Backport a bunch of patches and update hwdb

This is needed because an additional property was added and the
tests fail otherwise. I think adding of the property is OK, it's
fully backwards compatible.

Also use %if 0 syntax to make it easy to copy&paste the commands.

.gitignore

@@ -1,4 +1,3 @@
-*~
 /systemd-*/
 /.build-*.log
 /x86_64/

0001-dhcp-server-add-two-missing-OOM-checks.patch

@@ -0,0 +1,35 @@
+From a75dde1983510900243f247b41a8cb935590ac7b Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Thu, 9 Feb 2017 10:16:52 +0100
+Subject: [PATCH] dhcp-server: add two missing OOM checks
+
+(cherry picked from commit 357e1b17b901b48714fa5301c745ae5389661798)
+---
+ src/libsystemd-network/sd-dhcp-server.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/libsystemd-network/sd-dhcp-server.c b/src/libsystemd-network/sd-dhcp-server.c
+index 2890681561..315cbf1ac5 100644
+--- a/src/libsystemd-network/sd-dhcp-server.c
++++ b/src/libsystemd-network/sd-dhcp-server.c
+@@ -197,7 +197,11 @@ int sd_dhcp_server_new(sd_dhcp_server **ret, int ifindex) {
+         server->address = htobe32(INADDR_ANY);
+         server->netmask = htobe32(INADDR_ANY);
+         server->ifindex = ifindex;
++
+         server->leases_by_client_id = hashmap_new(&client_id_hash_ops);
++        if (!server->leases_by_client_id)
++                return -ENOMEM;
++
+         server->default_lease_time = DIV_ROUND_UP(DHCP_DEFAULT_LEASE_TIME_USEC, USEC_PER_SEC);
+         server->max_lease_time = DIV_ROUND_UP(DHCP_MAX_LEASE_TIME_USEC, USEC_PER_SEC);
+ 
+@@ -857,6 +861,8 @@ int dhcp_server_handle_message(sd_dhcp_server *server, DHCPMessage *message,
+ 
+                         if (!existing_lease) {
+                                 lease = new0(DHCPLease, 1);
++                                if (!lease)
++                                        return -ENOMEM;
+                                 lease->address = address;
+                                 lease->client_id.data = memdup(req->client_id.data,
+                                                                req->client_id.length);

0001-test-path-util-do-not-fail-if-the-fd_is_mount_point-.patch

@@ -1,70 +0,0 @@
-From 2e9d763e7cbeb33954bbe3f96fd94de2cd62edf7 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Thu, 12 Nov 2020 14:28:24 +0100
-Subject: [PATCH] test-path-util: do not fail if the fd_is_mount_point check
- fails
-
-This test fails on i686 and ppc64le in koji:
-/* test_path */
-Assertion 'fd_is_mount_point(fd, "/", 0) > 0' failed at src/test/test-path-util.c:85, function test_path(). Aborting.
-
-I guess some permission error is the most likely.
----
- src/test/test-path-util.c | 23 +++++++++++++++++------
- 1 file changed, 17 insertions(+), 6 deletions(-)
-
-diff --git a/src/test/test-path-util.c b/src/test/test-path-util.c
-index f4f8d0550b..be428334f3 100644
---- a/src/test/test-path-util.c
-+++ b/src/test/test-path-util.c
-@@ -40,8 +40,6 @@ static void test_path_simplify(const char *in, const char *out, const char *out_
- }
- 
- static void test_path(void) {
--        _cleanup_close_ int fd = -1;
--
-         log_info("/* %s */", __func__);
- 
-         test_path_compare("/goo", "/goo", 0);
-@@ -80,10 +78,6 @@ static void test_path(void) {
-         assert_se(streq(basename("/aa///file..."), "file..."));
-         assert_se(streq(basename("file.../"), ""));
- 
--        fd = open("/", O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_NOCTTY);
--        assert_se(fd >= 0);
--        assert_se(fd_is_mount_point(fd, "/", 0) > 0);
--
-         test_path_simplify("aaa/bbb////ccc", "aaa/bbb/ccc", "aaa/bbb/ccc");
-         test_path_simplify("//aaa/.////ccc", "/aaa/./ccc", "/aaa/ccc");
-         test_path_simplify("///", "/", "/");
-@@ -120,6 +114,22 @@ static void test_path(void) {
-         assert_se(!path_equal_ptr(NULL, "/a"));
- }
- 
-+static void test_path_is_mountpoint(void) {
-+        _cleanup_close_ int fd = -1;
-+        int r;
-+
-+        log_info("/* %s */", __func__);
-+
-+        fd = open("/", O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_NOCTTY);
-+        assert_se(fd >= 0);
-+
-+        r = fd_is_mount_point(fd, "/", 0);
-+        if (r < 0)
-+                log_warning_errno(r, "Failed to check if / is a mount point, ignoring: %m");
-+        else
-+                assert_se(r == 1);
-+}
-+
- static void test_path_equal_root(void) {
-         /* Nail down the details of how path_equal("/", ...) works. */
- 
-@@ -714,6 +724,7 @@ int main(int argc, char **argv) {
- 
-         test_print_paths();
-         test_path();
-+        test_path_is_mountpoint();
-         test_path_equal_root();
-         test_find_executable_full();
-         test_find_executable(argv[0]);

0001-test-path-util-ignore-test-failure.patch

@@ -1,33 +0,0 @@
-From e8bca4ba55f855260eda684a16e8feb5f20b1deb Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Thu, 12 Nov 2020 15:06:12 +0100
-Subject: [PATCH] test-path-util: ignore test failure
-
----
- src/test/test-path-util.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/src/test/test-path-util.c b/src/test/test-path-util.c
-index be428334f3..207c659b8b 100644
---- a/src/test/test-path-util.c
-+++ b/src/test/test-path-util.c
-@@ -120,14 +120,17 @@ static void test_path_is_mountpoint(void) {
- 
-         log_info("/* %s */", __func__);
- 
-+        (void) system("uname -a");
-+        (void) system("mountpoint /");
-+
-         fd = open("/", O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_NOCTTY);
-         assert_se(fd >= 0);
- 
-         r = fd_is_mount_point(fd, "/", 0);
-         if (r < 0)
-                 log_warning_errno(r, "Failed to check if / is a mount point, ignoring: %m");
--        else
--                assert_se(r == 1);
-+        else if (r == 0)
-+                log_warning("/ is not a mountpoint?");
- }
- 
- static void test_path_equal_root(void) {

0002-import-bump-image-size-safety-limit-for-machinectl-p.patch

@@ -0,0 +1,25 @@
+From eea54ddfeac9e4c19dff45a5cd9f1389646de114 Mon Sep 17 00:00:00 2001
+From: Dax Kelson <dkelson@gurulabs.com>
+Date: Sun, 5 Mar 2017 05:03:53 -0700
+Subject: [PATCH] import: bump image size safety limit for machinectl pull
+ (#5535)
+
+We currenly use 40GB images in our environment
+(cherry picked from commit 055c521ad4e9d2f923e9373ac12e214a1e896cc7)
+---
+ src/import/pull-job.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/import/pull-job.c b/src/import/pull-job.c
+index e550df2c57..70aaa5c291 100644
+--- a/src/import/pull-job.c
++++ b/src/import/pull-job.c
+@@ -527,7 +527,7 @@ int pull_job_new(PullJob **ret, const char *url, CurlGlue *glue, void *userdata)
+         j->glue = glue;
+         j->content_length = (uint64_t) -1;
+         j->start_usec = now(CLOCK_MONOTONIC);
+-        j->compressed_max = j->uncompressed_max = 8LLU * 1024LLU * 1024LLU * 1024LLU; /* 8GB */
++        j->compressed_max = j->uncompressed_max = 64LLU * 1024LLU * 1024LLU * 1024LLU; /* 64GB safety limit */
+ 
+         j->url = strdup(url);
+         if (!j->url)

0003-coredump-fix-handling-of-premature-eof-data-for-back.patch

@@ -0,0 +1,41 @@
+From 26bffa023b572b25ec8ef6be70b4ed114492a592 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Sun, 5 Mar 2017 10:35:44 -0500
+Subject: [PATCH] coredump: fix handling of premature-eof data for --backtrace
+
+We'd fail with an assert in journal_importer_process_data(),
+because that function requires the caller to handle EOF themselves.
+
+(cherry picked from commit d74dc4f2d00644c04ad9dc900ef43050fcadaa8b)
+---
+ src/basic/journal-importer.c | 2 +-
+ src/coredump/coredump.c      | 3 ++-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/basic/journal-importer.c b/src/basic/journal-importer.c
+index 4c13e46a49..d25fd358e8 100644
+--- a/src/basic/journal-importer.c
++++ b/src/basic/journal-importer.c
+@@ -314,7 +314,7 @@ int journal_importer_process_data(JournalImporter *imp) {
+                         return r;
+                 if (r == 0) {
+                         imp->state = IMPORTER_STATE_EOF;
+-                        return r;
++                        return 0;
+                 }
+                 assert(n > 0);
+                 assert(line[n-1] == '\n');
+diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c
+index 4c4f36aea0..5828e949e3 100644
+--- a/src/coredump/coredump.c
++++ b/src/coredump/coredump.c
+@@ -1326,7 +1326,8 @@ static int process_backtrace(int argc, char *argv[]) {
+                         log_error_errno(r, "Failed to parse journal entry on stdin: %m");
+                         goto finish;
+                 }
+-                if (r == 1)
++                if (r == 1 ||                        /* complete entry */
++                    journal_importer_eof(&importer)) /* end of data */
+                         break;
+         }
+ 

0004-cgtop-use-PRIu64-to-print-uint64_t-5544.patch

@@ -0,0 +1,25 @@
+From 16037d22ebb2682dc948e6a1fc869635d0c949e3 Mon Sep 17 00:00:00 2001
+From: "Thomas H. P. Andersen" <phomes@gmail.com>
+Date: Tue, 7 Mar 2017 07:47:18 +0100
+Subject: [PATCH] cgtop: use PRIu64 to print uint64_t (#5544)
+
+Commit 59f448cf replaced usage of off_t with uint64_t. Change the
+format string to use PRIu64 to match it.
+(cherry picked from commit 557e36934d21b08acafbe2baf6ebfde761fbae25)
+---
+ src/cgtop/cgtop.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/cgtop/cgtop.c b/src/cgtop/cgtop.c
+index a1c0f48c89..67f3a99860 100644
+--- a/src/cgtop/cgtop.c
++++ b/src/cgtop/cgtop.c
+@@ -118,7 +118,7 @@ static const char *maybe_format_bytes(char *buf, size_t l, bool is_valid, uint64
+         if (!is_valid)
+                 return "-";
+         if (arg_raw) {
+-                snprintf(buf, l, "%jd", t);
++                snprintf(buf, l, "%" PRIu64, t);
+                 return buf;
+         }
+         return format_bytes(buf, l, t);

0005-man-fix-typo-5556.patch

@@ -0,0 +1,23 @@
+From 5fba61468e476e1d224655d23915b543dd900a78 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Torstein=20Huseb=C3=B8?= <torstein@huseboe.net>
+Date: Wed, 8 Mar 2017 13:54:22 +0100
+Subject: [PATCH] man: fix typo (#5556)
+
+(cherry picked from commit 6cf5a9648928be1e2b8fcdbf2903761000f6e803)
+---
+ man/systemd.exec.xml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
+index 5d4986b6bf..fb64cd6d8e 100644
+--- a/man/systemd.exec.xml
++++ b/man/systemd.exec.xml
+@@ -138,7 +138,7 @@
+       <varlistentry>
+         <term><varname>RootImage=</varname></term>
+         <listitem><para>Takes a path to a block device node or regular file as argument. This call is similar to
+-        <varname>RootDirectory=</varname> however mounts a file system hierarchy from a block device node or loopack
++        <varname>RootDirectory=</varname> however mounts a file system hierarchy from a block device node or loopback
+         file instead of a directory. The device node or file system image file needs to contain a file system without a
+         partition table, or a file system within an MBR/MS-DOS or GPT partition table with only a single
+         Linux-compatible partition, or a set of file systems within a GPT partition table that follows the <ulink

0006-Fix-typo-in-function-name-5565.patch

@@ -0,0 +1,46 @@
+From 400d52221daba3d0480b11b631a6c9972b7ba939 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekletar@users.noreply.github.com>
+Date: Fri, 10 Mar 2017 15:16:24 +0100
+Subject: [PATCH] Fix typo in function name (#5565)
+
+(cherry picked from commit 8feabc46263079cffba8a39c4082563320aeffc0)
+---
+ man/sd_journal_get_fd.xml    | 4 ++--
+ man/sd_login_monitor_new.xml | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/man/sd_journal_get_fd.xml b/man/sd_journal_get_fd.xml
+index 61293f7f99..2e686caccb 100644
+--- a/man/sd_journal_get_fd.xml
++++ b/man/sd_journal_get_fd.xml
+@@ -146,7 +146,7 @@ if (t == (uint64_t) -1)
+ else {
+   struct timespec ts;
+   uint64_t n;
+-  clock_getttime(CLOCK_MONOTONIC, &amp;ts);
++  clock_gettime(CLOCK_MONOTONIC, &amp;ts);
+   n = (uint64_t) ts.tv_sec * 1000000 + ts.tv_nsec / 1000;
+   msec = t > n ? (int) ((t - n + 999) / 1000) : 0;
+ }</programlisting>
+@@ -304,7 +304,7 @@ int wait_for_changes(sd_journal *j) {
+   else {
+     struct timespec ts;
+     uint64_t n;
+-    clock_getttime(CLOCK_MONOTONIC, &amp;ts);
++    clock_gettime(CLOCK_MONOTONIC, &amp;ts);
+     n = (uint64_t) ts.tv_sec * 1000000 + ts.tv_nsec / 1000;
+     msec = t > n ? (int) ((t - n + 999) / 1000) : 0;
+   }
+diff --git a/man/sd_login_monitor_new.xml b/man/sd_login_monitor_new.xml
+index 5625ab9207..129c99f97d 100644
+--- a/man/sd_login_monitor_new.xml
++++ b/man/sd_login_monitor_new.xml
+@@ -203,7 +203,7 @@ if (t == (uint64_t) -1)
+ else {
+          struct timespec ts;
+          uint64_t n;
+-         clock_getttime(CLOCK_MONOTONIC, &amp;ts);
++         clock_gettime(CLOCK_MONOTONIC, &amp;ts);
+          n = (uint64_t) ts.tv_sec * 1000000 + ts.tv_nsec / 1000;
+          msec = t > n ? (int) ((t - n + 999) / 1000) : 0;
+ }</programlisting>

0007-resolve-add-missing-space-in-output-message-5574.patch

@@ -0,0 +1,25 @@
+From 90eee306291a39b888ec13b3bd2f418f1f5aba0d Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Mon, 13 Mar 2017 09:12:03 +0900
+Subject: [PATCH] resolve: add missing space in output message (#5574)
+
+(cherry picked from commit 44ccb3d72315f68d0b4b07217c99bad35b055ec3)
+---
+ src/resolve/resolve-tool.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/resolve/resolve-tool.c b/src/resolve/resolve-tool.c
+index 32537ce6e8..c62058917f 100644
+--- a/src/resolve/resolve-tool.c
++++ b/src/resolve/resolve-tool.c
+@@ -114,8 +114,8 @@ static void print_source(uint64_t flags, usec_t rtt) {
+                        flags & SD_RESOLVED_DNS ? " DNS" :"",
+                        flags & SD_RESOLVED_LLMNR_IPV4 ? " LLMNR/IPv4" : "",
+                        flags & SD_RESOLVED_LLMNR_IPV6 ? " LLMNR/IPv6" : "",
+-                       flags & SD_RESOLVED_MDNS_IPV4 ? "mDNS/IPv4" : "",
+-                       flags & SD_RESOLVED_MDNS_IPV6 ? "mDNS/IPv6" : "");
++                       flags & SD_RESOLVED_MDNS_IPV4 ? " mDNS/IPv4" : "",
++                       flags & SD_RESOLVED_MDNS_IPV6 ? " mDNS/IPv6" : "");
+ 
+         assert_se(format_timespan(rtt_str, sizeof(rtt_str), rtt, 100));
+ 

0008-headers-check-that-__INCLUDE_LEVEL__-is-defined-befo.patch

@@ -0,0 +1,28 @@
+From cc60212ef3acc982eb0da5f2e6839af84a3a2f10 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Mon, 13 Mar 2017 03:11:24 -0400
+Subject: [PATCH] headers: check that __INCLUDE_LEVEL__ is defined before using
+ it (#5575)
+
+That macro is a gcc extension, and while widely supported, not ubiquitous.
+In particular the coverity scanner is having trouble with it.
+(cherry picked from commit 1070d271fa8fa553d57dd5f74dd1e3f60732d0b9)
+---
+ src/systemd/_sd-common.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/systemd/_sd-common.h b/src/systemd/_sd-common.h
+index 3bb886be75..97c3943861 100644
+--- a/src/systemd/_sd-common.h
++++ b/src/systemd/_sd-common.h
+@@ -22,8 +22,8 @@
+ 
+ /* This is a private header; never even think of including this directly! */
+ 
+-#if __INCLUDE_LEVEL__ <= 1
+-#error "Do not include _sd-common.h directly; it is a private header."
++#if defined(__INCLUDE_LEVEL__) && __INCLUDE_LEVEL__ <= 1
++#  error "Do not include _sd-common.h directly; it is a private header."
+ #endif
+ 
+ #ifndef _sd_printf_

0009-journal-prevent-integer-overflow-while-validating-he.patch

@@ -0,0 +1,55 @@
+From bdd5ae00e8cf4f45183a20e5bc89efd3dcc02266 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <stoeckmann@users.noreply.github.com>
+Date: Mon, 13 Mar 2017 08:14:42 +0100
+Subject: [PATCH] journal: prevent integer overflow while validating header
+ (#5569)
+
+It is possible to overflow uint64_t while validating the header of
+a journal file. To prevent this, the addition itself is checked to
+be within the limits of UINT64_MAX first.
+
+To keep this readable, I have introduced two stack variables which
+hold the converted values during validation.
+(cherry picked from commit 6f94e420e8355421fc31713a0df760d6b20473ac)
+---
+ src/journal/journal-file.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/journal/journal-file.c b/src/journal/journal-file.c
+index a6ccb679a8..14cb01a600 100644
+--- a/src/journal/journal-file.c
++++ b/src/journal/journal-file.c
+@@ -546,6 +546,8 @@ static bool warn_wrong_flags(const JournalFile *f, bool compatible) {
+ }
+ 
+ static int journal_file_verify_header(JournalFile *f) {
++        uint64_t arena_size, header_size;
++
+         assert(f);
+         assert(f->header);
+ 
+@@ -564,17 +566,21 @@ static int journal_file_verify_header(JournalFile *f) {
+         if (f->header->state >= _STATE_MAX)
+                 return -EBADMSG;
+ 
++        header_size = le64toh(f->header->header_size);
++
+         /* The first addition was n_data, so check that we are at least this large */
+-        if (le64toh(f->header->header_size) < HEADER_SIZE_MIN)
++        if (header_size < HEADER_SIZE_MIN)
+                 return -EBADMSG;
+ 
+         if (JOURNAL_HEADER_SEALED(f->header) && !JOURNAL_HEADER_CONTAINS(f->header, n_entry_arrays))
+                 return -EBADMSG;
+ 
+-        if ((le64toh(f->header->header_size) + le64toh(f->header->arena_size)) > (uint64_t) f->last_stat.st_size)
++        arena_size = le64toh(f->header->arena_size);
++
++        if (UINT64_MAX - header_size < arena_size || header_size + arena_size > (uint64_t) f->last_stat.st_size)
+                 return -ENODATA;
+ 
+-        if (le64toh(f->header->tail_object_offset) > (le64toh(f->header->header_size) + le64toh(f->header->arena_size)))
++        if (le64toh(f->header->tail_object_offset) > header_size + arena_size)
+                 return -ENODATA;
+ 
+         if (!VALID64(le64toh(f->header->data_hash_table_offset)) ||

0010-machinectl-don-t-return-1-in-case-we-couldn-t-figure.patch

@@ -0,0 +1,27 @@
+From fb724063b60139468caceec06b946b82235578bc Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekletar@users.noreply.github.com>
+Date: Tue, 14 Mar 2017 22:38:19 +0100
+Subject: [PATCH] machinectl: don't return 1 in case we couldn't figure out
+ container IP addresses (#5587)
+
+This is in spirit very similar to commit
+4b2419165ce409ee55ce96a926302f89685f2293.
+
+Fixes: #5581
+(cherry picked from commit 3c302cddfb2e921578d1238ebcc0cb5ff34fbebe)
+---
+ src/machine/machinectl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/machine/machinectl.c b/src/machine/machinectl.c
+index 28384286fb..3031ed5def 100644
+--- a/src/machine/machinectl.c
++++ b/src/machine/machinectl.c
+@@ -340,6 +340,7 @@ static int list_machines(int argc, char *argv[], void *userdata) {
+                         printf("No machines.\n");
+         }
+ 
++        r = 0;
+ out:
+         clean_machine_info(machines, n_machines);
+         return r;

0011-man-Document-when-pam_systemd-sets-XDG_RUNTIME_DIR-5.patch

@@ -0,0 +1,34 @@
+From 7883270b0b0ac13a84bd4f25eba1264ae82afa79 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Adrian=20Heine=20n=C3=A9=20Lang?= <mail@adrianheine.de>
+Date: Tue, 14 Mar 2017 22:42:18 +0100
+Subject: [PATCH] man: Document when pam_systemd sets XDG_RUNTIME_DIR (#5570)
+
+https://github.com/systemd/systemd/blob/f97b34a6/src/login/pam_systemd.c#L439
+(cherry picked from commit 5c50321ca9c660dac39976ab29ed2f28f872628d)
+---
+ man/pam_systemd.xml | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/man/pam_systemd.xml b/man/pam_systemd.xml
+index 6e1aa0dd9a..cef5445c1c 100644
+--- a/man/pam_systemd.xml
++++ b/man/pam_systemd.xml
+@@ -88,7 +88,7 @@
+       and so will the user's slice unit.</para></listitem>
+ 
+       <listitem><para>If the last concurrent session of a user ends,
+-      the <varname>$XDG_RUNTIME_DIR</varname> directory and all its
++      the user runtime directory <filename>/run/user/$UID</filename> and all its
+       contents are removed, too.</para></listitem>
+     </orderedlist>
+ 
+@@ -192,7 +192,8 @@
+         offers the greatest possible file system feature set the
+         operating system provides. For further details, see the <ulink
+         url="http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html">XDG
+-        Base Directory Specification</ulink>.</para></listitem>
++        Base Directory Specification</ulink>. <varname>$XDG_RUNTIME_DIR</varname>
++        is not set if the current user is not the original user of the session.</para></listitem>
+       </varlistentry>
+ 
+     </variablelist>

0012-man-Fix-a-simple-grammar-error-in-systemd.service.xm.patch

@@ -0,0 +1,24 @@
+From abb0fd4473c325ee48d551e8d1b790dad3234c85 Mon Sep 17 00:00:00 2001
+From: AlexanderKurtz <alexander@kurtz.be>
+Date: Thu, 16 Mar 2017 01:33:56 +0100
+Subject: [PATCH] man: Fix a simple grammar error in systemd.service.xml
+ (#5594)
+
+(cherry picked from commit bda99fab3104095420d3ee03593d07469153f6c4)
+---
+ man/systemd.service.xml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/man/systemd.service.xml b/man/systemd.service.xml
+index 52eb2bb424..a452e3a672 100644
+--- a/man/systemd.service.xml
++++ b/man/systemd.service.xml
+@@ -184,7 +184,7 @@
+         process has to exit before systemd starts follow-up units.
+         <varname>RemainAfterExit=</varname> is particularly useful for
+         this type of service. This is the implied default if neither
+-        <varname>Type=</varname> or <varname>ExecStart=</varname> are
++        <varname>Type=</varname> nor <varname>ExecStart=</varname> are
+         specified.</para>
+ 
+         <para>Behavior of <option>dbus</option> is similar to

0013-systemctl-fix-broken-vertical-lines-in-list-dependen.patch

@@ -0,0 +1,23 @@
+From 47ae16f221555779be1d1781f4a9f5cbb2b56680 Mon Sep 17 00:00:00 2001
+From: Felix Zhang <fezhang@suse.com>
+Date: Mon, 20 Mar 2017 18:27:39 +0800
+Subject: [PATCH] systemctl: fix broken vertical lines in list-dependencies
+ --all (#5608)
+
+(cherry picked from commit 60705040152c9953a200eea16fffb5fef894c613)
+---
+ src/systemctl/systemctl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c
+index d78e56d777..cb9ca9ae1e 100644
+--- a/src/systemctl/systemctl.c
++++ b/src/systemctl/systemctl.c
+@@ -1780,6 +1780,7 @@ static int list_dependencies_one(
+         STRV_FOREACH(c, deps) {
+                 if (strv_contains(*units, *c)) {
+                         if (!arg_plain) {
++                                printf("  ");
+                                 r = list_dependencies_print("...", level + 1, (branches << 1) | (c[1] == NULL ? 0 : 1), 1);
+                                 if (r < 0)
+                                         return r;

0014-basic-journal-importer-Fix-unaligned-access-in-get_d.patch

@@ -0,0 +1,32 @@
+From a7637ee87936b9530b0ed56b5520a3e22bd04f94 Mon Sep 17 00:00:00 2001
+From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Date: Wed, 22 Mar 2017 03:36:50 +0100
+Subject: [PATCH] basic/journal-importer: Fix unaligned access in
+ get_data_size() (#5622)
+
+(cherry picked from commit f652c62d71a412704efe7c73c2066d1baaf83456)
+---
+ src/basic/journal-importer.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/basic/journal-importer.c b/src/basic/journal-importer.c
+index d25fd358e8..66119d2de1 100644
+--- a/src/basic/journal-importer.c
++++ b/src/basic/journal-importer.c
+@@ -24,6 +24,7 @@
+ #include "fd-util.h"
+ #include "parse-util.h"
+ #include "string-util.h"
++#include "unaligned.h"
+ 
+ enum {
+         IMPORTER_STATE_LINE = 0,    /* waiting to read, or reading line */
+@@ -203,7 +204,7 @@ static int get_data_size(JournalImporter *imp) {
+         if (r <= 0)
+                 return r;
+ 
+-        imp->data_size = le64toh( *(uint64_t *) data );
++        imp->data_size = unaligned_read_le64(data);
+         if (imp->data_size > DATA_SIZE_MAX) {
+                 log_error("Stream declares field with size %zu > DATA_SIZE_MAX = %u",
+                           imp->data_size, DATA_SIZE_MAX);

0015-basic-don-t-link-libm.so-into-libbasic.so-5628.patch

@@ -0,0 +1,29 @@
+From b4e76a669bedc420f9616c4a7d8b3e15b43fca78 Mon Sep 17 00:00:00 2001
+From: Thomas Haller <thaller@redhat.com>
+Date: Fri, 24 Mar 2017 15:36:06 +0100
+Subject: [PATCH] basic: don't link "libm.so" into "libbasic.so" (#5628)
+
+Very few parts of the systemd source require <math.h> or "libm.so".
+Linking libbasic with -lm drags the mathematical library in for all
+systemd components, and in turn for all users of systemd libraries.
+
+It's just unneeded.
+(cherry picked from commit 1539a651a9d31c18273df917bbfe175ab3606025)
+---
+ Makefile.am | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 2a5610740e..a767a5aa0d 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -1005,8 +1005,7 @@ libbasic_la_CFLAGS = \
+ libbasic_la_LIBADD = \
+ 	$(SELINUX_LIBS) \
+ 	$(CAP_LIBS) \
+-	-lrt \
+-	-lm
++	-lrt
+ 
+ # -----------------------------------------------------------------------------
+ noinst_LTLIBRARIES += \

0016-units-make-enablement-of-s-n-wait-online.service-fol.patch

@@ -0,0 +1,49 @@
+From edfdd314c82f42d2e571a24d6a8bdc674a892b43 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Mon, 27 Mar 2017 06:55:55 -0400
+Subject: [PATCH] units: make enablement of s-n-wait-online.service follow
+ systemd-networkd.service (#5635)
+
+In 58a6dd15582c038a25bd7059435833943e2e4617 s-n-wait-online.service was added
+to presets to synchronize the presets with the state after installation. But it
+is harmful to have s-n-wait-online.service enabled when s-n.service is
+disabled, because s-n-wait-online.service has Requsite=s-n.service and cannot
+be activated. Thus remove s-n-wait-online.service from presets again, and let
+it be enabled whenever s-n.service is enabled.
+
+During installation we create enablement symlinks by hand, and since s-n.service
+is enabled, s-n-w-o.service should be enabled too, so the symlink should still
+be created during installation.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1433459#c15(cherry picked from commit 9e49656037717b96c06b1f1507a41550bdb2c795)
+---
+ system-preset/90-systemd.preset      | 1 -
+ units/systemd-networkd.service.m4.in | 6 ++++++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/system-preset/90-systemd.preset b/system-preset/90-systemd.preset
+index 6b5349dc8d..3ba4bb760d 100644
+--- a/system-preset/90-systemd.preset
++++ b/system-preset/90-systemd.preset
+@@ -15,7 +15,6 @@ enable getty@.service
+ enable systemd-timesyncd.service
+ enable systemd-networkd.service
+ enable systemd-resolved.service
+-enable systemd-networkd-wait-online.service
+ 
+ disable console-getty.service
+ disable debug-shell.service
+diff --git a/units/systemd-networkd.service.m4.in b/units/systemd-networkd.service.m4.in
+index d1cf3fc133..2623b21947 100644
+--- a/units/systemd-networkd.service.m4.in
++++ b/units/systemd-networkd.service.m4.in
+@@ -39,3 +39,9 @@ SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete
+ [Install]
+ WantedBy=multi-user.target
+ Also=systemd-networkd.socket
++
++# We want to enable systemd-networkd-wait-online.service whenever this service
++# is enabled. systemd-networkd-wait-online.service has
++# WantedBy=network-online.target, so enabling it only has an effect if
++# network-online.target itself is enabled or pulled in by some other unit.
++Also=systemd-networkd-wait-online.service

0017-basic-forbid-rm_rf-to-remove-paths-ending-with-.-565.patch

@@ -0,0 +1,29 @@
+From 677a50e8e931741a174f45d9cae981253dfae3ff Mon Sep 17 00:00:00 2001
+From: Jan Synacek <jan.synacek@gmail.com>
+Date: Wed, 29 Mar 2017 08:25:52 +0200
+Subject: [PATCH] basic: forbid rm_rf() to remove paths ending with ".."
+ (#5653)
+
+Fixes: #5644(cherry picked from commit ab883125704b9310dcdfcf7451a27e85609da76c)
+---
+ src/basic/rm-rf.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/basic/rm-rf.c b/src/basic/rm-rf.c
+index 08497af729..bdaca264ff 100644
+--- a/src/basic/rm-rf.c
++++ b/src/basic/rm-rf.c
+@@ -187,6 +187,13 @@ int rm_rf(const char *path, RemoveFlags flags) {
+                 return -EPERM;
+         }
+ 
++        /* Another safe-check. Removing "/path/.." could easily remove entire root as well.
++         * It's especially easy to do using globs in tmpfiles, like "/path/.*", which the glob()
++         * function expands to both "/path/." and "/path/..".
++         * Return -EINVAL to be consistent with rmdir("/path/."). */
++        if (endswith(path, "/..") || endswith(path, "/../"))
++                return -EINVAL;
++
+         if ((flags & (REMOVE_SUBVOLUME|REMOVE_ROOT|REMOVE_PHYSICAL)) == (REMOVE_SUBVOLUME|REMOVE_ROOT|REMOVE_PHYSICAL)) {
+                 /* Try to remove as subvolume first */
+                 r = btrfs_subvol_remove(path, BTRFS_REMOVE_RECURSIVE|BTRFS_REMOVE_QUOTA);

0018-journal-fix-up-syslog-facility-when-forwarding-nativ.patch

@@ -0,0 +1,29 @@
+From 709ea8522339275193a9cef277f9b86926ba4068 Mon Sep 17 00:00:00 2001
+From: Michael Biebl <mbiebl@gmail.com>
+Date: Thu, 30 Mar 2017 11:56:25 +0200
+Subject: [PATCH] journal: fix up syslog facility when forwarding native
+ messages (#5667)
+
+Native journal messages (_TRANSPORT=journal) typically don't have a
+syslog facility attached to it. As a result when forwarding the messages
+to syslog they ended up with facility 0 (LOG_KERN).
+Apply syslog_fixup_facility() so we use LOG_USER instead.
+
+Fixes: #5640(cherry picked from commit b6a20306fa5dbb8129dd09e07efeacfcfc57363f)
+---
+ src/journal/journald-native.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/journal/journald-native.c b/src/journal/journald-native.c
+index 3c03b83754..c9bf3832c7 100644
+--- a/src/journal/journald-native.c
++++ b/src/journal/journald-native.c
+@@ -279,7 +279,7 @@ void server_process_native_message(
+ 
+         if (message) {
+                 if (s->forward_to_syslog)
+-                        server_forward_syslog(s, priority, identifier, message, ucred, tv);
++                        server_forward_syslog(s, syslog_fixup_facility(priority), identifier, message, ucred, tv);
+ 
+                 if (s->forward_to_kmsg)
+                         server_forward_kmsg(s, priority, identifier, message, ucred);

0019-networkd-fix-route_new_static-assert-when-IPv4LLRout.patch

@@ -0,0 +1,24 @@
+From 817b7724521ad886045fd89097c64c468fa9f87a Mon Sep 17 00:00:00 2001
+From: Susant Sahani <ssahani@users.noreply.github.com>
+Date: Fri, 31 Mar 2017 11:59:20 +0530
+Subject: [PATCH] networkd: fix route_new_static assert when IPv4LLRoute=true
+ (#5676)
+
+fixes: #5664(cherry picked from commit 0b180d754cd9b171f38e39554495841f666060f7)
+---
+ src/network/networkd-network.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c
+index ab372568de..fac42d8478 100644
+--- a/src/network/networkd-network.c
++++ b/src/network/networkd-network.c
+@@ -428,7 +428,7 @@ int network_apply(Network *network, Link *link) {
+         if (network->ipv4ll_route) {
+                 Route *route;
+ 
+-                r = route_new_static(network, "Network", 0, &route);
++                r = route_new_static(network, NULL, 0, &route);
+                 if (r < 0)
+                         return r;
+ 

0020-logind-Stopped-inhibitions-should-be-considered-inac.patch

@@ -0,0 +1,34 @@
+From 1bcc1b6eba1505f816c91db504098b5b8509311e Mon Sep 17 00:00:00 2001
+From: afrantzis <alexandros.frantzis@canonical.com>
+Date: Wed, 5 Apr 2017 11:32:55 +0300
+Subject: [PATCH] logind: Stopped inhibitions should be considered inactive
+ (#5698)
+
+(cherry picked from commit 5e8273acac6af57d8c9cdec57388bab451a4cbc0)
+---
+ src/login/logind-inhibit.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/login/logind-inhibit.c b/src/login/logind-inhibit.c
+index 5ca42b1ca2..1e6f383738 100644
+--- a/src/login/logind-inhibit.c
++++ b/src/login/logind-inhibit.c
+@@ -347,7 +347,7 @@ InhibitWhat manager_inhibit_what(Manager *m, InhibitMode mm) {
+         assert(m);
+ 
+         HASHMAP_FOREACH(i, m->inhibitors, j)
+-                if (i->mode == mm)
++                if (i->mode == mm && i->started)
+                         what |= i->what;
+ 
+         return what;
+@@ -388,6 +388,9 @@ bool manager_is_inhibited(
+         assert(w > 0 && w < _INHIBIT_WHAT_MAX);
+ 
+         HASHMAP_FOREACH(i, m->inhibitors, j) {
++                if (!i->started)
++                        continue;
++
+                 if (!(i->what & w))
+                         continue;
+ 

0021-core-downgrade-legit-error-logs-5705.patch

@@ -0,0 +1,36 @@
+From 678199bb6dbc8ee15ccffe6dc9d62b42e5ac6da8 Mon Sep 17 00:00:00 2001
+From: umuttl <umut@tezduyar.com>
+Date: Mon, 10 Apr 2017 13:12:25 +0200
+Subject: [PATCH] core: downgrade legit error logs (#5705)
+
+manager_sync_bus_names() function retrieves the dbus names
+and compares it with unit bus names. It could be right
+after the list is retrieved, the dbus peer is disconnected.
+In this case it is really not an ERROR print if
+sd_bus_get_name_creds() or sd_bus_creds_get_unique_name()
+fail.
+(cherry picked from commit ddbf0d4b92733a54de50724c756fd48237ad70c9)
+---
+ src/core/dbus.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/dbus.c b/src/core/dbus.c
+index 065f2d81d6..cfc045d282 100644
+--- a/src/core/dbus.c
++++ b/src/core/dbus.c
+@@ -753,13 +753,13 @@ int manager_sync_bus_names(Manager *m, sd_bus *bus) {
+                         /* If it is, determine its current owner */
+                         r = sd_bus_get_name_creds(bus, name, SD_BUS_CREDS_UNIQUE_NAME, &creds);
+                         if (r < 0) {
+-                                log_error_errno(r, "Failed to get bus name owner %s: %m", name);
++                                log_full_errno(r == -ENXIO ? LOG_DEBUG : LOG_ERR, r, "Failed to get bus name owner %s: %m", name);
+                                 continue;
+                         }
+ 
+                         r = sd_bus_creds_get_unique_name(creds, &unique);
+                         if (r < 0) {
+-                                log_error_errno(r, "Failed to get unique name for %s: %m", name);
++                                log_full_errno(r == -ENXIO ? LOG_DEBUG : LOG_ERR, r, "Failed to get unique name for %s: %m", name);
+                                 continue;
+                         }
+ 

0022-core-fix-values-of-BindPaths-and-BindReadOnlyPaths-p.patch

@@ -0,0 +1,32 @@
+From 22b4881bf042aceaf079efec71447ef17aa7e913 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Mon, 10 Apr 2017 14:20:17 +0300
+Subject: [PATCH] core: fix values of BindPaths and BindReadOnlyPaths
+ properties on 32-bit platforms (#5713)
+
+$ busctl get-property \
+    org.freedesktop.systemd1 \
+    /org/freedesktop/systemd1/unit/run_2dr471de87550554a6dbb165501c33c5dab_2eservice \
+    org.freedesktop.systemd1.Service BindReadOnlyPaths
+
+a(ssbt) 1 "/etc" "/etc" false 9228635523571007488
+
+The correct values are 0 and 16384
+(cherry picked from commit c9b061085678a8b00cf3631b123378fc6104a56f)
+---
+ src/core/dbus-execute.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
+index 7df4cab3f6..0454a28e12 100644
+--- a/src/core/dbus-execute.c
++++ b/src/core/dbus-execute.c
+@@ -710,7 +710,7 @@ static int property_get_bind_paths(
+                                 c->bind_mounts[i].source,
+                                 c->bind_mounts[i].destination,
+                                 c->bind_mounts[i].ignore_enoent,
+-                                c->bind_mounts[i].recursive ? MS_REC : 0);
++                                c->bind_mounts[i].recursive ? (uint64_t) MS_REC : (uint64_t) 0);
+                 if (r < 0)
+                         return r;
+         }

0023-tmpfiles-downgrade-error-message-when-operation-is-n.patch

@@ -0,0 +1,25 @@
+From 4dfc537efdff7b6297ff809a5c3f1a445f707c44 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Mon, 10 Apr 2017 20:22:18 +0900
+Subject: [PATCH] tmpfiles: downgrade error message when operation is not
+ supported (#5692)
+
+Fixes #5607
+(cherry picked from commit c258349f1a56b987fd91a5c136fd15536eec3890)
+---
+ src/tmpfiles/tmpfiles.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
+index 7326597b8c..ed6a9adaa6 100644
+--- a/src/tmpfiles/tmpfiles.c
++++ b/src/tmpfiles/tmpfiles.c
+@@ -973,7 +973,7 @@ static int path_set_attribute(Item *item, const char *path) {
+ 
+         r = chattr_fd(fd, f, item->attribute_mask);
+         if (r < 0)
+-                log_full_errno(r == -ENOTTY ? LOG_DEBUG : LOG_WARNING,
++                log_full_errno(r == -ENOTTY || r == -EOPNOTSUPP ? LOG_DEBUG : LOG_WARNING,
+                                r,
+                                "Cannot set file attribute for '%s', value=0x%08x, mask=0x%08x: %m",
+                                path, item->attribute_value, item->attribute_mask);

0024-loginctl-fix-typo-causing-ignoring-multiple-session-.patch

@@ -0,0 +1,25 @@
+From 1371c920fcdd9cef144e09547a72884c01581cf9 Mon Sep 17 00:00:00 2001
+From: slodki <slodki@users.noreply.github.com>
+Date: Thu, 13 Apr 2017 12:34:59 +0200
+Subject: [PATCH] loginctl: fix typo causing ignoring multiple session IDs
+ (#5732)
+
+Fixes #5733
+(cherry picked from commit b0d08b056e73007695f2f001213da73d19802e23)
+---
+ src/login/loginctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/login/loginctl.c b/src/login/loginctl.c
+index 7dea5c0859..68cac4cb08 100644
+--- a/src/login/loginctl.c
++++ b/src/login/loginctl.c
+@@ -929,7 +929,7 @@ static int show_session(int argc, char *argv[], void *userdata) {
+                 _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
+                 _cleanup_free_ char *path = NULL;
+ 
+-                r = get_session_path(bus, argv[1], &error, &path);
++                r = get_session_path(bus, argv[i], &error, &path);
+                 if (r < 0) {
+                         log_error("Failed to get session path: %s", bus_error_message(&error, r));
+                         return r;

0025-man-Fix-reference-to-timer-sync.target-instead-of-ti.patch

@@ -0,0 +1,40 @@
+From 432c3bd7c14c83306b66b3d3fdd7f834acd1856c Mon Sep 17 00:00:00 2001
+From: Philip Withnall <philip@tecnocode.co.uk>
+Date: Thu, 20 Apr 2017 11:34:26 +0100
+Subject: [PATCH] man: Fix reference to timer-sync.target instead of
+ time-sync.target (#5764)
+
+Also fix an erroneous reference to it in the NEWS file, for posterity.
+
+Signed-off-by: Philip Withnall <withnall@endlessm.com>(cherry picked from commit 46ae28d8c3b3c438dd1796b78bbff8f9dc188b31)
+---
+ NEWS                  | 2 +-
+ man/systemd.timer.xml | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index da9e203832..05822a2cdc 100644
+--- a/NEWS
++++ b/NEWS
+@@ -3315,7 +3315,7 @@ CHANGES WITH 216:
+           like Cockpit which register web clients as PAM sessions.
+ 
+         * timer units with at least one OnCalendar= setting will now
+-          be started only after timer-sync.target has been
++          be started only after time-sync.target has been
+           reached. This way they will not elapse before the system
+           clock has been corrected by a local NTP client or
+           similar. This is particular useful on RTC-less embedded
+diff --git a/man/systemd.timer.xml b/man/systemd.timer.xml
+index 4fe140e4bc..7102d626e1 100644
+--- a/man/systemd.timer.xml
++++ b/man/systemd.timer.xml
+@@ -93,7 +93,7 @@
+     on <filename>timers.target</filename>, as well as <varname>Conflicts=</varname> and <varname>Before=</varname> on
+     <filename>shutdown.target</filename> to ensure that they are stopped cleanly prior to system shutdown.  Timer units
+     with at least one <varname>OnCalendar=</varname> directive will have an additional <varname>After=</varname>
+-    dependency on <filename>timer-sync.target</filename> to avoid being started before the system clock has been
++    dependency on <filename>time-sync.target</filename> to avoid being started before the system clock has been
+     correctly set. Only timer units involved with early boot or late system shutdown should disable the
+     <varname>DefaultDependencies=</varname> option.</para>
+   </refsect1>

0026-units-systemd-resolved-should-start-before-network-o.patch

@@ -0,0 +1,32 @@
+From b8a7de0282ed299ec0897d00d0743bcf58492063 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Fri, 21 Apr 2017 18:21:17 +0900
+Subject: [PATCH] units: systemd-resolved should start before
+ network-online.target and nss-lookup.target (#5691)
+
+systemd-resolved provides
+1. local API via NSS and D-Bus
+2. kind of a local "DNS proxy" through its stub listener
+The 1st item should be started before nss-lookup.target.
+The 2nd item should be started before network-online.target,
+because if the networking works in general, then DNS (and DNS proxy) should too.
+
+Fixes #5650
+(cherry picked from commit 3e06055500755053050620a45236ef606507e1bd)
+---
+ units/systemd-resolved.service.m4.in | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/units/systemd-resolved.service.m4.in b/units/systemd-resolved.service.m4.in
+index d3b8f81601..41f696abe5 100644
+--- a/units/systemd-resolved.service.m4.in
++++ b/units/systemd-resolved.service.m4.in
+@@ -12,6 +12,8 @@ Documentation=http://www.freedesktop.org/wiki/Software/systemd/resolved
+ Documentation=http://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers
+ Documentation=http://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients
+ After=systemd-networkd.service network.target
++Before=network-online.target nss-lookup.target
++Wants=nss-lookup.target
+ 
+ # On kdbus systems we pull in the busname explicitly, because it
+ # carries policy that allows the daemon to acquire its name.

0027-sd-journal-return-SD_JOURNAL_INVALIDATE-only-if-jour.patch

@@ -0,0 +1,37 @@
+From 89a8044039733dea760056d4109bb201300e9b65 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekletar@users.noreply.github.com>
+Date: Mon, 24 Apr 2017 18:33:12 +0200
+Subject: [PATCH] sd-journal: return SD_JOURNAL_INVALIDATE only if journal
+ files were actually deleted/moved (#5580)
+
+When caller invokes sd_journal_open() we usually open at least one
+directory with journal files. add_root_directory() function increments
+current_invalidate_counter. After sd_journal_open() returns
+current_invalidate_counter != last_invalidate_counter.
+
+After caller waits for journal events (e.g. waits for new messages in
+journal) then it usually calls sd_journal_process(). However, on first
+call to sd_journal_process(), function determine_change() returns
+SD_JOURNAL_INVALIDATE even though no journal files were
+deleted/moved. This is because current_invalidate_counter !=
+last_invalidate_counter.
+
+After the fix we make sure counters has the same value before we begin
+processing inotify events.
+(cherry picked from commit f934644424daa6c86fd2284fe8f33ea233ece874)
+---
+ src/journal/sd-journal.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/journal/sd-journal.c b/src/journal/sd-journal.c
+index 71967a0f33..86afb4985d 100644
+--- a/src/journal/sd-journal.c
++++ b/src/journal/sd-journal.c
+@@ -2424,6 +2424,7 @@ _public_ int sd_journal_process(sd_journal *j) {
+         assert_return(!journal_pid_changed(j), -ECHILD);
+ 
+         j->last_process_usec = now(CLOCK_MONOTONIC);
++        j->last_invalidate_counter = j->current_invalidate_counter;
+ 
+         for (;;) {
+                 union inotify_event_buffer buffer;

0028-fstab-generator-do-not-skip-Before-ordering-for-noau.patch

@@ -0,0 +1,24 @@
+From fd22bede6e06da50ca072cdfdd7b9acbb5f1fc06 Mon Sep 17 00:00:00 2001
+From: Ivan Shapovalov <intelfx@intelfx.name>
+Date: Mon, 24 Apr 2017 20:38:53 +0400
+Subject: [PATCH] fstab-generator: do not skip Before= ordering for noauto
+ mountpoints (#5547)
+
+(cherry picked from commit bd6bcce4d7fd9f34f84588888fa9d0e664e0500b)
+---
+ src/fstab-generator/fstab-generator.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/fstab-generator/fstab-generator.c b/src/fstab-generator/fstab-generator.c
+index 2677a3fb32..50d350fce8 100644
+--- a/src/fstab-generator/fstab-generator.c
++++ b/src/fstab-generator/fstab-generator.c
+@@ -358,7 +358,7 @@ static int add_mount(
+                 "Documentation=man:fstab(5) man:systemd-fstab-generator(8)\n",
+                 source);
+ 
+-        if (!noauto && !nofail && !automount)
++        if (!nofail && !automount)
+                 fprintf(f, "Before=%s\n", post);
+ 
+         if (!automount && opts) {

0029-journald-fix-assertion-failure-on-journal_file_link_.patch

@@ -0,0 +1,32 @@
+From f88105d528645b5c99dbe5dcbd0300948a01c9c9 Mon Sep 17 00:00:00 2001
+From: Yusuke Nojima <nojima718@gmail.com>
+Date: Sun, 30 Apr 2017 02:37:53 +0900
+Subject: [PATCH] journald: fix assertion failure on journal_file_link_data.
+ (#5843)
+
+When some error occurs during the initialization of JournalFile,
+the JournalFile can be left without hash tables created.  When later
+trying to append an entry to that file, the assertion in
+journal_file_link_data() fails, and journald crashes.
+
+This patch fix this issue by checking *_hash_table_size in
+journal_file_verify_header().
+(cherry picked from commit 5b3cc0c86aeddd4615e7e28e79aa89e5b77a6507)
+---
+ src/journal/journal-file.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/journal/journal-file.c b/src/journal/journal-file.c
+index 14cb01a600..243d5198d9 100644
+--- a/src/journal/journal-file.c
++++ b/src/journal/journal-file.c
+@@ -613,6 +613,9 @@ static int journal_file_verify_header(JournalFile *f) {
+                         return -EBUSY;
+                 }
+ 
++                if (f->header->field_hash_table_size == 0 || f->header->data_hash_table_size == 0)
++                        return -EBADMSG;
++
+                 /* Don't permit appending to files from the future. Because otherwise the realtime timestamps wouldn't
+                  * be strictly ordered in the entries in the file anymore, and we can't have that since it breaks
+                  * bisection. */

0030-networkd-Add-check-to-ensure-link-is-down-before-att.patch

@@ -0,0 +1,85 @@
+From e6715ab647230fae7b489a5cc3edcb2d59c98e2f Mon Sep 17 00:00:00 2001
+From: Roelf Wichertjes <roelf@roelf.org>
+Date: Sun, 30 Apr 2017 13:12:32 +0200
+Subject: [PATCH] networkd: Add check to ensure link is down before attempting
+ to enslave (#5853)
+
+netdev to bond.
+
+There are situations where a link can be in an "UP" state when
+ systemd-networkd attempts to add the link to a bond device.
+This is a problem because the bonding driver will refuse to
+ enslave a link if it is in the "UP" state.
+This check ensures systemd-networkd sets the link to "DOWN"
+ before attempting to add the link to the bond.
+
+Fixes #5838.
+(cherry picked from commit 14b6bb776287e72887071dafae3d4c2c65ee926d)
+---
+ src/network/netdev/netdev.c | 8 ++++++++
+ src/network/networkd-link.c | 4 ++--
+ src/network/networkd-link.h | 3 +++
+ 3 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/src/network/netdev/netdev.c b/src/network/netdev/netdev.c
+index 9b9e83d9db..f70117e6f9 100644
+--- a/src/network/netdev/netdev.c
++++ b/src/network/netdev/netdev.c
+@@ -28,6 +28,7 @@
+ #include "network-internal.h"
+ #include "netdev/netdev.h"
+ #include "networkd-manager.h"
++#include "networkd-link.h"
+ #include "siphash24.h"
+ #include "stat-util.h"
+ #include "string-table.h"
+@@ -218,6 +219,13 @@ static int netdev_enslave_ready(NetDev *netdev, Link* link, sd_netlink_message_h
+         assert(link);
+         assert(callback);
+ 
++        if (link->flags & IFF_UP) {
++                log_netdev_debug(netdev, "Link '%s' was up when attempting to enslave it. Bringing link down.", link->ifname);
++                r = link_down(link);
++                if (r < 0)
++                        return log_netdev_error_errno(netdev, r, "Could not bring link down: %m");
++        }
++
+         r = sd_rtnl_message_new_link(netdev->manager->rtnl, &req, RTM_SETLINK, link->ifindex);
+         if (r < 0)
+                 return log_netdev_error_errno(netdev, r, "Could not allocate RTM_SETLINK message: %m");
+diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
+index 0c1229336b..c37bc7f602 100644
+--- a/src/network/networkd-link.c
++++ b/src/network/networkd-link.c
+@@ -1598,7 +1598,7 @@ static int link_up_handler(sd_netlink *rtnl, sd_netlink_message *m, void *userda
+         return 1;
+ }
+ 
+-static int link_up(Link *link) {
++int link_up(Link *link) {
+         _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *req = NULL;
+         uint8_t ipv6ll_mode;
+         int r;
+@@ -1719,7 +1719,7 @@ static int link_down_handler(sd_netlink *rtnl, sd_netlink_message *m, void *user
+         return 1;
+ }
+ 
+-static int link_down(Link *link) {
++int link_down(Link *link) {
+         _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *req = NULL;
+         int r;
+ 
+diff --git a/src/network/networkd-link.h b/src/network/networkd-link.h
+index e6190fbe57..be5c4f3284 100644
+--- a/src/network/networkd-link.h
++++ b/src/network/networkd-link.h
+@@ -138,6 +138,9 @@ int link_get(Manager *m, int ifindex, Link **ret);
+ int link_add(Manager *manager, sd_netlink_message *message, Link **ret);
+ void link_drop(Link *link);
+ 
++int link_up(Link *link);
++int link_down(Link *link);
++
+ int link_address_remove_handler(sd_netlink *rtnl, sd_netlink_message *m, void *userdata);
+ int link_route_remove_handler(sd_netlink *rtnl, sd_netlink_message *m, void *userdata);
+ 

0031-execute-Properly-log-errors-considering-socket-fds-5.patch

@@ -0,0 +1,36 @@
+From 66ff3b83bae08e5c3ddd9f62d2bdfbef2aaf95fb Mon Sep 17 00:00:00 2001
+From: Aggelos Avgerinos <evaggelos.avgerinos@gmail.com>
+Date: Tue, 9 May 2017 02:09:22 +0300
+Subject: [PATCH] execute: Properly log errors considering socket fds (#5910)
+
+Till now if the params->n_fds was 0, systemd was logging that there were
+more than one sockets.
+
+Thanks @gregoryp and @VFXcode who did the most work debugging this.
+(cherry picked from commit 488ab41cb89828e68162f34fb68241bbda700c05)
+---
+ src/core/execute.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/core/execute.c b/src/core/execute.c
+index d7798387c5..aa655cfae8 100644
+--- a/src/core/execute.c
++++ b/src/core/execute.c
+@@ -2927,11 +2927,16 @@ int exec_spawn(Unit *unit,
+             context->std_output == EXEC_OUTPUT_SOCKET ||
+             context->std_error == EXEC_OUTPUT_SOCKET) {
+ 
+-                if (params->n_fds != 1) {
++                if (params->n_fds > 1) {
+                         log_unit_error(unit, "Got more than one socket.");
+                         return -EINVAL;
+                 }
+ 
++                if (params->n_fds == 0) {
++                        log_unit_error(unit, "Got no socket.");
++                        return -EINVAL;
++                }
++
+                 socket_fd = params->fds[0];
+         } else {
+                 socket_fd = -1;

0032-pid1-improve-logging-when-failing-to-remount-ro-5940.patch

@@ -0,0 +1,100 @@
+From 207b45b46c41b84cbd2be29331c105308d66b3bd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Thu, 11 May 2017 12:12:41 -0400
+Subject: [PATCH] pid1: improve logging when failing to remount / ro (#5940)
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1227736#c49
+
+We counted how many filesystems could not be unmounted, but only for those
+filesystems which we tried to unmount. Since we only remount / ro, without
+attempting to unmount, we would emit a confusing error message:
+
+Remounting '/' read-only with options 'seclabel,space_cache,subvolid=5,subvol=/'.
+Remounting '/' read-only with options 'seclabel,space_cache,subvolid=5,subvol=/'.
+Remounting '/' read-only with options 'seclabel,space_cache,subvolid=5,subvol=/'.
+All filesystems unmounted.
+
+Warn when remount-ro fails, and for filesystems which we won't try to unmount,
+include the failure to remount-ro in n_failed.
+
+A few minor cleanups:
+- remove unecessary goto which jumps to the next line anyway
+- always calculate n_failed, even if log_error is false. This causes no change
+  in behaviour, but I think the code is easier to follow, since the log setting
+  cannot influence other logic.
+(cherry picked from commit c826cd3f7cfd950c8a86d57dfa6303f70de3e207)
+---
+ src/core/umount.c | 33 ++++++++++++++++++++-------------
+ 1 file changed, 20 insertions(+), 13 deletions(-)
+
+diff --git a/src/core/umount.c b/src/core/umount.c
+index 2f4b12bdb9..77b5bd9556 100644
+--- a/src/core/umount.c
++++ b/src/core/umount.c
+@@ -369,6 +369,14 @@ static int delete_dm(dev_t devnum) {
+         return 0;
+ }
+ 
++static bool nonunmountable_path(const char *path) {
++        return path_equal(path, "/")
++#ifndef HAVE_SPLIT_USR
++                || path_equal(path, "/usr")
++#endif
++                || path_startswith(path, "/run/initramfs");
++}
++
+ static int mount_points_list_umount(MountPoint **head, bool *changed, bool log_error) {
+         MountPoint *m, *n;
+         int n_failed = 0;
+@@ -404,21 +412,21 @@ static int mount_points_list_umount(MountPoint **head, bool *changed, bool log_e
+                          * somehwere else via a bind mount. If we
+                          * explicitly remount the super block of that
+                          * alias read-only we hence should be
+-                         * relatively safe regarding keeping the fs we
+-                         * can otherwise not see dirty. */
++                         * relatively safe regarding keeping dirty an fs
++                         * we cannot otherwise see. */
+                         log_info("Remounting '%s' read-only with options '%s'.", m->path, options);
+-                        (void) mount(NULL, m->path, NULL, MS_REMOUNT|MS_RDONLY, options);
++                        if (mount(NULL, m->path, NULL, MS_REMOUNT|MS_RDONLY, options) < 0) {
++                                if (log_error)
++                                        log_notice_errno(errno, "Failed to remount '%s' read-only: %m", m->path);
++                                if (nonunmountable_path(m->path))
++                                        n_failed++;
++                        }
+                 }
+ 
+                 /* Skip / and /usr since we cannot unmount that
+                  * anyway, since we are running from it. They have
+                  * already been remounted ro. */
+-                if (path_equal(m->path, "/")
+-#ifndef HAVE_SPLIT_USR
+-                    || path_equal(m->path, "/usr")
+-#endif
+-                    || path_startswith(m->path, "/run/initramfs")
+-                )
++                if (nonunmountable_path(m->path))
+                         continue;
+ 
+                 /* Trying to umount. We don't force here since we rely
+@@ -430,8 +438,9 @@ static int mount_points_list_umount(MountPoint **head, bool *changed, bool log_e
+                                 *changed = true;
+ 
+                         mount_point_free(head, m);
+-                } else if (log_error) {
+-                        log_warning_errno(errno, "Could not unmount %s: %m", m->path);
++                } else {
++                        if (log_error)
++                                log_warning_errno(errno, "Could not unmount %s: %m", m->path);
+                         n_failed++;
+                 }
+         }
+@@ -555,8 +564,6 @@ int umount_all(bool *changed) {
+ 
+         /* umount one more time with logging enabled */
+         r = mount_points_list_umount(&mp_list_head, &umount_changed, true);
+-        if (r <= 0)
+-                goto end;
+ 
+   end:
+         mount_points_list_free(&mp_list_head);

0033-sd-bus-fix-c-compatibility-5941.patch

@@ -0,0 +1,35 @@
+From 05fdab5434369be3fefef47d072403ca2c5b0aeb Mon Sep 17 00:00:00 2001
+From: Matthijs van Duin <matthijsvanduin@gmail.com>
+Date: Fri, 12 May 2017 00:55:26 +0200
+Subject: [PATCH] sd-bus: fix c++ compatibility (#5941)
+
+g++ annoyingly requires a non-empty struct-initializer to initialize all
+struct members, in order of declaration.
+
+Signed-off-by: Matthijs van Duin <matthijsvanduin@gmail.com>(cherry picked from commit cc9daff2289381d2fe7fb5ee7c3fa3435e8fc478)
+---
+ src/systemd/sd-bus-vtable.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/systemd/sd-bus-vtable.h b/src/systemd/sd-bus-vtable.h
+index 3563a2b126..1e82cae038 100644
+--- a/src/systemd/sd-bus-vtable.h
++++ b/src/systemd/sd-bus-vtable.h
+@@ -131,6 +131,7 @@ struct sd_bus_vtable {
+                         .member = _member,                              \
+                         .signature = _signature,                        \
+                         .get = _get,                                    \
++                        .set = NULL,                                    \
+                         .offset = _offset,                              \
+                     },                                                  \
+                 },                                                      \
+@@ -154,6 +155,9 @@ struct sd_bus_vtable {
+ #define SD_BUS_VTABLE_END                                               \
+         {                                                               \
+                 .type = _SD_BUS_VTABLE_END,                             \
++                .flags = 0,                                             \
++                .x = {                                                  \
++                },                                                      \
+         }
+ 
+ _SD_END_DECLARATIONS;

0034-man-fix-typo-network-zones-network-zone.patch

@@ -0,0 +1,27 @@
+From 6a9a1a31feb8b7144e9d02046bfdc8404409e513 Mon Sep 17 00:00:00 2001
+From: Elias Probst <mail@eliasprobst.eu>
+Date: Sat, 13 May 2017 20:55:03 +0200
+Subject: [PATCH] =?UTF-8?q?man:=20fix=20typo=20(`--network-zones`=20?=
+ =?UTF-8?q?=E2=86=92=20`--network-zone`)?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+(cherry picked from commit cf917c27b654d4f1ee719ea27f49c6db93a3ec9c)
+---
+ man/systemd-nspawn.xml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
+index a7af8c25db..ae7082776d 100644
+--- a/man/systemd-nspawn.xml
++++ b/man/systemd-nspawn.xml
+@@ -636,7 +636,7 @@
+         broadcast domain, here called a "zone". Each container may only be part of one zone, but each zone may contain
+         any number of containers. Each zone is referenced by its name. Names may be chosen freely (as long as they form
+         valid network interface names when prefixed with <literal>vz-</literal>), and it is sufficient to pass the same
+-        name to the <option>--network-zones=</option> switch of the various concurrently running containers to join
++        name to the <option>--network-zone=</option> switch of the various concurrently running containers to join
+         them in one zone.</para>
+ 
+         <para>Note that

0035-env-util-fix-memory-leak-5962.patch

@@ -0,0 +1,56 @@
+From 429a69d0dd273a431f396fe8f5846a8e8a1a0ac7 Mon Sep 17 00:00:00 2001
+From: Ronny Chevalier <chevalier.ronny@gmail.com>
+Date: Sun, 14 May 2017 16:30:40 +0200
+Subject: [PATCH] env-util: fix memory leak (#5962)
+
+If cunescape succeeds, but the assignment is not valid, uce is not freed.
+(cherry picked from commit 16eefcafedeecf0e282add6c1eadeebcb3ad0609)
+---
+ src/basic/env-util.c     |  4 +++-
+ src/test/test-env-util.c | 10 ++++++++++
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/src/basic/env-util.c b/src/basic/env-util.c
+index 1ec574e8a0..e79b441ab6 100644
+--- a/src/basic/env-util.c
++++ b/src/basic/env-util.c
+@@ -799,8 +799,10 @@ int deserialize_environment(char ***environment, const char *line) {
+         if (r < 0)
+                 return r;
+ 
+-        if (!env_assignment_is_valid(uce))
++        if (!env_assignment_is_valid(uce)) {
++                free(uce);
+                 return -EINVAL;
++        }
+ 
+         return strv_env_replace(environment, uce);
+ }
+diff --git a/src/test/test-env-util.c b/src/test/test-env-util.c
+index e5cc2a2df8..904c50f0ed 100644
+--- a/src/test/test-env-util.c
++++ b/src/test/test-env-util.c
+@@ -314,6 +314,15 @@ static void test_env_assignment_is_valid(void) {
+         assert_se(!env_assignment_is_valid("głąb=printf \"\x1b]0;<mock-chroot>\x07<mock-chroot>\""));
+ }
+ 
++static void test_deserialize_environment(void) {
++        _cleanup_strv_free_ char **env = strv_new("A=1", NULL);
++
++        assert_se(deserialize_environment(&env, "env=test") < 0);
++        assert_se(deserialize_environment(&env, "env=B=2") >= 0);
++
++        assert_se(strv_equal(env, STRV_MAKE("A=1", "B=2")));
++}
++
+ int main(int argc, char *argv[]) {
+         test_strv_env_delete();
+         test_strv_env_get();
+@@ -330,6 +339,7 @@ int main(int argc, char *argv[]) {
+         test_env_name_is_valid();
+         test_env_value_is_valid();
+         test_env_assignment_is_valid();
++        test_deserialize_environment();
+ 
+         return 0;
+ }

0036-conf-parser-fix-wrong-argument-given-to-log_syntax_i.patch

@@ -0,0 +1,46 @@
+From 8061fde2d95f0b67d299815a5944abeed0b1ee46 Mon Sep 17 00:00:00 2001
+From: Ronny Chevalier <chevalier.ronny@gmail.com>
+Date: Sun, 14 May 2017 13:19:11 +0200
+Subject: [PATCH] conf-parser: fix wrong argument given to
+ log_syntax_invalid_utf8
+
+The condition is on "word", hence we give word instead of rvalue.
+
+An assert would be triggered if !utf8_is_valid(word) is true and
+rvalue == NULL, since log_syntax_invalid_utf8 calls utf8_escape_invalid
+which calls assert(str).
+
+A test case has been added to test with valid and invalid utf8.
+
+(cherry picked from commit b4958f42af08a72cf02e845c8db8d60fe2e5a82f)
+---
+ src/shared/conf-parser.c    | 2 +-
+ src/test/test-conf-parser.c | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/shared/conf-parser.c b/src/shared/conf-parser.c
+index 265ac83dc0..863034d18a 100644
+--- a/src/shared/conf-parser.c
++++ b/src/shared/conf-parser.c
+@@ -792,7 +792,7 @@ int config_parse_strv(const char *unit,
+                 }
+ 
+                 if (!utf8_is_valid(word)) {
+-                        log_syntax_invalid_utf8(unit, LOG_ERR, filename, line, rvalue);
++                        log_syntax_invalid_utf8(unit, LOG_ERR, filename, line, word);
+                         free(word);
+                         continue;
+                 }
+diff --git a/src/test/test-conf-parser.c b/src/test/test-conf-parser.c
+index be5d2611f8..26ff27035b 100644
+--- a/src/test/test-conf-parser.c
++++ b/src/test/test-conf-parser.c
+@@ -180,6 +180,8 @@ static void test_config_parse_strv(void) {
+         test_config_parse_strv_one("foo", STRV_MAKE("foo"));
+         test_config_parse_strv_one("foo bar foo", STRV_MAKE("foo", "bar", "foo"));
+         test_config_parse_strv_one("\"foo bar\" foo", STRV_MAKE("foo bar", "foo"));
++        test_config_parse_strv_one("\xc3\x80", STRV_MAKE("\xc3\x80"));
++        test_config_parse_strv_one("\xc3\x7f", STRV_MAKE_EMPTY);
+ }
+ 
+ static void test_config_parse_mode(void) {

0037-test-conf-parser-add-valid-and-invalid-utf8-test-for.patch

@@ -0,0 +1,26 @@
+From fa32003951787e5fb4e974d72700bfaf3ab1aa80 Mon Sep 17 00:00:00 2001
+From: Ronny Chevalier <chevalier.ronny@gmail.com>
+Date: Sun, 14 May 2017 13:19:11 +0200
+Subject: [PATCH] test-conf-parser: add valid and invalid utf8 test for
+ config_parse_path
+
+(cherry picked from commit d5ade2d6027c67ef5a16d4a0e38c9fa38fd68212)
+---
+ src/test/test-conf-parser.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/test/test-conf-parser.c b/src/test/test-conf-parser.c
+index 26ff27035b..77fcbc0dd3 100644
+--- a/src/test/test-conf-parser.c
++++ b/src/test/test-conf-parser.c
+@@ -109,8 +109,10 @@ static void test_config_parse_path(void) {
+         test_config_parse_path_one("/path", "/path");
+         test_config_parse_path_one("/path//////////", "/path");
+         test_config_parse_path_one("///path/foo///bar////bar//", "/path/foo/bar/bar");
++        test_config_parse_path_one("/path/\xc3\x80", "/path/\xc3\x80");
+ 
+         test_config_parse_path_one("not_absolute/path", NULL);
++        test_config_parse_path_one("/path/\xc3\x7f", NULL);
+ }
+ 
+ static void test_config_parse_log_level(void) {

0038-man-fix-typo-m86k-m68k-5993.patch

@@ -0,0 +1,27 @@
+From 7785a2b82fcc11171699ccb9839a147ad6bf258d Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Fri, 19 May 2017 11:37:30 +0200
+Subject: [PATCH] =?UTF-8?q?man:=20fix=20typo=20m86k=20=E2=86=92=20m68k=20(?=
+ =?UTF-8?q?#5993)?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+(cherry picked from commit 215a2db41972230e1df7733d29727247685d58dc)
+---
+ man/systemd.unit.xml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml
+index 44841ac7dd..c963a93531 100644
+--- a/man/systemd.unit.xml
++++ b/man/systemd.unit.xml
+@@ -859,7 +859,7 @@
+         <varname>arm64-be</varname>,
+         <varname>sh</varname>,
+         <varname>sh64</varname>,
+-        <varname>m86k</varname>,
++        <varname>m68k</varname>,
+         <varname>tilegx</varname>,
+         <varname>cris</varname> to test
+         against a specific architecture. The architecture is

0039-journal-journald-console-fix-format-specifier-issue.patch

@@ -0,0 +1,33 @@
+From d91fd10aaee61ae9281f96f0661d2a3564ed4274 Mon Sep 17 00:00:00 2001
+From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Date: Wed, 22 Mar 2017 21:34:32 +0100
+Subject: [PATCH] journal/journald-console: fix format-specifier issue
+
+timespec::tv_nsec can have different sizes depending on the
+host architecture. On x32 in particular, it is 8 bytes long
+while the long int type is only 4 bytes long. Hence, using
+ld as a format specifier will trigger a format error. Thus,
+explicitly cast timespec::tv_nsec to nsec_t and use PRI_NSEC
+as the format specifier to make sure the sizes for both match.
+
+(cherry picked from commit b123d975ca50c5b44adaeb407cfd7da36c123b03)
+---
+ src/journal/journald-console.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/journal/journald-console.c b/src/journal/journald-console.c
+index 5126c2160e..5fbcdb43c2 100644
+--- a/src/journal/journald-console.c
++++ b/src/journal/journald-console.c
+@@ -72,9 +72,9 @@ void server_forward_console(
+         /* First: timestamp */
+         if (prefix_timestamp()) {
+                 assert_se(clock_gettime(CLOCK_MONOTONIC, &ts) == 0);
+-                xsprintf(tbuf, "[%5"PRI_TIME".%06ld] ",
++                xsprintf(tbuf, "[%5"PRI_TIME".%06"PRI_NSEC"] ",
+                          ts.tv_sec,
+-                         ts.tv_nsec / 1000);
++                         (nsec_t)ts.tv_nsec / 1000);
+                 IOVEC_SET_STRING(iovec[n++], tbuf);
+         }
+ 

0040-udev-udevadm-monitor-fix-format-specifier-issue.patch

@@ -0,0 +1,33 @@
+From e7327ee6a1c1bc10afa422587f4d7716f04f32bc Mon Sep 17 00:00:00 2001
+From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Date: Wed, 22 Mar 2017 21:40:51 +0100
+Subject: [PATCH] udev/udevadm-monitor: fix format-specifier issue
+
+timespec::tv_nsec can have different sizes depending on the
+host architecture. On x32 in particular, it is 8 bytes long
+while the long int type is only 4 bytes long. Hence, using
+ld as a format specifier will trigger a format error. Thus,
+explicitly cast timespec::tv_nsec to nsec_t and use PRI_NSEC
+as the format specifier to make sure the sizes for both match.
+
+(cherry picked from commit cc9211b030c1fa7dd8d0e14df1de3e2aba32e50c)
+---
+ src/udev/udevadm-monitor.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/udev/udevadm-monitor.c b/src/udev/udevadm-monitor.c
+index f631834341..94a59186ed 100644
+--- a/src/udev/udevadm-monitor.c
++++ b/src/udev/udevadm-monitor.c
+@@ -41,9 +41,9 @@ static void print_device(struct udev_device *device, const char *source, int pro
+         struct timespec ts;
+ 
+         assert_se(clock_gettime(CLOCK_MONOTONIC, &ts) == 0);
+-        printf("%-6s[%"PRI_TIME".%06ld] %-8s %s (%s)\n",
++        printf("%-6s[%"PRI_TIME".%06"PRI_NSEC"] %-8s %s (%s)\n",
+                source,
+-               ts.tv_sec, ts.tv_nsec/1000,
++               ts.tv_sec, (nsec_t)ts.tv_nsec/1000,
+                udev_device_get_action(device),
+                udev_device_get_devpath(device),
+                udev_device_get_subsystem(device));

0041-timesync-timesyncd-manager-fix-format-specifier-issu.patch

@@ -0,0 +1,52 @@
+From 589fa9087a49e4250099bb6a4cf00358379fa3a4 Mon Sep 17 00:00:00 2001
+From: Matija Skala <mskala@gmx.com>
+Date: Fri, 19 May 2017 14:36:12 +0200
+Subject: [PATCH] timesync/timesyncd-manager: fix format-specifier issues
+
+timex::time::tv_usec and timex::freq can have different sizes
+depending on the host architecture. On x32 in particular,
+it is 8 bytes long while the long int type is only 4 bytes
+long. Hence, using li as a format specifier will trigger
+a format error. Thus, introduce a new format specifier
+PRI_TIMEX which is defined as PRIi64 on x32 and li
+everywhere else.
+
+(cherry picked from commit 3bd7ef833caae7431a9c50450ce7b303234d45eb)
+---
+ src/basic/format-util.h          | 6 ++++++
+ src/timesync/timesyncd-manager.c | 4 ++--
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/basic/format-util.h b/src/basic/format-util.h
+index 39a185f59b..ae42a8f89e 100644
+--- a/src/basic/format-util.h
++++ b/src/basic/format-util.h
+@@ -54,6 +54,12 @@
+ #  error Unknown time_t size
+ #endif
+ 
++#if defined __x86_64__ && defined __ILP32__
++#  define PRI_TIMEX PRIi64
++#else
++#  define PRI_TIMEX "li"
++#endif
++
+ #if SIZEOF_RLIM_T == 8
+ #  define RLIM_FMT "%" PRIu64
+ #elif SIZEOF_RLIM_T == 4
+diff --git a/src/timesync/timesyncd-manager.c b/src/timesync/timesyncd-manager.c
+index 6a6c1577c6..11c495e291 100644
+--- a/src/timesync/timesyncd-manager.c
++++ b/src/timesync/timesyncd-manager.c
+@@ -379,9 +379,9 @@ static int manager_adjust_clock(Manager *m, double offset, int leap_sec) {
+ 
+         log_debug("  status       : %04i %s\n"
+                   "  time now     : %li.%03"PRI_USEC"\n"
+-                  "  constant     : %li\n"
++                  "  constant     : %"PRI_TIMEX"\n"
+                   "  offset       : %+.3f sec\n"
+-                  "  freq offset  : %+li (%i ppm)\n",
++                  "  freq offset  : %+"PRI_TIMEX" (%i ppm)\n",
+                   tmx.status, tmx.status & STA_UNSYNC ? "unsync" : "sync",
+                   tmx.time.tv_sec, tmx.time.tv_usec / NSEC_PER_MSEC,
+                   tmx.constant,

0042-timesync-timesyncd-manager-fix-format-specifier-issu.patch

@@ -0,0 +1,30 @@
+From 416ca19f3149e44fee7fee2df9b8e63042076fda Mon Sep 17 00:00:00 2001
+From: Matija Skala <mskala@gmx.com>
+Date: Fri, 19 May 2017 14:36:40 +0200
+Subject: [PATCH] timesync/timesyncd-manager: fix format-specifier issue
+
+timex::time::tv_sec can have different sizes depending on the
+host architecture. On x32 in particular, it is 8 bytes
+long while the long int type is only 4 bytes  long. Hence,
+using li as a format specifier will trigger a format
+error. Thus, better use PRI_TIME instead of li which is
+actually the right format specifier to use for time_t.
+
+(cherry picked from commit 0060bb8f5bbad433bc29405cc76b955d3125d8e9)
+---
+ src/timesync/timesyncd-manager.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/timesync/timesyncd-manager.c b/src/timesync/timesyncd-manager.c
+index 11c495e291..ae8514550a 100644
+--- a/src/timesync/timesyncd-manager.c
++++ b/src/timesync/timesyncd-manager.c
+@@ -378,7 +378,7 @@ static int manager_adjust_clock(Manager *m, double offset, int leap_sec) {
+         m->drift_ppm = tmx.freq / 65536;
+ 
+         log_debug("  status       : %04i %s\n"
+-                  "  time now     : %li.%03"PRI_USEC"\n"
++                  "  time now     : %"PRI_TIME".%03"PRI_USEC"\n"
+                   "  constant     : %"PRI_TIMEX"\n"
+                   "  offset       : %+.3f sec\n"
+                   "  freq offset  : %+"PRI_TIMEX" (%i ppm)\n",

0043-DHCP-when-adding-static-routes-set-scopes-properly-5.patch

@@ -0,0 +1,85 @@
+From c19df00f6def1ee74ae0812b529f2a1b589c256f Mon Sep 17 00:00:00 2001
+From: Daniel Wang <wonderfly@users.noreply.github.com>
+Date: Sat, 20 May 2017 04:05:18 -0700
+Subject: [PATCH] DHCP: when adding static routes set scopes properly (#5982)
+
+DHCP responses could include static routes, but unfortunately not an
+option to tell what scope to use. So it's important that the client sets
+it properly.
+
+This mimics what the `ip route add` command does when adding a static
+route without an explicit scope:
+
+* If the destination IP is on the local host, use scope `host`
+* Otherwise if the gateway IP is null (direct route), use scope `link`
+* If anything else, use the current default `global`.
+
+Fixes #5979.
+(cherry picked from commit d6eac9bd06066c8d041449538a9cdee0fd928835)
+---
+ man/systemd.network.xml      |  8 +++++---
+ src/network/networkd-dhcp4.c | 17 +++++++++++++++--
+ 2 files changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/man/systemd.network.xml b/man/systemd.network.xml
+index b807ebf29b..aaa7b0968d 100644
+--- a/man/systemd.network.xml
++++ b/man/systemd.network.xml
+@@ -937,9 +937,11 @@
+         <varlistentry>
+           <term><varname>UseRoutes=</varname></term>
+           <listitem>
+-            <para>When true (the default), the static routes will be
+-            requested from the DHCP server and added to the routing
+-            table with a metric of 1024.</para>
++            <para>When true (the default), the static routes will be requested from the DHCP server and added to the
++              routing table with a metric of 1024, and a scope of "global", "link" or "host", depending on the route's
++              destination and gateway. If the destination is on the local host, e.g., 127.x.x.x, or the same as the
++              link's own address, the scope will be set to "host". Otherwise if the gateway is null (a direct route), a
++              "link" scope will be used. For anything else, scope defaults to "global".</para>
+           </listitem>
+         </varlistentry>
+ 
+diff --git a/src/network/networkd-dhcp4.c b/src/network/networkd-dhcp4.c
+index c5c5b95c8f..ae0f78daab 100644
+--- a/src/network/networkd-dhcp4.c
++++ b/src/network/networkd-dhcp4.c
+@@ -52,8 +52,21 @@ static int dhcp4_route_handler(sd_netlink *rtnl, sd_netlink_message *m,
+         return 1;
+ }
+ 
++static int route_scope_from_address(const Route *route, const struct in_addr *self_addr) {
++        assert(route);
++        assert(self_addr);
++
++        if (in_addr_is_localhost(AF_INET, &route->dst) ||
++            (self_addr->s_addr && route->dst.in.s_addr == self_addr->s_addr))
++                return RT_SCOPE_HOST;
++        else if (in4_addr_is_null(&route->gw.in))
++                return RT_SCOPE_LINK;
++        else
++                return RT_SCOPE_UNIVERSE;
++}
++
+ static int link_set_dhcp_routes(Link *link) {
+-        struct in_addr gateway;
++        struct in_addr gateway, address;
+         _cleanup_free_ sd_dhcp_route **static_routes = NULL;
+         int r, n, i;
+ 
+@@ -69,7 +82,6 @@ static int link_set_dhcp_routes(Link *link) {
+                 return log_link_warning_errno(link, r, "DHCP error: could not get gateway: %m");
+ 
+         if (r >= 0) {
+-                struct in_addr address;
+                 _cleanup_route_free_ Route *route = NULL;
+                 _cleanup_route_free_ Route *route_gw = NULL;
+ 
+@@ -141,6 +153,7 @@ static int link_set_dhcp_routes(Link *link) {
+                 assert_se(sd_dhcp_route_get_destination_prefix_length(static_routes[i], &route->dst_prefixlen) >= 0);
+                 route->priority = link->network->dhcp_route_metric;
+                 route->table = link->network->dhcp_route_table;
++                route->scope = route_scope_from_address(route, &address);
+ 
+                 r = route_configure(route, link, dhcp4_route_handler);
+                 if (r < 0)

0044-journald-use-unaligned_read-instead-of-memcpy.patch

@@ -0,0 +1,40 @@
+From 32fb431ebca202f885257c50574bf1c13939e5e9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Sat, 13 May 2017 22:42:08 -0400
+Subject: [PATCH] journald: use unaligned_read instead of memcpy
+
+(cherry picked from commit 731e10f3c588a31936454d3207155c497219d99a)
+---
+ src/journal/journald-native.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/src/journal/journald-native.c b/src/journal/journald-native.c
+index c9bf3832c7..d839e04488 100644
+--- a/src/journal/journald-native.c
++++ b/src/journal/journald-native.c
+@@ -40,6 +40,7 @@
+ #include "selinux-util.h"
+ #include "socket-util.h"
+ #include "string-util.h"
++#include "unaligned.h"
+ 
+ bool valid_user_field(const char *p, size_t l, bool allow_protected) {
+         const char *a;
+@@ -218,7 +219,6 @@ void server_process_native_message(
+                         p = e + 1;
+                         continue;
+                 } else {
+-                        le64_t l_le;
+                         uint64_t l;
+                         char *k;
+ 
+@@ -227,8 +227,7 @@ void server_process_native_message(
+                                 break;
+                         }
+ 
+-                        memcpy(&l_le, e + 1, sizeof(uint64_t));
+-                        l = le64toh(l_le);
++                        l = unaligned_read_le64(e + 1);
+ 
+                         if (l > DATA_SIZE_MAX) {
+                                 log_debug("Received binary data block of %"PRIu64" bytes is too large, ignoring.", l);

0045-journal-remote-fix-memleak-of-the-name-of-the-remote.patch

@@ -0,0 +1,36 @@
+From d56ab41b58a760907c5fda19b79bcb01aa9611d8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Sat, 13 May 2017 22:42:14 -0400
+Subject: [PATCH] journal-remote: fix memleak of the name of the remote source
+
+(cherry picked from commit 2ddb70d26f9a284fbf38bca37ea857f24c3f39de)
+---
+ src/basic/journal-importer.c              | 1 +
+ src/journal-remote/journal-remote-parse.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/basic/journal-importer.c b/src/basic/journal-importer.c
+index 66119d2de1..7d72effdea 100644
+--- a/src/basic/journal-importer.c
++++ b/src/basic/journal-importer.c
+@@ -69,6 +69,7 @@ void journal_importer_cleanup(JournalImporter *imp) {
+                 safe_close(imp->fd);
+         }
+ 
++        free(imp->name);
+         free(imp->buf);
+         iovw_free_contents(&imp->iovw);
+ }
+diff --git a/src/journal-remote/journal-remote-parse.c b/src/journal-remote/journal-remote-parse.c
+index 79afe6604c..d61d1c18f6 100644
+--- a/src/journal-remote/journal-remote-parse.c
++++ b/src/journal-remote/journal-remote-parse.c
+@@ -41,7 +41,7 @@ void source_free(RemoteSource *source) {
+ 
+ /**
+  * Initialize zero-filled source with given values. On success, takes
+- * ownerhship of fd and writer, otherwise does not touch them.
++ * ownership of fd, name, and writer, otherwise does not touch them.
+  */
+ RemoteSource* source_new(int fd, bool passive_fd, char *name, Writer *writer) {
+ 

0046-shared-logs-show-avoid-printing-null-when-timestamp-.patch

@@ -0,0 +1,57 @@
+From c5af9aa2ccab078cf6f5bf68b88a3defa2f768f8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Sat, 13 May 2017 16:40:09 -0400
+Subject: [PATCH] shared/logs-show: avoid printing "(null)" when timestamp is
+ not specified
+
+$ perl -e 'print("MESSAGE\n", pack("q<", 1), "A\n\nMESSAGE=test2\n")' > message.bin
+$ systemd-journal-remote -o /tmp/out.journal message.bin
+$ journalctl -o export --file /tmp/out.journal
+__CURSOR=s=b16c464c2db44384b29e75a564d8388e;i=1;b=6b0be47627bd4932913dc126012c21c0;m=0;t=0;x=b04263a253e357a
+__REALTIME_TIMESTAMP=0
+__MONOTONIC_TIMESTAMP=0
+_BOOT_ID=6b0be47627bd4932913dc126012c21c0
+MESSAGE=A
+
+$ journalctl -o verbose --file /tmp/out.journal
+(null) [s=b16c464c2db44384b29e75a564d8388e;i=1;b=6b0be47627bd4932913dc126012c21c0;m=0;t=0;x=b04263a253e357a]
+    MESSAGE=A
+
+This is changed to
+$ build/journalctl -o verbose --file /tmp/out.journal
+(no timestamp) [s=b16c464c2db44384b29e75a564d8388e;i=1;b=6b0be47627bd4932913dc126012c21c0;m=0;t=0;x=b04263a253e357a]
+    MESSAGE=A
+
+We should deal gracefully with unexpected input.
+
+(cherry picked from commit 8924973ae2e1f0a0c131dcec0578669dc26e5e26)
+---
+ src/shared/logs-show.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/shared/logs-show.c b/src/shared/logs-show.c
+index 72c43e80cb..b4c72215c4 100644
+--- a/src/shared/logs-show.c
++++ b/src/shared/logs-show.c
+@@ -473,6 +473,7 @@ static int output_verbose(
+         _cleanup_free_ char *cursor = NULL;
+         uint64_t realtime = 0;
+         char ts[FORMAT_TIMESTAMP_MAX + 7];
++        const char *timestamp;
+         int r;
+ 
+         assert(f);
+@@ -508,10 +509,10 @@ static int output_verbose(
+         if (r < 0)
+                 return log_error_errno(r, "Failed to get cursor: %m");
+ 
++        timestamp = flags & OUTPUT_UTC ? format_timestamp_us_utc(ts, sizeof ts, realtime)
++                                       : format_timestamp_us(ts, sizeof ts, realtime);
+         fprintf(f, "%s [%s]\n",
+-                flags & OUTPUT_UTC ?
+-                format_timestamp_us_utc(ts, sizeof(ts), realtime) :
+-                format_timestamp_us(ts, sizeof(ts), realtime),
++                timestamp ?: "(no timestamp)",
+                 cursor);
+ 
+         JOURNAL_FOREACH_DATA_RETVAL(j, data, length, r) {

0047-journald-properly-process-multiple-entries-in-the-sa.patch

@@ -0,0 +1,207 @@
+From 88cf51c38bb39b49e2b11cdde7ac20ca851ea344 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Sat, 13 May 2017 22:34:40 -0400
+Subject: [PATCH] journald: properly process multiple entries in the same
+ native packet
+
+For all except the last entry in a single packet, we would dispatch the
+message to the journal, but not forward it, nor perform proper cleanup.
+Rewrite the code to process each entry in a helper function, and make
+server_process_native_message() just call this function in a loop.
+
+Fixes #5643.
+
+v2:
+- properly decrement *remaining when processing entry separator
+
+(cherry picked from commit 68944f196bc85b067de71c4fe1631d824d0aded5)
+---
+ src/journal/journald-native.c | 83 +++++++++++++++++++++++++------------------
+ 1 file changed, 49 insertions(+), 34 deletions(-)
+
+diff --git a/src/journal/journald-native.c b/src/journal/journald-native.c
+index d839e04488..83250c34e1 100644
+--- a/src/journal/journald-native.c
++++ b/src/journal/journald-native.c
+@@ -81,60 +81,52 @@ static bool allow_object_pid(const struct ucred *ucred) {
+         return ucred && ucred->uid == 0;
+ }
+ 
+-void server_process_native_message(
++static int server_process_entry(
+                 Server *s,
+-                const void *buffer, size_t buffer_size,
++                const void *buffer, size_t *remaining,
+                 const struct ucred *ucred,
+                 const struct timeval *tv,
+                 const char *label, size_t label_len) {
+ 
++        /* Process a single entry from a native message.
++         * Returns 0 if nothing special happened and the message processing should continue,
++         * and a negative or positive value otherwise.
++         *
++         * Note that *remaining is altered on both success and failure. */
++
+         struct iovec *iovec = NULL;
+         unsigned n = 0, j, tn = (unsigned) -1;
+         const char *p;
+-        size_t remaining, m = 0, entry_size = 0;
++        size_t m = 0, entry_size = 0;
+         int priority = LOG_INFO;
+         char *identifier = NULL, *message = NULL;
+         pid_t object_pid = 0;
+-
+-        assert(s);
+-        assert(buffer || buffer_size == 0);
++        int r = 0;
+ 
+         p = buffer;
+-        remaining = buffer_size;
+ 
+-        while (remaining > 0) {
++        while (*remaining > 0) {
+                 const char *e, *q;
+ 
+-                e = memchr(p, '\n', remaining);
++                e = memchr(p, '\n', *remaining);
+ 
+                 if (!e) {
+                         /* Trailing noise, let's ignore it, and flush what we collected */
+                         log_debug("Received message with trailing noise, ignoring.");
++                        r = 1; /* finish processing of the message */
+                         break;
+                 }
+ 
+                 if (e == p) {
+                         /* Entry separator */
+-
+-                        if (entry_size + n + 1 > ENTRY_SIZE_MAX) { /* data + separators + trailer */
+-                                log_debug("Entry is too big with %u properties and %zu bytes, ignoring.", n, entry_size);
+-                                continue;
+-                        }
+-
+-                        server_dispatch_message(s, iovec, n, m, ucred, tv, label, label_len, NULL, priority, object_pid);
+-                        n = 0;
+-                        priority = LOG_INFO;
+-                        entry_size = 0;
+-
+-                        p++;
+-                        remaining--;
+-                        continue;
++                        *remaining -= 1;
++                        break;
+                 }
+ 
+                 if (*p == '.' || *p == '#') {
+                         /* Ignore control commands for now, and
+                          * comments too. */
+-                        remaining -= (e - p) + 1;
++                        *remaining -= (e - p) + 1;
+                         p = e + 1;
+                         continue;
+                 }
+@@ -143,7 +135,7 @@ void server_process_native_message(
+ 
+                 /* n existing properties, 1 new, +1 for _TRANSPORT */
+                 if (!GREEDY_REALLOC(iovec, m, n + 2 + N_IOVEC_META_FIELDS + N_IOVEC_OBJECT_FIELDS)) {
+-                        log_oom();
++                        r = log_oom();
+                         break;
+                 }
+ 
+@@ -160,7 +152,7 @@ void server_process_native_message(
+                                  * field */
+                                 iovec[n].iov_base = (char*) p;
+                                 iovec[n].iov_len = l;
+-                                entry_size += iovec[n].iov_len;
++                                entry_size += l;
+                                 n++;
+ 
+                                 /* We need to determine the priority
+@@ -210,19 +202,18 @@ void server_process_native_message(
+                                         memcpy(buf, p + strlen("OBJECT_PID="), l - strlen("OBJECT_PID="));
+                                         buf[l-strlen("OBJECT_PID=")] = '\0';
+ 
+-                                        /* ignore error */
+-                                        parse_pid(buf, &object_pid);
++                                        (void) parse_pid(buf, &object_pid);
+                                 }
+                         }
+ 
+-                        remaining -= (e - p) + 1;
++                        *remaining -= (e - p) + 1;
+                         p = e + 1;
+                         continue;
+                 } else {
+                         uint64_t l;
+                         char *k;
+ 
+-                        if (remaining < e - p + 1 + sizeof(uint64_t) + 1) {
++                        if (*remaining < e - p + 1 + sizeof(uint64_t) + 1) {
+                                 log_debug("Failed to parse message, ignoring.");
+                                 break;
+                         }
+@@ -234,7 +225,7 @@ void server_process_native_message(
+                                 break;
+                         }
+ 
+-                        if ((uint64_t) remaining < e - p + 1 + sizeof(uint64_t) + l + 1 ||
++                        if ((uint64_t) *remaining < e - p + 1 + sizeof(uint64_t) + l + 1 ||
+                             e[1+sizeof(uint64_t)+l] != '\n') {
+                                 log_debug("Failed to parse message, ignoring.");
+                                 break;
+@@ -258,13 +249,15 @@ void server_process_native_message(
+                         } else
+                                 free(k);
+ 
+-                        remaining -= (e - p) + 1 + sizeof(uint64_t) + l + 1;
++                        *remaining -= (e - p) + 1 + sizeof(uint64_t) + l + 1;
+                         p = e + 1 + sizeof(uint64_t) + l + 1;
+                 }
+         }
+ 
+-        if (n <= 0)
++        if (n <= 0) {
++                r = 1;
+                 goto finish;
++        }
+ 
+         tn = n++;
+         IOVEC_SET_STRING(iovec[tn], "_TRANSPORT=journal");
+@@ -298,13 +291,35 @@ finish:
+                         continue;
+ 
+                 if (iovec[j].iov_base < buffer ||
+-                    (const uint8_t*) iovec[j].iov_base >= (const uint8_t*) buffer + buffer_size)
++                    (const char*) iovec[j].iov_base >= p + *remaining)
+                         free(iovec[j].iov_base);
+         }
+ 
+         free(iovec);
+         free(identifier);
+         free(message);
++
++        return r;
++}
++
++void server_process_native_message(
++                Server *s,
++                const void *buffer, size_t buffer_size,
++                const struct ucred *ucred,
++                const struct timeval *tv,
++                const char *label, size_t label_len) {
++
++        int r;
++        size_t remaining = buffer_size;
++
++        assert(s);
++        assert(buffer || buffer_size == 0);
++
++        do {
++                r = server_process_entry(s,
++                                         (const uint8_t*) buffer + (buffer_size - remaining), &remaining,
++                                         ucred, tv, label, label_len);
++        } while (r == 0);
+ }
+ 
+ void server_process_native_file(

0048-journald-process-binary-fields-the-same-as-text-fiel.patch

@@ -0,0 +1,168 @@
+From 6a4bb8712d25a3e8e4700c7a3c6c9bd614c74d7f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Fri, 19 May 2017 11:59:47 -0400
+Subject: [PATCH] journald: process "binary" fields the same as text fields
+
+MESSAGE=data\n and MESSAGE\n40000000data\n are both valid serializations, so
+they should be stored in the journal. Before, MESSAGE, SYSLOG_FACILITY,
+SYSLOG_IDENTIFIER, PRIORITY, and OBJECT_PID would be only honoured if they were
+given in the first form.
+
+Fixed #5973.
+
+(cherry picked from commit 4b29a7f41fa1f418520d66362fd904a504f67c02)
+---
+ src/journal/journald-native.c | 120 ++++++++++++++++++++++++------------------
+ 1 file changed, 70 insertions(+), 50 deletions(-)
+
+diff --git a/src/journal/journald-native.c b/src/journal/journald-native.c
+index 83250c34e1..db3fdcf1df 100644
+--- a/src/journal/journald-native.c
++++ b/src/journal/journald-native.c
+@@ -81,6 +81,64 @@ static bool allow_object_pid(const struct ucred *ucred) {
+         return ucred && ucred->uid == 0;
+ }
+ 
++static void server_process_entry_meta(
++                const char *p, size_t l,
++                const struct ucred *ucred,
++                int *priority,
++                char **identifier,
++                char **message,
++                pid_t *object_pid) {
++
++        /* We need to determine the priority of this entry for the rate limiting logic */
++
++        if (l == 10 &&
++            startswith(p, "PRIORITY=") &&
++            p[9] >= '0' && p[9] <= '9')
++                *priority = (*priority & LOG_FACMASK) | (p[9] - '0');
++
++        else if (l == 17 &&
++                 startswith(p, "SYSLOG_FACILITY=") &&
++                 p[16] >= '0' && p[16] <= '9')
++                *priority = (*priority & LOG_PRIMASK) | ((p[16] - '0') << 3);
++
++        else if (l == 18 &&
++                 startswith(p, "SYSLOG_FACILITY=") &&
++                 p[16] >= '0' && p[16] <= '9' &&
++                 p[17] >= '0' && p[17] <= '9')
++                *priority = (*priority & LOG_PRIMASK) | (((p[16] - '0')*10 + (p[17] - '0')) << 3);
++
++        else if (l >= 19 &&
++                 startswith(p, "SYSLOG_IDENTIFIER=")) {
++                char *t;
++
++                t = strndup(p + 18, l - 18);
++                if (t) {
++                        free(*identifier);
++                        *identifier = t;
++                }
++
++        } else if (l >= 8 &&
++                   startswith(p, "MESSAGE=")) {
++                char *t;
++
++                t = strndup(p + 8, l - 8);
++                if (t) {
++                        free(*message);
++                        *message = t;
++                }
++
++        } else if (l > strlen("OBJECT_PID=") &&
++                   l < strlen("OBJECT_PID=")  + DECIMAL_STR_MAX(pid_t) &&
++                   startswith(p, "OBJECT_PID=") &&
++                   allow_object_pid(ucred)) {
++                char buf[DECIMAL_STR_MAX(pid_t)];
++                memcpy(buf, p + strlen("OBJECT_PID="), l - strlen("OBJECT_PID="));
++                buf[l-strlen("OBJECT_PID=")] = '\0';
++
++                (void) parse_pid(buf, object_pid);
++        }
++}
++
+ static int server_process_entry(
+                 Server *s,
+                 const void *buffer, size_t *remaining,
+@@ -148,62 +206,18 @@ static int server_process_entry(
+ 
+                                 /* If the field name starts with an
+                                  * underscore, skip the variable,
+-                                 * since that indidates a trusted
++                                 * since that indicates a trusted
+                                  * field */
+                                 iovec[n].iov_base = (char*) p;
+                                 iovec[n].iov_len = l;
+                                 entry_size += l;
+                                 n++;
+ 
+-                                /* We need to determine the priority
+-                                 * of this entry for the rate limiting
+-                                 * logic */
+-                                if (l == 10 &&
+-                                    startswith(p, "PRIORITY=") &&
+-                                    p[9] >= '0' && p[9] <= '9')
+-                                        priority = (priority & LOG_FACMASK) | (p[9] - '0');
+-
+-                                else if (l == 17 &&
+-                                         startswith(p, "SYSLOG_FACILITY=") &&
+-                                         p[16] >= '0' && p[16] <= '9')
+-                                        priority = (priority & LOG_PRIMASK) | ((p[16] - '0') << 3);
+-
+-                                else if (l == 18 &&
+-                                         startswith(p, "SYSLOG_FACILITY=") &&
+-                                         p[16] >= '0' && p[16] <= '9' &&
+-                                         p[17] >= '0' && p[17] <= '9')
+-                                        priority = (priority & LOG_PRIMASK) | (((p[16] - '0')*10 + (p[17] - '0')) << 3);
+-
+-                                else if (l >= 19 &&
+-                                         startswith(p, "SYSLOG_IDENTIFIER=")) {
+-                                        char *t;
+-
+-                                        t = strndup(p + 18, l - 18);
+-                                        if (t) {
+-                                                free(identifier);
+-                                                identifier = t;
+-                                        }
+-
+-                                } else if (l >= 8 &&
+-                                           startswith(p, "MESSAGE=")) {
+-                                        char *t;
+-
+-                                        t = strndup(p + 8, l - 8);
+-                                        if (t) {
+-                                                free(message);
+-                                                message = t;
+-                                        }
+-
+-                                } else if (l > strlen("OBJECT_PID=") &&
+-                                           l < strlen("OBJECT_PID=")  + DECIMAL_STR_MAX(pid_t) &&
+-                                           startswith(p, "OBJECT_PID=") &&
+-                                           allow_object_pid(ucred)) {
+-                                        char buf[DECIMAL_STR_MAX(pid_t)];
+-                                        memcpy(buf, p + strlen("OBJECT_PID="), l - strlen("OBJECT_PID="));
+-                                        buf[l-strlen("OBJECT_PID=")] = '\0';
+-
+-                                        (void) parse_pid(buf, &object_pid);
+-                                }
++                                server_process_entry_meta(p, l, ucred,
++                                                          &priority,
++                                                          &identifier,
++                                                          &message,
++                                                          &object_pid);
+                         }
+ 
+                         *remaining -= (e - p) + 1;
+@@ -246,6 +260,12 @@ static int server_process_entry(
+                                 iovec[n].iov_len = (e - p) + 1 + l;
+                                 entry_size += iovec[n].iov_len;
+                                 n++;
++
++                                server_process_entry_meta(k, (e - p) + 1 + l, ucred,
++                                                          &priority,
++                                                          &identifier,
++                                                          &message,
++                                                          &object_pid);
+                         } else
+                                 free(k);
+ 

0049-journald-fix-trivial-memleak.patch

@@ -0,0 +1,39 @@
+From 68a923966fcbce01bb867108a877e9c2fa783dc9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Fri, 19 May 2017 12:52:05 -0400
+Subject: [PATCH] journald: fix trivial memleak
+
+Fixes #5516.
+
+(cherry picked from commit c6e9e16f7702188127bf8dfbac45a87f8d1a3512)
+---
+ src/journal/journald-server.c | 2 ++
+ src/journal/journald-server.h | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
+index 6466e46ccc..da85260ccd 100644
+--- a/src/journal/journald-server.c
++++ b/src/journal/journald-server.c
+@@ -2177,6 +2177,8 @@ void server_done(Server *s) {
+         free(s->tty_path);
+         free(s->cgroup_root);
+         free(s->hostname_field);
++        free(s->runtime_storage.path);
++        free(s->system_storage.path);
+ 
+         if (s->mmap)
+                 mmap_cache_unref(s->mmap);
+diff --git a/src/journal/journald-server.h b/src/journal/journald-server.h
+index 75ac114d24..203460c50a 100644
+--- a/src/journal/journald-server.h
++++ b/src/journal/journald-server.h
+@@ -61,7 +61,7 @@ typedef struct JournalStorageSpace {
+ 
+ typedef struct JournalStorage {
+         const char *name;
+-        const char *path;
++        char *path;
+ 
+         JournalMetrics metrics;
+         JournalStorageSpace space;

0050-core-load-droping-avoid-oom-warning-when-the-unit-sy.patch

@@ -0,0 +1,38 @@
+From 90c0dc446632c7b5b2ed6251e0ce94c714b5a180 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Sat, 20 May 2017 19:34:50 -0400
+Subject: [PATCH] core/load-droping: avoid oom warning when the unit symlink is
+ not a template
+
+unit_name_template returns -EINVAL if the unit name is not a template, but
+the code assumed that OOM is the only failure mode. Fix that to emit the warning
+if a non-template unit is encountered (because in this case we expect the name
+to match exactly), and just skip the warning on other errors (presumably oom).
+
+Fixes #5543.
+
+(cherry picked from commit e450032f0990067c0076068774162265db99d22c)
+---
+ src/core/load-dropin.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/core/load-dropin.c b/src/core/load-dropin.c
+index ff3636149a..3180f911bb 100644
+--- a/src/core/load-dropin.c
++++ b/src/core/load-dropin.c
+@@ -38,10 +38,12 @@ static bool unit_name_compatible(const char *a, const char *b) {
+                 return true;
+ 
+         r = unit_name_template(a, &prefix);
+-        if (r < 0) {
+-                log_oom();
++        if (r == -EINVAL)
++                /* not a template */
++                return false;
++        if (r < 0)
++                /* oom, or some other failure. Just skip the warning. */
+                 return true;
+-        }
+ 
+         /* an instance name points to a target that is just the template name */
+         if (streq(prefix, b))

0051-sd-login-read-list-of-uids-of-sessions-from-UIDS-not.patch

@@ -0,0 +1,36 @@
+From 5dd32bbe8c4cb06df63cadb7e40ecd92997f001d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Thu, 18 May 2017 20:58:23 -0400
+Subject: [PATCH] sd-login: read list of uids of sessions from UIDS not
+ ACTIVE_SESSIONS
+
+As described by Luke Shumaker:
+
+  sd_seat_get_sessions looks at /run/systemd/seats/${seat_name}:SESSIONS to get
+  the list of sessions (which I believe is correct), and at
+  /run/systemd/seats/${seat_name}:ACTIVE_SESSIONS for the list of users (which
+  I believe is incorrect); I believe that it should look at the UIDS field for
+  the list of users. As far as I can tell, the ACTIVE_SESSIONS field is never
+  even present in the seats file. I also believe that this has been broken
+  since the function was first committed almost 6 years ago.
+
+Fixes #5743.
+
+(cherry picked from commit d3cfab3148de482649e22d9dbbfec6e967a80856)
+---
+ src/libsystemd/sd-login/sd-login.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libsystemd/sd-login/sd-login.c b/src/libsystemd/sd-login/sd-login.c
+index d2cfbdf5b0..cdbdc37856 100644
+--- a/src/libsystemd/sd-login/sd-login.c
++++ b/src/libsystemd/sd-login/sd-login.c
+@@ -687,7 +687,7 @@ _public_ int sd_seat_get_sessions(const char *seat, char ***sessions, uid_t **ui
+ 
+         r = parse_env_file(p, NEWLINE,
+                            "SESSIONS", &s,
+-                           "ACTIVE_SESSIONS", &t,
++                           "UIDS", &t,
+                            NULL);
+         if (r == -ENOENT)
+                 return -ENXIO;

0052-Allow-bad-MTU-values-with-warning-to-be-able-to-conn.patch

@@ -0,0 +1,29 @@
+From 557d5e9fecff500b010a9be44dda1ae000f45039 Mon Sep 17 00:00:00 2001
+From: Matthias Greiner <magreiner@users.noreply.github.com>
+Date: Mon, 22 May 2017 03:11:25 +0200
+Subject: [PATCH] Allow bad MTU values with warning to be able to connect to
+ the machine. (#5954)
+
+Ensure the MTU value is valid. Emit a warning and ignore otherwise.
+
+(cherry picked from commit 955d99edc7991386a36e3d33924cc584931fde91)
+---
+ src/libsystemd-network/sd-dhcp-lease.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/libsystemd-network/sd-dhcp-lease.c b/src/libsystemd-network/sd-dhcp-lease.c
+index 7fed55c5fc..565ec4cbe4 100644
+--- a/src/libsystemd-network/sd-dhcp-lease.c
++++ b/src/libsystemd-network/sd-dhcp-lease.c
+@@ -594,6 +594,11 @@ int dhcp_lease_parse_options(uint8_t code, uint8_t len, const void *option, void
+                 r = lease_parse_u16(option, len, &lease->mtu, 68);
+                 if (r < 0)
+                         log_debug_errno(r, "Failed to parse MTU, ignoring: %m");
++                if (lease->mtu < DHCP_DEFAULT_MIN_SIZE) {
++                        log_warning("MTU value of %d too small. Using default MTU value of %d instead.", lease->mtu, DHCP_DEFAULT_MIN_SIZE);
++                        lease->mtu = DHCP_DEFAULT_MIN_SIZE;
++                }
++
+                 break;
+ 
+         case SD_DHCP_OPTION_DOMAIN_NAME:

0053-tree-wide-fix-incorrect-uses-of-m.patch

@@ -0,0 +1,123 @@
+From a530427e4eaf7ca69f223a86173ec37c282a34f9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Sat, 13 May 2017 11:24:37 -0400
+Subject: [PATCH] tree-wide: fix incorrect uses of %m
+
+In those cases errno was not set, so we would be logging some unrelated error
+or "Success".
+
+(cherry picked from commit 35bca925f9bf78df3f64e321ab4830936fcef662)
+---
+ src/import/import-raw.c                  | 4 ++--
+ src/import/import-tar.c                  | 4 ++--
+ src/libsystemd/sd-bus/test-bus-objects.c | 2 --
+ src/nspawn/nspawn.c                      | 2 +-
+ src/stdio-bridge/stdio-bridge.c          | 4 ++--
+ src/test/test-loopback.c                 | 2 +-
+ 6 files changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/src/import/import-raw.c b/src/import/import-raw.c
+index 808eae38f8..55cf8e8edd 100644
+--- a/src/import/import-raw.c
++++ b/src/import/import-raw.c
+@@ -355,7 +355,7 @@ static int raw_import_process(RawImport *i) {
+         }
+         if (l == 0) {
+                 if (i->compress.type == IMPORT_COMPRESS_UNKNOWN) {
+-                        log_error("Premature end of file: %m");
++                        log_error("Premature end of file.");
+                         r = -EIO;
+                         goto finish;
+                 }
+@@ -369,7 +369,7 @@ static int raw_import_process(RawImport *i) {
+         if (i->compress.type == IMPORT_COMPRESS_UNKNOWN) {
+                 r = import_uncompress_detect(&i->compress, i->buffer, i->buffer_size);
+                 if (r < 0) {
+-                        log_error("Failed to detect file compression: %m");
++                        log_error_errno(r, "Failed to detect file compression: %m");
+                         goto finish;
+                 }
+                 if (r == 0) /* Need more data */
+diff --git a/src/import/import-tar.c b/src/import/import-tar.c
+index 1c229ec82f..ba140bccbd 100644
+--- a/src/import/import-tar.c
++++ b/src/import/import-tar.c
+@@ -284,7 +284,7 @@ static int tar_import_process(TarImport *i) {
+         }
+         if (l == 0) {
+                 if (i->compress.type == IMPORT_COMPRESS_UNKNOWN) {
+-                        log_error("Premature end of file: %m");
++                        log_error("Premature end of file.");
+                         r = -EIO;
+                         goto finish;
+                 }
+@@ -298,7 +298,7 @@ static int tar_import_process(TarImport *i) {
+         if (i->compress.type == IMPORT_COMPRESS_UNKNOWN) {
+                 r = import_uncompress_detect(&i->compress, i->buffer, i->buffer_size);
+                 if (r < 0) {
+-                        log_error("Failed to detect file compression: %m");
++                        log_error_errno(r, "Failed to detect file compression: %m");
+                         goto finish;
+                 }
+                 if (r == 0) /* Need more data */
+diff --git a/src/libsystemd/sd-bus/test-bus-objects.c b/src/libsystemd/sd-bus/test-bus-objects.c
+index 233a21a523..0b33ab7a3a 100644
+--- a/src/libsystemd/sd-bus/test-bus-objects.c
++++ b/src/libsystemd/sd-bus/test-bus-objects.c
+@@ -525,8 +525,6 @@ int main(int argc, char *argv[]) {
+         void *p;
+         int r, q;
+ 
+-        zero(c);
+-
+         c.automatic_integer_property = 4711;
+         assert_se(c.automatic_string_property = strdup("dudeldu"));
+ 
+diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
+index 1fc0501c2e..236c0f3149 100644
+--- a/src/nspawn/nspawn.c
++++ b/src/nspawn/nspawn.c
+@@ -2012,7 +2012,7 @@ static int determine_names(void) {
+                         if (r < 0)
+                                 return log_error_errno(r, "Failed to find image for machine '%s': %m", arg_machine);
+                         if (r == 0) {
+-                                log_error("No image for machine '%s': %m", arg_machine);
++                                log_error("No image for machine '%s'.", arg_machine);
+                                 return -ENOENT;
+                         }
+ 
+diff --git a/src/stdio-bridge/stdio-bridge.c b/src/stdio-bridge/stdio-bridge.c
+index ce8efce3d5..02ba5269dd 100644
+--- a/src/stdio-bridge/stdio-bridge.c
++++ b/src/stdio-bridge/stdio-bridge.c
+@@ -115,7 +115,7 @@ int main(int argc, char *argv[]) {
+                 in_fd = SD_LISTEN_FDS_START;
+                 out_fd = SD_LISTEN_FDS_START;
+         } else {
+-                log_error("Illegal number of file descriptors passed\n");
++                log_error("Illegal number of file descriptors passed.");
+                 goto finish;
+         }
+ 
+@@ -190,7 +190,7 @@ int main(int argc, char *argv[]) {
+         }
+ 
+         for (;;) {
+-                _cleanup_(sd_bus_message_unrefp)sd_bus_message *m = NULL;
++                _cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL;
+                 int events_a, events_b, fd;
+                 uint64_t timeout_a, timeout_b, t;
+                 struct timespec _ts, *ts;
+diff --git a/src/test/test-loopback.c b/src/test/test-loopback.c
+index 7b67337331..8ebd0e0e01 100644
+--- a/src/test/test-loopback.c
++++ b/src/test/test-loopback.c
+@@ -31,7 +31,7 @@ int main(int argc, char* argv[]) {
+ 
+         r = loopback_setup();
+         if (r < 0)
+-                log_error("loopback: %m");
++                log_error_errno(r, "loopback: %m");
+ 
+         return r >= 0 ? EXIT_SUCCESS : EXIT_FAILURE;
+ }

0054-sd-dhcp-library-code-shouldn-t-log-above-LOG_DEBUG-6.patch

@@ -0,0 +1,29 @@
+From b2d91572a13de1cf5bdf78c3926b50cacc8a5dd3 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Mon, 22 May 2017 14:38:01 +0200
+Subject: [PATCH] sd-dhcp: library code shouldn't log above LOG_DEBUG (#6001)
+
+Let's downgrade the warning introduced by
+955d99edc7991386a36e3d33924cc584931fde91 to debug, as we really
+shouldn't log at more than debug level from library code.
+
+(And while we are at it, print the MTU as the right (unsigned) type in
+the format string.)
+(cherry picked from commit 4dd53da97daf3f064149380b6ca9e53273d77d88)
+---
+ src/libsystemd-network/sd-dhcp-lease.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libsystemd-network/sd-dhcp-lease.c b/src/libsystemd-network/sd-dhcp-lease.c
+index 565ec4cbe4..13dc6e4386 100644
+--- a/src/libsystemd-network/sd-dhcp-lease.c
++++ b/src/libsystemd-network/sd-dhcp-lease.c
+@@ -595,7 +595,7 @@ int dhcp_lease_parse_options(uint8_t code, uint8_t len, const void *option, void
+                 if (r < 0)
+                         log_debug_errno(r, "Failed to parse MTU, ignoring: %m");
+                 if (lease->mtu < DHCP_DEFAULT_MIN_SIZE) {
+-                        log_warning("MTU value of %d too small. Using default MTU value of %d instead.", lease->mtu, DHCP_DEFAULT_MIN_SIZE);
++                        log_debug("MTU value of %" PRIu16 " too small. Using default MTU value of %d instead.", lease->mtu, DHCP_DEFAULT_MIN_SIZE);
+                         lease->mtu = DHCP_DEFAULT_MIN_SIZE;
+                 }
+ 

0055-networkd-link-Receive-LLDP-on-Bridge-slaves-not-mast.patch

@@ -0,0 +1,34 @@
+From 3aeb9ea17c3f3d84077c3bb2367835d96fd57432 Mon Sep 17 00:00:00 2001
+From: sjoerd-ccu <sjoerd.simons@collabora.co.uk>
+Date: Tue, 23 May 2017 09:10:59 +0200
+Subject: [PATCH] networkd-link: Receive LLDP on Bridge slaves not master
+ (#5995)
+
+LLDP should be received on bridge slaves as they're the entities
+directly connected to a peer. Receiving LLDP on the bridge device makes
+little sense, Linux by default even filters out LLDP going onto the
+bridge device.
+
+Flip the current logic, receive LLDP on bridge slaves don't listen for
+them on the bridge itself.
+(cherry picked from commit 764febc23ee9a22fa64981adb0be901f964df93d)
+---
+ src/network/networkd-link.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
+index c37bc7f602..b1282931f3 100644
+--- a/src/network/networkd-link.c
++++ b/src/network/networkd-link.c
+@@ -131,7 +131,10 @@ static bool link_lldp_rx_enabled(Link *link) {
+         if (!link->network)
+                 return false;
+ 
+-        if (link->network->bridge)
++        /* LLDP should be handled on bridge slaves as those have a direct
++         * connection to their peers not on the bridge master. Linux doesn't
++         * even (by default) forward lldp packets to the bridge master.*/
++        if (streq_ptr("bridge", link->kind))
+                 return false;
+ 
+         return link->network->lldp_mode != LLDP_MODE_NO;

0056-nspawn-add-nosuid-and-nodev-to-tmp-mount-6004.patch

@@ -0,0 +1,30 @@
+From 2d148f574c5c1e8bf7bf7da964e0f063395d42c8 Mon Sep 17 00:00:00 2001
+From: tomty89 <tom.ty89@gmail.com>
+Date: Tue, 23 May 2017 15:41:36 +0800
+Subject: [PATCH] nspawn: add nosuid and nodev to /tmp mount (#6004)
+
+When automatic /tmp mount was introduced to nspawn in v219, it was done without having the nosuid and nodev mount options, which was the same case as systemd's default tmp.mount unit back then.
+
+nosuid and nodev was added to tmp.mount(.m4) in v231 for security reasons. matching the nspawn /tmp mount entry against that.
+
+Ref.:
+https://github.com/systemd/systemd/commit/2f9df7c96a25adb42093ee3ee201577f3e01da42
+https://github.com/systemd/systemd/commit/bbb99c30d01a8bcdc27fb151cc6376a7877a6b07
+(cherry picked from commit e8a94ce83ebc5e5fa0dd312d8340d589506528f9)
+---
+ src/nspawn/nspawn-mount.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c
+index d276994120..ac7290732e 100644
+--- a/src/nspawn/nspawn-mount.c
++++ b/src/nspawn/nspawn-mount.c
+@@ -552,7 +552,7 @@ int mount_all(const char *dest,
+                 { NULL,                  "/proc/sysrq-trigger", NULL,    NULL,        MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT,             MOUNT_IN_USERNS|MOUNT_APPLY_APIVFS_RO },                          /* ... then, make it r/o */
+ 
+                 /* outer child mounts */
+-                { "tmpfs",               "/tmp",                "tmpfs", "mode=1777", MS_STRICTATIME,                                            MOUNT_FATAL },
++                { "tmpfs",               "/tmp",                "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,                                            MOUNT_FATAL },
+                 { "tmpfs",               "/sys",                "tmpfs", "mode=755",  MS_NOSUID|MS_NOEXEC|MS_NODEV,                              MOUNT_FATAL|MOUNT_APPLY_APIVFS_NETNS },
+                 { "sysfs",               "/sys",                "sysfs", NULL,        MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV,                    MOUNT_FATAL|MOUNT_APPLY_APIVFS_RO },    /* skipped if above was mounted */
+                 { "sysfs",               "/sys",                "sysfs", NULL,                  MS_NOSUID|MS_NOEXEC|MS_NODEV,                    MOUNT_FATAL },                          /* skipped if above was mounted */

0057-Allow-TimeoutSec-0-to-work-as-documented-in-mount-un.patch

@@ -0,0 +1,81 @@
+From a28e8d4e77d1bbca7f0b13c6a2eebc4883ba1123 Mon Sep 17 00:00:00 2001
+From: NeilBrown <neil@brown.name>
+Date: Tue, 23 May 2017 17:42:26 +1000
+Subject: [PATCH] Allow TimeoutSec=0 to work as documented in mount units and
+ elsewhere (#6013)
+
+Since commit 36c16a7cdd6c ("core: rework unit timeout handling, and add
+new setting RuntimeMaxSec=") TimeoutSec=0 in mount units has
+cause the mount to timeout immediately instead of never as documented.
+
+There is a similar problem with Socket.TimeoutSec and Swap.TimeoutSec.
+
+These are easily fixed using config_parse_sec_fix_0().
+
+Automount.TimeoutIdleSec looks like it could have the same problem,
+but doesn't because the kernel treats '0' as 'no timeout'.
+It handle USEC_INFINITY correctly only because that constant has
+the value '-1', and when round up, it becomes zero.
+To avoid possible confusion, use config_parse_sec_fix_0() as well, and
+explicitly handle USEC_INFINITY.
+(cherry picked from commit 2d79a0bbb9f651656384a0a86ed814e6306fb5dd)
+---
+ src/core/automount.c                  | 7 +++++--
+ src/core/load-fragment-gperf.gperf.m4 | 8 ++++----
+ 2 files changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/src/core/automount.c b/src/core/automount.c
+index 99e8047620..ccc113b598 100644
+--- a/src/core/automount.c
++++ b/src/core/automount.c
+@@ -415,8 +415,11 @@ static int autofs_set_timeout(int dev_autofs_fd, int ioctl_fd, usec_t usec) {
+         init_autofs_dev_ioctl(&param);
+         param.ioctlfd = ioctl_fd;
+ 
+-        /* Convert to seconds, rounding up. */
+-        param.timeout.timeout = (usec + USEC_PER_SEC - 1) / USEC_PER_SEC;
++        if (usec == USEC_INFINITY)
++                param.timeout.timeout = 0;
++        else
++                /* Convert to seconds, rounding up. */
++                param.timeout.timeout = (usec + USEC_PER_SEC - 1) / USEC_PER_SEC;
+ 
+         if (ioctl(dev_autofs_fd, AUTOFS_DEV_IOCTL_TIMEOUT, &param) < 0)
+                 return -errno;
+diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4
+index cb9e6fea27..3f7cbaa0d0 100644
+--- a/src/core/load-fragment-gperf.gperf.m4
++++ b/src/core/load-fragment-gperf.gperf.m4
+@@ -298,7 +298,7 @@ Socket.ExecStartPre,             config_parse_exec,                  SOCKET_EXEC
+ Socket.ExecStartPost,            config_parse_exec,                  SOCKET_EXEC_START_POST,        offsetof(Socket, exec_command)
+ Socket.ExecStopPre,              config_parse_exec,                  SOCKET_EXEC_STOP_PRE,          offsetof(Socket, exec_command)
+ Socket.ExecStopPost,             config_parse_exec,                  SOCKET_EXEC_STOP_POST,         offsetof(Socket, exec_command)
+-Socket.TimeoutSec,               config_parse_sec,                   0,                             offsetof(Socket, timeout_usec)
++Socket.TimeoutSec,               config_parse_sec_fix_0,             0,                             offsetof(Socket, timeout_usec)
+ Socket.SocketUser,               config_parse_user_group,            0,                             offsetof(Socket, user)
+ Socket.SocketGroup,              config_parse_user_group,            0,                             offsetof(Socket, group)
+ Socket.SocketMode,               config_parse_mode,                  0,                             offsetof(Socket, socket_mode)
+@@ -362,7 +362,7 @@ Mount.What,                      config_parse_unit_string_printf,    0,
+ Mount.Where,                     config_parse_path,                  0,                             offsetof(Mount, where)
+ Mount.Options,                   config_parse_unit_string_printf,    0,                             offsetof(Mount, parameters_fragment.options)
+ Mount.Type,                      config_parse_string,                0,                             offsetof(Mount, parameters_fragment.fstype)
+-Mount.TimeoutSec,                config_parse_sec,                   0,                             offsetof(Mount, timeout_usec)
++Mount.TimeoutSec,                config_parse_sec_fix_0,             0,                             offsetof(Mount, timeout_usec)
+ Mount.DirectoryMode,             config_parse_mode,                  0,                             offsetof(Mount, directory_mode)
+ Mount.SloppyOptions,             config_parse_bool,                  0,                             offsetof(Mount, sloppy_options)
+ Mount.LazyUnmount,               config_parse_bool,                  0,                             offsetof(Mount, lazy_unmount)
+@@ -373,12 +373,12 @@ KILL_CONTEXT_CONFIG_ITEMS(Mount)m4_dnl
+ m4_dnl
+ Automount.Where,                 config_parse_path,                  0,                             offsetof(Automount, where)
+ Automount.DirectoryMode,         config_parse_mode,                  0,                             offsetof(Automount, directory_mode)
+-Automount.TimeoutIdleSec,        config_parse_sec,                   0,                             offsetof(Automount, timeout_idle_usec)
++Automount.TimeoutIdleSec,        config_parse_sec_fix_0,             0,                             offsetof(Automount, timeout_idle_usec)
+ m4_dnl
+ Swap.What,                       config_parse_path,                  0,                             offsetof(Swap, parameters_fragment.what)
+ Swap.Priority,                   config_parse_int,                   0,                             offsetof(Swap, parameters_fragment.priority)
+ Swap.Options,                    config_parse_unit_string_printf,    0,                             offsetof(Swap, parameters_fragment.options)
+-Swap.TimeoutSec,                 config_parse_sec,                   0,                             offsetof(Swap, timeout_usec)
++Swap.TimeoutSec,                 config_parse_sec_fix_0,             0,                             offsetof(Swap, timeout_usec)
+ EXEC_CONTEXT_CONFIG_ITEMS(Swap)m4_dnl
+ CGROUP_CONTEXT_CONFIG_ITEMS(Swap)m4_dnl
+ KILL_CONTEXT_CONFIG_ITEMS(Swap)m4_dnl

0058-resolved-bugfix-of-null-pointer-p-question-dereferen.patch

@@ -0,0 +1,26 @@
+From cb58341c27c8a28f43245e2846360226a0605b14 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Wed, 24 May 2017 08:56:48 +0300
+Subject: [PATCH] resolved: bugfix of null pointer p->question dereferencing
+ (#6020)
+
+See https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1621396
+(cherry picked from commit a924f43f30f9c4acaf70618dd2a055f8b0f166be)
+---
+ src/resolve/resolved-dns-packet.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c
+index 652970284e..240ee448f4 100644
+--- a/src/resolve/resolved-dns-packet.c
++++ b/src/resolve/resolved-dns-packet.c
+@@ -2269,6 +2269,9 @@ int dns_packet_is_reply_for(DnsPacket *p, const DnsResourceKey *key) {
+         if (r < 0)
+                 return r;
+ 
++        if (!p->question)
++                return 0;
++
+         if (p->question->n_keys != 1)
+                 return 0;
+ 

0059-DHCP-Fail-link_dhcp_set_routes-promotely-if-no-addre.patch

@@ -0,0 +1,45 @@
+From 57497d1f0367e4418c7c5e419ba0f911ad840ce9 Mon Sep 17 00:00:00 2001
+From: Daniel Wang <wonderfly@users.noreply.github.com>
+Date: Wed, 24 May 2017 05:05:49 -0700
+Subject: [PATCH] DHCP: Fail link_dhcp_set_routes promotely if no address is
+ assigned from lease (#6009)
+
+Currently the local variable `address` is unintialized if the DHCP lease
+doesn't provide a router address (when r == -ENODATA). Thus the
+subsequent call to route_scope_from_address will result in accessing an
+unintialized variable.
+
+As a matter of fact, sd-dhcp-client ignores DHCP leases without an
+address so link_dhcp_set_routes probably will never be called without a
+valid address.
+(cherry picked from commit b23aec0d6b98bc99998786506a8769e1a1ea1841)
+---
+ src/network/networkd-dhcp4.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/network/networkd-dhcp4.c b/src/network/networkd-dhcp4.c
+index ae0f78daab..9229b5753c 100644
+--- a/src/network/networkd-dhcp4.c
++++ b/src/network/networkd-dhcp4.c
+@@ -77,6 +77,10 @@ static int link_set_dhcp_routes(Link *link) {
+         if (!link->network->dhcp_use_routes)
+                 return 0;
+ 
++        r = sd_dhcp_lease_get_address(link->dhcp_lease, &address);
++        if (r < 0)
++                return log_link_warning_errno(link, r, "DHCP error: could not get address: %m");
++
+         r = sd_dhcp_lease_get_router(link->dhcp_lease, &gateway);
+         if (r < 0 && r != -ENODATA)
+                 return log_link_warning_errno(link, r, "DHCP error: could not get gateway: %m");
+@@ -85,10 +89,6 @@ static int link_set_dhcp_routes(Link *link) {
+                 _cleanup_route_free_ Route *route = NULL;
+                 _cleanup_route_free_ Route *route_gw = NULL;
+ 
+-                r = sd_dhcp_lease_get_address(link->dhcp_lease, &address);
+-                if (r < 0)
+-                        return log_link_warning_errno(link, r, "DHCP error: could not get address: %m");
+-
+                 r = route_new(&route);
+                 if (r < 0)
+                         return log_link_error_errno(link, r, "Could not allocate route: %m");

0060-timesyncd-don-t-use-compiled-in-list-if-FallbackNTP-.patch

@@ -0,0 +1,97 @@
+From fff58beb5618e6cabdf716418de7e5976ed8d87f Mon Sep 17 00:00:00 2001
+From: Michael Biebl <biebl@debian.org>
+Date: Sun, 21 May 2017 03:22:43 +0200
+Subject: [PATCH] timesyncd: don't use compiled-in list if FallbackNTP has been
+ configured explicitly
+
+Parse the config files first and only apply the compiled-in list of
+fallback servers if no NTP server was configured via FallbackNTP.
+
+Closes: #5091
+(cherry picked from commit 3745770ae4dcf262707882a38f6c5ba2684329a3)
+---
+ src/timesync/timesyncd-conf.c    | 10 ++++++++++
+ src/timesync/timesyncd-conf.h    |  1 +
+ src/timesync/timesyncd-manager.c |  4 ----
+ src/timesync/timesyncd-manager.h |  2 ++
+ src/timesync/timesyncd.c         |  2 ++
+ 5 files changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/src/timesync/timesyncd-conf.c b/src/timesync/timesyncd-conf.c
+index bf25b112e1..b4a4f19976 100644
+--- a/src/timesync/timesyncd-conf.c
++++ b/src/timesync/timesyncd-conf.c
+@@ -34,6 +34,9 @@ int manager_parse_server_string(Manager *m, ServerType type, const char *string)
+ 
+         first = type == SERVER_FALLBACK ? m->fallback_servers : m->system_servers;
+ 
++        if (type == SERVER_FALLBACK)
++                 m->have_fallbacks = true;
++
+         for (;;) {
+                 _cleanup_free_ char *word = NULL;
+                 bool found = false;
+@@ -63,6 +66,13 @@ int manager_parse_server_string(Manager *m, ServerType type, const char *string)
+         return 0;
+ }
+ 
++int manager_parse_fallback_string(Manager *m, const char *string) {
++        if (m->have_fallbacks)
++                return 0;
++
++        return manager_parse_server_string(m, SERVER_FALLBACK, string);
++}
++
+ int config_parse_servers(
+                 const char *unit,
+                 const char *filename,
+diff --git a/src/timesync/timesyncd-conf.h b/src/timesync/timesyncd-conf.h
+index 0280697e9c..0c4b44e707 100644
+--- a/src/timesync/timesyncd-conf.h
++++ b/src/timesync/timesyncd-conf.h
+@@ -29,3 +29,4 @@ int manager_parse_server_string(Manager *m, ServerType type, const char *string)
+ int config_parse_servers(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
+ 
+ int manager_parse_config_file(Manager *m);
++int manager_parse_fallback_string(Manager *m, const char *string);
+diff --git a/src/timesync/timesyncd-manager.c b/src/timesync/timesyncd-manager.c
+index ae8514550a..a24c821bdc 100644
+--- a/src/timesync/timesyncd-manager.c
++++ b/src/timesync/timesyncd-manager.c
+@@ -1124,10 +1124,6 @@ int manager_new(Manager **ret) {
+ 
+         RATELIMIT_INIT(m->ratelimit, RATELIMIT_INTERVAL_USEC, RATELIMIT_BURST);
+ 
+-        r = manager_parse_server_string(m, SERVER_FALLBACK, NTP_SERVERS);
+-        if (r < 0)
+-                return r;
+-
+         r = sd_event_default(&m->event);
+         if (r < 0)
+                 return r;
+diff --git a/src/timesync/timesyncd-manager.h b/src/timesync/timesyncd-manager.h
+index efe3e60d3e..cf681f6098 100644
+--- a/src/timesync/timesyncd-manager.h
++++ b/src/timesync/timesyncd-manager.h
+@@ -38,6 +38,8 @@ struct Manager {
+         LIST_HEAD(ServerName, link_servers);
+         LIST_HEAD(ServerName, fallback_servers);
+ 
++        bool have_fallbacks:1;
++
+         RateLimit ratelimit;
+         bool exhausted_servers;
+ 
+diff --git a/src/timesync/timesyncd.c b/src/timesync/timesyncd.c
+index b67d672a6a..052329f61e 100644
+--- a/src/timesync/timesyncd.c
++++ b/src/timesync/timesyncd.c
+@@ -132,6 +132,8 @@ int main(int argc, char *argv[]) {
+         if (r < 0)
+                 log_warning_errno(r, "Failed to parse configuration file: %m");
+ 
++        assert_se(manager_parse_fallback_string(m, NTP_SERVERS) >= 0);
++
+         log_debug("systemd-timesyncd running as pid " PID_FMT, getpid());
+         sd_notify(false,
+                   "READY=1\n"

0061-timesyncd-properly-handle-OOM-errors-when-parsing-fa.patch

@@ -0,0 +1,28 @@
+From d7215ee47b09ca190b2eadfe3af71f810cd94418 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Tue, 30 May 2017 14:49:35 +0200
+Subject: [PATCH] timesyncd: properly handle OOM errors when parsing fallback
+ servers (#6047)
+
+(cherry picked from commit c4c069121cbd5f882ef2e7effba5cdd3673c0a1f)
+---
+ src/timesync/timesyncd.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/timesync/timesyncd.c b/src/timesync/timesyncd.c
+index 052329f61e..ff90f04070 100644
+--- a/src/timesync/timesyncd.c
++++ b/src/timesync/timesyncd.c
+@@ -132,7 +132,11 @@ int main(int argc, char *argv[]) {
+         if (r < 0)
+                 log_warning_errno(r, "Failed to parse configuration file: %m");
+ 
+-        assert_se(manager_parse_fallback_string(m, NTP_SERVERS) >= 0);
++        r = manager_parse_fallback_string(m, NTP_SERVERS);
++        if (r < 0) {
++                log_error_errno(r, "Failed to parse fallback server strings: %m");
++                goto finish;
++        }
+ 
+         log_debug("systemd-timesyncd running as pid " PID_FMT, getpid());
+         sd_notify(false,

0062-rules-Handle-MMC-boot-partitions-by-path-correctly-6.patch

@@ -0,0 +1,44 @@
+From 3d1922335f63c10b50527f210c05e039a51f69de Mon Sep 17 00:00:00 2001
+From: George McCollister <george.mccollister@gmail.com>
+Date: Thu, 25 May 2017 21:13:50 -0500
+Subject: [PATCH] rules: Handle MMC boot partitions by-path correctly (#6026)
+
+Many eMMC devices have separate boot partitions that aren't part of the
+normal partition table that show up as /dev/mmcblk[0-9]boot[0-9]. These
+partitions are generally small (128KB to 16MB) and typically hold a boot
+loader, boot loader data or a recovery image. Match these and create
+-boot%n by-path symlinks.
+
+Prior to this change by-path symlinks for the main device would be
+incorrectly linked to one of the boot partitions.
+
+For instance before:
+/dev/disk/by-path/platform-219c000.usdhc linked to /dev/mmcblk1boot1
+
+Now:
+/dev/disk/by-path/platform-219c000.usdhc links to /dev/mmcblk1
+/dev/disk/by-path/platform-219c000.usdhc-boot0 links to /dev/mmcblk1boot0
+/dev/disk/by-path/platform-219c000.usdhc-boot1 links to /dev/mmcblk1boot1
+
+On systems that support multiple SD/MMC devices it can be essential to
+have by-path links to these devices since device names vary depending on
+which other devices are connected.
+(cherry picked from commit 4e3f07029ad7b86773ce85db422bbce95ac578cf)
+---
+ rules/60-persistent-storage.rules | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/rules/60-persistent-storage.rules b/rules/60-persistent-storage.rules
+index 9817e9c64b..d2745f65f4 100644
+--- a/rules/60-persistent-storage.rules
++++ b/rules/60-persistent-storage.rules
+@@ -64,7 +64,8 @@ KERNEL=="msblk[0-9]p[0-9]|mspblk[0-9]p[0-9]", ENV{ID_NAME}=="?*", ENV{ID_SERIAL}
+ 
+ # by-path
+ ENV{DEVTYPE}=="disk", DEVPATH!="*/virtual/*", IMPORT{builtin}="path_id"
+-ENV{DEVTYPE}=="disk", ENV{ID_PATH}=="?*", SYMLINK+="disk/by-path/$env{ID_PATH}"
++KERNEL=="mmcblk[0-9]boot[0-9]", ENV{DEVTYPE}=="disk", ENV{ID_PATH}=="?*", SYMLINK+="disk/by-path/$env{ID_PATH}-boot%n"
++KERNEL!="mmcblk[0-9]boot[0-9]", ENV{DEVTYPE}=="disk", ENV{ID_PATH}=="?*", SYMLINK+="disk/by-path/$env{ID_PATH}"
+ ENV{DEVTYPE}=="partition", ENV{ID_PATH}=="?*", SYMLINK+="disk/by-path/$env{ID_PATH}-part%n"
+ 
+ # legacy virtio-pci by-path links (deprecated)

0063-vconsole-setup-add-more-log-messages.patch

@@ -0,0 +1,63 @@
+From 3d3190669482604d552250259654573c6fb01deb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 24 May 2017 23:25:10 -0400
+Subject: [PATCH] vconsole-setup: add more log messages
+
+This makes it quite a bit easier to see what failed.
+
+strv_join is called inline in log_debug so that it is under the conditional
+that kills the whole thing if debugging is disabled.
+
+(cherry picked from commit 3d62378088593a7868d58b840ef5ca25dd357339)
+---
+ src/vconsole/vconsole-setup.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/vconsole/vconsole-setup.c b/src/vconsole/vconsole-setup.c
+index a0ab5990fc..2401077be5 100644
+--- a/src/vconsole/vconsole-setup.c
++++ b/src/vconsole/vconsole-setup.c
+@@ -41,6 +41,7 @@
+ #include "signal-util.h"
+ #include "stdio-util.h"
+ #include "string-util.h"
++#include "strv.h"
+ #include "terminal-util.h"
+ #include "util.h"
+ #include "virt.h"
+@@ -124,6 +125,7 @@ static int toggle_utf8_sysfs(bool utf8) {
+ }
+ 
+ static int keyboard_load_and_wait(const char *vc, const char *map, const char *map_toggle, bool utf8) {
++        _cleanup_free_ char *cmd = NULL;
+         const char *args[8];
+         int i = 0;
+         pid_t pid;
+@@ -143,6 +145,9 @@ static int keyboard_load_and_wait(const char *vc, const char *map, const char *m
+                 args[i++] = map_toggle;
+         args[i++] = NULL;
+ 
++        log_debug("Executing \"%s\"...",
++                  strnull((cmd = strv_join((char**) args, " "))));
++
+         pid = fork();
+         if (pid < 0)
+                 return log_error_errno(errno, "Failed to fork: %m");
+@@ -159,6 +164,7 @@ static int keyboard_load_and_wait(const char *vc, const char *map, const char *m
+ }
+ 
+ static int font_load_and_wait(const char *vc, const char *font, const char *map, const char *unimap) {
++        _cleanup_free_ char *cmd = NULL;
+         const char *args[9];
+         int i = 0;
+         pid_t pid;
+@@ -182,6 +188,9 @@ static int font_load_and_wait(const char *vc, const char *font, const char *map,
+                 args[i++] = font;
+         args[i++] = NULL;
+ 
++        log_debug("Executing \"%s\"...",
++                  strnull((cmd = strv_join((char**) args, " "))));
++
+         pid = fork();
+         if (pid < 0)
+                 return log_error_errno(errno, "Failed to fork: %m");

0064-vconsole-setup-skip-setting-fonts-when-setfont-retur.patch

@@ -0,0 +1,115 @@
+From d80b4dbf2c0d91ad54c2c0a0296096293ed59b39 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 24 May 2017 23:25:44 -0400
+Subject: [PATCH] vconsole-setup: skip setting fonts when setfont returns
+ EX_OSERR
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+On a machine without a VGA console, /dev/tty{0,1,…} exist, so
+systemd-vconsole-setup is started, but all setfont operations fail.
+
+setfont has a bunch of return codes for different failure modes. It uses
+EX_OSERR when the communication with the kernel using ioctls fails. This isn't
+too specific, but at least it's only used this general class of errors. Let's
+swallow the error in this case to avoid systemd-vconsole-setup.service failing
+on cloud vms.
+
+On a machine from https://bugzilla.redhat.com/show_bug.cgi?id=1272686#c4:
+$ build/systemd-vconsole-setup
+setfont: putfont: 512,8x16:  failed: -1
+putfont: PIO_FONT: Invalid argument
+/usr/bin/setfont failed with error code 71.
+Setting fonts failed with a "system error", ignoring.
+
+$ SYSTEMD_LOG_LEVEL=debug build/systemd-vconsole-setup
+Found container virtualization none.
+Sysfs UTF-8 flag enabled
+UTF-8 kbdmode enabled on /dev/tty0
+Executing "/usr/bin/setfont -C /dev/tty0 eurlatgr"...
+setfont: putfont: 512,8x16:  failed: -1
+putfont: PIO_FONT: Invalid argument
+/usr/bin/setfont failed with error code 71.
+Executing "/usr/bin/loadkeys -q -C /dev/tty0 -u us"...
+/usr/bin/loadkeys succeeded.
+Setting fonts failed with a "system error", ignoring.
+
+$ lspci | grep -i vga
+
+$ ls /dev/tty?
+/dev/tty0  /dev/tty2  /dev/tty4  /dev/tty6  /dev/tty8
+/dev/tty1  /dev/tty3  /dev/tty5  /dev/tty7  /dev/tty9
+
+If we have a better test for /dev/tty? being connected to something that has a
+font, we could avoid running setfont at all… ATM, I'm not aware of a simple
+test like that.
+
+(cherry picked from commit 93c9a9d235e2304500c490b4868534385f925c76)
+---
+ src/vconsole/vconsole-setup.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/src/vconsole/vconsole-setup.c b/src/vconsole/vconsole-setup.c
+index 2401077be5..dc63bb530c 100644
+--- a/src/vconsole/vconsole-setup.c
++++ b/src/vconsole/vconsole-setup.c
+@@ -28,6 +28,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <sys/ioctl.h>
++#include <sysexits.h>
+ #include <termios.h>
+ #include <unistd.h>
+ 
+@@ -336,8 +337,8 @@ int main(int argc, char **argv) {
+                 *vc_keymap = NULL, *vc_keymap_toggle = NULL,
+                 *vc_font = NULL, *vc_font_map = NULL, *vc_font_unimap = NULL;
+         _cleanup_close_ int fd = -1;
+-        bool utf8, font_copy = false, font_ok, keyboard_ok;
+-        int r = EXIT_FAILURE;
++        bool utf8, font_copy = false, keyboard_ok;
++        int r;
+ 
+         log_set_target(LOG_TARGET_AUTO);
+         log_parse_environment();
+@@ -382,7 +383,6 @@ int main(int argc, char **argv) {
+                            "FONT_MAP", &vc_font_map,
+                            "FONT_UNIMAP", &vc_font_unimap,
+                            NULL);
+-
+         if (r < 0 && r != -ENOENT)
+                 log_warning_errno(r, "Failed to read /etc/vconsole.conf: %m");
+ 
+@@ -399,22 +399,27 @@ int main(int argc, char **argv) {
+                                    "vconsole.font.map", &vc_font_map,
+                                    "vconsole.font.unimap", &vc_font_unimap,
+                                    NULL);
+-
+                 if (r < 0 && r != -ENOENT)
+                         log_warning_errno(r, "Failed to read /proc/cmdline: %m");
+         }
+ 
+         toggle_utf8_sysfs(utf8);
+         toggle_utf8(vc, fd, utf8);
+-        font_ok = font_load_and_wait(vc, vc_font, vc_font_map, vc_font_unimap) == 0;
++
++        r = font_load_and_wait(vc, vc_font, vc_font_map, vc_font_unimap);
+         keyboard_ok = keyboard_load_and_wait(vc, vc_keymap, vc_keymap_toggle, utf8) == 0;
+ 
+         if (font_copy) {
+-                if (font_ok)
++                if (r == 0)
+                         setup_remaining_vcs(fd, utf8);
++                else if (r == EX_OSERR)
++                        /* setfont returns EX_OSERR when ioctl(KDFONTOP/PIO_FONTX/PIO_FONTX) fails.
++                         * This might mean various things, but in particular lack of a graphical
++                         * console. Let's be generous and not treat this as an error. */
++                        log_notice("Setting fonts failed with a \"system error\", ignoring.");
+                 else
+                         log_warning("Setting source virtual console failed, ignoring remaining ones");
+         }
+ 
+-        return font_ok && keyboard_ok ? EXIT_SUCCESS : EXIT_FAILURE;
++        return IN_SET(r, 0, EX_OSERR) && keyboard_ok ? EXIT_SUCCESS : EXIT_FAILURE;
+ }

0065-shell-completion-add-systemctl-revert-6042.patch

@@ -0,0 +1,49 @@
+From 16f48ba5c9c432bc9daa215ceadbe739be1a1928 Mon Sep 17 00:00:00 2001
+From: Lucas Werkmeister <mail@lucaswerkmeister.de>
+Date: Mon, 29 May 2017 15:01:01 +0200
+Subject: [PATCH] shell-completion: add systemctl revert (#6042)
+
+The `systemctl revert` command was added in v230 (commit 344ca7556b),
+but was missing from the shell completion specifications.
+
+Fixes #5978.
+(cherry picked from commit 0f8158bd26ded859ffcca70c4750939800ea6c51)
+---
+ shell-completion/bash/systemctl.in | 2 +-
+ shell-completion/zsh/_systemctl.in | 3 ++-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/shell-completion/bash/systemctl.in b/shell-completion/bash/systemctl.in
+index e4ccad8799..3e553c1e6c 100644
+--- a/shell-completion/bash/systemctl.in
++++ b/shell-completion/bash/systemctl.in
+@@ -189,7 +189,7 @@ _systemctl () {
+         fi
+ 
+         local -A VERBS=(
+-                [ALL_UNITS]='is-active is-failed is-enabled status show cat mask preset help list-dependencies edit set-property'
++                [ALL_UNITS]='is-active is-failed is-enabled status show cat mask preset help list-dependencies edit set-property revert'
+             [ENABLED_UNITS]='disable'
+            [DISABLED_UNITS]='enable'
+         [REENABLABLE_UNITS]='reenable'
+diff --git a/shell-completion/zsh/_systemctl.in b/shell-completion/zsh/_systemctl.in
+index 92a56ba99a..7d3d47bef9 100644
+--- a/shell-completion/zsh/_systemctl.in
++++ b/shell-completion/zsh/_systemctl.in
+@@ -58,6 +58,7 @@
+     "kexec:Shut down and reboot the system with kexec"
+     "exit:Ask for user instance termination"
+     "switch-root:Change root directory"
++    "revert:Revert unit files to their vendor versions"
+   )
+ 
+   if (( CURRENT == 1 )); then
+@@ -157,7 +158,7 @@ _systemctl_unit_state() { typeset -gA _sys_unit_state; _sys_unit_state=( $(__sys
+ 
+ local fun
+ # Completion functions for ALL_UNITS
+-for fun in is-active is-failed is-enabled status show cat mask preset help list-dependencies edit ; do
++for fun in is-active is-failed is-enabled status show cat mask preset help list-dependencies edit revert ; do
+   (( $+functions[_systemctl_$fun] )) || _systemctl_$fun()
+   {
+     _systemctl_really_all_units

0066-rules-watch-metadata-changes-in-mmcblk-devices-6050.patch

@@ -0,0 +1,25 @@
+From d6bc07b87a56804a8bc063c16ee0106cdb86f72d Mon Sep 17 00:00:00 2001
+From: kjackiewicz <kjackiewicz@users.noreply.github.com>
+Date: Tue, 30 May 2017 15:19:03 +0200
+Subject: [PATCH] rules: watch metadata changes in mmcblk devices (#6050)
+
+Formatting sd-cards does not trigger "change" uevents. As a result clients
+using udev API don't get any updates afterwards and get outdated information
+about the device.
+
+Include mmcblk* in a match for watch option assignment.
+(cherry picked from commit e74d0a9a5cdd8562aeaab1994ebd9c4cd07e82c3)
+---
+ rules/60-block.rules | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rules/60-block.rules b/rules/60-block.rules
+index 42c75974a5..343fc06f85 100644
+--- a/rules/60-block.rules
++++ b/rules/60-block.rules
+@@ -8,4 +8,4 @@ ACTION=="add", SUBSYSTEM=="module", KERNEL=="block", ATTR{parameters/events_dfl_
+ ACTION=="change", SUBSYSTEM=="scsi", ENV{DEVTYPE}=="scsi_device", TEST=="block", ATTR{block/*/uevent}="change"
+ 
+ # watch metadata changes, caused by tools closing the device node which was opened for writing
+-ACTION!="remove", SUBSYSTEM=="block", KERNEL=="loop*|nvme*|sd*|vd*|xvd*|pmem*", OPTIONS+="watch"
++ACTION!="remove", SUBSYSTEM=="block", KERNEL=="loop*|nvme*|sd*|vd*|xvd*|pmem*|mmcblk*", OPTIONS+="watch"

0067-systemctl-avoid-spurious-warning-about-missing-reboo.patch

@@ -0,0 +1,49 @@
+From 59cf3f439d358163d895093bb8adfbe1db650131 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Tue, 30 May 2017 23:14:31 -0400
+Subject: [PATCH] systemctl: avoid spurious warning about missing reboot-param
+ file
+
+$ reboot -f
+Failed to read reboot parameter file: No such file or directory
+
+It seems that the warning on ENOENT was inadvertently introduced in
+27c06cb516c3b87c34f2a1c2c227152997d05c8c.
+
+The warning reported in #5646 comes from systemctl, but let's fix the other
+call site in the same way too.
+
+Fixes #5646.
+
+(cherry picked from commit 19fbf49cdec0e12fa0ee13d6ff6f858ea0f27479)
+---
+ src/core/shutdown.c       | 2 +-
+ src/systemctl/systemctl.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/shutdown.c b/src/core/shutdown.c
+index a2309b7726..a7d5e57936 100644
+--- a/src/core/shutdown.c
++++ b/src/core/shutdown.c
+@@ -403,7 +403,7 @@ int main(int argc, char *argv[]) {
+                         _cleanup_free_ char *param = NULL;
+ 
+                         r = read_one_line_file("/run/systemd/reboot-param", &param);
+-                        if (r < 0)
++                        if (r < 0 && r != -ENOENT)
+                                 log_warning_errno(r, "Failed to read reboot parameter file: %m");
+ 
+                         if (!isempty(param)) {
+diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c
+index cb9ca9ae1e..1a47cb564e 100644
+--- a/src/systemctl/systemctl.c
++++ b/src/systemctl/systemctl.c
+@@ -8260,7 +8260,7 @@ static int halt_now(enum action a) {
+                 _cleanup_free_ char *param = NULL;
+ 
+                 r = read_one_line_file("/run/systemd/reboot-param", &param);
+-                if (r < 0)
++                if (r < 0 && r != -ENOENT)
+                         log_warning_errno(r, "Failed to read reboot parameter file: %m");
+ 
+                 if (!isempty(param)) {

0068-man-don-t-say-that-ExecStart-syntax-is-very-shell.patch

@@ -0,0 +1,30 @@
+From d657efda431dc0bdac8a421336a6735daf6fc776 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Tue, 30 May 2017 16:31:51 -0400
+Subject: [PATCH] man: don't say that ExecStart syntax is "very shell"
+
+Fixes #6035.
+
+(cherry picked from commit 0e3f51cf8d1004375e72d080f2aceddb9432b430)
+---
+ man/systemd.service.xml | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/man/systemd.service.xml b/man/systemd.service.xml
+index a452e3a672..555719186e 100644
+--- a/man/systemd.service.xml
++++ b/man/systemd.service.xml
+@@ -926,10 +926,9 @@
+     result in a warning. In particular, any backslashes should be doubled. Finally, a trailing
+     backslash (<literal>\</literal>) may be used to merge lines.</para>
+ 
+-    <para>This syntax is intended to be very similar to shell syntax,
+-    but only the meta-characters and expansions described in the
+-    following paragraphs are understood. Specifically, redirection
+-    using
++    <para>This syntax is inspired by shell syntax, but only the meta-characters and expansions
++    described in the following paragraphs are understood, and the expansion of variables is
++    different. Specifically, redirection using
+     <literal>&lt;</literal>,
+     <literal>&lt;&lt;</literal>,
+     <literal>&gt;</literal>, and

0069-man-update-MemoryDenyWriteExecute-description-for-ex.patch

@@ -0,0 +1,31 @@
+From adc6a92ae92647c9b098ffb5ff257c8ab685411e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Tue, 30 May 2017 16:43:48 -0400
+Subject: [PATCH] man: update MemoryDenyWriteExecute description for executable
+ stacks
+
+Without going into details, mention that libraries are also covered by the
+filters, and that executable stacks are a no no.
+
+Closes #5970.
+
+(cherry picked from commit 03c3c520402db803cffd5abc7ea0c55fba95fbb3)
+---
+ man/systemd.exec.xml | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
+index fb64cd6d8e..9a9387b798 100644
+--- a/man/systemd.exec.xml
++++ b/man/systemd.exec.xml
+@@ -1655,8 +1655,8 @@
+         <citerefentry><refentrytitle>mprotect</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls with
+         <constant>PROT_EXEC</constant> set and
+         <citerefentry><refentrytitle>shmat</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls with
+-        <constant>SHM_EXEC</constant> set. Note that this option is incompatible with programs that generate program
+-        code dynamically at runtime, such as JIT execution engines, or programs compiled making use of the code
++        <constant>SHM_EXEC</constant> set. Note that this option is incompatible with programs and libraries that
++        generate program code dynamically at runtime, including JIT execution engines, executable stacks, and code
+         "trampoline" feature of various C compilers. This option improves service security, as it makes harder for
+         software exploits to change running code dynamically. Note that this feature is fully available on x86-64, and
+         partially on x86. Specifically, the <function>shmat()</function> protection is not available on x86. Note that

0070-hwdb-use-path_join-to-generate-the-hwdb_bin-path-606.patch

@@ -0,0 +1,32 @@
+From 4f7c12c0147e9467a4adb76c5587cc2fe9bb627a Mon Sep 17 00:00:00 2001
+From: Michael Biebl <mbiebl@gmail.com>
+Date: Thu, 1 Jun 2017 03:21:11 +0200
+Subject: [PATCH] hwdb: use path_join() to generate the hwdb_bin path (#6063)
+
+This avoids having double slashes which can confuse selinux.
+(cherry picked from commit 0aac506b64dd6102374635290ca979b080d1192f)
+---
+ src/hwdb/hwdb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/hwdb/hwdb.c b/src/hwdb/hwdb.c
+index a23b614791..df79fbc275 100644
+--- a/src/hwdb/hwdb.c
++++ b/src/hwdb/hwdb.c
+@@ -31,6 +31,7 @@
+ #include "hwdb-util.h"
+ #include "label.h"
+ #include "mkdir.h"
++#include "path-util.h"
+ #include "selinux-util.h"
+ #include "strbuf.h"
+ #include "string-util.h"
+@@ -670,7 +671,7 @@ static int hwdb_update(int argc, char *argv[], void *userdata) {
+         log_debug("strings dedup'ed: %8zu bytes (%8zu)",
+                   trie->strings->dedup_len, trie->strings->dedup_count);
+ 
+-        hwdb_bin = strjoin(arg_root, "/", arg_hwdb_bin_dir, "/hwdb.bin");
++        hwdb_bin = path_join(arg_root, arg_hwdb_bin_dir, "hwdb.bin");
+         if (!hwdb_bin)
+                 return -ENOMEM;
+ 

0071-systemd-nspawn-.service-start-after-var-lib-machines.patch

@@ -0,0 +1,25 @@
+From dd8fe7cf46d372a012d01192949b8ba62887c996 Mon Sep 17 00:00:00 2001
+From: Josef Gajdusek <atx@atx.name>
+Date: Tue, 6 Jun 2017 17:18:22 +0200
+Subject: [PATCH] systemd-nspawn@.service: start after /var/lib/machines is
+ mounted (#6079)
+
+This fixes a race condition during boot, where an nspawn container would start
+before /var/lib/machines got mounted resulting in a failure.
+(cherry picked from commit be5bd2ec62dd7cedd56da82296b9296918806b48)
+---
+ units/systemd-nspawn@.service.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/units/systemd-nspawn@.service.in b/units/systemd-nspawn@.service.in
+index 8c0685aef5..5e80054a57 100644
+--- a/units/systemd-nspawn@.service.in
++++ b/units/systemd-nspawn@.service.in
+@@ -11,6 +11,7 @@ Documentation=man:systemd-nspawn(1)
+ PartOf=machines.target
+ Before=machines.target
+ After=network.target systemd-resolved.service
++RequiresMountsFor=/var/lib/machines
+ 
+ [Service]
+ ExecStart=@bindir@/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-veth -U --settings=override --machine=%i

0072-zsh-add-completion-for-add-wants-and-add-requires-60.patch

@@ -0,0 +1,32 @@
+From 6389db18b0cec4637af4483923b57a7a0a125317 Mon Sep 17 00:00:00 2001
+From: Felipe Sateler <fsateler@users.noreply.github.com>
+Date: Tue, 6 Jun 2017 21:32:15 -0400
+Subject: [PATCH] zsh: add completion for add-wants and add-requires (#6082)
+
+(cherry picked from commit d739ce98f33fce467e1d5b447140eb53262244d3)
+---
+ shell-completion/zsh/_systemctl.in | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/shell-completion/zsh/_systemctl.in b/shell-completion/zsh/_systemctl.in
+index 7d3d47bef9..aad700b739 100644
+--- a/shell-completion/zsh/_systemctl.in
++++ b/shell-completion/zsh/_systemctl.in
+@@ -29,6 +29,8 @@
+     "list-unit-files:List installed unit files"
+     "enable:Enable one or more unit files"
+     "disable:Disable one or more unit files"
++    "add-wants:Add Wants= dependencies to a unit"
++    "add-requires:Add Requires= dependencies to a unit"
+     "reenable:Reenable one or more unit files"
+     "preset:Enable/disable one or more unit files based on preset configuration"
+     "set-default:Set the default target"
+@@ -158,7 +160,7 @@ _systemctl_unit_state() { typeset -gA _sys_unit_state; _sys_unit_state=( $(__sys
+ 
+ local fun
+ # Completion functions for ALL_UNITS
+-for fun in is-active is-failed is-enabled status show cat mask preset help list-dependencies edit revert ; do
++for fun in is-active is-failed is-enabled status show cat mask preset help list-dependencies edit revert add-wants add-requires ; do
+   (( $+functions[_systemctl_$fun] )) || _systemctl_$fun()
+   {
+     _systemctl_really_all_units

0073-udev-stop-freeing-value-after-using-it-for-setting-s.patch

@@ -0,0 +1,80 @@
+From a52e62a329f27e5f0a35402cdbd194c9ed4542a7 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Wed, 7 Jun 2017 04:47:47 +0300
+Subject: [PATCH] udev: stop freeing value after using it for setting sysattr
+ (#6094)
+
+This prevents udev from double-freeing and crashing.
+
+See https://github.com/systemd/systemd/issues/6040#issuecomment-306589836
+==351== Invalid free() / delete / delete[] / realloc()
+==351==    at 0x4C2C14B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
+==351==    by 0x13CBE8: hashmap_clear_free_free (hashmap.c:900)
+==351==    by 0x13CBE8: hashmap_free_free_free (hashmap.c:852)
+==351==    by 0x147F4F: sd_device_unref (sd-device.c:88)
+==351==    by 0x130CCC: udev_device_unref (libudev-device.c:552)
+==351==    by 0x130CD5: udev_device_unref (libudev-device.c:553)
+==351==    by 0x11FBBB: worker_spawn (udevd.c:488)
+==351==    by 0x1216E5: event_run (udevd.c:584)
+==351==    by 0x1216E5: event_queue_start (udevd.c:823)
+==351==    by 0x122213: on_uevent (udevd.c:927)
+==351==    by 0x141F2F: source_dispatch (sd-event.c:2272)
+==351==    by 0x142D52: sd_event_dispatch (sd-event.c:2631)
+==351==    by 0x142D52: sd_event_run (sd-event.c:2690)
+==351==    by 0x142D52: sd_event_loop (sd-event.c:2710)
+==351==    by 0x1159CB: run (udevd.c:1643)
+==351==    by 0x1159CB: main (udevd.c:1772)
+==351==  Address 0x81745b0 is 0 bytes inside a block of size 1 free'd
+==351==    at 0x4C2C14B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
+==351==    by 0x1447F0: freep (alloc-util.h:57)
+==351==    by 0x1447F0: sd_device_set_sysattr_value (sd-device.c:1859)
+==351==    by 0x132081: udev_device_set_sysattr_value (libudev-device.c:849)
+==351==    by 0x12E777: set_trackpoint_sensitivity (udev-builtin-keyboard.c:180)
+==351==    by 0x12E777: builtin_keyboard.lto_priv.170 (udev-builtin-keyboard.c:263)
+==351==    by 0x14D03F: udev_builtin_run.constprop.75 (udev-builtin.c:133)
+==351==    by 0x11FAEB: udev_event_execute_run (udev-event.c:957)
+==351==    by 0x11FAEB: worker_spawn (udevd.c:461)
+==351==    by 0x1216E5: event_run (udevd.c:584)
+==351==    by 0x1216E5: event_queue_start (udevd.c:823)
+==351==    by 0x122213: on_uevent (udevd.c:927)
+==351==    by 0x141F2F: source_dispatch (sd-event.c:2272)
+==351==    by 0x142D52: sd_event_dispatch (sd-event.c:2631)
+==351==    by 0x142D52: sd_event_run (sd-event.c:2690)
+==351==    by 0x142D52: sd_event_loop (sd-event.c:2710)
+==351==    by 0x1159CB: run (udevd.c:1643)
+==351==    by 0x1159CB: main (udevd.c:1772)
+==351==  Block was alloc'd at
+==351==    at 0x4C2CF35: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
+==351==    by 0x144853: sd_device_set_sysattr_value (sd-device.c:1888)
+==351==    by 0x132081: udev_device_set_sysattr_value (libudev-device.c:849)
+==351==    by 0x12E777: set_trackpoint_sensitivity (udev-builtin-keyboard.c:180)
+==351==    by 0x12E777: builtin_keyboard.lto_priv.170 (udev-builtin-keyboard.c:263)
+==351==    by 0x14D03F: udev_builtin_run.constprop.75 (udev-builtin.c:133)
+==351==    by 0x11FAEB: udev_event_execute_run (udev-event.c:957)
+==351==    by 0x11FAEB: worker_spawn (udevd.c:461)
+==351==    by 0x1216E5: event_run (udevd.c:584)
+==351==    by 0x1216E5: event_queue_start (udevd.c:823)
+==351==    by 0x122213: on_uevent (udevd.c:927)
+==351==    by 0x141F2F: source_dispatch (sd-event.c:2272)
+==351==    by 0x142D52: sd_event_dispatch (sd-event.c:2631)
+==351==    by 0x142D52: sd_event_run (sd-event.c:2690)
+==351==    by 0x142D52: sd_event_loop (sd-event.c:2710)
+==351==    by 0x1159CB: run (udevd.c:1643)
+==351==    by 0x1159CB: main (udevd.c:1772)
+(cherry picked from commit 3bd82598a1b48d27b17baf4b43bdf1104bcb1021)
+---
+ src/libsystemd/sd-device/sd-device.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/libsystemd/sd-device/sd-device.c b/src/libsystemd/sd-device/sd-device.c
+index 04ead29338..81d8d61ba9 100644
+--- a/src/libsystemd/sd-device/sd-device.c
++++ b/src/libsystemd/sd-device/sd-device.c
+@@ -1892,6 +1892,7 @@ _public_ int sd_device_set_sysattr_value(sd_device *device, const char *sysattr,
+                 r = device_add_sysattr_value(device, sysattr, value);
+                 if (r < 0)
+                         return r;
++                value = NULL;
+ 
+                 return -ENXIO;
+         }

0074-core-mount-pass-c-flag-to-bin-umount-6093.patch

@@ -0,0 +1,42 @@
+From e0a8e194a2e3ca0a405dadfcbc9b5347e46fe8c0 Mon Sep 17 00:00:00 2001
+From: NeilBrown <neil@brown.name>
+Date: Wed, 7 Jun 2017 22:28:23 +1000
+Subject: [PATCH] core/mount: pass "-c" flag to /bin/umount (#6093)
+
+"-c", which is short for "--no-canonicalize", tells /bin/umount
+that the path name is canonical (no .. or symlinks etc).
+
+systemd always uses a canonical name, so this flag is appropriate
+for systemd to use.
+Knowing that the path is canonical allows umount to avoid
+some calls to lstat() on the path.
+
+From v2.30 "-c" goes further and causes umount to avoid all
+attempts to 'lstat()' (or similar) the path.  This is important
+when automatically unmounting a filesystem, as lstat() can
+hang indefinitely in some cases such as when an NFS server
+is not accessible.
+
+"-c" has been supported since util-linux 2.17 which is before the
+earliest version supported by systemd.
+So "-c" is safe to use now, and once util-linux v2.30 is in use,
+it will allow mounts from non-responsive NFS servers to be
+unmounted.
+(cherry picked from commit 83897d5470190a9818df50026cf38cd97114f77d)
+---
+ src/core/mount.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/core/mount.c b/src/core/mount.c
+index ca0c4b0d5e..214364d87d 100644
+--- a/src/core/mount.c
++++ b/src/core/mount.c
+@@ -886,7 +886,7 @@ static void mount_enter_unmounting(Mount *m) {
+         m->control_command_id = MOUNT_EXEC_UNMOUNT;
+         m->control_command = m->exec_command + MOUNT_EXEC_UNMOUNT;
+ 
+-        r = exec_command_set(m->control_command, UMOUNT_PATH, m->where, NULL);
++        r = exec_command_set(m->control_command, UMOUNT_PATH, m->where, "-c", NULL);
+         if (r >= 0 && m->lazy_unmount)
+                 r = exec_command_append(m->control_command, "-l", NULL);
+         if (r >= 0 && m->force_unmount)

0075-man-systemd-timesyncd.service-8-6109.patch

@@ -0,0 +1,28 @@
+From 27c7bc970d9e7ffe060688a8dd77b7747503a564 Mon Sep 17 00:00:00 2001
+From: Pat Riehecky <jcpunk@gmail.com>
+Date: Fri, 9 Jun 2017 17:48:25 -0500
+Subject: [PATCH] man: systemd-timesyncd.service(8) (#6109)
+
+Updates the documentation to note use of SNTP (resolves #5735)
+(cherry picked from commit 42d3bf86bb75842602d3712caa2baccd09a1c795)
+---
+ man/systemd-timesyncd.service.xml | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/man/systemd-timesyncd.service.xml b/man/systemd-timesyncd.service.xml
+index 6ec384313b..3edcaf1b4e 100644
+--- a/man/systemd-timesyncd.service.xml
++++ b/man/systemd-timesyncd.service.xml
+@@ -64,6 +64,12 @@
+     reboots to ensure it monotonically advances even if the system
+     lacks a battery-buffered RTC chip.</para>
+ 
++    <para>The <filename>systemd-timesyncd</filename> service
++    specifically implements only SNTP. This minimalistic
++    service will set the system clock for large offsets or
++    slowly adjust it for smaller deltas. More complex use
++    cases are not covered by <filename>systemd-timesyncd</filename>.</para>
++
+     <para>The NTP servers contacted are determined from the global
+     settings in
+     <citerefentry><refentrytitle>timesyncd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,

0076-fix-includes.patch

@@ -0,0 +1,40 @@
+From 93dc6dbed1ee66619f5005f6209920ea051474a8 Mon Sep 17 00:00:00 2001
+From: Matija Skala <mskala@gmx.com>
+Date: Wed, 15 Mar 2017 13:21:10 +0100
+Subject: [PATCH] fix includes
+
+linux/sockios.h is needed for the SIOCGSTAMPNS macro
+
+xlocale.h is included indirectly in glibc and doesn't even exist in
+other libcs
+
+(cherry picked from commit 284d1cd0a12cad96a5ea61d1afb0dd677dbd147e)
+---
+ src/basic/parse-util.c           | 1 -
+ src/libsystemd-network/sd-lldp.c | 1 +
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/basic/parse-util.c b/src/basic/parse-util.c
+index 6e58ced6f5..d86700736d 100644
+--- a/src/basic/parse-util.c
++++ b/src/basic/parse-util.c
+@@ -23,7 +23,6 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+-#include <xlocale.h>
+ 
+ #include "alloc-util.h"
+ #include "extract-word.h"
+diff --git a/src/libsystemd-network/sd-lldp.c b/src/libsystemd-network/sd-lldp.c
+index 0702241506..39ddb2461a 100644
+--- a/src/libsystemd-network/sd-lldp.c
++++ b/src/libsystemd-network/sd-lldp.c
+@@ -19,6 +19,7 @@
+ ***/
+ 
+ #include <arpa/inet.h>
++#include <linux/sockios.h>
+ 
+ #include "sd-lldp.h"
+ 

0077-test-resolved-packet-add-a-simple-test-for-our-alloc.patch

@@ -0,0 +1,109 @@
+From 7586bc7e5006fd7df55199283de4766b2775f60f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Sun, 18 Jun 2017 15:53:15 -0400
+Subject: [PATCH] test-resolved-packet: add a simple test for our allocation
+ functions
+
+(cherry picked from commit 751ca3f1de316ca79b60001334dbdf54077e1d01)
+---
+ .gitignore                         |  1 +
+ Makefile.am                        | 14 ++++++++++++
+ src/resolve/test-resolved-packet.c | 45 ++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 60 insertions(+)
+ create mode 100644 src/resolve/test-resolved-packet.c
+
+diff --git a/.gitignore b/.gitignore
+index 01cb6e7db7..25b976a0e3 100644
+--- a/.gitignore
++++ b/.gitignore
+@@ -269,6 +269,7 @@
+ /test-replace-var
+ /test-resolve
+ /test-resolve-tables
++/test-resolved-packet
+ /test-ring
+ /test-rlimit-util
+ /test-sched-prio
+diff --git a/Makefile.am b/Makefile.am
+index a767a5aa0d..e97a66e0fa 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -5663,6 +5663,7 @@ dist_zshcompletion_data += \
+ tests += \
+ 	test-dns-packet \
+ 	test-resolve-tables \
++	test-resolved-packet \
+ 	test-dnssec
+ 
+ manual_tests += \
+@@ -5684,6 +5685,19 @@ test_resolve_tables_LDADD = \
+ 	$(GCRYPT_LIBS) \
+ 	-lm
+ 
++test_resolved_packet_SOURCES = \
++	src/resolve/test-resolved-packet.c \
++	$(basic_dns_sources)
++
++test_resolved_packet_CFLAGS = \
++	$(AM_CFLAGS) \
++	$(GCRYPT_CFLAGS)
++
++test_resolved_packet_LDADD = \
++	libsystemd-shared.la \
++	$(GCRYPT_LIBS) \
++	-lm
++
+ test_dns_packet_SOURCES = \
+ 	src/resolve/test-dns-packet.c \
+ 	$(basic_dns_sources)
+diff --git a/src/resolve/test-resolved-packet.c b/src/resolve/test-resolved-packet.c
+new file mode 100644
+index 0000000000..8b7da1408d
+--- /dev/null
++++ b/src/resolve/test-resolved-packet.c
+@@ -0,0 +1,45 @@
++/***
++  This file is part of systemd
++
++  Copyright 2017 Zbigniew Jędrzejewski-Szmek
++
++  systemd is free software; you can redistribute it and/or modify it
++  under the terms of the GNU Lesser General Public License as published by
++  the Free Software Foundation; either version 2.1 of the License, or
++  (at your option) any later version.
++
++  systemd is distributed in the hope that it will be useful, but
++  WITHOUT ANY WARRANTY; without even the implied warranty of
++  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++  Lesser General Public License for more details.
++
++  You should have received a copy of the GNU Lesser General Public License
++  along with systemd; If not, see <http://www.gnu.org/licenses/>.
++***/
++
++#include "log.h"
++#include "resolved-dns-packet.h"
++
++static void test_dns_packet_new(void) {
++        size_t i;
++
++        for (i = 0; i < DNS_PACKET_SIZE_MAX + 2; i++) {
++                _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
++
++                assert_se(dns_packet_new(&p, DNS_PROTOCOL_DNS, i) == 0);
++
++                log_debug("dns_packet_new: %zu → %zu", i, p->allocated);
++                assert_se(p->allocated >= MIN(DNS_PACKET_SIZE_MAX, i));
++        }
++}
++
++int main(int argc, char **argv) {
++
++        log_set_max_level(LOG_DEBUG);
++        log_parse_environment();
++        log_open();
++
++        test_dns_packet_new();
++
++        return 0;
++}

0078-resolved-simplify-alloc-size-calculation.patch

@@ -0,0 +1,50 @@
+From fa30043f5a3e4eaff50a72bad95601d582ac045d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Sun, 18 Jun 2017 16:07:57 -0400
+Subject: [PATCH] resolved: simplify alloc size calculation
+
+The allocation size was calculated in a complicated way, and for values
+close to the page size we would actually allocate less than requested.
+
+Reported by Chris Coulson <chris.coulson@canonical.com>.
+
+CVE-2017-9445
+
+(cherry picked from commit db848813bae4d28c524b3b6a7dad135e426659ce)
+---
+ src/resolve/resolved-dns-packet.c | 8 +-------
+ src/resolve/resolved-dns-packet.h | 2 --
+ 2 files changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c
+index 240ee448f4..821b66e266 100644
+--- a/src/resolve/resolved-dns-packet.c
++++ b/src/resolve/resolved-dns-packet.c
+@@ -47,13 +47,7 @@ int dns_packet_new(DnsPacket **ret, DnsProtocol protocol, size_t mtu) {
+ 
+         assert(ret);
+ 
+-        if (mtu <= UDP_PACKET_HEADER_SIZE)
+-                a = DNS_PACKET_SIZE_START;
+-        else
+-                a = mtu - UDP_PACKET_HEADER_SIZE;
+-
+-        if (a < DNS_PACKET_HEADER_SIZE)
+-                a = DNS_PACKET_HEADER_SIZE;
++        a = MAX(mtu, DNS_PACKET_HEADER_SIZE);
+ 
+         /* round up to next page size */
+         a = PAGE_ALIGN(ALIGN(sizeof(DnsPacket)) + a) - ALIGN(sizeof(DnsPacket));
+diff --git a/src/resolve/resolved-dns-packet.h b/src/resolve/resolved-dns-packet.h
+index 2c92392e4d..3abcaf8cf3 100644
+--- a/src/resolve/resolved-dns-packet.h
++++ b/src/resolve/resolved-dns-packet.h
+@@ -66,8 +66,6 @@ struct DnsPacketHeader {
+ /* With EDNS0 we can use larger packets, default to 4096, which is what is commonly used */
+ #define DNS_PACKET_UNICAST_SIZE_LARGE_MAX 4096
+ 
+-#define DNS_PACKET_SIZE_START 512
+-
+ struct DnsPacket {
+         int n_ref;
+         DnsProtocol protocol;

0079-resolved-do-not-allocate-packets-with-minimum-size.patch

@@ -0,0 +1,47 @@
+From b38575cb49041e586b0732d759a06801e587bb90 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Tue, 27 Jun 2017 14:20:00 -0400
+Subject: [PATCH] resolved: do not allocate packets with minimum size
+
+dns_packet_new() is sometimes called with mtu == 0, and in that case we should
+allocate more than the absolute minimum (which is the dns packet header size),
+otherwise we have to resize immediately again after appending the first data to
+the packet.
+
+This partially reverts the previous commit.
+
+(cherry picked from commit 88795538726a5bbfd9efc13d441cb05e1d7fc139)
+---
+ src/resolve/resolved-dns-packet.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c
+index 821b66e266..d1f0f760a4 100644
+--- a/src/resolve/resolved-dns-packet.c
++++ b/src/resolve/resolved-dns-packet.c
+@@ -28,6 +28,9 @@
+ 
+ #define EDNS0_OPT_DO (1<<15)
+ 
++#define DNS_PACKET_SIZE_START 512
++assert_cc(DNS_PACKET_SIZE_START > UDP_PACKET_HEADER_SIZE)
++
+ typedef struct DnsPacketRewinder {
+         DnsPacket *packet;
+         size_t saved_rindex;
+@@ -47,7 +50,14 @@ int dns_packet_new(DnsPacket **ret, DnsProtocol protocol, size_t mtu) {
+ 
+         assert(ret);
+ 
+-        a = MAX(mtu, DNS_PACKET_HEADER_SIZE);
++        /* When dns_packet_new() is called with mtu == 0, allocate more than the
++         * absolute minimum (which is the dns packet header size), to avoid
++         * resizing immediately again after appending the first data to the packet.
++         */
++        if (mtu < UDP_PACKET_HEADER_SIZE)
++                a = DNS_PACKET_SIZE_START;
++        else
++                a = MAX(mtu, DNS_PACKET_HEADER_SIZE);
+ 
+         /* round up to next page size */
+         a = PAGE_ALIGN(ALIGN(sizeof(DnsPacket)) + a) - ALIGN(sizeof(DnsPacket));

0080-resolved-define-various-packet-sizes-as-unsigned.patch

@@ -0,0 +1,48 @@
+From d0553ece1ec2b4c586ac033ae2cb9baf22d0af33 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Tue, 27 Jun 2017 16:59:06 -0400
+Subject: [PATCH] resolved: define various packet sizes as unsigned
+
+This seems like the right thing to do, and apparently at least some compilers
+warn about signed/unsigned comparisons with DNS_PACKET_SIZE_MAX.
+
+(cherry picked from commit 64a21fdaca7c93f1c30b21f6fdbd2261798b161a)
+---
+ src/resolve/resolved-dns-packet.c | 2 +-
+ src/resolve/resolved-dns-packet.h | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c
+index d1f0f760a4..a486216d68 100644
+--- a/src/resolve/resolved-dns-packet.c
++++ b/src/resolve/resolved-dns-packet.c
+@@ -28,7 +28,7 @@
+ 
+ #define EDNS0_OPT_DO (1<<15)
+ 
+-#define DNS_PACKET_SIZE_START 512
++#define DNS_PACKET_SIZE_START 512u
+ assert_cc(DNS_PACKET_SIZE_START > UDP_PACKET_HEADER_SIZE)
+ 
+ typedef struct DnsPacketRewinder {
+diff --git a/src/resolve/resolved-dns-packet.h b/src/resolve/resolved-dns-packet.h
+index 3abcaf8cf3..5dff272fd9 100644
+--- a/src/resolve/resolved-dns-packet.h
++++ b/src/resolve/resolved-dns-packet.h
+@@ -58,13 +58,13 @@ struct DnsPacketHeader {
+ /* The various DNS protocols deviate in how large a packet can grow,
+    but the TCP transport has a 16bit size field, hence that appears to
+    be the absolute maximum. */
+-#define DNS_PACKET_SIZE_MAX 0xFFFF
++#define DNS_PACKET_SIZE_MAX 0xFFFFu
+ 
+ /* RFC 1035 say 512 is the maximum, for classic unicast DNS */
+-#define DNS_PACKET_UNICAST_SIZE_MAX 512
++#define DNS_PACKET_UNICAST_SIZE_MAX 512u
+ 
+ /* With EDNS0 we can use larger packets, default to 4096, which is what is commonly used */
+-#define DNS_PACKET_UNICAST_SIZE_LARGE_MAX 4096
++#define DNS_PACKET_UNICAST_SIZE_LARGE_MAX 4096u
+ 
+ struct DnsPacket {
+         int n_ref;

0081-virt-enable-detecting-QEMU-TCG-via-CPUID-6399.patch

@@ -0,0 +1,32 @@
+From c21be74a657c56bfc4091428b54189682c354640 Mon Sep 17 00:00:00 2001
+From: Daniel Berrange <berrange@redhat.com>
+Date: Wed, 19 Jul 2017 10:06:07 +0100
+Subject: [PATCH] virt: enable detecting QEMU (TCG) via CPUID (#6399)
+
+QEMU >= 2.10 will include a CPUID leaf with value "TCGTCGTCGTCG"
+on x86 when running with the TCG CPU emulator:
+
+  https://lists.gnu.org/archive/html/qemu-devel/2017-07/msg05231.html
+
+Existing methods of detecting QEMU are left unchanged for sake of
+backcompatibility.
+
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+(cherry picked from commit 5588612e9e8828691f13141e3fcebe08a59201fe)
+(cherry picked from commit ce0609bc26d33e47b23fbbe1aa7465283a10fb10)
+---
+ src/basic/virt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/basic/virt.c b/src/basic/virt.c
+index ff4491d6d6..b69076214e 100644
+--- a/src/basic/virt.c
++++ b/src/basic/virt.c
+@@ -46,6 +46,7 @@ static int detect_vm_cpuid(void) {
+         } cpuid_vendor_table[] = {
+                 { "XenVMMXenVMM", VIRTUALIZATION_XEN       },
+                 { "KVMKVMKVM",    VIRTUALIZATION_KVM       },
++                { "TCGTCGTCGTCG", VIRTUALIZATION_QEMU      },
+                 /* http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1009458 */
+                 { "VMwareVMware", VIRTUALIZATION_VMWARE    },
+                 /* https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs */

0082-rfkill-fix-erroneous-behavior-when-polling-the-udev-.patch

@@ -0,0 +1,46 @@
+From 638c0dbabd348a664c85cbaf0ab10f317468b576 Mon Sep 17 00:00:00 2001
+From: "S. Fan" <sfanxiang@gmail.com>
+Date: Mon, 31 Jul 2017 05:10:10 -0500
+Subject: [PATCH] rfkill: fix erroneous behavior when polling the udev monitor
+ (#6489)
+
+Comparing udev_device_get_sysname(device) and sysname will always return
+true. We need to check the device received from udev monitor instead.
+
+Also, fd_wait_for_event() sometimes never exits. Better set a timeout
+here.
+
+(cherry picked from commit 8ec1a07998758f6a85f3ea5bf2ed14d87609398f)
+(cherry picked from commit cd8a9ccb7c06394a64bfe0cd2a88fad7be8e3f9f)
+---
+ src/rfkill/rfkill.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/rfkill/rfkill.c b/src/rfkill/rfkill.c
+index c0f138b4f4..470853d1d2 100644
+--- a/src/rfkill/rfkill.c
++++ b/src/rfkill/rfkill.c
+@@ -138,17 +138,21 @@ static int wait_for_initialized(
+         for (;;) {
+                 _cleanup_udev_device_unref_ struct udev_device *t = NULL;
+ 
+-                r = fd_wait_for_event(watch_fd, POLLIN, USEC_INFINITY);
++                r = fd_wait_for_event(watch_fd, POLLIN, EXIT_USEC);
+                 if (r == -EINTR)
+                         continue;
+                 if (r < 0)
+                         return log_error_errno(r, "Failed to watch udev monitor: %m");
++                if (r == 0) {
++                        log_error("Timed out wating for udev monitor.");
++                        return -ETIMEDOUT;
++                }
+ 
+                 t = udev_monitor_receive_device(monitor);
+                 if (!t)
+                         continue;
+ 
+-                if (streq_ptr(udev_device_get_sysname(device), sysname)) {
++                if (streq_ptr(udev_device_get_sysname(t), sysname)) {
+                         *ret = udev_device_ref(t);
+                         return 0;
+                 }

0083-process-util-update-the-end-pointer-of-the-process-n.patch

@@ -0,0 +1,64 @@
+From 40f2740483074ba47cc78f0a88cfbc02dc108fb4 Mon Sep 17 00:00:00 2001
+From: Jouke Witteveen <j.witteveen@gmail.com>
+Date: Wed, 2 Aug 2017 17:08:31 +0200
+Subject: [PATCH] process-util: update the end pointer of the process name on
+ rename (#6492)
+
+We only updated the end pointer when allocating new memory, i.e. on the first
+call to rename_process.
+
+(cherry picked from commit 01f989c66253ea923679ffddf266ea13339c295b)
+(cherry picked from commit 4caa10a6bedf7a18b42e011bdbdb4b9c425c0d6d)
+---
+ src/basic/process-util.c | 26 +++++++++++++++-----------
+ 1 file changed, 15 insertions(+), 11 deletions(-)
+
+diff --git a/src/basic/process-util.c b/src/basic/process-util.c
+index 0df3fed640..923f6bcb70 100644
+--- a/src/basic/process-util.c
++++ b/src/basic/process-util.c
+@@ -312,19 +312,18 @@ int rename_process(const char name[]) {
+         /* Third step, completely replace the argv[] array the kernel maintains for us. This requires privileges, but
+          * has the advantage that the argv[] array is exactly what we want it to be, and not filled up with zeros at
+          * the end. This is the best option for changing /proc/self/cmdline. */
+-        if (mm_size < l+1) {
++
++        /* Let's not bother with this if we don't have euid == 0. Strictly speaking we should check for the
++         * CAP_SYS_RESOURCE capability which is independent of the euid. In our own code the capability generally is
++         * present only for euid == 0, hence let's use this as quick bypass check, to avoid calling mmap() if
++         * PR_SET_MM_ARG_{START,END} fails with EPERM later on anyway. After all geteuid() is dead cheap to call, but
++         * mmap() is not. */
++        if (geteuid() != 0)
++                log_debug("Skipping PR_SET_MM, as we don't have privileges.");
++        else if (mm_size < l+1) {
+                 size_t nn_size;
+                 char *nn;
+ 
+-                /* Let's not bother with this if we don't have euid == 0. Strictly speaking if people do weird stuff
+-                 * with capabilities this could work even for euid != 0, but our own code generally doesn't do that,
+-                 * hence let's use this as quick bypass check, to avoid calling mmap() if PR_SET_MM_ARG_START fails
+-                 * with EPERM later on anyway. After all geteuid() is dead cheap to call, but mmap() is not. */
+-                if (geteuid() != 0) {
+-                        log_debug("Skipping PR_SET_MM_ARG_START, as we don't have privileges.");
+-                        goto use_saved_argv;
+-                }
+-
+                 nn_size = PAGE_ALIGN(l+1);
+                 nn = mmap(NULL, nn_size, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
+                 if (nn == MAP_FAILED) {
+@@ -351,9 +350,14 @@ int rename_process(const char name[]) {
+ 
+                 mm = nn;
+                 mm_size = nn_size;
+-        } else
++        } else {
+                 strncpy(mm, name, mm_size);
+ 
++                /* Update the end pointer, continuing regardless of any failure. */
++                if (prctl(PR_SET_MM, PR_SET_MM_ARG_END, (unsigned long) mm + l + 1, 0, 0) < 0)
++                        log_debug_errno(errno, "PR_SET_MM_ARG_END failed, proceeding without: %m");
++        }
++
+ use_saved_argv:
+         /* Fourth step: in all cases we'll also update the original argv[], so that our own code gets it right too if
+          * it still looks here */

0084-cryptsetup-generator-do-not-bind-to-the-decrypted-de.patch

@@ -0,0 +1,30 @@
+From 4f009bfa85683a6a7b72afef64d756d38e77f7e1 Mon Sep 17 00:00:00 2001
+From: Ivan Shapovalov <intelfx@intelfx.name>
+Date: Wed, 30 Aug 2017 19:49:07 +0300
+Subject: [PATCH] cryptsetup-generator: do not bind to the decrypted device
+ unit (#6538)
+
+This breaks things when the decrypted device is not immediately
+`SYSTEMD_READY=1` (e. g. when a multi-device btrfs system is placed on
+multiple cryptsetup devices).
+
+Fixes #6537.
+
+(cherry picked from commit e9ea4526a3a3b41eced29b8d742498cc36750424)
+(cherry picked from commit f5f367d4a9872453888da79bdff3a50f78a9758a)
+---
+ src/cryptsetup/cryptsetup-generator.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/cryptsetup/cryptsetup-generator.c b/src/cryptsetup/cryptsetup-generator.c
+index b58b6db7c9..f737f82b55 100644
+--- a/src/cryptsetup/cryptsetup-generator.c
++++ b/src/cryptsetup/cryptsetup-generator.c
+@@ -109,7 +109,6 @@ static int create_disk(
+               "SourcePath=/etc/crypttab\n"
+               "DefaultDependencies=no\n"
+               "Conflicts=umount.target\n"
+-              "BindsTo=dev-mapper-%i.device\n"
+               "IgnoreOnIsolate=true\n"
+               "After=cryptsetup-pre.target\n",
+               f);

0085-Load-virtio_rng-early-in-the-game-6710.patch

@@ -0,0 +1,92 @@
+From ac860fcf38603499b79d86c382a825db8305c79d Mon Sep 17 00:00:00 2001
+From: Harald Hoyer <harald@hoyer.xyz>
+Date: Thu, 31 Aug 2017 15:33:33 +0200
+Subject: [PATCH] Load virtio_rng early in the game (#6710)
+
+If true randomness is needed before udev is triggered, which would load
+virtio_rng, reading /dev/random takes forever and the boot stalls for a
+long time.
+
+(cherry picked from commit 6c1f72f626355615daee0e5a7ef7044759251a23)
+(cherry picked from commit 59e70293dbf06106c2f4a152f234581e284fae5f)
+---
+ src/core/kmod-setup.c | 41 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 41 insertions(+)
+
+diff --git a/src/core/kmod-setup.c b/src/core/kmod-setup.c
+index fd1021f706..9f69a6d925 100644
+--- a/src/core/kmod-setup.c
++++ b/src/core/kmod-setup.c
+@@ -17,6 +17,7 @@
+   along with systemd; If not, see <http://www.gnu.org/licenses/>.
+ ***/
+ 
++#include <ftw.h>
+ #include <string.h>
+ #include <unistd.h>
+ 
+@@ -24,10 +25,13 @@
+ #include <libkmod.h>
+ #endif
+ 
++#include "alloc-util.h"
+ #include "bus-util.h"
+ #include "capability-util.h"
++#include "fileio.h"
+ #include "kmod-setup.h"
+ #include "macro.h"
++#include "string-util.h"
+ 
+ #ifdef HAVE_KMOD
+ static void systemd_kmod_log(
+@@ -45,6 +49,41 @@ static void systemd_kmod_log(
+ }
+ #endif
+ 
++static int has_virtio_rng_nftw_cb(
++                const char *fpath,
++                const struct stat *sb,
++                int tflag,
++                struct FTW *ftwbuf) {
++
++        _cleanup_free_ char *alias = NULL;
++        int r;
++
++        if ((FTW_D == tflag) && (ftwbuf->level > 2))
++                return FTW_SKIP_SUBTREE;
++
++        if (FTW_F != tflag)
++                return FTW_CONTINUE;
++
++        if (!endswith(fpath, "/modalias"))
++                return FTW_CONTINUE;
++
++        r = read_one_line_file(fpath, &alias);
++        if (r < 0)
++                return FTW_SKIP_SIBLINGS;
++
++        if (startswith(alias, "pci:v00001AF4d00001005"))
++                return FTW_STOP;
++
++        if (startswith(alias, "pci:v00001AF4d00001044"))
++                return FTW_STOP;
++
++        return FTW_SKIP_SIBLINGS;
++}
++
++static bool has_virtio_rng(void) {
++        return (nftw("/sys/devices/pci0000:00", has_virtio_rng_nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL) == FTW_STOP);
++}
++
+ int kmod_setup(void) {
+ #ifdef HAVE_KMOD
+ 
+@@ -68,6 +107,8 @@ int kmod_setup(void) {
+                 /* netfilter is needed by networkd, nspawn among others, and cannot be autoloaded */
+                 { "ip_tables", "/proc/net/ip_tables_names", false,  false,   NULL      },
+ #endif
++                /* virtio_rng would be loaded by udev later, but real entropy might be needed very early */
++                { "virtio_rng", NULL,                       false,  false,   has_virtio_rng },
+         };
+         struct kmod_ctx *ctx = NULL;
+         unsigned int i;

0086-sd-bus-extend-D-Bus-authentication-timeout-considera.patch

@@ -0,0 +1,63 @@
+From e603498db86b6f8df5a761ec53711e1ab949b1a5 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Wed, 13 Sep 2017 19:08:26 +0200
+Subject: [PATCH] sd-bus: extend D-Bus authentication timeout considerably
+ (#6813)
+
+As it turns out the authentication phase times out too often than is
+good, mostly due to PRNG pools not being populated during boot. Hence,
+let's increase the authentication timeout from 25s to 90s, to cover for
+that.
+
+(Note that we leave the D-Bus method call timeout at 25s, matching the
+reference implementation's value. And if the auth phase managed to
+complete then the pools should be populated enough and mehtod calls
+shouldn't take needlessly long anymore).
+
+Fixes: #6418
+(cherry picked from commit 036d61b32e7e684a532904ec26a6ebaa1b850ab9)
+(cherry picked from commit 7f4b159f88d8d3b932e24646b50e4bdcac885581)
+---
+ src/libsystemd/sd-bus/bus-internal.h | 6 ++++++
+ src/libsystemd/sd-bus/bus-socket.c   | 2 +-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/libsystemd/sd-bus/bus-internal.h b/src/libsystemd/sd-bus/bus-internal.h
+index bb0414c4d6..2417fe66b8 100644
+--- a/src/libsystemd/sd-bus/bus-internal.h
++++ b/src/libsystemd/sd-bus/bus-internal.h
+@@ -27,6 +27,7 @@
+ #include "bus-error.h"
+ #include "bus-kernel.h"
+ #include "bus-match.h"
++#include "def.h"
+ #include "hashmap.h"
+ #include "kdbus.h"
+ #include "list.h"
+@@ -326,8 +327,13 @@ struct sd_bus {
+         LIST_HEAD(sd_bus_track, tracks);
+ };
+ 
++/* For method calls we time-out at 25s, like in the D-Bus reference implementation */
+ #define BUS_DEFAULT_TIMEOUT ((usec_t) (25 * USEC_PER_SEC))
+ 
++/* For the authentication phase we grant 90s, to provide extra room during boot, when RNGs and such are not filled up
++ * with enough entropy yet and might delay the boot */
++#define BUS_AUTH_TIMEOUT ((usec_t) DEFAULT_TIMEOUT_USEC)
++
+ #define BUS_WQUEUE_MAX (192*1024)
+ #define BUS_RQUEUE_MAX (192*1024)
+ 
+diff --git a/src/libsystemd/sd-bus/bus-socket.c b/src/libsystemd/sd-bus/bus-socket.c
+index e6ed15eb71..32a22113e0 100644
+--- a/src/libsystemd/sd-bus/bus-socket.c
++++ b/src/libsystemd/sd-bus/bus-socket.c
+@@ -661,7 +661,7 @@ int bus_socket_start_auth(sd_bus *b) {
+         bus_get_peercred(b);
+ 
+         b->state = BUS_AUTHENTICATING;
+-        b->auth_timeout = now(CLOCK_MONOTONIC) + BUS_DEFAULT_TIMEOUT;
++        b->auth_timeout = now(CLOCK_MONOTONIC) + BUS_AUTH_TIMEOUT;
+ 
+         if (sd_is_socket(b->input_fd, AF_UNIX, 0, 0) <= 0)
+                 b->hello_flags &= ~KDBUS_HELLO_ACCEPT_FD;

0087-timer-don-t-use-persietent-file-timestamps-from-the-.patch

@@ -0,0 +1,49 @@
+From e84f292c9de368e512597736fbb1917a885586ec Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Thu, 14 Sep 2017 18:26:10 +0200
+Subject: [PATCH] timer: don't use persietent file timestamps from the future
+ (#6823)
+
+Also, use the mtime rather than the atime of the timestamp file. While
+the atime is not completely wrong, the mtime appears more appropriate
+as that's what we actually explicitly change, and is not effected by
+mere reading.
+
+Fixes: #6821
+(cherry picked from commit 77542a7905520f1d637912bf47bddb4855506e41)
+(cherry picked from commit eb877dacc9f98f646ff9509d6df5c71bd4a33a17)
+---
+ src/core/timer.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/src/core/timer.c b/src/core/timer.c
+index af67b7591a..63665554fe 100644
+--- a/src/core/timer.c
++++ b/src/core/timer.c
+@@ -633,9 +633,23 @@ static int timer_start(Unit *u) {
+         if (t->stamp_path) {
+                 struct stat st;
+ 
+-                if (stat(t->stamp_path, &st) >= 0)
+-                        t->last_trigger.realtime = timespec_load(&st.st_atim);
+-                else if (errno == ENOENT)
++                if (stat(t->stamp_path, &st) >= 0) {
++                        usec_t ft;
++
++                        /* Load the file timestamp, but only if it is actually in the past. If it is in the future,
++                         * something is wrong with the system clock. */
++
++                        ft = timespec_load(&st.st_mtim);
++                        if (ft < now(CLOCK_REALTIME))
++                                t->last_trigger.realtime = ft;
++                        else {
++                                char z[FORMAT_TIMESTAMP_MAX];
++
++                                log_unit_warning(u, "Not using persistent file timestamp %s as it is in the future.",
++                                                 format_timestamp(z, sizeof(z), ft));
++                        }
++
++                } else if (errno == ENOENT)
+                         /* The timer has never run before,
+                          * make sure a stamp file exists.
+                          */

0088-shared-end-string-with-if-one-was-found-at-the-end-o.patch

@@ -0,0 +1,47 @@
+From 3d4e63e3655bb1464f73a2ee11571d4bd1355cda Mon Sep 17 00:00:00 2001
+From: Felipe Sateler <fsateler@users.noreply.github.com>
+Date: Thu, 14 Sep 2017 14:51:20 -0300
+Subject: [PATCH] shared: end string with % if one was found at the end of a
+ expandible string (#6828)
+
+Current behavior is that %X where X is an unidentified specifier, then the result is
+the same %X string. This was not the case when the string ended with a stray %, where
+the character would have not been output. Lets add that missing character.
+
+Fixes: #6374
+(cherry picked from commit 038492aed3e0293fd9cf4998fd891addb597b954)
+(cherry picked from commit 760a486ff45797b65093c5f0550cc42bfd5d70aa)
+---
+ src/shared/specifier.c    | 4 ++++
+ src/test/test-unit-name.c | 3 ++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/shared/specifier.c b/src/shared/specifier.c
+index 1c17eb5251..81379041cc 100644
+--- a/src/shared/specifier.c
++++ b/src/shared/specifier.c
+@@ -107,6 +107,10 @@ int specifier_printf(const char *text, const Specifier table[], void *userdata,
+                         *(t++) = *f;
+         }
+ 
++        /* if string ended with a stray %, also end with % */
++        if (percent)
++                *(t++) = '%';
++
+         *t = 0;
+         *_ret = ret;
+         return 0;
+diff --git a/src/test/test-unit-name.c b/src/test/test-unit-name.c
+index 2fd83f321c..2af90c69ee 100644
+--- a/src/test/test-unit-name.c
++++ b/src/test/test-unit-name.c
+@@ -237,7 +237,8 @@ static int test_unit_printf(void) {
+         /* general tests */
+         expect(u, "%%", "%");
+         expect(u, "%%s", "%s");
+-        expect(u, "%", "");    // REALLY?
++        expect(u, "%,", "%,");
++        expect(u, "%", "%");
+ 
+         /* normal unit */
+         expect(u, "%n", "blah.service");

0089-string-util-use-size_t-for-strjoina-macro-6914.patch

@@ -0,0 +1,26 @@
+From 977a616317fec7199947de72103f9a9e9f6632d9 Mon Sep 17 00:00:00 2001
+From: Jonathan Lebon <jlebon@users.noreply.github.com>
+Date: Mon, 25 Sep 2017 15:56:57 -0400
+Subject: [PATCH] string-util: use size_t for strjoina macro (#6914)
+
+`strlen` returns a `size_t` and `alloca` expects a `size_t`.
+
+(cherry picked from commit 35207e259ef44f62faf71acc4bbc7d43311a4583)
+(cherry picked from commit 3c2e58887a5d9282670b3e41b6e584367a2bda18)
+---
+ src/basic/string-util.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/basic/string-util.h b/src/basic/string-util.h
+index be44dedff4..f8dde61549 100644
+--- a/src/basic/string-util.h
++++ b/src/basic/string-util.h
+@@ -120,7 +120,7 @@ char *strjoin_real(const char *x, ...) _sentinel_;
+         ({                                                              \
+                 const char *_appendees_[] = { a, __VA_ARGS__ };         \
+                 char *_d_, *_p_;                                        \
+-                int _len_ = 0;                                          \
++                size_t _len_ = 0;                                          \
+                 unsigned _i_;                                           \
+                 for (_i_ = 0; _i_ < ELEMENTSOF(_appendees_) && _appendees_[_i_]; _i_++) \
+                         _len_ += strlen(_appendees_[_i_]);              \

0090-resolved-fix-loop-on-packets-with-pseudo-dns-types.patch

@@ -0,0 +1,39 @@
+From 655ae23e5b73816fb7ebdc5dc61271cf8ffa0007 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 25 Oct 2017 11:19:19 +0200
+Subject: [PATCH] resolved: fix loop on packets with pseudo dns types
+
+Reported by Karim Hossen & Thomas Imbert from Sogeti ESEC R&D.
+
+https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1725351
+(cherry picked from commit 9f939335a07085aa9a9663efd1dca06ef6405d62)
+(cherry picked from commit 743b771c559c6101544f7358a42c8c519fe4b0db)
+(cherry picked from commit 1e20ca63e06337b95f4b0deedc062511d2ff31cc)
+---
+ src/resolve/resolved-dns-packet.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c
+index a486216d68..48615034e3 100644
+--- a/src/resolve/resolved-dns-packet.c
++++ b/src/resolve/resolved-dns-packet.c
+@@ -1495,7 +1495,7 @@ static int dns_packet_read_type_window(DnsPacket *p, Bitmap **types, size_t *sta
+ 
+                 found = true;
+ 
+-                while (bitmask) {
++                for (; bitmask; bit++, bitmask >>= 1)
+                         if (bitmap[i] & bitmask) {
+                                 uint16_t n;
+ 
+@@ -1509,10 +1509,6 @@ static int dns_packet_read_type_window(DnsPacket *p, Bitmap **types, size_t *sta
+                                 if (r < 0)
+                                         return r;
+                         }
+-
+-                        bit++;
+-                        bitmask >>= 1;
+-                }
+         }
+ 
+         if (!found)

0091-cryptsetup-generator-add-a-helper-utility-to-create-.patch

@@ -0,0 +1,144 @@
+From 6172788a3f90962b42564b5248f540b4cb729470 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Sun, 9 Jul 2017 23:31:47 -0400
+Subject: [PATCH] cryptsetup-generator: add a helper utility to create symlinks
+
+It seems that there's a common pattern among the various generators. Let's add
+a helper function for it and make use of it in cryptsetup-generator.
+
+This fixes a bunch of theoretical memleaks in error paths, since *to wasn't
+generally freed properly. Not thath it matters.
+
+(cherry picked from commit b559616f2321643c5194b474d39a722cefaf6059)
+(cherry picked from commit ea8cb69ee23cd67ef45ca34f1b192c9adb5fa878)
+---
+ src/cryptsetup/cryptsetup-generator.c | 53 ++++++++++-------------------------
+ src/shared/generator.c                | 15 ++++++++++
+ src/shared/generator.h                |  2 ++
+ 3 files changed, 32 insertions(+), 38 deletions(-)
+
+diff --git a/src/cryptsetup/cryptsetup-generator.c b/src/cryptsetup/cryptsetup-generator.c
+index f737f82b55..f10e9fdc24 100644
+--- a/src/cryptsetup/cryptsetup-generator.c
++++ b/src/cryptsetup/cryptsetup-generator.c
+@@ -58,11 +58,11 @@ static int create_disk(
+                 const char *password,
+                 const char *options) {
+ 
+-        _cleanup_free_ char *p = NULL, *n = NULL, *d = NULL, *u = NULL, *to = NULL, *e = NULL,
++        _cleanup_free_ char *p = NULL, *n = NULL, *d = NULL, *u = NULL, *e = NULL,
+                 *filtered = NULL;
+         _cleanup_fclose_ FILE *f = NULL;
++        const char *dmname;
+         bool noauto, nofail, tmp, swap;
+-        char *from;
+         int r;
+ 
+         assert(name);
+@@ -120,7 +120,7 @@ static int create_disk(
+         if (password) {
+                 if (STR_IN_SET(password, "/dev/urandom", "/dev/random", "/dev/hw_random"))
+                         fputs("After=systemd-random-seed.service\n", f);
+-                else if (!streq(password, "-") && !streq(password, "none")) {
++                else if (!STR_IN_SET(password, "-", "none")) {
+                         _cleanup_free_ char *uu;
+ 
+                         uu = fstab_node_to_udev_node(password);
+@@ -186,46 +186,23 @@ static int create_disk(
+         if (r < 0)
+                 return log_error_errno(r, "Failed to write file %s: %m", p);
+ 
+-        from = strjoina("../", n);
+-
+         if (!noauto) {
+-
+-                to = strjoin(arg_dest, "/", d, ".wants/", n);
+-                if (!to)
+-                        return log_oom();
+-
+-                mkdir_parents_label(to, 0755);
+-                if (symlink(from, to) < 0)
+-                        return log_error_errno(errno, "Failed to create symlink %s: %m", to);
+-
+-                free(to);
+-                if (!nofail)
+-                        to = strjoin(arg_dest, "/cryptsetup.target.requires/", n);
+-                else
+-                        to = strjoin(arg_dest, "/cryptsetup.target.wants/", n);
+-                if (!to)
+-                        return log_oom();
+-
+-                mkdir_parents_label(to, 0755);
+-                if (symlink(from, to) < 0)
+-                        return log_error_errno(errno, "Failed to create symlink %s: %m", to);
++                r = generator_add_symlink(arg_dest, d, "wants", n);
++                if (r < 0)
++                        return r;
++
++                r = generator_add_symlink(arg_dest, "cryptsetup.target",
++                                          nofail ? "wants" : "requires", n);
++                if (r < 0)
++                        return r;
+         }
+ 
+-        free(to);
+-        to = strjoin(arg_dest, "/dev-mapper-", e, ".device.requires/", n);
+-        if (!to)
+-                return log_oom();
+-
+-        mkdir_parents_label(to, 0755);
+-        if (symlink(from, to) < 0)
+-                return log_error_errno(errno, "Failed to create symlink %s: %m", to);
++        dmname = strjoina("dev-mapper-", e, ".device");
++        r = generator_add_symlink(arg_dest, dmname, "requires", n);
++        if (r < 0)
++                return r;
+ 
+         if (!noauto && !nofail) {
+-                _cleanup_free_ char *dmname;
+-                dmname = strjoin("dev-mapper-", e, ".device");
+-                if (!dmname)
+-                        return log_oom();
+-
+                 r = write_drop_in(arg_dest, dmname, 90, "device-timeout",
+                                   "# Automatically generated by systemd-cryptsetup-generator \n\n"
+                                   "[Unit]\nJobTimeoutSec=0");
+diff --git a/src/shared/generator.c b/src/shared/generator.c
+index 9a069b2f97..c01e9cb519 100644
+--- a/src/shared/generator.c
++++ b/src/shared/generator.c
+@@ -37,6 +37,21 @@
+ #include "unit-name.h"
+ #include "util.h"
+ 
++int generator_add_symlink(const char *root, const char *dst, const char *dep_type, const char *src) {
++        /* Adds a symlink from <dst>.<dep_type>.d/ to ../<src> */
++
++        const char *from, *to;
++
++        from = strjoina("../", src);
++        to = strjoina(root, "/", dst, ".", dep_type, "/", src);
++
++        mkdir_parents_label(to, 0755);
++        if (symlink(from, to) < 0)
++                return log_error_errno(errno, "Failed to create symlink \"%s\": %m", to);
++
++        return 0;
++}
++
+ static int write_fsck_sysroot_service(const char *dir, const char *what) {
+         _cleanup_free_ char *device = NULL, *escaped = NULL;
+         _cleanup_fclose_ FILE *f = NULL;
+diff --git a/src/shared/generator.h b/src/shared/generator.h
+index a6017c1b76..7bafda03f2 100644
+--- a/src/shared/generator.h
++++ b/src/shared/generator.h
+@@ -21,6 +21,8 @@
+ 
+ #include <stdio.h>
+ 
++int generator_add_symlink(const char *root, const char *dst, const char *dep_type, const char *src);
++
+ int generator_write_fsck_deps(
+         FILE *f,
+         const char *dir,

0092-units-order-cryptsetup-pre.target-before-cryptsetup..patch

@@ -0,0 +1,25 @@
+From 84838295cc120a2f5d7ebe2af246483c4d1aa82e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Tue, 5 Sep 2017 09:14:51 +0200
+Subject: [PATCH] units: order cryptsetup-pre.target before cryptsetup.target
+
+Normally this happens automatically, but if it happened that both targets were
+pulled in, even though there were no cryptsetup units, they could be started
+in reverse order, which would be somewhat confusing. Add an explicit ordering
+to avoid this potential issue.
+
+(cherry picked from commit 947d21171bdd8375db6482bc7d758d74b27f7dd4)
+(cherry picked from commit c55ccd92b9503bc074e6ffb07925f09024e9949d)
+---
+ units/cryptsetup-pre.target | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/units/cryptsetup-pre.target b/units/cryptsetup-pre.target
+index 65353419fc..42e35dd4e4 100644
+--- a/units/cryptsetup-pre.target
++++ b/units/cryptsetup-pre.target
+@@ -9,3 +9,4 @@
+ Description=Encrypted Volumes (Pre)
+ Documentation=man:systemd.special(7)
+ RefuseManualStart=yes
++Before=cryptsetup.target

0093-units-add-remote-cryptsetup.target-and-remote-crypts.patch

@@ -0,0 +1,139 @@
+From 7786edcaaf8d5c61586a154c4b0c7bc763ae75d8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Tue, 5 Sep 2017 10:15:13 +0200
+Subject: [PATCH] units: add remote-cryptsetup.target and
+ remote-cryptsetup-pre.target
+
+The pair is similar to remote-fs.target and remote-fs-pre.target. Any
+cryptsetup devices which require network shall be ordered after
+remote-cryptsetup-pre.target and before remote-cryptsetup.target.
+
+(cherry picked from commit 889128b8b27abb13e1691a72e4ce0562c564e257)
+(cherry picked from commit ca24b1e7731260a972af22387aad16e506dc1826)
+---
+ Makefile.am                        |  3 ++-
+ man/systemd.special.xml            | 23 +++++++++++++++++++++++
+ units/cryptsetup-pre.target        |  2 +-
+ units/cryptsetup.target            |  2 +-
+ units/remote-cryptsetup-pre.target | 15 +++++++++++++++
+ units/remote-cryptsetup.target     | 10 ++++++++++
+ 6 files changed, 52 insertions(+), 3 deletions(-)
+ create mode 100644 units/remote-cryptsetup-pre.target
+ create mode 100644 units/remote-cryptsetup.target
+
+diff --git a/Makefile.am b/Makefile.am
+index e97a66e0fa..3163e4bf67 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -4906,7 +4906,8 @@ systemgenerator_PROGRAMS += \
+ 
+ dist_systemunit_DATA += \
+ 	units/cryptsetup.target \
+-	units/cryptsetup-pre.target
++	units/cryptsetup-pre.target \
++	units/remote-cryptsetup.target
+ 
+ systemd_cryptsetup_SOURCES = \
+ 	src/cryptsetup/cryptsetup.c
+diff --git a/man/systemd.special.xml b/man/systemd.special.xml
+index fa3dc1c5d4..bb5cd5b49a 100644
+--- a/man/systemd.special.xml
++++ b/man/systemd.special.xml
+@@ -81,6 +81,8 @@
+     <filename>poweroff.target</filename>,
+     <filename>printer.target</filename>,
+     <filename>reboot.target</filename>,
++    <filename>remote-cryptsetup-pre.target</filename>,
++    <filename>remote-cryptsetup.target</filename>,
+     <filename>remote-fs-pre.target</filename>,
+     <filename>remote-fs.target</filename>,
+     <filename>rescue.target</filename>,
+@@ -450,6 +452,27 @@
+           this target unit, for compatibility with SysV.</para>
+         </listitem>
+       </varlistentry>
++      <varlistentry>
++        <term><filename>remote-cryptsetup-pre.target</filename></term>
++        <listitem>
++          <para>This target unit is automatically ordered before all cryptsetup devices
++          marked with the <option>_netdev</option>. It can be used to execute additional
++          units before such devices are set up.</para>
++
++          <para>It is ordered after <filename>network.target</filename> and
++          <filename>network-online.target</filename>, and also pulls the latter in as a
++          <varname>Wants=</varname> dependency.</para>
++        </listitem>
++      </varlistentry>
++      <varlistentry>
++        <term><filename>remote-cryptsetup.target</filename></term>
++        <listitem>
++          <para>Similar to <filename>cryptsetup.target</filename>, but for encrypted
++          devices which are accessed over the network. It is used for
++          <citerefentry><refentrytitle>crypttab</refentrytitle><manvolnum>8</manvolnum></citerefentry>
++          entries marked with <option>_netdev</option>.</para>
++        </listitem>
++      </varlistentry>
+       <varlistentry>
+         <term><filename>remote-fs.target</filename></term>
+         <listitem>
+diff --git a/units/cryptsetup-pre.target b/units/cryptsetup-pre.target
+index 42e35dd4e4..6cb28a61ae 100644
+--- a/units/cryptsetup-pre.target
++++ b/units/cryptsetup-pre.target
+@@ -6,7 +6,7 @@
+ #  (at your option) any later version.
+ 
+ [Unit]
+-Description=Encrypted Volumes (Pre)
++Description=Local Encrypted Volumes (Pre)
+ Documentation=man:systemd.special(7)
+ RefuseManualStart=yes
+ Before=cryptsetup.target
+diff --git a/units/cryptsetup.target b/units/cryptsetup.target
+index 25d3e33f6a..10b17fd387 100644
+--- a/units/cryptsetup.target
++++ b/units/cryptsetup.target
+@@ -6,5 +6,5 @@
+ #  (at your option) any later version.
+ 
+ [Unit]
+-Description=Encrypted Volumes
++Description=Local Encrypted Volumes
+ Documentation=man:systemd.special(7)
+diff --git a/units/remote-cryptsetup-pre.target b/units/remote-cryptsetup-pre.target
+new file mode 100644
+index 0000000000..a375e61889
+--- /dev/null
++++ b/units/remote-cryptsetup-pre.target
+@@ -0,0 +1,15 @@
++#  This file is part of systemd.
++#
++#  systemd is free software; you can redistribute it and/or modify it
++#  under the terms of the GNU Lesser General Public License as published by
++#  the Free Software Foundation; either version 2.1 of the License, or
++#  (at your option) any later version.
++
++[Unit]
++Description=Remote Encrypted Volumes (Pre)
++Documentation=man:systemd.special(7)
++RefuseManualStart=yes
++Before=remote-cryptsetup.target
++
++After=network.target network-online.target
++Wants=network-online.target
+diff --git a/units/remote-cryptsetup.target b/units/remote-cryptsetup.target
+new file mode 100644
+index 0000000000..60943bd1cb
+--- /dev/null
++++ b/units/remote-cryptsetup.target
+@@ -0,0 +1,10 @@
++#  This file is part of systemd.
++#
++#  systemd is free software; you can redistribute it and/or modify it
++#  under the terms of the GNU Lesser General Public License as published by
++#  the Free Software Foundation; either version 2.1 of the License, or
++#  (at your option) any later version.
++
++[Unit]
++Description=Remote Encrypted Volumes
++Documentation=man:systemd.special(7)

0094-cryptsetup-generator-use-remote-cryptsetup.target-wh.patch

@@ -0,0 +1,107 @@
+From ee2deebc855d1db93b89000f3524b4e22e5d0d71 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Tue, 5 Sep 2017 11:30:33 +0200
+Subject: [PATCH] cryptsetup-generator: use remote-cryptsetup.target when
+ _netdev is present
+
+This allows such devices to depend on the network. Their startup will
+be delayed similarly to network mount units.
+
+Fixes #4642.
+
+(cherry picked from commit b001ad61e91b6499897f0c977045c7608c233bfa)
+(cherry picked from commit 8f21747f369f6d88768d1409d95527c60f2cd7c7)
+---
+ man/crypttab.xml                      | 13 +++++++++++++
+ src/cryptsetup/cryptsetup-generator.c | 30 +++++++++++++++++-------------
+ 2 files changed, 30 insertions(+), 13 deletions(-)
+
+diff --git a/man/crypttab.xml b/man/crypttab.xml
+index 17976f3704..162377ebc1 100644
+--- a/man/crypttab.xml
++++ b/man/crypttab.xml
+@@ -213,6 +213,19 @@
+         <option>size=</option>.</para></listitem>
+       </varlistentry>
+ 
++      <varlistentry>
++        <term><option>_netdev</option></term>
++
++        <listitem><para>Marks this cryptsetup device as requiring network. It will be
++        started after the network is available, similarly to
++        <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
++        units marked with <option>_netdev</option>. The service unit to set up this device
++        will be ordered between <filename>remote-cryptsetup-pre.target</filename> and
++        <filename>remote-cryptsetup.target</filename>, instead of
++        <filename>cryptsetup-pre.target</filename> and
++        <filename>cryptsetup.target</filename>.</para></listitem>
++      </varlistentry>
++
+       <varlistentry>
+         <term><option>noauto</option></term>
+ 
+diff --git a/src/cryptsetup/cryptsetup-generator.c b/src/cryptsetup/cryptsetup-generator.c
+index f10e9fdc24..7d3f480a2a 100644
+--- a/src/cryptsetup/cryptsetup-generator.c
++++ b/src/cryptsetup/cryptsetup-generator.c
+@@ -62,7 +62,7 @@ static int create_disk(
+                 *filtered = NULL;
+         _cleanup_fclose_ FILE *f = NULL;
+         const char *dmname;
+-        bool noauto, nofail, tmp, swap;
++        bool noauto, nofail, tmp, swap, netdev;
+         int r;
+ 
+         assert(name);
+@@ -72,6 +72,7 @@ static int create_disk(
+         nofail = fstab_test_yes_no_option(options, "nofail\0" "fail\0");
+         tmp = fstab_test_option(options, "tmp\0");
+         swap = fstab_test_option(options, "swap\0");
++        netdev = fstab_test_option(options, "_netdev\0");
+ 
+         if (tmp && swap) {
+                 log_error("Device '%s' cannot be both 'tmp' and 'swap'. Ignoring.", name);
+@@ -102,20 +103,22 @@ static int create_disk(
+         if (!f)
+                 return log_error_errno(errno, "Failed to create unit file %s: %m", p);
+ 
+-        fputs("# Automatically generated by systemd-cryptsetup-generator\n\n"
+-              "[Unit]\n"
+-              "Description=Cryptography Setup for %I\n"
+-              "Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)\n"
+-              "SourcePath=/etc/crypttab\n"
+-              "DefaultDependencies=no\n"
+-              "Conflicts=umount.target\n"
+-              "IgnoreOnIsolate=true\n"
+-              "After=cryptsetup-pre.target\n",
+-              f);
++        fprintf(f,
++                "# Automatically generated by systemd-cryptsetup-generator\n\n"
++                "[Unit]\n"
++                "Description=Cryptography Setup for %%I\n"
++                "Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)\n"
++                "SourcePath=/etc/crypttab\n"
++                "DefaultDependencies=no\n"
++                "Conflicts=umount.target\n"
++                "IgnoreOnIsolate=true\n"
++                "After=%s\n",
++                netdev ? "remote-cryptsetup-pre.target" : "cryptsetup-pre.target");
+ 
+         if (!nofail)
+                 fprintf(f,
+-                        "Before=cryptsetup.target\n");
++                        "Before=%s\n",
++                        netdev ? "remote-cryptsetup.target" : "cryptsetup.target");
+ 
+         if (password) {
+                 if (STR_IN_SET(password, "/dev/urandom", "/dev/random", "/dev/hw_random"))
+@@ -191,7 +194,8 @@ static int create_disk(
+                 if (r < 0)
+                         return r;
+ 
+-                r = generator_add_symlink(arg_dest, "cryptsetup.target",
++                r = generator_add_symlink(arg_dest,
++                                          netdev ? "remote-cryptsetup.target" : "cryptsetup.target",
+                                           nofail ? "wants" : "requires", n);
+                 if (r < 0)
+                         return r;

0095-units-add-Install-section-to-remote-cryptsetup.targe.patch

@@ -0,0 +1,45 @@
+From a27db12a63b3bbb220798ec899fc8c97eb4d52b4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Thu, 12 Oct 2017 22:13:03 +0200
+Subject: [PATCH] units: add [Install] section to remote-cryptsetup.target
+
+This makes this target the same as remote-fs.target in this regard. In practice
+it probably doesn't make that much difference, because all encrypted devices
+that are part of remote-fs.target (marked with _netdev) will be used for mount
+points, so they will be pulled in anyway individually, but with this change any
+such device will be configured, even if it is not pulled by any other unit.
+
+(cherry picked from commit 8f462b074eb9830d6d5029f70c9010ce50e68357)
+(cherry picked from commit eaaa52cc40bc7f94762ca622d4bd3e9440ccee90)
+(cherry picked from commit e937bdf0271e664ede61fafd74f8487334745d01)
+---
+ system-preset/90-systemd.preset | 1 +
+ units/remote-cryptsetup.target  | 6 ++++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/system-preset/90-systemd.preset b/system-preset/90-systemd.preset
+index 3ba4bb760d..98bc4c3c55 100644
+--- a/system-preset/90-systemd.preset
++++ b/system-preset/90-systemd.preset
+@@ -9,6 +9,7 @@
+ # generally follow a default-off policy.
+ 
+ enable remote-fs.target
++enable remote-cryptsetup.target
+ enable machines.target
+ 
+ enable getty@.service
+diff --git a/units/remote-cryptsetup.target b/units/remote-cryptsetup.target
+index 60943bd1cb..c306d521f7 100644
+--- a/units/remote-cryptsetup.target
++++ b/units/remote-cryptsetup.target
+@@ -8,3 +8,9 @@
+ [Unit]
+ Description=Remote Encrypted Volumes
+ Documentation=man:systemd.special(7)
++After=remote-cryptsetup-pre.target
++DefaultDependencies=no
++Conflicts=shutdown.target
++
++[Install]
++WantedBy=multi-user.target

0096-units-replace-remote-cryptsetup-pre.target-with-remo.patch

@@ -0,0 +1,138 @@
+From 5c80b45d6dff40e8280973d248e4eba6991b5cbe Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Thu, 12 Oct 2017 22:34:54 +0200
+Subject: [PATCH] units: replace remote-cryptsetup-pre.target with
+ remote-fs-pre.target
+
+remote-cryptsetup-pre.target was designed as an active unit (that pulls in
+network-online.target), the opposite of remote-fs-pre.target (a passive unit,
+with individual provider services ordering itself before it and pulling it in,
+for example iscsi.service and nfs-client.target).
+
+To make remote-cryptsetup-pre.target really work, those services should be
+ordered before it too. But this would require updates to all those services,
+not just changes from systemd side.
+
+But the requirements for remote-fs-pre.target and remote-cryptset-pre.target
+are fairly similar (e.g. iscsi devices can certainly be used for both), so
+let's reuse remote-fs-pre.target also for remote cryptsetup units. This loses
+a bit of flexibility, but does away with the requirement for various provider
+services to know about remote-cryptsetup-pre.target.
+
+(cherry picked from commit a0dd209763f9e67054ee322a2dfd52bccf345c2e)
+(cherry picked from commit c5e8935962eadc9e901f4fe13e187aaaad487142)
+(cherry picked from commit e4340effce763b111fc14a64f759beef6ed3a276)
+---
+ man/crypttab.xml                      |  2 +-
+ man/systemd.special.xml               | 20 ++++----------------
+ src/cryptsetup/cryptsetup-generator.c |  2 +-
+ units/remote-cryptsetup-pre.target    | 15 ---------------
+ units/remote-cryptsetup.target        |  2 +-
+ 5 files changed, 7 insertions(+), 34 deletions(-)
+ delete mode 100644 units/remote-cryptsetup-pre.target
+
+diff --git a/man/crypttab.xml b/man/crypttab.xml
+index 162377ebc1..239bbfa87d 100644
+--- a/man/crypttab.xml
++++ b/man/crypttab.xml
+@@ -220,7 +220,7 @@
+         started after the network is available, similarly to
+         <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+         units marked with <option>_netdev</option>. The service unit to set up this device
+-        will be ordered between <filename>remote-cryptsetup-pre.target</filename> and
++        will be ordered between <filename>remote-fs-pre.target</filename> and
+         <filename>remote-cryptsetup.target</filename>, instead of
+         <filename>cryptsetup-pre.target</filename> and
+         <filename>cryptsetup.target</filename>.</para></listitem>
+diff --git a/man/systemd.special.xml b/man/systemd.special.xml
+index bb5cd5b49a..7f7003e782 100644
+--- a/man/systemd.special.xml
++++ b/man/systemd.special.xml
+@@ -81,7 +81,6 @@
+     <filename>poweroff.target</filename>,
+     <filename>printer.target</filename>,
+     <filename>reboot.target</filename>,
+-    <filename>remote-cryptsetup-pre.target</filename>,
+     <filename>remote-cryptsetup.target</filename>,
+     <filename>remote-fs-pre.target</filename>,
+     <filename>remote-fs.target</filename>,
+@@ -452,18 +451,6 @@
+           this target unit, for compatibility with SysV.</para>
+         </listitem>
+       </varlistentry>
+-      <varlistentry>
+-        <term><filename>remote-cryptsetup-pre.target</filename></term>
+-        <listitem>
+-          <para>This target unit is automatically ordered before all cryptsetup devices
+-          marked with the <option>_netdev</option>. It can be used to execute additional
+-          units before such devices are set up.</para>
+-
+-          <para>It is ordered after <filename>network.target</filename> and
+-          <filename>network-online.target</filename>, and also pulls the latter in as a
+-          <varname>Wants=</varname> dependency.</para>
+-        </listitem>
+-      </varlistentry>
+       <varlistentry>
+         <term><filename>remote-cryptsetup.target</filename></term>
+         <listitem>
+@@ -864,9 +851,10 @@
+         <term><filename>remote-fs-pre.target</filename></term>
+         <listitem>
+           <para>This target unit is automatically ordered before all
+-          remote mount point units (see above). It can be used to run
+-          certain units before the remote mounts are established. Note
+-          that this unit is generally not part of the initial
++          mount point units (see above) and cryptsetup devices
++          marked with the <option>_netdev</option>. It can be used to run
++          certain units before remote encrypted devices and mounts are established.
++          Note that this unit is generally not part of the initial
+           transaction, unless the unit that wants to be ordered before
+           all remote mounts pulls it in via a
+           <varname>Wants=</varname> type dependency. If the unit wants
+diff --git a/src/cryptsetup/cryptsetup-generator.c b/src/cryptsetup/cryptsetup-generator.c
+index 7d3f480a2a..0c30867c49 100644
+--- a/src/cryptsetup/cryptsetup-generator.c
++++ b/src/cryptsetup/cryptsetup-generator.c
+@@ -113,7 +113,7 @@ static int create_disk(
+                 "Conflicts=umount.target\n"
+                 "IgnoreOnIsolate=true\n"
+                 "After=%s\n",
+-                netdev ? "remote-cryptsetup-pre.target" : "cryptsetup-pre.target");
++                netdev ? "remote-fs-pre.target" : "cryptsetup-pre.target");
+ 
+         if (!nofail)
+                 fprintf(f,
+diff --git a/units/remote-cryptsetup-pre.target b/units/remote-cryptsetup-pre.target
+deleted file mode 100644
+index a375e61889..0000000000
+--- a/units/remote-cryptsetup-pre.target
++++ /dev/null
+@@ -1,15 +0,0 @@
+-#  This file is part of systemd.
+-#
+-#  systemd is free software; you can redistribute it and/or modify it
+-#  under the terms of the GNU Lesser General Public License as published by
+-#  the Free Software Foundation; either version 2.1 of the License, or
+-#  (at your option) any later version.
+-
+-[Unit]
+-Description=Remote Encrypted Volumes (Pre)
+-Documentation=man:systemd.special(7)
+-RefuseManualStart=yes
+-Before=remote-cryptsetup.target
+-
+-After=network.target network-online.target
+-Wants=network-online.target
+diff --git a/units/remote-cryptsetup.target b/units/remote-cryptsetup.target
+index c306d521f7..d485b06726 100644
+--- a/units/remote-cryptsetup.target
++++ b/units/remote-cryptsetup.target
+@@ -8,7 +8,7 @@
+ [Unit]
+ Description=Remote Encrypted Volumes
+ Documentation=man:systemd.special(7)
+-After=remote-cryptsetup-pre.target
++After=remote-fs-pre.target
+ DefaultDependencies=no
+ Conflicts=shutdown.target
+ 

0097-man-add-a-note-about-_netdev-usage.patch

@@ -0,0 +1,42 @@
+From 2832dc102f81e5206c1213aef7c7b9aceaac20e2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Thu, 12 Oct 2017 22:43:58 +0200
+Subject: [PATCH] man: add a note about _netdev usage
+
+(cherry picked from commit 288c26165e0ff71857394f360f42432bc808556f)
+(cherry picked from commit 51f2176d0df1088407afbadc138aeaa9dbe017e8)
+(cherry picked from commit 3557377795afb0410c703707633dd5ad589fdd11)
+---
+ man/crypttab.xml | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/man/crypttab.xml b/man/crypttab.xml
+index 239bbfa87d..88f8909a60 100644
+--- a/man/crypttab.xml
++++ b/man/crypttab.xml
+@@ -223,7 +223,16 @@
+         will be ordered between <filename>remote-fs-pre.target</filename> and
+         <filename>remote-cryptsetup.target</filename>, instead of
+         <filename>cryptsetup-pre.target</filename> and
+-        <filename>cryptsetup.target</filename>.</para></listitem>
++        <filename>cryptsetup.target</filename>.</para>
++
++        <para>Hint: if this device is used for a mount point that is specified in
++        <citerefentry project='man-pages'><refentrytitle>fstab</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
++        the <option>_netdev</option> option should also be used for the mount
++        point. Otherwise, a dependency loop might be created where the mount point
++        will be pulled in by <filename>local-fs.target</filename>, while the
++        service to configure the network is usually only started <emphasis>after</emphasis>
++        the local file system has been mounted.</para>
++        </listitem>
+       </varlistentry>
+ 
+       <varlistentry>
+@@ -431,6 +440,7 @@ hidden     /mnt/tc_hidden  /dev/null    tcrypt-hidden,tcrypt-keyfile=/etc/keyfil
+       <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+       <citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+       <citerefentry><refentrytitle>systemd-cryptsetup-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
++      <citerefentry project='man-pages'><refentrytitle>fstab</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+       <citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+       <citerefentry project='man-pages'><refentrytitle>mkswap</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+       <citerefentry project='man-pages'><refentrytitle>mke2fs</refentrytitle><manvolnum>8</manvolnum></citerefentry>