Ubuntu
systemd package

Merge ~enr0n/ubuntu/+source/systemd:ubuntu-lunar-next into ~ubuntu-core-dev/ubuntu/+source/systemd:ubuntu-lunar

Proposed by Nick Rosbrook on 2023-02-10

Status:

Merged

Approved by:

Lukas Märdian on 2023-02-15

Approved revision:

e6a635d5dc87ed271d30e6bec1edd03d29525b0c

Merged at revision:

e6a635d5dc87ed271d30e6bec1edd03d29525b0c

Proposed branch:

~enr0n/ubuntu/+source/systemd:ubuntu-lunar-next

Merge into:

~ubuntu-core-dev/ubuntu/+source/systemd:ubuntu-lunar

Diff against target:

5254 lines (+1754/-807)

121 files modified

.packit.yml (+5/-0)
debian/changelog (+105/-0)
debian/control (+4/-15)
debian/patches/Deny-list-TEST-74-AUX-UTILS-on-s390x.patch (+16/-0)
debian/patches/debian/Downgrade-a-couple-of-warnings-to-debug.patch (+3/-3)
debian/patches/debian/Make-run-lock-tmpfs-an-API-fs.patch (+2/-0)
debian/patches/debian/Revert-core-one-step-back-again-for-nspawn-we-actual.patch (+1/-1)
debian/patches/lp2002445-sd-netlink-add-a-test-for-rtnl_set_link_name.patch (+72/-0)
debian/patches/lp2002445-sd-netlink-do-not-swap-old-name-and-alternative-name.patch (+62/-0)
debian/patches/lp2002445-sd-netlink-restore-altname-on-error-in-rtnl_set_link_name.patch (+64/-0)
debian/patches/lp2002445-test-network-add-a-test-for-renaming-device-to-current-al.patch (+48/-0)
debian/patches/lp2002445-udev-attempt-device-rename-even-if-interface-is-up.patch (+63/-0)
debian/patches/lp2002445-udev-net-allow-new-link-name-as-an-altname-before-renamin.patch (+34/-0)
debian/patches/p11kit-switch-to-dlopen.patch (+3/-3)
debian/patches/series (+7/-3)
debian/rules (+1/-0)
debian/tests/boot-and-services (+2/-2)
debian/tests/control (+13/-8)
dev/null (+0/-323)
man/org.freedesktop.systemd1.xml (+6/-0)
man/systemd.mount.xml (+3/-1)
man/systemd.scope.xml (+2/-0)
man/systemd.service.xml (+9/-11)
src/basic/alloc-util.c (+4/-0)
src/basic/alloc-util.h (+29/-10)
src/basic/cgroup-util.c (+1/-1)
src/basic/hashmap.c (+1/-1)
src/basic/linux/README (+1/-0)
src/basic/linux/btrfs.h (+50/-12)
src/basic/linux/btrfs_tree.h (+240/-1)
src/basic/linux/genetlink.h (+3/-2)
src/basic/linux/if_bridge.h (+21/-0)
src/basic/linux/if_ether.h (+2/-0)
src/basic/linux/if_link.h (+16/-0)
src/basic/linux/if_macsec.h (+2/-0)
src/basic/linux/if_tun.h (+5/-1)
src/basic/linux/in.h (+9/-14)
src/basic/linux/l2tp.h (+0/-2)
src/basic/linux/netfilter/nf_tables.h (+29/-0)
src/basic/linux/netlink.h (+24/-7)
src/basic/linux/nl80211.h (+128/-7)
src/basic/linux/pkt_sched.h (+11/-0)
src/basic/linux/rtnetlink.h (+1/-1)
src/basic/linux/stddef.h (+46/-0)
src/basic/linux/update.sh (+1/-1)
src/basic/virt.c (+1/-1)
src/boot/efi/boot.c (+5/-2)
src/boot/efi/console.c (+0/-16)
src/boot/efi/cpio.c (+1/-1)
src/boot/efi/meson.build (+11/-2)
src/boot/efi/missing_efi.h (+0/-19)
src/boot/efi/secure-boot.c (+1/-1)
src/boot/efi/util.c (+5/-3)
src/busctl/busctl.c (+19/-2)
src/core/cgroup.c (+1/-1)
src/core/cgroup.h (+1/-0)
src/core/dbus-scope.c (+6/-0)
src/core/execute.c (+17/-0)
src/core/execute.h (+1/-0)
src/core/import-creds.c (+7/-0)
src/core/load-fragment-gperf.gperf.in (+1/-0)
src/core/mount.c (+18/-3)
src/core/scope.c (+20/-3)
src/core/scope.h (+2/-0)
src/core/slice.c (+3/-0)
src/core/swap.c (+1/-1)
src/core/unit.c (+1/-0)
src/cryptsetup/cryptsetup-fido2.c (+72/-57)
src/cryptsetup/cryptsetup-fido2.h (+24/-16)
src/cryptsetup/cryptsetup.c (+27/-42)
src/fundamental/macro-fundamental.h (+1/-0)
src/gpt-auto-generator/gpt-auto-generator.c (+5/-5)
src/import/curl-util.c (+4/-0)
src/import/pull-job.c (+5/-5)
src/journal-remote/microhttpd-util.h (+2/-2)
src/kernel-install/50-depmod.install (+2/-0)
src/libsystemd-network/sd-dhcp-client.c (+18/-20)
src/libsystemd-network/sd-dhcp-lease.c (+4/-4)
src/libsystemd-network/test-ndisc-ra.c (+6/-14)
src/libsystemd-network/test-ndisc-rs.c (+8/-13)
src/libsystemd/sd-device/test-sd-device.c (+8/-7)
src/libsystemd/sd-event/sd-event.c (+6/-1)
src/locale/localed.c (+8/-12)
src/login/logind-dbus.c (+6/-0)
src/network/netdev/l2tp-tunnel.c (+5/-5)
src/network/networkd-address.c (+5/-1)
src/network/networkd-ndisc.c (+11/-10)
src/network/networkd-route.c (+5/-1)
src/nspawn/nspawn-patch-uid.c (+3/-1)
src/partition/growfs.c (+6/-1)
src/resolve/resolvectl.c (+3/-3)
src/resolve/resolved-dns-scope.c (+2/-1)
src/resolve/resolved-dns-search-domain.c (+1/-1)
src/resolve/resolved-dns-server.h (+2/-2)
src/resolve/resolved-varlink.c (+2/-2)
src/shared/bootspec.c (+5/-3)
src/shared/bus-unit-util.c (+3/-0)
src/shared/creds-util.c (+16/-20)
src/shared/generator.c (+10/-1)
src/shared/install.c (+8/-3)
src/shared/install.h (+2/-2)
src/shared/mount-setup.c (+2/-0)
src/shared/sleep-config.c (+15/-17)
src/sleep/sleep.c (+6/-2)
src/test/test-execute.c (+3/-0)
src/test/test-unit-name.c (+3/-1)
src/tmpfiles/tmpfiles.c (+5/-2)
test/TEST-55-OOMD/test.sh (+6/-0)
test/fuzz/fuzz-unit-file/directives.scope (+1/-0)
test/test-functions (+16/-0)
test/test-network/conf/23-bond199.network (+0/-3)
test/test-network/systemd-networkd-tests.py (+19/-3)
test/test-shutdown.py (+1/-1)
test/units/testsuite-26.sh (+1/-1)
test/units/testsuite-55.sh (+3/-0)
test/units/testsuite-64.sh (+6/-5)
test/units/testsuite-65.sh (+10/-0)
test/units/testsuite-73.sh (+14/-3)
test/units/testsuite-74.firstboot.sh (+54/-15)
test/units/testsuite-75.sh (+22/-13)
units/systemd-userdbd.service.in (+1/-1)

Undecided

Fix Released

Link a bug report

Reviewer	Review Type	Date Requested	Status
Lukas Märdian		2023-02-10	Approve on 2023-02-15
Review via email: mp+437150@code.launchpad.net

Description of the change

Merge 252.5-2 from Debian unstable, and cherry-pick udev NIC renaming patches for bug 2002445.

PPA build: https://launchpad.net/~enr0n/+archive/ubuntu/systemd/+packages?field.name_filter=systemd&field.status_filter=published&field.series_filter=

autopkgtest:

systemd 252.5-2ubuntu1~ppa2 (ppc64el) -- Pass: https://autopkgtest.staging.ubuntu.com/results/autopkgtest-lunar-enr0n-systemd/lunar/ppc64el/s/systemd/20230209_190022_7d72f@/log.gz
systemd 252.5-2ubuntu1~ppa2 (s390x) -- Fail: https://autopkgtest.staging.ubuntu.com/results/autopkgtest-lunar-enr0n-systemd/lunar/s390x/s/systemd/20230209_201045_7d72f@/log.gz
systemd 252.5-2ubuntu1~ppa2 (amd64) -- Pass: https://autopkgtest.staging.ubuntu.com/results/autopkgtest-lunar-enr0n-systemd/lunar/amd64/s/systemd/20230209_203135_7d72f@/log.gz
systemd 252.5-2ubuntu1~ppa2 (arm64) -- Pass: https://autopkgtest.staging.ubuntu.com/results/autopkgtest-lunar-enr0n-systemd/lunar/arm64/s/systemd/20230210_060852_7d72f@/log.gz

It looks like armhf wasn't triggered on staging, but the previous PPA build passed for armhf:

systemd 252.5-2ubuntu1~ppa1 (armhf) -- Pass: https://autopkgtest.ubuntu.com/results/autopkgtest-lunar-enr0n-systemd/lunar/armhf/s/systemd/20230206_220736_e68eb@/log.gz

I think the s390x failure is flaky. I could not reproduce it in Canonistack, it passed just fine. Also, a previous run on arm64 failed with the same thing, but then passed the next run.

Revision history for this message

Nick Rosbrook (enr0n) wrote on 2023-02-10 (last edit on 2023-02-10):

We tried the s390x test again in staging, and it still failed: https://autopkgtest.staging.ubuntu.com/results/autopkgtest-lunar-enr0n-systemd/lunar/s390x/s/systemd/20230210_182915_66bf1@/log.gz.

I will try again on Canonistack, but if I can't reproduce it maybe we should skip this test on s390x for now.

Revision history for this message

Lukas Märdian (slyon) wrote on 2023-02-13:

Thank you for preparing another upload, Nick!

I verified it matches upstream v252.5 and the cherry-picked patches match upstream, too. Kudos for dropping the (unused) systemd-fsckd autopkgtest in Debian!

* d/rules: The "-Dstatus-unit-format-default=combined" flag seems to be a change in behavior (for people parsing the log files...). It seems to be a sensible change, but maybe we should document it somewhere, especially how people could roll it back at runtime, by using a "[Manager] StatusUnitFormat=description" configuration (https://fedoraproject.org/wiki/Changes/Unit_Names_in_Systemd_Messages)

* I'm a bit concerned about the TEST-74-AUX-UTILS. It seems to be a real regression, as that one passed in previous build on s390x. It was touched in "252.4-2" and we should check what/why was done there. The test does not run on Debian at all, so they might have missed this regression:

upstream SKIP Test restriction "isolation-machine" requires testbed capability "isolation-machine"

Let's see what you find from your Canonistack investigation. It passes on non-s390x... But I think the very least we should do is open a bug report with Debian and/or upstream about this failure, before skipping it on s390x.

Other than those remarks this LGTM.

Revision history for this message

Nick Rosbrook (enr0n) wrote on 2023-02-14:

Lukas and I discussed offline, and decided to skip TEST-74-AUX-UTILS on s390x for now. The test passes just fine on Canonistack s390x, so we think it may be a temporary infrastructure issue.

As for the other comment, I will make sure to mention this change in the Lunar Lobster release notes.

Revision history for this message

Lukas Märdian (slyon) wrote on 2023-02-15:

Thank you! +1

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

The diff has been truncated for viewing.

Subscribers

People subscribed via source and target branches

to all changes:

Dimitri John Ledkov

Nick Rosbrook

Ubuntu Core Development Team

 diff --git a/.packit.yml b/.packit.yml
 index 1b49ddf..a226252 100644
 --- a/.packit.yml
 +++ b/.packit.yml
@@ -29,6 +29,11 @@ actions:
      # cases (see [0]), we can't use -Dc_args=/-Dcpp_args= here because of the
      # RPM hardening macros, that use $CFLAGS/$CPPFLAGS (see [1]).
+     #
++    # Remove ukify/new standalone handling, added in 253
++    - "sed -i '/ukify/d' .packit_rpm/split-files.py"
++    - "sed -i '/%files ukify/d' .packit_rpm/systemd.spec"
++    - "sed -i '/%files standalone-repart/d' .packit_rpm/systemd.spec"
++    - "sed -i '/%files standalone-shutdown/d' .packit_rpm/systemd.spec"
      # [0] https://github.com/mesonbuild/meson/issues/7360
      # [1] https://github.com/systemd/systemd/pull/18908#issuecomment-792250110
      - 'sed -i "/^CONFIGURE_OPTS=(/a--werror" .packit_rpm/systemd.spec'
 diff --git a/debian/changelog b/debian/changelog
 index 8852311..2821604 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,108 @@
++systemd (252.5-2ubuntu1) lunar; urgency=medium
++
++  * Merge 252.5-2 from Debian unstable
++    - Drop test-handle-Debian-s-etc-default-locale-in-testsuite-74.f.patch.
++      Applied upstream: https://github.com/systemd/systemd/commit/9b42646b22
++      File: debian/patches/test-handle-Debian-s-etc-default-locale-in-testsuite-74.f.patch
++      https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=1b0789416172ec60d8086fe2b458b5396bb7e857
++    - Drop test-make-sure-mount-point-exists-in-testsuite-64.sh.patch.
++      Applied upstream: https://github.com/systemd/systemd/commit/07e4787106
++      File: debian/patches/test-make-sure-mount-point-exists-in-testsuite-64.sh.patch
++      https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=f97b2d5ae1a1f35668c4648f1c7fc715a588de50
++    - Drop test-remove-no-longer-needed-quirk-for-set-locale-on-Debi.patch.
++      Fixed upstream: https://github.com/systemd/systemd-stable/commit/1c325f6d7f
++      File: debian/patches/test-remove-no-longer-needed-quirk-for-set-locale-on-Debi.patch
++      https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=5f85226d61393c08d7ea51c2f28db7fd4c79bcc6
++  * udev: avoid NIC renaming race with kernel (LP: #2002445)
++    Files:
++    - debian/patches/lp2002445-sd-netlink-add-a-test-for-rtnl_set_link_name.patch
++    - debian/patches/lp2002445-sd-netlink-do-not-swap-old-name-and-alternative-name.patch
++    - debian/patches/lp2002445-sd-netlink-restore-altname-on-error-in-rtnl_set_link_name.patch
++    - debian/patches/lp2002445-test-network-add-a-test-for-renaming-device-to-current-al.patch
++    - debian/patches/lp2002445-udev-attempt-device-rename-even-if-interface-is-up.patch
++    - debian/patches/lp2002445-udev-net-allow-new-link-name-as-an-altname-before-renamin.patch
++    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=58d29c2b376f03c44ed5a719877c95b332018cdc
++  * Deny-list TEST-74-AUX-UTILS on s390x.
++    Since this currently is only known to fail on the autopkgtest
++    infrastructure, we believe this is a temporary issue.
++    File: debian/patches/Deny-list-TEST-74-AUX-UTILS-on-s390x.patch
++    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=a3a059d86e2fe3a104419ae2afcab557171f9809
++
++ -- Nick Rosbrook <nick.rosbrook@canonical.com>  Tue, 14 Feb 2023 11:52:31 -0500
++
++systemd (252.5-2) unstable; urgency=medium
++
++  * Fix boot-and-services autopkgtest.
++
++ -- Luca Boccassi <bluca@debian.org>  Mon, 30 Jan 2023 01:03:48 +0000
++
++systemd (252.5-1) unstable; urgency=medium
++
++  [ Nick Rosbrook ]
++  * debian/tests: remove systemd-fsckd autopkgtest. This test never runs
++    in Debian autopkgtest because of missing machine isolation
++    requirements, and it nevers runs in Ubuntu because:  SKIP: root file
++    system is being checked by initramfs already Since the test is not
++    providing any good feedback, and generally has not been maintained,
++    let's just remove it.
++
++  [ Luca Boccassi ]
++  * New upstream version 252.5
++  * Drop patches merged in v252.5
++  * Refresh patches
++  * Set default status format to 'combined': show both unit name and
++    description in logs/boot messages
++
++ -- Luca Boccassi <bluca@debian.org>  Sun, 29 Jan 2023 19:39:28 +0000
++
++systemd (252.4-2) unstable; urgency=medium
++
++  [ Michael Biebl ]
++  * Refresh patches
++  * Tweak description of systemd and systemd-sysv package.
++    Remove redundancy and de-emphasize sysvinit.
++  * autopkgtest: add psmsic to upstream suite.
++    Needed for the killall binary.
++    See https://github.com/systemd/systemd/pull/24569
++  * autopkgtest: add xkb-data, locales and locales-all to upstream suite.
++    Use locales-all so all necessary locales can be installed into the test
++    image without having to generate them on-the-fly.
++    See https://github.com/systemd/systemd/pull/23709
++  * autopkgtest: prefer knot-dnssecutils over knot-dnsutils for upstream
++    suite.
++    The kzonecheck utility required by TEST-75-RESOLVED was split out from
++    knot-dnsutils into knot-dnssecutils so update the test dependencies
++    accordingly. Keep knot-dnsutils as alternative dependency to make
++    backports easier.
++  * Cherry-pick upstream fixes for TEST-74-AUX-UTILS
++  * Cherry-pick upstream fix for TEST-73-LOCALE
++  * Skip firstboot --prompt-keymap check in TEST-74-AUX-UTILS.
++    This test requires compatible keymaps from kbd which are not available
++    in Debian.
++
++  [ Luca Boccassi ]
++  * autopkgtest: add netlabel-tools to networkd-test.py suite.
++    The netlabelctl tool is needed to test the NetLabel integration.
++    See https://github.com/systemd/systemd/pull/23888
++  * autopkgtest: add bsdutils to upstream suite.
++    The logger utility is now used in TEST-04-JOURNAL.
++    See https://github.com/systemd/systemd/pull/23086
++  * autopkgtest: add knot, knot-dnsutils, bind9-dnsutils, bind9-host to
++    upstream suite.
++    Needed by TEST-75-RESOLVED.
++    See https://github.com/systemd/systemd/pull/23104
++  * autopkgtest: add jq to upstream suite.
++    Needed by TEST-58-REPART.
++    See https://github.com/systemd/systemd/pull/24572
++  * autopkgtest: add mtools to upstream suite.
++    Needed by TEST-58-REPART.
++    See https://github.com/systemd/systemd/pull/24944
++  * autopkgtest: add erofs-utils to upstream suite.
++    Needed by TEST-58-REPART.
++    See https://github.com/systemd/systemd/pull/25686
++
++ -- Michael Biebl <biebl@debian.org>  Wed, 25 Jan 2023 09:17:24 +0100
++
  systemd (252.4-1ubuntu1) lunar; urgency=medium
    * Drop oomd-fix-unreachable-test-case-in-test-oomd-util.patch.
 diff --git a/debian/control b/debian/control
 index 812a8c5..c84c218 100644
 --- a/debian/control
 +++ b/debian/control
@@ -118,9 +118,6 @@ Description: system and service manager
   Linux control groups, maintains mount and automount points and implements an
   elaborate transactional dependency-based service control logic.
+  .
-- systemd is compatible with SysV and LSB init scripts and can work as a
-- drop-in replacement for sysvinit.
-- .
   Installing the systemd package will not switch your init system unless you
   boot with init=/lib/systemd/systemd or install systemd-sysv in addition.
@@ -137,19 +134,11 @@ Depends: systemd (= ${binary:Version}),
           ${misc:Depends}
  Recommends: libpam-systemd,
              libnss-systemd
--Description: system and service manager - SysV links
-- systemd is a system and service manager for Linux. It provides aggressive
-- parallelization capabilities, uses socket and D-Bus activation for starting
-- services, offers on-demand starting of daemons, keeps track of processes using
-- Linux control groups, maintains mount and automount points and implements an
-- elaborate transactional dependency-based service control logic.
-- .
-- systemd is compatible with SysV and LSB init scripts and can work as a
-- drop-in replacement for sysvinit.
++Description: system and service manager - SysV compatibility symlinks
++ This package provides manual pages and compatibility symlinks needed for
++ systemd to replace sysvinit.
+  .
-- This package provides the manual pages and links needed for systemd
-- to replace sysvinit. Installing systemd-sysv will overwrite /sbin/init with a
-- link to systemd.
++ Installing systemd-sysv will overwrite /sbin/init with a symlink to systemd.
  Package: systemd-container
  Build-Profiles: <!stage1>
 diff --git a/debian/patches/Deny-list-TEST-74-AUX-UTILS-on-s390x.patch b/debian/patches/Deny-list-TEST-74-AUX-UTILS-on-s390x.patch
 new file mode 100644
 index 0000000..f230a88
 --- /dev/null
 +++ b/debian/patches/Deny-list-TEST-74-AUX-UTILS-on-s390x.patch
@@ -0,0 +1,16 @@
++From: Nick Rosbrook <nick.rosbrook@canonical.com>
++Date: Tue, 14 Feb 2023 11:43:42 -0500
++Subject: Deny-list TEST-74-AUX-UTILS on s390x
++
++---
++ test/TEST-74-AUX-UTILS/deny-list-upstream-ci-s390x | 1 +
++ 1 file changed, 1 insertion(+)
++ create mode 100644 test/TEST-74-AUX-UTILS/deny-list-upstream-ci-s390x
++
++diff --git a/test/TEST-74-AUX-UTILS/deny-list-upstream-ci-s390x b/test/TEST-74-AUX-UTILS/deny-list-upstream-ci-s390x
++new file mode 100644
++index 0000000..b7bd53b
++--- /dev/null
+++++ b/test/TEST-74-AUX-UTILS/deny-list-upstream-ci-s390x
++@@ -0,0 +1 @@
+++# Currently failing on autopkgtest infra, but appears to be a temporary issue.
 diff --git a/debian/patches/debian/Downgrade-a-couple-of-warnings-to-debug.patch b/debian/patches/debian/Downgrade-a-couple-of-warnings-to-debug.patch
 index 29b6fa8..7f02cc3 100644
 --- a/debian/patches/debian/Downgrade-a-couple-of-warnings-to-debug.patch
 +++ b/debian/patches/debian/Downgrade-a-couple-of-warnings-to-debug.patch
@@ -51,10 +51,10 @@ index 3c5df6c..24eff86 100644
                                       "Please update package to include a native systemd unit file, in order to make it more safe and robust.", fpath);
  diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
--index 18bb757..1f60913 100644
++index 3501ccf..d8423dd 100644
  --- a/src/tmpfiles/tmpfiles.c
  +++ b/src/tmpfiles/tmpfiles.c
--@@ -2987,6 +2987,7 @@ static int specifier_expansion_from_arg(const Specifier *specifier_table, Item *
++@@ -2990,6 +2990,7 @@ static int specifier_expansion_from_arg(const Specifier *specifier_table, Item *
   static int patch_var_run(const char *fname, unsigned line, char **path) {
           const char *k;
           char *n;
@@ -62,7 +62,7 @@ index 18bb757..1f60913 100644
           assert(path);
           assert(*path);
--@@ -3012,7 +3013,8 @@ static int patch_var_run(const char *fname, unsigned line, char **path) {
++@@ -3015,7 +3016,8 @@ static int patch_var_run(const char *fname, unsigned line, char **path) {
           /* Also log about this briefly. We do so at LOG_NOTICE level, as we fixed up the situation automatically, hence
            * there's no immediate need for action by the user. However, in the interest of making things less confusing
            * to the user, let's still inform the user that these snippets should really be updated. */
 diff --git a/debian/patches/debian/Make-run-lock-tmpfs-an-API-fs.patch b/debian/patches/debian/Make-run-lock-tmpfs-an-API-fs.patch
 index 6f4d2ac..4ab8117 100644
 --- a/debian/patches/debian/Make-run-lock-tmpfs-an-API-fs.patch
 +++ b/debian/patches/debian/Make-run-lock-tmpfs-an-API-fs.patch
@@ -15,6 +15,8 @@ Closes: #751392
   tmpfiles.d/legacy.conf.in | 1 -
 files changed, 2 insertions(+), 1 deletion(-)
++diff --git a/src/shared/mount-setup.c b/src/shared/mount-setup.c
++index 6882b62..c54e632 100644
  --- a/src/shared/mount-setup.c
  +++ b/src/shared/mount-setup.c
@@ -86,6 +86,8 @@
 diff --git a/debian/patches/debian/Revert-core-one-step-back-again-for-nspawn-we-actual.patch b/debian/patches/debian/Revert-core-one-step-back-again-for-nspawn-we-actual.patch
 index 0410005..deafad8 100644
 --- a/debian/patches/debian/Revert-core-one-step-back-again-for-nspawn-we-actual.patch
 +++ b/debian/patches/debian/Revert-core-one-step-back-again-for-nspawn-we-actual.patch
@@ -14,7 +14,7 @@ Bug-Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1141137
 file changed, 1 insertion(+), 10 deletions(-)
  diff --git a/src/core/unit.c b/src/core/unit.c
--index bed5544..48d76f2 100644
++index 3ac56c1..3b73c7c 100644
  --- a/src/core/unit.c
  +++ b/src/core/unit.c
@@ -4615,16 +4615,7 @@ int unit_kill_context(
 diff --git a/debian/patches/lp2002445-sd-netlink-add-a-test-for-rtnl_set_link_name.patch b/debian/patches/lp2002445-sd-netlink-add-a-test-for-rtnl_set_link_name.patch
 new file mode 100644
 index 0000000..8d9f0b3
 --- /dev/null
 +++ b/debian/patches/lp2002445-sd-netlink-add-a-test-for-rtnl_set_link_name.patch
@@ -0,0 +1,72 @@
++From: Nick Rosbrook <nick.rosbrook@canonical.com>
++Date: Tue, 22 Nov 2022 17:01:47 -0500
++Subject: sd-netlink: add a test for rtnl_set_link_name()
++
++Origin: upstream, https://github.com/systemd/systemd/commit/b338a8bb40
++Bug-Ubuntu: https://launchpad.net/bugs/2002445
++
++Add a test that verifies a deleted alternative name is restored on error
++in rtnl_set_link_name().
++---
++ src/libsystemd/sd-netlink/test-netlink.c | 27 +++++++++++++++++++++++++++
++ 1 file changed, 27 insertions(+)
++
++diff --git a/src/libsystemd/sd-netlink/test-netlink.c b/src/libsystemd/sd-netlink/test-netlink.c
++index 3f74ecc..2d93f9e 100644
++--- a/src/libsystemd/sd-netlink/test-netlink.c
+++++ b/src/libsystemd/sd-netlink/test-netlink.c
++@@ -8,6 +8,7 @@
++ #include <linux/if_macsec.h>
++ #include <linux/l2tp.h>
++ #include <linux/nl80211.h>
+++#include <unistd.h>
++
++ #include "sd-netlink.h"
++
++@@ -16,6 +17,7 @@
++ #include "macro.h"
++ #include "netlink-genl.h"
++ #include "netlink-internal.h"
+++#include "netlink-util.h"
++ #include "socket-util.h"
++ #include "stdio-util.h"
++ #include "string-util.h"
++@@ -667,6 +669,30 @@ static void test_genl(void) {
++         }
++ }
++
+++static void test_rtnl_set_link_name(sd_netlink *rtnl, int ifindex) {
+++        _cleanup_strv_free_ char **alternative_names = NULL;
+++        int r;
+++
+++        log_debug("/* %s */", __func__);
+++
+++        if (geteuid() != 0)
+++                return (void) log_tests_skipped("not root");
+++
+++        /* Test that the new name (which is currently an alternative name) is
+++         * restored as an alternative name on error. Create an error by using
+++         * an invalid device name, namely one that exceeds IFNAMSIZ
+++         * (alternative names can exceed IFNAMSIZ, but not regular names). */
+++        r = rtnl_set_link_alternative_names(&rtnl, ifindex, STRV_MAKE("testlongalternativename"));
+++        if (r == -EPERM)
+++                return (void) log_tests_skipped("missing required capabilities");
+++
+++        assert_se(r >= 0);
+++        assert_se(rtnl_set_link_name(&rtnl, ifindex, "testlongalternativename") == -EINVAL);
+++        assert_se(rtnl_get_link_alternative_names(&rtnl, ifindex, &alternative_names) >= 0);
+++        assert_se(strv_contains(alternative_names, "testlongalternativename"));
+++        assert_se(rtnl_delete_link_alternative_names(&rtnl, ifindex, STRV_MAKE("testlongalternativename")) >= 0);
+++}
+++
++ int main(void) {
++         sd_netlink *rtnl;
++         sd_netlink_message *m;
++@@ -698,6 +724,7 @@ int main(void) {
++         test_pipe(if_loopback);
++         test_event_loop(if_loopback);
++         test_link_configure(rtnl, if_loopback);
+++        test_rtnl_set_link_name(rtnl, if_loopback);
++
++         test_get_addresses(rtnl);
++         test_message_link_bridge(rtnl);
 diff --git a/debian/patches/lp2002445-sd-netlink-do-not-swap-old-name-and-alternative-name.patch b/debian/patches/lp2002445-sd-netlink-do-not-swap-old-name-and-alternative-name.patch
 new file mode 100644
 index 0000000..2388bf2
 --- /dev/null
 +++ b/debian/patches/lp2002445-sd-netlink-do-not-swap-old-name-and-alternative-name.patch
@@ -0,0 +1,62 @@
++From: Nick Rosbrook <nick.rosbrook@canonical.com>
++Date: Fri, 2 Dec 2022 15:26:18 -0500
++Subject: sd-netlink: do not swap old name and alternative name
++
++Origin: upstream, https://github.com/systemd/systemd/commit/080afbb57c
++Bug-Ubuntu: https://launchpad.net/bugs/2002445
++
++Commit 434a348380 ("netlink: do not fail when new interface name is
++already used as an alternative name") added logic to set the old
++interface name as an alternative name, but only when the new name is
++currently an alternative name. This is not the desired outcome in most
++cases, and the important part of this commit was to delete the new name
++from the list of alternative names if necessary.
++---
++ src/libsystemd/sd-netlink/netlink-util.c | 13 -------------
++ 1 file changed, 13 deletions(-)
++
++diff --git a/src/libsystemd/sd-netlink/netlink-util.c b/src/libsystemd/sd-netlink/netlink-util.c
++index 12cdc99..6b4c25f 100644
++--- a/src/libsystemd/sd-netlink/netlink-util.c
+++++ b/src/libsystemd/sd-netlink/netlink-util.c
++@@ -3,7 +3,6 @@
++ #include "sd-netlink.h"
++
++ #include "fd-util.h"
++-#include "format-util.h"
++ #include "io-util.h"
++ #include "memory-util.h"
++ #include "netlink-internal.h"
++@@ -15,7 +14,6 @@
++ int rtnl_set_link_name(sd_netlink **rtnl, int ifindex, const char *name) {
++         _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *message = NULL;
++         _cleanup_strv_free_ char **alternative_names = NULL;
++-        char old_name[IF_NAMESIZE] = {};
++         int r;
++
++         assert(rtnl);
++@@ -35,10 +33,6 @@ int rtnl_set_link_name(sd_netlink **rtnl, int ifindex, const char *name) {
++                 if (r < 0)
++                         return log_debug_errno(r, "Failed to remove '%s' from alternative names on network interface %i: %m",
++                                                name, ifindex);
++-
++-                r = format_ifname(ifindex, old_name);
++-                if (r < 0)
++-                        return log_debug_errno(r, "Failed to get current name of network interface %i: %m", ifindex);
++         }
++
++         r = sd_rtnl_message_new_link(*rtnl, &message, RTM_SETLINK, ifindex);
++@@ -53,13 +47,6 @@ int rtnl_set_link_name(sd_netlink **rtnl, int ifindex, const char *name) {
++         if (r < 0)
++                 return r;
++
++-        if (!isempty(old_name)) {
++-                r = rtnl_set_link_alternative_names(rtnl, ifindex, STRV_MAKE(old_name));
++-                if (r < 0)
++-                        log_debug_errno(r, "Failed to set '%s' as an alternative name on network interface %i, ignoring: %m",
++-                                        old_name, ifindex);
++-        }
++-
++         return 0;
++ }
++
 diff --git a/debian/patches/lp2002445-sd-netlink-restore-altname-on-error-in-rtnl_set_link_name.patch b/debian/patches/lp2002445-sd-netlink-restore-altname-on-error-in-rtnl_set_link_name.patch
 new file mode 100644
 index 0000000..07ca306
 --- /dev/null
 +++ b/debian/patches/lp2002445-sd-netlink-restore-altname-on-error-in-rtnl_set_link_name.patch
@@ -0,0 +1,64 @@
++From: Nick Rosbrook <nick.rosbrook@canonical.com>
++Date: Wed, 2 Nov 2022 05:36:14 -0400
++Subject: sd-netlink: restore altname on error in rtnl_set_link_name
++
++Origin: upstream, https://github.com/systemd/systemd/commit/4d600667f8
++Bug-Ubuntu: https://launchpad.net/bugs/2002445
++
++If a current alternative name is to be used to rename a network
++interface, the alternative name must be removed first. If interface
++renaming fails, restore the alternative name that was deleted if
++necessary.
++---
++ src/libsystemd/sd-netlink/netlink-util.c | 19 ++++++++++++++++---
++ 1 file changed, 16 insertions(+), 3 deletions(-)
++
++diff --git a/src/libsystemd/sd-netlink/netlink-util.c b/src/libsystemd/sd-netlink/netlink-util.c
++index 6b4c25f..cfcf257 100644
++--- a/src/libsystemd/sd-netlink/netlink-util.c
+++++ b/src/libsystemd/sd-netlink/netlink-util.c
++@@ -14,6 +14,7 @@
++ int rtnl_set_link_name(sd_netlink **rtnl, int ifindex, const char *name) {
++         _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *message = NULL;
++         _cleanup_strv_free_ char **alternative_names = NULL;
+++        bool altname_deleted = false;
++         int r;
++
++         assert(rtnl);
++@@ -33,21 +34,33 @@ int rtnl_set_link_name(sd_netlink **rtnl, int ifindex, const char *name) {
++                 if (r < 0)
++                         return log_debug_errno(r, "Failed to remove '%s' from alternative names on network interface %i: %m",
++                                                name, ifindex);
+++
+++                altname_deleted = true;
++         }
++
++         r = sd_rtnl_message_new_link(*rtnl, &message, RTM_SETLINK, ifindex);
++         if (r < 0)
++-                return r;
+++                goto fail;
++
++         r = sd_netlink_message_append_string(message, IFLA_IFNAME, name);
++         if (r < 0)
++-                return r;
+++                goto fail;
++
++         r = sd_netlink_call(*rtnl, message, 0, NULL);
++         if (r < 0)
++-                return r;
+++                goto fail;
++
++         return 0;
+++
+++fail:
+++        if (altname_deleted) {
+++                int q = rtnl_set_link_alternative_names(rtnl, ifindex, STRV_MAKE(name));
+++                if (q < 0)
+++                        log_debug_errno(q, "Failed to restore '%s' as an alternative name on network interface %i, ignoring: %m",
+++                                        name, ifindex);
+++        }
+++
+++        return r;
++ }
++
++ int rtnl_set_link_properties(
 diff --git a/debian/patches/lp2002445-test-network-add-a-test-for-renaming-device-to-current-al.patch b/debian/patches/lp2002445-test-network-add-a-test-for-renaming-device-to-current-al.patch
 new file mode 100644
 index 0000000..bea8407
 --- /dev/null
 +++ b/debian/patches/lp2002445-test-network-add-a-test-for-renaming-device-to-current-al.patch
@@ -0,0 +1,48 @@
++From: Nick Rosbrook <nick.rosbrook@canonical.com>
++Date: Wed, 7 Dec 2022 12:28:28 -0500
++Subject: test-network: add a test for renaming device to current altname
++
++Origin: upstream, https://github.com/systemd/systemd/commit/f68f644a16
++Bug-Ubuntu: https://launchpad.net/bugs/2002445
++
++---
++ test/test-network/conf/12-dummy-rename-to-altname.link |  7 +++++++
++ test/test-network/systemd-networkd-tests.py            | 11 +++++++++++
++ 2 files changed, 18 insertions(+)
++ create mode 100644 test/test-network/conf/12-dummy-rename-to-altname.link
++
++diff --git a/test/test-network/conf/12-dummy-rename-to-altname.link b/test/test-network/conf/12-dummy-rename-to-altname.link
++new file mode 100644
++index 0000000..bef4bf3
++--- /dev/null
+++++ b/test/test-network/conf/12-dummy-rename-to-altname.link
++@@ -0,0 +1,7 @@
+++# SPDX-License-Identifier: LGPL-2.1-or-later
+++[Match]
+++OriginalName=dummy98
+++
+++[Link]
+++Name=dummyalt
+++AlternativeName=dummyalt hogehogehogehogehogehoge
++diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py
++index 5a731f5..a04f302 100755
++--- a/test/test-network/systemd-networkd-tests.py
+++++ b/test/test-network/systemd-networkd-tests.py
++@@ -936,6 +936,17 @@ class NetworkctlTests(unittest.TestCase, Utilities):
++         output = check_output(*networkctl_cmd, '-n', '0', 'status', 'dummy98', env=env)
++         self.assertRegex(output, 'hogehogehogehogehogehoge')
++
+++    @expectedFailureIfAlternativeNameIsNotAvailable()
+++    def test_rename_to_altname(self):
+++        copy_network_unit('26-netdev-link-local-addressing-yes.network',
+++                          '12-dummy.netdev', '12-dummy-rename-to-altname.link')
+++        start_networkd()
+++        self.wait_online(['dummyalt:degraded'])
+++
+++        output = check_output(*networkctl_cmd, '-n', '0', 'status', 'dummyalt', env=env)
+++        self.assertIn('hogehogehogehogehogehoge', output)
+++        self.assertNotIn('dummy98', output)
+++
++     def test_reconfigure(self):
++         copy_network_unit('25-address-static.network', '12-dummy.netdev')
++         start_networkd()
 diff --git a/debian/patches/lp2002445-udev-attempt-device-rename-even-if-interface-is-up.patch b/debian/patches/lp2002445-udev-attempt-device-rename-even-if-interface-is-up.patch
 new file mode 100644
 index 0000000..4e0240e
 --- /dev/null
 +++ b/debian/patches/lp2002445-udev-attempt-device-rename-even-if-interface-is-up.patch
@@ -0,0 +1,63 @@
++From: Nick Rosbrook <nick.rosbrook@canonical.com>
++Date: Fri, 2 Dec 2022 15:35:25 -0500
++Subject: udev: attempt device rename even if interface is up
++
++Origin: upstream, https://github.com/systemd/systemd/commit/53584e7b61
++Bug-Ubuntu: https://launchpad.net/bugs/2002445
++
++Currently rename_netif() will not attempt to rename a device if it is
++already up, because the kernel will return -EBUSY unless live renaming
++is allowed on the device. This restriction will be removed in a future
++kernel version [1].
++
++To cover both cases, always attempt to rename the interface and return 0
++if we get -EBUSY.
++
++[1] https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/commit/?id=bd039b5ea2a9
++---
++ src/udev/udev-event.c | 18 ++++++------------
++ 1 file changed, 6 insertions(+), 12 deletions(-)
++
++diff --git a/src/udev/udev-event.c b/src/udev/udev-event.c
++index b3d92d5..08d69cf 100644
++--- a/src/udev/udev-event.c
+++++ b/src/udev/udev-event.c
++@@ -862,7 +862,6 @@ int udev_event_spawn(
++ static int rename_netif(UdevEvent *event) {
++         const char *oldname;
++         sd_device *dev;
++-        unsigned flags;
++         int ifindex, r;
++
++         assert(event);
++@@ -896,17 +895,7 @@ static int rename_netif(UdevEvent *event) {
++                 return 0;
++         }
++
++-        r = rtnl_get_link_info(&event->rtnl, ifindex, NULL, &flags, NULL, NULL, NULL);
++-        if (r < 0)
++-                return log_device_warning_errno(dev, r, "Failed to get link flags: %m");
++-
++-        if (FLAGS_SET(flags, IFF_UP)) {
++-                log_device_info(dev, "Network interface '%s' is already up, refusing to rename to '%s'.",
++-                                oldname, event->name);
++-                return 0;
++-        }
++-
++-        /* Set ID_RENAMING boolean property here, and drop it in the corresponding move uevent later. */
+++        /* Set ID_RENAMING boolean property here. It will be dropped when the corresponding move uevent is processed. */
++         r = device_add_property(dev, "ID_RENAMING", "1");
++         if (r < 0)
++                 return log_device_warning_errno(dev, r, "Failed to add 'ID_RENAMING' property: %m");
++@@ -927,6 +916,11 @@ static int rename_netif(UdevEvent *event) {
++                 return log_device_debug_errno(event->dev_db_clone, r, "Failed to update database under /run/udev/data/: %m");
++
++         r = rtnl_set_link_name(&event->rtnl, ifindex, event->name);
+++        if (r == -EBUSY) {
+++                log_device_info(dev, "Network interface '%s' is already up, cannot rename to '%s'.",
+++                                oldname, event->name);
+++                return 0;
+++        }
++         if (r < 0)
++                 return log_device_error_errno(dev, r, "Failed to rename network interface %i from '%s' to '%s': %m",
++                                               ifindex, oldname, event->name);
 diff --git a/debian/patches/lp2002445-udev-net-allow-new-link-name-as-an-altname-before-renamin.patch b/debian/patches/lp2002445-udev-net-allow-new-link-name-as-an-altname-before-renamin.patch
 new file mode 100644
 index 0000000..0b78d7f
 --- /dev/null
 +++ b/debian/patches/lp2002445-udev-net-allow-new-link-name-as-an-altname-before-renamin.patch
@@ -0,0 +1,34 @@
++From: Nick Rosbrook <nick.rosbrook@canonical.com>
++Date: Wed, 2 Nov 2022 11:05:01 -0400
++Subject: udev/net: allow new link name as an altname before renaming happens
++
++Origin: upstream, https://github.com/systemd/systemd/commit/d0b31efc1a
++Bug-Ubuntu: https://launchpad.net/bugs/2002445
++
++When configuring a link's alternative names, the link's new name to-be
++is not allowed to be included because interface renaming will fail if
++the new name is already present as an alternative name. However,
++rtnl_set_link_name will delete the conflicting alternative name before
++renaming the device, if necessary.
++
++Allow the new link name to be set as an alternative name before the
++device is renamed. This means that if the rename is later skipped (i.e.
++because the link is already up), then the name can at least still be
++present as an alternative name.
++---
++ src/udev/net/link-config.c | 2 --
++ 1 file changed, 2 deletions(-)
++
++diff --git a/src/udev/net/link-config.c b/src/udev/net/link-config.c
++index e408725..5d28526 100644
++--- a/src/udev/net/link-config.c
+++++ b/src/udev/net/link-config.c
++@@ -841,8 +841,6 @@ static int link_apply_alternative_names(Link *link, sd_netlink **rtnl) {
++                         }
++                 }
++
++-        if (link->new_name)
++-                strv_remove(altnames, link->new_name);
++         strv_remove(altnames, link->ifname);
++
++         r = rtnl_get_link_alternative_names(rtnl, link->ifindex, &current_altnames);
 diff --git a/debian/patches/p11kit-switch-to-dlopen.patch b/debian/patches/p11kit-switch-to-dlopen.patch
 index 0cdb8c3..d9fd919 100644
 --- a/debian/patches/p11kit-switch-to-dlopen.patch
 +++ b/debian/patches/p11kit-switch-to-dlopen.patch
@@ -718,10 +718,10 @@ index 85dbb81..55728c2 100644
+  }
  diff --git a/test/test-functions b/test/test-functions
--index 5613215..7f0ab56 100644
++index ae0a993..be3b686 100644
  --- a/test/test-functions
  +++ b/test/test-functions
--@@ -1275,7 +1275,7 @@ install_missing_libraries() {
++@@ -1276,7 +1276,7 @@ install_missing_libraries() {
       local lib path
       # A number of dependencies is now optional via dlopen, so the install
       # script will not pick them up, since it looks at linkage.
@@ -730,7 +730,7 @@ index 5613215..7f0ab56 100644
           ddebug "Searching for $lib via pkg-config"
           if pkg-config --exists "$lib"; then
                   path="$(pkg-config --variable=libdir "$lib")"
--@@ -1287,6 +1287,10 @@ install_missing_libraries() {
++@@ -1288,6 +1288,10 @@ install_missing_libraries() {
                   if ! [[ ${lib} =~ ^lib ]]; then
                           lib="lib${lib}"
                   fi
 diff --git a/debian/patches/series b/debian/patches/series
 index 663fefb..654d909 100644
 --- a/debian/patches/series
 +++ b/debian/patches/series
@@ -37,9 +37,6 @@ debian/UBUNTU-Don-t-override-Ubuntu-s-default-sysctl-values-LP-1962038.patch
  test-increase-QEMU_MEM-for-some-tests.patch
  lp1981042-core-firstboot-workaround-timezone-issues-caused-by-Ubunt.patch
  test-denylist-TEST-29-PORTABLE-again.patch
--test-remove-no-longer-needed-quirk-for-set-locale-on-Debi.patch
--test-make-sure-mount-point-exists-in-testsuite-64.sh.patch
--test-handle-Debian-s-etc-default-locale-in-testsuite-74.f.patch
  test-skip-some-tests-when-machine-id-is-not-initialized.patch
  lp1999275-stat-util-introduce-fd_is_read_only_fs.patch
  lp1999275-binfmt-util-split-out-binfmt_mounted.patch
@@ -47,3 +44,10 @@ lp1999275-binfmt-util-also-check-if-binfmt-is-mounted-in-read-write.patch
  lp1999275-binfmt-check-if-binfmt-is-mounted-before-applying-rules.patch
  lp1999275-unit-check-more-specific-path-to-be-written-by-systemd-bi.patch
  debian/Skip-flaky-test_resolved_domain_restricted_dns-in-network.patch
++lp2002445-udev-net-allow-new-link-name-as-an-altname-before-renamin.patch
++lp2002445-sd-netlink-do-not-swap-old-name-and-alternative-name.patch
++lp2002445-sd-netlink-restore-altname-on-error-in-rtnl_set_link_name.patch
++lp2002445-udev-attempt-device-rename-even-if-interface-is-up.patch
++lp2002445-sd-netlink-add-a-test-for-rtnl_set_link_name.patch
++lp2002445-test-network-add-a-test-for-renaming-device-to-current-al.patch
++Deny-list-TEST-74-AUX-UTILS-on-s390x.patch
 diff --git a/debian/patches/test-handle-Debian-s-etc-default-locale-in-testsuite-74.f.patch b/debian/patches/test-handle-Debian-s-etc-default-locale-in-testsuite-74.f.patch
 deleted file mode 100644
 index e192136..0000000
 --- a/debian/patches/test-handle-Debian-s-etc-default-locale-in-testsuite-74.f.patch
 +++ /dev/null
@@ -1,107 +0,0 @@
--From: Nick Rosbrook <nick.rosbrook@canonical.com>
--Date: Tue, 22 Nov 2022 12:50:33 -0500
--Subject: test: handle Debian's /etc/default/locale in
-- testsuite-74.firstboot.sh
--
--Origin: upstream, https://github.com/systemd/systemd/commit/bb59fdc1e3a7119f3680d309147020fce9bf67b5
--
--This handles a Debian-specific quirk where /etc/default/locale is used
--instead of /etc/locale.conf. There is currently special handling for
--this in testsuite-73.sh, so the quirk should be handled here too for
--consistency.
--
--This patch was modified to apply to v251.1.
-----
-- test/units/testsuite-74.firstboot.sh | 40 ++++++++++++++++--------------------
-- 1 file changed, 18 insertions(+), 22 deletions(-)
--
--diff --git a/test/units/testsuite-74.firstboot.sh b/test/units/testsuite-74.firstboot.sh
--index 02f9f5c..1bcc3da 100755
----- a/test/units/testsuite-74.firstboot.sh
--+++ b/test/units/testsuite-74.firstboot.sh
--@@ -24,6 +24,12 @@ ROOT_HASHED_PASSWORD1='$6$foobarsalt$YbwdaATX6IsFxvWbY3QcZj2gB31R/LFRFrjlFrJtTTq
-- # shellcheck disable=SC2016
-- ROOT_HASHED_PASSWORD2='$6$foobarsalt$q.P2932zYMLbKnjFwIxPI8y3iuxeuJ2BgE372LcZMMnj3Gcg/9mJg2LPKUl.ha0TG/.fRNNnRQcLfzM0SNot3.'
--
--+# Debian and Ubuntu use /etc/default/locale instead of /etc/locale.conf. Make
--+# sure we use the appropriate path for locale configuration.
--+LOCALE_PATH="/etc/locale.conf"
--+[ -e "$LOCALE_PATH" ] || LOCALE_PATH="/etc/default/locale"
--+[ -e "$LOCALE_PATH" ] || systemd-firstboot --locale=C.UTF-8
--+
-- # Create a minimal root so we don't modify the testbed
-- ROOT=test-root
-- mkdir -p "$ROOT/bin"
--@@ -31,15 +37,15 @@ mkdir -p "$ROOT/bin"
-- touch "$ROOT/bin/fooshell" "$ROOT/bin/barshell"
--
-- systemd-firstboot --root="$ROOT" --locale=foo
---grep -q "LANG=foo" "$ROOT/etc/locale.conf"
---rm -fv "$ROOT/etc/locale.conf"
--+grep -q "LANG=foo" "$ROOT$LOCALE_PATH"
--+rm -fv "$ROOT$LOCALE_PATH"
-- # FIXME: https://github.com/systemd/systemd/issues/25249
-- #systemd-firstboot --root="$ROOT" --locale-messages=foo
---#grep -q "LC_MESSAGES=foo" "$ROOT/etc/locale.conf"
---#rm -fv "$ROOT/etc/locale.conf"
--+#grep -q "LC_MESSAGES=foo" "$ROOT$LOCALE_PATH"
--+#rm -fv "$ROOT$LOCALE_PATH"
-- systemd-firstboot --root="$ROOT" --locale=foo --locale-messages=bar
---grep -q "LANG=foo" "$ROOT/etc/locale.conf"
---grep -q "LC_MESSAGES=bar" "$ROOT/etc/locale.conf"
--+grep -q "LANG=foo" "$ROOT$LOCALE_PATH"
--+grep -q "LC_MESSAGES=bar" "$ROOT$LOCALE_PATH"
--
-- systemd-firstboot --root="$ROOT" --keymap=foo
-- grep -q "KEYMAP=foo" "$ROOT/etc/vconsole.conf"
--@@ -83,8 +89,8 @@ systemd-firstboot --root="$ROOT" \
--                   --root-password-hashed="$ROOT_HASHED_PASSWORD2" \
--                   --root-shell=/bin/barshell \
--                   --kernel-command-line="hello.world=0"
---grep -q "LANG=foo" "$ROOT/etc/locale.conf"
---grep -q "LC_MESSAGES=bar" "$ROOT/etc/locale.conf"
--+grep -q "LANG=foo" "$ROOT$LOCALE_PATH"
--+grep -q "LC_MESSAGES=bar" "$ROOT$LOCALE_PATH"
-- grep -q "KEYMAP=foo" "$ROOT/etc/vconsole.conf"
-- readlink "$ROOT/etc/localtime" | grep -q "Europe/Berlin$"
-- grep -q "foobar" "$ROOT/etc/hostname"
--@@ -104,8 +110,8 @@ systemd-firstboot --root="$ROOT" --force \
--                   --root-password-hashed="$ROOT_HASHED_PASSWORD2" \
--                   --root-shell=/bin/barshell \
--                   --kernel-command-line="hello.world=0"
---grep -q "LANG=locale-overwrite" "$ROOT/etc/locale.conf"
---grep -q "LC_MESSAGES=messages-overwrite" "$ROOT/etc/locale.conf"
--+grep -q "LANG=locale-overwrite" "$ROOT$LOCALE_PATH"
--+grep -q "LC_MESSAGES=messages-overwrite" "$ROOT$LOCALE_PATH"
-- grep -q "KEYMAP=keymap-overwrite" "$ROOT/etc/vconsole.conf"
-- readlink "$ROOT/etc/localtime" | grep -q "/CET$"
-- grep -q "hostname-overwrite" "$ROOT/etc/hostname"
--@@ -119,7 +125,7 @@ rm -fr "$ROOT"
-- mkdir "$ROOT"
-- # Copy everything at once (--copy)
-- systemd-firstboot --root="$ROOT" --copy
---diff /etc/locale.conf "$ROOT/etc/locale.conf"
--+diff $LOCALE_PATH "$ROOT$LOCALE_PATH"
-- diff <(awk -F: '/^root/ { print $7; }' /etc/passwd) <(awk -F: '/^root/ { print $7; }' "$ROOT/etc/passwd")
-- diff <(awk -F: '/^root/ { print $2; }' /etc/shadow) <(awk -F: '/^root/ { print $2; }' "$ROOT/etc/shadow")
-- [[ -e /etc/vconsole.conf ]] && diff /etc/vconsole.conf "$ROOT/etc/vconsole.conf"
--@@ -128,18 +134,8 @@ rm -fr "$ROOT"
-- mkdir "$ROOT"
-- # Copy everything at once, but now by using separate switches
-- systemd-firstboot --root="$ROOT" --copy-locale --copy-keymap --copy-timezone --copy-root-password --copy-root-shell
---diff /etc/locale.conf "$ROOT/etc/locale.conf"
--+diff $LOCALE_PATH "$ROOT$LOCALE_PATH"
-- diff <(awk -F: '/^root/ { print $7; }' /etc/passwd) <(awk -F: '/^root/ { print $7; }' "$ROOT/etc/passwd")
-- diff <(awk -F: '/^root/ { print $2; }' /etc/shadow) <(awk -F: '/^root/ { print $2; }' "$ROOT/etc/shadow")
-- [[ -e /etc/vconsole.conf ]] && diff /etc/vconsole.conf "$ROOT/etc/vconsole.conf"
-- [[ -e /etc/localtime ]] && diff <(readlink /etc/localtime) <(readlink "$ROOT/etc/localtime")
---
---# Assorted tests
---rm -fr "$ROOT"
---mkdir "$ROOT"
---
---systemd-firstboot --root="$ROOT" --setup-machine-id
---grep -E "[a-z0-9]{32}" "$ROOT/etc/machine-id"
---
---systemd-firstboot --root="$ROOT" --delete-root-password
---diff <(echo) <(awk -F: '/^root/ { print $2; }' "$ROOT/etc/shadow")
 diff --git a/debian/patches/test-make-sure-mount-point-exists-in-testsuite-64.sh.patch b/debian/patches/test-make-sure-mount-point-exists-in-testsuite-64.sh.patch
 deleted file mode 100644
 index ab71bce..0000000
 --- a/debian/patches/test-make-sure-mount-point-exists-in-testsuite-64.sh.patch
 +++ /dev/null
@@ -1,22 +0,0 @@
--From: Nick Rosbrook <nick.rosbrook@canonical.com>
--Date: Tue, 22 Nov 2022 12:43:51 -0500
--Subject: test: make sure mount point exists in testsuite-64.sh
--
--Origin: upstream, https://github.com/systemd/systemd/commit/84e5b9225d12f8a1a7d414ef01f97fcd6881c14f
--
-----
-- test/units/testsuite-64.sh | 1 +
-- 1 file changed, 1 insertion(+)
--
--diff --git a/test/units/testsuite-64.sh b/test/units/testsuite-64.sh
--index 7673036..8e46533 100755
----- a/test/units/testsuite-64.sh
--+++ b/test/units/testsuite-64.sh
--@@ -243,6 +243,7 @@ EOF
--     echo "${FUNCNAME[0]}: test failover"
--     local device expected link mpoint part
--     local -a devices
--+    mkdir -p /mnt
--     mpoint="$(mktemp -d /mnt/mpathXXX)"
--     wwid="deaddeadbeef0000"
--     path="/dev/disk/by-id/wwn-0x$wwid"
 diff --git a/debian/patches/test-remove-no-longer-needed-quirk-for-set-locale-on-Debi.patch b/debian/patches/test-remove-no-longer-needed-quirk-for-set-locale-on-Debi.patch
 deleted file mode 100644
 index 0adbd1f..0000000
 --- a/debian/patches/test-remove-no-longer-needed-quirk-for-set-locale-on-Debi.patch
 +++ /dev/null
@@ -1,23 +0,0 @@
--From: Nick Rosbrook <nick.rosbrook@canonical.com>
--Date: Thu, 17 Nov 2022 11:29:03 -0500
--Subject: test: remove no-longer-needed quirk for set-locale on Debian/Ubuntu
--
-----
-- test/units/testsuite-73.sh | 4 +---
-- 1 file changed, 1 insertion(+), 3 deletions(-)
--
--diff --git a/test/units/testsuite-73.sh b/test/units/testsuite-73.sh
--index f9e2dce..1e493c0 100755
----- a/test/units/testsuite-73.sh
--+++ b/test/units/testsuite-73.sh
--@@ -118,9 +118,7 @@ LC_CTYPE=$i"
--
--         assert_rc 0 localectl set-locale "$i"
--         if [[ -f /etc/default/locale ]]; then
---            # Debian/Ubuntu patch is buggy, and LC_CTYPE= still exists.
---            assert_eq "$(cat /etc/default/locale)" "LANG=$i
---LC_CTYPE=$i"
--+            assert_eq "$(cat /etc/default/locale)" "LANG=$i"
--         else
--             assert_eq "$(cat /etc/locale.conf)" "LANG=$i"
--         fi
 diff --git a/debian/rules b/debian/rules
 index 73ef33f..ce2c49f 100755
 --- a/debian/rules
 +++ b/debian/rules
@@ -100,6 +100,7 @@ CONFFLAGS = \
  	-Dnss-resolve=true \
  	-Dnss-systemd=true \
  	-Dresolve=true \
++	-Dstatus-unit-format-default=combined \
  	-Dstandalone-binaries=true
  ifeq (, $(filter stage1, $(DEB_BUILD_PROFILES)))
 diff --git a/debian/tests/boot-and-services b/debian/tests/boot-and-services
 index 4c2d7a8..fc0eb9b 100755
 --- a/debian/tests/boot-and-services
 +++ b/debian/tests/boot-and-services
@@ -119,7 +119,7 @@ class ServicesTest(unittest.TestCase):
              # has kernel messages
              self.assertRegex(log, 'kernel:.*')
          # has init messages
--        self.assertRegex(log, 'systemd.*Reached target Graphical Interface')
++        self.assertRegex(log, 'systemd.*Reached target(?: graphical.target -)? Graphical Interface')
          # has other services
          self.assertRegex(log, 'NetworkManager.*:')
@@ -199,7 +199,7 @@ class JournalTest(unittest.TestCase):
              # has kernel messages
              self.assertRegex(out, b'kernel:.*')
          # has init messages
--        self.assertRegex(out, b'systemd.*Reached target Graphical Interface')
++        self.assertRegex(out, b'systemd.*Reached target(?: graphical.target -)? Graphical Interface')
          # has other services
          self.assertRegex(out, b'NetworkManager.*:.*starting')
 diff --git a/debian/tests/control b/debian/tests/control
 index 34a3a05..0e0a97c 100644
 --- a/debian/tests/control
 +++ b/debian/tests/control
@@ -48,6 +48,7 @@ Depends: systemd,
    cryptsetup-bin,
    systemd-sysv,
    polkitd | policykit-1,
++  netlabel-tools,
    dnsmasq-base
  Restrictions: needs-root, isolation-container, breaks-testbed
@@ -182,6 +183,8 @@ Depends: systemd-tests,
    squashfs-tools,
    vim-tiny,
    dosfstools,
++  mtools,
++  erofs-utils,
    libdw-dev,
    libelf-dev,
    dbus-user-session,
@@ -195,6 +198,16 @@ Depends: systemd-tests,
    tpm2-tools,
    libgcc-s1,
    openssl,
++  bsdutils,
++  knot,
++  knot-dnssecutils | knot-dnsutils,
++  bind9-dnsutils,
++  bind9-host,
++  jq,
++  psmisc,
++  xkb-data,
++  locales,
++  locales-all,
  Restrictions: needs-root, allow-stderr, isolation-machine
  Tests: boot-smoke
@@ -205,11 +218,3 @@ Depends: systemd-sysv,
    systemd,
    udev,
  Restrictions: needs-root, isolation-container, allow-stderr, breaks-testbed
--
--# NOUPSTREAM: Do not run these tests for upstream builds
--
--Tests: systemd-fsckd
--Depends: systemd-sysv,
--  python3,
--  plymouth
--Restrictions: needs-root, isolation-machine, breaks-testbed, skippable, flaky
 diff --git a/debian/tests/fsck b/debian/tests/fsck
 deleted file mode 100755
 index 77b50d7..0000000
 --- a/debian/tests/fsck
 +++ /dev/null
@@ -1,27 +0,0 @@
--#!/bin/bash
--fd=0
--
--OPTIND=1
--while getopts "C:aTlM" opt; do
--    case "$opt" in
--        C)
--            fd=$OPTARG
--            ;;
--        \?);;
--    esac
--done
--
--shift "$((OPTIND-1))"
--device=$1
--
--echo "Running fake fsck on $device"
--
--declare -a maxpass=(30 5 2 30 60)
--
--for pass in {1..5}; do
--    maxprogress=${maxpass[$((pass-1))]}
--    for (( current=0; current<=${maxprogress}; current++)); do
--        echo "$pass $current $maxprogress $device">&$fd
--        sleep 0.1
--    done
--done
 diff --git a/debian/tests/systemd-fsckd b/debian/tests/systemd-fsckd
 deleted file mode 100755
 index 7f5e535..0000000
 --- a/debian/tests/systemd-fsckd
 +++ /dev/null
@@ -1,323 +0,0 @@
--#!/usr/bin/python3
--# autopkgtest check: Ensure that systemd-fsckd can report progress and cancel
--# (C) 2015 Canonical Ltd.
--# Author: Didier Roche <didrocks@ubuntu.com>
--
--import fileinput
--import inspect
--import os
--import platform
--import re
--import shutil
--import stat
--import subprocess
--import sys
--import time
--import unittest
--
--from contextlib import suppress
--from pathlib import Path
--
--SYSTEMD_FSCK_ROOT_DROPIN_PATH = '/etc/systemd/system/systemd-fsck-root.service.d/autopkgtest.conf'
--SYSTEMD_FSCK_ROOT_DROPIN_CONTENT = '''
--[Unit]
--ConditionPathIsReadWrite=
--ConditionPathExists=
--
--[Install]
--WantedBy=local-fs.target
--'''
--
--KILL_SERVICE_PATH = '/etc/systemd/system/kill@.service'
--KILL_SERVICE_CONTENT = '''
--[Unit]
--DefaultDependencies=no
--StartLimitInterval=0
--Before=systemd-fsckd.service
--
--[Service]
--RestartSec=1
--Restart=on-failure
--ExecStart=/bin/sh -c "/bin/sleep 5; /usr/bin/pkill -x %i"
--
--[Install]
--WantedBy=systemd-fsckd.service
--'''
--
--DEFAULT_SYSTEM_RUNNING_TIMEOUT = 600
--DEFAULT_SYSTEMD_FSCKD_TIMEOUT = 600
--
--FSCK_PATH = '/sbin/fsck'
--FSCK_BACKUP_PATH = '/sbin/fsck.backup'
--
--RE_SPLASH_QUIET = r'\b\s*(splash|quiet)\b'
--
--
--def tests_setup():
--    # enable persistent journal
--    Path('/var/log/journal').mkdir(parents=True, exist_ok=True)
--    subprocess.run('systemctl -q restart systemd-journald'.split())
--    Path(SYSTEMD_FSCK_ROOT_DROPIN_PATH).parent.mkdir(parents=True, exist_ok=True)
--    Path(SYSTEMD_FSCK_ROOT_DROPIN_PATH).write_text(SYSTEMD_FSCK_ROOT_DROPIN_CONTENT)
--    Path(KILL_SERVICE_PATH).parent.mkdir(parents=True, exist_ok=True)
--    Path(KILL_SERVICE_PATH).write_text(KILL_SERVICE_CONTENT)
--    subprocess.run('systemctl -q daemon-reload'.split())
--    subprocess.run('systemctl -q enable systemd-fsck-root'.split())
--    Path(FSCK_PATH).rename(FSCK_BACKUP_PATH)
--    Path(FSCK_PATH).write_text(Path(__file__).with_name('fsck').read_text())
--    Path(FSCK_PATH).chmod(0o755)
--
--def tests_teardown():
--    Path('/etc/systemd/system/local-fs.target.wants/systemd-fsck-root.service').unlink()
--    subprocess.run('systemctl -q disable systemd-fsck-root'.split())
--    Path(SYSTEMD_FSCK_ROOT_DROPIN_PATH).unlink()
--    Path(KILL_SERVICE_PATH).unlink()
--    subprocess.run('systemctl -q daemon-reload'.split())
--    Path(FSCK_BACKUP_PATH).replace(FSCK_PATH)
--
--def is_system_running():
--    running = subprocess.run('systemctl is-system-running'.split(),
--                             encoding='utf-8',
--                             stdout=subprocess.PIPE).stdout.strip()
--    return running in ['running', 'degraded']
--
--def is_unit_active(unit):
--    return subprocess.run(f'systemctl -q is-active {unit}'.split()).returncode == 0
--
--def has_unit_failed(unit):
--    '''check if this unit failed at least once, this boot'''
--    journal = subprocess.run(f'journalctl -b -u {unit}'.split(),
--                             encoding='utf-8',
--                             stdout=subprocess.PIPE).stdout.strip()
--    return f'{unit}.service: Failed' in journal
--
--def has_unit_started(unit):
--    return subprocess.run(f'systemctl show --value -p ExecMainStartTimestampMonotonic {unit}'.split(),
--                          encoding='utf-8',
--                          stdout=subprocess.PIPE).stdout.strip() != '0'
--
--def get_unit_exec_status(unit):
--    return subprocess.run(f'systemctl show --value -p ExecMainStatus {unit}'.split(),
--                          encoding='utf-8',
--                          stdout=subprocess.PIPE).stdout.strip()
--
--class FsckdTest(unittest.TestCase):
--    '''Check that we run, report and can cancel fsck'''
--    def __init__(self, test_name, after_reboot):
--        super().__init__(test_name)
--        self._test_name = test_name
--        self._after_reboot = after_reboot
--
--    def setUp(self):
--        super().setUp()
--        if self._after_reboot:
--            self.wait_system_running()
--            self.wait_systemd_fsckd()
--        else:
--            configure_plymouth()
--
--    def tearDown(self):
--        super().tearDown()
--
--    def enable_kill_service(self, proc):
--        subprocess.run(f'systemctl -q enable kill@{proc}'.split())
--
--    def disable_kill_service(self, proc):
--        subprocess.run(f'systemctl -q disable kill@{proc}'.split())
--
--    def wait_system_running(self, timeout=DEFAULT_SYSTEM_RUNNING_TIMEOUT):
--        end = time.monotonic() + timeout
--        while time.monotonic() <= end:
--            if is_system_running():
--                return
--            time.sleep(1)
--        self.fail('timeout waiting for system running')
--
--    def wait_systemd_fsckd(self, timeout=DEFAULT_SYSTEMD_FSCKD_TIMEOUT):
--        end = time.monotonic() + timeout
--        while time.monotonic() <= end:
--            if not is_unit_active('systemd-fsckd'):
--                return
--            time.sleep(1)
--        self.fail('timeout waiting for systemd-fsckd to finish')
--
--    def check_systemd_fsckd(self):
--        unit = 'systemd-fsckd'
--        self.assertUnitStarted(unit)
--        self.assertUnitNotActive(unit)
--        self.assertSystemdFsckdNotFailed()
--
--    def check_systemd_fsck_root(self):
--        unit = 'systemd-fsck-root'
--        self.assertUnitStarted(unit)
--        self.assertUnitActive(unit)
--        self.assertUnitNotFailed(unit)
--
--    def check_plymouth_start(self):
--        unit = 'plymouth-start'
--        self.assertUnitStarted(unit)
--        # stays active in 20.10 and later
--        self.assertUnitActive(unit)
--        self.assertUnitNotFailed(unit)
--
--    def test_systemd_fsckd_run(self):
--        '''Ensure we can boot after a fsck was processed'''
--        if not self._after_reboot:
--            self.reboot()
--        else:
--            self.check_systemd_fsckd()
--            self.check_systemd_fsck_root()
--            self.check_plymouth_start()
--
--    def test_systemd_fsckd_run_without_plymouth(self):
--        '''Ensure we can boot without plymouth after a fsck was processed'''
--        if not self._after_reboot:
--            configure_plymouth(enable=False)
--            self.reboot()
--        else:
--            self.check_systemd_fsckd()
--            self.check_systemd_fsck_root()
--            self.assertUnitNeverStarted('plymouth-start')
--
--    def test_fsck_failure(self):
--        '''Ensure that a failing fsck doesn't prevent fsckd to stop'''
--        if not self._after_reboot:
--            self.enable_kill_service('fsck')
--            self.reboot()
--        else:
--            self.check_systemd_fsckd()
--            self.assertUnitFailed('systemd-fsck-root')
--            self.check_plymouth_start()
--            self.disable_kill_service('fsck')
--
--    def test_systemd_fsck_failure(self):
--        '''Ensure that a failing systemd-fsck doesn't prevent fsckd to stop'''
--        if not self._after_reboot:
--            self.enable_kill_service('systemd-fsck')
--            self.reboot()
--        else:
--            self.check_systemd_fsckd()
--            self.assertUnitFailed('systemd-fsck-root')
--            self.check_plymouth_start()
--            self.disable_kill_service('systemd-fsck')
--
--    def test_systemd_fsckd_failure(self):
--        '''Ensure that a failing systemd-fsckd doesn't prevent system to boot'''
--        if not self._after_reboot:
--            self.enable_kill_service('systemd-fsckd')
--            self.reboot()
--        else:
--            self.assertSystemdFsckdFailed()
--            self.assertUnitFailed('systemd-fsck-root')
--            self.check_plymouth_start()
--            self.disable_kill_service('systemd-fsckd')
--
--    def assertUnitActive(self, unit):
--        self.assertTrue(is_unit_active(unit))
--
--    def assertUnitNotActive(self, unit):
--        self.assertFalse(is_unit_active(unit))
--
--    def assertUnitFailed(self, unit):
--        self.assertTrue(has_unit_failed(unit))
--
--    def assertUnitNotFailed(self, unit):
--        self.assertFalse(has_unit_failed(unit))
--
--    def assertUnitStarted(self, unit):
--        self.assertTrue(has_unit_started(unit))
--
--    def assertUnitNeverStarted(self, unit):
--        self.assertFalse(has_unit_started(unit))
--
--    def assertSystemdFsckdFailed(self):
--        self.assertNotEqual(get_unit_exec_status('systemd-fsckd'), '0')
--
--    def assertSystemdFsckdNotFailed(self):
--        self.assertEqual(get_unit_exec_status('systemd-fsckd'), '0')
--
--    def reboot(self):
--        '''Reboot the system with the current test marker'''
--        subprocess.run(f'/tmp/autopkgtest-reboot {self._test_name}'.split())
--
--
--def configure_plymouth_grub(enable=True):
--    grubcfg = Path('/etc/default/grub')
--    grubcfgdir = Path('/etc/default/grub.d')
--    grubcfgdir.mkdir(parents=True, exist_ok=True)
--    mygrubcfg = grubcfgdir.joinpath('99-autopkgtest.cfg')
--    if enable:
--        content = 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT splash quiet"'
--        mygrubcfg.write_text(content)
--    else:
--        mygrubcfg.unlink()
--        for f in [grubcfg] + list(grubcfgdir.glob('*.cfg')):
--            content = f.read_text()
--            if re.search(RE_SPLASH_QUIET, content):
--                f.write_text(re.sub(RE_SPLASH_QUIET, ' ', content))
--    subprocess.run(['update-grub'], stderr=subprocess.DEVNULL, check=True)
--
--def configure_plymouth_zipl(enable=True):
--    ziplcfg = Path('/etc/zipl.conf')
--    content = re.sub(RE_SPLASH_QUIET, ' ', ziplcfg.read_text())
--    if enable:
--        content = re.sub(r'(?m)^(parameters.*[^\'"])(\s*[\'"]?)$', r'\1 splash quiet\2', content)
--    ziplcfg.write_text(content)
--    subprocess.run(['zipl'], stderr=subprocess.DEVNULL, check=True)
--
--def configure_plymouth(enable=True):
--    if platform.processor() == 's390x':
--        configure_plymouth_zipl(enable)
--    else:
--        configure_plymouth_grub(enable)
--
--def getAllTests(unitTestClass):
--    '''get all test names in predictable sorted order from unitTestClass'''
--    return sorted([test[0] for test in inspect.getmembers(unitTestClass, predicate=inspect.isfunction)
--                  if test[0].startswith('test_')])
--
--
--# AUTOPKGTEST_REBOOT_MARK contains the test name to pursue after reboot
--# (to check results and states after reboot, mostly).
--# we append the previous global return code (0 or 1) to it.
--# Example: AUTOPKGTEST_REBOOT_MARK=test_foo:0
--if __name__ == '__main__':
--    if os.path.exists('/run/initramfs/fsck-root'):
--        print('SKIP: root file system is being checked by initramfs already')
--        sys.exit(77)
--
--    if platform.processor() == 'aarch64':
--        print('SKIP: cannot reboot properly on arm64, see https://bugs.launchpad.net/ubuntu/+source/nova/+bug/1748280')
--        sys.exit(77)
--
--    all_tests = getAllTests(FsckdTest)
--    current_test = os.getenv('AUTOPKGTEST_REBOOT_MARK')
--
--    if not current_test:
--        tests_setup()
--        after_reboot = False
--        current_test = all_tests[0]
--    else:
--        after_reboot = True
--
--    # loop on remaining tests to run
--    try:
--        remaining_tests = all_tests[all_tests.index(current_test):]
--    except ValueError:
--        print(f'Invalid value for AUTOPKGTEST_REBOOT_MARK, {current_test} is not a valid test name')
--        sys.exit(2)
--
--    # run all remaining tests
--    for test_name in remaining_tests:
--        suite = unittest.TestSuite()
--        suite.addTest(FsckdTest(test_name, after_reboot))
--        result = unittest.TextTestRunner(stream=sys.stdout, verbosity=2).run(suite)
--        if len(result.failures) != 0 or len(result.errors) != 0:
--            j = os.path.join(os.getenv('AUTOPKGTEST_ARTIFACTS'), 'systemd-fsckd-journal.txt')
--            with open(j, 'w') as f:
--                subprocess.run('journalctl -a --no-pager'.split(), encoding='utf-8', stdout=f)
--            sys.exit(1)
--        after_reboot = False
--
--    tests_teardown()
--    sys.exit(0)
 diff --git a/man/org.freedesktop.systemd1.xml b/man/org.freedesktop.systemd1.xml
 index 5e08b35..7dbf98d 100644
 --- a/man/org.freedesktop.systemd1.xml
 +++ b/man/org.freedesktop.systemd1.xml
@@ -10139,6 +10139,8 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
        readonly t RuntimeMaxUSec = ...;
        @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
        readonly t RuntimeRandomizedExtraUSec = ...;
++      @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
++      readonly s OOMPolicy = '...';
        @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
        readonly s Slice = '...';
        @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
@@ -10313,6 +10315,8 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
      <!--property RuntimeRandomizedExtraUSec is not documented!-->
++    <!--property OOMPolicy is not documented!-->
++
      <!--property Slice is not documented!-->
      <!--property ControlGroupId is not documented!-->
@@ -10495,6 +10499,8 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
      <variablelist class="dbus-property" generated="True" extra-ref="RuntimeRandomizedExtraUSec"/>
++    <variablelist class="dbus-property" generated="True" extra-ref="OOMPolicy"/>
++
      <variablelist class="dbus-property" generated="True" extra-ref="Slice"/>
      <variablelist class="dbus-property" generated="True" extra-ref="ControlGroup"/>
 diff --git a/man/systemd.mount.xml b/man/systemd.mount.xml
 index 773ca04..da6ade8 100644
 --- a/man/systemd.mount.xml
 +++ b/man/systemd.mount.xml
@@ -476,7 +476,9 @@
          <term><varname>Where=</varname></term>
          <listitem><para>Takes an absolute path of a file or directory for the mount point; in particular, the
          destination cannot be a symbolic link.  If the mount point does not exist at the time of mounting, it
--        is created as directory. This string must be reflected in the unit filename. (See above.) This option
++        is created as either a directory or a file. The former is the usual case; the latter is done only if this mount
++        is a bind mount and the source (<varname>What=</varname>) is not a directory.
++        This string must be reflected in the unit filename. (See above.) This option
          is mandatory.</para></listitem>
        </varlistentry>
 diff --git a/man/systemd.scope.xml b/man/systemd.scope.xml
 index 17d2700..95969bf 100644
 --- a/man/systemd.scope.xml
 +++ b/man/systemd.scope.xml
@@ -105,6 +105,8 @@
      of scope units are the following:</para>
      <variablelist class='unit-directives'>
++      <xi:include href="systemd.service.xml" xpointer="oom-policy" />
++
        <varlistentry>
          <term><varname>RuntimeMaxSec=</varname></term>
 diff --git a/man/systemd.service.xml b/man/systemd.service.xml
 index 8d8dd77..6d3537b 100644
 --- a/man/systemd.service.xml
 +++ b/man/systemd.service.xml
@@ -1120,7 +1120,7 @@
          above.</para></listitem>
        </varlistentry>
--      <varlistentry>
++      <varlistentry id='oom-policy'>
          <term><varname>OOMPolicy=</varname></term>
          <listitem><para>Configure the out-of-memory (OOM) kernel killer policy. Note that the userspace OOM
@@ -1133,17 +1133,16 @@
          for itself, it might decide to kill a running process in order to free up memory and reduce memory
          pressure. This setting takes one of <constant>continue</constant>, <constant>stop</constant> or
          <constant>kill</constant>. If set to <constant>continue</constant> and a process of the service is
--        killed by the kernel's OOM killer this is logged but the service continues running. If set to
--        <constant>stop</constant> the event is logged but the service is terminated cleanly by the service
--        manager. If set to <constant>kill</constant> and one of the service's processes is killed by the OOM
--        killer the kernel is instructed to kill all remaining processes of the service too, by setting the
++        killed by the OOM killer, this is logged but the unit continues running. If set to
++        <constant>stop</constant> the event is logged but the unit is terminated cleanly by the service
++        manager. If set to <constant>kill</constant> and one of the unit's processes is killed by the OOM
++        killer the kernel is instructed to kill all remaining processes of the unit too, by setting the
          <filename>memory.oom.group</filename> attribute to <constant>1</constant>; also see <ulink
--        url="https://docs.kernel.org/admin-guide/cgroup-v2.html">kernel documentation</ulink>.
--        </para>
++        url="https://docs.kernel.org/admin-guide/cgroup-v2.html">kernel documentation</ulink>.</para>
          <para>Defaults to the setting <varname>DefaultOOMPolicy=</varname> in
          <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
--        is set to, except for services where <varname>Delegate=</varname> is turned on, where it defaults to
++        is set to, except for units where <varname>Delegate=</varname> is turned on, where it defaults to
          <constant>continue</constant>.</para>
          <para>Use the <varname>OOMScoreAdjust=</varname> setting to configure whether processes of the unit
@@ -1153,10 +1152,9 @@
          details.</para>
          <para>This setting also applies to <command>systemd-oomd</command>. Similarly to the kernel OOM
--        kills, this setting determines the state of the service after <command>systemd-oomd</command> kills a
--        cgroup associated with the service.</para></listitem>
++        kills, this setting determines the state of the unit after <command>systemd-oomd</command> kills a
++        cgroup associated with it.</para></listitem>
        </varlistentry>
--
      </variablelist>
      <para id='shared-unit-options'>Check
 diff --git a/src/basic/alloc-util.c b/src/basic/alloc-util.c
 index b030f45..6063943 100644
 --- a/src/basic/alloc-util.c
 +++ b/src/basic/alloc-util.c
@@ -102,3 +102,7 @@ void* greedy_realloc0(
          return q;
+ }
++
++void *expand_to_usable(void *ptr, size_t newsize _unused_) {
++        return ptr;
++}
 diff --git a/src/basic/alloc-util.h b/src/basic/alloc-util.h
 index b38db7d..bf783b1 100644
 --- a/src/basic/alloc-util.h
 +++ b/src/basic/alloc-util.h
@@ -2,6 +2,7 @@
  #pragma once
  #include <alloca.h>
++#include <malloc.h>
  #include <stddef.h>
  #include <stdlib.h>
  #include <string.h>
@@ -184,17 +185,35 @@ void* greedy_realloc0(void **p, size_t need, size_t size);
  #  define msan_unpoison(r, s)
  #endif
--/* This returns the number of usable bytes in a malloc()ed region as per malloc_usable_size(), in a way that
-- * is compatible with _FORTIFY_SOURCES. If _FORTIFY_SOURCES is used many memory operations will take the
-- * object size as returned by __builtin_object_size() into account. Hence, let's return the smaller size of
-- * malloc_usable_size() and __builtin_object_size() here, so that we definitely operate in safe territory by
-- * both the compiler's and libc's standards. Note that __builtin_object_size() evaluates to SIZE_MAX if the
-- * size cannot be determined, hence the MIN() expression should be safe with dynamically sized memory,
-- * too. Moreover, when NULL is passed malloc_usable_size() is documented to return zero, and
-- * __builtin_object_size() returns SIZE_MAX too, hence we also return a sensible value of 0 in this corner
-- * case. */
++/* Dummy allocator to tell the compiler that the new size of p is newsize. The implementation returns the
++ * pointer as is; the only reason for its existence is as a conduit for the _alloc_ attribute.  This must not
++ * be inlined (hence a non-static function with _noinline_ because LTO otherwise tries to inline it) because
++ * gcc then loses the attributes on the function.
++ * See: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96503 */
++void *expand_to_usable(void *p, size_t newsize) _alloc_(2) _returns_nonnull_ _noinline_;
++
++static inline size_t malloc_sizeof_safe(void **xp) {
++        if (_unlikely_(!xp || !*xp))
++                return 0;
++
++        size_t sz = malloc_usable_size(*xp);
++        *xp = expand_to_usable(*xp, sz);
++        /* GCC doesn't see the _returns_nonnull_ when built with ubsan, so yet another hint to make it doubly
++         * clear that expand_to_usable won't return NULL.
++         * See: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79265 */
++        if (!*xp)
++                assert_not_reached();
++        return sz;
++}
++
++/* This returns the number of usable bytes in a malloc()ed region as per malloc_usable_size(), which may
++ * return a value larger than the size that was actually allocated. Access to that additional memory is
++ * discouraged because it violates the C standard; a compiler cannot see that this as valid. To help the
++ * compiler out, the MALLOC_SIZEOF_SAFE macro 'allocates' the usable size using a dummy allocator function
++ * expand_to_usable. There is a possibility of malloc_usable_size() returning different values during the
++ * lifetime of an object, which may cause problems, but the glibc allocator does not do that at the moment. */
  #define MALLOC_SIZEOF_SAFE(x) \
--        MIN(malloc_usable_size(x), __builtin_object_size(x, 0))
++        malloc_sizeof_safe((void**) &__builtin_choose_expr(__builtin_constant_p(x), (void*) { NULL }, (x)))
  /* Inspired by ELEMENTSOF() but operates on malloc()'ed memory areas: typesafely returns the number of items
   * that fit into the specified memory block */
 diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c
 index b03cc70..17c0170 100644
 --- a/src/basic/cgroup-util.c
 +++ b/src/basic/cgroup-util.c
@@ -1238,7 +1238,7 @@ static const char *skip_session(const char *p) {
                   * here. */
                  if (!session_id_valid(buf))
--                        return false;
++                        return NULL;
                  p += n;
                  p += strspn(p, "/");
 diff --git a/src/basic/hashmap.c b/src/basic/hashmap.c
 index f68cd36..6a14ea9 100644
 --- a/src/basic/hashmap.c
 +++ b/src/basic/hashmap.c
@@ -1751,7 +1751,7 @@ HashmapBase* _hashmap_copy(HashmapBase *h  HASHMAP_DEBUG_PARAMS) {
+         }
          if (r < 0)
--                return _hashmap_free(copy, false, false);
++                return _hashmap_free(copy, NULL, NULL);
          return copy;
+ }
 diff --git a/src/basic/linux/README b/src/basic/linux/README
 index 2bb70fd..1abc945 100644
 --- a/src/basic/linux/README
 +++ b/src/basic/linux/README
@@ -4,3 +4,4 @@ The files in this directory are copied from current kernel master
  modifications are applied:
  - btrfs.h: drop '__user' attributes
  - if.h: drop '#include <linux/compiler.h>' and '__user' attributes
++- stddef.h: drop '#include <linux/compiler_types.h>'
 diff --git a/src/basic/linux/btrfs.h b/src/basic/linux/btrfs.h
 index 6a0442b..0a53bdc 100644
 --- a/src/basic/linux/btrfs.h
 +++ b/src/basic/linux/btrfs.h
@@ -19,8 +19,14 @@
  #ifndef _UAPI_LINUX_BTRFS_H
  #define _UAPI_LINUX_BTRFS_H
++
++#ifdef __cplusplus
++extern "C" {
++#endif
++
  #include <linux/types.h>
  #include <linux/ioctl.h>
++#include <linux/fs.h>
  #define BTRFS_IOCTL_MAGIC 0x94
  #define BTRFS_VOL_NAME_MAX 255
@@ -93,7 +99,7 @@ struct btrfs_qgroup_inherit {
  	__u64	num_ref_copies;
  	__u64	num_excl_copies;
  	struct btrfs_qgroup_limit lim;
--	__u64	qgroups[0];
++	__u64	qgroups[];
  };
  struct btrfs_ioctl_qgroup_limit_args {
@@ -290,6 +296,12 @@ struct btrfs_ioctl_fs_info_args {
  #define BTRFS_FEATURE_COMPAT_RO_FREE_SPACE_TREE_VALID	(1ULL << 1)
  #define BTRFS_FEATURE_COMPAT_RO_VERITY			(1ULL << 2)
++/*
++ * Put all block group items into a dedicated block group tree, greatly
++ * reducing mount time for large filesystem due to better locality.
++ */
++#define BTRFS_FEATURE_COMPAT_RO_BLOCK_GROUP_TREE	(1ULL << 3)
++
  #define BTRFS_FEATURE_INCOMPAT_MIXED_BACKREF	(1ULL << 0)
  #define BTRFS_FEATURE_INCOMPAT_DEFAULT_SUBVOL	(1ULL << 1)
  #define BTRFS_FEATURE_INCOMPAT_MIXED_GROUPS	(1ULL << 2)
@@ -327,6 +339,12 @@ struct btrfs_ioctl_feature_flags {
   */
  struct btrfs_balance_args {
  	__u64 profiles;
++
++	/*
++	 * usage filter
++	 * BTRFS_BALANCE_ARGS_USAGE with a single value means '0..N'
++	 * BTRFS_BALANCE_ARGS_USAGE_RANGE - range syntax, min..max
++	 */
  	union {
  		__u64 usage;
  		struct {
@@ -543,7 +561,7 @@ struct btrfs_ioctl_search_header {
  	__u64 offset;
  	__u32 type;
  	__u32 len;
--};
++} __attribute__ ((__may_alias__));
  #define BTRFS_SEARCH_ARGS_BUFSIZE (4096 - sizeof(struct btrfs_ioctl_search_key))
  /*
@@ -556,18 +574,23 @@ struct btrfs_ioctl_search_args {
  	char buf[BTRFS_SEARCH_ARGS_BUFSIZE];
  };
++/*
++ * Extended version of TREE_SEARCH ioctl that can return more than 4k of bytes.
++ * The allocated size of the buffer is set in buf_size.
++ */
  struct btrfs_ioctl_search_args_v2 {
  	struct btrfs_ioctl_search_key key; /* in/out - search parameters */
  	__u64 buf_size;		   /* in - size of buffer
  					    * out - on EOVERFLOW: needed size
  					    *       to store item */
--	__u64 buf[0];                       /* out - found items */
++	__u64 buf[];                       /* out - found items */
  };
++/* With a @src_length of zero, the range from @src_offset->EOF is cloned! */
  struct btrfs_ioctl_clone_range_args {
--  __s64 src_fd;
--  __u64 src_offset, src_length;
--  __u64 dest_offset;
++	__s64 src_fd;
++	__u64 src_offset, src_length;
++	__u64 dest_offset;
  };
  /*
@@ -632,7 +655,7 @@ struct btrfs_ioctl_same_args {
  	__u16 dest_count;	/* in - total elements in info array */
  	__u16 reserved1;
  	__u32 reserved2;
--	struct btrfs_ioctl_same_extent_info info[0];
++	struct btrfs_ioctl_same_extent_info info[];
  };
  struct btrfs_ioctl_space_info {
@@ -644,7 +667,7 @@ struct btrfs_ioctl_space_info {
  struct btrfs_ioctl_space_args {
  	__u64 space_slots;
  	__u64 total_spaces;
--	struct btrfs_ioctl_space_info spaces[0];
++	struct btrfs_ioctl_space_info spaces[];
  };
  struct btrfs_data_container {
@@ -652,7 +675,7 @@ struct btrfs_data_container {
  	__u32	bytes_missing;	/* out -- additional bytes needed for result */
  	__u32	elem_cnt;	/* out */
  	__u32	elem_missed;	/* out */
--	__u64	val[0];		/* out */
++	__u64	val[];		/* out */
  };
  struct btrfs_ioctl_ino_path_args {
@@ -671,8 +694,11 @@ struct btrfs_ioctl_logical_ino_args {
  	/* struct btrfs_data_container	*inodes;	out   */
  	__u64				inodes;
  };
--/* Return every ref to the extent, not just those containing logical block.
-- * Requires logical == extent bytenr. */
++
++/*
++ * Return every ref to the extent, not just those containing logical block.
++ * Requires logical == extent bytenr.
++ */
  #define BTRFS_LOGICAL_INO_ARGS_IGNORE_OFFSET	(1ULL << 0)
  enum btrfs_dev_stat_values {
@@ -777,11 +803,19 @@ struct btrfs_ioctl_received_subvol_args {
   */
  #define BTRFS_SEND_FLAG_VERSION			0x8
++/*
++ * Send compressed data using the ENCODED_WRITE command instead of decompressing
++ * the data and sending it with the WRITE command. This requires protocol
++ * version >= 2.
++ */
++#define BTRFS_SEND_FLAG_COMPRESSED		0x10
++
  #define BTRFS_SEND_FLAG_MASK \
  	(BTRFS_SEND_FLAG_NO_FILE_DATA | \
  	 BTRFS_SEND_FLAG_OMIT_STREAM_HEADER | \
  	 BTRFS_SEND_FLAG_OMIT_END_CMD | \
--	 BTRFS_SEND_FLAG_VERSION)
++	 BTRFS_SEND_FLAG_VERSION | \
++	 BTRFS_SEND_FLAG_COMPRESSED)
  struct btrfs_ioctl_send_args {
  	__s64 send_fd;			/* in */
@@ -1130,4 +1164,8 @@ enum btrfs_err_code {
  #define BTRFS_IOC_ENCODED_WRITE _IOW(BTRFS_IOCTL_MAGIC, 64, \
  				     struct btrfs_ioctl_encoded_io_args)
++#ifdef __cplusplus
++}
++#endif
++
  #endif /* _UAPI_LINUX_BTRFS_H */
 diff --git a/src/basic/linux/btrfs_tree.h b/src/basic/linux/btrfs_tree.h
 index d411715..ab38d0f 100644
 --- a/src/basic/linux/btrfs_tree.h
 +++ b/src/basic/linux/btrfs_tree.h
@@ -10,6 +10,23 @@
  #include <stddef.h>
  #endif
++/* ASCII for _BHRfS_M, no terminating nul */
++#define BTRFS_MAGIC 0x4D5F53665248425FULL
++
++#define BTRFS_MAX_LEVEL 8
++
++/*
++ * We can actually store much bigger names, but lets not confuse the rest of
++ * linux.
++ */
++#define BTRFS_NAME_LEN 255
++
++/*
++ * Theoretical limit is larger, but we keep this down to a sane value. That
++ * should limit greatly the possibility of collisions on inode ref items.
++ */
++#define BTRFS_LINK_MAX 65535U
++
  /*
   * This header contains the structure definitions and constants used
   * by file system objects that can be retrieved using
@@ -359,6 +376,50 @@ enum btrfs_csum_type {
  #define BTRFS_FT_SYMLINK	7
  #define BTRFS_FT_XATTR		8
  #define BTRFS_FT_MAX		9
++/* Directory contains encrypted data */
++#define BTRFS_FT_ENCRYPTED	0x80
++
++static inline __u8 btrfs_dir_flags_to_ftype(__u8 flags)
++{
++	return flags & ~BTRFS_FT_ENCRYPTED;
++}
++
++/*
++ * Inode flags
++ */
++#define BTRFS_INODE_NODATASUM		(1U << 0)
++#define BTRFS_INODE_NODATACOW		(1U << 1)
++#define BTRFS_INODE_READONLY		(1U << 2)
++#define BTRFS_INODE_NOCOMPRESS		(1U << 3)
++#define BTRFS_INODE_PREALLOC		(1U << 4)
++#define BTRFS_INODE_SYNC		(1U << 5)
++#define BTRFS_INODE_IMMUTABLE		(1U << 6)
++#define BTRFS_INODE_APPEND		(1U << 7)
++#define BTRFS_INODE_NODUMP		(1U << 8)
++#define BTRFS_INODE_NOATIME		(1U << 9)
++#define BTRFS_INODE_DIRSYNC		(1U << 10)
++#define BTRFS_INODE_COMPRESS		(1U << 11)
++
++#define BTRFS_INODE_ROOT_ITEM_INIT	(1U << 31)
++
++#define BTRFS_INODE_FLAG_MASK						\
++	(BTRFS_INODE_NODATASUM |					\
++	 BTRFS_INODE_NODATACOW |					\
++	 BTRFS_INODE_READONLY |						\
++	 BTRFS_INODE_NOCOMPRESS |					\
++	 BTRFS_INODE_PREALLOC |						\
++	 BTRFS_INODE_SYNC |						\
++	 BTRFS_INODE_IMMUTABLE |					\
++	 BTRFS_INODE_APPEND |						\
++	 BTRFS_INODE_NODUMP |						\
++	 BTRFS_INODE_NOATIME |						\
++	 BTRFS_INODE_DIRSYNC |						\
++	 BTRFS_INODE_COMPRESS |						\
++	 BTRFS_INODE_ROOT_ITEM_INIT)
++
++#define BTRFS_INODE_RO_VERITY		(1U << 0)
++
++#define BTRFS_INODE_RO_FLAG_MASK	(BTRFS_INODE_RO_VERITY)
  /*
   * The key defines the order in the tree, and so it also defines (optimal)
@@ -389,6 +450,109 @@ struct btrfs_key {
  	__u64 offset;
  } __attribute__ ((__packed__));
++/*
++ * Every tree block (leaf or node) starts with this header.
++ */
++struct btrfs_header {
++	/* These first four must match the super block */
++	__u8 csum[BTRFS_CSUM_SIZE];
++	/* FS specific uuid */
++	__u8 fsid[BTRFS_FSID_SIZE];
++	/* Which block this node is supposed to live in */
++	__le64 bytenr;
++	__le64 flags;
++
++	/* Allowed to be different from the super from here on down */
++	__u8 chunk_tree_uuid[BTRFS_UUID_SIZE];
++	__le64 generation;
++	__le64 owner;
++	__le32 nritems;
++	__u8 level;
++} __attribute__ ((__packed__));
++
++/*
++ * This is a very generous portion of the super block, giving us room to
++ * translate 14 chunks with 3 stripes each.
++ */
++#define BTRFS_SYSTEM_CHUNK_ARRAY_SIZE 2048
++
++/*
++ * Just in case we somehow lose the roots and are not able to mount, we store
++ * an array of the roots from previous transactions in the super.
++ */
++#define BTRFS_NUM_BACKUP_ROOTS 4
++struct btrfs_root_backup {
++	__le64 tree_root;
++	__le64 tree_root_gen;
++
++	__le64 chunk_root;
++	__le64 chunk_root_gen;
++
++	__le64 extent_root;
++	__le64 extent_root_gen;
++
++	__le64 fs_root;
++	__le64 fs_root_gen;
++
++	__le64 dev_root;
++	__le64 dev_root_gen;
++
++	__le64 csum_root;
++	__le64 csum_root_gen;
++
++	__le64 total_bytes;
++	__le64 bytes_used;
++	__le64 num_devices;
++	/* future */
++	__le64 unused_64[4];
++
++	__u8 tree_root_level;
++	__u8 chunk_root_level;
++	__u8 extent_root_level;
++	__u8 fs_root_level;
++	__u8 dev_root_level;
++	__u8 csum_root_level;
++	/* future and to align */
++	__u8 unused_8[10];
++} __attribute__ ((__packed__));
++
++/*
++ * A leaf is full of items. offset and size tell us where to find the item in
++ * the leaf (relative to the start of the data area)
++ */
++struct btrfs_item {
++	struct btrfs_disk_key key;
++	__le32 offset;
++	__le32 size;
++} __attribute__ ((__packed__));
++
++/*
++ * Leaves have an item area and a data area:
++ * [item0, item1....itemN] [free space] [dataN...data1, data0]
++ *
++ * The data is separate from the items to get the keys closer together during
++ * searches.
++ */
++struct btrfs_leaf {
++	struct btrfs_header header;
++	struct btrfs_item items[];
++} __attribute__ ((__packed__));
++
++/*
++ * All non-leaf blocks are nodes, they hold only keys and pointers to other
++ * blocks.
++ */
++struct btrfs_key_ptr {
++	struct btrfs_disk_key key;
++	__le64 blockptr;
++	__le64 generation;
++} __attribute__ ((__packed__));
++
++struct btrfs_node {
++	struct btrfs_header header;
++	struct btrfs_key_ptr ptrs[];
++} __attribute__ ((__packed__));
++
  struct btrfs_dev_item {
  	/* the internal btrfs device id */
  	__le64 devid;
@@ -472,6 +636,69 @@ struct btrfs_chunk {
  	/* additional stripes go here */
  } __attribute__ ((__packed__));
++/*
++ * The super block basically lists the main trees of the FS.
++ */
++struct btrfs_super_block {
++	/* The first 4 fields must match struct btrfs_header */
++	__u8 csum[BTRFS_CSUM_SIZE];
++	/* FS specific UUID, visible to user */
++	__u8 fsid[BTRFS_FSID_SIZE];
++	/* This block number */
++	__le64 bytenr;
++	__le64 flags;
++
++	/* Allowed to be different from the btrfs_header from here own down */
++	__le64 magic;
++	__le64 generation;
++	__le64 root;
++	__le64 chunk_root;
++	__le64 log_root;
++
++	/*
++	 * This member has never been utilized since the very beginning, thus
++	 * it's always 0 regardless of kernel version.  We always use
++	 * generation + 1 to read log tree root.  So here we mark it deprecated.
++	 */
++	__le64 __unused_log_root_transid;
++	__le64 total_bytes;
++	__le64 bytes_used;
++	__le64 root_dir_objectid;
++	__le64 num_devices;
++	__le32 sectorsize;
++	__le32 nodesize;
++	__le32 __unused_leafsize;
++	__le32 stripesize;
++	__le32 sys_chunk_array_size;
++	__le64 chunk_root_generation;
++	__le64 compat_flags;
++	__le64 compat_ro_flags;
++	__le64 incompat_flags;
++	__le16 csum_type;
++	__u8 root_level;
++	__u8 chunk_root_level;
++	__u8 log_root_level;
++	struct btrfs_dev_item dev_item;
++
++	char label[BTRFS_LABEL_SIZE];
++
++	__le64 cache_generation;
++	__le64 uuid_tree_generation;
++
++	/* The UUID written into btree blocks */
++	__u8 metadata_uuid[BTRFS_FSID_SIZE];
++
++	__u64 nr_global_roots;
++
++	/* Future expansion */
++	__le64 reserved[27];
++	__u8 sys_chunk_array[BTRFS_SYSTEM_CHUNK_ARRAY_SIZE];
++	struct btrfs_root_backup super_roots[BTRFS_NUM_BACKUP_ROOTS];
++
++	/* Padded to 4096 bytes */
++	__u8 padding[565];
++} __attribute__ ((__packed__));
++
  #define BTRFS_FREE_SPACE_EXTENT	1
  #define BTRFS_FREE_SPACE_BITMAP	2
@@ -526,6 +753,14 @@ struct btrfs_extent_item_v0 {
  /* use full backrefs for extent pointers in the block */
  #define BTRFS_BLOCK_FLAG_FULL_BACKREF	(1ULL << 8)
++#define BTRFS_BACKREF_REV_MAX		256
++#define BTRFS_BACKREF_REV_SHIFT		56
++#define BTRFS_BACKREF_REV_MASK		(((u64)BTRFS_BACKREF_REV_MAX - 1) << \
++					 BTRFS_BACKREF_REV_SHIFT)
++
++#define BTRFS_OLD_BACKREF_REV		0
++#define BTRFS_MIXED_BACKREF_REV		1
++
  /*
   * this flag is only used internally by scrub and may be changed at any time
   * it is only declared here to avoid collisions
@@ -575,7 +810,7 @@ struct btrfs_inode_extref {
  	__le64 parent_objectid;
  	__le64 index;
  	__le16 name_len;
--	__u8   name[0];
++	__u8   name[];
  	/* name goes here */
  } __attribute__ ((__packed__));
@@ -965,6 +1200,10 @@ static inline __u16 btrfs_qgroup_level(__u64 qgroupid)
   */
  #define BTRFS_QGROUP_STATUS_FLAG_INCONSISTENT	(1ULL << 2)
++#define BTRFS_QGROUP_STATUS_FLAGS_MASK	(BTRFS_QGROUP_STATUS_FLAG_ON |		\
++					 BTRFS_QGROUP_STATUS_FLAG_RESCAN |	\
++					 BTRFS_QGROUP_STATUS_FLAG_INCONSISTENT)
++
  #define BTRFS_QGROUP_STATUS_VERSION        1
  struct btrfs_qgroup_status_item {
 diff --git a/src/basic/linux/genetlink.h b/src/basic/linux/genetlink.h
 index d83f214..ddba3ca 100644
 --- a/src/basic/linux/genetlink.h
 +++ b/src/basic/linux/genetlink.h
@@ -87,6 +87,8 @@ enum {
  	__CTRL_ATTR_MCAST_GRP_MAX,
  };
++#define CTRL_ATTR_MCAST_GRP_MAX (__CTRL_ATTR_MCAST_GRP_MAX - 1)
++
  enum {
  	CTRL_ATTR_POLICY_UNSPEC,
  	CTRL_ATTR_POLICY_DO,
@@ -96,7 +98,6 @@ enum {
  	CTRL_ATTR_POLICY_DUMP_MAX = __CTRL_ATTR_POLICY_DUMP_MAX - 1
  };
--#define CTRL_ATTR_MCAST_GRP_MAX (__CTRL_ATTR_MCAST_GRP_MAX - 1)
--
++#define CTRL_ATTR_POLICY_MAX (__CTRL_ATTR_POLICY_DUMP_MAX - 1)
  #endif /* _UAPI__LINUX_GENERIC_NETLINK_H */
 diff --git a/src/basic/linux/if_bridge.h b/src/basic/linux/if_bridge.h
 index a86a7e7..d9de241 100644
 --- a/src/basic/linux/if_bridge.h
 +++ b/src/basic/linux/if_bridge.h
@@ -723,10 +723,31 @@ enum {
  enum {
  	MDBE_ATTR_UNSPEC,
  	MDBE_ATTR_SOURCE,
++	MDBE_ATTR_SRC_LIST,
++	MDBE_ATTR_GROUP_MODE,
++	MDBE_ATTR_RTPROT,
  	__MDBE_ATTR_MAX,
  };
  #define MDBE_ATTR_MAX (__MDBE_ATTR_MAX - 1)
++/* per mdb entry source */
++enum {
++	MDBE_SRC_LIST_UNSPEC,
++	MDBE_SRC_LIST_ENTRY,
++	__MDBE_SRC_LIST_MAX,
++};
++#define MDBE_SRC_LIST_MAX (__MDBE_SRC_LIST_MAX - 1)
++
++/* per mdb entry per source attributes
++ * these are embedded in MDBE_SRC_LIST_ENTRY
++ */
++enum {
++	MDBE_SRCATTR_UNSPEC,
++	MDBE_SRCATTR_ADDRESS,
++	__MDBE_SRCATTR_MAX,
++};
++#define MDBE_SRCATTR_MAX (__MDBE_SRCATTR_MAX - 1)
++
  /* Embedded inside LINK_XSTATS_TYPE_BRIDGE */
  enum {
  	BRIDGE_XSTATS_UNSPEC,
 diff --git a/src/basic/linux/if_ether.h b/src/basic/linux/if_ether.h
 index 1d0bccc..69e0457 100644
 --- a/src/basic/linux/if_ether.h
 +++ b/src/basic/linux/if_ether.h
@@ -116,6 +116,7 @@
  #define ETH_P_QINQ3	0x9300		/* deprecated QinQ VLAN [ NOT AN OFFICIALLY REGISTERED ID ] */
  #define ETH_P_EDSA	0xDADA		/* Ethertype DSA [ NOT AN OFFICIALLY REGISTERED ID ] */
  #define ETH_P_DSA_8021Q	0xDADB		/* Fake VLAN Header for DSA [ NOT AN OFFICIALLY REGISTERED ID ] */
++#define ETH_P_DSA_A5PSW	0xE001		/* A5PSW Tag Value [ NOT AN OFFICIALLY REGISTERED ID ] */
  #define ETH_P_IFE	0xED3E		/* ForCES inter-FE LFB type */
  #define ETH_P_AF_IUCV   0xFBFB		/* IBM af_iucv [ NOT AN OFFICIALLY REGISTERED ID ] */
@@ -137,6 +138,7 @@
  #define ETH_P_LOCALTALK 0x0009		/* Localtalk pseudo type 	*/
  #define ETH_P_CAN	0x000C		/* CAN: Controller Area Network */
  #define ETH_P_CANFD	0x000D		/* CANFD: CAN flexible data rate*/
++#define ETH_P_CANXL	0x000E		/* CANXL: eXtended frame Length */
  #define ETH_P_PPPTALK	0x0010		/* Dummy type for Atalk over PPP*/
  #define ETH_P_TR_802_2	0x0011		/* 802.2 frames 		*/
  #define ETH_P_MOBITEX	0x0015		/* Mobitex (kaz@cafe.net)	*/
 diff --git a/src/basic/linux/if_link.h b/src/basic/linux/if_link.h
 index 5f58dcf..1021a7e 100644
 --- a/src/basic/linux/if_link.h
 +++ b/src/basic/linux/if_link.h
@@ -370,6 +370,9 @@ enum {
  	IFLA_GRO_MAX_SIZE,
  	IFLA_TSO_MAX_SIZE,
  	IFLA_TSO_MAX_SEGS,
++	IFLA_ALLMULTI,		/* Allmulti count: > 0 means acts ALLMULTI */
++
++	IFLA_DEVLINK_PORT,
  	__IFLA_MAX
  };
@@ -560,6 +563,7 @@ enum {
  	IFLA_BRPORT_MCAST_EHT_HOSTS_LIMIT,
  	IFLA_BRPORT_MCAST_EHT_HOSTS_CNT,
  	IFLA_BRPORT_LOCKED,
++	IFLA_BRPORT_MAB,
  	__IFLA_BRPORT_MAX
  };
  #define IFLA_BRPORT_MAX (__IFLA_BRPORT_MAX - 1)
@@ -694,6 +698,7 @@ enum {
  	IFLA_XFRM_UNSPEC,
  	IFLA_XFRM_LINK,
  	IFLA_XFRM_IF_ID,
++	IFLA_XFRM_COLLECT_METADATA,
  	__IFLA_XFRM_MAX
  };
@@ -963,6 +968,7 @@ enum {
  	IFLA_BOND_SLAVE_AD_AGGREGATOR_ID,
  	IFLA_BOND_SLAVE_AD_ACTOR_OPER_PORT_STATE,
  	IFLA_BOND_SLAVE_AD_PARTNER_OPER_PORT_STATE,
++	IFLA_BOND_SLAVE_PRIO,
  	__IFLA_BOND_SLAVE_MAX,
  };
@@ -1373,4 +1379,14 @@ enum {
  #define IFLA_MCTP_MAX (__IFLA_MCTP_MAX - 1)
++/* DSA section */
++
++enum {
++	IFLA_DSA_UNSPEC,
++	IFLA_DSA_MASTER,
++	__IFLA_DSA_MAX,
++};
++
++#define IFLA_DSA_MAX	(__IFLA_DSA_MAX - 1)
++
  #endif /* _UAPI_LINUX_IF_LINK_H */
 diff --git a/src/basic/linux/if_macsec.h b/src/basic/linux/if_macsec.h
 index 3af2aa0..d5b6d1f 100644
 --- a/src/basic/linux/if_macsec.h
 +++ b/src/basic/linux/if_macsec.h
@@ -22,6 +22,8 @@
  #define MACSEC_KEYID_LEN 16
++#define MACSEC_SALT_LEN 12
++
  /* cipher IDs as per IEEE802.1AE-2018 (Table 14-1) */
  #define MACSEC_CIPHER_ID_GCM_AES_128 0x0080C20001000001ULL
  #define MACSEC_CIPHER_ID_GCM_AES_256 0x0080C20001000002ULL
 diff --git a/src/basic/linux/if_tun.h b/src/basic/linux/if_tun.h
 index 454ae31..287cdc8 100644
 --- a/src/basic/linux/if_tun.h
 +++ b/src/basic/linux/if_tun.h
@@ -67,6 +67,8 @@
  #define IFF_TAP		0x0002
  #define IFF_NAPI	0x0010
  #define IFF_NAPI_FRAGS	0x0020
++/* Used in TUNSETIFF to bring up tun/tap without carrier */
++#define IFF_NO_CARRIER	0x0040
  #define IFF_NO_PI	0x1000
  /* This flag has no real effect */
  #define IFF_ONE_QUEUE	0x2000
@@ -88,6 +90,8 @@
  #define TUN_F_TSO6	0x04	/* I can handle TSO for IPv6 packets */
  #define TUN_F_TSO_ECN	0x08	/* I can handle TSO with ECN bits. */
  #define TUN_F_UFO	0x10	/* I can handle UFO packets */
++#define TUN_F_USO4	0x20	/* I can handle USO for IPv4 packets */
++#define TUN_F_USO6	0x40	/* I can handle USO for IPv6 packets */
  /* Protocol info prepended to the packets (when IFF_NO_PI is not set) */
  #define TUN_PKT_STRIP	0x0001
@@ -108,7 +112,7 @@ struct tun_pi {
  struct tun_filter {
  	__u16  flags; /* TUN_FLT_ flags see above */
  	__u16  count; /* Number of addresses */
--	__u8   addr[0][ETH_ALEN];
++	__u8   addr[][ETH_ALEN];
  };
  #endif /* _UAPI__IF_TUN_H */
 diff --git a/src/basic/linux/in.h b/src/basic/linux/in.h
 index 1416822..07a4cb1 100644
 --- a/src/basic/linux/in.h
 +++ b/src/basic/linux/in.h
@@ -20,6 +20,7 @@
  #define _UAPI_LINUX_IN_H
  #include <linux/types.h>
++#include <linux/stddef.h>
  #include <linux/libc-compat.h>
  #include <linux/socket.h>
@@ -68,6 +69,8 @@ enum {
  #define IPPROTO_PIM		IPPROTO_PIM
    IPPROTO_COMP = 108,		/* Compression Header Protocol		*/
  #define IPPROTO_COMP		IPPROTO_COMP
++  IPPROTO_L2TP = 115,		/* Layer 2 Tunnelling Protocol		*/
++#define IPPROTO_L2TP		IPPROTO_L2TP
    IPPROTO_SCTP = 132,		/* Stream Control Transport Protocol	*/
  #define IPPROTO_SCTP		IPPROTO_SCTP
    IPPROTO_UDPLITE = 136,	/* UDP-Lite (RFC 3828)			*/
@@ -188,21 +191,13 @@ struct ip_mreq_source {
  };
  struct ip_msfilter {
++	__be32		imsf_multiaddr;
++	__be32		imsf_interface;
++	__u32		imsf_fmode;
++	__u32		imsf_numsrc;
  	union {
--		struct {
--			__be32		imsf_multiaddr_aux;
--			__be32		imsf_interface_aux;
--			__u32		imsf_fmode_aux;
--			__u32		imsf_numsrc_aux;
--			__be32		imsf_slist[1];
--		};
--		struct {
--			__be32		imsf_multiaddr;
--			__be32		imsf_interface;
--			__u32		imsf_fmode;
--			__u32		imsf_numsrc;
--			__be32		imsf_slist_flex[];
--		};
++		__be32		imsf_slist[1];
++		__DECLARE_FLEX_ARRAY(__be32, imsf_slist_flex);
  	};
  };
 diff --git a/src/basic/linux/l2tp.h b/src/basic/linux/l2tp.h
 index bab8c97..7d81c3e 100644
 --- a/src/basic/linux/l2tp.h
 +++ b/src/basic/linux/l2tp.h
@@ -13,8 +13,6 @@
  #include <linux/in.h>
  #include <linux/in6.h>
--#define IPPROTO_L2TP		115
--
  /**
   * struct sockaddr_l2tpip - the sockaddr structure for L2TP-over-IP sockets
   * @l2tp_family:  address family number AF_L2TPIP.
 diff --git a/src/basic/linux/netfilter/nf_tables.h b/src/basic/linux/netfilter/nf_tables.h
 index 466fd3f..cfa844d 100644
 --- a/src/basic/linux/netfilter/nf_tables.h
 +++ b/src/basic/linux/netfilter/nf_tables.h
@@ -97,6 +97,7 @@ enum nft_verdicts {
   * @NFT_MSG_NEWFLOWTABLE: add new flow table (enum nft_flowtable_attributes)
   * @NFT_MSG_GETFLOWTABLE: get flow table (enum nft_flowtable_attributes)
   * @NFT_MSG_DELFLOWTABLE: delete flow table (enum nft_flowtable_attributes)
++ * @NFT_MSG_GETRULE_RESET: get rules and reset stateful expressions (enum nft_obj_attributes)
   */
  enum nf_tables_msg_types {
  	NFT_MSG_NEWTABLE,
@@ -124,6 +125,7 @@ enum nf_tables_msg_types {
  	NFT_MSG_NEWFLOWTABLE,
  	NFT_MSG_GETFLOWTABLE,
  	NFT_MSG_DELFLOWTABLE,
++	NFT_MSG_GETRULE_RESET,
  	NFT_MSG_MAX,
  };
@@ -760,6 +762,7 @@ enum nft_payload_bases {
  	NFT_PAYLOAD_NETWORK_HEADER,
  	NFT_PAYLOAD_TRANSPORT_HEADER,
  	NFT_PAYLOAD_INNER_HEADER,
++	NFT_PAYLOAD_TUN_HEADER,
  };
  /**
@@ -779,6 +782,32 @@ enum nft_payload_csum_flags {
  	NFT_PAYLOAD_L4CSUM_PSEUDOHDR = (1 << 0),
  };
++enum nft_inner_type {
++	NFT_INNER_UNSPEC	= 0,
++	NFT_INNER_VXLAN,
++	NFT_INNER_GENEVE,
++};
++
++enum nft_inner_flags {
++	NFT_INNER_HDRSIZE	= (1 << 0),
++	NFT_INNER_LL		= (1 << 1),
++	NFT_INNER_NH		= (1 << 2),
++	NFT_INNER_TH		= (1 << 3),
++};
++#define NFT_INNER_MASK		(NFT_INNER_HDRSIZE | NFT_INNER_LL | \
++				 NFT_INNER_NH | NFT_INNER_TH)
++
++enum nft_inner_attributes {
++	NFTA_INNER_UNSPEC,
++	NFTA_INNER_NUM,
++	NFTA_INNER_TYPE,
++	NFTA_INNER_FLAGS,
++	NFTA_INNER_HDRSIZE,
++	NFTA_INNER_EXPR,
++	__NFTA_INNER_MAX
++};
++#define NFTA_INNER_MAX	(__NFTA_INNER_MAX - 1)
++
  /**
   * enum nft_payload_attributes - nf_tables payload expression netlink attributes
+  *
 diff --git a/src/basic/linux/netlink.h b/src/basic/linux/netlink.h
 index 855dffb..e2ae82e 100644
 --- a/src/basic/linux/netlink.h
 +++ b/src/basic/linux/netlink.h
@@ -20,7 +20,7 @@
  #define NETLINK_CONNECTOR	11
  #define NETLINK_NETFILTER	12	/* netfilter subsystem */
  #define NETLINK_IP6_FW		13
--#define NETLINK_DNRTMSG		14	/* DECnet routing messages */
++#define NETLINK_DNRTMSG		14	/* DECnet routing messages (obsolete) */
  #define NETLINK_KOBJECT_UEVENT	15	/* Kernel messages to userspace */
  #define NETLINK_GENERIC		16
  /* leave room for NETLINK_DM (DM Events) */
@@ -41,12 +41,20 @@ struct sockaddr_nl {
         	__u32		nl_groups;	/* multicast groups mask */
  };
++/**
++ * struct nlmsghdr - fixed format metadata header of Netlink messages
++ * @nlmsg_len:   Length of message including header
++ * @nlmsg_type:  Message content type
++ * @nlmsg_flags: Additional flags
++ * @nlmsg_seq:   Sequence number
++ * @nlmsg_pid:   Sending process port ID
++ */
  struct nlmsghdr {
--	__u32		nlmsg_len;	/* Length of message including header */
--	__u16		nlmsg_type;	/* Message content */
--	__u16		nlmsg_flags;	/* Additional flags */
--	__u32		nlmsg_seq;	/* Sequence number */
--	__u32		nlmsg_pid;	/* Sending process port ID */
++	__u32		nlmsg_len;
++	__u16		nlmsg_type;
++	__u16		nlmsg_flags;
++	__u32		nlmsg_seq;
++	__u32		nlmsg_pid;
  };
  /* Flags values */
@@ -54,7 +62,7 @@ struct nlmsghdr {
  #define NLM_F_REQUEST		0x01	/* It is request message. 	*/
  #define NLM_F_MULTI		0x02	/* Multipart message, terminated by NLMSG_DONE */
  #define NLM_F_ACK		0x04	/* Reply with ack, with zero or error code */
--#define NLM_F_ECHO		0x08	/* Echo this request 		*/
++#define NLM_F_ECHO		0x08	/* Receive resulting notifications */
  #define NLM_F_DUMP_INTR		0x10	/* Dump was inconsistent due to sequence change */
  #define NLM_F_DUMP_FILTERED	0x20	/* Dump was filtered as requested */
@@ -132,6 +140,10 @@ struct nlmsgerr {
   *	be used - in the success case - to identify a created
   *	object or operation or similar (binary)
   * @NLMSGERR_ATTR_POLICY: policy for a rejected attribute
++ * @NLMSGERR_ATTR_MISS_TYPE: type of a missing required attribute,
++ *	%NLMSGERR_ATTR_MISS_NEST will not be present if the attribute was
++ *	missing at the message level
++ * @NLMSGERR_ATTR_MISS_NEST: offset of the nest where attribute was missing
   * @__NLMSGERR_ATTR_MAX: number of attributes
   * @NLMSGERR_ATTR_MAX: highest attribute number
   */
@@ -141,6 +153,8 @@ enum nlmsgerr_attrs {
  	NLMSGERR_ATTR_OFFS,
  	NLMSGERR_ATTR_COOKIE,
  	NLMSGERR_ATTR_POLICY,
++	NLMSGERR_ATTR_MISS_TYPE,
++	NLMSGERR_ATTR_MISS_NEST,
  	__NLMSGERR_ATTR_MAX,
  	NLMSGERR_ATTR_MAX = __NLMSGERR_ATTR_MAX - 1
@@ -337,6 +351,9 @@ enum netlink_attribute_type {
   *	bitfield32 type (U32)
   * @NL_POLICY_TYPE_ATTR_MASK: mask of valid bits for unsigned integers (U64)
   * @NL_POLICY_TYPE_ATTR_PAD: pad attribute for 64-bit alignment
++ *
++ * @__NL_POLICY_TYPE_ATTR_MAX: number of attributes
++ * @NL_POLICY_TYPE_ATTR_MAX: highest attribute number
   */
  enum netlink_policy_type_attr {
  	NL_POLICY_TYPE_ATTR_UNSPEC,
 diff --git a/src/basic/linux/nl80211.h b/src/basic/linux/nl80211.h
 index d9490e3..c14a91b 100644
 --- a/src/basic/linux/nl80211.h
 +++ b/src/basic/linux/nl80211.h
@@ -324,6 +324,17 @@
   */
  /**
++ * DOC: Multi-Link Operation
++ *
++ * In Multi-Link Operation, a connection between to MLDs utilizes multiple
++ * links. To use this in nl80211, various commands and responses now need
++ * to or will include the new %NL80211_ATTR_MLO_LINKS attribute.
++ * Additionally, various commands that need to operate on a specific link
++ * now need to be given the %NL80211_ATTR_MLO_LINK_ID attribute, e.g. to
++ * use %NL80211_CMD_START_AP or similar functions.
++ */
++
++/**
   * enum nl80211_commands - supported nl80211 commands
+  *
   * @NL80211_CMD_UNSPEC: unspecified command to catch errors
@@ -366,14 +377,22 @@
   *	the non-transmitting interfaces are deleted as well.
+  *
   * @NL80211_CMD_GET_KEY: Get sequence counter information for a key specified
-- *	by %NL80211_ATTR_KEY_IDX and/or %NL80211_ATTR_MAC.
++ *	by %NL80211_ATTR_KEY_IDX and/or %NL80211_ATTR_MAC. %NL80211_ATTR_MAC
++ *	represents peer's MLD address for MLO pairwise key. For MLO group key,
++ *	the link is identified by %NL80211_ATTR_MLO_LINK_ID.
   * @NL80211_CMD_SET_KEY: Set key attributes %NL80211_ATTR_KEY_DEFAULT,
   *	%NL80211_ATTR_KEY_DEFAULT_MGMT, or %NL80211_ATTR_KEY_THRESHOLD.
++ *	For MLO connection, the link to set default key is identified by
++ *	%NL80211_ATTR_MLO_LINK_ID.
   * @NL80211_CMD_NEW_KEY: add a key with given %NL80211_ATTR_KEY_DATA,
   *	%NL80211_ATTR_KEY_IDX, %NL80211_ATTR_MAC, %NL80211_ATTR_KEY_CIPHER,
-- *	and %NL80211_ATTR_KEY_SEQ attributes.
++ *	and %NL80211_ATTR_KEY_SEQ attributes. %NL80211_ATTR_MAC represents
++ *	peer's MLD address for MLO pairwise key. The link to add MLO
++ *	group key is identified by %NL80211_ATTR_MLO_LINK_ID.
   * @NL80211_CMD_DEL_KEY: delete a key identified by %NL80211_ATTR_KEY_IDX
-- *	or %NL80211_ATTR_MAC.
++ *	or %NL80211_ATTR_MAC. %NL80211_ATTR_MAC represents peer's MLD address
++ *	for MLO pairwise key. The link to delete group key is identified by
++ *	%NL80211_ATTR_MLO_LINK_ID.
+  *
   * @NL80211_CMD_GET_BEACON: (not used)
   * @NL80211_CMD_SET_BEACON: change the beacon on an access point interface
@@ -753,6 +772,13 @@
   *	%NL80211_ATTR_CSA_C_OFFSETS_TX is an array of offsets to CSA
   *	counters which will be updated to the current value. This attribute
   *	is used during CSA period.
++ *	For TX on an MLD, the frequency can be omitted and the link ID be
++ *	specified, or if transmitting to a known peer MLD (with MLD addresses
++ *	in the frame) both can be omitted and the link will be selected by
++ *	lower layers.
++ *	For RX notification, %NL80211_ATTR_RX_HW_TIMESTAMP may be included to
++ *	indicate the frame RX timestamp and %NL80211_ATTR_TX_HW_TIMESTAMP may
++ *	be included to indicate the ack TX timestamp.
   * @NL80211_CMD_FRAME_WAIT_CANCEL: When an off-channel TX was requested, this
   *	command may be used with the corresponding cookie to cancel the wait
   *	time if it is known that it is no longer necessary.  This command is
@@ -763,7 +789,9 @@
   *	transmitted with %NL80211_CMD_FRAME. %NL80211_ATTR_COOKIE identifies
   *	the TX command and %NL80211_ATTR_FRAME includes the contents of the
   *	frame. %NL80211_ATTR_ACK flag is included if the recipient acknowledged
-- *	the frame.
++ *	the frame. %NL80211_ATTR_TX_HW_TIMESTAMP may be included to indicate the
++ *	tx timestamp and %NL80211_ATTR_RX_HW_TIMESTAMP may be included to
++ *	indicate the ack RX timestamp.
   * @NL80211_CMD_ACTION_TX_STATUS: Alias for @NL80211_CMD_FRAME_TX_STATUS for
   *	backward compatibility.
+  *
@@ -1108,6 +1136,12 @@
   *	has been received. %NL80211_ATTR_FRAME is used to specify the
   *	frame contents.  The frame is the raw EAPoL data, without ethernet or
   *	802.11 headers.
++ *	For an MLD transmitter, the %NL80211_ATTR_MLO_LINK_ID may be given and
++ *	its effect will depend on the destination: If the destination is known
++ *	to be an MLD, this will be used as a hint to select the link to transmit
++ *	the frame on. If the destination is not an MLD, this will select both
++ *	the link to transmit on and the source address will be set to the link
++ *	address of that link.
   *	When used as an event indication %NL80211_ATTR_CONTROL_PORT_ETHERTYPE,
   *	%NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT and %NL80211_ATTR_MAC are added
   *	indicating the protocol type of the received frame; whether the frame
@@ -1237,6 +1271,16 @@
   *      to describe the BSSID address of the AP and %NL80211_ATTR_TIMEOUT to
   *      specify the timeout value.
+  *
++ * @NL80211_CMD_ADD_LINK: Add a new link to an interface. The
++ *	%NL80211_ATTR_MLO_LINK_ID attribute is used for the new link.
++ * @NL80211_CMD_REMOVE_LINK: Remove a link from an interface. This may come
++ *	without %NL80211_ATTR_MLO_LINK_ID as an easy way to remove all links
++ *	in preparation for e.g. roaming to a regular (non-MLO) AP.
++ *
++ * @NL80211_CMD_ADD_LINK_STA: Add a link to an MLD station
++ * @NL80211_CMD_MODIFY_LINK_STA: Modify a link of an MLD station
++ * @NL80211_CMD_REMOVE_LINK_STA: Remove a link of an MLD station
++ *
   * @NL80211_CMD_MAX: highest used command number
   * @__NL80211_CMD_AFTER_LAST: internal use
   */
@@ -1481,6 +1525,13 @@ enum nl80211_commands {
  	NL80211_CMD_ASSOC_COMEBACK,
++	NL80211_CMD_ADD_LINK,
++	NL80211_CMD_REMOVE_LINK,
++
++	NL80211_CMD_ADD_LINK_STA,
++	NL80211_CMD_MODIFY_LINK_STA,
++	NL80211_CMD_REMOVE_LINK_STA,
++
  	/* add new commands above here */
  	/* used to define NL80211_CMD_MAX below */
@@ -2340,8 +2391,10 @@ enum nl80211_commands {
+  *
   * @NL80211_ATTR_IFTYPE_EXT_CAPA: Nested attribute of the following attributes:
   *	%NL80211_ATTR_IFTYPE, %NL80211_ATTR_EXT_CAPA,
-- *	%NL80211_ATTR_EXT_CAPA_MASK, to specify the extended capabilities per
-- *	interface type.
++ *	%NL80211_ATTR_EXT_CAPA_MASK, to specify the extended capabilities and
++ *	other interface-type specific capabilities per interface type. For MLO,
++ *	%NL80211_ATTR_EML_CAPABILITY and %NL80211_ATTR_MLD_CAPA_AND_OPS are
++ *	present.
+  *
   * @NL80211_ATTR_MU_MIMO_GROUP_DATA: array of 24 bytes that defines a MU-MIMO
   *	groupID for monitor mode.
@@ -2663,6 +2716,41 @@ enum nl80211_commands {
   *	association request when used with NL80211_CMD_NEW_STATION). Can be set
   *	only if %NL80211_STA_FLAG_WME is set.
+  *
++ * @NL80211_ATTR_MLO_LINK_ID: A (u8) link ID for use with MLO, to be used with
++ *	various commands that need a link ID to operate.
++ * @NL80211_ATTR_MLO_LINKS: A nested array of links, each containing some
++ *	per-link information and a link ID.
++ * @NL80211_ATTR_MLD_ADDR: An MLD address, used with various commands such as
++ *	authenticate/associate.
++ *
++ * @NL80211_ATTR_MLO_SUPPORT: Flag attribute to indicate user space supports MLO
++ *	connection. Used with %NL80211_CMD_CONNECT. If this attribute is not
++ *	included in NL80211_CMD_CONNECT drivers must not perform MLO connection.
++ *
++ * @NL80211_ATTR_MAX_NUM_AKM_SUITES: U16 attribute. Indicates maximum number of
++ *	AKM suites allowed for %NL80211_CMD_CONNECT, %NL80211_CMD_ASSOCIATE and
++ *	%NL80211_CMD_START_AP in %NL80211_CMD_GET_WIPHY response. If this
++ *	attribute is not present userspace shall consider maximum number of AKM
++ *	suites allowed as %NL80211_MAX_NR_AKM_SUITES which is the legacy maximum
++ *	number prior to the introduction of this attribute.
++ *
++ * @NL80211_ATTR_EML_CAPABILITY: EML Capability information (u16)
++ * @NL80211_ATTR_MLD_CAPA_AND_OPS: MLD Capabilities and Operations (u16)
++ *
++ * @NL80211_ATTR_TX_HW_TIMESTAMP: Hardware timestamp for TX operation in
++ *	nanoseconds (u64). This is the device clock timestamp so it will
++ *	probably reset when the device is stopped or the firmware is reset.
++ *	When used with %NL80211_CMD_FRAME_TX_STATUS, indicates the frame TX
++ *	timestamp. When used with %NL80211_CMD_FRAME RX notification, indicates
++ *	the ack TX timestamp.
++ * @NL80211_ATTR_RX_HW_TIMESTAMP: Hardware timestamp for RX operation in
++ *	nanoseconds (u64). This is the device clock timestamp so it will
++ *	probably reset when the device is stopped or the firmware is reset.
++ *	When used with %NL80211_CMD_FRAME_TX_STATUS, indicates the ack RX
++ *	timestamp. When used with %NL80211_CMD_FRAME RX notification, indicates
++ *	the incoming frame RX timestamp.
++ * @NL80211_ATTR_TD_BITMAP: Transition Disable bitmap, for subsequent
++ *	(re)associations.
   * @NUM_NL80211_ATTR: total number of nl80211_attrs available
   * @NL80211_ATTR_MAX: highest attribute number currently defined
   * @__NL80211_ATTR_AFTER_LAST: internal use
@@ -3177,6 +3265,21 @@ enum nl80211_attrs {
  	NL80211_ATTR_DISABLE_EHT,
++	NL80211_ATTR_MLO_LINKS,
++	NL80211_ATTR_MLO_LINK_ID,
++	NL80211_ATTR_MLD_ADDR,
++
++	NL80211_ATTR_MLO_SUPPORT,
++
++	NL80211_ATTR_MAX_NUM_AKM_SUITES,
++
++	NL80211_ATTR_EML_CAPABILITY,
++	NL80211_ATTR_MLD_CAPA_AND_OPS,
++
++	NL80211_ATTR_TX_HW_TIMESTAMP,
++	NL80211_ATTR_RX_HW_TIMESTAMP,
++	NL80211_ATTR_TD_BITMAP,
++
  	/* add attributes here, update the policy in nl80211.c */
  	__NL80211_ATTR_AFTER_LAST,
@@ -3231,6 +3334,11 @@ enum nl80211_attrs {
  #define NL80211_HE_MIN_CAPABILITY_LEN           16
  #define NL80211_HE_MAX_CAPABILITY_LEN           54
  #define NL80211_MAX_NR_CIPHER_SUITES		5
++
++/*
++ * NL80211_MAX_NR_AKM_SUITES is obsolete when %NL80211_ATTR_MAX_NUM_AKM_SUITES
++ * present in %NL80211_CMD_GET_WIPHY response.
++ */
  #define NL80211_MAX_NR_AKM_SUITES		2
  #define NL80211_EHT_MIN_CAPABILITY_LEN          13
  #define NL80211_EHT_MAX_CAPABILITY_LEN          51
@@ -4853,6 +4961,8 @@ enum nl80211_bss_scan_width {
   *	Contains a nested array of signal strength attributes (u8, dBm),
   *	using the nesting index as the antenna number.
   * @NL80211_BSS_FREQUENCY_OFFSET: frequency offset in KHz
++ * @NL80211_BSS_MLO_LINK_ID: MLO link ID of the BSS (u8).
++ * @NL80211_BSS_MLD_ADDR: MLD address of this BSS if connected to it.
   * @__NL80211_BSS_AFTER_LAST: internal
   * @NL80211_BSS_MAX: highest BSS attribute
   */
@@ -4878,6 +4988,8 @@ enum nl80211_bss {
  	NL80211_BSS_PARENT_BSSID,
  	NL80211_BSS_CHAIN_SIGNAL,
  	NL80211_BSS_FREQUENCY_OFFSET,
++	NL80211_BSS_MLO_LINK_ID,
++	NL80211_BSS_MLD_ADDR,
  	/* keep last */
  	__NL80211_BSS_AFTER_LAST,
@@ -5874,7 +5986,7 @@ enum nl80211_ap_sme_features {
   * @NL80211_FEATURE_INACTIVITY_TIMER: This driver takes care of freeing up
   *	the connected inactive stations in AP mode.
   * @NL80211_FEATURE_CELL_BASE_REG_HINTS: This driver has been tested
-- *	to work properly to suppport receiving regulatory hints from
++ *	to work properly to support receiving regulatory hints from
   *	cellular base stations.
   * @NL80211_FEATURE_P2P_DEVICE_NEEDS_CHANNEL: (no longer available, only
   *	here to reserve the value for API/ABI compatibility)
@@ -6174,6 +6286,14 @@ enum nl80211_feature_flags {
   * @NL80211_EXT_FEATURE_RADAR_BACKGROUND: Device supports background radar/CAC
   *	detection.
+  *
++ * @NL80211_EXT_FEATURE_POWERED_ADDR_CHANGE: Device can perform a MAC address
++ *	change without having to bring the underlying network device down
++ *	first. For example, in station mode this can be used to vary the
++ *	origin MAC address prior to a connection to a new AP for privacy
++ *	or other reasons. Note that certain driver specific restrictions
++ *	might apply, e.g. no scans in progress, no offchannel operations
++ *	in progress, and no active connections.
++ *
   * @NUM_NL80211_EXT_FEATURES: number of extended features.
   * @MAX_NL80211_EXT_FEATURES: highest extended feature index.
   */
@@ -6241,6 +6361,7 @@ enum nl80211_ext_feature_index {
  	NL80211_EXT_FEATURE_BSS_COLOR,
  	NL80211_EXT_FEATURE_FILS_CRYPTO_OFFLOAD,
  	NL80211_EXT_FEATURE_RADAR_BACKGROUND,
++	NL80211_EXT_FEATURE_POWERED_ADDR_CHANGE,
  	/* add new features before the definition below */
  	NUM_NL80211_EXT_FEATURES,
 diff --git a/src/basic/linux/pkt_sched.h b/src/basic/linux/pkt_sched.h
 index f292b46..000eec1 100644
 --- a/src/basic/linux/pkt_sched.h
 +++ b/src/basic/linux/pkt_sched.h
@@ -1233,6 +1233,16 @@ enum {
  #define TCA_TAPRIO_ATTR_FLAG_FULL_OFFLOAD	_BITUL(1)
  enum {
++	TCA_TAPRIO_TC_ENTRY_UNSPEC,
++	TCA_TAPRIO_TC_ENTRY_INDEX,		/* u32 */
++	TCA_TAPRIO_TC_ENTRY_MAX_SDU,		/* u32 */
++
++	/* add new constants above here */
++	__TCA_TAPRIO_TC_ENTRY_CNT,
++	TCA_TAPRIO_TC_ENTRY_MAX = (__TCA_TAPRIO_TC_ENTRY_CNT - 1)
++};
++
++enum {
  	TCA_TAPRIO_ATTR_UNSPEC,
  	TCA_TAPRIO_ATTR_PRIOMAP, /* struct tc_mqprio_qopt */
  	TCA_TAPRIO_ATTR_SCHED_ENTRY_LIST, /* nested of entry */
@@ -1245,6 +1255,7 @@ enum {
  	TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME_EXTENSION, /* s64 */
  	TCA_TAPRIO_ATTR_FLAGS, /* u32 */
  	TCA_TAPRIO_ATTR_TXTIME_DELAY, /* u32 */
++	TCA_TAPRIO_ATTR_TC_ENTRY, /* nest */
  	__TCA_TAPRIO_ATTR_MAX,
  };
 diff --git a/src/basic/linux/rtnetlink.h b/src/basic/linux/rtnetlink.h
 index 83849a3..eb2747d 100644
 --- a/src/basic/linux/rtnetlink.h
 +++ b/src/basic/linux/rtnetlink.h
@@ -440,7 +440,7 @@ struct rtnexthop {
  /* RTA_VIA */
  struct rtvia {
  	__kernel_sa_family_t	rtvia_family;
--	__u8			rtvia_addr[0];
++	__u8			rtvia_addr[];
  };
  /* RTM_CACHEINFO */
 diff --git a/src/basic/linux/stddef.h b/src/basic/linux/stddef.h
 new file mode 100644
 index 0000000..1a73963
 --- /dev/null
 +++ b/src/basic/linux/stddef.h
@@ -0,0 +1,46 @@
++/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
++#ifndef _UAPI_LINUX_STDDEF_H
++#define _UAPI_LINUX_STDDEF_H
++
++
++#ifndef __always_inline
++#define __always_inline inline
++#endif
++
++/**
++ * __struct_group() - Create a mirrored named and anonyomous struct
++ *
++ * @TAG: The tag name for the named sub-struct (usually empty)
++ * @NAME: The identifier name of the mirrored sub-struct
++ * @ATTRS: Any struct attributes (usually empty)
++ * @MEMBERS: The member declarations for the mirrored structs
++ *
++ * Used to create an anonymous union of two structs with identical layout
++ * and size: one anonymous and one named. The former's members can be used
++ * normally without sub-struct naming, and the latter can be used to
++ * reason about the start, end, and size of the group of struct members.
++ * The named struct can also be explicitly tagged for layer reuse, as well
++ * as both having struct attributes appended.
++ */
++#define __struct_group(TAG, NAME, ATTRS, MEMBERS...) \
++	union { \
++		struct { MEMBERS } ATTRS; \
++		struct TAG { MEMBERS } ATTRS NAME; \
++	}
++
++/**
++ * __DECLARE_FLEX_ARRAY() - Declare a flexible array usable in a union
++ *
++ * @TYPE: The type of each flexible array element
++ * @NAME: The name of the flexible array member
++ *
++ * In order to have a flexible array member in a union or alone in a
++ * struct, it needs to be wrapped in an anonymous struct with at least 1
++ * named member, but that member can be empty.
++ */
++#define __DECLARE_FLEX_ARRAY(TYPE, NAME)	\
++	struct { \
++		struct { } __empty_ ## NAME; \
++		TYPE NAME[]; \
++	}
++#endif
 diff --git a/src/basic/linux/update.sh b/src/basic/linux/update.sh
 index 72e133d..6aff039 100755
 --- a/src/basic/linux/update.sh
 +++ b/src/basic/linux/update.sh
@@ -6,5 +6,5 @@ set -o pipefail
  for i in *.h */*.h; do
      curl --fail "https://raw.githubusercontent.com/torvalds/linux/master/include/uapi/linux/$i" -o "$i"
--    sed -i -e 's/__user //g' -e '/^#include <linux\/compiler.h>/ d' "$i"
++    sed -r -i -e 's/__user //g' -e '/^#include <linux\/compiler(_types)?.h>/ d' "$i"
  done
 diff --git a/src/basic/virt.c b/src/basic/virt.c
 index f800bba..c6914d5 100644
 --- a/src/basic/virt.c
 +++ b/src/basic/virt.c
@@ -778,7 +778,7 @@ translate_name:
                  /* Some images hardcode container=oci, but OCI is not a specific container manager.
                   * Try to detect one based on well-known files. */
                  v = detect_container_files();
--                if (v != VIRTUALIZATION_NONE)
++                if (v == VIRTUALIZATION_NONE)
                          v = VIRTUALIZATION_CONTAINER_OTHER;
                  goto finish;
+         }
 diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c
 index 25a0215..1f4a7db 100644
 --- a/src/boot/efi/boot.c
 +++ b/src/boot/efi/boot.c
@@ -1573,7 +1573,7 @@ static EFI_STATUS efivar_get_timeout(const char16_t *var, uint32_t *ret_value) {
  static void config_load_defaults(Config *config, EFI_FILE *root_dir) {
          _cleanup_free_ char *content = NULL;
--        UINTN value;
++        UINTN value = 0;  /* avoid false maybe-uninitialized warning */
          EFI_STATUS err;
          assert(root_dir);
@@ -2257,7 +2257,7 @@ static void config_load_xbootldr(
                  EFI_HANDLE *device) {
          _cleanup_(file_closep) EFI_FILE *root_dir = NULL;
--        EFI_HANDLE new_device;
++        EFI_HANDLE new_device = NULL;  /* avoid false maybe-uninitialized warning */
          EFI_STATUS err;
          assert(config);
@@ -2319,6 +2319,9 @@ static EFI_STATUS initrd_prepare(
                  if (err != EFI_SUCCESS)
                          return err;
++                if (info->FileSize == 0) /* Automatically skip over empty files */
++                        continue;
++
                  UINTN new_size, read_size = info->FileSize;
                  if (__builtin_add_overflow(size, read_size, &new_size))
                          return EFI_OUT_OF_RESOURCES;
 diff --git a/src/boot/efi/console.c b/src/boot/efi/console.c
 index cd980fd..14c0008 100644
 --- a/src/boot/efi/console.c
 +++ b/src/boot/efi/console.c
@@ -12,20 +12,6 @@
  #define VERTICAL_MAX_OK 1080
  #define VIEWPORT_RATIO 10
--static EFI_STATUS console_connect(void) {
--        EFI_BOOT_MANAGER_POLICY_PROTOCOL *boot_policy;
--        EFI_STATUS err;
--
--        /* This should make console devices appear/fully initialize on fastboot firmware. */
--
--        err = BS->LocateProtocol(
--                        &(EFI_GUID) EFI_BOOT_MANAGER_POLICY_PROTOCOL_GUID, NULL, (void **) &boot_policy);
--        if (err != EFI_SUCCESS)
--                return err;
--
--        return boot_policy->ConnectDeviceClass(boot_policy, &(EFI_GUID) EFI_BOOT_MANAGER_POLICY_CONSOLE_GUID);
--}
--
  static inline void event_closep(EFI_EVENT *event) {
          if (!*event)
                  return;
@@ -61,8 +47,6 @@ EFI_STATUS console_key_read(uint64_t *key, uint64_t timeout_usec) {
          assert(key);
          if (!checked) {
--                console_connect();
--
                  /* Get the *first* TextInputEx device.*/
                  err = BS->LocateProtocol(&SimpleTextInputExProtocol, NULL, (void **) &extraInEx);
                  if (err != EFI_SUCCESS || BS->CheckEvent(extraInEx->WaitForKeyEx) == EFI_INVALID_PARAMETER)
 diff --git a/src/boot/efi/cpio.c b/src/boot/efi/cpio.c
 index 76e2cd7..79b5d43 100644
 --- a/src/boot/efi/cpio.c
 +++ b/src/boot/efi/cpio.c
@@ -468,7 +468,7 @@ EFI_STATUS pack_cpio(
          for (UINTN i = 0; i < n_items; i++) {
                  _cleanup_free_ char *content = NULL;
--                UINTN contentsize;
++                UINTN contentsize = 0;  /* avoid false maybe-uninitialized warning */
                  err = file_read(extra_dir, items[i], 0, 0, &content, &contentsize);
                  if (err != EFI_SUCCESS) {
 diff --git a/src/boot/efi/meson.build b/src/boot/efi/meson.build
 index 0de4399..fa61c3e 100644
 --- a/src/boot/efi/meson.build
 +++ b/src/boot/efi/meson.build
@@ -55,6 +55,7 @@ if not cc.has_header_symbol('efi.h', 'EFI_IMAGE_MACHINE_X64',
  endif
  objcopy = run_command(cc.cmd_array(), '-print-prog-name=objcopy', check: true).stdout().strip()
++objcopy_2_38 = find_program('objcopy', version: '>=2.38', required: false)
  efi_ld = get_option('efi-ld')
  if efi_ld == 'auto'
@@ -283,9 +284,17 @@ foreach arg : ['-Wl,--no-warn-execstack',
          endif
  endforeach
--if efi_arch[1] in ['aarch64', 'arm', 'riscv64']
++# If using objcopy, crt0 must not include the PE/COFF header
++if run_command('grep', '-q', 'coff_header', efi_crt0, check: false).returncode() == 0
++        coff_header_in_crt0 = true
++else
++        coff_header_in_crt0 = false
++endif
++
++if efi_arch[1] in ['arm', 'riscv64'] or (efi_arch[1] == 'aarch64' and (not objcopy_2_38.found() or coff_header_in_crt0))
          efi_ldflags += ['-shared']
--        # Aarch64, ARM32 and 64bit RISC-V don't have an EFI capable objcopy.
++        # ARM32 and 64bit RISC-V don't have an EFI capable objcopy.
++        # Older objcopy doesn't support Aarch64 either.
          # Use 'binary' instead, and add required symbols manually.
          efi_ldflags += ['-Wl,--defsym=EFI_SUBSYSTEM=0xa']
          efi_format = ['-O', 'binary']
 diff --git a/src/boot/efi/missing_efi.h b/src/boot/efi/missing_efi.h
 index b446e03..250c84c 100644
 --- a/src/boot/efi/missing_efi.h
 +++ b/src/boot/efi/missing_efi.h
@@ -398,22 +398,3 @@ typedef struct {
          void *StdErr;
  } EFI_SHELL_PARAMETERS_PROTOCOL;
  #endif
--
--#ifndef EFI_BOOT_MANAGER_POLICY_PROTOCOL_GUID
--#define EFI_BOOT_MANAGER_POLICY_PROTOCOL_GUID \
--        { 0xFEDF8E0C, 0xE147, 0x11E3, { 0x99, 0x03, 0xB8, 0xE8, 0x56, 0x2C, 0xBA, 0xFA } }
--#define EFI_BOOT_MANAGER_POLICY_CONSOLE_GUID \
--        { 0xCAB0E94C, 0xE15F, 0x11E3, { 0x91, 0x8D, 0xB8, 0xE8, 0x56, 0x2C, 0xBA, 0xFA } }
--
--typedef struct EFI_BOOT_MANAGER_POLICY_PROTOCOL EFI_BOOT_MANAGER_POLICY_PROTOCOL;
--struct EFI_BOOT_MANAGER_POLICY_PROTOCOL {
--        UINT64 Revision;
--        EFI_STATUS (EFIAPI *ConnectDevicePath)(
--                EFI_BOOT_MANAGER_POLICY_PROTOCOL *This,
--                EFI_DEVICE_PATH *DevicePath,
--                BOOLEAN Recursive);
--        EFI_STATUS (EFIAPI *ConnectDeviceClass)(
--                EFI_BOOT_MANAGER_POLICY_PROTOCOL *This,
--                EFI_GUID *Class);
--};
--#endif
 diff --git a/src/boot/efi/secure-boot.c b/src/boot/efi/secure-boot.c
 index 65457bf..6212868 100644
 --- a/src/boot/efi/secure-boot.c
 +++ b/src/boot/efi/secure-boot.c
@@ -6,7 +6,7 @@
  #include "util.h"
  bool secure_boot_enabled(void) {
--        bool secure;
++        bool secure = false;  /* avoid false maybe-uninitialized warning */
          EFI_STATUS err;
          err = efivar_get_boolean_u8(EFI_GLOBAL_GUID, L"SecureBoot", &secure);
 diff --git a/src/boot/efi/util.c b/src/boot/efi/util.c
 index f9aeeb4..51e483e 100644
 --- a/src/boot/efi/util.c
 +++ b/src/boot/efi/util.c
@@ -309,9 +309,11 @@ EFI_STATUS file_read(EFI_FILE *dir, const char16_t *name, UINTN off, UINTN size,
          UINTN extra = size % sizeof(char16_t) + sizeof(char16_t);
          buf = xmalloc(size + extra);
--        err = handle->Read(handle, &size, buf);
--        if (err != EFI_SUCCESS)
--                return err;
++        if (size > 0) {
++                err = handle->Read(handle, &size, buf);
++                if (err != EFI_SUCCESS)
++                        return err;
++        }
          /* Note that handle->Read() changes size to reflect the actually bytes read. */
          memset(buf + size, 0, extra);
 diff --git a/src/busctl/busctl.c b/src/busctl/busctl.c
 index f57a5d6..cc2d0e3 100644
 --- a/src/busctl/busctl.c
 +++ b/src/busctl/busctl.c
@@ -1022,10 +1022,11 @@ static int introspect(int argc, char **argv, void *userdata) {
                  for (;;) {
                          Member *z;
--                        _cleanup_free_ char *buf = NULL;
++                        _cleanup_free_ char *buf = NULL, *signature = NULL;
                          _cleanup_fclose_ FILE *mf = NULL;
                          size_t sz = 0;
--                        const char *name;
++                        const char *name, *contents;
++                        char type;
                          r = sd_bus_message_enter_container(reply, 'e', "sv");
                          if (r < 0)
@@ -1042,6 +1043,21 @@ static int introspect(int argc, char **argv, void *userdata) {
                          if (r < 0)
                                  return bus_log_parse_error(r);
++                        r = sd_bus_message_peek_type(reply, &type, &contents);
++                        if (r <= 0)
++                                return bus_log_parse_error(r == 0 ? EINVAL : r);
++
++                        if (type == SD_BUS_TYPE_STRUCT_BEGIN)
++                                signature = strjoin(CHAR_TO_STR(SD_BUS_TYPE_STRUCT_BEGIN), contents, CHAR_TO_STR(SD_BUS_TYPE_STRUCT_END));
++                        else if (type == SD_BUS_TYPE_DICT_ENTRY_BEGIN)
++                                signature = strjoin(CHAR_TO_STR(SD_BUS_TYPE_DICT_ENTRY_BEGIN), contents, CHAR_TO_STR(SD_BUS_TYPE_DICT_ENTRY_END));
++                        else if (contents)
++                                signature = strjoin(CHAR_TO_STR(type), contents);
++                        else
++                                signature = strdup(CHAR_TO_STR(type));
++                        if (!signature)
++                                return log_oom();
++
                          mf = open_memstream_unlocked(&buf, &sz);
                          if (!mf)
                                  return log_oom();
@@ -1055,6 +1071,7 @@ static int introspect(int argc, char **argv, void *userdata) {
                          z = set_get(members, &((Member) {
                                                  .type = "property",
                                                  .interface = m->interface,
++                                                .signature = signature,
                                                  .name = (char*) name }));
                          if (z)
                                  free_and_replace(z->value, buf);
 diff --git a/src/core/cgroup.c b/src/core/cgroup.c
 index 4c0a821..ba26066 100644
 --- a/src/core/cgroup.c
 +++ b/src/core/cgroup.c
@@ -2471,7 +2471,7 @@ static bool unit_has_mask_enables_realized(
                  ((u->cgroup_enabled_mask | enable_mask) & CGROUP_MASK_V2) == (u->cgroup_enabled_mask & CGROUP_MASK_V2);
+ }
--static void unit_add_to_cgroup_realize_queue(Unit *u) {
++void unit_add_to_cgroup_realize_queue(Unit *u) {
          assert(u);
          if (u->in_cgroup_realize_queue)
 diff --git a/src/core/cgroup.h b/src/core/cgroup.h
 index 4413eea..49fbd4f 100644
 --- a/src/core/cgroup.h
 +++ b/src/core/cgroup.h
@@ -262,6 +262,7 @@ int unit_realize_cgroup(Unit *u);
  void unit_prune_cgroup(Unit *u);
  int unit_watch_cgroup(Unit *u);
  int unit_watch_cgroup_memory(Unit *u);
++void unit_add_to_cgroup_realize_queue(Unit *u);
  void unit_release_cgroup(Unit *u);
  /* Releases the cgroup only if it is recursively empty.
 diff --git a/src/core/dbus-scope.c b/src/core/dbus-scope.c
 index 7d2ceb0..7b07bb8 100644
 --- a/src/core/dbus-scope.c
 +++ b/src/core/dbus-scope.c
@@ -5,6 +5,7 @@
  #include "bus-get-properties.h"
  #include "dbus-cgroup.h"
  #include "dbus-kill.h"
++#include "dbus-manager.h"
  #include "dbus-scope.h"
  #include "dbus-unit.h"
  #include "dbus-util.h"
@@ -39,6 +40,7 @@ int bus_scope_method_abandon(sd_bus_message *message, void *userdata, sd_bus_err
+ }
  static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_result, scope_result, ScopeResult);
++static BUS_DEFINE_SET_TRANSIENT_PARSE(oom_policy, OOMPolicy, oom_policy_from_string);
  const sd_bus_vtable bus_scope_vtable[] = {
          SD_BUS_VTABLE_START(0),
@@ -47,6 +49,7 @@ const sd_bus_vtable bus_scope_vtable[] = {
          SD_BUS_PROPERTY("Result", "s", property_get_result, offsetof(Scope, result), SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE),
          SD_BUS_PROPERTY("RuntimeMaxUSec", "t", bus_property_get_usec, offsetof(Scope, runtime_max_usec), SD_BUS_VTABLE_PROPERTY_CONST),
          SD_BUS_PROPERTY("RuntimeRandomizedExtraUSec", "t", bus_property_get_usec, offsetof(Scope, runtime_rand_extra_usec), SD_BUS_VTABLE_PROPERTY_CONST),
++        SD_BUS_PROPERTY("OOMPolicy", "s", bus_property_get_oom_policy, offsetof(Scope, oom_policy), SD_BUS_VTABLE_PROPERTY_CONST),
          SD_BUS_SIGNAL("RequestStop", NULL, 0),
          SD_BUS_METHOD("Abandon", NULL, NULL, bus_scope_method_abandon, SD_BUS_VTABLE_UNPRIVILEGED),
          SD_BUS_VTABLE_END
@@ -77,6 +80,9 @@ static int bus_scope_set_transient_property(
          if (streq(name, "RuntimeRandomizedExtraUSec"))
                  return bus_set_transient_usec(u, name, &s->runtime_rand_extra_usec, message, flags, error);
++        if (streq(name, "OOMPolicy"))
++                return bus_set_transient_oom_policy(u, name, &s->oom_policy, message, flags, error);
++
          if (streq(name, "PIDs")) {
                  _cleanup_(sd_bus_creds_unrefp) sd_bus_creds *creds = NULL;
                  unsigned n = 0;
 diff --git a/src/core/execute.c b/src/core/execute.c
 index 6c3fbc2..13222dd 100644
 --- a/src/core/execute.c
 +++ b/src/core/execute.c
@@ -5479,6 +5479,23 @@ int exec_context_destroy_credentials(const ExecContext *c, const char *runtime_p
          return 0;
+ }
++int exec_context_destroy_mount_ns_dir(Unit *u) {
++        _cleanup_free_ char *p = NULL;
++
++        if (!u || !MANAGER_IS_SYSTEM(u->manager))
++                return 0;
++
++        p = path_join("/run/systemd/propagate/", u->id);
++        if (!p)
++                return -ENOMEM;
++
++        /* This is only filled transiently (see mount_in_namespace()), should be empty or even non-existent*/
++        if (rmdir(p) < 0 && errno != ENOENT)
++                log_unit_debug_errno(u, errno, "Unable to remove propagation dir '%s', ignoring: %m", p);
++
++        return 0;
++}
++
  static void exec_command_done(ExecCommand *c) {
          assert(c);
 diff --git a/src/core/execute.h b/src/core/execute.h
 index a2cf228..4c54422 100644
 --- a/src/core/execute.h
 +++ b/src/core/execute.h
@@ -453,6 +453,7 @@ void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix);
  int exec_context_destroy_runtime_directory(const ExecContext *c, const char *runtime_root);
  int exec_context_destroy_credentials(const ExecContext *c, const char *runtime_root, const char *unit);
++int exec_context_destroy_mount_ns_dir(Unit *u);
  const char* exec_context_fdname(const ExecContext *c, int fd_index);
 diff --git a/src/core/import-creds.c b/src/core/import-creds.c
 index 4685e43..dab7d36 100644
 --- a/src/core/import-creds.c
 +++ b/src/core/import-creds.c
@@ -19,6 +19,7 @@
  #include "proc-cmdline.h"
  #include "recurse-dir.h"
  #include "strv.h"
++#include "virt.h"
  /* This imports credentials passed in from environments higher up (VM manager, boot loader, …) and rearranges
   * them so that later code can access them using our regular credential protocol
@@ -369,6 +370,9 @@ static int import_credentials_qemu(ImportCredentialContext *c) {
          assert(c);
++        if (detect_container() > 0) /* don't access /sys/ in a container */
++                return 0;
++
          source_dir_fd = open(QEMU_FWCFG_PATH, O_RDONLY|O_DIRECTORY|O_CLOEXEC);
          if (source_dir_fd < 0) {
                  if (errno == ENOENT) {
@@ -560,6 +564,9 @@ static int import_credentials_smbios(ImportCredentialContext *c) {
          /* Parses DMI OEM strings fields (SMBIOS type 11), as settable with qemu's -smbios type=11,value=… switch. */
++        if (detect_container() > 0) /* don't access /sys/ in a container */
++                return 0;
++
          for (unsigned i = 0;; i++) {
                  struct dmi_field_header {
                          uint8_t type;
 diff --git a/src/core/load-fragment-gperf.gperf.in b/src/core/load-fragment-gperf.gperf.in
 index 7675b7b..81a5971 100644
 --- a/src/core/load-fragment-gperf.gperf.in
 +++ b/src/core/load-fragment-gperf.gperf.in
@@ -555,6 +555,7 @@ Path.TriggerLimitBurst,                  config_parse_unsigned,
  Scope.RuntimeMaxSec,                     config_parse_sec,                            0,                                  offsetof(Scope, runtime_max_usec)
  Scope.RuntimeRandomizedExtraSec,         config_parse_sec,                            0,                                  offsetof(Scope, runtime_rand_extra_usec)
  Scope.TimeoutStopSec,                    config_parse_sec,                            0,                                  offsetof(Scope, timeout_stop_usec)
++Scope.OOMPolicy,                         config_parse_oom_policy,                     0,                                  offsetof(Scope, oom_policy)
  {# The [Install] section is ignored here #}
  Install.Alias,                           NULL,                                        0,                                  0
  Install.WantedBy,                        NULL,                                        0,                                  0
 diff --git a/src/core/mount.c b/src/core/mount.c
 index dea7cd9..283426b 100644
 --- a/src/core/mount.c
 +++ b/src/core/mount.c
@@ -13,6 +13,7 @@
  #include "device.h"
  #include "exit-status.h"
  #include "format-util.h"
++#include "fs-util.h"
  #include "fstab-util.h"
  #include "libmount-util.h"
  #include "log.h"
@@ -26,6 +27,7 @@
  #include "process-util.h"
  #include "serialize.h"
  #include "special.h"
++#include "stat-util.h"
  #include "string-table.h"
  #include "string-util.h"
  #include "strv.h"
@@ -1073,6 +1075,7 @@ fail:
  static void mount_enter_mounting(Mount *m) {
          int r;
          MountParameters *p;
++        bool source_is_dir = true;
          assert(m);
@@ -1080,16 +1083,28 @@ static void mount_enter_mounting(Mount *m) {
          if (r < 0)
                  goto fail;
--        (void) mkdir_p_label(m->where, m->directory_mode);
++        p = get_mount_parameters_fragment(m);
++        if (p && mount_is_bind(p)) {
++                r = is_dir(p->what, /* follow = */ true);
++                if (r < 0 && r != -ENOENT)
++                        log_unit_info_errno(UNIT(m), r, "Failed to determine type of bind mount source '%s', ignoring: %m", p->what);
++                else if (r == 0)
++                        source_is_dir = false;
++        }
--        unit_warn_if_dir_nonempty(UNIT(m), m->where);
++        if (source_is_dir)
++                (void) mkdir_p_label(m->where, m->directory_mode);
++        else
++                (void) touch_file(m->where, /* parents = */ true, USEC_INFINITY, UID_INVALID, GID_INVALID, MODE_INVALID);
++
++        if (source_is_dir)
++                unit_warn_if_dir_nonempty(UNIT(m), m->where);
          unit_warn_leftover_processes(UNIT(m), unit_log_leftover_process_start);
          m->control_command_id = MOUNT_EXEC_MOUNT;
          m->control_command = m->exec_command + MOUNT_EXEC_MOUNT;
          /* Create the source directory for bind-mounts if needed */
--        p = get_mount_parameters_fragment(m);
          if (p && mount_is_bind(p)) {
                  r = mkdir_p_label(p->what, m->directory_mode);
                  /* mkdir_p_label() can return -EEXIST if the target path exists and is not a directory - which is
 diff --git a/src/core/scope.c b/src/core/scope.c
 index 54a6cc6..914d1cc 100644
 --- a/src/core/scope.c
 +++ b/src/core/scope.c
@@ -43,6 +43,7 @@ static void scope_init(Unit *u) {
          s->timeout_stop_usec = u->manager->default_timeout_stop_usec;
          u->ignore_on_isolate = true;
          s->user = s->group = NULL;
++        s->oom_policy = _OOM_POLICY_INVALID;
+ }
  static void scope_done(Unit *u) {
@@ -194,6 +195,11 @@ static int scope_add_extras(Scope *s) {
          if (r < 0)
                  return r;
++        if (s->oom_policy < 0)
++                s->oom_policy = s->cgroup_context.delegate ? OOM_CONTINUE : UNIT(s)->manager->default_oom_policy;
++
++        s->cgroup_context.memory_oom_group = s->oom_policy == OOM_KILL;
++
          return scope_add_default_dependencies(s);
+ }
@@ -286,11 +292,13 @@ static void scope_dump(Unit *u, FILE *f, const char *prefix) {
                  "%sScope State: %s\n"
                  "%sResult: %s\n"
                  "%sRuntimeMaxSec: %s\n"
--                "%sRuntimeRandomizedExtraSec: %s\n",
++                "%sRuntimeRandomizedExtraSec: %s\n"
++                "%sOOMPolicy: %s\n",
                  prefix, scope_state_to_string(s->state),
                  prefix, scope_result_to_string(s->result),
                  prefix, FORMAT_TIMESPAN(s->runtime_max_usec, USEC_PER_SEC),
--                prefix, FORMAT_TIMESPAN(s->runtime_rand_extra_usec, USEC_PER_SEC));
++                prefix, FORMAT_TIMESPAN(s->runtime_rand_extra_usec, USEC_PER_SEC),
++                prefix, oom_policy_to_string(s->oom_policy));
          cgroup_context_dump(UNIT(s), f, prefix);
          kill_context_dump(&s->kill_context, f, prefix);
@@ -635,11 +643,16 @@ static void scope_notify_cgroup_oom_event(Unit *u, bool managed_oom) {
          else
                  log_unit_debug(u, "Process of control group was killed by the OOM killer.");
--        /* This will probably need to be modified when scope units get an oom-policy */
++        if (s->oom_policy == OOM_CONTINUE)
++                return;
++
          switch (s->state) {
          case SCOPE_START_CHOWN:
          case SCOPE_RUNNING:
++                scope_enter_signal(s, SCOPE_STOP_SIGTERM, SCOPE_FAILURE_OOM_KILL);
++                break;
++
          case SCOPE_STOP_SIGTERM:
                  scope_enter_signal(s, SCOPE_STOP_SIGKILL, SCOPE_FAILURE_OOM_KILL);
                  break;
@@ -776,6 +789,10 @@ static void scope_enumerate_perpetual(Manager *m) {
          unit_add_to_load_queue(u);
          unit_add_to_dbus_queue(u);
++        /* Enqueue an explicit cgroup realization here. Unlike other cgroups this one already exists and is
++         * populated (by us, after all!) already, even when we are not in a reload cycle. Hence we cannot
++         * apply the settings at creation time anymore, but let's at least apply them asynchronously. */
++        unit_add_to_cgroup_realize_queue(u);
+ }
  static const char* const scope_result_table[_SCOPE_RESULT_MAX] = {
 diff --git a/src/core/scope.h b/src/core/scope.h
 index 6a228f1..c9574a3 100644
 --- a/src/core/scope.h
 +++ b/src/core/scope.h
@@ -38,6 +38,8 @@ struct Scope {
          char *user;
          char *group;
++
++        OOMPolicy oom_policy;
  };
  extern const UnitVTable scope_vtable;
 diff --git a/src/core/slice.c b/src/core/slice.c
 index c453aa0..4824a30 100644
 --- a/src/core/slice.c
 +++ b/src/core/slice.c
@@ -381,6 +381,9 @@ static int slice_freezer_action(Unit *s, FreezerAction action) {
+         }
          UNIT_FOREACH_DEPENDENCY(member, s, UNIT_ATOM_SLICE_OF) {
++                if (!member->cgroup_realized)
++                        continue;
++
                  if (action == FREEZER_FREEZE)
                          r = UNIT_VTABLE(member)->freeze(member);
                  else
 diff --git a/src/core/swap.c b/src/core/swap.c
 index 2196793..5c83c47 100644
 --- a/src/core/swap.c
 +++ b/src/core/swap.c
@@ -827,7 +827,7 @@ static void swap_enter_activating(Swap *s) {
+                 }
+         }
--        r = exec_command_set(s->control_command, "/sbin/swapon", NULL);
++        r = exec_command_set(s->control_command, "/sbin/swapon", "--fixpgsz", NULL);
          if (r < 0)
                  goto fail;
 diff --git a/src/core/unit.c b/src/core/unit.c
 index bed5544..3ac56c1 100644
 --- a/src/core/unit.c
 +++ b/src/core/unit.c
@@ -5732,6 +5732,7 @@ void unit_destroy_runtime_data(Unit *u, const ExecContext *context) {
                  exec_context_destroy_runtime_directory(context, u->manager->prefix[EXEC_DIRECTORY_RUNTIME]);
          exec_context_destroy_credentials(context, u->manager->prefix[EXEC_DIRECTORY_RUNTIME], u->id);
++        exec_context_destroy_mount_ns_dir(u);
+ }
  int unit_clean(Unit *u, ExecCleanMask mask) {
 diff --git a/src/cryptsetup/cryptsetup-fido2.c b/src/cryptsetup/cryptsetup-fido2.c
 index 74053b8..a3bdedb 100644
 --- a/src/cryptsetup/cryptsetup-fido2.c
 +++ b/src/cryptsetup/cryptsetup-fido2.c
@@ -38,6 +38,10 @@ int acquire_fido2_key(
          size_t salt_size;
          int r;
++        if ((required & (FIDO2ENROLL_PIN | FIDO2ENROLL_UP | FIDO2ENROLL_UV)) && headless)
++                return log_error_errno(SYNTHETIC_ERRNO(ENOPKG),
++                                        "Local verification is required to unlock this volume, but the 'headless' parameter was set.");
++
          ask_password_flags |= ASK_PASSWORD_PUSH_CACHE | ASK_PASSWORD_ACCEPT_CACHED;
          assert(cid);
@@ -76,28 +80,6 @@ int acquire_fido2_key(
+         }
          for (;;) {
--                if (!FLAGS_SET(required, FIDO2ENROLL_PIN) || pins) {
--                        r = fido2_use_hmac_hash(
--                                        device,
--                                        rp_id ?: "io.systemd.cryptsetup",
--                                        salt, salt_size,
--                                        cid, cid_size,
--                                        pins,
--                                        required,
--                                        ret_decrypted_key,
--                                        ret_decrypted_key_size);
--                        if (!IN_SET(r,
--                                    -ENOANO,   /* needs pin */
--                                    -ENOLCK))  /* pin incorrect */
--                                return r;
--
--                        device_exists = true; /* that a PIN is needed/wasn't correct means that we managed to
--                                               * talk to a device */
--                }
--
--                if (headless)
--                        return log_error_errno(SYNTHETIC_ERRNO(ENOPKG), "PIN querying disabled via 'headless' option. Use the '$PIN' environment variable.");
--
                  if (!device_exists) {
                          /* Before we inquire for the PIN we'll need, if we never talked to the device, check
                           * if the device actually is plugged in. Otherwise we'll ask for the PIN already when
@@ -112,6 +94,30 @@ int acquire_fido2_key(
                          device_exists = true;  /* now we know for sure, a device exists, no need to ask again */
+                 }
++                /* Always make an attempt before asking for PIN.
++                 * fido2_use_hmac_hash() will perform a pre-flight check for whether the credential for
++                 * can be found on one of the connected devices. This way, we can avoid prompting the user
++                 * for a PIN when we are sure that no device can be used. */
++                r = fido2_use_hmac_hash(
++                                device,
++                                rp_id ?: "io.systemd.cryptsetup",
++                                salt, salt_size,
++                                cid, cid_size,
++                                pins,
++                                required,
++                                ret_decrypted_key,
++                                ret_decrypted_key_size);
++                if (!IN_SET(r,
++                            -ENOANO,   /* needs pin */
++                            -ENOLCK))  /* pin incorrect */
++                        return r;
++
++                device_exists = true; /* that a PIN is needed/wasn't correct means that we managed to
++                                       * talk to a device */
++
++                if (headless)
++                        return log_error_errno(SYNTHETIC_ERRNO(ENOPKG), "PIN querying disabled via 'headless' option. Use the '$PIN' environment variable.");
++
                  pins = strv_free_erase(pins);
                  r = ask_password_auto("Please enter security token PIN:", "drive-harddisk", NULL, "fido2-pin", "cryptsetup.fido2-pin", until, ask_password_flags, &pins);
                  if (r < 0)
@@ -121,35 +127,38 @@ int acquire_fido2_key(
+         }
+ }
--int find_fido2_auto_data(
++int acquire_fido2_key_auto(
                  struct crypt_device *cd,
--                char **ret_rp_id,
--                void **ret_salt,
--                size_t *ret_salt_size,
--                void **ret_cid,
--                size_t *ret_cid_size,
--                int *ret_keyslot,
--                Fido2EnrollFlags *ret_required) {
--
--        _cleanup_free_ void *cid = NULL, *salt = NULL;
--        size_t cid_size = 0, salt_size = 0;
--        _cleanup_free_ char *rp = NULL;
--        int r, keyslot = -1;
++                const char *name,
++                const char *friendly_name,
++                const char *fido2_device,
++                const char *key_file,
++                size_t key_file_size,
++                uint64_t key_file_offset,
++                usec_t until,
++                bool headless,
++                void **ret_decrypted_key,
++                size_t *ret_decrypted_key_size,
++                AskPasswordFlags ask_password_flags) {
++
++        _cleanup_free_ void *cid = NULL;
++        size_t cid_size = 0;
++        int r, ret = -ENOENT;
          Fido2EnrollFlags required = 0;
          assert(cd);
--        assert(ret_salt);
--        assert(ret_salt_size);
--        assert(ret_cid);
--        assert(ret_cid_size);
--        assert(ret_keyslot);
--        assert(ret_required);
++        assert(name);
++        assert(ret_decrypted_key);
++        assert(ret_decrypted_key_size);
          /* Loads FIDO2 metadata from LUKS2 JSON token headers. */
          for (int token = 0; token < sym_crypt_token_max(CRYPT_LUKS2); token ++) {
                  _cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
                  JsonVariant *w;
++                _cleanup_free_ void *salt = NULL;
++                _cleanup_free_ char *rp = NULL;
++                size_t salt_size = 0;
                  int ks;
                  r = cryptsetup_get_token_as_json(cd, token, "systemd-fido2", &v);
@@ -166,13 +175,6 @@ int find_fido2_auto_data(
                          continue;
+                 }
--                if (cid)
--                        return log_error_errno(SYNTHETIC_ERRNO(ENOTUNIQ),
--                                               "Multiple FIDO2 tokens enrolled, cannot automatically determine token.");
--
--                assert(keyslot < 0);
--                keyslot = ks;
--
                  w = json_variant_by_key(v, "fido2-credential");
                  if (!w || !json_variant_is_string(w))
                          return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
@@ -243,20 +245,33 @@ int find_fido2_auto_data(
                          SET_FLAG(required, FIDO2ENROLL_UV, json_variant_boolean(w));
                  } else
                          required |= FIDO2ENROLL_UV_OMIT; /* compat with 248 */
++
++                ret = acquire_fido2_key(
++                                name,
++                                friendly_name,
++                                fido2_device,
++                                rp,
++                                cid, cid_size,
++                                key_file, key_file_size, key_file_offset,
++                                salt, salt_size,
++                                until,
++                                headless,
++                                required,
++                                ret_decrypted_key, ret_decrypted_key_size,
++                                ask_password_flags);
++                if (ret == 0)
++                        break;
+         }
          if (!cid)
                  return log_error_errno(SYNTHETIC_ERRNO(ENXIO),
                                         "No valid FIDO2 token data found.");
--        log_info("Automatically discovered security FIDO2 token unlocks volume.");
++        if (ret == -EAGAIN) /* fido2 device does not exist, or UV is blocked; caller will prompt for retry */
++                return log_debug_errno(ret, "FIDO2 token does not exist, or UV is blocked.");
++        if (ret < 0)
++                return log_error_errno(ret, "Failed to unlock LUKS volume with FIDO2 token: %m");
--        *ret_rp_id = TAKE_PTR(rp);
--        *ret_cid = TAKE_PTR(cid);
--        *ret_cid_size = cid_size;
--        *ret_salt = TAKE_PTR(salt);
--        *ret_salt_size = salt_size;
--        *ret_keyslot = keyslot;
--        *ret_required = required;
--        return 0;
++        log_info("Unlocked volume via automatically discovered security FIDO2 token.");
++        return ret;
+ }
 diff --git a/src/cryptsetup/cryptsetup-fido2.h b/src/cryptsetup/cryptsetup-fido2.h
 index 204f1e0..371bf21 100644
 --- a/src/cryptsetup/cryptsetup-fido2.h
 +++ b/src/cryptsetup/cryptsetup-fido2.h
@@ -29,15 +29,19 @@ int acquire_fido2_key(
                  size_t *ret_decrypted_key_size,
                  AskPasswordFlags ask_password_flags);
--int find_fido2_auto_data(
++int acquire_fido2_key_auto(
                  struct crypt_device *cd,
--                char **ret_rp_id,
--                void **ret_salt,
--                size_t *ret_salt_size,
--                void **ret_cid,
--                size_t *ret_cid_size,
--                int *ret_keyslot,
--                Fido2EnrollFlags *ret_required);
++                const char *name,
++                const char *friendly_name,
++                const char *fido2_device,
++                const char *key_file,
++                size_t key_file_size,
++                uint64_t key_file_offset,
++                usec_t until,
++                bool headless,
++                void **ret_decrypted_key,
++                size_t *ret_decrypted_key_size,
++                AskPasswordFlags ask_password_flags);
  #else
@@ -64,15 +68,19 @@ static inline int acquire_fido2_key(
                                 "FIDO2 token support not available.");
+ }
--static inline int find_fido2_auto_data(
++static inline int acquire_fido2_key_auto(
                  struct crypt_device *cd,
--                char **ret_rp_id,
--                void **ret_salt,
--                size_t *ret_salt_size,
--                void **ret_cid,
--                size_t *ret_cid_size,
--                int *ret_keyslot,
--                Fido2EnrollFlags *ret_required) {
++                const char *name,
++                const char *friendly_name,
++                const char *fido2_device,
++                const char *key_file,
++                size_t key_file_size,
++                uint64_t key_file_offset,
++                usec_t until,
++                bool headless,
++                void **ret_decrypted_key,
++                size_t *ret_decrypted_key_size,
++                AskPasswordFlags ask_password_flags) {
          return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
                                 "FIDO2 token support not available.");
 diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
 index 7aa36b4..a8cfc6d 100644
 --- a/src/cryptsetup/cryptsetup.c
 +++ b/src/cryptsetup/cryptsetup.c
@@ -1061,9 +1061,8 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
          _cleanup_(sd_device_monitor_unrefp) sd_device_monitor *monitor = NULL;
          _cleanup_(erase_and_freep) void *decrypted_key = NULL;
          _cleanup_(sd_event_unrefp) sd_event *event = NULL;
--        _cleanup_free_ void *discovered_salt = NULL, *discovered_cid = NULL;
--        size_t discovered_salt_size, discovered_cid_size, decrypted_key_size, cid_size = 0;
--        _cleanup_free_ char *friendly = NULL, *discovered_rp_id = NULL;
++        size_t decrypted_key_size, cid_size = 0;
++        _cleanup_free_ char *friendly = NULL;
          int keyslot = arg_key_slot, r;
          const char *rp_id = NULL;
          const void *cid = NULL;
@@ -1088,32 +1087,6 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
                   * use PIN + UP when needed, and do not configure UV at all. Eventually, we should make this
                   * explicitly configurable. */
                  required = FIDO2ENROLL_PIN_IF_NEEDED | FIDO2ENROLL_UP_IF_NEEDED | FIDO2ENROLL_UV_OMIT;
--        } else if (!use_libcryptsetup_plugin) {
--                r = find_fido2_auto_data(
--                                cd,
--                                &discovered_rp_id,
--                                &discovered_salt,
--                                &discovered_salt_size,
--                                &discovered_cid,
--                                &discovered_cid_size,
--                                &keyslot,
--                                &required);
--
--                if (IN_SET(r, -ENOTUNIQ, -ENXIO))
--                        return log_debug_errno(SYNTHETIC_ERRNO(EAGAIN),
--                                               "Automatic FIDO2 metadata discovery was not possible because missing or not unique, falling back to traditional unlocking.");
--                if (r < 0)
--                        return r;
--
--                if ((required & (FIDO2ENROLL_PIN | FIDO2ENROLL_UP | FIDO2ENROLL_UV)) && arg_headless)
--                        return log_error_errno(SYNTHETIC_ERRNO(ENOPKG),
--                                               "Local verification is required to unlock this volume, but the 'headless' parameter was set.");
--
--                rp_id = discovered_rp_id;
--                key_data = discovered_salt;
--                key_data_size = discovered_salt_size;
--                cid = discovered_cid;
--                cid_size = discovered_cid_size;
+         }
          friendly = friendly_disk_name(crypt_get_device_name(cd), name);
@@ -1128,19 +1101,31 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
                                                         "Automatic FIDO2 metadata discovery was not possible because missing or not unique, falling back to traditional unlocking.");
                  } else {
--                        r = acquire_fido2_key(
--                                        name,
--                                        friendly,
--                                        arg_fido2_device,
--                                        rp_id,
--                                        cid, cid_size,
--                                        key_file, arg_keyfile_size, arg_keyfile_offset,
--                                        key_data, key_data_size,
--                                        until,
--                                        arg_headless,
--                                        required,
--                                        &decrypted_key, &decrypted_key_size,
--                                        arg_ask_password_flags);
++                        if (cid)
++                                r = acquire_fido2_key(
++                                                name,
++                                                friendly,
++                                                arg_fido2_device,
++                                                rp_id,
++                                                cid, cid_size,
++                                                key_file, arg_keyfile_size, arg_keyfile_offset,
++                                                key_data, key_data_size,
++                                                until,
++                                                arg_headless,
++                                                required,
++                                                &decrypted_key, &decrypted_key_size,
++                                                arg_ask_password_flags);
++                        else
++                                r = acquire_fido2_key_auto(
++                                                cd,
++                                                name,
++                                                friendly,
++                                                arg_fido2_device,
++                                                key_file, arg_keyfile_size, arg_keyfile_offset,
++                                                until,
++                                                arg_headless,
++                                                &decrypted_key, &decrypted_key_size,
++                                                arg_ask_password_flags);
                          if (r >= 0)
                                  break;
+                 }
 diff --git a/src/fundamental/macro-fundamental.h b/src/fundamental/macro-fundamental.h
 index c11a5b1..e73174a 100644
 --- a/src/fundamental/macro-fundamental.h
 +++ b/src/fundamental/macro-fundamental.h
@@ -20,6 +20,7 @@
  #define _hidden_ __attribute__((__visibility__("hidden")))
  #define _likely_(x) (__builtin_expect(!!(x), 1))
  #define _malloc_ __attribute__((__malloc__))
++#define _noinline_ __attribute__((noinline))
  #define _noreturn_ _Noreturn
  #define _packed_ __attribute__((__packed__))
  #define _printf_(a, b) __attribute__((__format__(printf, a, b)))
 diff --git a/src/gpt-auto-generator/gpt-auto-generator.c b/src/gpt-auto-generator/gpt-auto-generator.c
 index 143faa0..30639b3 100644
 --- a/src/gpt-auto-generator/gpt-auto-generator.c
 +++ b/src/gpt-auto-generator/gpt-auto-generator.c
@@ -414,14 +414,14 @@ static int add_automount(
  static const char *esp_or_xbootldr_options(const DissectedPartition *p) {
          assert(p);
--        /* if we probed vfat or have no idea about the file system then assume these file systems are vfat
--         * and thus understand "umask=0077". If we detected something else then don't specify any options and
--         * use kernel defaults. */
++        /* Discoveried ESP and XBOOTLDR partition are always hardened with "noexec,nosuid,nodev".
++         * If we probed vfat or have no idea about the file system then assume these file systems are vfat
++         * and thus understand "umask=0077". */
          if (!p->fstype || streq(p->fstype, "vfat"))
--                return "umask=0077";
++                return "umask=0077,noexec,nosuid,nodev";
--        return NULL;
++        return "noexec,nosuid,nodev";
+ }
  static int add_partition_xbootldr(DissectedPartition *p) {
 diff --git a/src/import/curl-util.c b/src/import/curl-util.c
 index c124c98..94f718d 100644
 --- a/src/import/curl-util.c
 +++ b/src/import/curl-util.c
@@ -252,7 +252,11 @@ int curl_glue_make(CURL **ret, const char *url, void *userdata) {
          if (curl_easy_setopt(c, CURLOPT_LOW_SPEED_LIMIT, 30L) != CURLE_OK)
                  return -EIO;
++#if LIBCURL_VERSION_NUM >= 0x075500 /* libcurl 7.85.0 */
++        if (curl_easy_setopt(c, CURLOPT_PROTOCOLS_STR, "HTTP,HTTPS,FILE") != CURLE_OK)
++#else
          if (curl_easy_setopt(c, CURLOPT_PROTOCOLS, CURLPROTO_HTTP|CURLPROTO_HTTPS|CURLPROTO_FILE) != CURLE_OK)
++#endif
                  return -EIO;
          *ret = TAKE_PTR(c);
 diff --git a/src/import/pull-job.c b/src/import/pull-job.c
 index 1e105bc..d4d07a0 100644
 --- a/src/import/pull-job.c
 +++ b/src/import/pull-job.c
@@ -124,8 +124,8 @@ static int pull_job_restart(PullJob *j, const char *new_url) {
  void pull_job_curl_on_finished(CurlGlue *g, CURL *curl, CURLcode result) {
          PullJob *j = NULL;
++        char *scheme = NULL;
          CURLcode code;
--        long protocol;
          int r;
          if (curl_easy_getinfo(curl, CURLINFO_PRIVATE, (char **)&j) != CURLE_OK)
@@ -139,13 +139,13 @@ void pull_job_curl_on_finished(CurlGlue *g, CURL *curl, CURLcode result) {
                  goto finish;
+         }
--        code = curl_easy_getinfo(curl, CURLINFO_PROTOCOL, &protocol);
--        if (code != CURLE_OK) {
--                r = log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to retrieve response code: %s", curl_easy_strerror(code));
++        code = curl_easy_getinfo(curl, CURLINFO_SCHEME, &scheme);
++        if (code != CURLE_OK || !scheme) {
++                r = log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to retrieve URL scheme.");
                  goto finish;
+         }
--        if (IN_SET(protocol, CURLPROTO_HTTP, CURLPROTO_HTTPS)) {
++        if (STRCASE_IN_SET(scheme, "HTTP", "HTTPS")) {
                  long status;
                  code = curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &status);
 diff --git a/src/journal-remote/microhttpd-util.h b/src/journal-remote/microhttpd-util.h
 index 7e7d1b5..df18335 100644
 --- a/src/journal-remote/microhttpd-util.h
 +++ b/src/journal-remote/microhttpd-util.h
@@ -64,11 +64,11 @@ void microhttpd_logger(void *arg, const char *fmt, va_list ap) _printf_(2, 0);
  int mhd_respondf(struct MHD_Connection *connection,
                   int error,
--                 unsigned code,
++                 enum MHD_RequestTerminationCode code,
                   const char *format, ...) _printf_(4,5);
  int mhd_respond(struct MHD_Connection *connection,
--                unsigned code,
++                enum MHD_RequestTerminationCode code,
                  const char *message);
  int mhd_respond_oom(struct MHD_Connection *connection);
 diff --git a/src/kernel-install/50-depmod.install b/src/kernel-install/50-depmod.install
 index 43bd87c..88f858f 100755
 --- a/src/kernel-install/50-depmod.install
 +++ b/src/kernel-install/50-depmod.install
@@ -23,6 +23,8 @@ set -e
  COMMAND="${1:?}"
  KERNEL_VERSION="${2:?}"
++[ -w "/lib/modules" ] || exit 0
++
  case "$COMMAND" in
      add)
          [ -d "/lib/modules/$KERNEL_VERSION/kernel" ] || exit 0
 diff --git a/src/libsystemd-network/sd-dhcp-client.c b/src/libsystemd-network/sd-dhcp-client.c
 index a106f7f..b755c12 100644
 --- a/src/libsystemd-network/sd-dhcp-client.c
 +++ b/src/libsystemd-network/sd-dhcp-client.c
@@ -188,35 +188,33 @@ int sd_dhcp_client_id_to_string(const void *data, size_t len, char **ret) {
                          r = asprintf(&t, "DATA");
                  break;
          case 1:
--                if (len != sizeof_field(sd_dhcp_client_id, eth))
--                        return -EINVAL;
--
--                r = asprintf(&t, "%02x:%02x:%02x:%02x:%02x:%02x",
--                             client_id->eth.haddr[0],
--                             client_id->eth.haddr[1],
--                             client_id->eth.haddr[2],
--                             client_id->eth.haddr[3],
--                             client_id->eth.haddr[4],
--                             client_id->eth.haddr[5]);
++                if (len == sizeof_field(sd_dhcp_client_id, eth))
++                        r = asprintf(&t, "%02x:%02x:%02x:%02x:%02x:%02x",
++                                     client_id->eth.haddr[0],
++                                     client_id->eth.haddr[1],
++                                     client_id->eth.haddr[2],
++                                     client_id->eth.haddr[3],
++                                     client_id->eth.haddr[4],
++                                     client_id->eth.haddr[5]);
++                else
++                        r = asprintf(&t, "ETHER");
                  break;
          case 2 ... 254:
                  r = asprintf(&t, "ARP/LL");
                  break;
          case 255:
--                if (len < 6)
--                        return -EINVAL;
--
--                uint32_t iaid = be32toh(client_id->ns.iaid);
--                uint16_t duid_type = be16toh(client_id->ns.duid.type);
--                if (dhcp_validate_duid_len(duid_type, len - 6, true) < 0)
--                        return -EINVAL;
--
--                r = asprintf(&t, "IAID:0x%x/DUID", iaid);
++                if (len < sizeof(uint32_t))
++                        r = asprintf(&t, "IAID/DUID");
++                else {
++                        uint32_t iaid = be32toh(client_id->ns.iaid);
++                        /* TODO: check and stringify DUID */
++                        r = asprintf(&t, "IAID:0x%x/DUID", iaid);
++                }
                  break;
+         }
--
          if (r < 0)
                  return -ENOMEM;
++
          *ret = TAKE_PTR(t);
          return 0;
+ }
 diff --git a/src/libsystemd-network/sd-dhcp-lease.c b/src/libsystemd-network/sd-dhcp-lease.c
 index d9db35f..b14ad57 100644
 --- a/src/libsystemd-network/sd-dhcp-lease.c
 +++ b/src/libsystemd-network/sd-dhcp-lease.c
@@ -995,7 +995,7 @@ int dhcp_lease_save(sd_dhcp_lease *lease, const char *lease_file) {
          r = sd_dhcp_lease_get_router(lease, &addresses);
          if (r > 0) {
                  fputs("ROUTER=", f);
--                serialize_in_addrs(f, addresses, r, false, NULL);
++                serialize_in_addrs(f, addresses, r, NULL, NULL);
                  fputc('\n', f);
+         }
@@ -1030,21 +1030,21 @@ int dhcp_lease_save(sd_dhcp_lease *lease, const char *lease_file) {
          r = sd_dhcp_lease_get_dns(lease, &addresses);
          if (r > 0) {
                  fputs("DNS=", f);
--                serialize_in_addrs(f, addresses, r, false, NULL);
++                serialize_in_addrs(f, addresses, r, NULL, NULL);
                  fputc('\n', f);
+         }
          r = sd_dhcp_lease_get_ntp(lease, &addresses);
          if (r > 0) {
                  fputs("NTP=", f);
--                serialize_in_addrs(f, addresses, r, false, NULL);
++                serialize_in_addrs(f, addresses, r, NULL, NULL);
                  fputc('\n', f);
+         }
          r = sd_dhcp_lease_get_sip(lease, &addresses);
          if (r > 0) {
                  fputs("SIP=", f);
--                serialize_in_addrs(f, addresses, r, false, NULL);
++                serialize_in_addrs(f, addresses, r, NULL, NULL);
                  fputc('\n', f);
+         }
 diff --git a/src/libsystemd-network/test-ndisc-ra.c b/src/libsystemd-network/test-ndisc-ra.c
 index 001df4d..bd8c0fd 100644
 --- a/src/libsystemd-network/test-ndisc-ra.c
 +++ b/src/libsystemd-network/test-ndisc-ra.c
@@ -53,7 +53,6 @@ static uint8_t advertisement[] = {
  static bool test_stopped;
  static int test_fd[2];
--static sd_event_source *recv_router_advertisement;
  static struct {
          struct in6_addr address;
          unsigned char prefixlen;
@@ -281,9 +280,9 @@ static int radv_recv(sd_event_source *s, int fd, uint32_t revents, void *userdat
+ }
  TEST(ra) {
--        sd_event *e;
--        sd_radv *ra;
--        unsigned i;
++        _cleanup_(sd_event_unrefp) sd_event *e = NULL;
++        _cleanup_(sd_event_source_unrefp) sd_event_source *recv_router_advertisement = NULL;
++        _cleanup_(sd_radv_unrefp) sd_radv *ra = NULL;
          assert_se(socketpair(AF_UNIX, SOCK_SEQPACKET | SOCK_CLOEXEC | SOCK_NONBLOCK, 0, test_fd) >= 0);
@@ -303,7 +302,7 @@ TEST(ra) {
          assert_se(sd_radv_set_rdnss(ra, 60, &test_rdnss, 1) >= 0);
          assert_se(sd_radv_set_dnssl(ra, 60, (char **)test_dnssl) >= 0);
--        for (i = 0; i < ELEMENTSOF(prefix); i++) {
++        for (unsigned i = 0; i < ELEMENTSOF(prefix); i++) {
                  sd_radv_prefix *p;
                  printf("Test prefix %u\n", i);
@@ -324,8 +323,8 @@ TEST(ra) {
                  assert_se(!p);
+         }
--        assert_se(sd_event_add_io(e, &recv_router_advertisement, test_fd[0],
--                                  EPOLLIN, radv_recv, ra) >= 0);
++        assert_se(sd_event_add_io(e, &recv_router_advertisement, test_fd[0], EPOLLIN, radv_recv, ra) >= 0);
++        assert_se(sd_event_source_set_io_fd_own(recv_router_advertisement, true) >= 0);
          assert_se(sd_event_add_time_relative(e, NULL, CLOCK_BOOTTIME,
 * USEC_PER_SEC, 0,
@@ -334,13 +333,6 @@ TEST(ra) {
          assert_se(sd_radv_start(ra) >= 0);
          assert_se(sd_event_loop(e) >= 0);
--
--        ra = sd_radv_unref(ra);
--        assert_se(!ra);
--
--        close(test_fd[0]);
--
--        sd_event_unref(e);
+ }
  DEFINE_TEST_MAIN(LOG_DEBUG);
 diff --git a/src/libsystemd-network/test-ndisc-rs.c b/src/libsystemd-network/test-ndisc-rs.c
 index 3c679f6..e501b64 100644
 --- a/src/libsystemd-network/test-ndisc-rs.c
 +++ b/src/libsystemd-network/test-ndisc-rs.c
@@ -10,6 +10,7 @@
  #include "sd-ndisc.h"
  #include "alloc-util.h"
++#include "fd-util.h"
  #include "hexdecoct.h"
  #include "icmp6-util.h"
  #include "socket-util.h"
@@ -255,8 +256,8 @@ static void test_callback(sd_ndisc *nd, sd_ndisc_event_t event, sd_ndisc_router
+ }
  TEST(rs) {
--        sd_event *e;
--        sd_ndisc *nd;
++        _cleanup_(sd_event_unrefp) sd_event *e = NULL;
++        _cleanup_(sd_ndisc_unrefp) sd_ndisc *nd = NULL;
          send_ra_function = send_ra;
@@ -279,17 +280,13 @@ TEST(rs) {
          assert_se(sd_ndisc_start(nd) >= 0);
          assert_se(sd_ndisc_start(nd) >= 0);
          assert_se(sd_ndisc_stop(nd) >= 0);
++        test_fd[1] = safe_close(test_fd[1]);
          assert_se(sd_ndisc_start(nd) >= 0);
          assert_se(sd_event_loop(e) >= 0);
--        nd = sd_ndisc_unref(nd);
--        assert_se(!nd);
--
--        close(test_fd[1]);
--
--        sd_event_unref(e);
++        test_fd[1] = safe_close(test_fd[1]);
+ }
  static int test_timeout_value(uint8_t flags) {
@@ -342,8 +339,8 @@ static int test_timeout_value(uint8_t flags) {
+ }
  TEST(timeout) {
--        sd_event *e;
--        sd_ndisc *nd;
++        _cleanup_(sd_event_unrefp) sd_event *e = NULL;
++        _cleanup_(sd_ndisc_unrefp) sd_ndisc *nd = NULL;
          send_ra_function = test_timeout_value;
@@ -367,9 +364,7 @@ TEST(timeout) {
          assert_se(sd_event_loop(e) >= 0);
--        nd = sd_ndisc_unref(nd);
--
--        sd_event_unref(e);
++        test_fd[1] = safe_close(test_fd[1]);
+ }
  DEFINE_TEST_MAIN(LOG_DEBUG);
 diff --git a/src/libsystemd/sd-device/test-sd-device.c b/src/libsystemd/sd-device/test-sd-device.c
 index 4ab8b38..ff4209e 100644
 --- a/src/libsystemd/sd-device/test-sd-device.c
 +++ b/src/libsystemd/sd-device/test-sd-device.c
@@ -180,15 +180,16 @@ static void test_sd_device_one(sd_device *d) {
          } else
                  assert_se(r == -ENOENT);
--        r = sd_device_get_sysattr_value(d, "name_assign_type", &val);
--        assert_se(r >= 0 || ERRNO_IS_PRIVILEGE(r) || IN_SET(r, -ENOENT, -EINVAL));
--
--        if (r > 0) {
++        r = sd_device_get_sysattr_value(d, "nsid", NULL);
++        if (r >= 0) {
                  unsigned x;
--                assert_se(device_get_sysattr_unsigned(d, "name_assign_type", NULL) >= 0);
--                assert_se(device_get_sysattr_unsigned(d, "name_assign_type", &x) >= 0);
--        }
++                assert_se(device_get_sysattr_unsigned(d, "nsid", NULL) >= 0);
++                r = device_get_sysattr_unsigned(d, "nsid", &x);
++                assert_se(r >= 0);
++                assert_se((x > 0) == (r > 0));
++        } else
++                assert_se(ERRNO_IS_PRIVILEGE(r) || IN_SET(r, -ENOENT, -EINVAL));
+ }
  TEST(sd_device_enumerator_devices) {
 diff --git a/src/libsystemd/sd-event/sd-event.c b/src/libsystemd/sd-event/sd-event.c
 index 778070a..4a4cc3a 100644
 --- a/src/libsystemd/sd-event/sd-event.c
 +++ b/src/libsystemd/sd-event/sd-event.c
@@ -658,7 +658,9 @@ static int event_make_signal_data(
          ss_copy = d->sigset;
          assert_se(sigaddset(&ss_copy, sig) >= 0);
--        r = signalfd(d->fd, &ss_copy, SFD_NONBLOCK|SFD_CLOEXEC);
++        r = signalfd(d->fd >= 0 ? d->fd : -1,   /* the first arg must be -1 or a valid signalfd */
++                     &ss_copy,
++                     SFD_NONBLOCK|SFD_CLOEXEC);
          if (r < 0) {
                  r = -errno;
                  goto fail;
@@ -2723,6 +2725,9 @@ _public_ int sd_event_source_set_time_relative(sd_event_source *s, uint64_t usec
          assert_return(s, -EINVAL);
          assert_return(EVENT_SOURCE_IS_TIME(s->type), -EDOM);
++        if (usec == USEC_INFINITY)
++                return sd_event_source_set_time(s, USEC_INFINITY);
++
          r = sd_event_now(s->event, event_source_type_to_clock(s->type), &t);
          if (r < 0)
                  return r;
 diff --git a/src/locale/localed.c b/src/locale/localed.c
 index 7aa47f1..8b1f0de 100644
 --- a/src/locale/localed.c
 +++ b/src/locale/localed.c
@@ -32,7 +32,7 @@
  #include "strv.h"
  #include "user-util.h"
--static int locale_update_system_manager(sd_bus *bus, char **l_set, char **l_unset) {
++static int reload_system_manager(sd_bus *bus) {
          _cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL;
          _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
          int r;
@@ -43,21 +43,13 @@ static int locale_update_system_manager(sd_bus *bus, char **l_set, char **l_unse
                          "org.freedesktop.systemd1",
                          "/org/freedesktop/systemd1",
                          "org.freedesktop.systemd1.Manager",
--                        "UnsetAndSetEnvironment");
--        if (r < 0)
--                return bus_log_create_error(r);
--
--        r = sd_bus_message_append_strv(m, l_unset);
--        if (r < 0)
--                return bus_log_create_error(r);
--
--        r = sd_bus_message_append_strv(m, l_set);
++                        "Reload");
          if (r < 0)
                  return bus_log_create_error(r);
          r = sd_bus_call(bus, m, 0, &error, NULL);
          if (r < 0)
--                return log_error_errno(r, "Failed to update the manager environment: %s", bus_error_message(&error, r));
++                return log_error_errno(r, "Failed to reload system manager: %s", bus_error_message(&error, r));
          return 0;
+ }
@@ -393,7 +385,11 @@ static int method_set_locale(sd_bus_message *m, void *userdata, sd_bus_error *er
                  return sd_bus_error_set_errnof(error, r, "Failed to set locale: %m");
+         }
--        (void) locale_update_system_manager(sd_bus_message_get_bus(m), l_set, l_unset);
++        /* Since we just updated the locale configuration file, ask the system manager to read it again to
++         * update its default locale settings. It's important to not use UnsetAndSetEnvironment or a similar
++         * method because in this case unsetting variables means restoring them to PID1 default values, which
++         * may be outdated, since locale.conf has just changed and PID1 hasn't read it */
++        (void) reload_system_manager(sd_bus_message_get_bus(m));
          if (!strv_isempty(l_set)) {
                  _cleanup_free_ char *line = NULL;
 diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c
 index 86a5dec..2ab26b9 100644
 --- a/src/login/logind-dbus.c
 +++ b/src/login/logind-dbus.c
@@ -3970,6 +3970,12 @@ int manager_start_scope(
          if (r < 0)
                  return r;
++        /* For login session scopes, if a process is OOM killed by the kernel, *don't* terminate the rest of
++           the scope */
++        r = sd_bus_message_append(m, "(sv)", "OOMPolicy", "s", "continue");
++        if (r < 0)
++                return r;
++
          /* disable TasksMax= for the session scope, rely on the slice setting for it */
          r = sd_bus_message_append(m, "(sv)", "TasksMax", "t", UINT64_MAX);
          if (r < 0)
 diff --git a/src/network/netdev/l2tp-tunnel.c b/src/network/netdev/l2tp-tunnel.c
 index 2bce0fc..fd2783e 100644
 --- a/src/network/netdev/l2tp-tunnel.c
 +++ b/src/network/netdev/l2tp-tunnel.c
@@ -522,7 +522,7 @@ int config_parse_l2tp_tunnel_local_address(
                          return log_oom();
+         }
--        type = l2tp_local_address_type_from_string(rvalue);
++        type = l2tp_local_address_type_from_string(addr_or_type);
          if (type >= 0) {
                  free_and_replace(t->local_ifname, ifname);
                  t->local_address_type = type;
@@ -535,15 +535,15 @@ int config_parse_l2tp_tunnel_local_address(
                  return 0;
+         }
--        r = in_addr_from_string_auto(rvalue, &f, &a);
++        r = in_addr_from_string_auto(addr_or_type, &f, &a);
          if (r < 0) {
                  log_syntax(unit, LOG_WARNING, filename, line, r,
--                           "Invalid L2TP Tunnel local address specified, ignoring assignment: %s", rvalue);
++                           "Invalid L2TP Tunnel local address \"%s\" specified, ignoring assignment: %s", addr_or_type, rvalue);
                  return 0;
+         }
          if (in_addr_is_null(f, &a)) {
--                log_syntax(unit, LOG_WARNING, filename, line, r,
++                log_syntax(unit, LOG_WARNING, filename, line, 0,
                             "L2TP Tunnel local address cannot be null, ignoring assignment: %s", rvalue);
                  return 0;
+         }
@@ -599,7 +599,7 @@ int config_parse_l2tp_tunnel_remote_address(
+         }
          if (in_addr_is_null(f, &a)) {
--                log_syntax(unit, LOG_WARNING, filename, line, r,
++                log_syntax(unit, LOG_WARNING, filename, line, 0,
                             "L2TP Tunnel remote address cannot be null, ignoring assignment: %s", rvalue);
                  return 0;
+         }
 diff --git a/src/network/networkd-address.c b/src/network/networkd-address.c
 index b614f6b..08b5bd8 100644
 --- a/src/network/networkd-address.c
 +++ b/src/network/networkd-address.c
@@ -1230,9 +1230,13 @@ int link_request_address(
          (void) address_get(link, address, &existing);
--        if (address->lifetime_valid_usec == 0)
++        if (address->lifetime_valid_usec == 0) {
++                if (consume_object)
++                        address_free(address);
++
                  /* The requested address is outdated. Let's remove it. */
                  return address_remove_and_drop(existing);
++        }
          if (!existing) {
                  _cleanup_(address_freep) Address *tmp = NULL;
 diff --git a/src/network/networkd-ndisc.c b/src/network/networkd-ndisc.c
 index a1402d7..5fb5d96 100644
 --- a/src/network/networkd-ndisc.c
 +++ b/src/network/networkd-ndisc.c
@@ -794,31 +794,24 @@ static int ndisc_router_process_options(Link *link, sd_ndisc_router *rt) {
                          return log_link_error_errno(link, r, "Failed to get RA option type: %m");
                  switch (type) {
--
                  case SD_NDISC_OPTION_PREFIX_INFORMATION:
                          r = ndisc_router_process_prefix(link, rt);
--                        if (r < 0)
--                                return r;
                          break;
                  case SD_NDISC_OPTION_ROUTE_INFORMATION:
                          r = ndisc_router_process_route(link, rt);
--                        if (r < 0)
--                                return r;
                          break;
                  case SD_NDISC_OPTION_RDNSS:
                          r = ndisc_router_process_rdnss(link, rt);
--                        if (r < 0)
--                                return r;
                          break;
                  case SD_NDISC_OPTION_DNSSL:
                          r = ndisc_router_process_dnssl(link, rt);
--                        if (r < 0)
--                                return r;
                          break;
+                 }
++                if (r < 0 && r != -EBADMSG)
++                        return r;
+         }
+ }
@@ -1001,6 +994,10 @@ static int ndisc_router_handler(Link *link, sd_ndisc_router *rt) {
          assert(rt);
          r = sd_ndisc_router_get_address(rt, &router);
++        if (r == -ENODATA) {
++                log_link_debug(link, "Received RA without router address, ignoring.");
++                return 0;
++        }
          if (r < 0)
                  return log_link_error_errno(link, r, "Failed to get router address from RA: %m");
@@ -1015,6 +1012,10 @@ static int ndisc_router_handler(Link *link, sd_ndisc_router *rt) {
+         }
          r = sd_ndisc_router_get_timestamp(rt, CLOCK_BOOTTIME, &timestamp_usec);
++        if (r == -ENODATA) {
++                log_link_debug(link, "Received RA without timestamp, ignoring.");
++                return 0;
++        }
          if (r < 0)
                  return r;
@@ -1061,7 +1062,7 @@ static void ndisc_handler(sd_ndisc *nd, sd_ndisc_event_t event, sd_ndisc_router
          case SD_NDISC_EVENT_ROUTER:
                  r = ndisc_router_handler(link, rt);
--                if (r < 0) {
++                if (r < 0 && r != -EBADMSG) {
                          link_enter_failed(link);
                          return;
+                 }
 diff --git a/src/network/networkd-route.c b/src/network/networkd-route.c
 index d1f3bab..5214a8a 100644
 --- a/src/network/networkd-route.c
 +++ b/src/network/networkd-route.c
@@ -1437,9 +1437,13 @@ int link_request_route(
          (void) route_get(link->manager, link, route, &existing);
--        if (route->lifetime_usec == 0)
++        if (route->lifetime_usec == 0) {
++                if (consume_object)
++                        route_free(route);
++
                  /* The requested route is outdated. Let's remove it. */
                  return route_remove_and_drop(existing);
++        }
          if (!existing) {
                  _cleanup_(route_freep) Route *tmp = NULL;
 diff --git a/src/nspawn/nspawn-patch-uid.c b/src/nspawn/nspawn-patch-uid.c
 index 1535d19..75fa931 100644
 --- a/src/nspawn/nspawn-patch-uid.c
 +++ b/src/nspawn/nspawn-patch-uid.c
@@ -181,7 +181,9 @@ static int patch_acls(int fd, const char *name, const struct stat *st, uid_t shi
          if (S_ISDIR(st->st_mode)) {
                  acl_free(acl);
--                acl_free(shifted);
++
++                if (shifted)
++                        acl_free(shifted);
                  acl = shifted = NULL;
 diff --git a/src/partition/growfs.c b/src/partition/growfs.c
 index 8a04071..6280a24 100644
 --- a/src/partition/growfs.c
 +++ b/src/partition/growfs.c
@@ -3,12 +3,17 @@
  #include <errno.h>
  #include <fcntl.h>
  #include <getopt.h>
--#include <linux/btrfs.h>
  #include <linux/magic.h>
  #include <sys/ioctl.h>
  #include <sys/mount.h>
  #include <sys/types.h>
  #include <sys/vfs.h>
++/* This needs to be included after sys/mount.h, as since [0] linux/btrfs.h
++ * includes linux/fs.h causing build errors
++ * See: https://github.com/systemd/systemd/issues/8507
++ * [0] https://github.com/torvalds/linux/commit/a28135303a669917002f569aecebd5758263e4aa
++ */
++#include <linux/btrfs.h>
  #include "sd-device.h"
 diff --git a/src/resolve/resolvectl.c b/src/resolve/resolvectl.c
 index b07761a..2d1caf7 100644
 --- a/src/resolve/resolvectl.c
 +++ b/src/resolve/resolvectl.c
@@ -1933,15 +1933,15 @@ static int status_global(sd_bus *bus, StatusMode mode, bool *empty_line) {
                          return table_log_add_error(r);
+         }
--        r = dump_list(table, "DNS Servers:", global_info.dns_ex ?: global_info.dns);
++        r = dump_list(table, "DNS Servers", global_info.dns_ex ?: global_info.dns);
          if (r < 0)
                  return r;
--        r = dump_list(table, "Fallback DNS Servers:", global_info.fallback_dns_ex ?: global_info.fallback_dns);
++        r = dump_list(table, "Fallback DNS Servers", global_info.fallback_dns_ex ?: global_info.fallback_dns);
          if (r < 0)
                  return r;
--        r = dump_list(table, "DNS Domain:", global_info.domains);
++        r = dump_list(table, "DNS Domain", global_info.domains);
          if (r < 0)
                  return r;
 diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c
 index 4f74449..88830fb 100644
 --- a/src/resolve/resolved-dns-scope.c
 +++ b/src/resolve/resolved-dns-scope.c
@@ -474,7 +474,8 @@ static int dns_scope_socket(
                   * host result in EHOSTUNREACH, since Linux won't send the packets out of the specified
                   * interface, but delivers them directly to the local socket. */
                  if (s->link &&
--                    !manager_find_link_address(s->manager, sa.sa.sa_family, sockaddr_in_addr(&sa.sa))) {
++                    !manager_find_link_address(s->manager, sa.sa.sa_family, sockaddr_in_addr(&sa.sa)) &&
++                    in_addr_is_localhost(sa.sa.sa_family, sockaddr_in_addr(&sa.sa)) == 0) {
                          r = socket_bind_to_ifindex(fd, ifindex);
                          if (r < 0)
                                  return r;
 diff --git a/src/resolve/resolved-dns-search-domain.c b/src/resolve/resolved-dns-search-domain.c
 index bcbb275..647c0bd 100644
 --- a/src/resolve/resolved-dns-search-domain.c
 +++ b/src/resolve/resolved-dns-search-domain.c
@@ -52,7 +52,7 @@ int dns_search_domain_new(
                  l->n_search_domains++;
                  break;
--        case DNS_SERVER_SYSTEM:
++        case DNS_SEARCH_DOMAIN_SYSTEM:
                  LIST_APPEND(domains, m->search_domains, d);
                  m->n_search_domains++;
                  break;
 diff --git a/src/resolve/resolved-dns-server.h b/src/resolve/resolved-dns-server.h
 index be9efb0..f939b53 100644
 --- a/src/resolve/resolved-dns-server.h
 +++ b/src/resolve/resolved-dns-server.h
@@ -44,8 +44,8 @@ typedef enum DnsServerFeatureLevel {
  #define DNS_SERVER_FEATURE_LEVEL_IS_DNSSEC(x) ((x) >= DNS_SERVER_FEATURE_LEVEL_DO)
  #define DNS_SERVER_FEATURE_LEVEL_IS_UDP(x) IN_SET(x, DNS_SERVER_FEATURE_LEVEL_UDP, DNS_SERVER_FEATURE_LEVEL_EDNS0, DNS_SERVER_FEATURE_LEVEL_DO)
--const char* dns_server_feature_level_to_string(int i) _const_;
--int dns_server_feature_level_from_string(const char *s) _pure_;
++const char* dns_server_feature_level_to_string(DnsServerFeatureLevel i) _const_;
++DnsServerFeatureLevel dns_server_feature_level_from_string(const char *s) _pure_;
  struct DnsServer {
          Manager *manager;
 diff --git a/src/resolve/resolved-varlink.c b/src/resolve/resolved-varlink.c
 index 8ba5eb9..f878d9e 100644
 --- a/src/resolve/resolved-varlink.c
 +++ b/src/resolve/resolved-varlink.c
@@ -243,7 +243,7 @@ static void vl_method_resolve_hostname_complete(DnsQuery *query) {
                                             JSON_BUILD_PAIR("flags", JSON_BUILD_INTEGER(dns_query_reply_flags_make(q)))));
  finish:
          if (r < 0) {
--                log_error_errno(r, "Failed to send hostname reply: %m");
++                log_full_errno(ERRNO_IS_DISCONNECT(r) ? LOG_DEBUG : LOG_ERR, r, "Failed to send hostname reply: %m");
                  r = varlink_error_errno(q->varlink_request, r);
+         }
+ }
@@ -462,7 +462,7 @@ static void vl_method_resolve_address_complete(DnsQuery *query) {
                                             JSON_BUILD_PAIR("flags", JSON_BUILD_INTEGER(dns_query_reply_flags_make(q)))));
  finish:
          if (r < 0) {
--                log_error_errno(r, "Failed to send address reply: %m");
++                log_full_errno(ERRNO_IS_DISCONNECT(r) ? LOG_DEBUG : LOG_ERR, r, "Failed to send address reply: %m");
                  r = varlink_error_errno(q->varlink_request, r);
+         }
+ }
 diff --git a/src/shared/bootspec.c b/src/shared/bootspec.c
 index 14bcbf6..ceb7012 100644
 --- a/src/shared/bootspec.c
 +++ b/src/shared/bootspec.c
@@ -740,9 +740,11 @@ static int boot_entry_load_unified(
          if (!tmp.title)
                  return log_oom();
--        tmp.sort_key = strdup(good_sort_key);
--        if (!tmp.sort_key)
--                return log_oom();
++        if (good_sort_key) {
++                tmp.sort_key = strdup(good_sort_key);
++                if (!tmp.sort_key)
++                        return log_oom();
++        }
          if (good_version) {
                  tmp.version = strdup(good_version);
 diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c
 index b850a28..922011e 100644
 --- a/src/shared/bus-unit-util.c
 +++ b/src/shared/bus-unit-util.c
@@ -2142,6 +2142,9 @@ static int bus_append_scope_property(sd_bus_message *m, const char *field, const
          if (STR_IN_SET(field, "User", "Group"))
                  return bus_append_string(m, field, eq);
++        if (streq(field, "OOMPolicy"))
++                return bus_append_string(m, field, eq);
++
          return 0;
+ }
 diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c
 index ecf90e2..eab0ca1 100644
 --- a/src/shared/creds-util.c
 +++ b/src/shared/creds-util.c
@@ -9,6 +9,7 @@
  #include "sd-id128.h"
  #include "blockdev-util.h"
++#include "capability-util.h"
  #include "chattr-util.h"
  #include "creds-util.h"
  #include "def.h"
@@ -173,10 +174,15 @@ static int make_credential_host_secret(
          assert(dfd >= 0);
          assert(fn);
--        fd = openat(dfd, ".", O_CLOEXEC|O_WRONLY|O_TMPFILE, 0400);
++        /* For non-root users creating a temporary file using the openat(2) over "." will fail later, in the
++         * linkat(2) step at the end.  The reason is that linkat(2) requires the CAP_DAC_READ_SEARCH
++         * capability when it uses the AT_EMPTY_PATH flag. */
++        if (have_effective_cap(CAP_DAC_READ_SEARCH) > 0) {
++                fd = openat(dfd, ".", O_CLOEXEC|O_WRONLY|O_TMPFILE, 0400);
++                if (fd < 0)
++                        log_debug_errno(errno, "Failed to create temporary credential file with O_TMPFILE, proceeding without: %m");
++        }
          if (fd < 0) {
--                log_debug_errno(errno, "Failed to create temporary credential file with O_TMPFILE, proceeding without: %m");
--
                  if (asprintf(&t, "credential.secret.%016" PRIx64, random_u64()) < 0)
                          return -ENOMEM;
@@ -602,24 +608,14 @@ int encrypt_credential_and_warn(
  #if HAVE_TPM2
          bool try_tpm2;
--        if (sd_id128_equal(with_key, _CRED_AUTO)) {
--                /* If automatic mode is selected and we are running in a container, let's not try TPM2. OTOH
--                 * if user picks TPM2 explicitly, let's always honour the request and try. */
--
--                r = detect_container();
--                if (r < 0)
--                        log_debug_errno(r, "Failed to determine whether we are running in a container, ignoring: %m");
--                else if (r > 0)
--                        log_debug("Running in container, not attempting to use TPM2.");
--
--                try_tpm2 = r <= 0;
--        } else if (sd_id128_equal(with_key, _CRED_AUTO_INITRD)) {
--                /* If automatic mode for initrds is selected, we'll use the TPM2 key if the firmware does it,
--                 * otherwise we'll use a fixed key */
++        if (sd_id128_in_set(with_key, _CRED_AUTO, _CRED_AUTO_INITRD)) {
++                /* If automatic mode is selected lets see if a TPM2 it is present. If we are running in a
++                 * container tpm2_support will detect this, and will return a different flag combination of
++                 * TPM2_SUPPORT_FULL, effectively skipping the use of TPM2 when inside one. */
--                try_tpm2 = efi_has_tpm2();
++                try_tpm2 = tpm2_support() == TPM2_SUPPORT_FULL;
                  if (!try_tpm2)
--                        log_debug("Firmware lacks TPM2 support, not attempting to use TPM2.");
++                        log_debug("System lacks TPM2 support or running in a container, not attempting to use TPM2.");
          } else
                  try_tpm2 = sd_id128_in_set(with_key,
                                             CRED_AES256_GCM_BY_TPM2_HMAC,
@@ -660,7 +656,7 @@ int encrypt_credential_and_warn(
                                &tpm2_primary_alg);
                  if (r < 0) {
                          if (sd_id128_equal(with_key, _CRED_AUTO_INITRD))
--                                log_warning("Firmware reported a TPM2 being present and used, but we didn't manage to talk to it. Credential will be refused if SecureBoot is enabled.");
++                                log_warning("TPM2 present and used, but we didn't manage to talk to it. Credential will be refused if SecureBoot is enabled.");
                          else if (!sd_id128_equal(with_key, _CRED_AUTO))
                                  return r;
 diff --git a/src/shared/generator.c b/src/shared/generator.c
 index 5d019f4..85a6316 100644
 --- a/src/shared/generator.c
 +++ b/src/shared/generator.c
@@ -467,6 +467,14 @@ int generator_hook_up_mkfs(
          log_debug("Creating %s", unit_file);
++        const char *fsck_unit;
++        if (in_initrd() && path_equal(where, "/sysroot"))
++                fsck_unit = SPECIAL_FSCK_ROOT_SERVICE;
++        else if (in_initrd() && path_equal(where, "/sysusr/usr"))
++                fsck_unit = SPECIAL_FSCK_USR_SERVICE;
++        else
++                fsck_unit = "systemd-fsck@%i.service";
++
          escaped = cescape(node);
          if (!escaped)
                  return log_oom();
@@ -492,7 +500,7 @@ int generator_hook_up_mkfs(
                  "After=%%i.device\n"
                  /* fsck might or might not be used, so let's be safe and order
                   * ourselves before both systemd-fsck@.service and the mount unit. */
--                "Before=shutdown.target systemd-fsck@%%i.service %s\n"
++                "Before=shutdown.target %s %s\n"
                  "\n"
                  "[Service]\n"
                  "Type=oneshot\n"
@@ -500,6 +508,7 @@ int generator_hook_up_mkfs(
                  "ExecStart="SYSTEMD_MAKEFS_PATH " %s %s\n"
                  "TimeoutSec=0\n",
                  program_invocation_short_name,
++                fsck_unit,
                  where_unit,
                  type,
                  escaped);
 diff --git a/src/shared/install.c b/src/shared/install.c
 index 834a1c5..2c030b8 100644
 --- a/src/shared/install.c
 +++ b/src/shared/install.c
@@ -284,6 +284,9 @@ InstallChangeType install_changes_add(
          assert(!changes == !n_changes);
          assert(INSTALL_CHANGE_TYPE_VALID(type));
++        /* Message formatting requires <path> to be set. */
++        assert(path);
++
          /* Register a change or error. Note that the return value may be the error
           * that was passed in, or -ENOMEM generated internally. */
@@ -339,7 +342,9 @@ void install_changes_dump(int r, const char *verb, const InstallChange *changes,
          assert(verb || r >= 0);
          for (size_t i = 0; i < n_changes; i++) {
--                assert(verb || changes[i].type >= 0);
++                if (changes[i].type < 0)
++                        assert(verb);
++                assert(changes[i].path);
                  /* When making changes here, make sure to also change install_error() in dbus-manager.c. */
@@ -376,7 +381,7 @@ void install_changes_dump(int r, const char *verb, const InstallChange *changes,
                          break;
                  case INSTALL_CHANGE_AUXILIARY_FAILED:
                          if (!quiet)
--                                log_warning("Failed to enable auxiliary unit %s, ignoring.", changes[i].source);
++                                log_warning("Failed to enable auxiliary unit %s, ignoring.", changes[i].path);
                          break;
                  case -EEXIST:
                          if (changes[i].source)
@@ -2126,7 +2131,7 @@ static int install_context_apply(
                  q = install_info_traverse(ctx, lp, i, flags, NULL);
                  if (q < 0) {
                          if (i->auxiliary) {
--                                q = install_changes_add(changes, n_changes, INSTALL_CHANGE_AUXILIARY_FAILED, NULL, i->name);
++                                q = install_changes_add(changes, n_changes, INSTALL_CHANGE_AUXILIARY_FAILED, i->name, NULL);
                                  if (q < 0)
                                          return q;
                                  continue;
 diff --git a/src/shared/install.h b/src/shared/install.h
 index 9bb412b..0abc738 100644
 --- a/src/shared/install.h
 +++ b/src/shared/install.h
@@ -197,7 +197,7 @@ int unit_file_exists(LookupScope scope, const LookupPaths *paths, const char *na
  int unit_file_get_list(LookupScope scope, const char *root_dir, Hashmap *h, char **states, char **patterns);
  Hashmap* unit_file_list_free(Hashmap *h);
--InstallChangeType install_changes_add(InstallChange **changes, size_t *n_changes, int type, const char *path, const char *source);
++InstallChangeType install_changes_add(InstallChange **changes, size_t *n_changes, InstallChangeType type, const char *path, const char *source);
  void install_changes_free(InstallChange *changes, size_t n_changes);
  void install_changes_dump(int r, const char *verb, const InstallChange *changes, size_t n_changes, bool quiet);
@@ -224,7 +224,7 @@ UnitFileState unit_file_state_from_string(const char *s) _pure_;
  /* from_string conversion is unreliable because of the overlap between -EPERM and -1 for error. */
  const char *install_change_type_to_string(InstallChangeType t) _const_;
--int install_change_type_from_string(const char *s) _pure_;
++InstallChangeType install_change_type_from_string(const char *s) _pure_;
  const char *unit_file_preset_mode_to_string(UnitFilePresetMode m) _const_;
  UnitFilePresetMode unit_file_preset_mode_from_string(const char *s) _pure_;
 diff --git a/src/shared/mount-setup.c b/src/shared/mount-setup.c
 index 975c027..6882b62 100644
 --- a/src/shared/mount-setup.c
 +++ b/src/shared/mount-setup.c
@@ -102,8 +102,10 @@ static const MountPoint mount_table[] = {
            cg_is_legacy_wanted, MNT_IN_CONTAINER     },
          { "cgroup",      "/sys/fs/cgroup/systemd",    "cgroup",     "none,name=systemd",                       MS_NOSUID|MS_NOEXEC|MS_NODEV,
            cg_is_legacy_wanted, MNT_FATAL|MNT_IN_CONTAINER },
++#if ENABLE_PSTORE
          { "pstore",      "/sys/fs/pstore",            "pstore",     NULL,                                      MS_NOSUID|MS_NOEXEC|MS_NODEV,
            NULL,          MNT_NONE                   },
++#endif
  #if ENABLE_EFI
          { "efivarfs",    "/sys/firmware/efi/efivars", "efivarfs",   NULL,                                      MS_NOSUID|MS_NOEXEC|MS_NODEV,
            is_efi_boot,   MNT_NONE                   },
 diff --git a/src/shared/sleep-config.c b/src/shared/sleep-config.c
 index efc066c..1632132 100644
 --- a/src/shared/sleep-config.c
 +++ b/src/shared/sleep-config.c
@@ -116,7 +116,7 @@ int parse_sleep_config(SleepConfig **ret_sleep_config) {
          if (sc->hibernate_delay_sec == 0)
                  sc->hibernate_delay_sec = 2 * USEC_PER_HOUR;
--        /* ensure values set for all required fields */
++        /* Ensure values set for all required fields */
          if (!sc->states[SLEEP_SUSPEND] || !sc->modes[SLEEP_HIBERNATE]
              || !sc->states[SLEEP_HIBERNATE] || !sc->modes[SLEEP_HYBRID_SLEEP] || !sc->states[SLEEP_HYBRID_SLEEP])
                  return log_oom();
@@ -172,11 +172,11 @@ static int read_battery_capacity_percentage(sd_device *dev) {
          r = sd_device_get_property_value(dev, "POWER_SUPPLY_CAPACITY", &power_supply_capacity);
          if (r < 0)
--                return log_device_debug_errno(dev, r, "Failed to read battery capacity: %m");
++                return log_device_debug_errno(dev, r, "Failed to get property POWER_SUPPLY_CAPACITY: %m");
          r = safe_atoi(power_supply_capacity, &battery_capacity);
          if (r < 0)
--                return log_device_debug_errno(dev, r, "Failed to parse battery capacity: %m");
++                return log_device_debug_errno(dev, r, "Failed to parse property POWER_SUPPLY_CAPACITY: %m");
          if (battery_capacity < 0 || battery_capacity > 100)
                  return log_device_debug_errno(dev, SYNTHETIC_ERRNO(ERANGE), "Invalid battery capacity");
@@ -184,14 +184,14 @@ static int read_battery_capacity_percentage(sd_device *dev) {
          return battery_capacity;
+ }
--/* If battery percentage capacity is less than equal to 5% return success */
++/* If battery percentage capacity is <= 5%, return success */
  int battery_is_low(void) {
          _cleanup_(sd_device_enumerator_unrefp) sd_device_enumerator *e = NULL;
          sd_device *dev;
          int r;
           /* We have not used battery capacity_level since value is set to full
--         * or Normal in case acpi is not working properly. In case of no battery
++         * or Normal in case ACPI is not working properly. In case of no battery
           * 0 will be returned and system will be suspended for 1st cycle then hibernated */
          r = battery_enumerator_new(&e);
@@ -234,14 +234,12 @@ int fetch_batteries_capacity_by_name(Hashmap **ret) {
                  int battery_capacity;
                  battery_capacity = r = read_battery_capacity_percentage(dev);
--                if (r < 0) {
--                        log_device_debug_errno(dev, r, "Failed to get battery capacity, ignoring: %m");
++                if (r < 0)
                          continue;
--                }
                  r = sd_device_get_property_value(dev, "POWER_SUPPLY_NAME", &battery_name);
                  if (r < 0) {
--                        log_device_debug_errno(dev, r, "Failed to read battery name, ignoring: %m");
++                        log_device_debug_errno(dev, r, "Failed to get POWER_SUPPLY_NAME property, ignoring: %m");
                          continue;
+                 }
@@ -272,11 +270,11 @@ static int get_battery_identifier(sd_device *dev, const char *property, struct s
          r = sd_device_get_property_value(dev, property, &x);
          if (r == -ENOENT)
--               log_device_debug_errno(dev, r, "battery device property %s is unavailable, ignoring: %m", property);
++               log_device_debug_errno(dev, r, "Battery device property %s is unavailable, ignoring: %m", property);
          else if (r < 0)
--               return log_device_debug_errno(dev, r, "Failed to read battery device property %s: %m", property);
++               return log_device_debug_errno(dev, r, "Failed to get battery device property %s: %m", property);
          else if (isempty(x))
--               log_device_debug(dev, "battery device property '%s' is null.", property);
++               log_device_debug(dev, "Battery device property '%s' is empty.", property);
          else
                 siphash24_compress_string(x, state);
@@ -319,7 +317,7 @@ static int get_system_battery_identifier_hash(sd_device *dev, uint64_t *ret) {
          return 0;
+ }
--/* battery percentage discharge rate per hour is in range 1-199 then return success */
++/* Return success if battery percentage discharge rate per hour is in the range 1–199 */
  static bool battery_discharge_rate_is_valid(int battery_discharge_rate) {
          return battery_discharge_rate > 0 && battery_discharge_rate < 200;
+ }
@@ -470,7 +468,7 @@ int estimate_battery_discharge_rate_per_hour(
          return 0;
+ }
--/* calculate the suspend interval for each battery and then return the sum of it */
++/* Calculate the suspend interval for each battery and then return their sum */
  int get_total_suspend_interval(Hashmap *last_capacity, usec_t *ret) {
          _cleanup_(sd_device_enumerator_unrefp) sd_device_enumerator *e = NULL;
          usec_t total_suspend_interval = 0;
@@ -495,7 +493,7 @@ int get_total_suspend_interval(Hashmap *last_capacity, usec_t *ret) {
                          continue;
+                 }
--                battery_last_capacity = PTR_TO_CAPACITY(hashmap_get(last_capacity, battery_name));
++                battery_last_capacity = get_capacity_by_name(last_capacity, battery_name);
                  if (battery_last_capacity <= 0)
                          continue;
@@ -516,8 +514,8 @@ int get_total_suspend_interval(Hashmap *last_capacity, usec_t *ret) {
                  total_suspend_interval = usec_add(total_suspend_interval, suspend_interval);
+         }
--        /* The previous discharge rate is stored in per hour basis so converted to minutes.
--         * Subtracted 30 minutes from the result to keep a buffer of 30 minutes before battery gets critical */
++        /* Previous discharge rate is stored in per hour basis converted to usec.
++         * Subtract 30 minutes from the result to keep a buffer of 30 minutes before battery gets critical */
          total_suspend_interval = usec_sub_unsigned(total_suspend_interval, 30 * USEC_PER_MINUTE);
          if (total_suspend_interval == 0)
                  return -ENOENT;
 diff --git a/src/sleep/sleep.c b/src/sleep/sleep.c
 index 30ba5d2..84fd5d3 100644
 --- a/src/sleep/sleep.c
 +++ b/src/sleep/sleep.c
@@ -267,12 +267,12 @@ static int execute(
+ }
  static int custom_timer_suspend(const SleepConfig *sleep_config) {
--        _cleanup_hashmap_free_ Hashmap *last_capacity = NULL, *current_capacity = NULL;
          int r;
          assert(sleep_config);
          while (battery_is_low() == 0) {
++                _cleanup_hashmap_free_ Hashmap *last_capacity = NULL, *current_capacity = NULL;
                  _cleanup_close_ int tfd = -1;
                  struct itimerspec ts = {};
                  usec_t suspend_interval = sleep_config->hibernate_delay_sec, before_timestamp = 0, after_timestamp = 0, total_suspend_interval;
@@ -327,7 +327,8 @@ static int custom_timer_suspend(const SleepConfig *sleep_config) {
+                 }
                  after_timestamp = now(CLOCK_BOOTTIME);
--                log_debug("Attempting to estimate battery discharge rate after wakeup from %s sleep", FORMAT_TIMESPAN(after_timestamp - before_timestamp, USEC_PER_HOUR));
++                log_debug("Attempting to estimate battery discharge rate after wakeup from %s sleep",
++                          FORMAT_TIMESPAN(after_timestamp - before_timestamp, USEC_PER_HOUR));
                  if (after_timestamp != before_timestamp) {
                          r = estimate_battery_discharge_rate_per_hour(last_capacity, current_capacity, before_timestamp, after_timestamp);
@@ -366,6 +367,9 @@ static int freeze_thaw_user_slice(const char **method) {
          if (r < 0)
                  return log_debug_errno(r, "Failed to open connection to systemd: %m");
++        /* Wait for 1.5 seconds at maximum for freeze operation */
++        (void) sd_bus_set_method_call_timeout(bus, 1500 * USEC_PER_MSEC);
++
          r = bus_call_method(bus, bus_systemd_mgr, *method, &error, NULL, "s", SPECIAL_USER_SLICE);
          if (r < 0)
                  return log_debug_errno(r, "Failed to execute operation: %s", bus_error_message(&error, r));
 diff --git a/src/test/test-execute.c b/src/test/test-execute.c
 index 0283cae..ce3489d 100644
 --- a/src/test/test-execute.c
 +++ b/src/test/test-execute.c
@@ -1228,6 +1228,9 @@ int main(int argc, char *argv[]) {
          if (r == -ENOMEDIUM)
                  return log_tests_skipped("cgroupfs not available");
++        if (path_is_read_only_fs("/sys") > 0)
++                return log_tests_skipped("/sys is mounted read-only");
++
          _cleanup_free_ char *unit_dir = NULL, *unit_paths = NULL;
          assert_se(get_testdata_dir("test-execute/", &unit_dir) >= 0);
          assert_se(runtime_dir = setup_fake_runtime_dir());
 diff --git a/src/test/test-unit-name.c b/src/test/test-unit-name.c
 index 43fdb15..eec4831 100644
 --- a/src/test/test-unit-name.c
 +++ b/src/test/test-unit-name.c
@@ -241,11 +241,13 @@ TEST_RET(unit_printf, .sd_booted = true) {
                  *user, *group, *uid, *gid, *home, *shell,
                  *tmp_dir, *var_tmp_dir;
          _cleanup_(manager_freep) Manager *m = NULL;
++        _cleanup_close_ int fd = -EBADF;
          Unit *u;
          int r;
          _cleanup_(unlink_tempfilep) char filename[] = "/tmp/test-unit_printf.XXXXXX";
--        assert_se(mkostemp_safe(filename) >= 0);
++        fd = mkostemp_safe(filename);
++        assert_se(fd >= 0);
          /* Using the specifier functions is admittedly a bit circular, but we don't want to reimplement the
           * logic a second time. We're at least testing that the hookup works. */
 diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
 index 18bb757..3501ccf 100644
 --- a/src/tmpfiles/tmpfiles.c
 +++ b/src/tmpfiles/tmpfiles.c
@@ -2849,8 +2849,11 @@ static void item_free_contents(Item *i) {
          strv_free(i->xattrs);
  #if HAVE_ACL
--        acl_free(i->acl_access);
--        acl_free(i->acl_default);
++        if (i->acl_access)
++                acl_free(i->acl_access);
++
++        if (i->acl_default)
++                acl_free(i->acl_default);
  #endif
+ }
 diff --git a/test/TEST-55-OOMD/test.sh b/test/TEST-55-OOMD/test.sh
 index 4dc4142..4032896 100755
 --- a/test/TEST-55-OOMD/test.sh
 +++ b/test/TEST-55-OOMD/test.sh
@@ -17,6 +17,12 @@ test_append_files() {
          cat >>"${initdir:?}/etc/fstab" <<EOF
  UUID=$(blkid -o value -s UUID "${LOOPDEV}p2")    none    swap    defaults 0 0
  EOF
++
++        mkdir -p "${initdir:?}/etc/systemd/system/init.scope.d/"
++        cat >>"${initdir:?}/etc/systemd/system/init.scope.d/test-55-oomd.conf" <<EOF
++[Scope]
++MemoryHigh=10G
++EOF
+     )
+ }
 diff --git a/test/fuzz/fuzz-unit-file/directives.scope b/test/fuzz/fuzz-unit-file/directives.scope
 index 4552d0b..2285587 100644
 --- a/test/fuzz/fuzz-unit-file/directives.scope
 +++ b/test/fuzz/fuzz-unit-file/directives.scope
@@ -47,6 +47,7 @@ MemoryMax=
  MemoryMin=
  MemorySwapMax=
  NetClass=
++OOMPolicy=
  RestartKillSignal=
  RestrictNetworkInterfaces=
  RuntimeMaxSec=
 diff --git a/test/test-functions b/test/test-functions
 index 5613215..ae0a993 100644
 --- a/test/test-functions
 +++ b/test/test-functions
@@ -158,6 +158,7 @@ BASICTOOLS=(
      cat
      chmod
      chown
++    chroot
      cmp
      cryptsetup
      cut
@@ -1908,6 +1909,21 @@ install_dbus() {
      </policy>
  </busconfig>
  EOF
++
++    # If we run without KVM, bump the service start timeout
++    if ! get_bool "$QEMU_KVM"; then
++        cat >"$initdir/etc/dbus-1/system.d/service.timeout.conf" <<EOF
++<?xml version="1.0"?>
++<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
++        "https://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
++<busconfig>
++    <limit name="service_start_timeout">60000</limit>
++</busconfig>
++EOF
++        # Bump the client-side timeout in sd-bus as well
++        mkdir -p "$initdir/etc/systemd/system.conf.d"
++        echo -e '[Manager]\nDefaultEnvironment=SYSTEMD_BUS_TIMEOUT=60' >"$initdir/etc/systemd/system.conf.d/bus-timeout.conf"
++    fi
+ }
  install_user_dbus() {
 diff --git a/test/test-network/conf/23-bond199.network b/test/test-network/conf/23-bond199.network
 index 6a1f9a1..9f4879f 100644
 --- a/test/test-network/conf/23-bond199.network
 +++ b/test/test-network/conf/23-bond199.network
@@ -4,6 +4,3 @@ Name=bond199
  [Network]
  IPv6AcceptRA=no
--
--[Link]
--MACAddress=00:11:22:33:44:55
 diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py
 index 693ddfa..5a731f5 100755
 --- a/test/test-network/systemd-networkd-tests.py
 +++ b/test/test-network/systemd-networkd-tests.py
@@ -1063,6 +1063,10 @@ class NetworkctlTests(unittest.TestCase, Utilities):
          self.assertRegex(output, r'Link File: (/usr)?/lib/systemd/network/99-default.link')
          self.assertRegex(output, r'Network File: /run/systemd/network/11-dummy.network')
++        # This test may be run on the system that has older udevd than 70f32a260b5ebb68c19ecadf5d69b3844896ba55 (v249).
++        # In that case, the udev DB for the loopback network interface may already have ID_NET_LINK_FILE property.
++        # Let's reprocess the interface and drop the property.
++        check_output(*udevadm_cmd, 'trigger', '--settle', '--action=add', '/sys/class/net/lo')
          output = check_output(*networkctl_cmd, '-n', '0', 'status', 'lo', env=env)
          print(output)
          self.assertRegex(output, r'Link File: n/a')
@@ -3799,7 +3803,7 @@ class NetworkdBondTests(unittest.TestCase, Utilities):
          output = check_output('ip -d link show bond199')
          print(output)
--        self.assertRegex(output, 'active_slave dummy98')
++        self.assertIn('active_slave dummy98', output)
      def test_bond_primary_slave(self):
          copy_network_unit('23-primary-slave.network', '23-bond199.network', '25-bond-active-backup-slave.netdev', '12-dummy.netdev')
@@ -3808,8 +3812,20 @@ class NetworkdBondTests(unittest.TestCase, Utilities):
          output = check_output('ip -d link show bond199')
          print(output)
--        self.assertRegex(output, 'primary dummy98')
--        self.assertIn('link/ether 00:11:22:33:44:55', output)
++        self.assertIn('primary dummy98', output)
++
++        # for issue #25627
++        mkdir_p(os.path.join(network_unit_dir, '23-bond199.network.d'))
++        for mac in ['00:11:22:33:44:55', '00:11:22:33:44:56']:
++            with open(os.path.join(network_unit_dir, '23-bond199.network.d/mac.conf'), mode='w', encoding='utf-8') as f:
++                f.write(f'[Link]\nMACAddress={mac}\n')
++
++            networkctl_reload()
++            self.wait_online(['dummy98:enslaved', 'bond199:degraded'])
++
++            output = check_output('ip -d link show bond199')
++            print(output)
++            self.assertIn(f'link/ether {mac}', output)
      def test_bond_operstate(self):
          copy_network_unit('25-bond.netdev', '11-dummy.netdev', '12-dummy.netdev',
 diff --git a/test/test-shutdown.py b/test/test-shutdown.py
 index e181f97..13e18ec 100755
 --- a/test/test-shutdown.py
 +++ b/test/test-shutdown.py
@@ -17,7 +17,7 @@ def run(args):
      logger.info("spawning test")
      console = pexpect.spawn(args.command, args.arg, env={
              "TERM": "linux",
--        }, encoding='utf-8', timeout=30)
++        }, encoding='utf-8', timeout=60)
      if args.verbose:
          console.logfile = sys.stdout
 diff --git a/test/units/testsuite-26.sh b/test/units/testsuite-26.sh
 index a8e7a5a..37ae606 100755
 --- a/test/units/testsuite-26.sh
 +++ b/test/units/testsuite-26.sh
@@ -294,7 +294,7 @@ systemctl unset-environment IMPORT_THIS IMPORT_THIS_TOO
  # test for sysv-generator (issue #24990)
  if [[ -x /usr/lib/systemd/system-generators/systemd-sysv-generator ]]; then
--
++    mkdir -p /etc/init.d
      # invalid dependency
      cat >/etc/init.d/issue-24990 <<\EOF
  #!/bin/bash
 diff --git a/test/units/testsuite-55.sh b/test/units/testsuite-55.sh
 index 8fa1d01..0887eac 100755
 --- a/test/units/testsuite-55.sh
 +++ b/test/units/testsuite-55.sh
@@ -5,6 +5,9 @@ set -o pipefail
  systemd-analyze log-level debug
++# Ensure that the init.scope.d drop-in is applied on boot
++test "$(cat /sys/fs/cgroup/init.scope/memory.high)" != "max"
++
  # Loose checks to ensure the environment has the necessary features for systemd-oomd
  [[ -e /proc/pressure ]] || echo "no PSI" >>/skipped
  cgroup_type="$(stat -fc %T /sys/fs/cgroup/)"
 diff --git a/test/units/testsuite-64.sh b/test/units/testsuite-64.sh
 index 7673036..c4406f3 100755
 --- a/test/units/testsuite-64.sh
 +++ b/test/units/testsuite-64.sh
@@ -192,7 +192,7 @@ testcase_nvme_subsystem() {
  testcase_virtio_scsi_identically_named_partitions() {
      local num
--    if [[ -n "${ASAN_OPTIONS:-}" ]] || [[ "$(systemd-detect-virt -v)" == "qemu" ]]; then
++    if [[ -v ASAN_OPTIONS || "$(systemd-detect-virt -v)" == "qemu" ]]; then
          num=$((4 * 4))
      else
          num=$((16 * 8))
@@ -243,6 +243,7 @@ EOF
      echo "${FUNCNAME[0]}: test failover"
      local device expected link mpoint part
      local -a devices
++    mkdir -p /mnt
      mpoint="$(mktemp -d /mnt/mpathXXX)"
      wwid="deaddeadbeef0000"
      path="/dev/disk/by-id/wwn-0x$wwid"
@@ -305,7 +306,7 @@ testcase_simultaneous_events() {
      local -a devices symlinks
      local -A running
--    if [[ -n "${ASAN_OPTIONS:-}" ]] || [[ "$(systemd-detect-virt -v)" == "qemu" ]]; then
++    if [[ -v ASAN_OPTIONS || "$(systemd-detect-virt -v)" == "qemu" ]]; then
          num_part=2
          iterations=10
          timeout=240
@@ -400,7 +401,7 @@ testcase_lvm_basic() {
          /dev/disk/by-id/ata-foobar_deadbeeflvm{0..3}
+     )
--    if [[ -n "${ASAN_OPTIONS:-}" ]] || [[ "$(systemd-detect-virt -v)" == "qemu" ]]; then
++    if [[ -v ASAN_OPTIONS || "$(systemd-detect-virt -v)" == "qemu" ]]; then
          timeout=180
      else
          timeout=30
@@ -453,7 +454,7 @@ testcase_lvm_basic() {
      helper_check_device_units
      # Same as above, but now with more "stress"
--    if [[ -n "${ASAN_OPTIONS:-}" ]] || [[ "$(systemd-detect-virt -v)" == "qemu" ]]; then
++    if [[ -v ASAN_OPTIONS || "$(systemd-detect-virt -v)" == "qemu" ]]; then
          iterations=10
      else
          iterations=50
@@ -478,7 +479,7 @@ testcase_lvm_basic() {
      helper_check_device_units
      # Create & remove LVs in a loop, i.e. with more "stress"
--    if [[ -n "${ASAN_OPTIONS:-}" ]]; then
++    if [[ -v ASAN_OPTIONS ]]; then
          iterations=8
          partitions=16
      elif [[ "$(systemd-detect-virt -v)" == "qemu" ]]; then
 diff --git a/test/units/testsuite-65.sh b/test/units/testsuite-65.sh
 index 1f34308..ebe1f57 100755
 --- a/test/units/testsuite-65.sh
 +++ b/test/units/testsuite-65.sh
@@ -139,6 +139,16 @@ systemd-analyze cat-config systemd/system.conf systemd/journald.conf >/dev/null
  systemd-analyze cat-config systemd/system.conf foo/bar systemd/journald.conf >/dev/null
  systemd-analyze cat-config foo/bar
++if [[ ! -v ASAN_OPTIONS ]]; then
++    # check that systemd-analyze cat-config paths work in a chroot
++    mkdir -p /tmp/root
++    mount --bind / /tmp/root
++    systemd-analyze cat-config systemd/system-preset >/tmp/out1
++    chroot /tmp/root systemd-analyze cat-config systemd/system-preset >/tmp/out2
++    diff /tmp/out{1,2}
++fi
++
++# verify
  mkdir -p /tmp/img/usr/lib/systemd/system/
  mkdir -p /tmp/img/opt/
 diff --git a/test/units/testsuite-73.sh b/test/units/testsuite-73.sh
 index f9e2dce..4eae0f6 100755
 --- a/test/units/testsuite-73.sh
 +++ b/test/units/testsuite-73.sh
@@ -92,6 +92,19 @@ test_locale() {
          return
      fi
++    # start with a known default environment and make sure to also give a
++    # default value to LC_CTYPE= since we're about to also set/unset it. We
++    # also reload PID1 configuration to make sure that PID1 environment itself
++    # is updated as it's not always been the case.
++    assert_rc 0 localectl set-locale "LANG=en_US.UTF-8" "LC_CTYPE=C"

Ubuntusystemd package

Merge ~enr0n/ubuntu/+source/systemd:ubuntu-lunar-next into ~ubuntu-core-dev/ubuntu/+source/systemd:ubuntu-lunar

Commit message

Description of the change

Preview Diff

Subscribers

Ubuntu
systemd package