722 		state->stack[spi].slot_type[i] = STACK_DYNPTR;  in mark_stack_slots_dynptr()
723 		state->stack[spi - 1].slot_type[i] = STACK_DYNPTR;  in mark_stack_slots_dynptr()
730 	state->stack[spi].spilled_ptr.dynptr.first_slot = true;  in mark_stack_slots_dynptr()
731 	state->stack[spi].spilled_ptr.dynptr.type = type;  in mark_stack_slots_dynptr()
732 	state->stack[spi - 1].spilled_ptr.dynptr.type = type;  in mark_stack_slots_dynptr()
740 		state->stack[spi].spilled_ptr.id = id;  in mark_stack_slots_dynptr()
741 		state->stack[spi - 1].spilled_ptr.id = id;  in mark_stack_slots_dynptr()
758 		state->stack[spi].slot_type[i] = STACK_INVALID;  in unmark_stack_slots_dynptr()
759 		state->stack[spi - 1].slot_type[i] = STACK_INVALID;  in unmark_stack_slots_dynptr()
763 	if (dynptr_type_refcounted(state->stack[spi].spilled_ptr.dynptr.type)) {  in unmark_stack_slots_dynptr()
764 		release_reference(env, state->stack[spi].spilled_ptr.id);  in unmark_stack_slots_dynptr()
765 		state->stack[spi].spilled_ptr.id = 0;  in unmark_stack_slots_dynptr()
766 		state->stack[spi - 1].spilled_ptr.id = 0;  in unmark_stack_slots_dynptr()
769 	state->stack[spi].spilled_ptr.dynptr.first_slot = false;  in unmark_stack_slots_dynptr()
770 	state->stack[spi].spilled_ptr.dynptr.type = 0;  in unmark_stack_slots_dynptr()
771 	state->stack[spi - 1].spilled_ptr.dynptr.type = 0;  in unmark_stack_slots_dynptr()
786 		if (state->stack[spi].slot_type[i] == STACK_DYNPTR ||  in is_dynptr_reg_valid_uninit()
787 		    state->stack[spi - 1].slot_type[i] == STACK_DYNPTR)  in is_dynptr_reg_valid_uninit()
802 	    !state->stack[spi].spilled_ptr.dynptr.first_slot)  in is_dynptr_reg_valid_init()
806 		if (state->stack[spi].slot_type[i] != STACK_DYNPTR ||  in is_dynptr_reg_valid_init()
807 		    state->stack[spi - 1].slot_type[i] != STACK_DYNPTR)  in is_dynptr_reg_valid_init()
828 	return state->stack[spi].spilled_ptr.dynptr.type == dynptr_type;  in is_dynptr_type_expected()
834 static bool is_spilled_reg(const struct bpf_stack_state *stack)  in is_spilled_reg()  argument
836 	return stack->slot_type[BPF_REG_SIZE - 1] == STACK_SPILL;  in is_spilled_reg()
946 			if (state->stack[i].slot_type[j] != STACK_INVALID)  in print_verifier_state()
949 					state->stack[i].slot_type[j]];  in print_verifier_state()
957 		print_liveness(env, state->stack[i].spilled_ptr.live);  in print_verifier_state()
958 		if (is_spilled_reg(&state->stack[i])) {  in print_verifier_state()
959 			reg = &state->stack[i].spilled_ptr;  in print_verifier_state()
1078 	dst->stack = copy_array(dst->stack, src->stack, n, sizeof(struct bpf_stack_state),  in copy_stack_state()
1080 	if (!dst->stack)  in copy_stack_state()
1105 	state->stack = realloc_array(state->stack, old_n, n, sizeof(struct bpf_stack_state));  in grow_stack_state()
1106 	if (!state->stack)  in grow_stack_state()
1162 	kfree(state->stack);  in free_func_state()
2828 				if (!is_spilled_reg(&func->stack[j]))  in mark_all_scalars_precise()
2830 				reg = &func->stack[j].spilled_ptr;  in mark_all_scalars_precise()
2854 			if (!is_spilled_reg(&func->stack[j]))  in mark_all_scalars_imprecise()
2856 			reg = &func->stack[j].spilled_ptr;  in mark_all_scalars_imprecise()
2983 		if (!is_spilled_reg(&func->stack[spi])) {  in __mark_chain_precision()
2987 		reg = &func->stack[spi].spilled_ptr;  in __mark_chain_precision()
3108 			if (!is_spilled_reg(&func->stack[i])) {  in __mark_chain_precision()
3112 			reg = &func->stack[i].spilled_ptr;  in __mark_chain_precision()
3231 	copy_register_state(&state->stack[spi].spilled_ptr, reg);  in save_register_state()
3233 		state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN;  in save_register_state()
3236 		state->stack[spi].slot_type[i - 1] = STACK_SPILL;  in save_register_state()
3240 		scrub_spilled_slot(&state->stack[spi].slot_type[i - 1]);  in save_register_state()
3270 	    is_spilled_reg(&state->stack[spi]) &&  in check_stack_write_fixed_off()
3283 			u8 type = state->stack[spi].slot_type[i];  in check_stack_write_fixed_off()
3312 			state->stack[spi].spilled_ptr.id = 0;  in check_stack_write_fixed_off()
3336 		state->stack[spi].spilled_ptr.type = NOT_INIT;  in check_stack_write_fixed_off()
3338 		if (is_spilled_reg(&state->stack[spi]))  in check_stack_write_fixed_off()
3340 				scrub_spilled_slot(&state->stack[spi].slot_type[i]);  in check_stack_write_fixed_off()
3351 			state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN;  in check_stack_write_fixed_off()
3365 			state->stack[spi].slot_type[(slot - i) % BPF_REG_SIZE] =  in check_stack_write_fixed_off()
3427 		stype = &state->stack[spi].slot_type[slot % BPF_REG_SIZE];  in check_stack_write_var_off()
3448 		state->stack[spi].spilled_ptr.type = NOT_INIT;  in check_stack_write_var_off()
3502 		stype = ptr_state->stack[spi].slot_type;  in mark_reg_stack_read()
3550 	stype = reg_state->stack[spi].slot_type;  in check_stack_read_fixed_off()
3551 	reg = &reg_state->stack[spi].spilled_ptr;  in check_stack_read_fixed_off()
3553 	if (is_spilled_reg(&reg_state->stack[spi])) {  in check_stack_read_fixed_off()
4454 	u16 stack = env->subprog_info[func->subprogno].stack_depth;  in update_stack_depth()  local
4456 	if (stack >= -off)  in update_stack_depth()
5404 		stype = &state->stack[spi].slot_type[slot % BPF_REG_SIZE];  in check_stack_range_initialized()
5415 		if (is_spilled_reg(&state->stack[spi]) &&  in check_stack_range_initialized()
5416 		    (state->stack[spi].spilled_ptr.type == SCALAR_VALUE ||  in check_stack_range_initialized()
5419 				__mark_reg_unknown(env, &state->stack[spi].spilled_ptr);  in check_stack_range_initialized()
5421 					scrub_spilled_slot(&state->stack[spi].slot_type[j]);  in check_stack_range_initialized()
5442 		mark_reg_read(env, &state->stack[spi].spilled_ptr,  in check_stack_range_initialized()
5443 			      state->stack[spi].spilled_ptr.parent,  in check_stack_range_initialized()
6148 	return state->stack[spi].spilled_ptr.id;  in stack_slot_get_id()
6215 			    !state->stack[spi].spilled_ptr.id) {  in check_func_arg()
11708 		live = st->stack[i].spilled_ptr.live;  in clean_func_state()
11710 		st->stack[i].spilled_ptr.live |= REG_LIVE_DONE;  in clean_func_state()
11712 			__mark_reg_not_init(env, &st->stack[i].spilled_ptr);  in clean_func_state()
11714 				st->stack[i].slot_type[j] = STACK_INVALID;  in clean_func_state()
11917 		if (!(old->stack[spi].spilled_ptr.live & REG_LIVE_READ)) {  in stacksafe()
11923 		if (old->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_INVALID)  in stacksafe()
11936 		if (old->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_MISC &&  in stacksafe()
11937 		    cur->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_ZERO)  in stacksafe()
11939 		if (old->stack[spi].slot_type[i % BPF_REG_SIZE] !=  in stacksafe()
11940 		    cur->stack[spi].slot_type[i % BPF_REG_SIZE])  in stacksafe()
11949 		if (!is_spilled_reg(&old->stack[spi]))  in stacksafe()
11951 		if (!regsafe(env, &old->stack[spi].spilled_ptr,  in stacksafe()
11952 			     &cur->stack[spi].spilled_ptr, idmap))  in stacksafe()
12121 			parent_reg = &parent->stack[i].spilled_ptr;  in propagate_liveness()
12122 			state_reg = &state->stack[i].spilled_ptr;  in propagate_liveness()
12158 			if (!is_spilled_reg(&state->stack[i]))  in propagate_precision()
12160 			state_reg = &state->stack[i].spilled_ptr;  in propagate_precision()
12413 			frame->stack[i].spilled_ptr.live = REG_LIVE_NONE;  in is_state_visited()
12414 			frame->stack[i].spilled_ptr.parent =  in is_state_visited()
12415 						&newframe->stack[i].spilled_ptr;  in is_state_visited()