6651 				   struct bpf_func_state *callee,
6660 	struct bpf_func_state *caller, *callee;  in __check_func_call()  local
6715 		callee = async_cb->frame[0];  in __check_func_call()
6716 		callee->async_entry_cnt = caller->async_entry_cnt + 1;  in __check_func_call()
6719 		err = set_callee_state_cb(env, caller, callee, *insn_idx);  in __check_func_call()
6730 	callee = kzalloc(sizeof(*callee), GFP_KERNEL);  in __check_func_call()
6731 	if (!callee)  in __check_func_call()
6733 	state->frame[state->curframe + 1] = callee;  in __check_func_call()
6739 	init_func_state(env, callee,  in __check_func_call()
6746 	err = copy_reference_state(callee, caller);  in __check_func_call()
6750 	err = set_callee_state_cb(env, caller, callee, *insn_idx);  in __check_func_call()
6766 		print_verifier_state(env, callee, true);  in __check_func_call()
6771 	free_func_state(callee);  in __check_func_call()
6778 				   struct bpf_func_state *callee)  in map_set_for_each_callback_args()  argument
6785 	callee->regs[BPF_REG_1] = caller->regs[BPF_REG_1];  in map_set_for_each_callback_args()
6787 	callee->regs[BPF_REG_2].type = PTR_TO_MAP_KEY;  in map_set_for_each_callback_args()
6788 	__mark_reg_known_zero(&callee->regs[BPF_REG_2]);  in map_set_for_each_callback_args()
6789 	callee->regs[BPF_REG_2].map_ptr = caller->regs[BPF_REG_1].map_ptr;  in map_set_for_each_callback_args()
6791 	callee->regs[BPF_REG_3].type = PTR_TO_MAP_VALUE;  in map_set_for_each_callback_args()
6792 	__mark_reg_known_zero(&callee->regs[BPF_REG_3]);  in map_set_for_each_callback_args()
6793 	callee->regs[BPF_REG_3].map_ptr = caller->regs[BPF_REG_1].map_ptr;  in map_set_for_each_callback_args()
6796 	callee->regs[BPF_REG_4] = caller->regs[BPF_REG_3];  in map_set_for_each_callback_args()
6799 	__mark_reg_not_init(env, &callee->regs[BPF_REG_5]);  in map_set_for_each_callback_args()
6805 			    struct bpf_func_state *callee, int insn_idx)  in set_callee_state()  argument
6813 		callee->regs[i] = caller->regs[i];  in set_callee_state()
6835 				       struct bpf_func_state *callee,  in set_map_elem_callback_state()  argument
6854 	err = map->ops->map_set_for_each_callback_args(env, caller, callee);  in set_map_elem_callback_state()
6858 	callee->in_callback_fn = true;  in set_map_elem_callback_state()
6859 	callee->callback_ret_range = tnum_range(0, 1);  in set_map_elem_callback_state()
6865 				   struct bpf_func_state *callee,  in set_loop_callback_state()  argument
6872 	callee->regs[BPF_REG_1].type = SCALAR_VALUE;  in set_loop_callback_state()
6873 	callee->regs[BPF_REG_2] = caller->regs[BPF_REG_3];  in set_loop_callback_state()
6876 	__mark_reg_not_init(env, &callee->regs[BPF_REG_3]);  in set_loop_callback_state()
6877 	__mark_reg_not_init(env, &callee->regs[BPF_REG_4]);  in set_loop_callback_state()
6878 	__mark_reg_not_init(env, &callee->regs[BPF_REG_5]);  in set_loop_callback_state()
6880 	callee->in_callback_fn = true;  in set_loop_callback_state()
6881 	callee->callback_ret_range = tnum_range(0, 1);  in set_loop_callback_state()
6887 				    struct bpf_func_state *callee,  in set_timer_callback_state()  argument
6895 	callee->regs[BPF_REG_1].type = CONST_PTR_TO_MAP;  in set_timer_callback_state()
6896 	__mark_reg_known_zero(&callee->regs[BPF_REG_1]);  in set_timer_callback_state()
6897 	callee->regs[BPF_REG_1].map_ptr = map_ptr;  in set_timer_callback_state()
6899 	callee->regs[BPF_REG_2].type = PTR_TO_MAP_KEY;  in set_timer_callback_state()
6900 	__mark_reg_known_zero(&callee->regs[BPF_REG_2]);  in set_timer_callback_state()
6901 	callee->regs[BPF_REG_2].map_ptr = map_ptr;  in set_timer_callback_state()
6903 	callee->regs[BPF_REG_3].type = PTR_TO_MAP_VALUE;  in set_timer_callback_state()
6904 	__mark_reg_known_zero(&callee->regs[BPF_REG_3]);  in set_timer_callback_state()
6905 	callee->regs[BPF_REG_3].map_ptr = map_ptr;  in set_timer_callback_state()
6908 	__mark_reg_not_init(env, &callee->regs[BPF_REG_4]);  in set_timer_callback_state()
6909 	__mark_reg_not_init(env, &callee->regs[BPF_REG_5]);  in set_timer_callback_state()
6910 	callee->in_async_callback_fn = true;  in set_timer_callback_state()
6911 	callee->callback_ret_range = tnum_range(0, 1);  in set_timer_callback_state()
6917 				       struct bpf_func_state *callee,  in set_find_vma_callback_state()  argument
6925 	callee->regs[BPF_REG_1] = caller->regs[BPF_REG_1];  in set_find_vma_callback_state()
6927 	callee->regs[BPF_REG_2].type = PTR_TO_BTF_ID;  in set_find_vma_callback_state()
6928 	__mark_reg_known_zero(&callee->regs[BPF_REG_2]);  in set_find_vma_callback_state()
6929 	callee->regs[BPF_REG_2].btf =  btf_vmlinux;  in set_find_vma_callback_state()
6930 	callee->regs[BPF_REG_2].btf_id = btf_tracing_ids[BTF_TRACING_TYPE_VMA],  in set_find_vma_callback_state()
6933 	callee->regs[BPF_REG_3] = caller->regs[BPF_REG_4];  in set_find_vma_callback_state()
6936 	__mark_reg_not_init(env, &callee->regs[BPF_REG_4]);  in set_find_vma_callback_state()
6937 	__mark_reg_not_init(env, &callee->regs[BPF_REG_5]);  in set_find_vma_callback_state()
6938 	callee->in_callback_fn = true;  in set_find_vma_callback_state()
6939 	callee->callback_ret_range = tnum_range(0, 1);  in set_find_vma_callback_state()
6945 					   struct bpf_func_state *callee,  in set_user_ringbuf_callback_state()  argument
6952 	__mark_reg_not_init(env, &callee->regs[BPF_REG_0]);  in set_user_ringbuf_callback_state()
6953 	callee->regs[BPF_REG_1].type = PTR_TO_DYNPTR | DYNPTR_TYPE_LOCAL;  in set_user_ringbuf_callback_state()
6954 	__mark_reg_known_zero(&callee->regs[BPF_REG_1]);  in set_user_ringbuf_callback_state()
6955 	callee->regs[BPF_REG_2] = caller->regs[BPF_REG_3];  in set_user_ringbuf_callback_state()
6958 	__mark_reg_not_init(env, &callee->regs[BPF_REG_3]);  in set_user_ringbuf_callback_state()
6959 	__mark_reg_not_init(env, &callee->regs[BPF_REG_4]);  in set_user_ringbuf_callback_state()
6960 	__mark_reg_not_init(env, &callee->regs[BPF_REG_5]);  in set_user_ringbuf_callback_state()
6962 	callee->in_callback_fn = true;  in set_user_ringbuf_callback_state()
6963 	callee->callback_ret_range = tnum_range(0, 1);  in set_user_ringbuf_callback_state()
6970 	struct bpf_func_state *caller, *callee;  in prepare_func_exit()  local
6974 	callee = state->frame[state->curframe];  in prepare_func_exit()
6975 	r0 = &callee->regs[BPF_REG_0];  in prepare_func_exit()
6988 	if (callee->in_callback_fn) {  in prepare_func_exit()
6990 		struct tnum range = callee->callback_ret_range;  in prepare_func_exit()
7010 	if (!callee->in_callback_fn) {  in prepare_func_exit()
7012 		err = copy_reference_state(caller, callee);  in prepare_func_exit()
7017 	*insn_idx = callee->callsite + 1;  in prepare_func_exit()
7020 		print_verifier_state(env, callee, true);  in prepare_func_exit()
7025 	free_func_state(callee);  in prepare_func_exit()