From f4a58c098954317a9e9030a80c081174f96c4076 Mon Sep 17 00:00:00 2001
From: Paul White <paul@shasta.cloud>
Date: Wed, 13 Aug 2025 14:39:38 +0200
Subject: [PATCH] qca-ssdk: Move MIB loop cnt variable to handle

The MIB loop cnt variable was defined as a static variable in the function that
implements the loop, however this function can be called for more than one switch
on some platforms.   This results in a race condition that leads to memory
corruption and kernel crashes.

The fix moves the loop cnt variable to the passed in switch handle, this way
there is one per switch chip.   Thix fix was identified by looking at newer
versions of the qca-ssdk software package from QCA.

Signed-off-by: Paul White <paul@shasta.cloud>
---
 .../500-define-mib-loop-cnt-to-gobal.patch    | 61 +++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 feeds/ipq807x_v5.4/qca-ssdk/patches/500-define-mib-loop-cnt-to-gobal.patch

diff --git a/feeds/ipq807x_v5.4/qca-ssdk/patches/500-define-mib-loop-cnt-to-gobal.patch b/feeds/ipq807x_v5.4/qca-ssdk/patches/500-define-mib-loop-cnt-to-gobal.patch
new file mode 100644
index 000000000..e0a2bd9c4
--- /dev/null
+++ b/feeds/ipq807x_v5.4/qca-ssdk/patches/500-define-mib-loop-cnt-to-gobal.patch
@@ -0,0 +1,61 @@
+--- a/include/init/ssdk_plat.h
++++ b/include/init/ssdk_plat.h
+@@ -330,6 +330,7 @@ struct qca_phy_priv {
+ 	struct mii_bus *miibus;
+ /*qca808x_end*/
+ 	u64 *mib_counters;
++	a_uint32_t mib_loop_cnt;
+ 	/* dump buf */
+ 	a_uint8_t  buf[2048];
+ 	a_uint32_t link_polling_required;
+--- a/src/ref/ref_mib.c
++++ b/src/ref/ref_mib.c
+@@ -479,39 +479,37 @@ qca_ar8327_sw_get_port_mib(struct switch
+ #endif
+
+ int
+-_qca_ar8327_sw_capture_port_tx_counter(struct qca_phy_priv *priv, int port)
++_qca_ar8327_sw_capture_port_tx_counter(a_uint32_t dev_id, int port)
+ {
+     fal_mib_info_t  mib_Info;
+
+     memset(&mib_Info, 0, sizeof(fal_mib_info_t));
+-    fal_get_tx_mib_info(priv->device_id, port, &mib_Info);
++    fal_get_tx_mib_info(dev_id, port, &mib_Info);
+
+     return 0;
+ }
+
+ int
+-_qca_ar8327_sw_capture_port_rx_counter(struct qca_phy_priv *priv, int port)
++_qca_ar8327_sw_capture_port_rx_counter(a_uint32_t dev_id, int port)
+ {
+     fal_mib_info_t  mib_Info;
+
+     memset(&mib_Info, 0, sizeof(fal_mib_info_t));
+-    fal_get_rx_mib_info(priv->device_id, port, &mib_Info);
++    fal_get_rx_mib_info(dev_id, port, &mib_Info);
+     return 0;
+ }
+
+ void
+ qca_ar8327_sw_mib_task(struct qca_phy_priv *priv)
+ {
+-	static int loop = 0;
+-
+ 	mutex_lock(&priv->reg_mutex);
+-	if ((loop % 2) == 0)
+-		_qca_ar8327_sw_capture_port_rx_counter(priv, loop/2);
++	if ((priv->mib_loop_cnt % 2) == 0)
++		_qca_ar8327_sw_capture_port_rx_counter(priv->device_id, priv->mib_loop_cnt/2);
+ 	else
+-		_qca_ar8327_sw_capture_port_tx_counter(priv, loop/2);
++		_qca_ar8327_sw_capture_port_tx_counter(priv->device_id, priv->mib_loop_cnt/2);
+
+-	if(++loop == (2 * (priv->ports))) {
+-		loop = 0;
++	if(++priv->mib_loop_cnt == (2 * (priv->ports))) {
++		priv->mib_loop_cnt = 0;
+ 	}
+
+ 	mutex_unlock(&priv->reg_mutex);