From: sashiko-bot@kernel.org
To: "Balakrishnan Sambath" <balakrishnan.s@microchip.com>
Cc: linux-media@vger.kernel.org
Subject: Re: [PATCH v6 03/12] media: microchip-isc: fix race condition on stream stop
Date: Wed, 03 Jun 2026 07:22:54 +0000 [thread overview]
Message-ID: <20260603072255.136481F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260603-microchip-isc-fixes-v6-3-8c3d7474a768@microchip.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
Pre-existing issues:
- [High] Use-after-destroy in `isc_async_unbind()` due to incorrect teardown ordering.
- [High] Missing histogram disable and workqueue cancellation in the `isc_start_streaming` error path leads to a kernel panic.
- [High] Missing IRQ synchronization in `isc_stop_streaming()` leads to a synchronous external abort.
--
commit 9cf229b57997c74f4db26f1539c0b73c428dd501
Author: Balakrishnan Sambath <balakrishnan.s@microchip.com>
media: microchip-isc: fix race condition on stream stop
Disable histogram and drain AWB work queue before releasing DMA
buffers to prevent use-after-free if histogram IRQ fires during
stream stop.
Cc: stable@vger.kernel.org
> diff --git a/drivers/media/platform/microchip/microchip-isc-base.c b/drivers/media/platform/microchip/microchip-isc-base.c
> index 45b94f1e89d86..b19c5a63b4bdc 100644
> --- a/drivers/media/platform/microchip/microchip-isc-base.c
> +++ b/drivers/media/platform/microchip/microchip-isc-base.c
> @@ -427,6 +427,14 @@ static void isc_stop_streaming(struct vb2_queue *vq)
>
> mutex_unlock(&isc->awb_mutex);
>
> + /*
> + * Disable the histogram so the ISR stops firing HISREQ, then drain
> + * any work that was already queued before returning. This must happen
> + * after releasing awb_mutex because isc_awb_work also takes it.
> + */
> + isc_set_histogram(isc, false);
> + cancel_work_sync(&isc->awb_work);
> +
> /* Disable DMA interrupt */
> regmap_write(isc->regmap, ISC_INTDIS, ISC_INT_DDONE);
>
> pm_runtime_put_sync(isc->dev);
[Severity: High]
This isn't a bug introduced by this patch, but I noticed that device power is
synchronously disabled here without waiting for in-flight IRQs to finish
executing.
Because the interrupt is registered via devm_request_irq() without a call to
synchronize_irq() here, microchip_isc_interrupt() may already be executing on
another CPU when the clocks are disabled.
The ISR performs a regmap_read() on ISC_INTSR, which will crash the system
with a bus fault/external abort when attempting to read the unclocked
memory-mapped registers. Could we add a call to synchronize_irq() before
shutting down power?
[ ... ]
While reviewing this file, I noticed a couple of other pre-existing issues:
drivers/media/platform/microchip/microchip-isc-base.c:isc_start_streaming() {
...
ret = isc_configure(isc);
if (unlikely(ret))
goto err_configure;
...
err_configure:
pm_runtime_put_sync(isc->dev);
...
}
[Severity: High]
This is a pre-existing issue, but the error path fails to call
isc_set_histogram(isc, false) and cancel_work_sync(), leaving the hardware
enabled and the workqueue vulnerable to accessing unpowered registers.
If isc_configure() succeeds (enabling the histogram hardware and its
ISC_INT_HISDONE interrupt) but a subsequent step times out, the error path
calls pm_runtime_put_sync() to power down the device clocks. It fails to
disable the histogram interrupt or cancel isc->awb_work.
The hardware can trigger the interrupt before or during shutdown, scheduling
the work. When isc_awb_work() runs, it bypasses the enabled check and calls
isc_hist_count(), which performs a regmap_bulk_read() on unpowered registers.
This causes a synchronous external abort (bus fault) and crashes the system.
Should this error path be updated to clean up the histogram state and
workqueue?
drivers/media/platform/microchip/microchip-isc-base.c:isc_async_unbind() {
...
mutex_destroy(&isc->awb_mutex);
cancel_work_sync(&isc->awb_work);
...
}
[Severity: High]
This is a pre-existing issue, but the mutex is incorrectly destroyed before
the asynchronous work using it is definitively flushed and cancelled.
The isc_awb_work handler fundamentally relies on isc->awb_mutex to serialize
its execution. If the work is running or scheduled when unbind is triggered,
the worker thread will attempt to lock a destroyed/poisoned mutex. Would it be
safer to call cancel_work_sync() before mutex_destroy()?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260603-microchip-isc-fixes-v6-0-8c3d7474a768@microchip.com?part=3
next prev parent reply other threads:[~2026-06-03 7:22 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-03 6:58 [PATCH v6 00/12] media: microchip-isc: fixes and enhancements Balakrishnan Sambath
2026-06-03 6:58 ` [PATCH v6 01/12] media: microchip-isc: fix SBGGR10 Bayer pattern Balakrishnan Sambath
2026-06-03 6:58 ` [PATCH v6 02/12] media: microchip-isc: fix WB offset and gain register field masking Balakrishnan Sambath
2026-06-03 7:14 ` sashiko-bot
2026-06-03 6:58 ` [PATCH v6 03/12] media: microchip-isc: fix race condition on stream stop Balakrishnan Sambath
2026-06-03 7:22 ` sashiko-bot [this message]
2026-06-03 6:58 ` [PATCH v6 04/12] media: microchip-isc: fix PM runtime leak in AWB work handler Balakrishnan Sambath
2026-06-03 7:17 ` sashiko-bot
2026-06-03 6:58 ` [PATCH v6 05/12] media: microchip-isc: add driver documentation Balakrishnan Sambath
2026-06-03 7:09 ` sashiko-bot
2026-06-03 6:58 ` [PATCH v6 06/12] media: microchip-isc: set SAM9X7 maximum resolution to 2560x1920 Balakrishnan Sambath
2026-06-03 7:11 ` sashiko-bot
2026-06-03 6:58 ` [PATCH v6 07/12] media: microchip-isc: configure DPC and pipeline for SAMA7G5 Balakrishnan Sambath
2026-06-03 7:11 ` sashiko-bot
2026-06-03 6:58 ` [PATCH v6 08/12] media: microchip-isc: add gamma 1.8 and 2.4 correction curves Balakrishnan Sambath
2026-06-03 6:58 ` [PATCH v6 09/12] media: microchip-isc: add SAMA7G5 hue and saturation controls Balakrishnan Sambath
2026-06-03 7:21 ` sashiko-bot
2026-06-03 6:58 ` [PATCH v6 10/12] media: microchip-isc: use weighted averages for Grey World AWB Balakrishnan Sambath
2026-06-03 7:14 ` sashiko-bot
2026-06-03 6:58 ` [PATCH v6 11/12] media: microchip-isc: smooth AWB gains with EMA filter Balakrishnan Sambath
2026-06-03 7:18 ` sashiko-bot
2026-06-03 6:58 ` [PATCH v6 12/12] media: microchip-isc: scale DPC black level to sensor bit depth Balakrishnan Sambath
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260603072255.136481F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=balakrishnan.s@microchip.com \
--cc=linux-media@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.