On 8/17/23 08:25, Kim, Dongwon wrote:
...
> Yeah, I know it frees 'struct dma_fence *f' but what about 'struct
> virtio_gpu_fence *fence'? This is a device-specific fence that contains
> struct dma_fence *f. But hold on... so when fence->ops->release is
> called then dma_fence_free won't be called here:
>
> if (fence->ops->release)
>     fence->ops->release(fence);
> else
>     dma_fence_free(fence);
>
> In that case, I think virtio_gpu_fence_release should do
> "dma_fence_free(f)" before freeing virtio_gpu_fence? Am I right?
> Like,
>
> static void virtio_gpu_fence_release(struct dma_fence *f)
> {
>     struct virtio_gpu_fence *fence = to_virtio_gpu_fence(f);
>
>     dma_fence_free(f);
>     kfree(fence);
> }

That is a double free and wrong of course. Both dma_fence *f and
virtio_gpu_fence *fence point at the same kmemory object. See
to_virtio_gpu_fence() and please research how container_of() works.

-- 
Best regards,
Dmitry
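Dmitry's point, as an added userspace C illustration that is not code from the thread, the kernel, or the virtio-gpu driver: the embedded `struct dma_fence` and its `struct virtio_gpu_fence` container share one allocation, so releasing through both pointers frees one object twice. The names mirror the thread, but the struct layouts, the `container_of()` macro and the counting stand-ins for `kfree()` and `dma_fence_free()` are constructed here; `dma_fence_free()` is modelled as releasing the `dma_fence` pointer it is handed (an assumption about the kernel routine's effect, not its implementation). Because a second real `free()` of the same block is undefined behaviour, the stand-ins only record which allocation base each call would release, and the scaffold frees the block once at the end.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace stand-in for the kernel's container_of(): walk back from a
 * pointer to an embedded member to the start of the enclosing struct. */
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Constructed stand-ins for struct dma_fence and struct virtio_gpu_fence.
 * As in the driver, the dma_fence is embedded by value as the first member,
 * so the inner and outer pointers are the same address. */
struct dma_fence {
    unsigned int seqno;
};

struct virtio_gpu_fence {
    struct dma_fence f;    /* embedded, not a pointer: one allocation */
    uint64_t fence_id;     /* hypothetical extra driver field */
};

static struct virtio_gpu_fence *to_virtio_gpu_fence(struct dma_fence *f)
{
    return container_of(f, struct virtio_gpu_fence, f);
}

/* A tiny "free ledger": records which allocation base each free-style call
 * would hand back, instead of really freeing (a double free() is UB). */
#define MAX_FREES 4
static void *freed[MAX_FREES];
static int nfreed;

static void ledger_reset(void) { nfreed = 0; }
static void ledger_free(void *p) { if (nfreed < MAX_FREES) freed[nfreed++] = p; }

/* Stand-ins for the two kernel routines under discussion. Both are modelled
 * as releasing the pointer they receive; since f and the container coincide,
 * both land on the same allocation base. */
static void fake_dma_fence_free(struct dma_fence *f) { ledger_free(f); }
static void fake_kfree(void *p) { ledger_free(p); }

/* The release callback as proposed in the thread: frees the object twice. */
static void release_proposed(struct dma_fence *f)
{
    struct virtio_gpu_fence *fence = to_virtio_gpu_fence(f);
    fake_dma_fence_free(f);
    fake_kfree(fence);
}

/* A release callback that frees the single allocation exactly once. */
static void release_once(struct dma_fence *f)
{
    fake_kfree(to_virtio_gpu_fence(f));
}

/* Allocate one fence, run the given release callback, and return how many
 * times that one allocation was handed to a free routine. */
int frees_of_one_allocation(void (*release)(struct dma_fence *))
{
    struct virtio_gpu_fence *fence = calloc(1, sizeof(*fence));
    int hits = 0;

    if (!fence)
        return -1;

    ledger_reset();
    release(&fence->f);
    for (int i = 0; i < nfreed; i++)
        if (freed[i] == (void *)fence)
            hits++;

    free(fence);   /* the one real free, done here by the scaffold */
    return hits;
}

int proposed_release_free_count(void) { return frees_of_one_allocation(release_proposed); }
int single_release_free_count(void)   { return frees_of_one_allocation(release_once); }

/* True if container_of() recovers the container and the two pointers are,
 * in fact, the same address. */
int container_roundtrip_ok(void)
{
    struct virtio_gpu_fence *fence = calloc(1, sizeof(*fence));
    if (!fence)
        return 0;
    struct dma_fence *f = &fence->f;
    int ok = (to_virtio_gpu_fence(f) == fence) && ((void *)f == (void *)fence);
    free(fence);
    return ok;
}

int main(void)
{
    printf("container_of round-trip: %s\n", container_roundtrip_ok() ? "ok" : "BROKEN");
    printf("frees of one allocation, proposed release: %d\n", proposed_release_free_count());
    printf("frees of one allocation, single release:   %d\n", single_release_free_count());
    return 0;
}
```

The ledger reports two releases of the same base address for the proposed callback and one for the single-free version; in a real kernel the second release is the double free Dmitry describes, which KASAN or slab debugging would flag as a use-after-free/double-free on the fence object.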