TEST TEST TEST PR Checker

.github/workflows/pr-commit-processing.yml

@@ -0,0 +1,167 @@
+name: PR Commit Processing
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  commit-validation:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout kernel-src-tree
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ github.head_ref }}
+
+      - name: Fetch base branch
+        run: |
+          git fetch origin ${{ github.base_ref }}:${{ github.base_ref }}
+
+      - name: Checkout kernel-src-tree-tools
+        uses: actions/checkout@v4
+        with:
+          repository: ctrliq/kernel-src-tree-tools
+          ref: '{jmaple}_pr_jira_test'
+          path: kernel-src-tree-tools
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install jira
+
+      # ============================================================
+      # Step 1: Upstream Commit Check
+      # ============================================================
+
+      - name: Download check_kernel_commits.py
+        run: |
+          curl -sL \
+            https://raw.githubusercontent.com/ctrliq/kernel-src-tree-tools/mainline/check_kernel_commits.py \
+            -o check_kernel_commits.py
+          chmod +x check_kernel_commits.py
+
+      - name: Run upstream fixes check
+        id: checkkernel
+        run: |
+          python3 check_kernel_commits.py --repo . --pr_branch "${{ github.head_ref }}" --base_branch "${{ github.base_ref }}" --markdown | tee result.txt
+          # Save non-empty results for PR comment
+          if grep -q -v "All referenced commits exist upstream and have no Fixes: tags." result.txt; then
+            echo "has_findings=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Comment on PR if upstream issues found
+        if: steps.checkkernel.outputs.has_findings == 'true'
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh pr comment ${{ github.event.pull_request.number }} \
+            --body "$(cat result.txt)" \
+            --repo ${{ github.repository }}
+
+      # ============================================================
+      # Step 2: JIRA PR Check
+      # ============================================================
+
+      - name: Mask JIRA credentials
+        run: |
+          echo "::add-mask::${{ secrets.JIRA_API_USER }}"
+          echo "::add-mask::${{ secrets.JIRA_API_TOKEN }}"
+
+      - name: Run JIRA PR Check
+        id: jira_check
+        continue-on-error: true
+        env:
+          JIRA_URL: ${{ secrets.JIRA_URL }}
+          JIRA_API_USER: ${{ secrets.JIRA_API_USER }}
+          JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
+        run: |
+          cd kernel-src-tree-tools
+
+          # Run script and capture output, ensuring credentials are never echoed
+          set +x  # Disable command echo to prevent credential exposure
+          set +e  # Don't exit on error, we want to capture the output
+          OUTPUT=$(python3 jira_pr_check.py \
+            --jira-url "${JIRA_URL}" \
+            --jira-user "${JIRA_API_USER}" \
+            --jira-key "${JIRA_API_TOKEN}" \
+            --kernel-src-tree .. \
+            --merge-target ${{ github.base_ref }} \
+            --pr-branch ${{ github.head_ref }} 2>&1)
+          EXIT_CODE=$?
+
+          # Filter out any potential credential leaks from output
+          FILTERED_OUTPUT=$(echo "$OUTPUT" | grep -v "jira-user\|jira-key\|basic_auth\|Authorization" || true)
+
+          echo "$FILTERED_OUTPUT"
+          echo "output<<EOF" >> $GITHUB_OUTPUT
+          echo "$FILTERED_OUTPUT" >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+
+          # Check if there are any issues based on output patterns
+          if echo "$FILTERED_OUTPUT" | grep -q "❌ Errors:"; then
+            echo "has_issues=true" >> $GITHUB_OUTPUT
+
+            # Check specifically for LTS mismatch errors
+            if echo "$FILTERED_OUTPUT" | grep -q "expects branch"; then
+              echo "has_lts_mismatch=true" >> $GITHUB_OUTPUT
+            else
+              echo "has_lts_mismatch=false" >> $GITHUB_OUTPUT
+            fi
+          elif echo "$FILTERED_OUTPUT" | grep -q "⚠️ Warnings:"; then
+            echo "has_issues=true" >> $GITHUB_OUTPUT
+            echo "has_lts_mismatch=false" >> $GITHUB_OUTPUT
+          else
+            echo "has_issues=false" >> $GITHUB_OUTPUT
+            echo "has_lts_mismatch=false" >> $GITHUB_OUTPUT
+          fi
+
+          # Exit with the script's exit code
+          exit $EXIT_CODE
+
+      - name: Comment PR with JIRA issues
+        if: steps.jira_check.outputs.has_issues == 'true'
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const output = process.env.CHECK_OUTPUT;
+
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: output
+            });
+        env:
+          CHECK_OUTPUT: ${{ steps.jira_check.outputs.output }}
+
+      - name: Request changes if LTS mismatch
+        if: steps.jira_check.outputs.has_lts_mismatch == 'true'
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            github.rest.pulls.createReview({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: context.issue.number,
+              event: 'REQUEST_CHANGES',
+              body: '⚠️ This PR contains VULN tickets that do not match the target LTS product. Please review the JIRA ticket assignments and ensure they match the merge target branch.'
+            });
+
+      - name: Fail workflow if JIRA errors found
+        if: steps.jira_check.outcome == 'failure'
+        run: |
+          echo "❌ JIRA PR check failed - errors were found in one or more commits"
+          exit 1

fs/nfs/export.c

@@ -66,14 +66,21 @@ nfs_fh_to_dentry(struct super_block *sb, struct fid *fid,
 {
 	struct nfs_fattr *fattr = NULL;
 	struct nfs_fh *server_fh = nfs_exp_embedfh(fid->raw);
-	size_t fh_size = offsetof(struct nfs_fh, data) + server_fh->size;
+	size_t fh_size = offsetof(struct nfs_fh, data);
 	const struct nfs_rpc_ops *rpc_ops;
 	struct dentry *dentry;
 	struct inode *inode;
-	int len = EMBED_FH_OFF + XDR_QUADLEN(fh_size);
+	int len = EMBED_FH_OFF;
 	u32 *p = fid->raw;
 	int ret;
 
+	/* Initial check of bounds */
+	if (fh_len < len + XDR_QUADLEN(fh_size) ||
+	    fh_len > XDR_QUADLEN(NFS_MAXFHSIZE))
+		return NULL;
+	/* Calculate embedded filehandle size */
+	fh_size += server_fh->size;
+	len += XDR_QUADLEN(fh_size);
 	/* NULL translates to ESTALE */
 	if (fh_len < len || fh_type != len)
 		return NULL;

net/sched/sch_hfsc.c

@@ -964,6 +964,7 @@ hfsc_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
 
 	if (cl != NULL) {
 		int old_flags;
+		int len = 0;
 
 		if (parentid) {
 			if (cl->cl_parent &&
@@ -994,9 +995,13 @@ hfsc_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
 		if (usc != NULL)
 			hfsc_change_usc(cl, usc, cur_time);
 
+		if (cl->qdisc->q.qlen != 0)
+			len = qdisc_peek_len(cl->qdisc);
+		/* Check queue length again since some qdisc implementations
+		 * (e.g., netem/codel) might empty the queue during the peek
+		 * operation.
+		 */
 		if (cl->qdisc->q.qlen != 0) {
-			int len = qdisc_peek_len(cl->qdisc);
-
 			if (cl->cl_flags & HFSC_RSC) {
 				if (old_flags & HFSC_RSC)
 					update_ed(cl, len);

net/sctp/input.c

@@ -129,7 +129,7 @@ int sctp_rcv(struct sk_buff *skb)
 	 * it's better to just linearize it otherwise crc computing
 	 * takes longer.
 	 */
-	if ((!is_gso && skb_linearize(skb)) ||
+	if (((!is_gso || skb_cloned(skb)) && skb_linearize(skb)) ||
 	    !pskb_may_pull(skb, sizeof(struct sctphdr)))
 		goto discard_it;