
Bind mounts do not interact properly with chroot within a RUN #6871

Description

@PigeonF

Contributing guidelines and issue reporting guide

Well-formed report checklist

  • I have found a bug that the documentation does not mention anything about my problem
  • I have found a bug that there are no open or closed issues that are related to my problem
  • I have provided version/information about my environment and done my best to provide a reproducer

Description of bug

Bug description

When running chroot from within a RUN which has bind mounts into the chroot-ed directory, the bind-mounted directories are not restored to their previous state after the RUN. I'm unsure if the mounts never go through at all, or if just the "resetting" after the RUN does not work.

When building the same Dockerfile below without BuildKit (just docker build instead of docker buildx build), the build succeeds.

Reproduction

# ./Dockerfile
FROM docker.io/library/debian:trixie

RUN --mount=type=tmpfs,target=/var/log/ \
    apt-get update && apt-get install -y fakeroot debootstrap
RUN test ! -r /var/log/apt/history.log

RUN --mount=type=tmpfs,target=/sysroot/var/log/ \
    fakeroot debootstrap --variant=minbase bookworm /sysroot/
RUN test ! -r /sysroot/var/log/apt/history.log

RUN --mount=type=tmpfs,target=/sysroot/var/log/ \
    chroot /sysroot/ sh -c 'apt-get update && apt-get install -y libc6-dev'
RUN test ! -r /sysroot/var/log/apt/history.log

$ docker buildx build . --progress=plain
...
#10 [stage-0 7/7] RUN test ! -r /sysroot/var/log/apt/history.log
#10 ERROR: process "/bin/sh -c test ! -r /sysroot/var/log/apt/history.log" did not complete successfully: exit code: 1

$ docker build . --progress=plain
...
#11 DONE 0.2s

Version information

docker buildx version
$ docker buildx version && docker buildx inspect
github.com/docker/buildx v0.31.1
Name:          buildkit-latest
Driver:        docker-container
Last Activity: 2026-06-14 09:39:34 +0000 UTC

Nodes:
Name:                  buildkit-latest0
Endpoint:              unix:///var/run/docker.sock
Status:                running
BuildKit daemon flags: --allow-insecure-entitlement=network.host
BuildKit version:      v0.30.0
Platforms:             linux/amd64, linux/amd64/v2, linux/amd64/v3, linux/arm64, linux/riscv64, linux/ppc64le, linux/s390x, linux/386, linux/arm/v7, linux/arm/v6
Labels:
 org.mobyproject.buildkit.worker.executor:         oci
 org.mobyproject.buildkit.worker.hostname:         96e2b3ec0668
 org.mobyproject.buildkit.worker.network:          host
 org.mobyproject.buildkit.worker.oci.process-mode: sandbox
 org.mobyproject.buildkit.worker.selinux.enabled:  false
 org.mobyproject.buildkit.worker.snapshotter:      overlayfs
GC Policy rule#0:
 All:            false
 Filters:        type==source.local,type==exec.cachemount,type==source.git.checkout
 Keep Duration:  48h0m0s
 Max Used Space: 488.3MiB
GC Policy rule#1:
 All:            false
 Keep Duration:  1440h0m0s
 Reserved Space: 9.313GiB
 Max Used Space: 93.13GiB
 Min Free Space: 155.5GiB
GC Policy rule#2:
 All:            false
 Reserved Space: 9.313GiB
 Max Used Space: 93.13GiB
 Min Free Space: 155.5GiB
GC Policy rule#3:
 All:            true
 Reserved Space: 9.313GiB
 Max Used Space: 93.13GiB
 Min Free Space: 155.5GiB

docker version
$ docker version && docker info

Client:
 Version:           29.5.3
 API version:       1.54
 Go version:        go1.26.3
 Git commit:        v29.5.3
 Built:             Thu Jan  1 00:00:00 1970
 OS/Arch:           linux/amd64
 Context:           default

Server:
 Engine:
  Version:          29.5.3
  API version:      1.54 (minimum version 1.40)
  Go version:       go1.26.3
  Git commit:       v29.5.3
  Built:            Tue Jan  1 00:00:00 1980
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v2.3.0
  GitCommit:        refs/tags/v2.3.0
 runc:
  Version:          1.3.5
  GitCommit:
 docker-init:
  Version:          0.19.0
  GitCommit:
Client:
 Version:    29.5.3
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.31.1
    Path:     /nix/store/8fkc3bx2x6wzvdwmhbkcwwgs96h3fvxd-docker-buildx-0.31.1/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  5.1.4
    Path:     /nix/store/10lkwjrsagc44zs0vn3gzpy12vjgi91b-docker-compose-5.1.4/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 3
  Running: 3
  Paused: 0
  Stopped: 0
 Images: 7
 Server Version: 29.5.3
 Storage Driver: overlayfs
  driver-type: io.containerd.snapshotter.v1
 Logging Driver: journald
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 CDI spec directories:
  /etc/cdi
  /var/run/cdi
 Swarm: inactive
 Runtimes: runc io.containerd.runc.v2
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: refs/tags/v2.3.0
 runc version:
 init version:
 Security Options:
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.18.33
 Operating System: NixOS 26.05 (Yarara)
 OSType: linux
 Architecture: x86_64
 CPUs: 16
 Total Memory: 31.11GiB
 Name: hl-dev-x-01
 ID: 6e01ff43-a290-48cc-bd19-094bc7463e5a
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  ::1/128
  127.0.0.0/8
 Live Restore Enabled: false
 Firewall Backend: iptables
  EnableUserlandProxy: true
  UserlandProxyPath: /nix/store/xf6x4j7mx40vzzg4ri4xn4m7xvyspyd8-moby-29.5.3/libexec/docker/docker-proxy
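
The reproducer above asserts on one known file per mount. As an added example (not part of the original report and not BuildKit's own code), the script below generalizes that check: it reads every `type=tmpfs` mount target from a Dockerfile and lists any regular file that persisted under those targets in an exported image filesystem. The function names and the export-to-directory workflow are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the issue): verify that nothing written under a
# RUN --mount=type=tmpfs target ended up in the exported image filesystem.
# Assumed workflow: export the build result to a directory first, e.g.
#   docker buildx build --output type=local,dest=./rootfs .
# then run: sh check_tmpfs_leak.sh ./Dockerfile ./rootfs

# Print the target path of every type=tmpfs mount in a Dockerfile,
# one per line, sorted and deduplicated. target/dst/destination are
# the aliases the Dockerfile syntax accepts for the mount path.
tmpfs_targets() {
    grep -o -- '--mount=[^[:space:]]*' "$1" | grep 'type=tmpfs' |
        sed 's/^--mount=//' | tr ',' '\n' |
        sed -n -e 's/^target=//p' -e 's/^dst=//p' -e 's/^destination=//p' |
        sort -u
}

# Print every regular file that exists under a tmpfs target inside the
# unpacked rootfs. Args: <Dockerfile> <rootfs directory>.
leaked_files() {
    rootfs=${2%/}
    tmpfs_targets "$1" | while IFS= read -r target; do
        target=${target%/}
        dir="$rootfs/${target#/}"
        if [ -d "$dir" ]; then
            find "$dir" -type f
        fi
    done
}

# Return 0 when all tmpfs targets are free of files, 1 otherwise
# (the leaked paths are reported on stderr).
check_rootfs() {
    leaks=$(leaked_files "$1" "$2")
    if [ -n "$leaks" ]; then
        printf 'files persisted under tmpfs targets:\n%s\n' "$leaks" >&2
        return 1
    fi
    return 0
}

if [ "$#" -eq 2 ]; then
    check_rootfs "$1" "$2"
fi
```

A non-zero exit means content that was expected to live only in a tmpfs for the duration of a RUN step is present in the image, which matters when those paths hold logs, caches or credentials.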
