Re: [PATCH 01/23] gpiolib: Correct wrong kfree() usage for `kobj->name`

[Tzung-Bi Shih <tzungbi@kernel.org>]

On Fri, Jan 16, 2026 at 03:38:37PM +0100, Bartosz Golaszewski wrote:
> On Fri, Jan 16, 2026 at 3:14 PM Jason Gunthorpe <jgg@nvidia.com> wrote:
> >
> > On Fri, Jan 16, 2026 at 08:10:14AM +0000, Tzung-Bi Shih wrote:
> > > `kobj->name` should be freed by kfree_const()[1][2].  Correct it.
> > >
> > > [1] https://elixir.bootlin.com/linux/v6.18/source/lib/kasprintf.c#L41
> > > [2] https://elixir.bootlin.com/linux/v6.18/source/lib/kobject.c#L695
> > >
> > > Cc: stable@vger.kernel.org
> > > Fixes: c351bb64cbe6 ("gpiolib: free device name on error path to fix kmemleak")
> > > Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
> > > ---
> > >  drivers/gpio/gpiolib.c | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
> > > index 5eb918da7ea2..ba9323432e3a 100644
> > > --- a/drivers/gpio/gpiolib.c
> > > +++ b/drivers/gpio/gpiolib.c
> > > @@ -1263,7 +1263,7 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data,
> > >  err_free_descs:
> > >       kfree(gdev->descs);
> > >  err_free_dev_name:
> > > -     kfree(dev_name(&gdev->dev));
> > > +     kfree_const(dev_name(&gdev->dev));
> > >  err_free_ida:
> > >       ida_free(&gpio_ida, gdev->id);
> > >  err_free_gdev:
> >         kfree(gdev);
> >
> > I don't think users should be open coding this, put_device() frees the
> > dev_name properly. The issue here is that the code doesn't call
> > device_initialize() before doing dev_set_name() and then tries to
> > fiddle a weird teardown sequence when it eventually does get initialized:
> >
> > err_remove_from_list:
> >         if (gdev->dev.release) {
> >                 /* release() has been registered by gpiochip_setup_dev() */
> >                 gpio_device_put(gdev);
> >                 goto err_print_message;
> >         }
> >
> > If gpiochip_add_data_with_key() is split into two functions, one that
> > does kzalloc(), some initialization and then ends with
> > device_initialize(), then a second function that calls the first and
> > does the rest of the initialization and error unwinds with
> > put_device() it will work a lot better.

That's basically what the aggressive patch 03/23 tries to do without
separating the first half to an indepedent function.

Generally, I think we can try to move device_initialize() earlier in the
function.  On error handling paths, just put_device() for it.  In the
.release() callback, free the resource iff it has initialized.

> In theory yes but you wouldn't be the first one to attempt to improve
> it. This code is very brittle when it comes to GPIO chips that need to
> be initialized very early into the boot process. I'm talking old
> drivers in arch which call this function without even an associated
> parent struct device. When I'm looking at it now, it does seem
> possible to call device_initialize() early but whether that will work
> correctly for all existing users is a bigger question.

FWIW: found a very early stage calling path when I was investigating
`gpiolib_initialized`: start_kernel() -> init_IRQ() -> dove_init_irq() ->
orion_gpio_init() -> gpiochip_add_data() -> gpiochip_add_data_with_key().

Prior to aab5c6f20023 ("gpio: set device type for GPIO chips"),
device_initialize() is also called in gpiochip_add_data_with_key().  It
seems to me it's possible to move it back to gpiochip_add_data_with_key()
as 03/23 does, and move it earlier in the function.