Linux' struct address_space & FreeBSD's vm_object

Jean-Sébastien Pédron dumbbell at FreeBSD.org
Sat Oct 29 21:37:21 UTC 2016


Hi!

I'm tracking a memory leak in the drm-next-4.7 branch [1]. I found the
issue, however, I'm unsure of the solution for now. Let me sum up what I
understand (or what I think I understand :):

In Linux, they use a `struct vm_area_struct` to represent a mapping of
an object. It holds the callback functions (open, close and fault) of
the device driver and the private data to be used with those callbacks.

All `struct vm_area_struct` are stored in a tree in another structure
called `struct address_space` which belongs to the owner of the resource
(an inode in the case of DRM). This structure holds references to pages
loaded from the inode, so it acts as a page cache.

So:
  struct inode
  `-- struct address_space
      |-- tree of pages
      `-- tree of struct vm_area_struct

In DRM, there is a `struct vm_area_struct` for each mapping of each
graphics object. But those mappings are all stored in the same `struct
address_space` belonging to an "anonymous inode" attached to the device.
Furthermore, a DRM driver creates three character devices in /dev for
each real device, and all three character devices use this same
anonymous inode.

Therefore, if I understand correctly, all mappings for all three
character devices use the same list of pages. Thus the memory is shared.

In DRM, when a mapping must be released, e.g. i915_gem_release_mmap()
indirectly calls unmap_mapping_range() with the anonymous inode's
`struct address_space`. This function removes all mappings of a given
graphics object, thus removes all `struct vm_area_struct` from `struct
address_space` which are covered by the specified range.

Currently, on FreeBSD, `struct address_space` is replaced by the
vm_object returned by cdev_pager_allocate(). The first issue is that we
never create the equivalent of `struct address_space` for the global
anonymous inode. Therefore the code responsible for removing mappings
does nothing and mappings & pages are leaked. Anyway, the d_mmap_single
implementation doesn't even try to fill the equivalent of `struct
address_space`.

So that's my understanding of the issue. First, I'm not 100% sure of
what I described and second, I don't see how to implement the same
shared page cache in FreeBSD because a device pager vm_object can't be
shared by multiple mappings (or can it?).

Can you confirm my comprehension? Do you have any ideas to implement that?

Thank you very much for your time!

[1] In the development tree for DRM:
https://github.com/FreeBSDDesktop/freebsd-base-graphics

-- 
Jean-Sébastien Pédron
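
A toy userspace model of the bookkeeping this message describes, added here as an illustration; it is not code from Linux, FreeBSD or the DRM tree. The struct layouts and the functions `map_object`, `unmap_range` and `leaked_after_release` are invented for the example, and a linked list stands in for the tree of mappings.

```c
#include <stddef.h>

/* Toy userspace model, not kernel code: names follow the post, layouts are invented. */
struct vma {                      /* stands in for struct vm_area_struct */
    unsigned long start, end;     /* [start, end) within the shared space */
    int live;                     /* 1 while the mapping still exists */
    struct vma *next;
};
struct address_space { struct vma *mappings; };  /* list stands in for the tree */

/* Set up a mapping; it is recorded only when a shared address_space exists
 * (as == NULL models the missing equivalent the post describes on FreeBSD). */
void map_object(struct address_space *as, struct vma *v, unsigned long start, unsigned long len)
{
    v->start = start;
    v->end = start + len;
    v->live = 1;
    v->next = as ? as->mappings : NULL;
    if (as != NULL) as->mappings = v;
}

/* Plays the role unmap_mapping_range() has in the post: tear down every
 * recorded mapping that overlaps [start, start + len). */
void unmap_range(struct address_space *as, unsigned long start, unsigned long len)
{
    struct vma **pp = as ? &as->mappings : NULL;
    while (pp != NULL && *pp != NULL) {
        struct vma *v = *pp;
        if (v->start < start + len && start < v->end) {
            v->live = 0;
            *pp = v->next;        /* unlink from the shared structure */
        } else {
            pp = &v->next;
        }
    }
}

/* Constructed scenario: one object mapped three times plus one unrelated
 * mapping. Returns how many of the object's mappings outlive its release. */
int leaked_after_release(int shared)
{
    struct address_space as = { NULL };
    struct vma m[4];
    for (int i = 0; i < 3; i++)
        map_object(shared ? &as : NULL, &m[i], 0x1000, 0x2000);
    map_object(shared ? &as : NULL, &m[3], 0x8000, 0x1000);
    unmap_range(shared ? &as : NULL, 0x1000, 0x2000);
    return m[0].live + m[1].live + m[2].live;
}
```

With a shared structure the release finds and tears down all three mappings; without one the unmap walks nothing and all three remain, which is the leak pattern described above.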


More information about the freebsd-hackers mailing list