diff --git a/docker.spec b/docker.spec index ddcfbc96f061b546e40d5d8cd344bf63ebe1fb7b..5e4ee8eaa6c95a0005c80e5d74dd07c277c59208 100644 --- a/docker.spec +++ b/docker.spec @@ -1,6 +1,6 @@ Name: docker-engine Version: 18.09.0 -Release: 108 +Release: 109 Summary: The open-source application container engine Group: Tools/Docker @@ -210,3 +210,16 @@ fi %endif %changelog +* Fri Dec 27 2020 liuzekun - 18.09.109 +- Type:bugfix +- ID:NA +- CVE:NA +- SUG:restart +- DESC: +1.add more messages for ops when device not found +2.do not add "-w" to LDFLAG +3.add files in proc for mask +4.fix docker load files leak +5.do not sync if BYPAAS_SYNC is false +6.fix panic on single-character volumes +7.mask /proc/pin_memory diff --git a/docker.yaml b/docker.yaml index 6291420dcbae73b7078198dddca82c6875c7d853..30d6a74bc609ced528d59b0c64ba409549da912c 100644 --- a/docker.yaml +++ b/docker.yaml @@ -1,4 +1,4 @@ version_control: github -src_repo: docker +src_repo: docker/docker-ce tag_prefix: ^v seperator: . diff --git a/git-commit b/git-commit index 5732905b4e019792c8eb9b7a5ced17810c22be68..4ac9680b7f968ac3ba4eaf7acccf1d03232aece2 100644 --- a/git-commit +++ b/git-commit @@ -1 +1 @@ -9798d7077fc83c2be9182cbad441e371cae31303 +026550e43812d1fc2fcea9cc172e35a4b7f1a848 diff --git a/patch/0167-docker-add-more-messages-for-ops-when-device-not-fo.patch b/patch/0167-docker-add-more-messages-for-ops-when-device-not-fo.patch new file mode 100644 index 0000000000000000000000000000000000000000..4863e7637f42c51901e96643d3003a6e05d4a0f0 --- /dev/null +++ b/patch/0167-docker-add-more-messages-for-ops-when-device-not-fo.patch 
@@ -0,0 +1,27 @@
+From 19ce3a9a435ddb67a4e7a081cd23bb5cc19abc92 Mon Sep 17 00:00:00 2001
+From: liuzekun
+Date: Thu, 30 Jul 2020 05:09:42 -0400
+Subject: [PATCH] dockerd: add more messages for ops when device not found in
+ the host
+
+Signed-off-by: liuzekun
+---
+ components/engine/daemon/daemon_unix.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/components/engine/daemon/daemon_unix.go b/components/engine/daemon/daemon_unix.go
+index 5a59b324..af50fa37 100644
+--- a/components/engine/daemon/daemon_unix.go
++++ b/components/engine/daemon/daemon_unix.go
+@@ -262,7 +262,7 @@ func getBlkioThrottleDevices(devs []*blkiodev.ThrottleDevice) ([]specs.LinuxThro
+
+ for _, d := range devs {
+ if err := unix.Stat(d.Path, &stat); err != nil {
+- return nil, err
++ return nil, errors.Wrapf(err, "Failed to stat device %q", d.Path)
+ }
+ d := specs.LinuxThrottleDevice{Rate: d.Rate}
+ d.Major = int64(stat.Rdev / 256)
+--
+2.19.1
+
diff --git a/patch/0168-docker-do-not-add-w-to-LDFLAGS.patch b/patch/0168-docker-do-not-add-w-to-LDFLAGS.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5486839e9a6efc6789cf59502072a03d30305baa
--- /dev/null
+++ b/patch/0168-docker-do-not-add-w-to-LDFLAGS.patch
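Review bot: The wrapped message added to getBlkioThrottleDevices in patch 0167 (daemon_unix.go) starts with a capital and "Failed to", which reads badly once the error is chained into a longer message further up. Go convention is a lowercase description of what this layer was doing, for example `return nil, errors.Wrapf(err, "stat throttle device %q", d.Path)`. The hunk does not touch the import block, so this assumes `errors` in this file already resolves to a package that provides Wrapf; with the standard library package the new line would not compile. The function body starts and ends outside the hunk.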
@@ -0,0 +1,79 @@
+From b23e7a179e68f194516b542bea375c44122e1037 Mon Sep 17 00:00:00 2001
+From: xiadanni1
+Date: Tue, 11 Aug 2020 08:00:12 +0800
+Subject: [PATCH] docker: do not add "-w" to LDFLAG
+
+reason: for gdb debug, do not add "-w" to LDFLAGS
+
+Signed-off-by: xiadanni1
+---
+ components/cli/scripts/build/.variables | 1 -
+ components/cli/scripts/build/dynbinary | 5 ++++-
+ components/engine/hack/make.sh | 5 -----
+ components/engine/hack/make/.binary | 5 ++++-
+ 4 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/components/cli/scripts/build/.variables b/components/cli/scripts/build/.variables
+index a23e379..7b78e62 100755
+--- a/components/cli/scripts/build/.variables
++++ b/components/cli/scripts/build/.variables
+@@ -13,7 +13,6 @@ if test -n "${PLATFORM}"; then
+ fi
+
+ export LDFLAGS="\
+- -w \
+ ${PLATFORM_LDFLAGS} \
+ -X \"github.com/docker/cli/cli.GitCommit=${GITCOMMIT}\" \
+ -X \"github.com/docker/cli/cli.BuildTime=${BUILDTIME}\" \
+diff --git a/components/cli/scripts/build/dynbinary b/components/cli/scripts/build/dynbinary
+index 2442166..40941bb 100755
+--- a/components/cli/scripts/build/dynbinary
++++ b/components/cli/scripts/build/dynbinary
+@@ -13,7 +13,10 @@ export CGO_ENABLED=1
+ BEP_DIR=/tmp/docker-build-bep
+ BEP_FLAGS="-tmpdir=$BEP_DIR"
+ mkdir -p $BEP_DIR
++GC_FLAGS="-gcflags=-trimpath=$GOPATH"
++ASM_FLAGS="-asmflags=-trimpath=$GOPATH"
+
+-go build -o "${TARGET}" -tags pkcs11 --ldflags " -buildid=IdByIsula -extldflags=-zrelro -extldflags=-znow $BEP_FLAGS ${LDFLAGS}" -buildmode=pie "${SOURCE}"
++set -x
++go build $GC_FLAGS $ASM_FLAGS -o "${TARGET}" -tags pkcs11 --ldflags " -buildid=IdByIsula -extldflags=-zrelro -extldflags=-znow $BEP_FLAGS ${LDFLAGS}" -buildmode=pie "${SOURCE}"
+
+ ln -sf "$(basename "${TARGET}")" build/docker
+diff --git a/components/engine/hack/make.sh b/components/engine/hack/make.sh
+index f4a51e7..d24a7b7 100755
+--- a/components/engine/hack/make.sh
++++ b/components/engine/hack/make.sh
+@@ -137,12 +137,7 @@ if \
+ fi
+
+ # Use these flags when compiling the tests and final binary
+-
+ IAMSTATIC='true'
+-if [ -z "$DOCKER_DEBUG" ]; then
+- LDFLAGS='-w'
+-fi
+-
+ LDFLAGS_STATIC=''
+ EXTLDFLAGS_STATIC='-static'
+ # ORIG_BUILDFLAGS is necessary for the cross target which cannot always build
+diff --git a/components/engine/hack/make/.binary b/components/engine/hack/make/.binary
+index f76b6f7..35bb836 100755
+--- a/components/engine/hack/make/.binary
++++ b/components/engine/hack/make/.binary
+@@ -63,7 +63,10 @@ echo "Building: $DEST/$BINARY_FULLNAME"
+ BEP_DIR=/tmp/dockerd-build-bep
+ BEP_FLAGS="-tmpdir=$BEP_DIR"
+ mkdir -p $BEP_DIR
+-go build \
++GC_FLAGS="-gcflags=-trimpath=$GOPATH"
++ASM_FLAGS="-asmflags=-trimpath=$GOPATH"
++set -x
++go build $GC_FLAGS $ASM_FLAGS \
+ -o "$DEST/$BINARY_FULLNAME" \
+ "${BUILDFLAGS[@]}" \
+ -ldflags "
+--
+1.8.3.1
+
diff --git a/patch/0169-docker-add-files-in-proc-for-mask.patch b/patch/0169-docker-add-files-in-proc-for-mask.patch
new file mode 100644
index 0000000000000000000000000000000000000000..18d6522e8a2d4f3edaef1603e19efece401b0e60
--- /dev/null
+++ b/patch/0169-docker-add-files-in-proc-for-mask.patch
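Review bot: In patch 0168, `set -x` is switched on before `go build` in both scripts/build/dynbinary and hack/make/.binary and never switched off, so every later command is traced into the build log; if .binary is sourced by make.sh, as its name suggests, the tracing carries over to the rest of the build and can print environment-derived values. Scoping it to the one command keeps the log useful without that side effect, e.g. in dynbinary `( set -x; go build "$GC_FLAGS" "$ASM_FLAGS" -o "${TARGET}" ... )` with the remaining arguments unchanged. The new `$GC_FLAGS $ASM_FLAGS` are expanded unquoted, so a GOPATH containing spaces splits into extra arguments, and a GOPATH with several colon-separated entries would not match any compiled path prefix. With `-w` removed the binaries keep their DWARF data, so it is worth confirming that packaging splits debug information out of the shipped binaries. The `go build` command in .binary continues past the end of the hunk.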
@@ -0,0 +1,42 @@
+From c9db33aaad779afff04db8beb5b6d7e7e512a66d Mon Sep 17 00:00:00 2001
+From: liuzekun
+Date: Mon, 24 Aug 2020 09:42:21 -0400
+Subject: [PATCH] docker: add files in proc for mask
+
+Signed-off-by: liuzekun
+---
+ components/engine/oci/defaults.go | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/components/engine/oci/defaults.go b/components/engine/oci/defaults.go
+index cd4985f5..ec748a6d 100644
+--- a/components/engine/oci/defaults.go
++++ b/components/engine/oci/defaults.go
+@@ -65,7 +65,7 @@ func DefaultLinuxSpec() specs.Spec {
+ Effective: defaultCapabilities(),
+ },
+ },
+- Root: &specs.Root{},
++ Root: &specs.Root{},
+ Hooks: &specs.Hooks{},
+ }
+ s.Mounts = []specs.Mount{
+@@ -128,9 +128,15 @@ func DefaultLinuxSpec() specs.Spec {
+ "/proc/keys",
+ "/proc/latency_stats",
+ "/proc/livepatch",
++ "/proc/lru_info",
++ "/proc/lru_info_file",
+ "/proc/memstat",
+ "/proc/net_namespace",
+ "/proc/oom_extend",
++ "/proc/pagealloc_statistics",
++ "/proc/pagealloc_bt",
++ "/proc/slaballoc_bt",
++ "/proc/slaballoc_module",
+ "/proc/sched_debug",
+ "/proc/scsi",
+ "/proc/sig_catch",
+--
+2.19.1
+
diff --git a/patch/0170-docker-fix-docker-load-files-leak.patch b/patch/0170-docker-fix-docker-load-files-leak.patch
new file mode 100644
index 0000000000000000000000000000000000000000..75bfa1bb86de5c243589ee28aee3ab8d4a87292f
--- /dev/null
+++ b/patch/0170-docker-fix-docker-load-files-leak.patch
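Review bot: The /proc entries added to the list in DefaultLinuxSpec by patch 0169 (oci/defaults.go) come with no comment and no commit-message rationale saying what each file exposes to a container, and the patch adds no test that they reach the generated spec; the same applies to `/proc/pin_memory` in patch 0173. A one-line comment above each group naming the kernel feature that provides the files would let a later reader judge whether an entry can be dropped or needs a sibling. The new `/proc/slaballoc_*` lines are placed before `/proc/sched_debug`, which breaks the ordering the surrounding entries follow, and the `Root: &specs.Root{},` change in the first inner hunk is whitespace-only and unrelated to the fix. The key these strings belong to is outside the hunk; if it is the default masked-paths list, confirm whether privileged containers bypass it, since the files would then stay readable there.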
@@ -0,0 +1,27 @@
+From e7dd426dc3d962eae0e934dcb8fe4d805f8ea4ca Mon Sep 17 00:00:00 2001
+From: liuzekun
+Date: Wed, 16 Sep 2020 22:40:49 -0400
+Subject: [PATCH] fix docker load files leak
+
+Signed-off-by: liuzekun
+---
+ components/engine/daemon/graphdriver/devmapper/deviceset.go | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/components/engine/daemon/graphdriver/devmapper/deviceset.go b/components/engine/daemon/graphdriver/devmapper/deviceset.go
+index f5c0b04..ff90c44 100644
+--- a/components/engine/daemon/graphdriver/devmapper/deviceset.go
++++ b/components/engine/daemon/graphdriver/devmapper/deviceset.go
+@@ -2285,6 +2285,9 @@ func (devices *DeviceSet) unmountAndDeactivateAll(dir string) {
+ // and the device will be released when that container dies.
+ if err := unix.Unmount(fullname, unix.MNT_DETACH); err != nil && err != unix.EINVAL {
+ logger.Warnf("Shutdown unmounting %s, error: %s", fullname, err)
++ } else if err == nil {
++ logger.Debugf("Remove %s", fullname)
++ os.RemoveAll(fullname)
+ }
+
+ if devInfo, err := devices.lookupDevice(name); err != nil {
+--
+2.19.1
+
diff --git a/patch/0171-docker-do-not-sync-if-BYPAAS_SYNC-is-false.patch b/patch/0171-docker-do-not-sync-if-BYPAAS_SYNC-is-false.patch
new file mode 100644
index 0000000000000000000000000000000000000000..63334a2968a3539bca55b159a72418b2831c8cc7
--- /dev/null
+++ b/patch/0171-docker-do-not-sync-if-BYPAAS_SYNC-is-false.patch
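Review bot: `os.RemoveAll(fullname)` in unmountAndDeactivateAll (patch 0170, deviceset.go) runs a recursive delete on a path that was a mount point one statement earlier, and its error is discarded. If anything is still mounted at that path after the lazy detach, for instance a second mount stacked on the same directory, the recursion would descend into live data; removing only the directory itself fails safely in that case: `if rmErr := os.Remove(fullname); rmErr != nil { logger.Warnf("Shutdown removing %s, error: %s", fullname, rmErr) }`. The EINVAL branch, where the path was not a mount point, still leaves the directory in place, so it is worth confirming that this is not the leak the patch is meant to fix. The function body starts and ends outside the hunk.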
@@ -0,0 +1,28 @@
+From bbc6fce3870ff7f43c87efe13247bb185817aa67 Mon Sep 17 00:00:00 2001
+From: liuzekun
+Date: Wed, 14 Oct 2020 04:36:56 -0400
+Subject: [PATCH] do not sync if BYPAAS_SYNC is false
+
+Signed-off-by: liuzekun
+---
+ components/engine/pkg/devicemapper/devmapper.go | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/components/engine/pkg/devicemapper/devmapper.go b/components/engine/pkg/devicemapper/devmapper.go
+index 06ddc3e9..a5c30cb3 100644
+--- a/components/engine/pkg/devicemapper/devmapper.go
++++ b/components/engine/pkg/devicemapper/devmapper.go
+@@ -477,7 +477,9 @@ func BlockDeviceDiscard(path string) error {
+
+ // Without this sometimes the remove of the device that happens after
+ // discard fails with EBUSY.
+- unix.Sync()
++ if os.Getenv("DOCKER_BYPASS_SYNC_SYSCALL") != "false" {
++ unix.Sync()
++ }
+
+ return nil
+ }
+--
+2.19.1
+
diff --git a/patch/0172-docker-fix-panic-on-single-character-volumes.patch b/patch/0172-docker-fix-panic-on-single-character-volumes.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f0bdb97a48db6cb3a40b9d2c676e4fe94d8f5189
--- /dev/null
+++ b/patch/0172-docker-fix-panic-on-single-character-volumes.patch
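Review bot: The new condition in BlockDeviceDiscard (patch 0171, devmapper.go) skips `unix.Sync()` only when DOCKER_BYPASS_SYNC_SYSCALL is exactly `false`, which is the reverse of what the variable name says: setting it to `true` to bypass the sync still syncs, and `false` turns the sync off. If the semantics must stay as the commit subject describes them, the variable needs a name that matches, or at minimum a comment at the check such as `// DOCKER_BYPASS_SYNC_SYSCALL=false skips the sync; device removal after discard may then fail with EBUSY.` The comparison is also case-sensitive and the variable is read on every call without being documented anywhere in the patch. The existing comment above the check still states that the sync is what prevents EBUSY, so the trade-off of disabling it should be spelled out next to it.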
@@ -0,0 +1,27 @@
+From 0a2c746c0d560d18502f84078d233166934e9eb9 Mon Sep 17 00:00:00 2001
+From: liuzekun
+Date: Wed, 11 Nov 2020 23:47:30 -0500
+Subject: [PATCH] fix panic on single-character volumes
+
+Signed-off-by: liuzekun
+---
+ components/cli/cli/compose/loader/volume.go | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/components/cli/cli/compose/loader/volume.go b/components/cli/cli/compose/loader/volume.go
+index 9c2792e0..f043f4aa 100644
+--- a/components/cli/cli/compose/loader/volume.go
++++ b/components/cli/cli/compose/loader/volume.go
+@@ -111,6 +111,9 @@ func isFilePath(source string) bool {
+ case '.', '/', '~':
+ return true
+ }
++ if len([]rune(source)) == 1 {
++ return false
++ }
+
+ // windows named pipes
+ if strings.HasPrefix(source, `\\`) {
+--
+2.19.1
+
diff --git a/patch/0173-docker-mask-proc-pin_memory.patch b/patch/0173-docker-mask-proc-pin_memory.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4b0502dfe6b59da17458842e31b48833455e02c1
--- /dev/null
+++ b/patch/0173-docker-mask-proc-pin_memory.patch
@@ -0,0 +1,25 @@
+From 017c3377f0bd5230c0fa1699bd193baa527f0b8f Mon Sep 17 00:00:00 2001
+From: xiadanni1
+Date: Fri, 20 Nov 2020 18:34:45 +0800
+Subject: [PATCH] docker:mask /proc/pin_memory
+
+Signed-off-by: xiadanni1
+---
+ components/engine/oci/defaults.go | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/components/engine/oci/defaults.go b/components/engine/oci/defaults.go
+index ec748a6..e763cb7 100644
+--- a/components/engine/oci/defaults.go
++++ b/components/engine/oci/defaults.go
+@@ -135,6 +135,7 @@ func DefaultLinuxSpec() specs.Spec {
+ "/proc/oom_extend",
+ "/proc/pagealloc_statistics",
+ "/proc/pagealloc_bt",
++ "/proc/pin_memory",
+ "/proc/slaballoc_bt",
+ "/proc/slaballoc_module",
+ "/proc/sched_debug",
+--
+1.8.3.1
+
diff --git a/series.conf b/series.conf
index d3de6fdf726aa90ab49db3084bd162b592bd3023..3ea83f669a5a025c46cbe322d1426bf82afb6cb1 100644
--- a/series.conf
+++ b/series.conf
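Review bot: Patch 0172 fixes the panic in isFilePath without a regression test; its diffstat lists only volume.go with three insertions, so a table case for a one-character source should accompany the guard to keep the crash from returning. The guard converts the whole string to a rune slice just to count it; `if utf8.RuneCountInString(source) == 1 {` does the same without the allocation, assuming unicode/utf8 is already imported in this file, which the hunk does not show. The switch above the new lines is cut off by the hunk, so whether an empty source is rejected before the string is indexed cannot be confirmed from here and is worth checking alongside this fix.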
@@ -161,3 +161,11 @@ patch/0162-docker-delete-event-is-not-need-to-process.patch
 patch/0163-docker-stat-process-exit-file-when-kill-process-dire.patch
 patch/0164-docker-use-git-commit-to-store-commit-ID.patch
 patch/0165-docker-sync-cli-vendor.patch
+patch/0167-docker-add-more-messages-for-ops-when-device-not-fo.patch
+patch/0168-docker-do-not-add-w-to-LDFLAGS.patch
+patch/0169-docker-add-files-in-proc-for-mask.patch
+patch/0170-docker-fix-docker-load-files-leak.patch
+patch/0171-docker-do-not-sync-if-BYPAAS_SYNC-is-false.patch
+patch/0172-docker-fix-panic-on-single-character-volumes.patch
+patch/0173-docker-mask-proc-pin_memory.patch
+#end