pipe: Use head and tail pointers for the ring, not cursor and length

		.pos = *ppos,

		.u.data = &sgl,

	};

	unsigned int occupancy;

	/*

	 * Rproc_serial does not yet support splice. To support splice

	if (is_rproc_serial(port->out_vq->vdev))

		return -EINVAL;

	/*

	 * pipe->nrbufs == 0 means there are no data to transfer,

	 * so this returns just 0 for no data.

	 */

	pipe_lock(pipe);

	if (!pipe->nrbufs) {

	ret = 0;

	if (pipe_empty(pipe->head, pipe->tail))

		goto error_out;

	}

	ret = wait_port_writable(port, filp->f_flags & O_NONBLOCK);

	if (ret < 0)

		goto error_out;

	buf = alloc_buf(port->portdev->vdev, 0, pipe->nrbufs);

	occupancy = pipe_occupancy(pipe->head, pipe->tail);

	buf = alloc_buf(port->portdev->vdev, 0, occupancy);

	if (!buf) {

		ret = -ENOMEM;

		goto error_out;

	sgl.n = 0;

	sgl.len = 0;

	sgl.size = pipe->nrbufs;

	sgl.size = occupancy;

	sgl.sg = buf->sg;

	sg_init_table(sgl.sg, sgl.size);

	ret = __splice_from_pipe(pipe, &sd, pipe_to_sg);

			cs->pipebufs++;

			cs->nr_segs--;

		} else {

			if (cs->nr_segs == cs->pipe->buffers)

			if (cs->nr_segs >= cs->pipe->ring_size)

				return -EIO;

			page = alloc_page(GFP_HIGHUSER);

	struct pipe_buffer *buf;

	int err;

	if (cs->nr_segs == cs->pipe->buffers)

	if (cs->nr_segs >= cs->pipe->ring_size)

		return -EIO;

	err = unlock_request(cs->req);

	if (!fud)

		return -EPERM;

	bufs = kvmalloc_array(pipe->buffers, sizeof(struct pipe_buffer),

	bufs = kvmalloc_array(pipe->ring_size, sizeof(struct pipe_buffer),

			      GFP_KERNEL);

	if (!bufs)

		return -ENOMEM;

	if (ret < 0)

		goto out;

	if (pipe->nrbufs + cs.nr_segs > pipe->buffers) {

	if (pipe_occupancy(pipe->head, pipe->tail) + cs.nr_segs > pipe->ring_size) {

		ret = -EIO;

		goto out;

	}

				     struct file *out, loff_t *ppos,

				     size_t len, unsigned int flags)

{

	unsigned int head, tail, mask, count;

	unsigned nbuf;

	unsigned idx;

	struct pipe_buffer *bufs;

	pipe_lock(pipe);

	bufs = kvmalloc_array(pipe->nrbufs, sizeof(struct pipe_buffer),

			      GFP_KERNEL);

	head = pipe->head;

	tail = pipe->tail;

	mask = pipe->ring_size - 1;

	count = head - tail;

	bufs = kvmalloc_array(count, sizeof(struct pipe_buffer), GFP_KERNEL);

	if (!bufs) {

		pipe_unlock(pipe);

		return -ENOMEM;

	nbuf = 0;

	rem = 0;

	for (idx = 0; idx < pipe->nrbufs && rem < len; idx++)

		rem += pipe->bufs[(pipe->curbuf + idx) & (pipe->buffers - 1)].len;

	for (idx = tail; idx < head && rem < len; idx++)

		rem += pipe->bufs[idx & mask].len;

	ret = -EINVAL;

	if (rem < len)

		struct pipe_buffer *ibuf;

		struct pipe_buffer *obuf;

		BUG_ON(nbuf >= pipe->buffers);

		BUG_ON(!pipe->nrbufs);

		ibuf = &pipe->bufs[pipe->curbuf];

		BUG_ON(nbuf >= pipe->ring_size);

		BUG_ON(tail == head);

		ibuf = &pipe->bufs[tail & mask];

		obuf = &bufs[nbuf];

		if (rem >= ibuf->len) {

			*obuf = *ibuf;

			ibuf->ops = NULL;

			pipe->curbuf = (pipe->curbuf + 1) & (pipe->buffers - 1);

			pipe->nrbufs--;

			tail++;

			pipe->tail = tail;

		} else {

			if (!pipe_buf_get(pipe, ibuf))

				goto out_free;

unsigned long pipe_user_pages_soft = PIPE_DEF_BUFFERS * INR_OPEN_CUR;

/*

 * We use a start+len construction, which provides full use of the 

 * allocated memory.

 * -- Florian Coosmann (FGC)

 * We use head and tail indices that aren't masked off, except at the point of

 * dereference, but rather they're allowed to wrap naturally.  This means there

 * isn't a dead spot in the buffer, but the ring has to be a power of two and

 * <= 2^31.

 * -- David Howells 2019-09-23.

 *

 * Reads with count = 0 should always return 0.

 * -- Julian Bradfield 1999-06-07.

	ret = 0;

	__pipe_lock(pipe);

	for (;;) {

		int bufs = pipe->nrbufs;

		if (bufs) {

			int curbuf = pipe->curbuf;

			struct pipe_buffer *buf = pipe->bufs + curbuf;

		unsigned int head = pipe->head;

		unsigned int tail = pipe->tail;

		unsigned int mask = pipe->ring_size - 1;

		if (!pipe_empty(head, tail)) {

			struct pipe_buffer *buf = &pipe->bufs[tail & mask];

			size_t chars = buf->len;

			size_t written;

			int error;

			if (!buf->len) {

				pipe_buf_release(pipe, buf);

				curbuf = (curbuf + 1) & (pipe->buffers - 1);

				pipe->curbuf = curbuf;

				pipe->nrbufs = --bufs;

				tail++;

				pipe->tail = tail;

				do_wakeup = 1;

			}

			total_len -= chars;

			if (!total_len)

				break;	/* common path: read succeeded */

		}

		if (bufs)	/* More to do? */

			if (!pipe_empty(head, tail))	/* More to do? */

				continue;

		}

		if (!pipe->writers)

			break;

		if (!pipe->waiting_writers) {

{

	struct file *filp = iocb->ki_filp;

	struct pipe_inode_info *pipe = filp->private_data;

	unsigned int head, tail, max_usage, mask;

	ssize_t ret = 0;

	int do_wakeup = 0;

	size_t total_len = iov_iter_count(from);

		goto out;

	}

	tail = pipe->tail;

	head = pipe->head;

	max_usage = pipe->ring_size;

	mask = pipe->ring_size - 1;

	/* We try to merge small writes */

	chars = total_len & (PAGE_SIZE-1); /* size of the last buffer */

	if (pipe->nrbufs && chars != 0) {

		int lastbuf = (pipe->curbuf + pipe->nrbufs - 1) &

							(pipe->buffers - 1);

		struct pipe_buffer *buf = pipe->bufs + lastbuf;

	if (!pipe_empty(head, tail) && chars != 0) {

		struct pipe_buffer *buf = &pipe->bufs[(head - 1) & mask];

		int offset = buf->offset + buf->len;

		if (pipe_buf_can_merge(buf) && offset + chars <= PAGE_SIZE) {

	}

	for (;;) {

		int bufs;

		if (!pipe->readers) {

			send_sig(SIGPIPE, current, 0);

			if (!ret)

				ret = -EPIPE;

			break;

		}

		bufs = pipe->nrbufs;

		if (bufs < pipe->buffers) {

			int newbuf = (pipe->curbuf + bufs) & (pipe->buffers-1);

			struct pipe_buffer *buf = pipe->bufs + newbuf;

		tail = pipe->tail;

		if (!pipe_full(head, tail, max_usage)) {

			struct pipe_buffer *buf = &pipe->bufs[head & mask];

			struct page *page = pipe->tmp_page;

			int copied;

				buf->ops = &packet_pipe_buf_ops;

				buf->flags = PIPE_BUF_FLAG_PACKET;

			}

			pipe->nrbufs = ++bufs;

			head++;

			pipe->head = head;

			pipe->tmp_page = NULL;

			if (!iov_iter_count(from))

				break;

		}

		if (bufs < pipe->buffers)

		if (!pipe_full(head, tail, max_usage))

			continue;

		/* Wait for buffer space to become available. */

		if (filp->f_flags & O_NONBLOCK) {

			if (!ret)

				ret = -EAGAIN;

static long pipe_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)

{

	struct pipe_inode_info *pipe = filp->private_data;

	int count, buf, nrbufs;

	int count, head, tail, mask;

	switch (cmd) {

		case FIONREAD:

			__pipe_lock(pipe);

			count = 0;

			buf = pipe->curbuf;

			nrbufs = pipe->nrbufs;

			while (--nrbufs >= 0) {

				count += pipe->bufs[buf].len;

				buf = (buf+1) & (pipe->buffers - 1);

			head = pipe->head;

			tail = pipe->tail;

			mask = pipe->ring_size - 1;

			while (tail != head) {

				count += pipe->bufs[tail & mask].len;

				tail++;

			}

			__pipe_unlock(pipe);

{

	__poll_t mask;

	struct pipe_inode_info *pipe = filp->private_data;

	int nrbufs;

	unsigned int head = READ_ONCE(pipe->head);

	unsigned int tail = READ_ONCE(pipe->tail);

	poll_wait(filp, &pipe->wait, wait);

	BUG_ON(pipe_occupancy(head, tail) > pipe->ring_size);

	/* Reading only -- no need for acquiring the semaphore.  */

	nrbufs = pipe->nrbufs;

	mask = 0;

	if (filp->f_mode & FMODE_READ) {

		mask = (nrbufs > 0) ? EPOLLIN | EPOLLRDNORM : 0;

		if (!pipe_empty(head, tail))

			mask |= EPOLLIN | EPOLLRDNORM;

		if (!pipe->writers && filp->f_version != pipe->w_counter)

			mask |= EPOLLHUP;

	}

	if (filp->f_mode & FMODE_WRITE) {

		mask |= (nrbufs < pipe->buffers) ? EPOLLOUT | EPOLLWRNORM : 0;

		if (!pipe_full(head, tail, pipe->ring_size))

			mask |= EPOLLOUT | EPOLLWRNORM;

		/*

		 * Most Unices do not set EPOLLERR for FIFOs but on Linux they

		 * behave exactly like pipes for poll().

	if (pipe->bufs) {

		init_waitqueue_head(&pipe->wait);

		pipe->r_counter = pipe->w_counter = 1;

		pipe->buffers = pipe_bufs;

		pipe->ring_size = pipe_bufs;

		pipe->user = user;

		mutex_init(&pipe->mutex);

		return pipe;

{

	int i;

	(void) account_pipe_buffers(pipe->user, pipe->buffers, 0);

	(void) account_pipe_buffers(pipe->user, pipe->ring_size, 0);

	free_uid(pipe->user);

	for (i = 0; i < pipe->buffers; i++) {

	for (i = 0; i < pipe->ring_size; i++) {

		struct pipe_buffer *buf = pipe->bufs + i;

		if (buf->ops)

			pipe_buf_release(pipe, buf);

static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg)

{

	struct pipe_buffer *bufs;

	unsigned int size, nr_pages;

	unsigned int size, nr_slots, head, tail, mask, n;

	unsigned long user_bufs;

	long ret = 0;

	size = round_pipe_size(arg);

	nr_pages = size >> PAGE_SHIFT;

	nr_slots = size >> PAGE_SHIFT;

	if (!nr_pages)

	if (!nr_slots)

		return -EINVAL;

	/*

	 * Decreasing the pipe capacity is always permitted, even

	 * if the user is currently over a limit.

	 */

	if (nr_pages > pipe->buffers &&

	if (nr_slots > pipe->ring_size &&

			size > pipe_max_size && !capable(CAP_SYS_RESOURCE))

		return -EPERM;

	user_bufs = account_pipe_buffers(pipe->user, pipe->buffers, nr_pages);

	user_bufs = account_pipe_buffers(pipe->user, pipe->ring_size, nr_slots);

	if (nr_pages > pipe->buffers &&

	if (nr_slots > pipe->ring_size &&

			(too_many_pipe_buffers_hard(user_bufs) ||

			 too_many_pipe_buffers_soft(user_bufs)) &&

			is_unprivileged_user()) {

	}

	/*

	 * We can shrink the pipe, if arg >= pipe->nrbufs. Since we don't

	 * expect a lot of shrink+grow operations, just free and allocate

	 * again like we would do for growing. If the pipe currently

	 * We can shrink the pipe, if arg is greater than the ring occupancy.

	 * Since we don't expect a lot of shrink+grow operations, just free and

	 * allocate again like we would do for growing.  If the pipe currently

	 * contains more buffers than arg, then return busy.

	 */

	if (nr_pages < pipe->nrbufs) {

	mask = pipe->ring_size - 1;

	head = pipe->head;

	tail = pipe->tail;

	n = pipe_occupancy(pipe->head, pipe->tail);

	if (nr_slots < n) {

		ret = -EBUSY;

		goto out_revert_acct;

	}

	bufs = kcalloc(nr_pages, sizeof(*bufs),

	bufs = kcalloc(nr_slots, sizeof(*bufs),

		       GFP_KERNEL_ACCOUNT | __GFP_NOWARN);

	if (unlikely(!bufs)) {

		ret = -ENOMEM;

	/*

	 * The pipe array wraps around, so just start the new one at zero

	 * and adjust the indexes.

	 * and adjust the indices.

	 */

	if (pipe->nrbufs) {

		unsigned int tail;

		unsigned int head;

	if (n > 0) {

		unsigned int h = head & mask;

		unsigned int t = tail & mask;

		if (h > t) {

			memcpy(bufs, pipe->bufs + t,

			       n * sizeof(struct pipe_buffer));

		} else {

			unsigned int tsize = pipe->ring_size - t;

			if (h > 0)

				memcpy(bufs + tsize, pipe->bufs,

				       h * sizeof(struct pipe_buffer));

			memcpy(bufs, pipe->bufs + t,

			       tsize * sizeof(struct pipe_buffer));

		}

	}

		tail = pipe->curbuf + pipe->nrbufs;

		if (tail < pipe->buffers)

	head = n;

	tail = 0;

		else

			tail &= (pipe->buffers - 1);

		head = pipe->nrbufs - tail;

		if (head)

			memcpy(bufs, pipe->bufs + pipe->curbuf, head * sizeof(struct pipe_buffer));

		if (tail)

			memcpy(bufs + head, pipe->bufs, tail * sizeof(struct pipe_buffer));

	}

	pipe->curbuf = 0;

	kfree(pipe->bufs);

	pipe->bufs = bufs;

	pipe->buffers = nr_pages;

	return nr_pages * PAGE_SIZE;

	pipe->ring_size = nr_slots;

	pipe->tail = tail;

	pipe->head = head;

	return pipe->ring_size * PAGE_SIZE;

out_revert_acct:

	(void) account_pipe_buffers(pipe->user, nr_pages, pipe->buffers);

	(void) account_pipe_buffers(pipe->user, nr_slots, pipe->ring_size);

	return ret;

}

		ret = pipe_set_size(pipe, arg);

		break;

	case F_GETPIPE_SZ:

		ret = pipe->buffers * PAGE_SIZE;

		ret = pipe->ring_size * PAGE_SIZE;

		break;

	default:

		ret = -EINVAL;

		       struct splice_pipe_desc *spd)

{

	unsigned int spd_pages = spd->nr_pages;

	unsigned int tail = pipe->tail;

	unsigned int head = pipe->head;

	unsigned int mask = pipe->ring_size - 1;

	int ret = 0, page_nr = 0;

	if (!spd_pages)

		goto out;

	}

	while (pipe->nrbufs < pipe->buffers) {

		int newbuf = (pipe->curbuf + pipe->nrbufs) & (pipe->buffers - 1);

		struct pipe_buffer *buf = pipe->bufs + newbuf;

	while (!pipe_full(head, tail, pipe->ring_size)) {

		struct pipe_buffer *buf = &pipe->bufs[head & mask];

		buf->page = spd->pages[page_nr];

		buf->offset = spd->partial[page_nr].offset;

		buf->ops = spd->ops;

		buf->flags = 0;

		pipe->nrbufs++;

		head++;

		pipe->head = head;

		page_nr++;

		ret += buf->len;

ssize_t add_to_pipe(struct pipe_inode_info *pipe, struct pipe_buffer *buf)

{

	unsigned int head = pipe->head;

	unsigned int tail = pipe->tail;

	unsigned int mask = pipe->ring_size - 1;

	int ret;

	if (unlikely(!pipe->readers)) {

		send_sig(SIGPIPE, current, 0);

		ret = -EPIPE;

	} else if (pipe->nrbufs == pipe->buffers) {

	} else if (pipe_full(head, tail, pipe->ring_size)) {

		ret = -EAGAIN;

	} else {

		int newbuf = (pipe->curbuf + pipe->nrbufs) & (pipe->buffers - 1);

		pipe->bufs[newbuf] = *buf;

		pipe->nrbufs++;

		pipe->bufs[head & mask] = *buf;

		pipe->head = head + 1;

		return buf->len;

	}

	pipe_buf_release(pipe, buf);

 */

int splice_grow_spd(const struct pipe_inode_info *pipe, struct splice_pipe_desc *spd)

{

	unsigned int buffers = READ_ONCE(pipe->buffers);

	unsigned int max_usage = READ_ONCE(pipe->ring_size);

	spd->nr_pages_max = buffers;

	if (buffers <= PIPE_DEF_BUFFERS)

	spd->nr_pages_max = max_usage;

	if (max_usage <= PIPE_DEF_BUFFERS)

		return 0;

	spd->pages = kmalloc_array(buffers, sizeof(struct page *), GFP_KERNEL);

	spd->partial = kmalloc_array(buffers, sizeof(struct partial_page),

	spd->pages = kmalloc_array(max_usage, sizeof(struct page *), GFP_KERNEL);

	spd->partial = kmalloc_array(max_usage, sizeof(struct partial_page),

				     GFP_KERNEL);

	if (spd->pages && spd->partial)

{

	struct iov_iter to;

	struct kiocb kiocb;

	int idx, ret;

	unsigned int i_head;

	int ret;

	iov_iter_pipe(&to, READ, pipe, len);

	idx = to.idx;

	i_head = to.head;

	init_sync_kiocb(&kiocb, in);

	kiocb.ki_pos = *ppos;

	ret = call_read_iter(in, &kiocb, &to);

		*ppos = kiocb.ki_pos;