166 	int insn_idx;  member
620 static int acquire_reference_state(struct bpf_verifier_env *env, int insn_idx)  in acquire_reference_state()  argument
631 	state->refs[new_ofs].insn_idx = insn_idx;  in acquire_reference_state()
777 		     int *insn_idx)  in pop_stack()  argument
791 	if (insn_idx)  in pop_stack()
792 		*insn_idx = head->insn_idx;  in pop_stack()
804 					     int insn_idx, int prev_insn_idx,  in push_stack()  argument
815 	elem->insn_idx = insn_idx;  in push_stack()
1363 	struct bpf_insn *insn = env->prog->insnsi + env->insn_idx;  in check_reg_arg()
1396 		reg->subreg_def = rw64 ? DEF_NOT_SUBREG : env->insn_idx + 1;  in check_reg_arg()
1414 	p[cnt - 1].idx = env->insn_idx;  in push_jmp_history()
1665 	int last_idx = env->insn_idx;  in __mark_chain_precision()
1886 			     int off, int size, int value_regno, int insn_idx)  in check_stack_write()  argument
1890 	u32 dst_reg = env->prog->insnsi[insn_idx].dst_reg;  in check_stack_write()
1928 			verbose_linfo(env, insn_idx, "; ");  in check_stack_write()
1950 				int *poff = &env->insn_aux_data[insn_idx].sanitize_stack_off;  in check_stack_write()
1967 						insn_idx, *poff, soff);  in check_stack_write()
2033 				verbose_linfo(env, env->insn_idx, "; ");  in check_stack_read()
2333 static int check_ctx_access(struct bpf_verifier_env *env, int insn_idx, int off, int size,  in check_ctx_access()  argument
2351 		env->insn_aux_data[insn_idx].ctx_field_size = info.ctx_field_size;  in check_ctx_access()
2374 static int check_sock_access(struct bpf_verifier_env *env, int insn_idx,  in check_sock_access()  argument
2408 		env->insn_aux_data[insn_idx].ctx_field_size =  in check_sock_access()
2748 static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regno,  in check_mem_access()  argument
2795 		err = check_ctx_access(env, insn_idx, off, size, t, &reg_type);  in check_mem_access()
2831 						value_regno, insn_idx);  in check_mem_access()
2866 		err = check_sock_access(env, insn_idx, regno, off, size, t);  in check_mem_access()
2887 static int check_xadd(struct bpf_verifier_env *env, int insn_idx, struct bpf_insn *insn)  in check_xadd()  argument
2923 	err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off,  in check_xadd()
2929 	return check_mem_access(env, insn_idx, insn->dst_reg, insn->off,  in check_xadd()
3751 			   int *insn_idx)  in check_func_call()  argument
3763 	target_insn = *insn_idx + insn->imm;  in check_func_call()
3789 			*insn_idx /* callsite */,  in check_func_call()
3814 	*insn_idx = target_insn;  in check_func_call()
3825 static int prepare_func_exit(struct bpf_verifier_env *env, int *insn_idx)  in prepare_func_exit()  argument
3855 	*insn_idx = callee->callsite + 1;  in prepare_func_exit()
3859 		verbose(env, "to caller at %d:\n", *insn_idx);  in prepare_func_exit()
3887 		int func_id, int insn_idx)  in record_func_map()  argument
3889 	struct bpf_insn_aux_data *aux = &env->insn_aux_data[insn_idx];  in record_func_map()
3935 			state->refs[i].id, state->refs[i].insn_idx);  in check_reference_leak()
3940 static int check_helper_call(struct bpf_verifier_env *env, int func_id, int insn_idx)  in check_helper_call()  argument
4005 	err = record_func_map(env, &meta, func_id, insn_idx);  in check_helper_call()
4013 		err = check_mem_access(env, insn_idx, meta.regno, i, BPF_B,  in check_helper_call()
4104 		int id = acquire_reference_state(env, insn_idx);  in check_helper_call()
4200 	return &env->insn_aux_data[env->insn_idx];  in cur_aux()
4314 	ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true);  in sanitize_ptr_alu()
5004 					dst_reg->subreg_def = env->insn_idx + 1;  in check_alu_op()
5790 			     struct bpf_insn *insn, int *insn_idx)  in check_cond_jmp_op()  argument
5855 		*insn_idx += insn->off;  in check_cond_jmp_op()
5864 	other_branch = push_stack(env, *insn_idx + insn->off + 1, *insn_idx,  in check_cond_jmp_op()
6099 	regs[BPF_REG_0].subreg_def = env->insn_idx + 1;  in check_ld_abs()
6800 		if (sl->state.insn_idx != insn ||  in clean_live_states()
7225 static int is_state_visited(struct bpf_verifier_env *env, int insn_idx)  in is_state_visited()  argument
7234 	if (!env->insn_aux_data[insn_idx].prune_point)  in is_state_visited()
7252 	pprev = explored_state(env, insn_idx);  in is_state_visited()
7255 	clean_live_states(env, insn_idx, cur);  in is_state_visited()
7259 		if (sl->state.insn_idx != insn_idx)  in is_state_visited()
7264 				verbose_linfo(env, insn_idx, "; ");  in is_state_visited()
7265 				verbose(env, "infinite loop detected at insn %d\n", insn_idx);  in is_state_visited()
7388 	new->insn_idx = insn_idx;  in is_state_visited()
7390 		  "BUG is_state_visited:branches_to_explore=%d insn %d\n", new->branches, insn_idx);  in is_state_visited()
7393 	cur->first_insn_idx = insn_idx;  in is_state_visited()
7395 	new_sl->next = *explored_state(env, insn_idx);  in is_state_visited()
7396 	*explored_state(env, insn_idx) = new_sl;  in is_state_visited()
7501 		if (env->insn_idx >= insn_cnt) {  in do_check()
7503 				env->insn_idx, insn_cnt);  in do_check()
7507 		insn = &insns[env->insn_idx];  in do_check()
7517 		err = is_state_visited(env, env->insn_idx);  in do_check()
7525 						env->prev_insn_idx, env->insn_idx,  in do_check()
7529 					verbose(env, "%d: safe\n", env->insn_idx);  in do_check()
7543 				verbose(env, "%d:", env->insn_idx);  in do_check()
7546 					env->prev_insn_idx, env->insn_idx,  in do_check()
7559 			verbose_linfo(env, env->insn_idx, "; ");  in do_check()
7560 			verbose(env, "%d: ", env->insn_idx);  in do_check()
7565 			err = bpf_prog_offload_verify_insn(env, env->insn_idx,  in do_check()
7572 		env->insn_aux_data[env->insn_idx].seen = true;  in do_check()
7573 		prev_insn_idx = env->insn_idx;  in do_check()
7599 			err = check_mem_access(env, env->insn_idx, insn->src_reg,  in do_check()
7605 			prev_src_type = &env->insn_aux_data[env->insn_idx].ptr_type;  in do_check()
7630 				err = check_xadd(env, env->insn_idx, insn);  in do_check()
7633 				env->insn_idx++;  in do_check()
7649 			err = check_mem_access(env, env->insn_idx, insn->dst_reg,  in do_check()
7655 			prev_dst_type = &env->insn_aux_data[env->insn_idx].ptr_type;  in do_check()
7683 			err = check_mem_access(env, env->insn_idx, insn->dst_reg,  in do_check()
7711 					err = check_func_call(env, insn, &env->insn_idx);  in do_check()
7713 					err = check_helper_call(env, insn->imm, env->insn_idx);  in do_check()
7727 				env->insn_idx += insn->off + 1;  in do_check()
7747 					err = prepare_func_exit(env, &env->insn_idx);  in do_check()
7779 						&env->insn_idx);  in do_check()
7789 				err = check_cond_jmp_op(env, insn, &env->insn_idx);  in do_check()
7806 				env->insn_idx++;  in do_check()
7807 				env->insn_aux_data[env->insn_idx].seen = true;  in do_check()
7817 		env->insn_idx++;  in do_check()