@@ -81,7 +81,7 @@ require (

 	github.com/morikuni/aec v1.0.0

 	github.com/opencontainers/go-digest v1.0.0

 	github.com/opencontainers/image-spec v1.1.0

-	github.com/opencontainers/runc v1.2.0

+	github.com/opencontainers/runc v1.2.2

 	github.com/opencontainers/runtime-spec v1.2.0

 	github.com/opencontainers/selinux v1.11.1

 	github.com/pelletier/go-toml v1.9.5

@@ -418,8 +418,8 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8

 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=

 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=

 github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=

-github.com/opencontainers/runc v1.2.0 h1:qke7ZVCmJcKrJVY2iHJVC+0kql9uYdkusOPsQOOeBw4=

-github.com/opencontainers/runc v1.2.0/go.mod h1:/PXzF0h531HTMsYQnmxXkBD7YaGShm/2zcRB79dksUc=

+github.com/opencontainers/runc v1.2.2 h1:jTg3Vw2A5f0N9PoxFTEwUhvpANGaNPT3689Yfd/zaX0=

+github.com/opencontainers/runc v1.2.2/go.mod h1:/PXzF0h531HTMsYQnmxXkBD7YaGShm/2zcRB79dksUc=

 github.com/opencontainers/runtime-spec v1.0.3-0.20220825212826-86290f6a00fb/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=

 github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE7dzrbT927iTk=

 github.com/opencontainers/runtime-spec v1.2.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=

@@ -251,27 +251,39 @@ again:

 // RemovePath aims to remove cgroup path. It does so recursively,

 // by removing any subdirectories (sub-cgroups) first.

 func RemovePath(path string) error {

-	// Try the fast path first.

+	// Try the fast path first; don't retry on EBUSY yet.

 	if err := rmdir(path, false); err == nil {

 		return nil

 	}

+	// There are many reasons why rmdir can fail, including:

+	// 1. cgroup have existing sub-cgroups;

+	// 2. cgroup (still) have some processes (that are about to vanish);

+	// 3. lack of permission (one example is read-only /sys/fs/cgroup mount,

+	//    in which case rmdir returns EROFS even for for a non-existent path,

+	//    see issue 4518).

+	//

+	// Using os.ReadDir here kills two birds with one stone: check if

+	// the directory exists (handling scenario 3 above), and use

+	// directory contents to remove sub-cgroups (handling scenario 1).

 	infos, err := os.ReadDir(path)

-	if err != nil && !os.IsNotExist(err) {

+	if err != nil {

+		if os.IsNotExist(err) {

+			return nil

+		}

 		return err

 	}

+	// Let's remove sub-cgroups, if any.

 	for _, info := range infos {

 		if info.IsDir() {

-			// We should remove subcgroup first.

 			if err = RemovePath(filepath.Join(path, info.Name())); err != nil {

-				break

+				return err

 			}

 		}

 	}

-	if err == nil {

-		err = rmdir(path, true)

-	}

-	return err

+	// Finally, try rmdir again, this time with retries on EBUSY,

+	// which may help with scenario 2 above.

+	return rmdir(path, true)

 }

 // RemovePaths iterates over the provided paths removing them.

@@ -415,26 +427,29 @@ func ConvertCPUSharesToCgroupV2Value(cpuShares uint64) uint64 {

 // ConvertMemorySwapToCgroupV2Value converts MemorySwap value from OCI spec

 // for use by cgroup v2 drivers. A conversion is needed since Resources.MemorySwap

-// is defined as memory+swap combined, while in cgroup v2 swap is a separate value.

+// is defined as memory+swap combined, while in cgroup v2 swap is a separate value,

+// so we need to subtract memory from it where it makes sense.

 func ConvertMemorySwapToCgroupV2Value(memorySwap, memory int64) (int64, error) {

-	// for compatibility with cgroup1 controller, set swap to unlimited in

-	// case the memory is set to unlimited, and swap is not explicitly set,

-	// treating the request as "set both memory and swap to unlimited".

-	if memory == -1 && memorySwap == 0 {

+	switch {

+	case memory == -1 && memorySwap == 0:

+		// For compatibility with cgroup1 controller, set swap to unlimited in

+		// case the memory is set to unlimited and the swap is not explicitly set,

+		// treating the request as "set both memory and swap to unlimited".

 		return -1, nil

-	}

-	if memorySwap == -1 || memorySwap == 0 {

-		// -1 is "max", 0 is "unset", so treat as is

+	case memorySwap == -1, memorySwap == 0:

+		// Treat -1 ("max") and 0 ("unset") swap as is.

 		return memorySwap, nil

-	}

-	// sanity checks

-	if memory == 0 || memory == -1 {

+	case memory == -1:

+		// Unlimited memory, so treat swap as is.

+		return memorySwap, nil

+	case memory == 0:

+		// Unset or unknown memory, can't calculate swap.

 		return 0, errors.New("unable to set swap limit without memory limit")

-	}

-	if memory < 0 {

+	case memory < 0:

+		// Does not make sense to subtract a negative value.

 		return 0, fmt.Errorf("invalid memory value: %d", memory)

-	}

-	if memorySwap < memory {

+	case memorySwap < memory:

+		// Sanity check.

 		return 0, errors.New("memory+swap limit should be >= memory limit")

 	}

@@ -988,7 +988,7 @@ github.com/opencontainers/go-digest/digestset

 github.com/opencontainers/image-spec/identity

 github.com/opencontainers/image-spec/specs-go

 github.com/opencontainers/image-spec/specs-go/v1

-# github.com/opencontainers/runc v1.2.0

+# github.com/opencontainers/runc v1.2.2

 ## explicit; go 1.22

 github.com/opencontainers/runc/libcontainer/cgroups

 github.com/opencontainers/runc/libcontainer/configs