diff --git a/.golangci.yml b/.golangci.yml
index b6964c071..8f8fe1745 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -9,6 +9,7 @@ linters:
     - durationcheck
     - errname
     - errorlint
+    - fatcontext
     - forbidigo
     - gocritic
     - gosec
diff --git a/cache/blobs_linux.go b/cache/blobs_linux.go
index 1b70d1089..07f0300e8 100644
--- a/cache/blobs_linux.go
+++ b/cache/blobs_linux.go
@@ -45,7 +45,7 @@ func (sr *immutableRef) tryComputeOverlayBlob(ctx context.Context, lower, upper
 
 	defer func() {
 		if cw != nil {
-			ctx = context.WithoutCancel(ctx)
+			ctx := context.WithoutCancel(ctx)
 			// after commit success cw will be set to nil, if cw isn't nil, error
 			// happened before commit, we should abort this ingest, and because the
 			// error may incured by ctx cancel, use a new context here. And since
diff --git a/cmd/buildctl/common/trace.go b/cmd/buildctl/common/trace.go
index c62576dc8..47e6ad5e9 100644
--- a/cmd/buildctl/common/trace.go
+++ b/cmd/buildctl/common/trace.go
@@ -41,6 +41,7 @@ func AttachAppContext(app *cli.App) error {
 					}
 				}
 
+				ctx := ctx
 				ctx, span = tracer.Start(ctx, name, trace.WithAttributes(
 					attribute.StringSlice("command", os.Args),
 				))
diff --git a/exporter/attestation/make.go b/exporter/attestation/make.go
index d982f798b..13c2df520 100644
--- a/exporter/attestation/make.go
+++ b/exporter/attestation/make.go
@@ -20,7 +20,7 @@ import (
 func ReadAll(ctx context.Context, s session.Group, att exporter.Attestation) ([]byte, error) {
 	var content []byte
 	if att.ContentFunc != nil {
-		data, err := att.ContentFunc()
+		data, err := att.ContentFunc(ctx)
 		if err != nil {
 			return nil, err
 		}
diff --git a/exporter/attestation/unbundle.go b/exporter/attestation/unbundle.go
index 49ec61bca..d68a2a5b2 100644
--- a/exporter/attestation/unbundle.go
+++ b/exporter/attestation/unbundle.go
@@ -166,7 +166,7 @@ func unbundle(root string, bundle exporter.Attestation) ([]exporter.Attestation,
 			Kind:        gatewaypb.AttestationKind_InToto,
 			Metadata:    bundle.Metadata,
 			Path:        path.Join(bundle.Path, entry.Name()),
-			ContentFunc: func() ([]byte, error) { return predicate, nil },
+			ContentFunc: func(context.Context) ([]byte, error) { return predicate, nil },
 			InToto: result.InTotoAttestation{
 				PredicateType: stmt.PredicateType,
 				Subjects:      subjects,
diff --git a/exporter/containerimage/attestations.go b/exporter/containerimage/attestations.go
index bea8c0c0b..8d6928473 100644
--- a/exporter/containerimage/attestations.go
+++ b/exporter/containerimage/attestations.go
@@ -118,7 +118,7 @@ func supplementSBOM(ctx context.Context, s session.Group, target cache.Immutable
 	return exporter.Attestation{
 		Kind:        att.Kind,
 		Path:        att.Path,
-		ContentFunc: func() ([]byte, error) { return content, nil },
+		ContentFunc: func(context.Context) ([]byte, error) { return content, nil },
 		InToto:      att.InToto,
 	}, nil
 }
diff --git a/session/sshforward/ssh.go b/session/sshforward/ssh.go
index 8a041b311..7cd257bc3 100644
--- a/session/sshforward/ssh.go
+++ b/session/sshforward/ssh.go
@@ -40,7 +40,7 @@ func (s *server) run(ctx context.Context, l net.Listener, id string) error {
 
 			opts := make(map[string][]string)
 			opts[KeySSHID] = []string{id}
-			ctx = metadata.NewOutgoingContext(ctx, opts)
+			ctx := metadata.NewOutgoingContext(ctx, opts)
 
 			stream, err := client.ForwardAgent(ctx)
 			if err != nil {
diff --git a/solver/llbsolver/proc/provenance.go b/solver/llbsolver/proc/provenance.go
index 0bd4f4255..618906866 100644
--- a/solver/llbsolver/proc/provenance.go
+++ b/solver/llbsolver/proc/provenance.go
@@ -66,8 +66,8 @@ func ProvenanceProcessor(attrs map[string]string) llbsolver.Processor {
 					PredicateType: slsa02.PredicateSLSAProvenance,
 				},
 				Path: filename,
-				ContentFunc: func() ([]byte, error) {
-					pr, err := pc.Predicate()
+				ContentFunc: func(ctx context.Context) ([]byte, error) {
+					pr, err := pc.Predicate(ctx)
 					if err != nil {
 						return nil, err
 					}
diff --git a/solver/llbsolver/provenance.go b/solver/llbsolver/provenance.go
index fe6c1f93b..e3423a764 100644
--- a/solver/llbsolver/provenance.go
+++ b/solver/llbsolver/provenance.go
@@ -333,7 +333,7 @@ type ProvenanceCreator struct {
 	pr        *provenancetypes.ProvenancePredicate
 	j         *solver.Job
 	sampler   *resources.SysSampler
-	addLayers func() error
+	addLayers func(context.Context) error
 }
 
 func NewProvenanceCreator(ctx context.Context, cp *provenance.Capture, res solver.ResultProxy, attrs map[string]string, j *solver.Job, usage *resources.SysSampler) (*ProvenanceCreator, error) {
@@ -377,7 +377,7 @@ func NewProvenanceCreator(ctx context.Context, cp *provenance.Capture, res solve
 
 	pr.Builder.ID = attrs["builder-id"]
 
-	var addLayers func() error
+	var addLayers func(context.Context) error
 
 	switch mode {
 	case "min":
@@ -408,7 +408,7 @@ func NewProvenanceCreator(ctx context.Context, cp *provenance.Capture, res solve
 			return nil, errors.Errorf("invalid worker ref %T", r.Sys())
 		}
 
-		addLayers = func() error {
+		addLayers = func(ctx context.Context) error {
 			e := newCacheExporter()
 
 			if wref.ImmutableRef != nil {
@@ -460,12 +460,12 @@ func NewProvenanceCreator(ctx context.Context, cp *provenance.Capture, res solve
 	return pc, nil
 }
 
-func (p *ProvenanceCreator) Predicate() (*provenancetypes.ProvenancePredicate, error) {
+func (p *ProvenanceCreator) Predicate(ctx context.Context) (*provenancetypes.ProvenancePredicate, error) {
 	end := p.j.RegisterCompleteTime()
 	p.pr.Metadata.BuildFinishedOn = &end
 
 	if p.addLayers != nil {
-		if err := p.addLayers(); err != nil {
+		if err := p.addLayers(ctx); err != nil {
 			return nil, err
 		}
 	}
diff --git a/solver/llbsolver/solver.go b/solver/llbsolver/solver.go
index 82eec97b0..36fc7fd08 100644
--- a/solver/llbsolver/solver.go
+++ b/solver/llbsolver/solver.go
@@ -237,7 +237,7 @@ func (s *Solver) recordBuildHistory(ctx context.Context, id string, req frontend
 			if err != nil {
 				return nil, nil, err
 			}
-			pr, err := prc.Predicate()
+			pr, err := prc.Predicate(ctx)
 			if err != nil {
 				return nil, nil, err
 			}
@@ -756,7 +756,7 @@ func runCacheExporters(ctx context.Context, exporters []RemoteCacheExporter, j *
 			err = inBuilderContext(ctx, j, exp.Name(), id, func(ctx context.Context, _ session.Group) error {
 				prepareDone := progress.OneOff(ctx, "preparing build cache for export")
 				if err := result.EachRef(cached, inp, func(res solver.CachedResult, ref cache.ImmutableRef) error {
-					ctx = withDescHandlerCacheOpts(ctx, ref)
+					ctx := withDescHandlerCacheOpts(ctx, ref)
 
 					// Configure compression
 					compressionConfig := exp.Config().Compression
diff --git a/solver/result/attestation.go b/solver/result/attestation.go
index 2fee27824..de56e3c40 100644
--- a/solver/result/attestation.go
+++ b/solver/result/attestation.go
@@ -1,6 +1,8 @@
 package result
 
 import (
+	"context"
+
 	pb "github.com/moby/buildkit/frontend/gateway/pb"
 	digest "github.com/opencontainers/go-digest"
 )
@@ -23,7 +25,7 @@ type Attestation[T any] struct {
 
 	Ref         T
 	Path        string
-	ContentFunc func() ([]byte, error)
+	ContentFunc func(context.Context) ([]byte, error)
 
 	InToto InTotoAttestation
 }
diff --git a/sourcepolicy/engine.go b/sourcepolicy/engine.go
index 624c8fd1d..4a6100b83 100644
--- a/sourcepolicy/engine.go
+++ b/sourcepolicy/engine.go
@@ -74,6 +74,7 @@ func (e *Engine) Evaluate(ctx context.Context, op *pb.SourceOp) (bool, error) {
 			return mutated, errors.Wrapf(ErrTooManyOps, "too many mutations on a single source")
 		}
 
+		ctx := ctx
 		if i == 0 {
 			ctx = bklog.WithLogger(ctx, bklog.G(ctx).WithField("orig", op))
 		} else {
diff --git a/util/appcontext/appcontext.go b/util/appcontext/appcontext.go
index d5a785ef6..28626fd7a 100644
--- a/util/appcontext/appcontext.go
+++ b/util/appcontext/appcontext.go
@@ -25,11 +25,11 @@ func Context() context.Context {
 
 		ctx := context.Background()
 		for _, f := range inits {
-			ctx = f(ctx)
+			ctx = f(ctx) //nolint:fatcontext
 		}
 
 		ctx, cancel := context.WithCancelCause(ctx)
-		appContextCache = ctx
+		appContextCache = ctx //nolint:fatcontext
 
 		go func() {
 			for {
diff --git a/util/network/cniprovider/cni_linux.go b/util/network/cniprovider/cni_linux.go
index 4b393eab6..526fc71bc 100644
--- a/util/network/cniprovider/cni_linux.go
+++ b/util/network/cniprovider/cni_linux.go
@@ -86,7 +86,7 @@ func withDetachedNetNSIfAny(ctx context.Context, fn func(context.Context) error)
 		detachedNetNS := filepath.Join(stateDir, "netns")
 		if _, err := os.Lstat(detachedNetNS); !errors.Is(err, os.ErrNotExist) {
 			return ns.WithNetNSPath(detachedNetNS, func(_ ns.NetNS) error {
-				ctx = context.WithValue(ctx, contextKeyDetachedNetNS, detachedNetNS)
+				ctx := context.WithValue(ctx, contextKeyDetachedNetNS, detachedNetNS)
 				bklog.G(ctx).Debugf("Entering RootlessKit's detached netns %q", detachedNetNS)
 				err2 := fn(ctx)
 				bklog.G(ctx).WithError(err2).Debugf("Leaving RootlessKit's detached netns %q", detachedNetNS)