[PATCH v3 0/4] A few round_pipe_size() and pipe-max-size fixups

[PATCH v3 0/4] A few round_pipe_size() and pipe-max-size fixups

[Joe Lawrence]

While backporting Michael's "pipe: fix limit handling" patchset to a
distro-kernel, Mikulas noticed that current upstream pipe limit handling
contains a few problems:

  1 - procfs signed wrap: echo'ing a large number into
      /proc/sys/fs/pipe-max-size and then cat'ing it back out shows a
      negative value.

  2 - round_pipe_size() nr_pages overflow on 32bit:  this would
      subsequently try roundup_pow_of_two(0), which is undefined.

  3 - visible non-rounded pipe-max-size value: there is no mutual
      exclusion or protection between the time pipe_max_size is assigned
      a raw value from proc_dointvec_minmax() and when it is rounded.

  4 - unsigned long -> unsigned int conversion makes for potential odd
      return errors from do_proc_douintvec_minmax_conv() and
      do_proc_dopipe_max_size_conv().

This version underwent the same testing as v1:
https://marc.info/?l=linux-kernel&m=150643571406022&w=2

v1 (from rfc):

- Re-arrange patchset order, push smaller fixes to the front
- Add a check so that round_pipe_size(size < pipe_min_size) will round
  up to round_pipe_size(pipe_min_size) as per man page [RD]
- Add new procfs proc_dopipe_max_size() and helpers to consolidate user
  space read / type validation / rounding / assignment [MP]

v2:
 - Fix !CONFIG_PROC_SYSCTL build case [buildbots]

v3:
 - s/proc_dointvec_minmax/proc_dopipe_max_size/ in comment 
   preceding pipe_proc_fn()
 - Added a fourth patch to address -ERANGE vs. -EINVAL inconsistencies in
   do_proc_douintvec_minmax_conv() and do_proc_dopipe_max_size_conv().

Joe Lawrence (4):
  pipe: match pipe_max_size data type with procfs
  pipe: avoid round_pipe_size() nr_pages overflow on 32-bit
  pipe: add proc_dopipe_max_size() to safely assign pipe_max_size
  sysctl: check for UINT_MAX before unsigned int min/max

 fs/pipe.c                 | 23 ++++++++++---------
 include/linux/pipe_fs_i.h |  1 +
 include/linux/sysctl.h    |  3 +++
 kernel/sysctl.c           | 57 ++++++++++++++++++++++++++++++++++++++++++++---
 4 files changed, 70 insertions(+), 14 deletions(-)

-- 
1.8.3.1

[PATCH v3 1/4] pipe: match pipe_max_size data type with procfs

[Joe Lawrence]

pipe_max_size is defined as an unsigned int:

  unsigned int pipe_max_size = 1048576;

but its procfs/sysctl representation is an integer:

  static struct ctl_table fs_table[] = {
          ...
          {
                  .procname       = "pipe-max-size",
                  .data           = &pipe_max_size,
                  .maxlen         = sizeof(int),
                  .mode           = 0644,
                  .proc_handler   = &pipe_proc_fn,
                  .extra1         = &pipe_min_size,
          },
          ...

that is signed:

  int pipe_proc_fn(struct ctl_table *table, int write, void __user *buf,
                   size_t *lenp, loff_t *ppos)
  {
          ...
          ret = proc_dointvec_minmax(table, write, buf, lenp, ppos)

This leads to signed results via procfs for large values of
pipe_max_size:

  % echo 2147483647 >/proc/sys/fs/pipe-max-size
  % cat /proc/sys/fs/pipe-max-size
  -2147483648

Use unsigned operations on this variable to avoid such negative values.

Reported-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
---
 fs/pipe.c       | 2 +-
 kernel/sysctl.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/pipe.c b/fs/pipe.c
index 97e5be897753..a21ad26de557 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -1124,7 +1124,7 @@ int pipe_proc_fn(struct ctl_table *table, int write, void __user *buf,
 {
 	int ret;
 
-	ret = proc_dointvec_minmax(table, write, buf, lenp, ppos);
+	ret = proc_douintvec_minmax(table, write, buf, lenp, ppos);
 	if (ret < 0 || !write)
 		return ret;
 
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 6648fbbb8157..c976719bf37a 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -1825,7 +1825,7 @@ static int sysrq_sysctl_handler(struct ctl_table *table, int write,
 	{
 		.procname	= "pipe-max-size",
 		.data		= &pipe_max_size,
-		.maxlen		= sizeof(int),
+		.maxlen		= sizeof(pipe_max_size),
 		.mode		= 0644,
 		.proc_handler	= &pipe_proc_fn,
 		.extra1		= &pipe_min_size,
-- 
1.8.3.1

[PATCH v3 2/4] pipe: avoid round_pipe_size() nr_pages overflow on 32-bit

[Joe Lawrence]

The round_pipe_size() function contains a right-bit-shift expression
which may overflow, which would cause undefined results in a subsequent
roundup_pow_of_two() call.

  static inline unsigned int round_pipe_size(unsigned int size)
  {
          unsigned long nr_pages;

          nr_pages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT;
          return roundup_pow_of_two(nr_pages) << PAGE_SHIFT;
  }

PAGE_SIZE is defined as (1UL << PAGE_SHIFT), so:
  - 4 bytes wide on 32-bit (0 to 0xffffffff)
  - 8 bytes wide on 64-bit (0 to 0xffffffffffffffff)

That means that 32-bit round_pipe_size(), nr_pages may overflow to 0:

  size=0x00000000    nr_pages=0x0
  size=0x00000001    nr_pages=0x1
  size=0xfffff000    nr_pages=0xfffff
  size=0xfffff001    nr_pages=0x0         << !
  size=0xffffffff    nr_pages=0x0         << !

This is bad because roundup_pow_of_two(n) is undefined when n == 0!

64-bit is not a problem as the unsigned int size is 4 bytes wide
(similar to 32-bit) and the larger, 8 byte wide unsigned long, is
sufficient to handle the largest value of the bit shift expression:

  size=0xffffffff    nr_pages=100000

Modify round_pipe_size() to return 0 if n == 0 and updates its callers
to handle accordingly.

Reported-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
---
 fs/pipe.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/fs/pipe.c b/fs/pipe.c
index a21ad26de557..8cbc97d97753 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -1017,13 +1017,19 @@ static int fifo_open(struct inode *inode, struct file *filp)
 
 /*
  * Currently we rely on the pipe array holding a power-of-2 number
- * of pages.
+ * of pages. Returns 0 on error.
  */
 static inline unsigned int round_pipe_size(unsigned int size)
 {
 	unsigned long nr_pages;
 
+	if (size < pipe_min_size)
+		size = pipe_min_size;
+
 	nr_pages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT;
+	if (nr_pages == 0)
+		return 0;
+
 	return roundup_pow_of_two(nr_pages) << PAGE_SHIFT;
 }
 
@@ -1039,6 +1045,8 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg)
 	long ret = 0;
 
 	size = round_pipe_size(arg);
+	if (size == 0)
+		return -EINVAL;
 	nr_pages = size >> PAGE_SHIFT;
 
 	if (!nr_pages)
@@ -1122,13 +1130,18 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg)
 int pipe_proc_fn(struct ctl_table *table, int write, void __user *buf,
 		 size_t *lenp, loff_t *ppos)
 {
+	unsigned int rounded_pipe_max_size;
 	int ret;
 
 	ret = proc_douintvec_minmax(table, write, buf, lenp, ppos);
 	if (ret < 0 || !write)
 		return ret;
 
-	pipe_max_size = round_pipe_size(pipe_max_size);
+	rounded_pipe_max_size = round_pipe_size(pipe_max_size);
+	if (rounded_pipe_max_size == 0)
+		return -EINVAL;
+
+	pipe_max_size = rounded_pipe_max_size;
 	return ret;
 }
 
-- 
1.8.3.1

[PATCH v3 3/4] pipe: add proc_dopipe_max_size() to safely assign pipe_max_size

[Joe Lawrence]

pipe_max_size is assigned directly via procfs sysctl:

  static struct ctl_table fs_table[] = {
          ...
          {
                  .procname       = "pipe-max-size",
                  .data           = &pipe_max_size,
                  .maxlen         = sizeof(int),
                  .mode           = 0644,
                  .proc_handler   = &pipe_proc_fn,
                  .extra1         = &pipe_min_size,
          },
          ...

  int pipe_proc_fn(struct ctl_table *table, int write, void __user *buf,
                   size_t *lenp, loff_t *ppos)
  {
          ...
          ret = proc_dointvec_minmax(table, write, buf, lenp, ppos)
          ...

and then later rounded in-place a few statements later:

          ...
          pipe_max_size = round_pipe_size(pipe_max_size);
          ...

This leaves a window of time between initial assignment and rounding
that may be visible to other threads.  (For example, one thread sets a
non-rounded value to pipe_max_size while another reads its value.)

Similar reads of pipe_max_size are potentially racey:

  pipe.c :: alloc_pipe_info()
  pipe.c :: pipe_set_size()

Add a new proc_dopipe_max_size() function that consolidates reading the
new value from the user buffer, verifying bounds, and calling
round_pipe_size() with a single assignment to pipe_max_size.

Reported-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
---
 fs/pipe.c                 | 18 +++--------------
 include/linux/pipe_fs_i.h |  1 +
 include/linux/sysctl.h    |  3 +++
 kernel/sysctl.c           | 49 +++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 56 insertions(+), 15 deletions(-)

diff --git a/fs/pipe.c b/fs/pipe.c
index 8cbc97d97753..e4eea5a51916 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -1019,7 +1019,7 @@ static int fifo_open(struct inode *inode, struct file *filp)
  * Currently we rely on the pipe array holding a power-of-2 number
  * of pages. Returns 0 on error.
  */
-static inline unsigned int round_pipe_size(unsigned int size)
+unsigned int round_pipe_size(unsigned int size)
 {
 	unsigned long nr_pages;
 
@@ -1124,25 +1124,13 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg)
 }
 
 /*
- * This should work even if CONFIG_PROC_FS isn't set, as proc_dointvec_minmax
+ * This should work even if CONFIG_PROC_FS isn't set, as proc_dopipe_max_size
  * will return an error.
  */
 int pipe_proc_fn(struct ctl_table *table, int write, void __user *buf,
 		 size_t *lenp, loff_t *ppos)
 {
-	unsigned int rounded_pipe_max_size;
-	int ret;
-
-	ret = proc_douintvec_minmax(table, write, buf, lenp, ppos);
-	if (ret < 0 || !write)
-		return ret;
-
-	rounded_pipe_max_size = round_pipe_size(pipe_max_size);
-	if (rounded_pipe_max_size == 0)
-		return -EINVAL;
-
-	pipe_max_size = rounded_pipe_max_size;
-	return ret;
+	return proc_dopipe_max_size(table, write, buf, lenp, ppos);
 }
 
 /*
diff --git a/include/linux/pipe_fs_i.h b/include/linux/pipe_fs_i.h
index e7497c9dde7f..485cf7a7aa8f 100644
--- a/include/linux/pipe_fs_i.h
+++ b/include/linux/pipe_fs_i.h
@@ -190,5 +190,6 @@ static inline int pipe_buf_steal(struct pipe_inode_info *pipe,
 struct pipe_inode_info *get_pipe_info(struct file *file);
 
 int create_pipe_files(struct file **, int);
+unsigned int round_pipe_size(unsigned int size);
 
 #endif
diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
index 1d4dba490fb6..ba24ca72800c 100644
--- a/include/linux/sysctl.h
+++ b/include/linux/sysctl.h
@@ -50,6 +50,9 @@ extern int proc_dointvec_minmax(struct ctl_table *, int,
 extern int proc_douintvec_minmax(struct ctl_table *table, int write,
 				 void __user *buffer, size_t *lenp,
 				 loff_t *ppos);
+extern int proc_dopipe_max_size(struct ctl_table *table, int write,
+				void __user *buffer, size_t *lenp,
+				loff_t *ppos);
 extern int proc_dointvec_jiffies(struct ctl_table *, int,
 				 void __user *, size_t *, loff_t *);
 extern int proc_dointvec_userhz_jiffies(struct ctl_table *, int,
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index c976719bf37a..30b01b22014d 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -67,6 +67,7 @@
 #include <linux/kexec.h>
 #include <linux/bpf.h>
 #include <linux/mount.h>
+#include <linux/pipe_fs_i.h>
 
 #include <linux/uaccess.h>
 #include <asm/processor.h>
@@ -2631,6 +2632,47 @@ int proc_douintvec_minmax(struct ctl_table *table, int write,
 				 do_proc_douintvec_minmax_conv, &param);
 }
 
+struct do_proc_dopipe_max_size_conv_param {
+	unsigned int *min;
+};
+
+static int do_proc_dopipe_max_size_conv(unsigned long *lvalp,
+					unsigned int *valp,
+					int write, void *data)
+{
+	struct do_proc_dopipe_max_size_conv_param *param = data;
+
+	if (write) {
+		unsigned int val = round_pipe_size(*lvalp);
+
+		if (val == 0)
+			return -EINVAL;
+
+		if (param->min && *param->min > val)
+			return -ERANGE;
+
+		if (*lvalp > UINT_MAX)
+			return -EINVAL;
+
+		*valp = val;
+	} else {
+		unsigned int val = *valp;
+		*lvalp = (unsigned long) val;
+	}
+
+	return 0;
+}
+
+int proc_dopipe_max_size(struct ctl_table *table, int write,
+			 void __user *buffer, size_t *lenp, loff_t *ppos)
+{
+	struct do_proc_dopipe_max_size_conv_param param = {
+		.min = (unsigned int *) table->extra1,
+	};
+	return do_proc_douintvec(table, write, buffer, lenp, ppos,
+				 do_proc_dopipe_max_size_conv, &param);
+}
+
 static void validate_coredump_safety(void)
 {
 #ifdef CONFIG_COREDUMP
@@ -3136,6 +3178,12 @@ int proc_douintvec_minmax(struct ctl_table *table, int write,
 	return -ENOSYS;
 }
 
+int proc_dopipe_max_size(struct ctl_table *table, int write,
+			 void __user *buffer, size_t *lenp, loff_t *ppos)
+{
+	return -ENOSYS;
+}
+
 int proc_dointvec_jiffies(struct ctl_table *table, int write,
 		    void __user *buffer, size_t *lenp, loff_t *ppos)
 {
@@ -3179,6 +3227,7 @@ int proc_doulongvec_ms_jiffies_minmax(struct ctl_table *table, int write,
 EXPORT_SYMBOL(proc_dointvec_jiffies);
 EXPORT_SYMBOL(proc_dointvec_minmax);
 EXPORT_SYMBOL_GPL(proc_douintvec_minmax);
+EXPORT_SYMBOL_GPL(proc_dopipe_max_size);
 EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
 EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
 EXPORT_SYMBOL(proc_dostring);
-- 
1.8.3.1

[PATCH v3 4/4] sysctl: check for UINT_MAX before unsigned int min/max

[Joe Lawrence]

Mikulas noticed in the existing do_proc_douintvec_minmax_conv() and
do_proc_dopipe_max_size_conv() introduced in this patchset, that they
inconsistently handle overflow and min/max range inputs:

For example:

  0 ... param->min - 1 ---> ERANGE
  param->min ... param->max ---> the value is accepted
  param->max + 1 ... 0x100000000L + param->min - 1 ---> ERANGE
  0x100000000L + param->min ... 0x100000000L + param->max ---> EINVAL
  0x100000000L + param->max + 1, 0x200000000L + param->min - 1 ---> ERANGE
  0x200000000L + param->min ... 0x200000000L + param->max ---> EINVAL
  0x200000000L + param->max + 1, 0x300000000L + param->min - 1 ---> ERANGE

In do_proc_do*() routines which store values into unsigned int variables
(4 bytes wide for 64-bit builds), first validate that the input unsigned
long value (8 bytes wide for 64-bit builds) will fit inside the smaller
unsigned int variable.  Then check that the unsigned int value falls
inside the specified parameter min, max range.  Otherwise the unsigned
long -> unsigned int conversion drops leading bits from the input value,
leading to the inconsistent pattern Mikulas documented above.

Reported-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
---
 kernel/sysctl.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 30b01b22014d..a04907158c90 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -2587,12 +2587,13 @@ static int do_proc_douintvec_minmax_conv(unsigned long *lvalp,
 	if (write) {
 		unsigned int val = *lvalp;
 
+		if (*lvalp > UINT_MAX)
+			return -EINVAL;
+
 		if ((param->min && *param->min > val) ||
 		    (param->max && *param->max < val))
 			return -ERANGE;
 
-		if (*lvalp > UINT_MAX)
-			return -EINVAL;
 		*valp = val;
 	} else {
 		unsigned int val = *valp;
@@ -2643,17 +2644,18 @@ static int do_proc_dopipe_max_size_conv(unsigned long *lvalp,
 	struct do_proc_dopipe_max_size_conv_param *param = data;
 
 	if (write) {
-		unsigned int val = round_pipe_size(*lvalp);
+		unsigned int val;
 
+		if (*lvalp > UINT_MAX)
+			return -EINVAL;
+
+		val = round_pipe_size(*lvalp);
 		if (val == 0)
 			return -EINVAL;
 
 		if (param->min && *param->min > val)
 			return -ERANGE;
 
-		if (*lvalp > UINT_MAX)
-			return -EINVAL;
-
 		*valp = val;
 	} else {
 		unsigned int val = *valp;
-- 
1.8.3.1

Re: [PATCH v3 0/4] A few round_pipe_size() and pipe-max-size fixups

[Mikulas Patocka]

Reviewed-by: Mikulas Patocka <mpatocka@redhat.com>


On Tue, 10 Oct 2017, Joe Lawrence wrote:

> While backporting Michael's "pipe: fix limit handling" patchset to a
> distro-kernel, Mikulas noticed that current upstream pipe limit handling
> contains a few problems:
> 
>   1 - procfs signed wrap: echo'ing a large number into
>       /proc/sys/fs/pipe-max-size and then cat'ing it back out shows a
>       negative value.
> 
>   2 - round_pipe_size() nr_pages overflow on 32bit:  this would
>       subsequently try roundup_pow_of_two(0), which is undefined.
> 
>   3 - visible non-rounded pipe-max-size value: there is no mutual
>       exclusion or protection between the time pipe_max_size is assigned
>       a raw value from proc_dointvec_minmax() and when it is rounded.
> 
>   4 - unsigned long -> unsigned int conversion makes for potential odd
>       return errors from do_proc_douintvec_minmax_conv() and
>       do_proc_dopipe_max_size_conv().
> 
> This version underwent the same testing as v1:
> https://marc.info/?l=linux-kernel&m=150643571406022&w=2
> 
> v1 (from rfc):
> 
> - Re-arrange patchset order, push smaller fixes to the front
> - Add a check so that round_pipe_size(size < pipe_min_size) will round
>   up to round_pipe_size(pipe_min_size) as per man page [RD]
> - Add new procfs proc_dopipe_max_size() and helpers to consolidate user
>   space read / type validation / rounding / assignment [MP]
> 
> v2:
>  - Fix !CONFIG_PROC_SYSCTL build case [buildbots]
> 
> v3:
>  - s/proc_dointvec_minmax/proc_dopipe_max_size/ in comment 
>    preceding pipe_proc_fn()
>  - Added a fourth patch to address -ERANGE vs. -EINVAL inconsistencies in
>    do_proc_douintvec_minmax_conv() and do_proc_dopipe_max_size_conv().
> 
> Joe Lawrence (4):
>   pipe: match pipe_max_size data type with procfs
>   pipe: avoid round_pipe_size() nr_pages overflow on 32-bit
>   pipe: add proc_dopipe_max_size() to safely assign pipe_max_size
>   sysctl: check for UINT_MAX before unsigned int min/max
> 
>  fs/pipe.c                 | 23 ++++++++++---------
>  include/linux/pipe_fs_i.h |  1 +
>  include/linux/sysctl.h    |  3 +++
>  kernel/sysctl.c           | 57 ++++++++++++++++++++++++++++++++++++++++++++---
>  4 files changed, 70 insertions(+), 14 deletions(-)
> 
> -- 
> 1.8.3.1
> 

Re: [PATCH v3 0/4] A few round_pipe_size() and pipe-max-size fixups

[Joe Lawrence]

On 10/10/2017 02:04 PM, Joe Lawrence wrote:
> While backporting Michael's "pipe: fix limit handling" patchset to a
> distro-kernel, Mikulas noticed that current upstream pipe limit handling
> contains a few problems:
> 
>   1 - procfs signed wrap: echo'ing a large number into
>       /proc/sys/fs/pipe-max-size and then cat'ing it back out shows a
>       negative value.
> 
>   2 - round_pipe_size() nr_pages overflow on 32bit:  this would
>       subsequently try roundup_pow_of_two(0), which is undefined.
> 
>   3 - visible non-rounded pipe-max-size value: there is no mutual
>       exclusion or protection between the time pipe_max_size is assigned
>       a raw value from proc_dointvec_minmax() and when it is rounded.
> 
>   4 - unsigned long -> unsigned int conversion makes for potential odd
>       return errors from do_proc_douintvec_minmax_conv() and
>       do_proc_dopipe_max_size_conv().
> 
> This version underwent the same testing as v1:
> https://marc.info/?l=linux-kernel&m=150643571406022&w=2
> 
> v1 (from rfc):
> 
> - Re-arrange patchset order, push smaller fixes to the front
> - Add a check so that round_pipe_size(size < pipe_min_size) will round
>   up to round_pipe_size(pipe_min_size) as per man page [RD]
> - Add new procfs proc_dopipe_max_size() and helpers to consolidate user
>   space read / type validation / rounding / assignment [MP]
> 
> v2:
>  - Fix !CONFIG_PROC_SYSCTL build case [buildbots]
> 
> v3:
>  - s/proc_dointvec_minmax/proc_dopipe_max_size/ in comment 
>    preceding pipe_proc_fn()
>  - Added a fourth patch to address -ERANGE vs. -EINVAL inconsistencies in
>    do_proc_douintvec_minmax_conv() and do_proc_dopipe_max_size_conv().
> 
> Joe Lawrence (4):
>   pipe: match pipe_max_size data type with procfs
>   pipe: avoid round_pipe_size() nr_pages overflow on 32-bit
>   pipe: add proc_dopipe_max_size() to safely assign pipe_max_size
>   sysctl: check for UINT_MAX before unsigned int min/max
> 
>  fs/pipe.c                 | 23 ++++++++++---------
>  include/linux/pipe_fs_i.h |  1 +
>  include/linux/sysctl.h    |  3 +++
>  kernel/sysctl.c           | 57 ++++++++++++++++++++++++++++++++++++++++++++---
>  4 files changed, 70 insertions(+), 14 deletions(-)
> 

Thanks for the reviews, now who do I need to bug to get this merged into
a tree?  :)

v1:
Reviewed-by: Michael Kerrisk <mtk.manpages@gmail.com>
"Looks good" from Randy Dunlap <rdunlap@infradead.org>

v3:
Reviewed-by: Mikulas Patocka <mpatocka@redhat.com>

-- Joe