commit 69a85aec488ba3146deb3acb0943b29dc0d6ce02
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Mon May 18 17:41:50 2026 +0200

sys-kernel/pf-sources: drop alicef SRC_URI from 7.0_p4

alicef's 7.0 genpatches series stops at 7.0-4 (both /dist/genpatches/
and /genpatches/tarballs/ confirmed) — they haven't published 7.0-9
yet. distfiles.gentoo.org and mpagano carry it. The 6.X pf-sources
ebuilds that rely on alicef's /tarballs/ as their sole mirror stay
unchanged: those K versions ARE on alicef, just not on the other
two mirrors.

commit b2b041161a374cd5db45d803640a1ba3a0c69c93
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Fri May 15 13:57:11 2026 +0200

sys-kernel/pf-sources: drop 7.0_p3, 7.0_p3-r1

Superseded by 7.0_p4 (upstream tag v7.0-pf4, 2026-05-15T13:22+02:00).

7.0_p3 (vanilla pf-7.0-pf3, K=4) and 7.0_p3-r1 (K=9 + our local ptrace
dumpable surgical) both ship strict subsets of what 7.0_p4 carries:

- The ptrace fix from our surgical is now native in v7.0-pf4 source
(natalenko cherry-pick 05a817f2664a of Linus 31e62c2ebbfd).
- The genpatches-7.0-9 extras 7.0_p3-r1 brought (1500_net-skbuff-prop-
shared-frag-marker, 2902_Replace-CONST-CAST, etc.) carry forward to
7.0_p4 with K=9.
- v7.0-pf4 also adds the rest of natalenko's 2026-05-15 batch (rxrpc/
crypto-krb5 trio, audit pair, cgroup pair, ipv6 flowlabel pair, ACPI
revert, workqueue, netfilter pair, x86/AMD Zen2 op cache, exit
TASK_DEAD preemption) that 7.0_p3-based ebuilds had no path to.

7.0_p2-r1 stays as the last-resort rollback (K=4 + extra-stuff CVE
bundle).

The files/pf-sources-7.0_p3-ptrace-dumpable.patch is removed as it has
no remaining ebuild consumer; the patch and the two ebuilds remain
recoverable via git log.

commit fc9bee342044b9d1f8d8be03c9d52870c71b04c3
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Fri May 15 13:56:39 2026 +0200

sys-kernel/pf-sources: add 7.0_p4

Upstream pf-kernel tagged v7.0-pf4 on 2026-05-15T13:22+02:00, ~15
minutes after our 7.0_p3-r1 landed. The new tag merges fixes-7.0
(which natalenko cherry-pick-batched this morning at 08:31-08:44) into
the pf-7.0 spine. The merged batch carries:

- 05a817f2664a ptrace: slightly saner 'get_dumpable()' logic
(the same Linus 31e62c2ebbfd Qualys advisory fix our 7.0_p3-r1
carried surgically)
- f8e23c169fe5 net: skbuff: propagate shared-frag marker through
frag-transfer helpers
- 0366ab33fcc3 / 5bc2623305a5 / 0e2686755f1f — rxrpc + crypto/krb5
decrypt-safety trio (David Howells, swapped in for the older
skb_ensure_writable approach which natalenko explicitly reverted
as 3723a353b65a)
- audit hardening pair (AUDIT_LOCKED + CAPSET inheritable)
- cgroup/cpuset DL migration reset + cgroup/dmem ENOMEM
- ipv6 flowlabel locking pair
- ACPI CPPC revert + workqueue cpu_pwq leak + netfilter pair
- x86/CPU/AMD Zen2 op cache (3fbca3ae46be)
- exit: prevent preemption of oopsing TASK_DEAD (03ae034048e4)

Our 7.0_p3-r1 ptrace surgical is now obsolete — the fix ships in
v7.0-pf4's source natively. K_GENPATCHES_VER stays at 9 with one
filter: genpatches-7.0-9's 1500_net-skbuff-prop-shared-frag-marker-
through-pskb-copy.patch is the same fix natalenko cherry-picked, so
applying both would collide on net/core/skbuff.c. Drop the duplicate
in src_prepare before the eapply loop.

SRC_URI keeps the distfiles + mpagano + alicef genpatches mirror set
inherited from -r1.

commit 7378d7c65cf6e92243981d2f3a68ae319d9f4adb
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Fri May 15 13:41:38 2026 +0200

sys-kernel/pf-sources: add 7.0_p3-r1

Bump K_GENPATCHES_VER 4 -> 9 and carry the ptrace dumpable surgical.

K=9 vs K=4 brings two new extras patches that the prior r1 draft missed:
- 1500_net-skbuff-prop-shared-frag-marker-through-pskb-copy.patch
(shared-frag marker propagation through pskb_copy, follow-up to the
CVE-2026-43284 family — closes a gap pf-sources's 10*linux*patch
delete-step would otherwise leave open even with v7.0-pf3's
upstream-cherry-picked esp4 fix)
- 2902_Replace-CONST-CAST-with-const-cast.patch (correctness fix in
the genpatches extras layer)

Mainline ptrace fix carried as a surgical (torvalds 31e62c2ebbfd,
2026-05-13, Qualys advisory): caches user-dumpable bit at exit_mm() so
ptrace_may_access() still enforces dumpable for tasks past mm teardown.
Not in v7.0-pf3's source — natalenko cherry-picked into fixes-7.1 on
2026-05-15, but fixes-7.0 is still at dde10a5a7771 (pre-ptrace). Not
yet in linux-7.0.y stable. pf-sources's src_prepare deletes
10*linux*patch in genpatches so a future K bump alone cannot route the
fix in; surgical is the only path until natalenko cherry-picks into
fixes-7.0 (which would land via a future v7.0-pfN tarball).

SRC_URI gains distfiles.gentoo.org + ~mpagano fallbacks because
genpatches-7.0-9 lives on those mirrors only — ~alicef alone serves
7.0- but not the post-7.0.4 series.

Drop the surgical on whichever lands first.

commit e5b6e4674c3038158dbe19af3cef0bcac6fa6a97
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Wed May 13 19:17:43 2026 +0200

sys-kernel: migrate r70-model ebuilds to pf-sources-extended

The r70 model (vanilla kernel + Gentoo genpatches + curated pf delta)
is a distinct variant from the original pf-sources models and deserves
its own package name. Rename to sys-kernel/pf-sources-extended.

20 ebuilds moved (6.1_p6 through 7.0_p2), dropping the -r70/-r71
revision suffix — the package name now differentiates the model.
KEYWORDS="" — new package, requires explicit package.accept_keywords.
Distfile bundles on extra-stuff moved in parallel from
sys-kernel/pf-sources/ to sys-kernel/pf-sources-extended/ under new
tags (pf-curated-X.Y-r70-1, pf-genpatches-X.Y-r70-1).

sys-kernel/pf-sources retains the original two models:
- active (no suffix): pf-kernel sourcetree + genpatches
- CVE-backported (-r1/-r2): active base + surgical CVE patches
for vulns pf-kernel hasn't picked up

Both packages' metadata.xml updated: pf-sources gets all three
extra-stuff remote-ids (github/gitlab/codeberg); pf-sources-extended
gets the same, without codeberg:pf-kernel/linux which belongs only
to pf-sources (that package fetches from there; extended fetches
vanilla kernel.org tarballs).

commit 2d149d1c89807b5e45db42b0a0b9df92db0f837f
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Wed May 13 16:47:46 2026 +0200

sys-kernel/pf-sources: add 7.0_p3; track upstream in nvchecker

Ships the gentoo-sources-based pf-sources variant for the v7.0-pf3
slot. Same stack as 7.0_p2-r71: vanilla linux-7.0 + genpatches-7.0-4
(linux-stable through 7.0.3) + pf-curated-7.0-r70-0 bundle (BBRv3,
ISA levels, AES-NI, v4l2loopback, DDCCI, AMD-pstate).

pf3 adds 78 linux-stable backport commits over pf2; those commits are
not yet covered by genpatches-7.0-4. pkg_postinst notes the gap; a
future -r1 revision will add them once genpatches-7.0-5 is available
or the commits are pulled into the curated bundle directly.

Also adds gitea nvchecker entry for pf-kernel/linux on Codeberg so
future pf tag advances surface as drift automatically.

commit 243278fd8d71766bda324b41fe4c85a01f45dfc2
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Wed May 13 15:28:00 2026 +0200

sys-kernel/pf-sources: add Codeberg + GitLab SRC_URI mirrors for extra-stuff

extra-stuff is now mirrored from GitHub to Codeberg and GitLab via
the Actions workflow added in the previous commit. Add the mirror
URLs as additional SRC_URI entries for every bundle that currently
points at raw.githubusercontent.com. Portage tries each URL in
order, so existing installs continue to use GitHub; the Codeberg
and GitLab entries serve as fall-through for users who hit rate
limits or GitHub outages.

URL shapes:
Codeberg: codeberg.org/istitov/extra-stuff/raw/tag/<TAG>/...
GitLab: gitlab.com/istitov/extra-stuff/-/raw/<TAG>/...

All 35 ebuilds across 6.1–6.19, 7.0 and the gwyddion3 sidecar
are updated; the distfile -> rename is the same for all three
mirror entries so Portage identifies them as the same file.

commit 07976bc8c1c6c3ee54a5fd12826d21296f6cfc5c
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Sun May 10 10:12:40 2026 +0200

sys-kernel/pf-sources: 6.19_p5-r70 -> -r71, K_GENPATCHES_VER 13 -> 11

The -r70 ebuild was authored on 2026-05-03 (commit f42639c6) with
K_GENPATCHES_VER=13. Our Manifest still carries valid hashes for
genpatches-6.19-13.{base,extras}.tar.xz, so those bytes existed at
authoring time. alicef's dist/ now publishes 6.19-1, -2, -3, -4, -5,
-6, -8, -10, -11 (gaps at -7, -9, -12, -13); -13 is gone and the
SRC_URI returns 404. When between then and now the rotation happened
isn't recorded.

Catch down to K=11 (stable 6.19.12), the highest currently fetchable
level — two linux-stable point releases behind the original -13
target. Drop the orphan 6.19-13 DIST entries from Manifest. The
ebuild's elog claim to a "fresh gentoo-sources-6.19.14 tree" was
aspirational regardless: ::gentoo never shipped gentoo-sources-6.19.*
(current state stops at 6.6.x and 7.0.5). Dial the elog version
reference back to .X.

Verified end-to-end: ebuild ... clean unpack prepare succeeds — the
genpatches-6.19-11 stack (linux-stable 6.19.2 through .12 plus
1500/1700/2000/2900/3000/4500-series distro patches) and the 4-patch
pf-curated delta (BBRv3, cpuidle, kbuild tweaks, stable backports)
all apply with normal fuzz only, no rejects.

Bump revision (-r70 -> -r71) so existing -r70 users actually re-pull
the K=11 SRC_URI; otherwise the slot stays stuck on the 404.

commit b8013891cb3bb4be8c67f9603573b6f32769f841
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Sun May 10 09:59:23 2026 +0200

sys-kernel/pf-sources: 7.0_p2-r70 -> -r71 (elog now points at GA-only -r1)

The -r70 pkg_postinst elog referenced pf-sources-7.0_p2 as the GA-only
fallback atom, but the GA-only variant was just renamed to
pf-sources-7.0_p2-r1 (commit a5a2e71e). Update the elog wording to
match — and bump the curated revision to -r71 so users on the existing
-r70 install actually re-emerge to pick up the corrected message.

Verified -r70 patchset still applies cleanly under the new K=4: ebuild
... clean unpack prepare succeeds end-to-end on the same source layout
(linux-7.0.3 + genpatches-7.0-4 + curated 5-patch pf delta), no rejects,
only normal fuzz on the 1500/1700/2000-series hunks.

commit 20d189725bb3c76d3bef1398e36823b9ed59c431
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Sun May 10 00:35:55 2026 +0200

sys-kernel/pf-sources: 7.0_p2 (K=3) -> 7.0_p2-r1 (K=4) catch-up

alicef withdrew genpatches-7.0-3 from dist/ shortly after upload — the
directory now holds 7.0-1, 7.0-2, and 7.0-4, with -3 silently re-cut as
-4. Drop the GA-only no-r filename (its SRC_URI is permanently 404) and
ship the bumped K as a proper -r1 revision so emerge actually re-pulls
users on the existing slot.

Manifest drops the orphan 7.0-3 DIST entries; the K=4 distfiles are
already referenced from -r70/-r71, so no new fetch is triggered.

commit 0b8bcac88bfa26d967186f97e508b3d0bd772d2c
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Wed May 6 01:11:20 2026 +0200

sys-kernel/pf-sources: 7.0_p2-r70 patches → extra-stuff distfile

Move the curated pf-kernel patch series for the 7.0 slot out of the
overlay's files/ tree into a tarball hosted on the sister overlay at
github.com/istitov/extra-stuff. Pinned to tag pf-curated-7.0-r70-0
so the SRC_URI URL is immutable; bumping patches creates a new tag
suffix (-r70-1, -r70-2, ...).

commit 343addd0c257fa4fb39917f41147e2829e7821ab
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Wed May 6 01:11:20 2026 +0200

sys-kernel/pf-sources: 6.19_p5-r70 + -r1 surgical → extra-stuff distfiles

Move all this slot's non-kernel.org SRC_URIs to the sister overlay
extra-stuff (https://github.com/istitov/extra-stuff), pinned by tags:

* pf-curated-6.19-r70-0 — curated pf-kernel patch series
* pf-cves-surgical-r1-0 — three shared surgical CVE patches
(CVE-2026-31431 algif_aead revert + CVE-2026-43037 ip6_tunnel
cb[] clear + CVE-2026-43038 icmpv6 cb[] clear). The same bundle
is reused by all four surgical -r1 slots (6.16/6.17/6.18/6.19);
they apply identical bytes, so the in-tree patches are removed
atomically in 6.19's commit.

commit 0259371948462c967304fd518da0a8c05f71d011
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Wed May 6 01:11:19 2026 +0200

sys-kernel/pf-sources: 6.18_p6-r70 + -r1 surgical → extra-stuff distfiles

Move all this slot's non-kernel.org SRC_URIs to the sister overlay
extra-stuff (https://github.com/istitov/extra-stuff), pinned by tags:

* pf-curated-6.18-r70-0 — curated pf-kernel patch series
* pf-cves-surgical-r1-0 — three shared surgical CVE patches
(CVE-2026-31431 algif_aead revert + CVE-2026-43037 ip6_tunnel
cb[] clear + CVE-2026-43038 icmpv6 cb[] clear). The same bundle
is reused by all four surgical -r1 slots (6.16/6.17/6.18/6.19);
they apply identical bytes, so the in-tree patches are removed
atomically in 6.19's commit.

commit cdf90067ea217bbca585fb1e969125a7d468482c
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Wed May 6 01:11:19 2026 +0200

sys-kernel/pf-sources: 6.17_p4-r70 + -r1 surgical → extra-stuff distfiles

Move all this slot's non-kernel.org SRC_URIs to the sister overlay
extra-stuff (https://github.com/istitov/extra-stuff), pinned by tags:

* pf-curated-6.17-r70-0 — curated pf-kernel patch series
* pf-cves-surgical-r1-0 — three shared surgical CVE patches
(CVE-2026-31431 algif_aead revert + CVE-2026-43037 ip6_tunnel
cb[] clear + CVE-2026-43038 icmpv6 cb[] clear). The same bundle
is reused by all four surgical -r1 slots (6.16/6.17/6.18/6.19);
they apply identical bytes, so the in-tree patches are removed
atomically in 6.19's commit.

commit c35c69da56302f9d5bbff8c065df99935a142039
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Wed May 6 01:11:19 2026 +0200

sys-kernel/pf-sources: 6.16_p5-r70 + -r1 surgical → extra-stuff distfiles

Move all this slot's non-kernel.org SRC_URIs to the sister overlay
extra-stuff (https://github.com/istitov/extra-stuff), pinned by tags:

* pf-curated-6.16-r70-0 — curated pf-kernel patch series
* pf-cves-surgical-r1-0 — three shared surgical CVE patches
(CVE-2026-31431 algif_aead revert + CVE-2026-43037 ip6_tunnel
cb[] clear + CVE-2026-43038 icmpv6 cb[] clear). The same bundle
is reused by all four surgical -r1 slots (6.16/6.17/6.18/6.19);
they apply identical bytes, so the in-tree patches are removed
atomically in 6.19's commit.

commit 9d903142686f1f312c7595f1d9477a221ec3f121
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Wed May 6 01:11:19 2026 +0200

sys-kernel/pf-sources: 6.15_p6-r70 patches → extra-stuff distfile

Move the curated pf-kernel patch series for the 6.15 slot out of the
overlay's files/ tree into a tarball hosted on the sister overlay at
github.com/istitov/extra-stuff. Pinned to tag pf-curated-6.15-r70-0
so the SRC_URI URL is immutable; bumping patches creates a new tag
suffix (-r70-1, -r70-2, ...).

commit 707048f0e03e0be792990979e397956f6e47a0e5
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Wed May 6 01:11:18 2026 +0200

sys-kernel/pf-sources: 6.14_p6-r70 + -r1 → extra-stuff distfiles

Move all this slot's non-kernel.org SRC_URIs to the sister overlay
extra-stuff (https://github.com/istitov/extra-stuff), pinned by tags:

* pf-curated-6.14-r70-0 — curated pf-kernel patch series
* pf-genpatches-6.14-r70-0 — snapshot of alicef's genpatches trunk
for this branch (the trunk dir is a live working dir, not a
release archive; the bundle is the durable byte-pinned reference)

The -r70 ebuild uses every patch from both bundles. The -r1 ebuild
reuses the pf-genpatches bundle and selects a subset via
GENPATCHES_PATCHES — pf-kernel's codeberg base already includes the
stable backports, so -r1 only needs the extras.

commit d6b7ea6f17acf88ab0c5901b714ea1340b5bac7d
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Wed May 6 01:11:18 2026 +0200

sys-kernel/pf-sources: 6.13_p6-r70 + -r1 → extra-stuff distfiles

Move all this slot's non-kernel.org SRC_URIs to the sister overlay
extra-stuff (https://github.com/istitov/extra-stuff), pinned by tags:

* pf-curated-6.13-r70-0 — curated pf-kernel patch series
* pf-genpatches-6.13-r70-0 — snapshot of alicef's genpatches trunk
for this branch (the trunk dir is a live working dir, not a
release archive; the bundle is the durable byte-pinned reference)

The -r70 ebuild uses every patch from both bundles. The -r1 ebuild
reuses the pf-genpatches bundle and selects a subset via
GENPATCHES_PATCHES — pf-kernel's codeberg base already includes the
stable backports, so -r1 only needs the extras.

commit 941dac30a31d75eb18414e1e76a564e355fe6ab2
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Wed May 6 01:11:18 2026 +0200

sys-kernel/pf-sources: 6.12_p4-r70 + -r2 → extra-stuff distfiles

Move all this slot's non-kernel.org SRC_URIs to the sister overlay
extra-stuff (https://github.com/istitov/extra-stuff), pinned by tags:

* pf-curated-6.12-r70-0 — curated pf-kernel patch series
on top of vanilla kernel.org + Gentoo's genpatches stack
* pf-cves-cumulative-6.12-r2-0 — CVE-2026-31431 + 43037/43038
cumulative LTS patches for the verbatim-natalenko 6.12_p4-r2 ebuild
(the surgical revert's context can't apply on this slot's
v6.12.0 + pf base)

commit 8feace112918ac784421281d74c61f30473c3d67
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Wed May 6 01:11:17 2026 +0200

sys-kernel/pf-sources: 6.11_p4-r70 + -r1 → extra-stuff distfiles

Move all this slot's non-kernel.org SRC_URIs to the sister overlay
extra-stuff (https://github.com/istitov/extra-stuff), pinned by tags:

* pf-curated-6.11-r70-0 — curated pf-kernel patch series
* pf-genpatches-6.11-r70-0 — snapshot of alicef's genpatches trunk
for this branch (the trunk dir is a live working dir, not a
release archive; the bundle is the durable byte-pinned reference)

The -r70 ebuild uses every patch from both bundles. The -r1 ebuild
reuses the pf-genpatches bundle and selects a subset via
GENPATCHES_PATCHES — pf-kernel's codeberg base already includes the
stable backports, so -r1 only needs the extras.

commit 08307f884cd11af365052f82fd5f6e873f15ce38
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Wed May 6 01:11:17 2026 +0200

sys-kernel/pf-sources: 6.10_p4-r70 + -r1 → extra-stuff distfiles

Move all this slot's non-kernel.org SRC_URIs to the sister overlay
extra-stuff (https://github.com/istitov/extra-stuff), pinned by tags:

* pf-curated-6.10-r70-0 — curated pf-kernel patch series
* pf-genpatches-6.10-r70-0 — snapshot of alicef's genpatches trunk
for this branch (the trunk dir is a live working dir, not a
release archive; the bundle is the durable byte-pinned reference)

The -r70 ebuild uses every patch from both bundles. The -r1 ebuild
reuses the pf-genpatches bundle and selects a subset via
GENPATCHES_PATCHES — pf-kernel's codeberg base already includes the
stable backports, so -r1 only needs the extras.

commit 2b0a8dae6d57ca6a7f51acaaa10fa8e9e6b74b4e
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Wed May 6 01:11:17 2026 +0200

sys-kernel/pf-sources: 6.9_p6-r70 + -r1 → extra-stuff distfiles

Move all this slot's non-kernel.org SRC_URIs to the sister overlay
extra-stuff (https://github.com/istitov/extra-stuff), pinned by tags:

* pf-curated-6.9-r70-0 — curated pf-kernel patch series
* pf-genpatches-6.9-r70-0 — snapshot of alicef's genpatches trunk
for this branch (the trunk dir is a live working dir, not a
release archive; the bundle is the durable byte-pinned reference)

The -r70 ebuild uses every patch from both bundles. The -r1 ebuild
reuses the pf-genpatches bundle and selects a subset via
GENPATCHES_PATCHES — pf-kernel's codeberg base already includes the
stable backports, so -r1 only needs the extras.

commit 2386bd07be9ccd53a775320a48e279b0b86b7178
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Wed May 6 01:11:16 2026 +0200

sys-kernel/pf-sources: 6.8_p9-r70 → extra-stuff distfiles

Move all this slot's non-kernel.org SRC_URIs to the sister overlay
extra-stuff (https://github.com/istitov/extra-stuff), pinned by tags:

* pf-curated-6.8-r70-0 — curated pf-kernel patch series
* pf-genpatches-6.8-r70-0 — snapshot of alicef's genpatches trunk
for this branch (the trunk dir is a live working dir, not a
release archive; the bundle is the durable byte-pinned reference)

commit 468a5b726d7fc04822ee4f2f8dab0856141bf19d
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Wed May 6 01:11:16 2026 +0200

sys-kernel/pf-sources: 6.7_p7-r70 + -r1 → extra-stuff distfiles

Move all this slot's non-kernel.org SRC_URIs to the sister overlay
extra-stuff (https://github.com/istitov/extra-stuff), pinned by tags:

* pf-curated-6.7-r70-0 — curated pf-kernel patch series
* pf-genpatches-6.7-r70-0 — snapshot of alicef's genpatches trunk
for this branch (the trunk dir is a live working dir, not a
release archive; the bundle is the durable byte-pinned reference)

The -r70 ebuild uses every patch from both bundles. The -r1 ebuild
reuses the pf-genpatches bundle and selects a subset via
GENPATCHES_PATCHES — pf-kernel's codeberg base already includes the
stable backports, so -r1 only needs the extras.

commit fa4098c3bc162fb391788328226955078a116951
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Wed May 6 01:11:16 2026 +0200

sys-kernel/pf-sources: 6.6_p6-r70 + -r2 → extra-stuff distfiles

Move all this slot's non-kernel.org SRC_URIs to the sister overlay
extra-stuff (https://github.com/istitov/extra-stuff), pinned by tags:

* pf-curated-6.6-r70-0 — curated pf-kernel patch series
on top of vanilla kernel.org + Gentoo's genpatches stack
* pf-cves-cumulative-6.6-r2-0 — CVE-2026-31431 + 43037/43038
cumulative LTS patches for the verbatim-natalenko 6.6_p6-r2 ebuild
(the surgical revert's context can't apply on this slot's
v6.6.0 + pf base)

commit 04a8bb41d7b7f4ed905a6cafe8dedb3e485aa4dd
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Wed May 6 01:11:15 2026 +0200

sys-kernel/pf-sources: 6.5_p6-r70 + -r1 → extra-stuff distfiles

Move all this slot's non-kernel.org SRC_URIs to the sister overlay
extra-stuff (https://github.com/istitov/extra-stuff), pinned by tags:

* pf-curated-6.5-r70-0 — curated pf-kernel patch series
* pf-genpatches-6.5-r70-0 — snapshot of alicef's genpatches trunk
for this branch (the trunk dir is a live working dir, not a
release archive; the bundle is the durable byte-pinned reference)

The -r70 ebuild uses every patch from both bundles. The -r1 ebuild
reuses the pf-genpatches bundle and selects a subset via
GENPATCHES_PATCHES — pf-kernel's codeberg base already includes the
stable backports, so -r1 only needs the extras.

commit 487befed9696ae7d7d0fa7335898c0c9dcd42e9b
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Wed May 6 01:11:15 2026 +0200

sys-kernel/pf-sources: 6.4_p6-r70 + -r1 → extra-stuff distfiles

Move all this slot's non-kernel.org SRC_URIs to the sister overlay
extra-stuff (https://github.com/istitov/extra-stuff), pinned by tags:

* pf-curated-6.4-r70-0 — curated pf-kernel patch series
* pf-genpatches-6.4-r70-0 — snapshot of alicef's genpatches trunk
for this branch (the trunk dir is a live working dir, not a
release archive; the bundle is the durable byte-pinned reference)

The -r70 ebuild uses every patch from both bundles. The -r1 ebuild
reuses the pf-genpatches bundle and selects a subset via
GENPATCHES_PATCHES — pf-kernel's codeberg base already includes the
stable backports, so -r1 only needs the extras.

commit 8cc040d7e9bdcd7ff1f13261c76e75cc7a111d60
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Wed May 6 01:11:15 2026 +0200

sys-kernel/pf-sources: 6.3_p5-r70 patches → extra-stuff distfile

Move the curated pf-kernel patch series for the 6.3 slot out of the
overlay's files/ tree into a tarball hosted on the sister overlay at
github.com/istitov/extra-stuff. Pinned to tag pf-curated-6.3-r70-0
so the SRC_URI URL is immutable; bumping patches creates a new tag
suffix (-r70-1, -r70-2, ...).

commit 783ddcea95f74e0130cfb237e1b0843ae604302b
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Wed May 6 01:11:15 2026 +0200

sys-kernel/pf-sources: 6.2_p7-r70 patches → extra-stuff distfile

Move the curated pf-kernel patch series for the 6.2 slot out of the
overlay's files/ tree into a tarball hosted on the sister overlay at
github.com/istitov/extra-stuff. Pinned to tag pf-curated-6.2-r70-0
so the SRC_URI URL is immutable; bumping patches creates a new tag
suffix (-r70-1, -r70-2, ...).

commit 8177f2a6bab8634f6477916a83f58816b7961f5d
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Wed May 6 01:11:14 2026 +0200

sys-kernel/pf-sources: 6.1_p6-r70 + -r2 → extra-stuff distfiles

Move all this slot's non-kernel.org SRC_URIs to the sister overlay
extra-stuff (https://github.com/istitov/extra-stuff), pinned by tags:

* pf-curated-6.1-r70-0 — curated pf-kernel patch series
on top of vanilla kernel.org + Gentoo's genpatches stack
* pf-cves-cumulative-6.1-r2-0 — CVE-2026-31431 + 43037/43038
cumulative LTS patches for the verbatim-natalenko 6.1_p6-r2 ebuild
(the surgical revert's context can't apply on this slot's
v6.1.0 + pf base)

commit 4b26707210e2ca0cfecbb1a9b425ce6f09698d34
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Mon May 4 23:44:05 2026 +0200

sys-kernel/pf-sources: add 6.8_p9-r70, gentoo-sources base + curated pf delta

Variant B (trunk-pinned). alicef released only one bundled tarball
for the 6.8 branch (-10) and it stops at stable 6.8.7; the trunk dir
continued tracking up to 6.8.12 (upstream EOL), so this ebuild
fetches each patch directly from the trunk and pins their byte
hashes in Manifest. Full stable coverage 6.8.1-6.8.12.

arch/x86/Kconfig.cpu and arch/x86/Makefile fall into pf-only
naturally (no genpatch touches them). pf's identity ISA-level on
this slot is GENERIC_CPU2/3/4 Kconfig (the convention pf used
between 6.6's MK8SSE3/MZEN era and 6.12+'s X86_64_ISA_LEVEL era),
plus the matching cflags-$(CONFIG_GENERIC_CPU2..4) +=
-march=x86-64-v[2..4] additions in arch/x86/Makefile. arch/x86/Kconfig
is dropped (six stable backports modify it).

5010 + 5020 + 5021: NOT included.

Curated pf delta is 114 files / 25k lines. Closes the 6.8 r70 gap.

commit a10c7509c913dfb98da86fa6d38e97b4d907d80e
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Mon May 4 23:09:18 2026 +0200

sys-kernel/pf-sources: add 6.15_p6-r70, gentoo-sources base + curated pf delta

Variant A (dist-tarball-pinned). genpatches-6.15-13 covers stable
through 6.15.11 (one release short of upstream EOL at .12). pf delta
is small: 39 files / 253 KiB.

arch/x86/Kconfig.cpu and arch/x86/Makefile fall into pf-only naturally
(no genpatch touches them on this branch). arch/x86/Kconfig is dropped
from the curated subset because stable backports 1003/1005/1006 modify
it in ways pf reverts; user gets vanilla Kconfig top-level + pf's
ISA-level Kconfig and cflags machinery.

Closes the 6.15 r70 gap from the 2026-05-04 sweep.

commit 3c45e332dc3cba08eefd7f889adad445184902dd
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Mon May 4 13:23:59 2026 +0200

sys-kernel/pf-sources: add 7.0_p2-r70, gentoo-sources base + curated pf delta

Variant A (dist-tarball-pinned). genpatches-7.0-4 covers stable through
7.0.3 (current upstream). Active stable branch — backports continue to
arrive via genpatches bumps.

Cleanest partition yet: 179 pf-only files / 33 both-touched / 0
collisions on arch/x86 trio. Curated patch is 433 KiB.

Closes the parked 7.0 r70 work item from the 2026-05-03 sweep.

commit c4c1da8ecf75b8c3d53a09145424d29e04c7760a
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Mon May 4 13:14:05 2026 +0200

sys-kernel/pf-sources: add 6.17_p4-r70, gentoo-sources base + curated pf delta

Variant A (dist-tarball-pinned). genpatches-6.17-16 covers stable through
6.17.13 (linux-stable EOL). pf delta is small: 50 files / 414 KiB.

arch/x86/Kconfig.cpu falls into pf-only naturally; arch/x86/Makefile is
hand-promoted from both-touched after confirming pf's version preserves
1007_linux-6.17.8's -mno-sse4a addition (pf's diff is additive on top of
the stable backport, no reverts). Result: pf's full ISA Kconfig +
Makefile cflags wiring.

commit f2ea9fbe32577f5439417953136275327ff49ee2
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Mon May 4 12:44:00 2026 +0200

sys-kernel/pf-sources: add 6.16_p5-r70, gentoo-sources base + curated pf delta

Variant A (dist-tarball-pinned) recipe — alicef released
genpatches-6.16-15 as bundled tarballs, so SRC_URI fetches the
two .tar.xz files directly. Stable backport coverage is full
(1000_..1011_ -> 6.16.1 through 6.16.12, where linux-stable ended).

pf delta on 6.16 is unusually small: 38 partition pf-only files /
246 KiB curated patch. pf-pf5 sits very close to vanilla 6.16 so most
of pf's changes overlap with stable-tracking work. Both arch/x86/Kconfig.cpu
and arch/x86/Makefile fall to pf-only naturally — no surgical
hand-port needed.

Stripped two symlink targets from the curated subset:
* include/dt-bindings/input/linux-event-codes.h
* scripts/dtc/include-prefixes/dt-bindings/input/linux-event-codes.h
Both symlinks point to ../../uapi/linux/input-event-codes.h, which is
patched directly. Same hazard as 6.12 LTS's arch/arm64 syscall_64.tbl.

5xxx not applicable — dist tarballs only ship base + extras.

commit 548d9a978c46b644f5ebbe447166112685165684
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Mon May 4 12:34:24 2026 +0200

sys-kernel/pf-sources: add 6.14_p6-r70, gentoo-sources base + curated pf delta

Same trunk-pinned model as 6.4-6.13. 23 trunk genpatches (full
6.14.1-6.14.11 stable coverage). Per-branch judgment:

* 5010 + 5020 + 5021: NOT included.
* arch/x86/Makefile: naturally pf-only (no genpatch touches it on
this branch). pf's Makefile additions are clean (no reverts), so
the partition includes pf's full Makefile.
* arch/x86/Kconfig.cpu: hand-promoted into pf-only AFTER fixing pf's
X86_CMPXCHG64 line to match 1001's MGEODEGX1+MGEODE_LX additions.
Net pf addition lands clean: X86_64_ISA_LEVEL Kconfig +
BROADCAST_TLB_FLUSH.
* arch/x86/Kconfig (top-level): NOT promoted. Stable backports
1001/1002/1006/1008 modify it with KASAN/KCSAN GCC-compat checks,
EISA x86_32 restriction, RUST RUSTC version condition, conditional
MICROCODE deps; pf reverts all of them. Drop pf's top-level Kconfig.

Curated pf delta is 114 files / 33k lines (1.4 MB).

This is the first slot using the surgical hand-port pattern (option 3
in the recipe note): in-place edit pf's Kconfig.cpu to match stable
backport content for the colliding line, then promote. Keeps pf's
identity ISA Kconfig without losing stable improvements.

commit c8a9618407f1f67b436cfb0c4f01b493a26d1cc8
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Mon May 4 12:17:55 2026 +0200

sys-kernel/pf-sources: add 6.13_p6-r70, gentoo-sources base + curated pf delta

Same trunk-pinned model as 6.4-6.11. 24 trunk genpatches (full
6.13.1-6.13.12 stable coverage). Per-branch judgment:

* 5010 + 5020 + 5021: NOT included.
* arch/x86/Kconfig + Kconfig.cpu + Makefile: NOT promoted into curated
subset. 1003/1005/1010/1011 stable backports + 2980 GCC15 fix all
modify these files in ways pf would revert (KASAN/KCSAN GCC-compat,
MMU_GATHER conditional, EISA x86_32-only, MGEODE_LX support,
$(CSTD_FLAG) parameterization). Same trade-off as 6.11; user gets
vanilla x86 family selection.

Curated pf delta is 135 files / 30k lines (1.4 MB). syscall_64.tbl
symlink stripped (gpatch refuses to write through symlink).

commit ecdb82ac66d874dc8ae03a225d8ad61df0833568
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Mon May 4 11:59:03 2026 +0200

sys-kernel/pf-sources: add 6.11_p4-r70, gentoo-sources base + curated pf delta

Same trunk-pinned model as 6.4-6.10. 28 trunk genpatches (full
6.11.1-6.11.11 stable backport coverage; non-stable additions include
DTrace 2995, GCC15 fix 2980, libbpf workarounds 2951/2952/2990/2991,
HID Y900P revert 2600). Per-branch judgment:

* 5010 + 5020 + 5021: NOT included (pf-flavored vanilla mismatch + BMQ).
* arch/x86/Kconfig.cpu + arch/x86/Makefile: NOT promoted into curated
subset. 1009_linux-6.11.10 (stack protector guard rename) and 2980
(GCC15 fix) both modify arch/x86/Makefile, while pf's Makefile would
revert both. We keep the security/build fixes; cost is no pf-style
ISA-level CPU options on this branch (user gets vanilla x86 family
selection). syscall_64.tbl symlink stripped from curated subset
(gpatch refuses to write through symlink; content lands via
scripts/syscall.tbl).

Curated pf delta is 128 files / 25k lines (1.1 MB).

commit ee3ec5682db5a3de404331b6308de4f50e464784
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Mon May 4 11:38:56 2026 +0200

sys-kernel/pf-sources: add 6.10_p4-r70, gentoo-sources base + curated pf delta

Same trunk-pinned model as 6.4-6.9. 27 trunk genpatches (full
6.10.1-6.10.14 stable backport coverage; non-stable additions include
DTrace 2995 and libbpf 2911/2990 workarounds). Per-branch judgment:

* 5010 (CPU-opt Kconfig): NOT included. Same pf-flavored-vanilla
mismatch as 6.9 — section anchors don't align with kernel.org
pristine vanilla. Dropping 5010 lets the partition classify pf's
arch/x86 as pf-only and the curated subset applies pf's full ISA
Kconfig.
* 5020 BMQ + 5021 BMQ-gentoo-defaults: NOT included (out of scope).

Curated pf delta is 171 files / ~37k lines (1.4 MB). pf-pf4 on 6.10
has a sizeable footprint relative to 6.7 (151 paths) — not because of
new features, but because pf's working tree drifted further from
kernel.org's vanilla 6.10.0.

commit b0fb5d6e18d33d85cf4cece0cda04000ed64b0b4
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Mon May 4 11:28:58 2026 +0200

sys-kernel/pf-sources: add 6.9_p6-r70, gentoo-sources base + curated pf delta

Same trunk-pinned model as 6.4/6.5/6.7. 21 trunk genpatches (full
6.9.1-6.9.12 stable backport coverage + non-stable additions). Per-branch
judgment on 5xxx:

* 5010 (CPU-opt Kconfig): NOT included. trunk's 5010 is calibrated
against pf's view of arch/x86/Kconfig.cpu, not pristine vanilla 6.9
from kernel.org — section anchors are ~15 lines off, hunk #10
fails. Drop 5010, partition naturally classifies pf's arch/x86 as
pf-only (since stable backports don't touch them on this slot), and
the curated subset applies pf's full ISA Kconfig.
* 5020 BMQ + 5021 BMQ-gentoo-defaults: NOT included (out of scope).

Curated pf delta is 112 files / ~38k lines (1.5 MB). pf-pf6 delta on
6.9 happens to be larger than older slots — pf reverted some files that
look like vanilla but differ from kernel.org's vanilla 6.9.0 by a small
margin (visible in the build_curated diff size).

commit 03a7bc10fb180a4a83a02aa34806073bece96abd
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Mon May 4 11:06:47 2026 +0200

sys-kernel/pf-sources: add 6.7_p7-r70, gentoo-sources base + curated pf delta

Same trunk-pinned model as 6.4/6.5; 25 trunk genpatches (full 6.7.1
through 6.7.12 stable backports + non-stable additions). Per-branch
judgment on 5xxx:

* 5010 (CPU-opt Kconfig): NOT included. 1005_linux-6.7.6 modifies
arch/x86/Kconfig.cpu, shifting line numbers enough that 5010's
hunk #10 cannot relocate within fuzz tolerance. Rather than drop
1005 (loses all 6.7.6 stable fixes) we drop 5010 and hand-promote
pf's own arch/x86/Kconfig{,.cpu} into the curated subset. Result:
pf-style ISA levels (MNATIVE / X86_64_ISA_LEVEL) plus
AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT and the AMD-pstate-friendly
SCHED_MC_PRIO depend tweak.
* 5020 BMQ scheduler: NOT included (out of scope for r70 model).

Curated pf delta is 118 files / 24k lines (116 partition pf-only +
2 hand-promoted from both-touched).

commit 18162f5e9ccc52296a904684206ee7367066333f
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Mon May 4 10:05:32 2026 +0200

sys-kernel/pf-sources: add 6.5_p6-r70, gentoo-sources base + curated pf delta

Same trunk-pinned model as 6.4 — alicef never released bundled tarballs
for the 6.5 branch, so each genpatches patch is fetched directly from
the trunk dir with Manifest hashes pinned. Stable backport coverage is
full (1000_..1012_ -> 6.5.1 through 6.5.13, where linux-stable ended).

Per-branch judgment on 5xxx (genpatches "experimental" category):
* 5010_enable-cpu-optimizations-universal: included. Small Kconfig
addition (3 files); the partition would drop pf's both-touched
arch/x86 changes either way, so genpatches' MK8SSE3/MZEN naming
wins. User-visible feature delivered.
* 5020_BMQ-and-PDS-io-scheduler: NOT included. 40 files / 11k lines
of opt-in alternative scheduler is out of scope for the "minimal pf
identity on gentoo-sources" model. Users wanting BMQ/PDS stay on
-r1 (which applies pf's own scheduler tweaks).

Curated pf delta is 133 files / 24k lines.

commit 0ec8fe3320c2e3f747f3f5176529870377231b10
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Mon May 4 09:17:18 2026 +0200

sys-kernel/pf-sources: 6.4_p6-r70 elog accuracy fix

The original elog claimed pf provides "x86 ISA levels (arch/x86/Kconfig.cpu
+ Makefile)". On this slot the trunk patch 5010_enable-cpu-optimizations-
universal touches the same files, so the partition classifies them as
both-touched and the curated subset drops pf's version. genpatches' 5010
Kconfig (MK8SSE3, MZEN, MZEN2) wins instead. Feature is delivered, just
via different symbol names — note that explicitly so users picking ISA
levels know what they're looking at.

commit 8b4d118cd3aab9d5c552d7f2989b456e8225cce5
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Mon May 4 09:10:15 2026 +0200

sys-kernel/pf-sources: add 6.4_p6-r70, gentoo-sources base + curated pf delta

Same r70 model as 6.2/6.3, with the genpatches stack pinned per-patch
against alicef's live trunk dir — the 6.4 branch never got release
tarballs, the trunk dir is the only place these patches still live.
Manifest captures byte hashes so an in-place edit upstream fails fetch
loudly rather than silently changing behaviour.

Stable backport coverage is full (1000_..1015_ -> 6.4.1 through 6.4.16,
which is also where linux-stable ended for 6.4). Curated pf delta is
122 files / 24k lines.

Retained: BBRv3, x86 ISA levels, zstd lib bump, DDCCI driver, AMD-pstate
enhancements, syscall.tbl additions across arches, mm/include hooks.

Dropped: kernel/sched/{core,fair,rt}.c (gentoo's helpers are newer),
fs/cifs/* + fs/ksmbd/* (stable backports already cover those fixes),
and the bulk of "minor fixes" overlapping linux-stable's 6.4.X
cherry-picks.

commit 4c6c4e7db974665b576e83117cbf148d75da0643
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Mon May 4 08:39:27 2026 +0200

sys-kernel/pf-sources: add 6.3_p5-r70, gentoo-sources base + curated pf delta

Same r70 model as 6.2: vanilla 6.3 from kernel.org, alicef's
genpatches-6.3-12 stack on top (linux-stable through 6.3.9, since 6.3
is EOL upstream and the last bundle stops there), then a curated
subset of natalenko's pf-pf5 delta — 150 pf-only files, 26k lines.

Retained: BBRv3, x86 ISA levels, zstd lib bump, DDCCI driver, AMD-pstate
enhancements, syscall.tbl additions across arches, mm/include hooks.

Dropped: kernel/sched/{core,fair,rt}.c (gentoo's helpers are newer),
fs/cifs + fs/ksmbd (stable backports already cover those fixes), and
the bulk of "minor fixes" overlapping linux-stable's 6.3.X cherry-picks.

Users wanting the full pf patchset stay on -r1 (GA-frozen). Users wanting
linux-stable through .9 + pf identity move to -r70.

commit 980b248a6225ad1c994e7ef3410b2c3e2a15d3cb
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Mon May 4 00:12:14 2026 +0200

sys-kernel/pf-sources: add 6.2_p7-r70, gentoo-sources base + curated pf delta

Same r70 model as the LTS slots: vanilla 6.2 from kernel.org, alicef's
genpatches-6.2-14 stack on top (linux-stable through 6.2.12, since 6.2 is
EOL upstream and the last bundle stops there), then a curated subset of
natalenko's pf-pf7 delta — 156 pf-only files, 27k lines, generated by
diff-restricting pf state to the paths gentoo-sources doesn't touch.

Retained: BBRv3, x86 ISA levels, zstd lib bump, DDCCI driver, AMD-pstate
enhancements, syscall.tbl additions across arches, mm/include hooks
(madvise/ksm/smpboot).

Dropped: kernel/sched/{core,fair,rt}.c (gentoo's uclamp+thermal helpers
are newer), fs/cifs (~30 files; stable backports already cover the same
fixes in newer form), and the bulk of "minor fixes" that overlap
linux-stable's 6.2.X cherry-picks.

Users wanting the full pf patchset stay on -r1 (GA-frozen, no stable
backports past 6.2.0). Users wanting linux-stable through .12 + pf
identity move to -r70.

commit c149814a8ff0f94a7377c53a09a93eb8d044ceb9
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Sun May 3 23:39:37 2026 +0200

sys-kernel/pf-sources: add 6.18_p6-r70, gentoo-sources base + curated pf delta

Same approach as 6.1_p6-r70 / 6.6_p6-r70 / 6.12_p4-r70 / 6.19_p5-r70: vanilla
6.18.tar.xz + Gentoo genpatches (K_GENPATCHES_VER=26, matching gentoo-
sources-6.18.26) + curated pf delta. CVE backports auto-arrive with each linux-stable
bump. Validated: source prepared cleanly, post-prepare af_alg_pull_tsgl is the
3-param form (CVE-2026-31431 closed via stable backport), pf identity present
(X86_64_ISA_LEVEL Kconfig + cflag plumbing in arch/x86/Makefile, BBRv3,
AESNI/AVX10/VAES crypto bumps, v4l2loopback). Curated pf patchset is 25 files / 11k
lines. Curated pf features RETAINED: - BBRv3 TCP congestion control + helpers - x86
ISA levels (X86_64_ISA_LEVEL=1..4) - AES-NI / AVX10 / VAES crypto improvements
(arch/x86/crypto/) - v4l2loopback driver - Subset of mm/include hooks Patches
DROPPED, with reasons: - drivers/cpuidle/governors/{teo,menu}.c: gentoo-sources has
newer governor logic; keeping pf's would regress. - The vast 'minor fixes' overlap
is already in linux-stable's 6.18.X backports. Users wanting full pf identity can
stay on pf-sources-6.18_p6-r1 (GA-frozen). The -r70 path prioritizes linux-stable
security tracking.

commit f42639c67569edd858e15714af24e8721fe9bbb4
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Sun May 3 23:06:56 2026 +0200

sys-kernel/pf-sources: add 6.19_p5-r70, gentoo-sources base + curated pf delta

Same approach as 6.1_p6-r70 / 6.6_p6-r70 / 6.12_p4-r70: vanilla 6.19.tar.xz + Gentoo
genpatches (K_GENPATCHES_VER=13, matching gentoo-sources-6.19.14) + curated pf delta.
CVE backports auto-arrive with each linux-stable bump. Validated: source prepared
cleanly, post-prepare af_alg_pull_tsgl is the 3-param form (CVE-2026-31431 closed via
stable backport in 6.19.12), pf identity present (X86_64_ISA_LEVEL Kconfig + cflag
plumbing, BBRv3, TEO cpuidle, v4l2loopback, ovpn data-channel offload). 6.19 is the
youngest active branch and pf-only set is much smaller (34 files / 4k lines) than the
LTS slots — pf hasn't had time to accumulate 'minor fixes' that overlap with stable.
arch/x86/Kconfig.cpu, arch/x86/Makefile, drivers/cpuidle/governors/teo.c are all in
pf-only territory (no hand-port needed, unlike 6.1/6.6/6.12 LTS where stable also
touched arch/x86/). Curated pf features RETAINED: - BBRv3 TCP congestion control +
TCP rate/timer/output helpers - x86 ISA levels (X86_64_ISA_LEVEL=1..4) - TEO cpuidle
governor + haltpoll + governor helpers - zstd compression library updates -
v4l2loopback driver - ovpn (OpenVPN data-channel offload) updates - Subset of
fs/smb/client/ tweaks (cifsencrypt, smb2transport) Patches DROPPED, with reasons: -
kernel/futex/pi.c, kernel/sched/{core,sched.h}: gentoo-sources has newer helpers;
keeping pf's would regress. - The vast 'minor fixes' overlap is already in linux-
stable's 6.19.X backports. Users wanting full pf identity can stay on pf-
sources-6.19_p5-r1 (GA-frozen). The -r70 path prioritizes linux-stable security
tracking.

commit d63946de898f274d05f9d2c350e970392469be0d
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Sun May 3 22:44:41 2026 +0200

sys-kernel/pf-sources: add 6.12_p4-r70, gentoo-sources base + curated pf delta

Same approach as 6.1_p6-r70 / 6.6_p6-r70: vanilla 6.12.tar.xz + Gentoo genpatches
(K_GENPATCHES_VER=90, matching gentoo-sources-6.12.85) + curated pf delta. CVE
backports auto-arrive with each linux-stable bump. Validated: source prepared
cleanly, post-prepare af_alg_pull_tsgl is the 3-param form (CVE-2026-31431 closed via
stable backport in 6.12.85), pf identity present (X86_64_ISA_LEVEL Kconfig + cflag
plumbing in arch/x86/Makefile, BBRv3, v4l2loopback). Curated pf patchset is 112 files
/ 26.3k lines. Note: 1 pf-touched file (arch/arm64/tools/syscall_64.tbl) is a
symlink to scripts/syscall.tbl in gentoo-sources-6.12.85; gpatch refuses to write
through symlinks. Stripped from the consolidated patch since scripts/syscall.tbl
carries the same content via the symlink target. Curated pf features RETAINED: -
BBRv3 TCP congestion control + Kconfig - x86 ISA levels (X86_64_ISA_LEVEL=1..4) -
zstd compression library bump - v4l2loopback driver - DDCCI / DDCCI-backlight drivers
- syscall.tbl additions across architectures - vmlinux.lds.S section additions
Patches DROPPED, with reasons: - fs/cifs/* + fs/ksmbd/* if any: linux-stable
backported the fs/cifs -> fs/smb/{client,server} rename + substantial code rework.
pf's pre-rewrite patches are obsolete; stable's rework supersedes them. -
kernel/futex/{core,syscalls}.c: mostly comment wording differences. - kernel/sched/*
tweaks: gentoo-sources has newer scheduler helpers (uclamp/thermal handling).
Keeping pf's older form would regress, not improve, scheduler behaviour. Users
wanting full pf identity can stay on pf-sources-6.12_p4-r2 (GA-frozen + per-CVE
surgical). The -r70 path prioritizes linux-stable security tracking over pf-purity.

commit ebbf9c87e669caa60536118e77204df7f52d194d
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Sun May 3 22:18:58 2026 +0200

sys-kernel/pf-sources: add 6.6_p6-r70, gentoo-sources base + curated pf delta

Same approach as 6.1_p6-r70: vanilla 6.6.tar.xz + Gentoo genpatches
(K_GENPATCHES_VER=144, matching gentoo-sources-6.6.137) + curated pf delta. CVE
backports auto-arrive with each linux-stable bump. Validated: source prepared
cleanly, post-prepare af_alg_pull_tsgl is the 3-param form (CVE-2026-31431 closed),
pf identity present (BBRv3, GENERIC_CPU2/3/4 = x86-64-v2/v3/v4 ISA levels in
arch/x86/Kconfig.cpu, v4l2loopback driver). Curated pf patchset is 87 files / 22.7k
lines. Curated pf features RETAINED: - BBRv3 TCP congestion control + Kconfig - x86
generic ISA levels (GENERIC_CPU2/3/4) - zstd compression library bump - v4l2loopback
driver - DDCCI / DDCCI-backlight drivers - syscall.tbl additions across architectures
- vmlinux.lds.S section additions Patches DROPPED, with reasons: - fs/cifs/* +
fs/ksmbd/*: linux-stable backported the fs/cifs -> fs/smb/{client,server} rename +
substantial code rework. pf's pre-rewrite patches are obsolete; stable's rework
supersedes them. - kernel/futex/{core,syscalls}.c: mostly comment wording
differences; functional additions not worth per-bump merge cost. -
kernel/sched/{core,fair,deadline,rt,topology}.c: gentoo-sources has newer scheduler
helpers (uclamp/thermal handling). Keeping pf's older form would regress, not
improve, scheduler behaviour. Users wanting full pf identity can stay on pf-
sources-6.6_p6-r2 (GA-frozen + per-CVE surgical). The -r70 path prioritizes linux-
stable security tracking over pf-purity.

commit 03db0618792525fa252fed884b7f8051953cda47
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Sun May 3 21:58:33 2026 +0200

sys-kernel/pf-sources: add 6.1_p6-r70, gentoo-sources base + curated pf delta

This revision is fundamentally different from pf-sources-6.1_p6{,-r1,-r2}. Instead of
fetching pf-kernel/codeberg's GA-only sourcetree, it builds on top of the same
vanilla 6.1.tar.xz + Gentoo genpatches stack that gentoo-sources-6.1.170 uses, then
applies a curated subset of natalenko's pf-kernel delta on top. CVE backports now
arrive automatically with each linux-stable bump; the per-CVE patches we previously
carried in files/ no longer apply against this base. Validated: source prepared
cleanly (vanilla 6.1 -> +180 genpatches stable -> +genpatches non-stable -> +curated
pf delta, no fuzz/conflicts in any phase). Post-prepare af_alg_pull_tsgl signature is
the 3-param form (so CVE-2026-31431 is closed by stable's backport), and pf identity
features verified present (BBRv3, MZEN3/MK8SSE3 in arch/x86/Kconfig.cpu, v4l2loopback
driver). Curated pf features RETAINED from natalenko's patchset (97 files, 32k
lines, applies on a fresh gentoo-sources-6.1.170 tree with zero offsets): - BBRv3 TCP
congestion control + Kconfig - x86 ISA levels (MK8SSE3, MK10, MBARCELONA, MZEN/2/3,
MNATIVE_INTEL, MNATIVE_AMD, etc.) - zstd compression library bump - v4l2loopback
driver - DDCCI / DDCCI-backlight drivers - syscall.tbl additions across architectures
- vmlinux.lds.S section additions Patches DROPPED from natalenko's patchset, with
reasons: - fs/cifs/* + fs/ksmbd/* (29 files): linux-stable backported the fs/cifs
-> fs/smb/{client,server} rename together with substantial code rework. pf's pre-
rewrite patches are obsolete; even after mechanical path rewriting, 90% of hunks
fail because stable's rework supersedes them. - kernel/futex/{core,syscalls}.c:
most differences were just comment wording in handle_futex_death(); the one real
functional addition (futex_parse_waitv before futex_wait_multiple) wasn't worth the
per-bump merge cost. - kernel/sched/{core,fair,psi}.c: gentoo-sources has newer
scheduler helpers (e.g. util_fits_cpu replacing task_fits_capacity, with full
uclamp/thermal handling). Keeping pf's older form would regress, not improve,
scheduler behaviour. Users who specifically need pf-kernel's full scheduler
heuristics, futex2 extensions, or the pre-rewrite SMB stack can stay on pf-
sources-6.1_p6-r2 (GA-frozen + per-CVE surgical patches). The -r70 path is for users
who prioritize linux-stable security tracking over pf-purity.

commit 78985a3be3e5e581d1e02452a7b369abbe1f6ceb
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Sun May 3 19:20:44 2026 +0200

sys-kernel/pf-sources: add 6.1_p6-r2, patch CVE-2026-31431 + CVE-2026-43037/43038 (LTS)

Carry two cumulative diffs (v6.1 → v6.1.170) on top of natalenko's
v6.1.0 + pf source — same shape as the original 6.1_p6-r2 design,
extended to cover the IPv6 cb[] surgical fixes alongside Copy Fail:

* CVE-2026-31431 — Copy Fail (algif_aead). Backport landed in
6.1.170. Cumulative over crypto/{af_alg,algif_aead,algif_skcipher}.c
+ include/crypto/if_alg.h.
* CVE-2026-43037 — ip6_tunnel ip4ip6_err() (mainline 2edfa31769a4).
Stack OOB write via cb[] type confusion. Backport landed in
6.1.168. CVSS 9.8 net.
* CVE-2026-43038 — ipv6 icmp ip6_err_gen_icmpv6_unreach()
(mainline 86ab3e55673a). OOB read via the same cb[] pattern.
Backport landed in 6.1.168. CVSS 9.8 net.

The surgical mainline patches' context targets a later 6.1.X codebase
and does not match v6.1.0 + pf, so cumulative is the only viable form
for this LTS slot. The two cumulatives are restricted to the affected
files only (4 crypto + 2 net = 6 files) so they don't drag the rest of
linux-stable into the build. Verified by 'ebuild ... prepare':
post-prepare source carries memset(IPCB(skb2),...) at ip6_tunnel.c:605
and memset(IP6CB(skb2),...) at icmp.c:681.

commit eaf9d82ca3d3dff6b391929f0eb8414610058900
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Sun May 3 18:28:49 2026 +0200

sys-kernel/pf-sources: add 6.12_p4-r2, patch CVE-2026-31431 + CVE-2026-43037/43038 (LTS)

Carry two cumulative diffs (v6.12 → v6.12.85) on top of natalenko's
v6.12.0 + pf source — same shape as the original 6.12_p4-r2 design,
extended to cover the IPv6 cb[] surgical fixes alongside Copy Fail:

* CVE-2026-31431 — Copy Fail (algif_aead). Backport landed in
6.12.85. Cumulative over crypto/{af_alg,algif_aead,algif_skcipher}.c
+ include/crypto/if_alg.h.
* CVE-2026-43037 — ip6_tunnel ip4ip6_err() (mainline 2edfa31769a4).
Stack OOB write via cb[] type confusion. Backport landed in
6.12.81. CVSS 9.8 net.
* CVE-2026-43038 — ipv6 icmp ip6_err_gen_icmpv6_unreach()
(mainline 86ab3e55673a). OOB read via the same cb[] pattern.
Backport landed in 6.12.81. CVSS 9.8 net.

The surgical mainline patches' context targets a later 6.12.X codebase
and does not match v6.12.0 + pf, so cumulative is the only viable form.
The two cumulatives are restricted to the affected files only (4
crypto + 2 net = 6 files). Verified by 'ebuild ... prepare':
post-prepare source carries memset(IPCB(skb2),...) at ip6_tunnel.c
and memset(IP6CB(skb2),...) at icmp.c.

commit 8537a39cffef26fbc2969589a5d9af4ba462ddca
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Sun May 3 18:14:50 2026 +0200

sys-kernel/pf-sources: add 6.6_p6-r2, patch CVE-2026-31431 + CVE-2026-43037/43038 (LTS)

Carry two cumulative diffs (v6.6 → v6.6.137) on top of natalenko's
v6.6.0 + pf source — same shape as the original 6.6_p6-r2 design,
extended to cover the IPv6 cb[] surgical fixes alongside Copy Fail:

* CVE-2026-31431 — Copy Fail (algif_aead). Backport landed in
6.6.137. Cumulative over crypto/{af_alg,algif_aead,algif_skcipher}.c
+ include/crypto/if_alg.h.
* CVE-2026-43037 — ip6_tunnel ip4ip6_err() (mainline 2edfa31769a4).
Stack OOB write via cb[] type confusion. Backport landed in
6.6.134. CVSS 9.8 net.
* CVE-2026-43038 — ipv6 icmp ip6_err_gen_icmpv6_unreach()
(mainline 86ab3e55673a). OOB read via the same cb[] pattern.
Backport landed in 6.6.134. CVSS 9.8 net.

The surgical mainline patches' context targets a later 6.6.X codebase
and does not match v6.6.0 + pf, so cumulative is the only viable form.
The two cumulatives are restricted to the affected files only (4
crypto + 2 net = 6 files). Verified by 'ebuild ... prepare':
post-prepare source carries memset(IPCB(skb2),...) at ip6_tunnel.c
and memset(IP6CB(skb2),...) at icmp.c.

commit 4a02877a1020abd355bcac98542095e1d9b9543e
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Sun May 3 17:00:26 2026 +0200

sys-kernel/pf-sources: add 6.16_p5-r1, patch CVE-2026-31431 + CVE-2026-43037/43038

Carry the upstream algif_aead in-place revert (a664bf3d603d) plus the
two related IPv6 cb[] surgical fixes from Eric Dumazet's
20260326155138.2429480-1 patchset:

* CVE-2026-31431 — Copy Fail (algif_aead). Local LPE.
* CVE-2026-43037 — ip6_tunnel ip4ip6_err() (mainline 2edfa31769a4).
Stack OOB write via cb[] type confusion. CVSS 9.8 net.
* CVE-2026-43038 — ipv6 icmp ip6_err_gen_icmpv6_unreach() (mainline
86ab3e55673a). OOB read via the same cb[] pattern. CVSS 9.8 net.

All three apply cleanly to v6.16.0 + pf. 6.16 has no continuing
linux-stable line; this -r1 is the only patched 6.16 path the overlay
ships. Verified by 'ebuild ... prepare'.

commit 8923ab98fa7a88e7bc43aca03c5b216049166c14
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Sun May 3 16:59:33 2026 +0200

sys-kernel/pf-sources: add 6.17_p4-r1, patch CVE-2026-31431 + CVE-2026-43037/43038

Carry the upstream algif_aead in-place revert (a664bf3d603d) plus the
two related IPv6 cb[] surgical fixes from Eric Dumazet's
20260326155138.2429480-1 patchset:

* CVE-2026-31431 — Copy Fail (algif_aead). Local LPE.
* CVE-2026-43037 — ip6_tunnel ip4ip6_err() (mainline 2edfa31769a4).
Stack OOB write via cb[] type confusion. CVSS 9.8 net.
* CVE-2026-43038 — ipv6 icmp ip6_err_gen_icmpv6_unreach() (mainline
86ab3e55673a). OOB read via the same cb[] pattern. CVSS 9.8 net.

All three apply cleanly to v6.17.0 + pf. 6.17 has no continuing
linux-stable line; this -r1 is the only patched 6.17 path the overlay
ships. Verified by 'ebuild ... prepare'.

commit 1ff419976ca84ab3b5a60a64e11279158d9eaaf1
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Sun May 3 16:58:03 2026 +0200

sys-kernel/pf-sources: add 6.18_p6-r1, patch CVE-2026-31431 + CVE-2026-43037/43038

Carry the upstream algif_aead in-place revert (a664bf3d603d) plus the
two related IPv6 cb[] surgical fixes from Eric Dumazet's
20260326155138.2429480-1 patchset:

* CVE-2026-31431 — Copy Fail (algif_aead). Local LPE.
* CVE-2026-43037 — ip6_tunnel ip4ip6_err() (mainline 2edfa31769a4).
Stack OOB write via cb[] type confusion. CVSS 9.8 net.
* CVE-2026-43038 — ipv6 icmp ip6_err_gen_icmpv6_unreach() (mainline
86ab3e55673a). OOB read via the same cb[] pattern. CVSS 9.8 net.

All three apply cleanly to v6.18.0 + pf. linux-stable backported them
into 6.18.22 but pf-kernel is GA-only by design and never picks up
linux-stable. Verified by 'ebuild ... prepare'.

commit 219cf74c679d09a7e806bae60efae85ee48019fe
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Sun May 3 16:55:54 2026 +0200

sys-kernel/pf-sources: add 6.19_p5-r1, patch CVE-2026-31431 + CVE-2026-43037/43038

Carry the upstream algif_aead in-place revert (a664bf3d603d) as a local files/ patch;
pf-kernel is GA-only by design and never picks up the linux-stable 6.19.12 backport.
Verified by 'ebuild ... prepare': patch applies cleanly and post-prepare
af_alg_pull_tsgl signature is the 3-param form.

Bundle two more 9.8-critical IPv6 surgical fixes from the same linux-stable
6.19.12 backport batch (Eric Dumazet patchset 20260326155138.2429480-1):

* CVE-2026-43037 — ip6_tunnel: clear skb2->cb[] in ip4ip6_err()
Mainline 2edfa31769a4. Stack OOB write via inet6_skb_parm /
inet_skb_parm cb[] type confusion on cloned skb.

* CVE-2026-43038 — ipv6: icmp: clear skb2->cb[] in
ip6_err_gen_icmpv6_unreach(). Mainline 86ab3e55673a. OOB read via
the same cb[] type-confusion pattern, reachable via forged ICMPv4
error with CIPSO IP option.

Both apply cleanly to v6.19.0 + pf and clear the same GA-only gap as
CVE-2026-31431. Verified by 'ebuild ... prepare'.

commit 4b6569bf28ca641351d4afd14805fa9d7a231f21
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Thu Apr 30 10:36:40 2026 +0200

sys-kernel/pf-sources: add 7.0_p2

Signed-off-by: Ivan S. Titov <iohann.s.titov@gmail.com>

commit 2510770d920606b2a6f11ba245b4fb6a953a191b
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Sat Apr 25 12:54:17 2026 +0200

sys-kernel/pf-sources: drop dead mpagano fallback from SRC_URI

Replace the eclass-supplied $ (which expands to both
~alicef and ~mpagano paths) with explicit ~alicef-only URLs.
~mpagano/dist/genpatches/ has been 404 across the board for a long
time, and pkgcheck --net flags it as a DeadUrl on every pf-sources
ebuild that used $. ~alicef is the live primary, so
fetches succeeded already; this just stops asking the dead one.

The eclass's UNIPATCH_LIST_GENPATCHES still finds the tarballs in
DISTDIR by filename, so src_unpack/src_prepare are unaffected.

Touched: 6.12_p4-r1, 6.15_p6-r1, 6.16_p5, 6.17_p4, 6.18_p6,
6.19_p5, 7.0_p1.

commit 433f71511c128576cc76a2c86236cff979796505
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Sat Apr 25 12:38:02 2026 +0200

sys-kernel/pf-sources: drop 15 originals superseded by r1 counterparts

Each dropped slot now has a working -r1 ebuild that supersedes it.
Most originals were unfetchable (their genpatches-X-1.{base,extras}
distfiles got pruned from gentoo distfiles after gentoo-sources
stopped carrying the branch, and from alicef's release tarballs);
6.1_p6 still fetched via the eclass-supplied alicef dist/ fallback
even though its hardcoded SRC_URI line was 404; 6.15_p6's gp=8
distfiles were still reachable on alicef. Either way, all 15 are
fully redundant with their r1s.

Dropped: 6.1_p6, 6.2_p7, 6.3_p5, 6.4_p6, 6.5_p6, 6.6_p6, 6.7_p7,
6.8_p9, 6.9_p6, 6.10_p4, 6.11_p4, 6.12_p4, 6.13_p6, 6.14_p6,
6.15_p6.

Manifest cleanup: removes 30 stale genpatches DIST entries (the
unfetchable .base / .extras tarball pairs the originals referenced).
Kernel-source DIST entries (linux-X.Y-pfN.tar.gz) stay because the
r1 ebuilds reference the same files.

commit 6d8811e275d5c17fa945aa7a77d1ffceeb9fa62e
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Sat Apr 25 12:34:20 2026 +0200

sys-kernel/pf-sources: add 6.14_p6-r1, per-patch SRC_URI from genpatches trunk

Resurrect the 6.14 slot. The original 6.14_p6 ebuild's distfiles
(genpatches-6.14-8.{base,extras}.tar.xz) are no longer hosted —
gentoo distfiles dropped them when gentoo-sources stopped carrying
6.14, and alicef's release tarballs for this branch are gone.

Strategy choice: per-patch SRC_URI / many DIST entries / no
vendoring, sourced from alicef's live genpatches trunk dir
(https://dev.gentoo.org/~alicef/genpatches/trunk/6.14/).

Skips 1740_x86-insn-decoder-test-allow-longer-symbol-names.patch
(same incompatibility as 6.13_p6-r1: expects later-stable state in
arch/x86/tools/insn_decoder_test.c that v6.14-pf6 does not match).
The remaining 11 base+extras patches all apply cleanly.

commit 19b50b0f6a875b58489a8582418b9e77753c37a5
Author: Ivan S. Titov <iohann.s.titov@gmail.com>
Date: Sat Apr 25 12:32:53 2026 +0200

sys-kernel/pf-sources: add 6.13_p6-r1, per-patch SRC_URI from genpatches trunk

Resurrect the 6.13 slot. The original 6.13_p6 ebuild's distfiles
(genpatches-6.13-7.{base,extras}.tar.xz) are no longer hosted —
gentoo distfiles dropped them when gentoo-sources stopped carrying
6.1