[PATCH 4.5 196/238] mmc: sdhci: plug DMA mapping leak on error

[Greg Kroah-Hartman]

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Russell King <rmk+kernel@xxxxxxxxxxxxxxxx>

commit 054cedff5e025a54ceefff891c6ea42ee8b37eab upstream.

If we terminate a command early, we fail to properly clean up the DMA
mappings for the data part of the request.  Put this clean up to the
tasklet, which is the common path for finishing a request so we always
clean up after ourselves.

Signed-off-by: Russell King <rmk+kernel@xxxxxxxxxxxxxxxx>
[ Split original patch so that it now contains only the fix ]
Signed-off-by: Adrian Hunter <adrian.hunter@xxxxxxxxx>
Tested-by: Gregory CLEMENT <gregory.clement@xxxxxxxxxxxxxxxxxx>
Signed-off-by: Ulf Hansson <ulf.hansson@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
 drivers/mmc/host/sdhci.c |   16 ++++++++++++++++
 1 file changed, 16 insertions(+)

--- a/drivers/mmc/host/sdhci.c
+++ b/drivers/mmc/host/sdhci.c
@@ -2207,6 +2207,22 @@ static void sdhci_tasklet_finish(unsigne
 	mrq = host->mrq;
 
 	/*
+	 * Always unmap the data buffers if they were mapped by
+	 * sdhci_prepare_data() whenever we finish with a request.
+	 * This avoids leaking DMA mappings on error.
+	 */
+	if (host->flags & SDHCI_REQ_USE_DMA) {
+		struct mmc_data *data = mrq->data;
+
+		if (data && data->host_cookie == COOKIE_MAPPED) {
+			dma_unmap_sg(mmc_dev(host->mmc), data->sg, data->sg_len,
+				     (data->flags & MMC_DATA_READ) ?
+				     DMA_FROM_DEVICE : DMA_TO_DEVICE);
+			data->host_cookie = COOKIE_UNMAPPED;
+		}
+	}
+
+	/*
 	 * The controller needs a reset of internal state machines
 	 * upon error conditions.
 	 */