diff --git a/0001-generator-setup-use-RET_GATHER.patch b/0001-generator-setup-use-RET_GATHER.patch
new file mode 100644
index 0000000..220b210
--- /dev/null
+++ b/0001-generator-setup-use-RET_GATHER.patch
@@ -0,0 +1,42 @@
+From 89713133365b14634ed3f7e2812d4ddc17be0390 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Wed, 29 May 2024 11:45:50 +0200
+Subject: [PATCH 1/3] generator-setup: use RET_GATHER()
+
+---
+ src/core/generator-setup.c | 12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+diff --git a/src/core/generator-setup.c b/src/core/generator-setup.c
+index 00d6ad61fa..b16211e8f4 100644
+--- a/src/core/generator-setup.c
++++ b/src/core/generator-setup.c
+@@ -8,7 +8,7 @@
+ #include "rm-rf.h"
+
+ int lookup_paths_mkdir_generator(LookupPaths *p) {
+- int r, q;
++ int r;
+
+ assert(p);
+
+@@ -16,14 +16,8 @@ int lookup_paths_mkdir_generator(LookupPaths *p) {
+ return -EINVAL;
+
+ r = mkdir_p_label(p->generator, 0755);
+-
+- q = mkdir_p_label(p->generator_early, 0755);
+- if (q < 0 && r >= 0)
+- r = q;
+-
+- q = mkdir_p_label(p->generator_late, 0755);
+- if (q < 0 && r >= 0)
+- r = q;
++ RET_GATHER(r, mkdir_p_label(p->generator_early, 0755));
++ RET_GATHER(r, mkdir_p_label(p->generator_late, 0755));
+
+ return r;
+ }
+--
+2.45.0
+
diff --git a/0002-exec-util-use-the-stdio-array-of-safe_fork_full-wher.patch b/0002-exec-util-use-the-stdio-array-of-safe_fork_full-wher.patch
new file mode 100644
index 0000000..ae26e94
--- /dev/null
+++ b/0002-exec-util-use-the-stdio-array-of-safe_fork_full-wher.patch
@@ -0,0 +1,71 @@
+From 064e901cb34b1a3dddbbe98595a2731bb85c4424 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Wed, 29 May 2024 11:46:51 +0200
+Subject: [PATCH 2/3] exec-util: use the stdio array of safe_fork_full() where
+ appropriate
+
+---
+ src/shared/exec-util.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/src/shared/exec-util.c b/src/shared/exec-util.c
+index 1c7b14d98d..dc0974572f 100644
+--- a/src/shared/exec-util.c
++++ b/src/shared/exec-util.c
+@@ -36,27 +36,35 @@
+ /* Put this test here for a lack of better place */
+ assert_cc(EAGAIN == EWOULDBLOCK);
+
+-static int do_spawn(const char *path, char *argv[], int stdout_fd, pid_t *pid, bool set_systemd_exec_pid) {
+- pid_t _pid;
++static int do_spawn(
++ const char *path,
++ char *argv[],
++ int stdout_fd,
++ pid_t *ret_pid,
++ bool set_systemd_exec_pid) {
++
+ int r;
+
++ assert(path);
++ assert(ret_pid);
++
+ if (null_or_empty_path(path) > 0) {
+ log_debug("%s is empty (a mask).", path);
+ return 0;
+ }
+
+- r = safe_fork("(direxec)", FORK_DEATHSIG_SIGTERM|FORK_LOG|FORK_RLIMIT_NOFILE_SAFE, &_pid);
++ pid_t pid;
++ r = safe_fork_full(
++ "(direxec)",
++ (const int[]) { STDIN_FILENO, stdout_fd < 0 ? STDOUT_FILENO : stdout_fd, STDERR_FILENO },
++ /* except_fds= */ NULL, /* n_except_fds= */ 0,
++ FORK_DEATHSIG_SIGTERM|FORK_LOG|FORK_RLIMIT_NOFILE_SAFE|FORK_REARRANGE_STDIO,
++ &pid);
+ if (r < 0)
+ return r;
+ if (r == 0) {
+ char *_argv[2];
+
+- if (stdout_fd >= 0) {
+- r = rearrange_stdio(STDIN_FILENO, TAKE_FD(stdout_fd), STDERR_FILENO);
+- if (r < 0)
+- _exit(EXIT_FAILURE);
+- }
+-
+ if (set_systemd_exec_pid) {
+ r = setenv_systemd_exec_pid(false);
+ if (r < 0)
+@@ -75,7 +83,7 @@ static int do_spawn(const char *path, char *argv[], int stdout_fd, pid_t *pid, b
+ _exit(EXIT_FAILURE);
+ }
+
+- *pid = _pid;
++ *ret_pid = pid;
+ return 1;
+ }
+
+--
+2.45.0
+
diff --git a/0003-exec-util-make-sure-to-close-all-fds-for-invoked-gen.patch b/0003-exec-util-make-sure-to-close-all-fds-for-invoked-gen.patch
new file mode 100644
index 0000000..d2d95ac
--- /dev/null
+++ b/0003-exec-util-make-sure-to-close-all-fds-for-invoked-gen.patch
@@ -0,0 +1,28 @@
+From 8263be4e65e565d8abb1d00f1c0e6ca9af44a4d1 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Wed, 29 May 2024 11:50:54 +0200
+Subject: [PATCH 3/3] exec-util: make sure to close all fds for invoked
+ generators
+
+We should really have set O_CLOEXEC for all our fds, but better be safe
+than sorry.
+---
+ src/shared/exec-util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/shared/exec-util.c b/src/shared/exec-util.c
+index dc0974572f..ac1c150ab1 100644
+--- a/src/shared/exec-util.c
++++ b/src/shared/exec-util.c
+@@ -58,7 +58,7 @@ static int do_spawn(
+ "(direxec)",
+ (const int[]) { STDIN_FILENO, stdout_fd < 0 ? STDOUT_FILENO : stdout_fd, STDERR_FILENO },
+ /* except_fds= */ NULL, /* n_except_fds= */ 0,
+- FORK_DEATHSIG_SIGTERM|FORK_LOG|FORK_RLIMIT_NOFILE_SAFE|FORK_REARRANGE_STDIO,
++ FORK_DEATHSIG_SIGTERM|FORK_LOG|FORK_RLIMIT_NOFILE_SAFE|FORK_REARRANGE_STDIO|FORK_CLOSE_ALL_FDS,
+ &pid);
+ if (r < 0)
+ return r;
+--
+2.45.0
+
diff --git a/systemd.spec b/systemd.spec
index dc9782c..ba0c1d6 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -106,11 +106,15 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[
# Reverts https://github.com/systemd/systemd/commit/5b44c81ff868a4d1b78a74e4770f7a8b2f1d0f91.
Patch0001: 0001-Revert-machined-add-varlink-interface-for-registerin.patch
+Patch0002: 0001-generator-setup-use-RET_GATHER.patch
+Patch0003: 0002-exec-util-use-the-stdio-array-of-safe_fork_full-wher.patch
+Patch0004: 0003-exec-util-make-sure-to-close-all-fds-for-invoked-gen.patch
+
%if 0%{?fedora} < 41
# Work-around for dracut issue: run generators directly when we are in initrd
# https://bugzilla.redhat.com/show_bug.cgi?id=2164404
# Drop when dracut-060 is available.
-Patch0002: https://github.com/systemd/systemd/pull/26494.patch
+Patch0010: https://github.com/systemd/systemd/pull/26494.patch
%endif
# Those are downstream-only patches, but we don't want them in packit builds: