as:
+
+```
+[Sat Dec 19 02:35:40 2020] overlayfs: failed to resolve '/23456789112345678921234/overlay2/89e435a1b24583c463abb73e8abfad8bf8a88312ef8253455390c5fa0a765517-init/wor': -2
+```
+
+with this fix, you get the expected:
+
+```
+Step 126/1001 : RUN echo 125 > 125
+ ---> Running in 2f2e56da89e0
+max depth exceeded
+```
+
+Signed-off-by: Oscar Bonilla <6f6231@gmail.com>
+Upstream-commit: c923f6ac3bf61c8eb369a978b55a5d3f1fad0fbb
+Component: engine
+---
+ components/engine/daemon/graphdriver/overlay2/overlay.go | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/components/engine/daemon/graphdriver/overlay2/overlay.go b/components/engine/daemon/graphdriver/overlay2/overlay.go
+index 3a9f5ce6e7..40a81ad0b0 100644
+--- a/components/engine/daemon/graphdriver/overlay2/overlay.go
++++ b/components/engine/daemon/graphdriver/overlay2/overlay.go
+@@ -714,10 +714,10 @@ func (d *Driver) Get(id, mountLabel string) (_ containerfs.ContainerFS, retErr e
+ // the page size. The mount syscall fails if the mount data cannot
+ // fit within a page and relative links make the mount data much
+ // smaller at the expense of requiring a fork exec to chroot.
+- if len(mountData) > pageSize {
++ if len(mountData) > pageSize-1 {
+ opts = indexOff + "lowerdir=" + string(lowers) + ",upperdir=" + path.Join(id, "diff") + ",workdir=" + path.Join(id, "work")
+ mountData = label.FormatMountLabel(opts, mountLabel)
+- if len(mountData) > pageSize {
++ if len(mountData) > pageSize-1 {
+ return nil, fmt.Errorf("cannot mount layer, mount label too large %d", len(mountData))
+ }
+
+--
+2.33.0
+
diff --git a/patch/0245-docker-plugin-remove-Rlock-in-resolvePluginID-to-fix-double.patch b/patch/0245-docker-plugin-remove-Rlock-in-resolvePluginID-to-fix-double.patch
new file mode 100644
index 0000000..55bec29
--- /dev/null
+++ b/patch/0245-docker-plugin-remove-Rlock-in-resolvePluginID-to-fix-double.patch
@@ -0,0 +1,32 @@
+From 57b288abe57c91f7e69d59abcd1e063877ad08b8 Mon Sep 17 00:00:00 2001
+From: BurtonQin
+Date: Tue, 28 Apr 2020 11:37:35 -0400
+Subject: [PATCH 04/14] plugin: remove Rlock in resolvePluginID to fix double
+ Rlock
+
+Signed-off-by: BurtonQin
+Upstream-commit: a36db14ce0223864a46a7764fa35db1153952023
+Component: engine
+---
+ components/engine/plugin/store.go | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/components/engine/plugin/store.go b/components/engine/plugin/store.go
+index 8e96c11da4..b862b08aba 100644
+--- a/components/engine/plugin/store.go
++++ b/components/engine/plugin/store.go
+@@ -250,10 +250,8 @@ func (ps *Store) CallHandler(p *v2.Plugin) {
+ }
+ }
+
++// resolvePluginID must be protected by ps.RLock
+ func (ps *Store) resolvePluginID(idOrName string) (string, error) {
+- ps.RLock() // todo: fix
+- defer ps.RUnlock()
+-
+ if validFullID.MatchString(idOrName) {
+ return idOrName, nil
+ }
+--
+2.33.0
+
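Review bot: Both size checks in `Driver.Get` (patch 0244) now compare against `pageSize-1`, but the comment above them still only talks about the mount data fitting within a page; the reason for the spare byte, the NUL terminator mentioned in the commit message, is not recorded in the code. A one-line comment such as `// Leave one byte for the NUL terminator of the mount data string.` would do, or a single named value like `maxMountData := pageSize - 1` used at both sites so the two comparisons cannot drift apart. The function body extends beyond the hunk on both sides.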
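Review bot: Removing `ps.RLock()` from `resolvePluginID` (patch 0245) makes its safety depend entirely on its callers, and the only thing enforcing that is the new comment `// resolvePluginID must be protected by ps.RLock`. No caller is visible in this hunk, so it should be confirmed against the 18.09.0 tree this series is applied to, not only against upstream, that every call site holds the store lock; one that does not would read store state unsynchronised. The mirror image applies to patch 0249, which drops the lock around `ps.getAllByCap(capability)` in `GetAllByCap` and is only safe if `getAllByCap` takes the read lock itself. I would also tighten the comment to `// resolvePluginID must be called with ps.RLock (or ps.Lock) held.`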
diff --git a/patch/0246-docker-On-startup-actually-shutdown-the-container.patch b/patch/0246-docker-On-startup-actually-shutdown-the-container.patch
new file mode 100644
index 0000000..966d73c
--- /dev/null
+++ b/patch/0246-docker-On-startup-actually-shutdown-the-container.patch
@@ -0,0 +1,102 @@
+From 50af5f9c3fead1cca65c088c920d36faa5b29264 Mon Sep 17 00:00:00 2001
+From: Brian Goff
+Date: Tue, 7 Apr 2020 17:03:32 -0700
+Subject: [PATCH 06/14] On startup, actually shutdown the container.
+
+When a container is left running after the daemon exits (e.g. the daemon
+is SIGKILL'd or crashes), it should stop any running containers when the
+daemon starts back up.
+
+What actually happens is the daemon only sends the container's
+configured stop signal and does not check if it has exited.
+If the container does not actually exit then it is left running.
+
+This fixes this unexpected behavior by calling the same function to shut
+down the container that the daemon shutdown process does.
+
+Signed-off-by: Brian Goff
+Upstream-commit: ced91bee4b54c6acc3271e6ed28e0496a344321f
+Component: engine
+---
+ components/engine/daemon/daemon.go | 3 +-
+ .../integration/container/daemon_test.go | 51 +++++++++++++++++++
+ 2 files changed, 53 insertions(+), 1 deletion(-)
+ create mode 100644 components/engine/integration/container/daemon_test.go
+
+diff --git a/components/engine/daemon/daemon.go b/components/engine/daemon/daemon.go
+index 96cfb14bf8..8754492cef 100644
+--- a/components/engine/daemon/daemon.go
++++ b/components/engine/daemon/daemon.go
+@@ -397,10 +397,11 @@ func (daemon *Daemon) restore() error {
+ return
+ }
+ } else if !daemon.configStore.LiveRestoreEnabled {
+- if err := daemon.kill(c, c.StopSignal()); err != nil && !errdefs.IsNotFound(err) {
++ if err := daemon.shutdownContainer(c); err != nil && !errdefs.IsNotFound(err) {
+ logrus.WithError(err).WithField("container", c.ID).Error("error shutting down container")
+ return
+ }
++ c.ResetRestartManager(false)
+ }
+
+ if alive && !c.IsRunning() && pid > 1 {
+diff --git a/components/engine/integration/container/daemon_test.go b/components/engine/integration/container/daemon_test.go
+new file mode 100644
+index 0000000000..94468a4409
+--- /dev/null
++++ b/components/engine/integration/container/daemon_test.go
+@@ -0,0 +1,51 @@
++package container
++
++import (
++ "context"
++ "testing"
++
++ "github.com/docker/docker/api/types"
++ "github.com/docker/docker/integration/internal/container"
++ "github.com/docker/docker/testutil/daemon"
++ "gotest.tools/v3/assert"
++ is "gotest.tools/v3/assert/cmp"
++ "gotest.tools/v3/skip"
++)
++
++// Make sure a container that does not exit when it upon receiving it's stop signal is actually shutdown on daemon
++// startup.
++func TestContainerKillOnDaemonStart(t *testing.T) {
++ skip.If(t, testEnv.IsRemoteDaemon, "cannot start daemon on remote test run")
++ skip.If(t, testEnv.DaemonInfo.OSType == "windows")
++ skip.If(t, testEnv.IsRootless, "scenario doesn't work with rootless mode")
++
++ t.Parallel()
++
++ d := daemon.New(t)
++ defer d.Cleanup(t)
++
++ d.StartWithBusybox(t, "--iptables=false")
++ defer d.Stop(t)
++
++ client := d.NewClientT(t)
++ ctx := context.Background()
++
++ // The intention of this container is to ignore stop signals.
++ // Sadly this means the test will take longer, but at least this test can be parallelized.
++ id := container.Run(ctx, t, client, container.WithCmd("/bin/sh", "-c", "while true; do echo hello; sleep 1; done"))
++ defer func() {
++ err := client.ContainerRemove(ctx, id, types.ContainerRemoveOptions{Force: true})
++ assert.NilError(t, err)
++ }()
++
++ inspect, err := client.ContainerInspect(ctx, id)
++ assert.NilError(t, err)
++ assert.Assert(t, inspect.State.Running)
++
++ assert.NilError(t, d.Kill())
++ d.Start(t)
++
++ inspect, err = client.ContainerInspect(ctx, id)
++ assert.Check(t, is.Nil(err))
++ assert.Assert(t, !inspect.State.Running)
++}
+--
+2.33.0
+
diff --git a/patch/0247-docker-builder-fix-concurrent-map-write.patch b/patch/0247-docker-builder-fix-concurrent-map-write.patch
new file mode 100644
index 0000000..377d5f9
--- /dev/null
+++ b/patch/0247-docker-builder-fix-concurrent-map-write.patch
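Review bot: In `TestContainerKillOnDaemonStart` (patch 0246) the inspect after the daemon restart is checked with `assert.Check(t, is.Nil(err))`, which records the failure but lets the test continue, so a failed `ContainerInspect` goes straight on to dereference `inspect.State` on the next line; `assert.NilError(t, err)` would stop cleanly instead. The new file also imports `github.com/docker/docker/testutil/daemon` and `gotest.tools/v3/...`; whether those paths exist in the 18.09.0 source and vendor tree cannot be seen from this patch and is worth checking, because a missing package would break the integration test build.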
@@ -0,0 +1,29 @@
+From dacea224b14852b37ea2563df022165dc58bbdaa Mon Sep 17 00:00:00 2001
+From: Tonis Tiigi
+Date: Fri, 3 Apr 2020 15:33:15 -0700
+Subject: [PATCH 07/14] builder: fix concurrent map write
+
+Signed-off-by: Tonis Tiigi
+Upstream-commit: 5ad981640f9e747e9c9d29c686084206e007f07b
+Component: engine
+---
+ components/engine/builder/builder-next/builder.go | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/components/engine/builder/builder-next/builder.go b/components/engine/builder/builder-next/builder.go
+index 1e3c7bda2f..a4f0ac7e79 100644
+--- a/components/engine/builder/builder-next/builder.go
++++ b/components/engine/builder/builder-next/builder.go
+@@ -213,7 +213,9 @@ func (b *Builder) Build(ctx context.Context, opt backend.BuildConfig) (*builder.
+ }
+
+ defer func() {
++ b.mu.Lock()
+ delete(b.jobs, buildID)
++ b.mu.Unlock()
+ }()
+ }
+
+--
+2.33.0
+
diff --git a/patch/0248-docker-Fix-NPE-due-to-null-value-returned-by-ep.Iface.patch b/patch/0248-docker-Fix-NPE-due-to-null-value-returned-by-ep.Iface.patch
new file mode 100644
index 0000000..3fa4137
--- /dev/null
+++ b/patch/0248-docker-Fix-NPE-due-to-null-value-returned-by-ep.Iface.patch
@@ -0,0 +1,71 @@
+From 5a155c96e8d540640d4cd8c58371269a89359fd8 Mon Sep 17 00:00:00 2001
+From: Arko Dasgupta
+Date: Thu, 2 Apr 2020 21:21:47 -0700
+Subject: [PATCH 08/14] Fix NPE due to null value returned by ep.Iface()
+
+This PR carryforwards https://github.com/moby/libnetwork/pull/2239
+and incorporates the suggestions in comments to fix the NPE and
+potential NPEs due to a null value returned by ep.Iface()
+
+Signed-off-by: Arko Dasgupta
+Upstream-commit: c7f0b0152e13c95d53c9ce49a318effa50053239
+Component: engine
+---
+ .../engine/vendor/github.com/docker/libnetwork/agent.go | 4 ++--
+ .../engine/vendor/github.com/docker/libnetwork/controller.go | 4 ++++
+ .../engine/vendor/github.com/docker/libnetwork/network.go | 2 +-
+ 3 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/components/engine/vendor/github.com/docker/libnetwork/agent.go b/components/engine/vendor/github.com/docker/libnetwork/agent.go
+index a9d77e2670..c2712778fc 100644
+--- a/components/engine/vendor/github.com/docker/libnetwork/agent.go
++++ b/components/engine/vendor/github.com/docker/libnetwork/agent.go
+@@ -583,7 +583,7 @@ func (ep *endpoint) deleteDriverInfoFromCluster() error {
+ }
+
+ func (ep *endpoint) addServiceInfoToCluster(sb *sandbox) error {
+- if ep.isAnonymous() && len(ep.myAliases) == 0 || ep.Iface().Address() == nil {
++ if ep.isAnonymous() && len(ep.myAliases) == 0 || ep.Iface() == nil || ep.Iface().Address() == nil {
+ return nil
+ }
+
+@@ -706,7 +706,7 @@ func (ep *endpoint) deleteServiceInfoFromCluster(sb *sandbox, fullRemove bool, m
+ }
+ }
+
+- if ep.Iface().Address() != nil {
++ if ep.Iface() != nil && ep.Iface().Address() != nil {
+ if ep.svcID != "" {
+ // This is a task part of a service
+ var ingressPorts []*PortConfig
+diff --git a/components/engine/vendor/github.com/docker/libnetwork/controller.go b/components/engine/vendor/github.com/docker/libnetwork/controller.go
+index 95013d31d3..fb9d38b534 100644
+--- a/components/engine/vendor/github.com/docker/libnetwork/controller.go
++++ b/components/engine/vendor/github.com/docker/libnetwork/controller.go
+@@ -973,6 +973,10 @@ func (c *controller) reservePools() {
+ continue
+ }
+ for _, ep := range epl {
++ if ep.Iface() == nil {
++ logrus.Warnf("endpoint interface is empty for %q (%s)", ep.Name(), ep.ID())
++ continue
++ }
+ if err := ep.assignAddress(ipam, true, ep.Iface().AddressIPv6() != nil); err != nil {
+ logrus.Warnf("Failed to reserve current address for endpoint %q (%s) on network %q (%s)",
+ ep.Name(), ep.ID(), n.Name(), n.ID())
+diff --git a/components/engine/vendor/github.com/docker/libnetwork/network.go b/components/engine/vendor/github.com/docker/libnetwork/network.go
+index 0a4a2277b0..4940aa8354 100644
+--- a/components/engine/vendor/github.com/docker/libnetwork/network.go
++++ b/components/engine/vendor/github.com/docker/libnetwork/network.go
+@@ -1327,7 +1327,7 @@ func (n *network) EndpointByID(id string) (Endpoint, error) {
+ func (n *network) updateSvcRecord(ep *endpoint, localEps []*endpoint, isAdd bool) {
+ var ipv6 net.IP
+ epName := ep.Name()
+- if iface := ep.Iface(); iface.Address() != nil {
++ if iface := ep.Iface(); iface != nil && iface.Address() != nil {
+ myAliases := ep.MyAliases()
+ if iface.AddressIPv6() != nil {
+ ipv6 = iface.AddressIPv6().IP
+--
+2.33.0
+
diff --git a/patch/0249-docker-plugin-fix-a-double-RLock-bug.patch b/patch/0249-docker-plugin-fix-a-double-RLock-bug.patch
new file mode 100644
index 0000000..36819a2
--- /dev/null
+++ b/patch/0249-docker-plugin-fix-a-double-RLock-bug.patch
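Review bot: The new guards in agent.go and controller.go (patch 0248) call `ep.Iface()` once for the nil test and again for the dereference, as in `ep.Iface() == nil || ep.Iface().Address() == nil`, while the network.go hunk reads it once with `if iface := ep.Iface(); iface != nil && ...`. If the endpoint's interface can be cleared between the two calls (what Iface() does internally is not visible here), the second call can still return nil, so the check is only reliable with a single read; I would use the local-variable form at all three sites, e.g. `iface := ep.Iface()` followed by `iface == nil || iface.Address() == nil`. The condition in `addServiceInfoToCluster` also mixes `&&` and `||` without parentheses, which is easy to misread. All four functions continue outside their hunks.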
@@ -0,0 +1,29 @@
+From 2fd68d3c6bb43ba68dbc4c9fb0bb3498c825cd28 Mon Sep 17 00:00:00 2001
+From: Ziheng Liu
+Date: Tue, 25 Feb 2020 13:51:13 -0500
+Subject: [PATCH 09/14] plugin: fix a double RLock bug
+
+Signed-off-by: Ziheng Liu
+Upstream-commit: 34837febc42859f7e8804a3417db133c963e38b3
+Component: engine
+---
+ components/engine/plugin/store.go | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/components/engine/plugin/store.go b/components/engine/plugin/store.go
+index b862b08aba..b74772e1a6 100644
+--- a/components/engine/plugin/store.go
++++ b/components/engine/plugin/store.go
+@@ -188,9 +188,7 @@ func (ps *Store) GetAllByCap(capability string) ([]plugingetter.CompatPlugin, er
+ * bypassing the daemon. For such tests, this check is necessary.
+ */
+ if ps != nil {
+- ps.RLock()
+ result = ps.getAllByCap(capability)
+- ps.RUnlock()
+ }
+
+ // Lookup with legacy model
+--
+2.33.0
+
diff --git a/patch/0250-docker-Handle-error-case-when-fixed-cidr-ipv6-is-empty.patch b/patch/0250-docker-Handle-error-case-when-fixed-cidr-ipv6-is-empty.patch
new file mode 100644
index 0000000..d4a2507
--- /dev/null
+++ b/patch/0250-docker-Handle-error-case-when-fixed-cidr-ipv6-is-empty.patch
@@ -0,0 +1,34 @@
+From 273b764b75fab0f2148caea3b8d0122a2661fc45 Mon Sep 17 00:00:00 2001
+From: Arko Dasgupta
+Date: Fri, 10 Jan 2020 18:53:59 -0800
+Subject: [PATCH 10/14] Handle error case when fixed-cidr-ipv6 is empty
+
+When IPv6 is enabled, make sure fixed-cidr-ipv6 is set
+by the user since there is no default IPv6 local subnet
+in the IPAM
+
+Signed-off-by: Arko Dasgupta
+Upstream-commit: bdad16b0eeaefd4313e92ee6f6978e4285bfaf8d
+Component: engine
+---
+ components/engine/daemon/daemon_unix.go | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/components/engine/daemon/daemon_unix.go b/components/engine/daemon/daemon_unix.go
+index 8c21807dfb..10d0b3197d 100644
+--- a/components/engine/daemon/daemon_unix.go
++++ b/components/engine/daemon/daemon_unix.go
+@@ -1077,7 +1077,9 @@ func initBridgeDriver(controller libnetwork.NetworkController, config *config.Co
+ }
+
+ var deferIPv6Alloc bool
+- if config.BridgeConfig.FixedCIDRv6 != "" {
++ if config.BridgeConfig.EnableIPv6 && config.BridgeConfig.FixedCIDRv6 == "" {
++ return errors.New("IPv6 is enabled for the default bridge, but no subnet is configured. Specify an IPv6 subnet using --fixed-cidr-v6")
++ } else if config.BridgeConfig.FixedCIDRv6 != "" {
+ _, fCIDRv6, err := net.ParseCIDR(config.BridgeConfig.FixedCIDRv6)
+ if err != nil {
+ return err
+--
+2.33.0
+
diff --git a/patch/0251-docker-daemon-containerStart-fix-unhandled-error-for-saveAp.patch b/patch/0251-docker-daemon-containerStart-fix-unhandled-error-for-saveAp.patch
new file mode 100644
index 0000000..458c7f3
--- /dev/null
+++ b/patch/0251-docker-daemon-containerStart-fix-unhandled-error-for-saveAp.patch
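Review bot: The new early return in `initBridgeDriver` (patch 0250) makes the daemon refuse to initialise the default bridge for a configuration the old code let past this point, namely `EnableIPv6` set with an empty `FixedCIDRv6`. For a package update whose changelog entry is only "sync some patches", that is an availability change for hosts already configured this way, so the spec changelog or release notes should state that enabling IPv6 on the default bridge now requires `--fixed-cidr-v6`. As a style point, the `else if` that follows a branch ending in `return` can be a plain `if`. The function body continues outside the hunk.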
@@ -0,0 +1,29 @@
+From 9b812e1dfa003cd937f872cc4789bcc924685604 Mon Sep 17 00:00:00 2001
+From: Sebastiaan van Stijn
+Date: Thu, 29 Aug 2019 20:28:58 +0200
+Subject: [PATCH 11/14] daemon:containerStart() fix unhandled error for
+ saveApparmorConfig
+
+Signed-off-by: Sebastiaan van Stijn
+Upstream-commit: 1250e42a43e5c2dd3efbcbc20c7fa3804c3dc3fb
+Component: engine
+---
+ components/engine/daemon/start.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/components/engine/daemon/start.go b/components/engine/daemon/start.go
+index 7a7e2b2ee9..301639eedc 100644
+--- a/components/engine/daemon/start.go
++++ b/components/engine/daemon/start.go
+@@ -176,7 +176,7 @@ func (daemon *Daemon) containerStart(container *container.Container, checkpoint
+ container.ResetRestartManager(true)
+ }
+
+- if daemon.saveApparmorConfig(container); err != nil {
++ if err := daemon.saveApparmorConfig(container); err != nil {
+ return err
+ }
+
+--
+2.33.0
+
diff --git a/patch/0252-docker-Prevent-panic-on-network-attach.patch b/patch/0252-docker-Prevent-panic-on-network-attach.patch
new file mode 100644
index 0000000..0882712
--- /dev/null
+++ b/patch/0252-docker-Prevent-panic-on-network-attach.patch
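Review bot: The error from `saveApparmorConfig` is returned bare from `containerStart` (patch 0251), and nothing in the code says that refusing to start the container here is deliberate. Since the old condition discarded the call's result and tested an outer `err`, this is a behaviour change operators may notice; a comment such as `// Fail closed: do not start the container if its AppArmor configuration could not be saved.` would record the intent, and wrapping the error with what was being attempted would make the failure easier to diagnose. The rest of containerStart, including any cleanup that depends on the returned error, is outside the hunk.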
@@ -0,0 +1,82 @@ +From 8d0cbacc2f9153bf95c71189455e2488b49c328b Mon Sep 17 00:00:00 2001 +From: Sebastiaan van Stijn +Date: Mon, 22 Jul 2019 14:44:04 +0200 +Subject: [PATCH 12/14] Prevent panic on network attach + +In situations where `container.NetworkSettings` was not nil, but +`container.NetworkSettings.Networks` was, a panic could occur: + +``` +2019-06-10 15:26:50.548309 I | http: panic serving @: assignment to entry in nil map +goroutine 1376 [running]: +net/http.(*conn).serve.func1(0xc4211068c0) + /usr/local/go/src/net/http/server.go:1726 +0xd2 +panic(0x558939d7e1e0, 0x55893a0c4410) + /usr/local/go/src/runtime/panic.go:502 +0x22d +github.com/docker/docker/daemon.(*Daemon).updateNetworkSettings(0xc42090c5a0, 0xc420fb6fc0, 0x55893a101140, 0xc4210e0540, 0xc42112aa80, 0xc4217d77a0, 0x0) + /go/src/github.com/docker/docker/daemon/container_operations.go:275 +0x40e +github.com/docker/docker/daemon.(*Daemon).updateNetworkConfig(0xc42090c5a0, 0xc420fb6fc0, 0x55893a101140, 0xc4210e0540, 0xc42112aa80, 0x55893a101101, 0xc4210e0540, 0x0) + /go/src/github.com/docker/docker/daemon/container_operations.go:683 +0x219 +github.com/docker/docker/daemon.(*Daemon).connectToNetwork(0xc42090c5a0, 0xc420fb6fc0, 0xc420e8290f, 0x40, 0xc42112aa80, 0x558937eabd01, 0x0, 0x0) + /go/src/github.com/docker/docker/daemon/container_operations.go:728 +0x1cb +github.com/docker/docker/daemon.(*Daemon).ConnectToNetwork(0xc42090c5a0, 0xc420fb6fc0, 0xc420e8290f, 0x40, 0xc42112aa80, 0x0, 0x0) + /go/src/github.com/docker/docker/daemon/container_operations.go:1046 +0x2b3 +github.com/docker/docker/daemon.(*Daemon).ConnectContainerToNetwork(0xc42090c5a0, 0xc4214ca580, 0x40, 0xc420e8290f, 0x40, 0xc42112aa80, 0x2, 0xe600000000000001) + /go/src/github.com/docker/docker/daemon/network.go:450 +0xa1 +github.com/docker/docker/api/server/router/network.(*networkRouter).postNetworkConnect(0xc42121bbc0, 0x55893a0edee0, 0xc420de7cb0, 0x55893a0ec2e0, 0xc4207f0e00, 0xc420173600, 0xc420de7980, 0x5589394707cc, 0x5) + 
/go/src/github.com/docker/docker/api/server/router/network/network_routes.go:278 +0x330 +github.com/docker/docker/api/server/router/network.(*networkRouter).(github.com/docker/docker/api/server/router/network.postNetworkConnect)-fm(0x55893a0edee0, 0xc420de7cb0, 0x55893a0ec2e0, 0xc4207f0e00, 0xc420173600, 0xc420de7980, 0x558937fd89dc, 0x558939f2cec0) + /go/src/github.com/docker/docker/api/server/router/network/network.go:37 +0x6b +github.com/docker/docker/api/server/middleware.ExperimentalMiddleware.WrapHandler.func1(0x55893a0edee0, 0xc420de7cb0, 0x55893a0ec2e0, 0xc4207f0e00, 0xc420173600, 0xc420de7980, 0x55893a0edee0, 0xc420de7cb0) + /go/src/github.com/docker/docker/api/server/middleware/experimental.go:26 +0xda +github.com/docker/docker/api/server/middleware.VersionMiddleware.WrapHandler.func1(0x55893a0edee0, 0xc420de7a70, 0x55893a0ec2e0, 0xc4207f0e00, 0xc420173600, 0xc420de7980, 0x0, 0x0) + /go/src/github.com/docker/docker/api/server/middleware/version.go:62 +0x401 +github.com/docker/docker/pkg/authorization.(*Middleware).WrapHandler.func1(0x55893a0edee0, 0xc420de7a70, 0x55893a0ec2e0, 0xc4207f0e00, 0xc420173600, 0xc420de7980, 0x0, 0x558939640868) + /go/src/github.com/docker/docker/pkg/authorization/middleware.go:59 +0x7ab +github.com/docker/docker/api/server/middleware.DebugRequestMiddleware.func1(0x55893a0edee0, 0xc420de7a70, 0x55893a0ec2e0, 0xc4207f0e00, 0xc420173600, 0xc420de7980, 0x55893a0edee0, 0xc420de7a70) + /go/src/github.com/docker/docker/api/server/middleware/debug.go:53 +0x4b8 +github.com/docker/docker/api/server.(*Server).makeHTTPHandler.func1(0x55893a0ec2e0, 0xc4207f0e00, 0xc420173600) + /go/src/github.com/docker/docker/api/server/server.go:141 +0x19a +net/http.HandlerFunc.ServeHTTP(0xc420e0c0e0, 0x55893a0ec2e0, 0xc4207f0e00, 0xc420173600) + /usr/local/go/src/net/http/server.go:1947 +0x46 +github.com/docker/docker/vendor/github.com/gorilla/mux.(*Router).ServeHTTP(0xc420ce5950, 0x55893a0ec2e0, 0xc4207f0e00, 0xc420173600) + 
/go/src/github.com/docker/docker/vendor/github.com/gorilla/mux/mux.go:103 +0x228 +github.com/docker/docker/api/server.(*routerSwapper).ServeHTTP(0xc421078330, 0x55893a0ec2e0, 0xc4207f0e00, 0xc420173600) + /go/src/github.com/docker/docker/api/server/router_swapper.go:29 +0x72 +net/http.serverHandler.ServeHTTP(0xc420902f70, 0x55893a0ec2e0, 0xc4207f0e00, 0xc420173600) + /usr/local/go/src/net/http/server.go:2697 +0xbe +net/http.(*conn).serve(0xc4211068c0, 0x55893a0ede20, 0xc420d81440) + /usr/local/go/src/net/http/server.go:1830 +0x653 +created by net/http.(*Server).Serve + /usr/local/go/src/net/http/server.go:2798 +0x27d +``` + +I have not been able to reproduce the situation, but preventing a panic should +not hurt. + +Signed-off-by: Sebastiaan van Stijn +Upstream-commit: 651e694508563e6fb3e8f5d7037641cc136b2c44 +Component: engine +--- + components/engine/daemon/container_operations.go | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/components/engine/daemon/container_operations.go b/components/engine/daemon/container_operations.go +index 39b52b0374..cee4021544 100644 +--- a/components/engine/daemon/container_operations.go ++++ b/components/engine/daemon/container_operations.go +@@ -238,7 +238,10 @@ func (daemon *Daemon) buildSandboxOptions(container *container.Container) ([]lib + + func (daemon *Daemon) updateNetworkSettings(container *container.Container, n libnetwork.Network, endpointConfig *networktypes.EndpointSettings) error { + if container.NetworkSettings == nil { +- container.NetworkSettings = &network.Settings{Networks: make(map[string]*network.EndpointSettings)} ++ container.NetworkSettings = &network.Settings{} ++ } ++ if container.NetworkSettings.Networks == nil { ++ container.NetworkSettings.Networks = make(map[string]*network.EndpointSettings) + } + + if !container.HostConfig.NetworkMode.IsHost() && containertypes.NetworkMode(n.Type()).IsHost() { +-- +2.33.0 + 
diff --git a/patch/0253-docker-build-fix-panic-when-exporting-to-tar.patch b/patch/0253-docker-build-fix-panic-when-exporting-to-tar.patch
new file mode 100644
index 0000000..1011714
--- /dev/null
+++ b/patch/0253-docker-build-fix-panic-when-exporting-to-tar.patch
@@ -0,0 +1,34 @@
+From 6837bc977c1687431060a5bce88fdd3c75579275 Mon Sep 17 00:00:00 2001
+From: Tibor Vass
+Date: Mon, 3 Jun 2019 22:34:13 +0000
+Subject: [PATCH 13/14] build: fix panic when exporting to tar
+
+Fixes a panic on `docker build -t foo -o - . >/dev/null`
+
+Signed-off-by: Tibor Vass
+Upstream-commit: 6104eb1ae2890371ef0f7440514ee505d73d2c0a
+Component: engine
+---
+ components/engine/api/server/backend/build/backend.go | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/components/engine/api/server/backend/build/backend.go b/components/engine/api/server/backend/build/backend.go
+index 33df264cca..26e5dcd16f 100644
+--- a/components/engine/api/server/backend/build/backend.go
++++ b/components/engine/api/server/backend/build/backend.go
+@@ -82,8 +82,11 @@ func (b *Backend) Build(ctx context.Context, config backend.BuildConfig) (string
+ if !useBuildKit {
+ stdout := config.ProgressWriter.StdoutFormatter
+ fmt.Fprintf(stdout, "Successfully built %s\n", stringid.TruncateID(imageID))
+- err = tagger.TagImages(image.ID(imageID))
++ if imageID != "" {
++ err = tagger.TagImages(image.ID(imageID))
++ }
+ }
++
+ return imageID, err
+ }
+
+--
+2.33.0
+
diff --git a/patch/0254-docker-bugfix-fetch-the-right-device-number-which-great-tha.patch b/patch/0254-docker-bugfix-fetch-the-right-device-number-which-great-tha.patch
new file mode 100644
index 0000000..d9a42e6
--- /dev/null
+++ b/patch/0254-docker-bugfix-fetch-the-right-device-number-which-great-tha.patch
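Review bot: The `imageID != ""` guard added to `Backend.Build` (patch 0253) covers only `TagImages`; the `fmt.Fprintf(stdout, "Successfully built %s\n", ...)` line directly above it still runs unconditionally. If an empty ID is reachable on this `!useBuildKit` path, as the new check implies, the user is told the build succeeded with a blank image ID, so the message belongs inside the same `if imageID != ""` block. The start of Build is outside the hunk, so how `imageID` ends up empty cannot be seen here.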
@@ -0,0 +1,42 @@
+From 2b8319c4bf394c5c8037997de87756dc798e46f9 Mon Sep 17 00:00:00 2001
+From: frankyang
+Date: Tue, 14 May 2019 15:21:55 +0800
+Subject: [PATCH 14/14] bugfix: fetch the right device number which great than
+ 255
+
+Signed-off-by: frankyang
+Upstream-commit: b9f31912deb511e732763e4fa5ecd0208b104eb2
+Component: engine
+---
+ components/engine/daemon/daemon_unix.go | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/components/engine/daemon/daemon_unix.go b/components/engine/daemon/daemon_unix.go
+index 10d0b3197d..06b3ee39fc 100644
+--- a/components/engine/daemon/daemon_unix.go
++++ b/components/engine/daemon/daemon_unix.go
+@@ -179,8 +179,8 @@ func getBlkioWeightDevices(config containertypes.Resources) ([]specs.LinuxWeight
+ }
+ weight := weightDevice.Weight
+ d := specs.LinuxWeightDevice{Weight: &weight}
+- d.Major = int64(stat.Rdev / 256)
+- d.Minor = int64(stat.Rdev % 256)
++ d.Major = int64(unix.Major(stat.Rdev))
++ d.Minor = int64(unix.Minor(stat.Rdev))
+ blkioWeightDevices = append(blkioWeightDevices, d)
+ }
+
+@@ -265,8 +265,8 @@ func getBlkioThrottleDevices(devs []*blkiodev.ThrottleDevice) ([]specs.LinuxThro
+ return nil, errors.Wrapf(err, "Failed to stat device %q", d.Path)
+ }
+ d := specs.LinuxThrottleDevice{Rate: d.Rate}
+- d.Major = int64(stat.Rdev / 256)
+- d.Minor = int64(stat.Rdev % 256)
++ d.Major = int64(unix.Major(stat.Rdev))
++ d.Minor = int64(unix.Minor(stat.Rdev))
+ throttleDevices = append(throttleDevices, d)
+ }
+
+--
+2.33.0
+
diff --git a/series.conf b/series.conf
index ccd4c94..1ef69b6 100644
--- a/series.conf
+++ b/series.conf
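Review bot: `unix.Major` and `unix.Minor` take a `uint64`, but `stat.Rdev` is passed without a conversion in both `getBlkioWeightDevices` and `getBlkioThrottleDevices` (patch 0254). The declaration of `stat` is outside the hunks; if it is a `syscall.Stat_t` or `unix.Stat_t`, the width of `Rdev` differs between Linux architectures, and on a target where it is not `uint64` these four lines would not compile. Writing `unix.Major(uint64(stat.Rdev))` and `unix.Minor(uint64(stat.Rdev))` is portable. The patch touches no import lines, so it also relies on `golang.org/x/sys/unix` already being imported in daemon_unix.go, which is not visible here.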
@@ -237,4 +237,16 @@ patch/0236-docker-set-freezer.state-to-Thawed-to-increase-freez.patch
 patch/0237-docker-stats-fix-panic.patch
 patch/0238-docker-fix-container-missing-after-restarting-docker.patch
 patch/0239-docker-try-http-for-docker-manifest-insecure.patch
+patch/0243-docker-fix-potential-goroutine-leak-by-making-channel-non-b.patch
+patch/0244-docker-Fix-off-by-one-bug.patch
+patch/0245-docker-plugin-remove-Rlock-in-resolvePluginID-to-fix-double.patch
+patch/0246-docker-On-startup-actually-shutdown-the-container.patch
+patch/0247-docker-builder-fix-concurrent-map-write.patch
+patch/0248-docker-Fix-NPE-due-to-null-value-returned-by-ep.Iface.patch
+patch/0249-docker-plugin-fix-a-double-RLock-bug.patch
+patch/0250-docker-Handle-error-case-when-fixed-cidr-ipv6-is-empty.patch
+patch/0251-docker-daemon-containerStart-fix-unhandled-error-for-saveAp.patch
+patch/0252-docker-Prevent-panic-on-network-attach.patch
+patch/0253-docker-build-fix-panic-when-exporting-to-tar.patch
+patch/0254-docker-bugfix-fetch-the-right-device-number-which-great-tha.patch
 #end
-- Gitee