sys-kernel/hardened-kernel: bump to v6.14.8

Add restrict-fs-causes-bpf-verifier.patch:
systemd's restrict-fs causes bpf verifier to fail due to 32bit sign extend
See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=119731

sys-kernel/hardened-kernel/files/linux-6.14/1189_restrict-fs-causes-bpf-verifier.patch

@@ -0,0 +1,23 @@
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 9000806ee..206cf1fb5 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -14029,11 +14029,13 @@ static void scalar_min_max_arsh(struct bpf_reg_state *dst_reg,
+ 	dst_reg->umin_value = 0;
+ 	dst_reg->umax_value = U64_MAX;
+ 
+-	/* Its not easy to operate on alu32 bounds here because it depends
+-	 * on bits being shifted in from upper 32-bits. Take easy way out
+-	 * and mark unbounded so we can recalculate later from tnum.
+-	 */
+-	__mark_reg32_unbounded(dst_reg);
++	/* When shifting, we track the signed 32bit values as the new value of 64bit values.  */
++	dst_reg->s32_min_value = dst_reg->smin_value;
++	dst_reg->s32_max_value = dst_reg->smax_value;
++
++	/* If the truncation of the min/max for 32bit is different, just mark it as unbounded.  */
++	if (dst_reg->s32_min_value != dst_reg->smin_value || dst_reg->s32_max_value != dst_reg->smax_value)
++		__mark_reg32_unbounded (dst_reg);
+ 	__update_reg_bounds(dst_reg);
+ }
+