Lines Matching refs:regno
188 int regno; member
580 struct bpf_reg_state *regs, u32 regno) in mark_reg_known_zero() argument
582 if (WARN_ON(regno >= MAX_BPF_REG)) { in mark_reg_known_zero()
583 verbose(env, "mark_reg_known_zero(regs, %u)\n", regno); in mark_reg_known_zero()
585 for (regno = 0; regno < MAX_BPF_REG; regno++) in mark_reg_known_zero()
586 __mark_reg_not_init(regs + regno); in mark_reg_known_zero()
589 __mark_reg_known_zero(regs + regno); in mark_reg_known_zero()
695 struct bpf_reg_state *regs, u32 regno) in mark_reg_unknown() argument
697 if (WARN_ON(regno >= MAX_BPF_REG)) { in mark_reg_unknown()
698 verbose(env, "mark_reg_unknown(regs, %u)\n", regno); in mark_reg_unknown()
700 for (regno = 0; regno < BPF_REG_FP; regno++) in mark_reg_unknown()
701 __mark_reg_not_init(regs + regno); in mark_reg_unknown()
704 __mark_reg_unknown(regs + regno); in mark_reg_unknown()
714 struct bpf_reg_state *regs, u32 regno) in mark_reg_not_init() argument
716 if (WARN_ON(regno >= MAX_BPF_REG)) { in mark_reg_not_init()
717 verbose(env, "mark_reg_not_init(regs, %u)\n", regno); in mark_reg_not_init()
719 for (regno = 0; regno < BPF_REG_FP; regno++) in mark_reg_not_init()
720 __mark_reg_not_init(regs + regno); in mark_reg_not_init()
723 __mark_reg_not_init(regs + regno); in mark_reg_not_init()
883 u32 regno) in skip_callee() argument
898 regno >= BPF_REG_1 && regno <= BPF_REG_5) || in skip_callee()
900 regno == BPF_REG_0)) in skip_callee()
904 regno >= BPF_REG_6) { in skip_callee()
921 verbose(env, "verifier bug regno %d tmp %p\n", regno, tmp); in skip_callee()
923 regno, parent->curframe, state->curframe); in skip_callee()
930 u32 regno) in mark_reg_read() argument
934 if (regno == BPF_REG_FP) in mark_reg_read()
940 if (writes && state->frame[state->curframe]->regs[regno].live & REG_LIVE_WRITTEN) in mark_reg_read()
942 parent = skip_callee(env, state, parent, regno); in mark_reg_read()
946 parent->frame[parent->curframe]->regs[regno].live |= REG_LIVE_READ; in mark_reg_read()
954 static int check_reg_arg(struct bpf_verifier_env *env, u32 regno, in check_reg_arg() argument
961 if (regno >= MAX_BPF_REG) { in check_reg_arg()
962 verbose(env, "R%d is invalid\n", regno); in check_reg_arg()
968 if (regs[regno].type == NOT_INIT) { in check_reg_arg()
969 verbose(env, "R%d !read_ok\n", regno); in check_reg_arg()
972 return mark_reg_read(env, vstate, vstate->parent, regno); in check_reg_arg()
975 if (regno == BPF_REG_FP) { in check_reg_arg()
979 regs[regno].live |= REG_LIVE_WRITTEN; in check_reg_arg()
981 mark_reg_unknown(env, regs, regno); in check_reg_arg()
1237 static int __check_map_access(struct bpf_verifier_env *env, u32 regno, int off, in __check_map_access() argument
1241 struct bpf_map *map = regs[regno].map_ptr; in __check_map_access()
1253 static int check_map_access(struct bpf_verifier_env *env, u32 regno, in check_map_access() argument
1258 struct bpf_reg_state *reg = &state->regs[regno]; in check_map_access()
1275 regno); in check_map_access()
1278 err = __check_map_access(env, regno, reg->smin_value + off, size, in check_map_access()
1282 regno); in check_map_access()
1292 regno); in check_map_access()
1295 err = __check_map_access(env, regno, reg->umax_value + off, size, in check_map_access()
1299 regno); in check_map_access()
1334 static int __check_packet_access(struct bpf_verifier_env *env, u32 regno, in __check_packet_access() argument
1338 struct bpf_reg_state *reg = &regs[regno]; in __check_packet_access()
1343 off, size, regno, reg->id, reg->off, reg->range); in __check_packet_access()
1349 static int check_packet_access(struct bpf_verifier_env *env, u32 regno, int off, in check_packet_access() argument
1353 struct bpf_reg_state *reg = &regs[regno]; in check_packet_access()
1366 regno); in check_packet_access()
1369 err = __check_packet_access(env, regno, off, size, zero_size_allowed); in check_packet_access()
1371 verbose(env, "R%d offset is outside of the packet\n", regno); in check_packet_access()
1416 static bool is_pointer_value(struct bpf_verifier_env *env, int regno) in is_pointer_value() argument
1418 return __is_pointer_value(env->allow_ptr_leaks, cur_regs(env) + regno); in is_pointer_value()
1421 static bool is_ctx_reg(struct bpf_verifier_env *env, int regno) in is_ctx_reg() argument
1423 const struct bpf_reg_state *reg = cur_regs(env) + regno; in is_ctx_reg()
1428 static bool is_pkt_reg(struct bpf_verifier_env *env, int regno) in is_pkt_reg() argument
1430 const struct bpf_reg_state *reg = cur_regs(env) + regno; in is_pkt_reg()
1622 const struct bpf_reg_state *reg, int regno) in check_ctx_reg() argument
1630 regno, reg->off); in check_ctx_reg()
1674 static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regno, in check_mem_access() argument
1679 struct bpf_reg_state *reg = regs + regno; in check_mem_access()
1702 err = check_map_access(env, regno, off, size, false); in check_mem_access()
1715 err = check_ctx_reg(env, reg, regno); in check_mem_access()
1778 err = check_packet_access(env, regno, off, size, false); in check_mem_access()
1782 verbose(env, "R%d invalid mem access '%s'\n", regno, in check_mem_access()
1845 static int check_stack_boundary(struct bpf_verifier_env *env, int regno, in check_stack_boundary() argument
1849 struct bpf_reg_state *reg = cur_regs(env) + regno; in check_stack_boundary()
1859 verbose(env, "R%d type=%s expected=%s\n", regno, in check_stack_boundary()
1871 regno, tn_buf); in check_stack_boundary()
1878 regno, off, access_size); in check_stack_boundary()
1884 meta->regno = regno; in check_stack_boundary()
1917 static int check_helper_mem_access(struct bpf_verifier_env *env, int regno, in check_helper_mem_access() argument
1921 struct bpf_reg_state *regs = cur_regs(env), *reg = &regs[regno]; in check_helper_mem_access()
1926 return check_packet_access(env, regno, reg->off, access_size, in check_helper_mem_access()
1929 return check_map_access(env, regno, reg->off, access_size, in check_helper_mem_access()
1932 return check_stack_boundary(env, regno, access_size, in check_helper_mem_access()
1950 static int check_func_arg(struct bpf_verifier_env *env, u32 regno, in check_func_arg() argument
1954 struct bpf_reg_state *regs = cur_regs(env), *reg = &regs[regno]; in check_func_arg()
1961 err = check_reg_arg(env, regno, SRC_OP); in check_func_arg()
1966 if (is_pointer_value(env, regno)) { in check_func_arg()
1968 regno); in check_func_arg()
1999 err = check_ctx_reg(env, reg, regno); in check_func_arg()
2038 err = check_helper_mem_access(env, regno, in check_func_arg()
2050 err = check_helper_mem_access(env, regno, in check_func_arg()
2075 regno); in check_func_arg()
2080 err = check_helper_mem_access(env, regno - 1, 0, in check_func_arg()
2089 regno); in check_func_arg()
2092 err = check_helper_mem_access(env, regno - 1, in check_func_arg()
2099 verbose(env, "R%d type=%s expected=%s\n", regno, in check_func_arg()
2546 err = check_mem_access(env, insn_idx, meta.regno, i, BPF_B, in check_helper_call()
3667 static void mark_map_reg(struct bpf_reg_state *regs, u32 regno, u32 id, in mark_map_reg() argument
3670 struct bpf_reg_state *reg = &regs[regno]; in mark_map_reg()
3702 static void mark_map_regs(struct bpf_verifier_state *vstate, u32 regno, in mark_map_regs() argument
3707 u32 id = regs[regno].id; in mark_map_regs()