another round of memory leak fixes (the last one)

Makefile

@@ -13,6 +13,10 @@ ccflags-y += -foptimize-sibling-calls \
 			 -Wall -g \
 			 #-Dd_m3LogCompile=1
 
+# The wasm compiler module is not sanitized since it does a lot of recursion at the
+# beginning and it's causing a stack overflow together with the sanitized code.
+KASAN_SANITIZE_m3_compile.o := n
+
 # Enable floating point arithmetic
 ARCH := $(shell uname -m)
 ifeq ($(ARCH), x86_64)

README.md

@@ -132,14 +132,39 @@ Between two applications - both of them intercepted by this module - the traffic
 
 ## Debugging
 
-Most of the logs of this module are on debug level and can be shown using [dynamic debug](https://www.kernel.org/doc/html/latest/admin-guide/dynamic-debug-howto.html) feature of the Linux kernel.
+### Logging
 
-Use the following command to turn on debug level logging for the module:
+Most of the logs of this module are on the debug level and can be shown using the [dynamic debug](https://www.kernel.org/doc/html/latest/admin-guide/dynamic-debug-howto.html) feature of the Linux kernel.
+
+Use the following command to turn on debug-level logging for the module:
 
 ```bash
 echo -n '-p; module camblet file opa.c  +pftl' | sudo tee /proc/dynamic_debug/control > /dev/null
 ```
 
+### Kernel debugging environment
+
+The kernel module can be traced for memory leaks and other issues with the help of fine tools, like [KASAN](https://www.kernel.org/doc/html/latest/dev-tools/kasan.html) and [Kmemleak](https://www.kernel.org/doc/html/latest/dev-tools/kmemleak.html).
+
+To create a kernel debugging environment on Fedora, follow these steps:
+
+```bash
+limactl start --name fedora-debug template://fedora --vm-type vz --set '.mounts[0].writable=true'
+
+# Enter the VM
+limactl shell fedora-debug
+
+sudo dnf update
+sudo dnf install kernel-debug kernel-debug-devel
+
+# Check the current debug kernel version, and set it as default (ls /boot/)
+CURRENT_DEBUG_KERNEL=vmlinuz-6.8.7-200.fc39.aarch64+debug
+
+sudo grubby --set-default ${CURRENT_DEBUG_KERNEL}
+sudo grubby --update-kernel=${CURRENT_DEBUG_KERNEL} --args kmemleak=on kasan=on
+sudo reboot
+```
+
 ### Test mTLS
 
 The kernel module offers TLS termination on certain ports selected by an [OPA](https://www.openpolicyagent.org) rule-set:

include/augmentation.h

@@ -35,4 +35,6 @@ void augmentation_response_put(augmentation_response *response);
  */
 augmentation_response *augment_workload(void);
 
+void free_augmentation_cache(void);
+
 #endif

include/cert_tools.h

@@ -61,4 +61,6 @@ int set_cert_validity(x509_certificate *x509_cert);
 
 size_t linkedlist_length(struct list_head *head);
 
-#endif
+void free_cert_cache(void);
+
+#endif

include/csr.h

@@ -44,5 +44,6 @@ wasm_vm_result csr_free(csr_module *csr, i32 ptr);
 wasm_vm_module *get_csr_module(csr_module *csr);
 void csr_lock(csr_module *csr);
 void csr_unlock(csr_module *csr);
+void free_csr_modules(void);
 
 #endif

include/opa.h

@@ -38,5 +38,6 @@ void opa_socket_context_free(opa_socket_context ctx);
 wasm_vm_result init_opa_for(wasm_vm *vm, wasm_vm_module *module);
 opa_socket_context this_cpu_opa_socket_eval(const char *input);
 void load_opa_data(const char *data);
+void free_opa_modules(void);
 
 #endif

src/augmentation.c

@@ -268,3 +268,18 @@ augmentation_response *augment_workload()
     augmentation_response_free(response);
     return error;
 }
+
+// cleanup the cache
+void free_augmentation_cache()
+{
+    augmentation_response_cache_entry *entry, *tmp;
+
+    augmentation_response_cache_lock();
+
+    list_for_each_entry_safe(entry, tmp, &augmentation_response_cache, list)
+    {
+        augmentation_response_cache_remove_locked(entry);
+    }
+
+    augmentation_response_cache_unlock();
+}

src/cert_tools.c

@@ -247,3 +247,17 @@ void x509_certificate_put(x509_certificate *cert)
 
     kref_put(&cert->kref, x509_certificate_release);
 }
+
+void free_cert_cache()
+{
+    cert_with_key *cert_bundle, *tmp;
+
+    cert_cache_lock();
+
+    list_for_each_entry_safe(cert_bundle, tmp, &cert_cache, list)
+    {
+        remove_cert_from_cache_locked(cert_bundle);
+    }
+
+    cert_cache_unlock();
+}

src/csr.c

@@ -46,19 +46,28 @@ void csr_unlock(csr_module *csr)
     wasm_vm_unlock(csr->vm);
 }
 
+static void free_csr_module(csr_module *csr)
+{
+    if (csr)
+    {
+        kfree(csr);
+    }
+}
+
 wasm_vm_result init_csr_for(wasm_vm *vm, wasm_vm_module *module)
 {
     wasm_vm_result result;
-    csr_module *csr = csr_modules[wasm_vm_cpu(vm)];
-    if (csr == NULL)
+    unsigned cpu = wasm_vm_cpu(vm);
+    csr_module *csr = csr_modules[cpu];
+    if (!csr)
     {
         csr = kzalloc(sizeof(struct csr_module), GFP_KERNEL);
         if (!csr)
         {
             return wasm_vm_error("could not allocate memory");
         }
         csr->vm = vm;
-        csr_modules[wasm_vm_cpu(vm)] = csr;
+        csr_modules[cpu] = csr;
     }
     wasm_vm_try_get_function(csr->generate_csr, wasm_vm_get_function(vm, module->name, "csr_gen"));
     wasm_vm_try_get_function(csr->csr_malloc, wasm_vm_get_function(vm, module->name, "csr_malloc"));
@@ -68,6 +77,10 @@ wasm_vm_result init_csr_for(wasm_vm *vm, wasm_vm_module *module)
     if (result.err)
     {
         pr_crit("csr module function lookups failed # module[%s] result_err[%s] wasm_last_err[%s]", module->name, result.err, wasm_vm_last_error(module));
+
+        free_csr_module(csr);
+        csr_modules[cpu] = NULL;
+
         return result;
     }
 
@@ -172,3 +185,18 @@ csr_result csr_gen(csr_module *csr, i32 priv_key_buff_ptr, i32 priv_key_buff_len
     }
     return result;
 }
+
+void free_csr_modules(void)
+{
+    unsigned cpu;
+
+    for_each_online_cpu(cpu)
+    {
+        csr_module *csr = csr_modules[cpu];
+        if (csr)
+        {
+            free_csr_module(csr);
+            csr_modules[cpu] = NULL;
+        }
+    }
+}

src/main.c

@@ -13,6 +13,7 @@
 #include <linux/module.h>
 
 #include "device_driver.h"
+#include "csr.h"
 #include "opa.h"
 #include "socket.h"
 #include "wasm.h"
@@ -42,6 +43,8 @@ MODULE_PARM_DESC(ktls_available, "Marks if kTLS is available on the system");
 typedef struct camblet_init_status
 {
     bool wasm;
+    bool wasm_opa;
+    bool wasm_csr;
     bool chardev;
     bool socket;
     bool sd_table;
@@ -56,6 +59,10 @@ static void __camblet_exit(void)
         socket_exit();
     if (__camblet_init_status.chardev)
         chardev_exit();
+    if (__camblet_init_status.wasm_csr)
+        free_csr_modules();
+    if (__camblet_init_status.wasm_opa)
+        free_opa_modules();
     if (__camblet_init_status.wasm)
         wasm_vm_destroy_per_cpu();
     if (__camblet_init_status.sd_table)
@@ -138,6 +145,8 @@ static int __init camblet_init(void)
         goto out;
     }
 
+    __camblet_init_status.wasm_csr = true;
+
     result = load_module("socket_opa", socket_wasm, socket_wasm_len, NULL);
     if (result.err)
     {
@@ -146,6 +155,8 @@ static int __init camblet_init(void)
         goto out;
     }
 
+    __camblet_init_status.wasm_opa = true;
+
 out:
     if (ret < 0)
         __camblet_exit();

src/opa.c

@@ -686,7 +686,7 @@ wasm_vm_result init_opa_for(wasm_vm *vm, wasm_vm_module *module)
     wasm_vm_result result;
     wasm_vm_function *builtinsFunc;
 
-    opa_wrapper *opa = kmalloc(sizeof(struct opa_wrapper), GFP_KERNEL);
+    opa_wrapper *opa = kzalloc(sizeof(struct opa_wrapper), GFP_KERNEL);
     if (!opa)
     {
         return wasm_vm_error("could not allocate memory");
@@ -824,3 +824,19 @@ void load_opa_data(const char *data)
         }
     }
 }
+
+void free_opa_modules(void)
+{
+    unsigned cpu;
+
+    for_each_online_cpu(cpu)
+    {
+        opa_wrapper *opa = opas[cpu];
+        if (opa)
+        {
+            kfree(opa->builtins);
+            kfree(opa);
+            opas[cpu] = NULL;
+        }
+    }
+}

src/socket.c

@@ -2323,5 +2323,8 @@ void socket_exit(void)
 	free_rsa_private_key(rsa_priv);
 	free_rsa_public_key(rsa_pub);
 
+	free_augmentation_cache();
+	free_cert_cache();
+
 	pr_info("socket support unloaded");
 }

third-party/picohttpparser/picohttpparser.c

@@ -26,7 +26,7 @@
 
 #include "assert.h"
 #include <linux/slab.h>
-#ifdef __SSE4_2__
+#if __SSE4_2__ && !__KERNEL__
 #ifdef _MSC_VER
 #include <nmmintrin.h>
 #else
@@ -104,7 +104,7 @@ static const char *token_char_map = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
 static const char *findchar_fast(const char *buf, const char *buf_end, const char *ranges, size_t ranges_size, int *found)
 {
     *found = 0;
-#if __SSE4_2__
+#if __SSE4_2__ && !__KERNEL__
     if (likely(buf_end - buf >= 16)) {
         __m128i ranges16 = _mm_loadu_si128((const __m128i *)ranges);
 
@@ -134,7 +134,7 @@ static const char *get_token_to_eol(const char *buf, const char *buf_end, const
 {
     const char *token_start = buf;
 
-#ifdef __SSE4_2__
+#if __SSE4_2__ && !__KERNEL__
     static const char ALIGNED(16) ranges1[16] = "\0\010"    /* allow HT */
                                                 "\012\037"  /* allow SP and up to but not including DEL */
                                                 "\177\177"; /* allow chars w. MSB set */