diff -Nru systemd-248.3/debian/changelog systemd-248.3/debian/changelog
--- systemd-248.3/debian/changelog 2022-01-09 23:07:51.000000000 -0500
+++ systemd-248.3/debian/changelog 2022-04-01 16:39:25.000000000 -0400
@@ -1,3 +1,33 @@
+systemd (248.3-1ubuntu8.5) impish; urgency=medium
+
+ * debian/tests/boot-and-services: Ignore failed snap mount units in test_no_failed (LP: #1967576)
+
+ -- Nick Rosbrook Fri, 01 Apr 2022 16:39:25 -0400
+
+systemd (248.3-1ubuntu8.4) impish; urgency=medium
+
+ [ Lukas Märdian ]
+ * Fix deadlock between pid1 and dbus-daemon (LP: #1871538)
+ Author: Lukas Märdian
+ File: debian/patches/pid1-set-SYSTEMD_NSS_DYNAMIC_BYPASS-1-env-var-for-dbus-da.patch
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=f79535077473902bad911dc2652a2fff4066fa30
+ * Don't override Ubuntu's default sysctl values (LP: #1962038)
+ Author: Lukas Märdian
+ File: debian/patches/debian/UBUNTU-Don-t-override-Ubuntu-s-default-sysctl-values-LP-1962038.patch
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=3ba2764d8f77e616461c9722923f685fad79f8c6
+
+ -- Nick Rosbrook Wed, 23 Mar 2022 13:02:23 -0400
+
+systemd (248.3-1ubuntu8.3) impish; urgency=medium
+
+ [ Jeremy Szu ]
+ * Add a allowlist to unblock intel-hid on new HP machines (LP: #1955997)
+ Author: Jeremy Szu
+ File: debian/patches/lp1955997-add-a-allowlist-to-unblock-intel-hid-on-HP-mach.patch
+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=554d46e6a6ab80befd424ead7ffa8e6f993b5f66
+
+ -- Lukas Märdian Tue, 08 Feb 2022 17:59:43 +0100
+
 systemd (248.3-1ubuntu8.2) impish-security; urgency=medium
 
 * SECURITY UPDATE: systemd-tmpfiles could be made to crash.
diff -Nru systemd-248.3/debian/patches/debian/UBUNTU-Don-t-override-Ubuntu-s-default-sysctl-values-LP-1962038.patch systemd-248.3/debian/patches/debian/UBUNTU-Don-t-override-Ubuntu-s-default-sysctl-values-LP-1962038.patch
--- systemd-248.3/debian/patches/debian/UBUNTU-Don-t-override-Ubuntu-s-default-sysctl-values-LP-1962038.patch 1969-12-31 19:00:00.000000000 -0500
+++ systemd-248.3/debian/patches/debian/UBUNTU-Don-t-override-Ubuntu-s-default-sysctl-values-LP-1962038.patch 2022-03-30 15:45:03.000000000 -0400
@@ -0,0 +1,30 @@
+From: =?utf-8?q?Lukas_M=C3=A4rdian?=
+Date: Fri, 25 Feb 2022 12:01:25 +0100
+Subject: Don't override Ubuntu's default sysctl values (LP: #1962038)
+
+---
+ sysctl.d/50-default.conf | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf
+index f41e24b..ea442a8 100644
+--- a/sysctl.d/50-default.conf
++++ b/sysctl.d/50-default.conf
+@@ -16,7 +16,7 @@
+ # Use kernel.sysrq = 1 to allow all keys.
+ # See https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html for a list
+ # of values and keys.
+-kernel.sysrq = 16
++#kernel.sysrq = 16 # Ubuntu uses /etc/sysctl.d/10-magic-sysrq.conf
+
+ # Append the PID to the core filename
+ kernel.core_uses_pid = 1
+@@ -24,7 +24,7 @@ kernel.core_uses_pid = 1
+ # Source route verification
+ net.ipv4.conf.default.rp_filter = 2
+ net.ipv4.conf.*.rp_filter = 2
+--net.ipv4.conf.all.rp_filter
++#-net.ipv4.conf.all.rp_filter # Ubuntu uses /etc/sysctl.d/10-network-security.conf
+
+ # Do not accept source routing
+ net.ipv4.conf.default.accept_source_route = 0
diff -Nru systemd-248.3/debian/patches/lp1955997-add-a-allowlist-to-unblock-intel-hid-on-HP-mach.patch systemd-248.3/debian/patches/lp1955997-add-a-allowlist-to-unblock-intel-hid-on-HP-mach.patch
--- systemd-248.3/debian/patches/lp1955997-add-a-allowlist-to-unblock-intel-hid-on-HP-mach.patch 1969-12-31 19:00:00.000000000 -0500
+++ systemd-248.3/debian/patches/lp1955997-add-a-allowlist-to-unblock-intel-hid-on-HP-mach.patch 2022-04-01 15:17:06.000000000 -0400
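Review bot: Commenting out `-net.ipv4.conf.all.rp_filter` in the second inner hunk does more than stop overriding Ubuntu's value: as I read sysctl.d(5), a `-`-prefixed key with no `=` excludes that key from glob matching, so once it is gone the `net.ipv4.conf.*.rp_filter = 2` line two lines above starts setting `net.ipv4.conf.all.rp_filter` as well. Because 50-default.conf sorts after 10-network-security.conf, whatever an administrator puts for that key in the Ubuntu file is then overridden by this glob, which is the very situation the patch title says it avoids. Keeping the exclusion line unchanged, `-net.ipv4.conf.all.rp_filter`, leaves `all` to the Ubuntu file; if dropping it is intended, the trailing `# Ubuntu uses ...` comment should say that the glob now covers `all`.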
@@ -0,0 +1,30 @@
+From: Jeremy Szu
+Date: Tue, 8 Feb 2022 17:22:15 +0100
+Subject: lp1955997: add a allowlist to unblock intel-hid on HP machines
+
+For LP: #1955997, HP retired hp-wireless since 2022 and also confirmed the
+correct source should be intel-hid instead of atkbd. Upstream already unblock
+intel-hid on HP machines but it's risky to backport to stable series because
+of pre-2022 machines.
+I propose to maintain a allowlist on impish. For jammy, please refer to
+LP: #1955997 for more details
+---
+ hwdb.d/60-keyboard.hwdb | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hwdb.d/60-keyboard.hwdb b/hwdb.d/60-keyboard.hwdb
+index 22f06c5..3a9705b 100644
+--- a/hwdb.d/60-keyboard.hwdb
++++ b/hwdb.d/60-keyboard.hwdb
+@@ -501,6 +501,11 @@ evdev:input:b0003v0458p0708*
+ evdev:name:Intel HID events:dmi:bvn*:bvr*:bd*:svnHP*:pn*:*
+ KEYBOARD_KEY_8=unknown # Use hp-wireless instead
+
++# The allowlist to unblock intel-hid on HP machines.
++evdev:name:Intel HID events:dmi:bvn*:bvr*:bd*:svnHP*:pnHPZBookFury16inchG9MobileWorkstationPC:pvr*
++evdev:name:Intel HID events:dmi:bvn*:bvr*:bd*:svnHP*:pnHPZBookStudio16.0InchMobileWorkstationPC:pvr*
++ KEYBOARD_KEY_8=wlan
++
+ evdev:atkbd:dmi:bvn*:bvr*:bd*:svnHewlett-Packard*:pn*:*
+ evdev:atkbd:dmi:bvn*:bvr*:bd*:svnHP*:pn*:*
+ KEYBOARD_KEY_81=fn_esc
diff -Nru systemd-248.3/debian/patches/pid1-set-SYSTEMD_NSS_DYNAMIC_BYPASS-1-env-var-for-dbus-da.patch systemd-248.3/debian/patches/pid1-set-SYSTEMD_NSS_DYNAMIC_BYPASS-1-env-var-for-dbus-da.patch
--- systemd-248.3/debian/patches/pid1-set-SYSTEMD_NSS_DYNAMIC_BYPASS-1-env-var-for-dbus-da.patch 1969-12-31 19:00:00.000000000 -0500
+++ systemd-248.3/debian/patches/pid1-set-SYSTEMD_NSS_DYNAMIC_BYPASS-1-env-var-for-dbus-da.patch 2022-04-01 15:17:06.000000000 -0400
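Review bot: The new allowlist block only works because it sits below the generic `svnHP*:pn*` record that maps `KEYBOARD_KEY_8=unknown`; if, as I understand sd-hwdb, the last matching record wins for a property, moving the block above that record would silently re-break these two models. The one-line comment should record that dependency and the bug it serves, e.g. `# LP: #1955997 — allowlist to unblock intel-hid on HP machines; must stay below the generic svnHP* record above, whose KEYBOARD_KEY_8=unknown it overrides.`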
@@ -0,0 +1,91 @@
+From: Lennart Poettering
+Date: Thu, 17 Feb 2022 14:49:54 +0100
+Subject: pid1: set SYSTEMD_NSS_DYNAMIC_BYPASS=1 env var for dbus-daemon
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+There's currently a deadlock between PID 1 and dbus-daemon: in some
+cases dbus-daemon will do NSS lookups (which are blocking) at the same
+time PID 1 synchronously blocks on some call to dbus-daemon. Let's break
+that by setting SYSTEMD_NSS_DYNAMIC_BYPASS=1 env var for dbus-daemon,
+which will disable synchronously blocking varlink calls from nss-systemd
+to PID 1.
+
+In the long run we should fix this differently: remove all synchronous
+calls to dbus-daemon from PID 1. This is not trivial however: so far we
+had the rule that synchronous calls from PID 1 to the dbus broker are OK
+as long as they only go to interfaces implemented by the broke itself
+rather than services reachable through it. Given that the relationship
+between PID 1 and dbus is kinda special anyway, this was considered
+acceptable for the sake of simplicity, since we quite often need
+metadata about bus peers from the broker, and the asynchronous logic
+would substantially complicate even the simplest method handlers.
+
+This mostly reworks the existing code that sets SYSTEMD_NSS_BYPASS_BUS=
+(which is a similar hack to deal with deadlocks between nss-systemd and
+dbus-daemon itself) to set SYSTEMD_NSS_DYNAMIC_BYPASS=1 instead. No code
+was checking SYSTEMD_NSS_BYPASS_BUS= anymore anyway, and it used to
+solve a similar problem, hence it's an obvious piece of code to rework
+like this.
+
+Issue originally tracked down by Lukas Märdian. This patch is inspired
+and closely based on his patch:
+
+ https://github.com/systemd/systemd/pull/22038
+
+Fixes: #15316
+Co-authored-by: Lukas Märdian
+---
+ src/core/execute.c | 10 +++++-----
+ src/core/execute.h | 2 +-
+ src/core/service.c | 2 +-
+ 3 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/core/execute.c b/src/core/execute.c
+index ca40874..b8d1ae4 100644
+--- a/src/core/execute.c
++++ b/src/core/execute.c
+@@ -1829,11 +1829,11 @@ static int build_environment(
+ our_env[n_env++] = x;
+ }
+
+- /* If this is D-Bus, tell the nss-systemd module, since it relies on being able to use D-Bus look up dynamic
+- * users via PID 1, possibly dead-locking the dbus daemon. This way it will not use D-Bus to resolve names, but
+- * check the database directly. */
+- if (p->flags & EXEC_NSS_BYPASS_BUS) {
+- x = strdup("SYSTEMD_NSS_BYPASS_BUS=1");
++ /* If this is D-Bus, tell the nss-systemd module, since it relies on being able to use blocking
++ * Varlink calls back to us for look up dynamic users in PID 1. Break the deadlock between D-Bus and
++ * PID 1 by disabling use of PID1' NSS interface for looking up dynamic users. */
++ if (p->flags & EXEC_NSS_DYNAMIC_BYPASS) {
++ x = strdup("SYSTEMD_NSS_DYNAMIC_BYPASS=1");
+ if (!x)
+ return -ENOMEM;
+ our_env[n_env++] = x;
+diff --git a/src/core/execute.h b/src/core/execute.h
+index 4c7a5b8..2a261f3 100644
+--- a/src/core/execute.h
++++ b/src/core/execute.h
+@@ -348,7 +348,7 @@ typedef enum ExecFlags {
+ EXEC_APPLY_TTY_STDIN = 1 << 2,
+ EXEC_PASS_LOG_UNIT = 1 << 3, /* Whether to pass the unit name to the service's journal stream connection */
+ EXEC_CHOWN_DIRECTORIES = 1 << 4, /* chown() the runtime/state/cache/log directories to the user we run as, under all conditions */
+- EXEC_NSS_BYPASS_BUS = 1 << 5, /* Set the SYSTEMD_NSS_BYPASS_BUS environment variable, to disable nss-systemd for dbus */
++ EXEC_NSS_DYNAMIC_BYPASS = 1 << 5, /* Set the SYSTEMD_NSS_DYNAMIC_BYPASS environment variable, to disable nss-systemd blocking on PID 1, for use by dbus-daemon */
+ EXEC_CGROUP_DELEGATE = 1 << 6,
+ EXEC_IS_CONTROL = 1 << 7,
+ EXEC_CONTROL_CGROUP = 1 << 8, /* Place the process not in the indicated cgroup but in a subcgroup '/.control', but only EXEC_CGROUP_DELEGATE and EXEC_IS_CONTROL is set, too */
+diff --git a/src/core/service.c b/src/core/service.c
+index 7b90822..debd9d6 100644
+--- a/src/core/service.c
++++ b/src/core/service.c
+@@ -1569,7 +1569,7 @@ static int service_spawn(
+ return -ENOMEM;
+
+ /* System D-Bus needs nss-systemd disabled, so that we don't deadlock */
+- SET_FLAG(exec_params.flags, EXEC_NSS_BYPASS_BUS,
++ SET_FLAG(exec_params.flags, EXEC_NSS_DYNAMIC_BYPASS,
+ MANAGER_IS_SYSTEM(UNIT(s)->manager) && unit_has_name(UNIT(s), SPECIAL_DBUS_SERVICE));
+
+ strv_free_and_replace(exec_params.environment, final_env);
diff -Nru systemd-248.3/debian/patches/series systemd-248.3/debian/patches/series
--- systemd-248.3/debian/patches/series 2022-01-09 23:06:49.000000000 -0500
+++ systemd-248.3/debian/patches/series 2022-04-01 15:17:06.000000000 -0400
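Review bot: The whole fix rests on nss-systemd in this 248.3 tree honouring `SYSTEMD_NSS_DYNAMIC_BYPASS=1` by skipping the Varlink call to PID 1, yet the three inner hunks only rename the flag and the string handed to `strdup()` in `build_environment()`; since the patch header was written against a newer upstream tree, the backport should record where that behaviour was verified in this version (the upstream message only notes that nothing checked the old variable any more). The rewritten comment in execute.c also reads awkwardly; I would make the middle line `* Varlink calls back to us to look up dynamic users in PID 1. Break the deadlock between D-Bus and` and the last line `* PID 1 by disabling use of PID 1's NSS interface for looking up dynamic users. */`. Both `build_environment()` and `service_spawn()` begin and end outside their hunks.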
@@ -74,3 +74,6 @@
 CVE-2021-3997-1.patch
 CVE-2021-3997-2.patch
 CVE-2021-3997-3.patch
+lp1955997-add-a-allowlist-to-unblock-intel-hid-on-HP-mach.patch
+pid1-set-SYSTEMD_NSS_DYNAMIC_BYPASS-1-env-var-for-dbus-da.patch
+debian/UBUNTU-Don-t-override-Ubuntu-s-default-sysctl-values-LP-1962038.patch
diff -Nru systemd-248.3/debian/tests/boot-and-services systemd-248.3/debian/tests/boot-and-services
--- systemd-248.3/debian/tests/boot-and-services 2021-12-10 03:56:36.000000000 -0500
+++ systemd-248.3/debian/tests/boot-and-services 2022-04-01 15:33:42.000000000 -0400
@@ -57,6 +57,9 @@
 failed = [f for f in failed if 'console-setup' not in f]
 # cpi.service fails on s390x
 failed = [f for f in failed if 'cpi.service' not in f]
+ # If snapd is not properly removed/purged, it can leave behind
+ # snap-*.mount units which will always fail.
+ failed = [f for f in failed if not re.match(r'snap-.*\.mount.*', f)]
 # https://bugs.debian.org/926138
 if is_container:
 failed = [f for f in failed if 'e2scrub_reap.service' not in f]
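Review bot: `re.match()` anchors at the start of the string, so if the entries in `failed` are full `systemctl` output lines rather than bare unit names — the neighbouring filters use substring tests, which hints at that, but the list is built outside the hunk — the new filter never matches and is a silent no-op, leaving the test failing for exactly the reason the commit wants to ignore. `re.search()` is robust either way, and the trailing `.*` is redundant with both functions: `failed = [f for f in failed if not re.search(r'snap-\S*\.mount', f)]`. The line also relies on `re` being imported at the top of the script, which is outside the hunk; worth confirming before this lands.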