diff --git a/Makefile.rhelver b/Makefile.rhelver
index 89cdbf4ea..c6bac109a 100644
--- a/Makefile.rhelver
+++ b/Makefile.rhelver
@@ -12,7 +12,7 @@ RHEL_MINOR = 8
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 629
+RHEL_RELEASE = 630
 
 #
 # ZSTREAM
diff --git a/dracut-virt.conf b/dracut-virt.conf
index dfe2b9087..f8a6ca4a4 100644
--- a/dracut-virt.conf
+++ b/dracut-virt.conf
@@ -17,6 +17,11 @@ dracutmodules+=" crypt crypt-loop tpm2-tss systemd-pcrphase "
 # modules: root disk integrity protection
 dracutmodules+=" systemd-veritysetup "
 
+# modules: root creation and encryption
+dracutmodules+=" systemd-repart "
+# FIXME: remove this once RHEL-103385 is merged
+install_items+=" /usr/sbin/mkfs.vfat /usr/sbin/mkfs.ext4 /usr/sbin/mkfs.xfs "
+
 # modules: FIPS
 dracutmodules+=" fips "
 # FIPS mode requires early crypto drivers test
diff --git a/kernel.changelog b/kernel.changelog
index f6c9bbd91..97742137c 100644
--- a/kernel.changelog
+++ b/kernel.changelog
@@ -1,3 +1,16 @@
+* Sat Oct 25 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-630.el9]
+- crypto: xts - Handle EBUSY correctly (CKI Backport Bot) [RHEL-119237] {CVE-2023-53494}
+- xfrm: use kfree_sensitive() for SA secret zeroization (Sabrina Dubroca) [RHEL-115629]
+- espintcp: remove encap socket caching to avoid reference leak (Sabrina Dubroca) [RHEL-115629]
+- espintcp: fix skb leaks (Sabrina Dubroca) [RHEL-115629]
+- ext4: goto right label 'out_mmap_sem' in ext4_setattr() (Brian Foster) [RHEL-109217]
+- mm: zero range of eof folio exposed by inode size extension (Brian Foster) [RHEL-109217]
+- mm: convert pagecache_isize_extended to use a folio (Brian Foster) [RHEL-109217]
+- ext4: partial zero eof block on unaligned inode size extension (Brian Foster) [RHEL-109217]
+- ext4: do not mark inode dirty every time when appending using delalloc (Brian Foster) [RHEL-109217]
+- uki-virt: add systemd-repart module (Emanuele Giuseppe Esposito) [RHEL-107273]
+Resolves: RHEL-107273, RHEL-109217, RHEL-115629, RHEL-119237
+
 * Thu Oct 23 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-629.el9]
 - kexec_core: accept unaccepted kexec segments' destination addresses (Baoquan He) [RHEL-114163]
 - crash: fix spelling mistake "crahskernel" -> "crashkernel" (Baoquan He) [RHEL-114163]
diff --git a/kernel.spec b/kernel.spec
index 3a91068be..e11f95b4e 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -165,15 +165,15 @@ Summary: The Linux kernel
 # define buildid .local
 %define specversion 5.14.0
 %define patchversion 5.14
-%define pkgrelease 629
+%define pkgrelease 630
 %define kversion 5
-%define tarfile_release 5.14.0-629.el9
+%define tarfile_release 5.14.0-630.el9
 # This is needed to do merge window version magic
 %define patchlevel 14
 # This allows pkg_release to have configurable %%{?dist} tag
-%define specrelease 629%{?buildid}%{?dist}
+%define specrelease 630%{?buildid}%{?dist}
 # This defines the kabi tarball version
-%define kabiversion 5.14.0-629.el9
+%define kabiversion 5.14.0-630.el9
 
 #
 # End of genspec.sh variables
@@ -754,6 +754,8 @@ BuildRequires: lvm2
 BuildRequires: systemd-boot-unsigned
 # For systemd-pcrphase
 BuildRequires: systemd-udev >= 252-1
+# For systemd-repart
+BuildRequires: xfsprogs e2fsprogs dosfstools
 # For UKI kernel cmdline addons
 BuildRequires: systemd-ukify
 # For TPM operations in UKI initramfs
@@ -3692,6 +3694,18 @@ fi
 #
 #
 %changelog
+* Sat Oct 25 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-630.el9]
+- crypto: xts - Handle EBUSY correctly (CKI Backport Bot) [RHEL-119237] {CVE-2023-53494}
+- xfrm: use kfree_sensitive() for SA secret zeroization (Sabrina Dubroca) [RHEL-115629]
+- espintcp: remove encap socket caching to avoid reference leak (Sabrina Dubroca) [RHEL-115629]
+- espintcp: fix skb leaks (Sabrina Dubroca) [RHEL-115629]
+- ext4: goto right label 'out_mmap_sem' in ext4_setattr() (Brian Foster) [RHEL-109217]
+- mm: zero range of eof folio exposed by inode size extension (Brian Foster) [RHEL-109217]
+- mm: convert pagecache_isize_extended to use a folio (Brian Foster) [RHEL-109217]
+- ext4: partial zero eof block on unaligned inode size extension (Brian Foster) [RHEL-109217]
+- ext4: do not mark inode dirty every time when appending using delalloc (Brian Foster) [RHEL-109217]
+- uki-virt: add systemd-repart module (Emanuele Giuseppe Esposito) [RHEL-107273]
+
 * Thu Oct 23 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-629.el9]
 - kexec_core: accept unaccepted kexec segments' destination addresses (Baoquan He) [RHEL-114163]
 - crash: fix spelling mistake "crahskernel" -> "crashkernel" (Baoquan He) [RHEL-114163]
diff --git a/sources b/sources
index fa4d60214..569f07c2b 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (linux-5.14.0-629.el9.tar.xz) = 1a1f8dea89d266ff2e892135f521865b92fe18dd9724d2e12f59044fce27a398aff7b07249a4b0d3ceb7174003c1a4a8d986e9a54f29197112a1ed0adf09c8da
-SHA512 (kernel-abi-stablelists-5.14.0-629.el9.tar.bz2) = 384486e03394350338293e9931bd9b69160f5b328236a4663d00c3908d708c1c9289d1bfdf4834623497bf15ddeb119639b4308f25ae400601aaae079f016289
-SHA512 (kernel-kabi-dw-5.14.0-629.el9.tar.bz2) = ac252ee4a781e2d8c8ba053e7fb390de96620e6dab43b06f8bf0c67de9a132af5d3ab32f7d6d09936165479d0d9dc93a6c6d5e33bf13dbc785787cda7a97c3bc
+SHA512 (linux-5.14.0-630.el9.tar.xz) = 3fed1a836d1550cc0d53a25719e9d76d1bb74f77ae60bd7cefa8aafd8a1578b07c8fd33357f50c4b7c974c859e7bd40a374f0e04318269491faf7a921c8ced4e
+SHA512 (kernel-abi-stablelists-5.14.0-630.el9.tar.bz2) = 7cb3140929e251d58fc621b7e10f2fedf5cea61c5d67c3bcb7f47eaa61c2100ba940b7d44070dcf4c99f43a26c83b2041aa9bc7330106ce5b0338ec3719d6e1f
+SHA512 (kernel-kabi-dw-5.14.0-630.el9.tar.bz2) = 9dd76e1e999abd3b9c64ec645bccab7a42b6e38698fcb375ff636b2cc35517b0d9c9e4b40ad0e1f8de74ef98586d2eae762a88b9708ae93e9e78d9c437acf2ad