From ce41876ba409d284b9ebe13ea2d928f51edd89bf Mon Sep 17 00:00:00 2001
From: Anastasios Papagiannis <tasos.papagiannnis@gmail.com>
Date: Fri, 20 Sep 2024 11:50:13 +0000
Subject: [PATCH 1/2] [ksyms] Do not cache ksyms to reduce memory consumption

[ upstream commit f6bc9f72dd93 ("[ksyms] Do not cache ksyms to reduce
memory consumption") ]

We use ksyms for checking the proper exit hooks when loading the base
sensor. Furthermore, we use it when we add a kprobe policy for a
function that is part of a kernel module.

Having that always in memory, uses a lot of memory. This patch makes the
read of ksyms when we need that.

Signed-off-by: Anastasios Papagiannis <tasos.papagiannnis@gmail.com>
---
 pkg/ksyms/ksyms.go | 12 +-----------
 1 file changed, 1 insertion(+), 11 deletions(-)

diff --git a/pkg/ksyms/ksyms.go b/pkg/ksyms/ksyms.go
index 0799c5eafd9..7597d979424 100644
--- a/pkg/ksyms/ksyms.go
+++ b/pkg/ksyms/ksyms.go
@@ -11,7 +11,6 @@ import (
 	"sort"
 	"strconv"
 	"strings"
-	"sync"
 
 	"github.com/cilium/tetragon/pkg/logger"
 	"github.com/cilium/tetragon/pkg/option"
@@ -19,17 +18,8 @@ import (
 	lru "github.com/hashicorp/golang-lru/v2"
 )
 
-var (
-	kernelSymbols    *Ksyms
-	setKernelSymbols sync.Once
-)
-
 func KernelSymbols() (*Ksyms, error) {
-	var err error
-	setKernelSymbols.Do(func() {
-		kernelSymbols, err = NewKsyms(option.Config.ProcFS)
-	})
-	return kernelSymbols, err
+	return NewKsyms(option.Config.ProcFS)
 }
 
 type ksym struct {

From cc70591e47c9a32cd1966daa8b0b4730c9b7bec2 Mon Sep 17 00:00:00 2001
From: Anastasios Papagiannis <tasos.papagiannnis@gmail.com>
Date: Fri, 20 Sep 2024 12:34:40 +0000
Subject: [PATCH 2/2] [btf] Flush kernel spec (BTF) after loading a sensor

[ upstream commit 6f7092648172 ("[btf] Flush kernel spec (BTF) after
loading a sensor") ]

This patch flushes the BTF when we complete the loading of a sensor.

Signed-off-by: Anastasios Papagiannis <tasos.papagiannnis@gmail.com>
---
 pkg/bpf/detect.go             | 4 ++++
 pkg/sensors/load.go           | 4 ++++
 pkg/sensors/program/loader.go | 5 +++++
 3 files changed, 13 insertions(+)

diff --git a/pkg/bpf/detect.go b/pkg/bpf/detect.go
index 71d22e13402..0a84f35ae06 100644
--- a/pkg/bpf/detect.go
+++ b/pkg/bpf/detect.go
@@ -422,6 +422,10 @@ func HasMissedStatsKprobeMulti() bool {
 }
 
 func LogFeatures() string {
+	// once we have detected all features, flush the BTF spec
+	// we cache all values so calling again a Has* function will
+	// not load the BTF again
+	defer ebtf.FlushKernelSpec()
 	return fmt.Sprintf("override_return: %t, buildid: %t, kprobe_multi: %t, uprobe_multi %t, fmodret: %t, fmodret_syscall: %t, signal: %t, large: %t, link_pin: %t, lsm: %t, missed_stats_kprobe_multi: %t, missed_stats_kprobe: %t",
 		HasOverrideHelper(), HasBuildId(), HasKprobeMulti(), HasUprobeMulti(),
 		HasModifyReturn(), HasModifyReturnSyscall(), HasSignalHelper(), HasProgramLargeSize(),
diff --git a/pkg/sensors/load.go b/pkg/sensors/load.go
index 0d1be2e6519..821ed60dbfa 100644
--- a/pkg/sensors/load.go
+++ b/pkg/sensors/load.go
@@ -11,6 +11,7 @@ import (
 	"strings"
 
 	"github.com/cilium/ebpf"
+	"github.com/cilium/ebpf/btf"
 	cachedbtf "github.com/cilium/tetragon/pkg/btf"
 	"github.com/cilium/tetragon/pkg/kernels"
 	"github.com/cilium/tetragon/pkg/logger"
@@ -115,6 +116,9 @@ func (s *Sensor) Load(bpfDir string) error {
 	progsAdd(s.Progs)
 	AllMaps = append(AllMaps, s.Maps...)
 
+	// cleanup the BTF once we have loaded all sensor's program
+	btf.FlushKernelSpec()
+
 	l.WithField("sensor", s.Name).Infof("Loaded BPF maps and events for sensor successfully")
 	s.Loaded = true
 	return nil
diff --git a/pkg/sensors/program/loader.go b/pkg/sensors/program/loader.go
index b904f2b1334..dddb77cbcbd 100644
--- a/pkg/sensors/program/loader.go
+++ b/pkg/sensors/program/loader.go
@@ -913,6 +913,11 @@ func doLoadProgram(
 
 	load.Prog = prog
 
+	// in KernelTypes, we use a non-standard BTF which is possibly annotated with symbols
+	// from kernel modules. At this point we don't need that anymore, so we can release
+	// the memory from it.
+	load.KernelTypes = nil
+
 	// Copy the loaded collection before it's destroyed
 	if KeepCollection {
 		return copyLoadedCollection(coll)