From ed96506116e96ac112c2ff689bb0f0f12720daf5 Mon Sep 17 00:00:00 2001
From: zhongjiawei
Date: Mon, 2 Dec 2024 14:26:57 +0800
Subject: [PATCH] docker:fix missing lock in ensurelayer

---
 VERSION-vendor | 2 +-
 docker.spec | 8 +-
 git-commit | 2 +-
 ...next-fix-missing-lock-in-ensurelayer.patch | 79 +++++++++++++++++++
 series.conf | 1 +
 5 files changed, 89 insertions(+), 3 deletions(-)
 create mode 100644 patch/0281-docker-builder-next-fix-missing-lock-in-ensurelayer.patch

diff --git a/VERSION-vendor b/VERSION-vendor
index f74a46d..537aef2 100644
--- a/VERSION-vendor
+++ b/VERSION-vendor
@@ -1 +1 @@
-18.09.0.342
+18.09.0.343
diff --git a/docker.spec b/docker.spec
index ec80a02..8048ec5 100644
--- a/docker.spec
+++ b/docker.spec
@@ -1,6 +1,6 @@
 Name: docker-engine
 Version: 18.09.0
-Release: 342
+Release: 343
 Epoch: 2
 Summary: The open-source application container engine
 Group: Tools/Docker
@@ -227,6 +227,12 @@ fi
 %endif
 
 %changelog
+* Mon Dec 02 2024 zhongjiawei - 2:18.09.0-343
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:fix missing lock in ensurelayer
+
 * Fri Oct 25 2024 zhongjiawei - 2:18.09.0-342
 - Type:bugfix
 - CVE:NA
diff --git a/git-commit b/git-commit
index 91fea79..b3a868d 100644
--- a/git-commit
+++ b/git-commit
@@ -1 +1 @@
-26b8df427648c7fa5fef833419438cd4e9d3443b
+7eac36667dc348e0fd7583140599b9d5d1180519
diff --git a/patch/0281-docker-builder-next-fix-missing-lock-in-ensurelayer.patch b/patch/0281-docker-builder-next-fix-missing-lock-in-ensurelayer.patch
new file mode 100644
index 0000000..21b60a6
--- /dev/null
+++ b/patch/0281-docker-builder-next-fix-missing-lock-in-ensurelayer.patch
@@ -0,0 +1,79 @@
+From 5aa1ff9afad56ef0cf4acd983ff441c8048c0ba3 Mon Sep 17 00:00:00 2001
+From: Tonis Tiigi
+Date: Wed, 6 Mar 2024 23:11:32 -0800
+Subject: [PATCH] builder-next: fix missing lock in ensurelayer
+
+When this was called concurrently from the moby image
+exporter there could be a data race where a layer was
+written to the refs map when it was already there.
+
+In that case the reference count got mixed up and on
+release only one of these layers was actually released.
+
+Signed-off-by: Tonis Tiigi
+---
+ .../builder-next/adapters/snapshot/layer.go | 3 +++
+ .../adapters/snapshot/snapshot.go | 19 +++++++++++--------
+ 2 files changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/components/engine/builder/builder-next/adapters/snapshot/layer.go b/components/engine/builder/builder-next/adapters/snapshot/layer.go
+index ffde5eec..13847d5a 100644
+--- a/components/engine/builder/builder-next/adapters/snapshot/layer.go
++++ b/components/engine/builder/builder-next/adapters/snapshot/layer.go
+@@ -13,6 +13,9 @@ import (
+ )
+ 
+ func (s *snapshotter) EnsureLayer(ctx context.Context, key string) ([]layer.DiffID, error) {
++ s.layerCreateLocker.Lock(key)
++ defer s.layerCreateLocker.Unlock(key)
++
+ if l, err := s.getLayer(key, true); err != nil {
+ return nil, err
+ } else if l != nil {
+diff --git a/components/engine/builder/builder-next/adapters/snapshot/snapshot.go b/components/engine/builder/builder-next/adapters/snapshot/snapshot.go
+index c1388da7..2b1d33d7 100644
+--- a/components/engine/builder/builder-next/adapters/snapshot/snapshot.go
++++ b/components/engine/builder/builder-next/adapters/snapshot/snapshot.go
+@@ -11,6 +11,7 @@ import (
+ "github.com/containerd/containerd/snapshots"
+ "github.com/docker/docker/daemon/graphdriver"
+ "github.com/docker/docker/layer"
++ "github.com/docker/docker/pkg/locker"
+ "github.com/moby/buildkit/identity"
+ "github.com/moby/buildkit/snapshot"
+ digest "github.com/opencontainers/go-digest"
+@@ -43,10 +44,11 @@ type checksumCalculator interface {
+ type snapshotter struct {
+ opt Opt
+ 
+- refs map[string]layer.Layer
+- db *bolt.DB
+- mu sync.Mutex
+- reg graphIDRegistrar
++ refs map[string]layer.Layer
++ db *bolt.DB
++ mu sync.Mutex
++ reg graphIDRegistrar
++ layerCreateLocker *locker.Locker
+ }
+ 
+ var _ snapshot.SnapshotterBase = &snapshotter{}
+@@ -65,10 +67,11 @@ func NewSnapshotter(opt Opt) (snapshot.SnapshotterBase, error) {
+ }
+ 
+ s := &snapshotter{
+- opt: opt,
+- db: db,
+- refs: map[string]layer.Layer{},
+- reg: reg,
++ opt: opt,
++ db: db,
++ refs: map[string]layer.Layer{},
++ reg: reg,
++ layerCreateLocker: locker.New(),
+ }
+ return s, nil
+ }
+--
+2.33.0
+
diff --git a/series.conf b/series.conf
index ed501a7..015466a 100644
--- a/series.conf
+++ b/series.conf
@@ -278,4 +278,5 @@ patch/0277-backport-fix-CVE-2024-41110.patch
 patch/0278-docker-add-clone3-seccomp-whitelist-for-arm64.patch
 patch/0279-docker-try-to-reconnect-when-containerd-grpc-return-.patch
 patch/0280-docker-support-calling-clone-when-clone3-is-not-supp.patch
+patch/0281-docker-builder-next-fix-missing-lock-in-ensurelayer.patch
 #end
--
Gitee
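Review bot: The new `layerCreateLocker` field in the `snapshotter` struct carries no comment saying what it guards or how it relates to `mu`, and `defer s.layerCreateLocker.Unlock(key)` in EnsureLayer silently drops whatever `Unlock` returns (if this is moby's `pkg/locker`, that is an error value), so a reader cannot tell from the code which lock protects `refs`. I would document the field with `// layerCreateLocker serializes EnsureLayer per layer key so a layer is created and inserted into refs at most once; refs itself is still guarded by mu.` The per-key lock only closes the race if every path that inserts into `refs` for a given key takes it — if `getLayer` or a release path elsewhere in snapshot.go also writes `refs`, it needs the same lock, which this hunk does not show. Since the per-key lock is now taken before anything in EnsureLayer that may acquire `mu`, a caller that already holds `mu` and enters EnsureLayer for the same key would deadlock; that ordering is worth stating at the field. EnsureLayer's body continues past the hunk, so the remaining writes to `refs` are not visible here.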