macsmc: Fix race between backend and core on notifications

The core enables notifications (NTAP) before returning from the probe
function, before the backend has a chance to set smc->core. This leads
to a race if a notification arrives early.

We already rely on the core setting the drvdata to itself, so move that
ahead of NTAP=1 and drop smc->core entirely. That way it's safe for the
backend notification callback to fire before the core probe function
returns.

Signed-off-by: Hector Martin <[email protected]>

Author: marcan

drivers/platform/apple/smc.h

@@ -19,8 +19,7 @@ struct apple_smc_backend_ops {
 	int (*get_key_info)(void *cookie, smc_key key, struct apple_smc_key_info *info);
 };
 
-struct apple_smc *apple_smc_probe(struct device *dev, const struct apple_smc_backend_ops *ops,
-				  void *cookie);
+int apple_smc_probe(struct device *dev, const struct apple_smc_backend_ops *ops, void *cookie);
 void *apple_smc_get_cookie(struct apple_smc *smc);
 int apple_smc_remove(struct apple_smc *smc);
 void apple_smc_event_received(struct apple_smc *smc, uint32_t event);

drivers/platform/apple/smc_core.c

@@ -236,15 +236,15 @@ void *apple_smc_get_cookie(struct apple_smc *smc)
 }
 EXPORT_SYMBOL(apple_smc_get_cookie);
 
-struct apple_smc *apple_smc_probe(struct device *dev, const struct apple_smc_backend_ops *ops, void *cookie)
+int apple_smc_probe(struct device *dev, const struct apple_smc_backend_ops *ops, void *cookie)
 {
 	struct apple_smc *smc;
 	u32 count;
 	int ret;
 
 	smc = devm_kzalloc(dev, sizeof(*smc), GFP_KERNEL);
 	if (!smc)
-		return ERR_PTR(-ENOMEM);
+		return -ENOMEM;
 
 	smc->dev = dev;
 	smc->be_cookie = cookie;
@@ -254,30 +254,30 @@ struct apple_smc *apple_smc_probe(struct device *dev, const struct apple_smc_bac
 
 	ret = apple_smc_read_u32(smc, SMC_KEY(#KEY), &count);
 	if (ret)
-		return ERR_PTR(dev_err_probe(dev, ret, "Failed to get key count"));
+		return dev_err_probe(dev, ret, "Failed to get key count");
 	smc->key_count = be32_to_cpu(count);
 
 	ret = apple_smc_get_key_by_index(smc, 0, &smc->first_key);
 	if (ret)
-		return ERR_PTR(dev_err_probe(dev, ret, "Failed to get first key"));
+		return dev_err_probe(dev, ret, "Failed to get first key");
 
 	ret = apple_smc_get_key_by_index(smc, smc->key_count - 1, &smc->last_key);
 	if (ret)
-		return ERR_PTR(dev_err_probe(dev, ret, "Failed to get last key"));
+		return dev_err_probe(dev, ret, "Failed to get last key");
+
+	dev_set_drvdata(dev, smc);
 
 	/* Enable notifications */
 	apple_smc_write_flag(smc, SMC_KEY(NTAP), 1);
 
 	dev_info(dev, "Initialized (%d keys %p4ch..%p4ch)\n",
 		 smc->key_count, &smc->first_key, &smc->last_key);
 
-	dev_set_drvdata(dev, smc);
-
 	ret = mfd_add_devices(dev, -1, apple_smc_devs, ARRAY_SIZE(apple_smc_devs), NULL, 0, NULL);
 	if (ret)
-		return ERR_PTR(dev_err_probe(dev, ret, "Subdevice initialization failed"));
+		return dev_err_probe(dev, ret, "Subdevice initialization failed");
 
-	return smc;
+	return 0;
 }
 EXPORT_SYMBOL(apple_smc_probe);
 

drivers/platform/apple/smc_rtkit.c

@@ -40,7 +40,6 @@
 
 struct apple_smc_rtkit {
 	struct device *dev;
-	struct apple_smc *core;
 	struct apple_rtkit *rtk;
 
 	struct completion init_done;
@@ -321,6 +320,7 @@ static bool apple_smc_rtkit_recv_early(void *cookie, u8 endpoint, u64 message)
 static void apple_smc_rtkit_recv(void *cookie, u8 endpoint, u64 message)
 {
 	struct apple_smc_rtkit *smc = cookie;
+	struct apple_smc *core = dev_get_drvdata(smc->dev);
 
 	if (endpoint != SMC_ENDPOINT) {
 		dev_err(smc->dev, "Received message for unknown endpoint 0x%x\n", endpoint);
@@ -332,7 +332,7 @@ static void apple_smc_rtkit_recv(void *cookie, u8 endpoint, u64 message)
 		return;
 	}
 
-	apple_smc_event_received(smc->core, FIELD_GET(SMC_DATA, message));
+	apple_smc_event_received(core, FIELD_GET(SMC_DATA, message));
 }
 
 static const struct apple_rtkit_ops apple_smc_rtkit_ops = {
@@ -403,11 +403,9 @@ static int apple_smc_rtkit_probe(struct platform_device *pdev)
 		goto cleanup;
 	}
 
-	smc->core = apple_smc_probe(dev, &apple_smc_rtkit_be_ops, smc);
-	if (IS_ERR(smc->core)) {
-		ret = PTR_ERR(smc->core);
+	ret = apple_smc_probe(dev, &apple_smc_rtkit_be_ops, smc);
+	if (ret)
 		goto cleanup;
-	}
 
 	return 0;