patches/driver/bes2600/*-danctnix: reconstruct from cleanups (closes #29)

Replaces the 13 broken DKMS-path -danctnix mirrors from PR #17 + adds
9 new series-dirs for the c-stack patches that were never split
(Patches A/B/C-v3/F/D/E/C2/G/H) + retires the cumulative-c5x-danctnix
single-file interim from fleet/ohm.yaml.

Mechanism:
  cd marfrit/bes2600-dkms-mobian
  git format-patch fe73571..cleanups --no-merges -o /tmp/cleanups/
  git format-patch cleanups..bes2600/bh-c-fossil-cleanup --no-merges -o /tmp/h/
  for each commit: route to series-dir, sed-rewrite
                   a/bes2600/foo.c -> a/drivers/staging/bes2600/foo.c

The 29 cleanups commits + 1 Patch H commit map to 25 series-dirs (a
few series-dirs get multiple commits: lmac-recover gets c5.2 + c5.2.1
as 0001+0002; cw1200-fix-backports gets F3+F2+F1 as 0001-0003;
factory-series gets request_firmware + STANDARD_FACTORY_EFUSE_FLAG
as 0001+0002).

fleet/ohm.yaml apply order matches cleanups commit chronology, which
is what produced the working c5x interim. cumulative.patch from
ka-promote ohm now has 32 resolved patches (29 cleanups + 1 Patch H
+ scan-filter-5ghz + xor-neon SCS + besser#18-fix), 276 079 bytes,
b2sum 7418db5ddf8fe938b130bc9d0e9f7dc9060f3a13703cd50757835ac43140a13...

Apply order in cleanups + bh-c-fossil-cleanup:
  1   factory-series                       (c1 + factory-no-efuse-flag)
  3   factory-thread-dev
  4   pm-gate-on-handshake
  5   remove-chardev-user-interface
  6   enable-testmode
  7   tx-sdio-dma-oob-danctnix             (was 'staging-prep-series')
  8   factory-drop-kernel-write-danctnix
  9   drop-dpd-file-paths-danctnix
  10  drop-orphan-file-io-danctnix
  11  pm-timeout-silence-danctnix
  12  scan-defer-on-reject-danctnix        (c5.1)
  13  scan-defer-backoff-tune-danctnix     (c5.1.1)
  14  lmac-recover-via-mmc-hw-reset-danctnix  (c5.2 + c5.2.1)
  16  pm-state-resync-danctnix             (c6.1)
  17  pm-wake-consume-state-danctnix       (c6.2)
  18  pm-detect-firmware-unsupported-danctnix (c7)
  19  decrypt-storm-fast-recover-danctnix  (Patch A)
  20  connection-loss-fast-recover-danctnix (Patch B)
  21  cw1200-fix-backports-danctnix        (Patches F3 + F2 + F1)
  24  sdio-rx-no-relay-danctnix            (Patch C v3)
  25  license-spdx-restore-attribution-danctnix (Patch G)
  26  ba-lock-atomic-danctnix              (Patch D)
  27  ps-state-lock-skip-pm-disabled-danctnix (Patch E)
  28  rx-list-batch-delivery-danctnix      (Patch C2)
  29  bh-c-fossil-cleanup-danctnix         (Patch H)
  30  scan-filter-5ghz-danctnix            (besser#1)
  31  arch/arm64/xor-neon-...              (GCC 15 SCS)
  32  queue-pending-record-lock-bh-danctnix (besser#18)

Verification: pkgrel=6 build from this manifest in progress; if
srcversion == 26B0003FE9F2B05DCE838C4 (pkgrel=5's), source-tree is
byte-equivalent to the c5x interim + scan-filter + besser#18 stack
that's currently running on ohm.

Refs: #17 (the broken mirror), #28 (the interim PR that landed
cumulative-c5x), #31 (ka-promote trailer normalisation followup).

patches/driver/bes2600/cw1200-fix-backports-danctnix/0001-bes2600-replace-atomic_add-with-atomic_inc-cw1200-backport.patch

@@ -0,0 +1,92 @@
+From 4bc0a34c94094d9e896c5a2f45b54d8be6c0fca7 Mon Sep 17 00:00:00 2001
+From: Markus Fritsche <fritsche.markus@gmail.com>
+Date: Thu, 7 May 2026 21:19:49 +0200
+Subject: [PATCH 22/29] bes2600: replace a set of atomic_add()
+
+Backport of cw1200 mainline commit 07f995ca1951 ("cw1200: replace a set
+of atomic_add()", 2020-11-10).  atomic_inc() reads more naturally than
+atomic_add(1, &x).  Mechanical change, no functional impact.
+
+7 sites: 6 in bh.c (bh_term, bh_rx x2, bh_tx x3) and 1 in itp.c
+(awaiting_confirm).  Two of the bh_rx and three of the bh_tx sites are
+inside the cw1200-ancestor #if 0 block; replaced anyway to keep the
+file consistent with cw1200 mainline source style.
+
+Cherry-picked from upstream Linux:
+  07f995ca1951 cw1200: replace a set of atomic_add()
+  Author: Yejune Deng <yejune.deng@gmail.com>
+  Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+  Link: https://lore.kernel.org/r/1604991491-27908-1-git-send-email-yejune.deng@gmail.com
+---
+ bes2600/bh.c  | 12 ++++++------
+ bes2600/itp.c |  2 +-
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/staging/bes2600/bh.c b/drivers/staging/bes2600/bh.c
+index 6385312..1d2773c 100644
+--- a/drivers/staging/bes2600/bh.c
++++ b/drivers/staging/bes2600/bh.c
+@@ -101,7 +101,7 @@ void bes2600_unregister_bh(struct bes2600_common *hw_priv)
+ 	coex_deinit_mode(hw_priv);
+ #endif
+ 
+-	atomic_add(1, &hw_priv->bh_term);
++	atomic_inc(&hw_priv->bh_term);
+ 	wake_up(&hw_priv->bh_wq);
+ 
+ 	flush_workqueue(hw_priv->bh_workqueue);
+@@ -590,7 +590,7 @@ static int bes2600_bh(void *arg)
+ 			bes_devel("[BH] Device resume.\n");
+ 			atomic_set(&hw_priv->bh_suspend, BES2600_BH_RESUMED);
+ 			wake_up(&hw_priv->bh_evt_wq);
+-			atomic_add(1, &hw_priv->bh_rx);
++			atomic_inc(&hw_priv->bh_rx);
+ 			continue;
+ 		}
+ 
+@@ -758,9 +758,9 @@ tx:
+ 
+ #if 0 /* count is not implemented */
+ 				if (ret > 1)
+-					atomic_add(1, &hw_priv->bh_tx);
++					atomic_inc(&hw_priv->bh_tx);
+ #else
+-				atomic_add(1, &hw_priv->bh_tx);
++				atomic_inc(&hw_priv->bh_tx);
+ #endif
+ 
+ #if defined(CONFIG_BES2600_NON_POWER_OF_TWO_BLOCKSIZES)
+@@ -1134,7 +1134,7 @@ static int bes2600_bh_tx_helper(struct bes2600_common *hw_priv,
+ 	tx_len += 4;
+ #endif
+ 
+-	atomic_add(1, &hw_priv->bh_tx);
++	atomic_inc(&hw_priv->bh_tx);
+ 
+ 	tx_len = hw_priv->sbus_ops->align_size(
+ 		hw_priv->sbus_priv, tx_len);
+@@ -1435,7 +1435,7 @@ static int bes2600_bh(void *arg)
+ 			bes_devel("[BH] Device resume.\n");
+ 			atomic_set(&hw_priv->bh_suspend, BES2600_BH_RESUMED);
+ 			wake_up(&hw_priv->bh_evt_wq);
+-			atomic_add(1, &hw_priv->bh_rx);
++			atomic_inc(&hw_priv->bh_rx);
+ 			goto done;
+ 		}
+ 
+diff --git a/drivers/staging/bes2600/itp.c b/drivers/staging/bes2600/itp.c
+index e5c2958..c50b29c 100644
+--- a/drivers/staging/bes2600/itp.c
++++ b/drivers/staging/bes2600/itp.c
+@@ -570,7 +570,7 @@ int bes2600_itp_get_tx(struct bes2600_common *priv, u8 **data,
+ 	*burst = 2;
+ 	atomic_set(&priv->bh_tx, 1);
+ 	ktime_get_ts(&itp->last_sent);
+-	atomic_add(1, &itp->awaiting_confirm);
++	atomic_inc(&itp->awaiting_confirm);
+ 	spin_unlock_bh(&itp->tx_lock);
+ 	return 1;
+ 
+-- 
+2.54.0
+

patches/driver/bes2600/cw1200-fix-backports-danctnix/0002-bes2600-fix-missing-destroy_workqueue-on-error-in-init_common.patch

@@ -0,0 +1,58 @@
+From 65a4c39914f07bcb0fc01ea78b974e6901d3377d Mon Sep 17 00:00:00 2001
+From: Markus Fritsche <fritsche.markus@gmail.com>
+Date: Thu, 7 May 2026 21:20:46 +0200
+Subject: [PATCH 23/29] bes2600: fix missing destroy_workqueue() on error in
+ init_common
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Two error paths between create_singlethread_workqueue() (~main.c:489)
+and the success-path destroy_workqueue() in unregister_common (~609)
+return without cleaning up the workqueue, leaking it on probe failure:
+
+  1. bes2600_queue_stats_init() failure
+  2. bes2600_queue_init() failure (any of the 4 TID queues)
+
+Both call ieee80211_free_hw(hw); return NULL — without first
+destroy_workqueue(hw_priv->workqueue).  Add it.
+
+Backport of cw1200 mainline commit 7ec8a926188e ("cw1200: fix missing
+destroy_workqueue() on error in cw1200_init_common", 2020-11-19),
+which fixed the identical bug in the same code shape we inherited.
+Reported on cw1200 by Hulk Robot.
+
+Cherry-picked from upstream Linux:
+  7ec8a926188e cw1200: fix missing destroy_workqueue() on error
+  Author: Qinglang Miao <miaoqinglang@huawei.com>
+  Reported-by: Hulk Robot <hulkci@huawei.com>
+  Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+  Link: https://lore.kernel.org/r/20201119070842.1011-1-miaoqinglang@huawei.com
+  Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets")
+---
+ bes2600/main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/staging/bes2600/main.c b/drivers/staging/bes2600/main.c
+index d6da84a..90a8ff8 100644
+--- a/drivers/staging/bes2600/main.c
++++ b/drivers/staging/bes2600/main.c
+@@ -497,6 +497,7 @@ static struct ieee80211_hw *bes2600_init_common(size_t hw_priv_data_len)
+ 			WLAN_LINK_ID_MAX,
+ 			bes2600_skb_dtor,
+ 			hw_priv))) {
++		destroy_workqueue(hw_priv->workqueue);
+ 		ieee80211_free_hw(hw);
+ 		return NULL;
+ 	}
+@@ -508,6 +509,7 @@ static struct ieee80211_hw *bes2600_init_common(size_t hw_priv_data_len)
+ 			for (; i > 0; i--)
+ 				bes2600_queue_deinit(&hw_priv->tx_queue[i - 1]);
+ 			bes2600_queue_stats_deinit(&hw_priv->tx_queue_stats);
++			destroy_workqueue(hw_priv->workqueue);
+ 			ieee80211_free_hw(hw);
+ 			return NULL;
+ 		}
+-- 
+2.54.0
+

patches/driver/bes2600/cw1200-fix-backports-danctnix/0003-bes2600-fix-concurrency-UAF-in-bes2600_hw_scan-and-sched_scan.patch

@@ -0,0 +1,144 @@
+From b717251598c95bb7ce7822ffa103216598f19b67 Mon Sep 17 00:00:00 2001
+From: Markus Fritsche <fritsche.markus@gmail.com>
+Date: Thu, 7 May 2026 21:24:01 +0200
+Subject: [PATCH 24/29] bes2600: fix concurrency UAF in bes2600_hw_scan and
+ sched_scan
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+bes2600_bss_info_changed() and bes2600_hw_scan() can run concurrently.
+The probe-request SKB allocated by ieee80211_probereq_get() before
+scan.lock + conf_lock are taken can be touched by a concurrent
+bss_info_changed (via wsm_set_template_frame's path) while we hold no
+lock.  Reorder to acquire both locks BEFORE the SKB allocation.
+
+Also reorder cleanup paths so dev_kfree_skb() runs BEFORE up() —
+otherwise a small window exists where the SKB has been touched but the
+lock has been released, allowing concurrent code to also touch it.
+
+Three sites fixed:
+  - bes2600_hw_scan: lock-take + ENOMEM cleanup + wsm_set_template_frame
+    error cleanup + success-path SKB free + lock release order
+  - bes2600_sched_scan_start (#ifdef ROAM_OFFLOAD): same three sub-fixes
+    (compiled-out at default build, fixed for consistency)
+  - All success/error paths: dev_kfree_skb before up()
+
+Backport of cw1200 mainline commit 86760e0dfe36 ("cw1200: Fix
+concurrency use-after-free bugs in cw1200_hw_scan()", 2018-12-14),
+which fixed the identical bug in the same code shape we inherited.
+That commit was merged from upstream 4f68ef64cd7f.
+
+Cherry-picked from upstream Linux:
+  86760e0dfe36 cw1200: Fix concurrency use-after-free bugs in cw1200_hw_scan()
+  Author: Jia-Ju Bai <baijiaju1990@gmail.com>
+  Link: https://lore.kernel.org/r/20181214035521.7575-1-baijiaju1990@gmail.com
+---
+ bes2600/scan.c | 37 ++++++++++++++++++++++---------------
+ 1 file changed, 22 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/staging/bes2600/scan.c b/drivers/staging/bes2600/scan.c
+index ad5033b..16b5d0f 100644
+--- a/drivers/staging/bes2600/scan.c
++++ b/drivers/staging/bes2600/scan.c
+@@ -257,18 +257,21 @@ int bes2600_hw_scan(struct ieee80211_hw *hw,
+ 
+ 	bes2600_pwr_set_busy_event(hw_priv, BES_PWR_LOCK_ON_SCAN);
+ 
++	/* will be unlocked in bes2600_scan_work() */
++	down(&hw_priv->scan.lock);
++	down(&hw_priv->conf_lock);
++
+ 	frame.skb = ieee80211_probereq_get(hw, priv->vif->addr, NULL, 0,
+ 		req->ie_len);
+-	if (!frame.skb)
++	if (!frame.skb) {
++		up(&hw_priv->conf_lock);
++		up(&hw_priv->scan.lock);
+ 		return -ENOMEM;
++	}
+ 
+ 	if (req->ie_len)
+ 		skb_put_data(frame.skb, req->ie, req->ie_len);
+ 
+-	/* will be unlocked in bes2600_scan_work() */
+-	down(&hw_priv->scan.lock);
+-	down(&hw_priv->conf_lock);
+-
+ 	if (frame.skb) {
+ 		int ret;
+ 		//if (priv->if_id == 0)
+@@ -286,9 +289,9 @@ int bes2600_hw_scan(struct ieee80211_hw *hw,
+ 		}
+ #endif
+ 		if (ret) {
++			dev_kfree_skb(frame.skb);
+ 			up(&hw_priv->conf_lock);
+ 			up(&hw_priv->scan.lock);
+-			dev_kfree_skb(frame.skb);
+ 			return ret;
+ 		}
+ 	}
+@@ -318,10 +321,10 @@ int bes2600_hw_scan(struct ieee80211_hw *hw,
+ 		++hw_priv->scan.n_ssids;
+ 	}
+ 
+-	up(&hw_priv->conf_lock);
+-
+ 	if (frame.skb)
+ 		dev_kfree_skb(frame.skb);
++
++	up(&hw_priv->conf_lock);
+ #ifdef WIFI_BT_COEXIST_EPTA_ENABLE
+ 	bwifi_change_current_status(hw_priv, BWIFI_STATUS_SCANNING);
+ #endif
+@@ -362,14 +365,18 @@ int bes2600_hw_sched_scan_start(struct ieee80211_hw *hw,
+ 	if (req->n_ssids > hw->wiphy->max_scan_ssids)
+ 		return -EINVAL;
+ 
++	/* will be unlocked in bes2600_scan_work() */
++	down(&hw_priv->scan.lock);
++	down(&hw_priv->conf_lock);
++
+ 	frame.skb = ieee80211_probereq_get(hw, priv->vif->addr, NULL, 0,
+ 		req->ie_len);
+-	if (!frame.skb)
++	if (!frame.skb) {
++		up(&hw_priv->conf_lock);
++		up(&hw_priv->scan.lock);
+ 		return -ENOMEM;
++	}
+ 
+-	/* will be unlocked in bes2600_scan_work() */
+-	down(&hw_priv->scan.lock);
+-	down(&hw_priv->conf_lock);
+ 	if (frame.skb) {
+ 		int ret;
+ 		if (priv->if_id == 0)
+@@ -380,9 +387,9 @@ int bes2600_hw_sched_scan_start(struct ieee80211_hw *hw,
+ 			ret = wsm_set_probe_responder(priv, true);
+ 		}
+ 		if (ret) {
++			dev_kfree_skb(frame.skb);
+ 			up(&hw_priv->conf_lock);
+ 			up(&hw_priv->scan.lock);
+-			dev_kfree_skb(frame.skb);
+ 			return ret;
+ 		}
+ 	}
+@@ -414,10 +421,10 @@ int bes2600_hw_sched_scan_start(struct ieee80211_hw *hw,
+ 		}
+ 	}
+ 
+-	up(&hw_priv->conf_lock);
+-
+ 	if (frame.skb)
+ 		dev_kfree_skb(frame.skb);
++
++	up(&hw_priv->conf_lock);
+ 	queue_work(hw_priv->workqueue, &hw_priv->scan.swork);
+ 	wiphy_warn(hw->wiphy, "<--[SCAN] Scheduled scan request.\n");
+ 	return 0;
+-- 
+2.54.0
+