From 468ac9c17e0a9bc5d3e927bf04695a55cd86ab88 Mon Sep 17 00:00:00 2001 From: Michal Hocko Date: Apr 19 2024 08:35:21 +0000 Subject: - scripts/check-kernel-fix: allow explicit git fixes - scripts/common-functions: change -f from flat mode to -f fixes and use -t for the flat mode. It seems that the security team is not using the flat mode anyway so we might drop it eventually. Let's keep it to play around, it is a trivial code anyway. -f "sha" now allows to specify explicit Fixes commit shas which would extend existing ones. --- diff --git a/scripts/check-kernel-fix b/scripts/check-kernel-fix index 538f908..21dd730 100755 --- a/scripts/check-kernel-fix +++ b/scripts/check-kernel-fix @@ -44,11 +44,14 @@ usage() echo " -v: verbose mode: show state of each branch and even NOP actions" echo " -r: refresh any cached data. Use if cve->sha or cve->cvss fails" echo " (git pull VULNS_GIT, cve, bsc medata)" - echo " -f: flat mode. Do not filter output based on cvss scoring or common" + echo " -t: flat mode. Do not filter output based on cvss scoring or common" echo " ancestors." echo " -s CVSS: override the CVSS score if known. This can be useful when" echo " the CVE->CVSS DB is not synced yet." echo " -b bsc#NUMBER: override the bugzilla number if known" + echo " -f sha: provide explicit Fixes tag. Use when the one in the commit is" + echo " unknown but you could figure it from the code inspection." + echo " Specify repeteadly if more are required" } branch= @@ -95,11 +98,14 @@ check_branch_state() { local branch="$1" local sha="$2" - shift 2 + local expl_fixes="$3" + shift 3 local references="$@" [ -z "$branch" ] && fail "check_branch_state: No branch provided" [ -z "$sha" ] && fail "check_branch_state: No sha provided" + # FIXME ugh + [ "$expl_fixes" = "none" ] && expl_fixes="" local patch= local base= 
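Review bot: The new `-f sha` help lines in usage() do not mention that `-f` used to select flat mode, so an existing command line such as `check-kernel-fix -f <sha>` now has its sha consumed as the option argument with no hint why. I would add one line saying that flat mode moved to `-t`, and fix the spelling to `"Specify repeatedly if more are required"`. It would also help to state the accepted form (an upstream commit id), since the value appears to be handed on to the git helpers as given.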
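Review bot: The `# FIXME ugh` comment above `[ "$expl_fixes" = "none" ] && expl_fixes=""` in check_branch_state() does not say what the placeholder stands for, and the same two lines are repeated in print_upstream_sha_summary() in scripts/common-functions. A comment such as `# "none" is the caller's placeholder for "no -f given"; map it back to an empty list` would make both copies readable. Also, `shift 3` fails when fewer than three arguments arrive, so any caller that still passes only branch and sha would break; only one caller is visible in this patch. The function body continues outside the hunk.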
@@ -141,9 +147,9 @@ check_branch_state() # Sha is not backported # Do we need to backport it because of the Fixes tag? - local sha_git_fixes=$(sha_get_upstream_git_fixes $sha) - if [ -n "$sha_git_fixes" ] ; then - local affected_by_git_fixes="$(affected_by_git_fixes "$branch" "$base" $sha_git_fixes)" + local sha_git_fixes="$(sha_get_upstream_git_fixes $sha)" + if [ -n "$sha_git_fixes" -o -n "$expl_fixes" ] ; then + local affected_by_git_fixes="$(affected_by_git_fixes "$branch" "$base" $sha_git_fixes $expl_fixes)" if [ -n "$affected_by_git_fixes" ] ; then print_branch_state "$msg_prefix:missing_patch:$affected_by_git_fixes" @@ -329,8 +335,9 @@ find_and_print_toplevel_actions() verbose_mode= quiet_mode= flat_mode=0 +expl_fixes="" -while getopts "hvrqfs:b:" OPT +while getopts "hvrqts:b:f:" OPT do case $OPT in h) @@ -346,7 +353,7 @@ do q) quiet_mode=1 ;; - f) + t) flat_mode=1 ;; s) @@ -354,10 +361,17 @@ do ;; b) bsc=$OPTARG + ;; + f) + expl_fixes="$expl_fixes $OPTARG" esac done +# Fixme: Ugh but we have to send this as a parameter to a function and it +# cannot be the last (implicit one) +[ -z "$expl_fixes" ] && expl_fixes="none" + shift "$(($OPTIND-1))" [ -n "$verbose_mode" ] && quiet_mode= @@ -378,7 +392,7 @@ if ! sha_in_upstream "$1" ; then fi fi -print_upstream_sha_summary $sha +print_upstream_sha_summary $sha "$expl_fixes" cve=$(sha2cve $sha $refresh) if [ -n "$cve" ] @@ -399,7 +413,7 @@ references="$cve $bsc" branches_conf="$(fetch_branches $refresh)" # Check state of each branch -for_each_build_branch "$branches_conf" check_branch_state $sha $references +for_each_build_branch "$branches_conf" check_branch_state $sha "$expl_fixes" $references # Newline after the dots showing progress [ -z "$quiet_mode" ] && echo diff --git a/scripts/common-functions b/scripts/common-functions index f5b8aee..11e01ff 100644 --- a/scripts/common-functions +++ b/scripts/common-functions 
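Review bot: The combined test `[ -n "$sha_git_fixes" -o -n "$expl_fixes" ]` uses `-o`, which POSIX marks obsolescent and which is ambiguous with this many operands; `if [ -n "$sha_git_fixes" ] || [ -n "$expl_fixes" ] ; then` is the unambiguous form. On the following line `$sha_git_fixes $expl_fixes` is presumably left unquoted on purpose to get one argument per sha. That also applies pathname expansion to the user-supplied part, so the `-f` value should be checked where it is parsed. The enclosing function starts and ends outside the hunk.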
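Review bot: The new `f)` arm appends `$OPTARG` to `expl_fixes` without any check, and that string is later word-split unquoted and passed to `affected_by_git_fixes` and `print_upstream_sha_info`. A value that starts with `-`, contains whitespace or glob characters, or is literally `none` (the placeholder set just below the loop) could therefore be misread further down. Rejecting anything that is not a hex commit id before appending covers all of these: `case "$OPTARG" in ''|*[!0-9a-fA-F]*) fail "-f expects a commit sha" ;; esac`, assuming `fail` is already defined at this point in the script. The arm also has no closing `;;`, which is legal for the last arm but easy to trip over when another option is added; the enclosing `case` starts outside the hunk.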
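Review bot: Passing `"$expl_fixes"` through `for_each_build_branch` as one quoted word only works if that helper forwards its arguments with `"$@"`. Its body is not visible here, but the need for the `none` placeholder suggests an empty argument may not survive the trip. If the arguments are re-split on the way, `-f a -f b` would reach check_branch_state() as two positionals, so `expl_fixes` gets `a` and `b` ends up in `references`. This is worth testing with two `-f` options, and a comment here such as `# expl_fixes must reach check_branch_state as exactly one argument` would record the constraint.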
@@ -172,11 +172,15 @@ print_upstream_sha_info() print_upstream_sha_summary() { local sha=$1 - local upstream_git=${2:-$LINUX_GIT} + local expl_fixes=$2 + local upstream_git=${3:-$LINUX_GIT} local has_fixes=0 + # FIXME ugh + [ "$expl_fixes" = "none" ] && expl_fixes="" + print_upstream_sha_info $sha $upstream_git - for fix in $(sha_get_upstream_git_fixes $1 $upstream_git) + for fix in $(sha_get_upstream_git_fixes $1 $upstream_git) $expl_fixes do echo -n "Fixes: " print_upstream_sha_info $fix $upstream_git
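Review bot: Inserting `expl_fixes` as `$2` of print_upstream_sha_summary() moves `upstream_git` to `$3`, so any existing caller that passes a git tree as the second argument would now have that path listed as a `Fixes:` commit and silently fall back to `$LINUX_GIT`. scripts/common-functions is presumably sourced by other scripts, and only the check-kernel-fix caller is updated in this patch. Keeping the old order, `local upstream_git=${2:-$LINUX_GIT}` followed by `local expl_fixes=$3`, stays compatible because `${2:-...}` already treats an empty second argument as unset, and as the last parameter it would not need the `none` placeholder. The caller would then be `print_upstream_sha_summary $sha "" "$expl_fixes"`. The loop body continues outside the hunk.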