200 static int release_reference_nomark(struct bpf_verifier_state *state, int ref_obj_id);
201 static int release_reference(struct bpf_verifier_env *env, int ref_obj_id);
280 	int ref_obj_id;  member
301 	u32 ref_obj_id;  member
335 		u32 ref_obj_id;  member
774 		state->stack[spi].spilled_ptr.ref_obj_id = id;  in mark_stack_slots_dynptr()
775 		state->stack[spi - 1].spilled_ptr.ref_obj_id = id;  in mark_stack_slots_dynptr()
824 	int spi, ref_obj_id, i;  in unmark_stack_slots_dynptr()  local
835 	ref_obj_id = state->stack[spi].spilled_ptr.ref_obj_id;  in unmark_stack_slots_dynptr()
845 	WARN_ON_ONCE(release_reference(env, ref_obj_id));  in unmark_stack_slots_dynptr()
849 		if (state->stack[i].spilled_ptr.ref_obj_id != ref_obj_id)  in unmark_stack_slots_dynptr()
1048 		st->ref_obj_id = i == 0 ? id : 0;  in mark_stack_slots_iter()
1078 			WARN_ON_ONCE(release_reference(env, st->ref_obj_id));  in unmark_stack_slots_iter()
1138 		if (i == 0 && !st->ref_obj_id)  in is_iter_reg_valid_init()
1140 		if (i != 0 && st->ref_obj_id)  in is_iter_reg_valid_init()
1180 	st->ref_obj_id = id;  in mark_stack_slot_irq_flag()
1214 	err = release_irq_state(env->cur_state, st->ref_obj_id);  in unmark_stack_slot_irq_flag()
1281 	if (!st->ref_obj_id)  in is_irq_flag_reg_valid_init()
2094 	reg->ref_obj_id = 0;  in __mark_reg_known()
2659 	reg->ref_obj_id = 0;  in __mark_reg_unknown_imprecise()
6124 			if (info->ref_obj_id &&  in check_ctx_access()
6125 			    !find_reference_state(env->cur_state, info->ref_obj_id)) {  in check_ctx_access()
6273 	if (reg->ref_obj_id)  in is_trusted_reg()
7168 		    !(reg->type & MEM_RCU) && !reg->ref_obj_id) {  in check_ptr_to_btf_access()
7556 					regs[value_regno].ref_obj_id = info.ref_obj_id;  in check_mem_access()
8598 	return state->stack[spi].spilled_ptr.ref_obj_id;  in iter_ref_obj_id()
8708 		meta->ref_obj_id = iter_ref_obj_id(env, reg, spi);  in process_iter_arg()
9378 		return reg->ref_obj_id;  in dynptr_ref_obj_id()
9382 	return state->stack[spi].spilled_ptr.ref_obj_id;  in dynptr_ref_obj_id()
9587 				if (spi < 0 || !state->stack[spi].spilled_ptr.ref_obj_id) {  in check_func_arg()
9595 		} else if (!reg->ref_obj_id && !register_is_null(reg)) {  in check_func_arg()
9607 	if (reg->ref_obj_id && base_type(arg_type) != ARG_KPTR_XCHG_DEST) {  in check_func_arg()
9608 		if (meta->ref_obj_id) {  in check_func_arg()
9610 				regno, reg->ref_obj_id,  in check_func_arg()
9611 				meta->ref_obj_id);  in check_func_arg()
9614 		meta->ref_obj_id = reg->ref_obj_id;  in check_func_arg()
10203 static int release_reference_nomark(struct bpf_verifier_state *state, int ref_obj_id)  in release_reference_nomark()  argument
10210 		if (state->refs[i].id == ref_obj_id) {  in release_reference_nomark()
10223 static int release_reference(struct bpf_verifier_env *env, int ref_obj_id)  in release_reference()  argument
10230 	err = release_reference_nomark(vstate, ref_obj_id);  in release_reference()
10235 		if (reg->ref_obj_id == ref_obj_id)  in release_reference()
11062 		    reg->ref_obj_id == state->refs[i].id)  in check_reference_leak()
11361 		} else if (func_id == BPF_FUNC_kptr_xchg && meta.ref_obj_id) {  in check_helper_call()
11362 			u32 ref_obj_id = meta.ref_obj_id;  in check_helper_call()  local
11367 			err = release_reference_nomark(env->cur_state, ref_obj_id);  in check_helper_call()
11370 					if (reg->ref_obj_id == ref_obj_id) {  in check_helper_call()
11372 							reg->ref_obj_id = 0;  in check_helper_call()
11381 		} else if (meta.ref_obj_id) {  in check_helper_call()
11382 			err = release_reference(env, meta.ref_obj_id);  in check_helper_call()
11466 		int id, ref_obj_id;  in check_helper_call()  local
11477 		if (meta.ref_obj_id) {  in check_helper_call()
11488 		ref_obj_id = dynptr_ref_obj_id(env, reg);  in check_helper_call()
11489 		if (ref_obj_id < 0) {  in check_helper_call()
11491 			return ref_obj_id;  in check_helper_call()
11495 		meta.ref_obj_id = ref_obj_id;  in check_helper_call()
11705 		regs[BPF_REG_0].ref_obj_id = meta.ref_obj_id;  in check_helper_call()
11714 		regs[BPF_REG_0].ref_obj_id = id;  in check_helper_call()
12371 	if ((is_kfunc_release(meta) && reg->ref_obj_id) ||  in process_kf_arg_ptr_to_btf_id()
12471 static int ref_convert_owning_non_owning(struct bpf_verifier_env *env, u32 ref_obj_id)  in ref_convert_owning_non_owning()  argument
12478 	if (!ref_obj_id) {  in ref_convert_owning_non_owning()
12485 		if (state->refs[i].id != ref_obj_id)  in ref_convert_owning_non_owning()
12492 			if (reg->ref_obj_id == ref_obj_id) {  in ref_convert_owning_non_owning()
12493 				reg->ref_obj_id = 0;  in ref_convert_owning_non_owning()
12967 		if (reg->ref_obj_id) {  in check_kfunc_args()
12968 			if (is_kfunc_release(meta) && meta->ref_obj_id) {  in check_kfunc_args()
12970 					regno, reg->ref_obj_id,  in check_kfunc_args()
12971 					meta->ref_obj_id);  in check_kfunc_args()
12974 			meta->ref_obj_id = reg->ref_obj_id;  in check_kfunc_args()
13055 		if (is_kfunc_release(meta) && reg->ref_obj_id)  in check_kfunc_args()
13091 			if (!reg->ref_obj_id) {  in check_kfunc_args()
13125 				clone_ref_obj_id = meta->initialized_dynptr.ref_obj_id;  in check_kfunc_args()
13145 				meta->initialized_dynptr.ref_obj_id = dynptr_ref_obj_id(env, reg);  in check_kfunc_args()
13167 			if (reg->type == (PTR_TO_BTF_ID | MEM_ALLOC) && !reg->ref_obj_id) {  in check_kfunc_args()
13181 			if (reg->type == (PTR_TO_BTF_ID | MEM_ALLOC) && !reg->ref_obj_id) {  in check_kfunc_args()
13194 			if (!reg->ref_obj_id) {  in check_kfunc_args()
13204 				if (!type_is_non_owning_ref(reg->type) || reg->ref_obj_id) {  in check_kfunc_args()
13217 				if (!reg->ref_obj_id) {  in check_kfunc_args()
13585 		err = release_reference(env, regs[meta.release_regno].ref_obj_id);  in check_kfunc_call()
13596 		release_ref_obj_id = regs[BPF_REG_2].ref_obj_id;  in check_kfunc_call()
13847 			if (meta.ref_obj_id)  in check_kfunc_call()
13848 				regs[BPF_REG_0].ref_obj_id = meta.ref_obj_id;  in check_kfunc_call()
13883 			regs[BPF_REG_0].ref_obj_id = id;  in check_kfunc_call()
16130 			reg->ref_obj_id = 0;  in mark_ptr_or_null_reg()
16157 	u32 ref_obj_id = regs[regno].ref_obj_id;  in mark_ptr_or_null_regs()  local
16160 	if (ref_obj_id && ref_obj_id == id && is_null)  in mark_ptr_or_null_regs()
16842 			if (ret_type && ret_type == reg_type && reg->ref_obj_id)  in check_return_code()
18298 	       check_ids(rold->ref_obj_id, rcur->ref_obj_id, idmap);  in regs_exact()
18402 		       check_ids(rold->ref_obj_id, rcur->ref_obj_id, idmap);  in regsafe()
18567 			    !check_ids(old_reg->ref_obj_id, cur_reg->ref_obj_id, idmap))  in stacksafe()
18583 			    !check_ids(old_reg->ref_obj_id, cur_reg->ref_obj_id, idmap))  in stacksafe()
18589 			if (!check_ids(old_reg->ref_obj_id, cur_reg->ref_obj_id, idmap) ||  in stacksafe()
22772 			aux->ctx_arg_info[i].ref_obj_id = aux->ctx_arg_info[i].refcounted ?  in do_check_common()