From: Balakrishnan Sambath <balakrishnan.s@microchip.com>
To: <linux-media@vger.kernel.org>
Cc: <eugen.hristev@linaro.org>, <mchehab@kernel.org>,
<hverkuil@kernel.org>, <nicolas.ferre@microchip.com>,
<linux-kernel@vger.kernel.org>, <stable@vger.kernel.org>
Subject: [PATCH v2 03/15] media: microchip-isc: fix race condition on stream stop
Date: Tue, 12 May 2026 21:13:27 +0530 [thread overview]
Message-ID: <20260512154339.210444-4-balakrishnan.s@microchip.com> (raw)
In-Reply-To: <20260512154339.210444-1-balakrishnan.s@microchip.com>
Disable histogram and drain AWB work queue before releasing DMA
buffers to prevent use-after-free if histogram IRQ fires during
stream stop.
Fixes: 91b4e487b0c6 ("media: microchip: add ISC driver as Microchip ISC")
Cc: stable@vger.kernel.org
Signed-off-by: Balakrishnan Sambath <balakrishnan.s@microchip.com>
---
.../platform/microchip/microchip-isc-base.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/drivers/media/platform/microchip/microchip-isc-base.c b/drivers/media/platform/microchip/microchip-isc-base.c
index 45b94f1e89d8..b19c5a63b4bd 100644
--- a/drivers/media/platform/microchip/microchip-isc-base.c
+++ b/drivers/media/platform/microchip/microchip-isc-base.c
@@ -427,6 +427,14 @@ static void isc_stop_streaming(struct vb2_queue *vq)
mutex_unlock(&isc->awb_mutex);
+ /*
+ * Disable the histogram so the ISR stops firing HISREQ, then drain
+ * any work that was already queued before returning. This must happen
+ * after releasing awb_mutex because isc_awb_work also takes it.
+ */
+ isc_set_histogram(isc, false);
+ cancel_work_sync(&isc->awb_work);
+
/* Disable DMA interrupt */
regmap_write(isc->regmap, ISC_INTDIS, ISC_INT_DDONE);
@@ -1519,10 +1527,17 @@ static int isc_s_awb_ctrl(struct v4l2_ctrl *ctrl)
}
mutex_unlock(&isc->awb_mutex);
- /* if we have autowhitebalance on, start histogram procedure */
+ /*
+ * If AWB auto mode is requested and we are streaming RAW,
+ * start the histogram procedure, but only if it is not
+ * already running. Repeated enable requests would reset
+ * hist_id, preventing the 4-channel Bayer cycle from
+ * completing.
+ */
if (ctrls->awb == ISC_WB_AUTO &&
vb2_is_streaming(&isc->vb2_vidq) &&
- ISC_IS_FORMAT_RAW(isc->config.sd_format->mbus_code))
+ ISC_IS_FORMAT_RAW(isc->config.sd_format->mbus_code) &&
+ ctrls->hist_stat != HIST_ENABLED)
isc_set_histogram(isc, true);
/*
--
2.34.1
next prev parent reply other threads:[~2026-05-12 15:43 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20251009155251.102472-1-balamanikandan.gunasundar@microchip.com>
[not found] ` <20260512154339.210444-1-balakrishnan.s@microchip.com>
2026-05-12 15:43 ` [PATCH v2 01/15] media: microchip-isc: fix SBGGR10 Bayer pattern Balakrishnan Sambath
2026-05-12 15:43 ` [PATCH v2 02/15] media: microchip-isc: mask WB offset and gain register fields Balakrishnan Sambath
2026-05-12 15:43 ` Balakrishnan Sambath [this message]
2026-05-12 15:43 ` [PATCH v2 04/15] media: microchip-isc: fix PM runtime leak in AWB work handler Balakrishnan Sambath
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260512154339.210444-4-balakrishnan.s@microchip.com \
--to=balakrishnan.s@microchip.com \
--cc=eugen.hristev@linaro.org \
--cc=hverkuil@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=mchehab@kernel.org \
--cc=nicolas.ferre@microchip.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox