claude-noether/kernel-agent
1
0
Fork 0
forked from marfrit/kernel-agent
Code Pull Requests Activity

Compare commits

merge into: claude-noether/kernel-agent:noether/kernel-agent-29-rebased-on-danctnix-clean
Branches Tags
claude-noether/kernel-agent:main claude-noether/kernel-agent:noether/kernel-agent-29-rebased-on-danctnix-clean marfrit/kernel-agent:noether/ohm-pkgrel6-perseries-converged marfrit/kernel-agent:main
..
pull from: marfrit/kernel-agent:main
Branches Tags
marfrit/kernel-agent:noether/ohm-pkgrel6-perseries-converged marfrit/kernel-agent:main claude-noether/kernel-agent:main claude-noether/kernel-agent:noether/kernel-agent-29-rebased-on-danctnix-clean

5 Commits
noether/kernel-agent-29-rebased-on-danctnix-clean .. main

Author SHA1 Message Date
marfrit 84cdb5b4ee Merge pull request 'fleet/ohm: pkgrel=6 — per-series converged (closes ka#29, includes besser#22 / #25 fixes)' (#37) from noether/ohm-pkgrel6-perseries-converged into main 
Reviewed-on: marfrit/kernel-agent#37
 2026-05-21 10:35:31 +00:00
test0r 3d15c5367d fleet/ohm: pkgrel=6 — per-series converged with tx-sdio-dma-oob + join-confirm-reset 
Two additions to fleet/ohm.yaml's includes for the bes2600 driver scope:

1. driver/bes2600/tx-sdio-dma-oob-danctnix/ — already on disk from
   ka#17 but not previously included. The cumulative-c5x-danctnix
   shipped in pkgrel=3 did NOT have this fix; pkgrel=4 per-series
   regressed because the staging-prep series was excluded. KFENCE
   caught the OOB during pkgrel=4 soak; pkgrel=5 included it.

2. driver/bes2600/join-confirm-reset-danctnix/ — NEW scope.
   cw1200 ancestor port (sta.c:1339-1344) with bes2600-specific
   PASSIVE-gate compensation in bes2600_unjoin_work. Closes
   besser#25. Verified pkgrel=6 srcversion 0E16463F: cascade gone,
   periodic ~600ms latency jitter also gone (same root cause).

Status note: per-series reconstruction is now converged. The
cumulative-c5x-danctnix entry is left as historical fallback;
ka#29's blocker (per-series mirrors not applying cleanly) was
resolved by manually reconstructing the per-series in
marfrit/bes2600-dkms bes2600/join-confirm-failure-reset (top
commit 3d833f8).

Build still hand-managed via boltzmann:~/src/besser/marfrit-besser/
danctnix-besser-pkgbuild/kernel/PKGBUILD; ka-promote / ka-build
template rendering still pending per the original TODOs.

Signed-off-by: Claude (noether) <claude@reauktion.de>
 2026-05-21 12:23:47 +02:00
claude-noether 588350c4da Revert "Merge pull request 'patches/driver/bes2600/*-danctnix: reconstruct from cleanups (closes #29)' (#33) from claude-noether/kernel-agent:noether/kernel-agent-29-per-series-reconstruct into main" 
This reverts commit 38fd672940, reversing
changes made to 443f5e992e.
 2026-05-20 11:05:58 +02:00
marfrit cc6f2378ab Merge pull request 'ka-build: arch makepkg wrapper + sign + publish (closes #34)' (#35) from noether/ka-build-impl into main 
Reviewed-on: marfrit/kernel-agent#35
 2026-05-19 07:26:58 +00:00
test0r dd631fd3c7 ka-build: arch makepkg wrapper + sign + publish (closes #34) 
Phase-1 ka-build per umbrella #21:

1. Read manifest.lock from ka-promote output. Refuse if missing.
2. Verify each PKGBUILD-side patch in marfrit-packages still matches
   the kernel-agent-side patch by sha256 (manifest.lock is authoritative).
3. ssh-dispatch makepkg --syncdeps --noconfirm --cleanbuild to the
   manifest's build_host.primary. Native build only — no distcc
   (feedback_kernel_agent_no_distcc).
4. Pull the resulting *.pkg.tar.zst back; scp to hertz and run
   /opt/herding/bin/marfrit-publish-arch aarch64 <pkg>.
5. Append a `build:` block to manifest.lock with built_at, host,
   per-package b2sum + size.

Flags: --dry-run (stop before makepkg), --skip-publish (build only),
--packages-repo (override default ~/src/marfrit-packages).

Out of scope (separate followups):
- Debian .deb path
- PKGBUILD template *generation* (current PKGBUILDs are hand-authored;
  ka-build verifies + stamps, doesn't author)
- distcc routing (explicitly NOT in kernel-agent flow)
- ka-build --validate-against (apply-check harness)

Tests: 6/6 pass (arg parsing, missing manifest.lock, missing PKGBUILD,
patch drift via sha256 mismatch, happy-path dry-run on fresnel).
Full-build path manually exercisable; CI integration deferred until
the sandbox supports mock build-host + mock marfrit-publish-arch.
 2026-05-19 09:24:23 +02:00
36 changed files with 697 additions and 4204 deletions
Expand all files Collapse all files
README.md
+2 -2
View File
@@ -264,8 +264,8 @@ build. `ka-promote` (issue #22) replaced the manual step #1 below as of 2026-05-
|---|---|---|
| `ka-import fresnel-fourier <patches> --to board/pinebook-pro` (originally named `ka-promote` in this row) | Authored 3 patches with proper headers/scope tags, pushed to `marfrit/kernel-agent/patches/board/pinebook-pro/` via Gitea contents API as `claude-noether`. | still manual — `ka-import` unimplemented |
| `ka-promote fresnel` (new — manifest → cumulative.patch + manifest.lock) | n/a (didn't exist) | **automated 2026-05-18, issue #22** |
| `ka-build fresnel` | On boltzmann: cloned linux v7.0 from kernel.org, ran `makepkg -s --skipchecksums --skippgpcheck` against `marfrit-packages/arch/linux-fresnel-fourier/PKGBUILD`. Native aarch64 (boltzmann is RK3588). One headers-pkg bug discovered (`ln -sr` on missing parent dir) and fixed mid-flight. Repackaged. | still manual — next verb to implement |
| `ka-sign + push` | scp pkgs hertz → `sudo /opt/herding/bin/marfrit-publish-arch aarch64 <pkg>` per pkg. Script signs with key `92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C`, runs repo-add, rsyncs to nc. | still manual — folded into `ka-build` |
| `ka-build fresnel` | On boltzmann: cloned linux v7.0 from kernel.org, ran `makepkg -s --skipchecksums --skippgpcheck` against `marfrit-packages/arch/linux-fresnel-fourier/PKGBUILD`. Native aarch64 (boltzmann is RK3588). One headers-pkg bug discovered (`ln -sr` on missing parent dir) and fixed mid-flight. Repackaged. | **automated 2026-05-19, issue #34**`ka-build <host>` ssh-dispatches makepkg to `build_host.primary`, verifies kernel-agent patches still match the PKGBUILD-side files (b2sum cross-check from `manifest.lock`), and pulls the resulting `*.pkg.tar.zst` back. |
| `ka-sign + push` | scp pkgs hertz → `sudo /opt/herding/bin/marfrit-publish-arch aarch64 <pkg>` per pkg. Script signs with key `92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C`, runs repo-add, rsyncs to nc. | **folded into `ka-build` 2026-05-19**`ka-build` scp's each pkg to hertz and runs `marfrit-publish-arch` over ssh. `--skip-publish` flag retained for offline builds. |
| `ka-install fresnel` (consent-via-action) | `sudo pacman -U /tmp/<pkg>` over LAN scp (HTTPS to nc was throttled by fresnel's wifi). pacman post-transaction hook updated extlinux. mkinitcpio run manually because the standard hook trigger watches `vmlinuz` not `Image`. | still manual — last verb to implement |
| Bar 1..3 verification | SSH heartbeat OK, `pacman -Q linux-fresnel-fourier` = `7.0-1`, post-reboot cluster0 1.704 GHz / cluster1 2.184 GHz confirmed. | folded into `ka-install` |
bin/ka-build
Executable
+199
View File
@@ -0,0 +1,199 @@
#!/usr/bin/env bash
# ka-build — render PKGBUILD from manifest.lock, build native on host,
# sign+publish via marfrit-publish-arch on hertz.
#
# Phase-1 (issue #34): arch makepkg wrapper. Debian path deferred.
#
# Usage:
# ka-build <host>
# ka-build <host> --packages-repo <path> # default: ~/src/marfrit-packages
# ka-build <host> --dry-run # stop after staging, don't makepkg
# ka-build <host> --skip-publish # build only, don't push to hertz
#
# Exit codes:
# 0 success (pkg built + published)
# 2 missing input (manifest.lock, PKGBUILD, ssh target)
# 3 patch drift (resolved.sha256 != PKGBUILD-side file sha256)
# 4 makepkg / sign / publish failure
# 5 manifest parse error
set -euo pipefail
VERSION=1
die() { echo "ka-build: error: $1" >&2; exit "${2:-1}"; }
note() { echo "ka-build: $1"; }
# Defaults
PACKAGES_REPO="${KA_PACKAGES_REPO:-${HOME}/src/marfrit-packages}"
DRY_RUN=0
SKIP_PUBLISH=0
HOST=""
while [ $# -gt 0 ]; do
case "$1" in
--packages-repo) PACKAGES_REPO="$2"; shift 2 ;;
--dry-run) DRY_RUN=1; shift ;;
--skip-publish) SKIP_PUBLISH=1; shift ;;
--version) echo "ka-build version $VERSION"; exit 0 ;;
-h|--help) sed -n '1,30p' "$0" | grep -E '^# ' | sed 's/^# //'; exit 0 ;;
-*) die "unknown flag: $1" ;;
*) [ -z "$HOST" ] && HOST="$1" || die "extra arg: $1"; shift ;;
esac
done
[ -n "$HOST" ] || die "host is required" 2
[ -d "$PACKAGES_REPO" ] || die "--packages-repo not found: $PACKAGES_REPO" 2
# Locate kernel-agent repo root (where bin/ + fleet/ live)
script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_ROOT="$(cd "$script_dir/.." && pwd)"
[ -d "$REPO_ROOT/fleet" ] || die "fleet/ not found relative to $script_dir" 2
manifest="$REPO_ROOT/fleet/${HOST}.yaml"
[ -f "$manifest" ] || die "no manifest for host '$HOST': $manifest" 2
# Read fields from manifest via python (yaml in bash is masochism)
py_read() {
python3 -c "
import sys, yaml, os
m = yaml.safe_load(open('$manifest'))
keys = '$1'.split('.')
v = m
for k in keys:
if not isinstance(v, dict) or k not in v: sys.exit('missing key: $1')
v = v[k]
print(v)
"
}
PKG_NAME="$(py_read package.name)"
BASELINE_REF="$(py_read baseline.ref)"
BUILD_HOST="$(py_read build_host.primary)"
# Locate the most recent ka-promote output
build_dir_root="${KA_BUILD_DIR:-$REPO_ROOT/build}"
promote_out="${build_dir_root}/${HOST}/${BASELINE_REF}"
lock="${promote_out}/manifest.lock"
cumulative="${promote_out}/cumulative.patch"
[ -f "$lock" ] || die "no manifest.lock at $lock — run 'ka-promote $HOST' first" 2
[ -f "$cumulative" ] || die "no cumulative.patch at $cumulative — run 'ka-promote $HOST' first" 2
# Locate the PKGBUILD
pkg_dir="${PACKAGES_REPO}/arch/${PKG_NAME}"
pkgbuild="${pkg_dir}/PKGBUILD"
[ -f "$pkgbuild" ] || die "no PKGBUILD at $pkgbuild (expected from manifest package.name)" 2
note "host=$HOST pkg=$PKG_NAME baseline=$BASELINE_REF build_host=$BUILD_HOST"
note "PKGBUILD: $pkgbuild"
note "manifest.lock: $lock"
# Refuse if PKGBUILD-side patches drifted from kernel-agent patches/.
# manifest.lock.resolved_patches[].sha256 must match PKGBUILD-dir-side
# files of the same basename. (If a patch is in resolved but missing from
# PKGBUILD dir, fail loud — operator needs to sync.)
note "verifying patch consistency between kernel-agent and marfrit-packages..."
drift=0
while IFS=$'\t' read -r basename expected_sha; do
pkg_side="${pkg_dir}/${basename}"
if [ ! -f "$pkg_side" ]; then
echo " MISSING in PKGBUILD dir: $basename" >&2
drift=1; continue
fi
actual_sha=$(sha256sum "$pkg_side" | cut -d' ' -f1)
if [ "$actual_sha" != "$expected_sha" ]; then
echo " DRIFT: $basename (expected $expected_sha, got $actual_sha)" >&2
drift=1
fi
done < <(python3 -c "
import yaml, sys, os
lk = yaml.safe_load(open('$lock'))
for r in lk['resolved_patches']:
bn = os.path.basename(r['include'])
print(f\"{bn}\t{r['sha256']}\")
")
[ "$drift" -eq 0 ] || die "patches differ between kernel-agent and marfrit-packages — sync first" 3
note "patches OK ($(python3 -c "import yaml; print(len(yaml.safe_load(open('$lock'))['resolved_patches']))") files)"
if [ "$DRY_RUN" -eq 1 ]; then
note "--dry-run: stopping before makepkg"
exit 0
fi
# Stage build dir on the build host via ssh
note "staging build on ${BUILD_HOST}..."
remote_stage="/tmp/ka-build-${HOST}-$$"
ssh "${BUILD_HOST}" "mkdir -p '$remote_stage'"
rsync -a "${pkg_dir}/" "${BUILD_HOST}:${remote_stage}/"
# Run makepkg natively
note "running makepkg --syncdeps --noconfirm --cleanbuild on ${BUILD_HOST}..."
ssh "${BUILD_HOST}" "cd '$remote_stage' && makepkg --syncdeps --noconfirm --cleanbuild --skipchecksums" \
|| die "makepkg failed on ${BUILD_HOST}" 4
# Fetch built packages
note "fetching .pkg.tar.zst from ${BUILD_HOST}..."
local_out="${promote_out}/pkgs"
mkdir -p "$local_out"
rsync -av "${BUILD_HOST}:${remote_stage}/*.pkg.tar.zst" "$local_out/" 2>&1 | tail -5
# Compute b2sums
pkg_b2sum_list=$(cd "$local_out" && for p in *.pkg.tar.zst; do
[ -f "$p" ] || continue
printf '%s %s\n' "$(b2sum "$p" | cut -d' ' -f1)" "$p"
done)
note "built packages:"
echo "$pkg_b2sum_list" | sed 's/^/ /'
# Publish via hertz marfrit-publish-arch (unless --skip-publish)
if [ "$SKIP_PUBLISH" -eq 0 ]; then
note "publishing to packages.reauktion.de/arch/aarch64/..."
for p in "$local_out"/*.pkg.tar.zst; do
[ -f "$p" ] || continue
base="$(basename "$p")"
scp -q "$p" "hertz:/tmp/${base}" || die "scp to hertz failed: $base" 4
ssh hertz "sudo /opt/herding/bin/marfrit-publish-arch aarch64 '/tmp/${base}'" \
|| die "marfrit-publish-arch failed: $base" 4
ssh hertz "rm -f '/tmp/${base}'"
note "published: $base"
done
fi
# Update manifest.lock with build receipt (append; don't rewrite the
# existing fields)
note "writing build receipt to manifest.lock..."
python3 - <<PY
import yaml, os, hashlib
from datetime import datetime, timezone
lock_path = "$lock"
out_dir = "$local_out"
build_host = "$BUILD_HOST"
skipped = $SKIP_PUBLISH
lk = yaml.safe_load(open(lock_path))
epoch = os.environ.get("SOURCE_DATE_EPOCH")
if epoch:
built_at = datetime.fromtimestamp(int(epoch), tz=timezone.utc).isoformat()
else:
built_at = datetime.now(tz=timezone.utc).isoformat()
pkgs = []
for fn in sorted(os.listdir(out_dir)):
if not fn.endswith(".pkg.tar.zst"): continue
fp = os.path.join(out_dir, fn)
b2 = hashlib.blake2b(open(fp, "rb").read()).hexdigest()
pkgs.append({"name": fn, "size": os.path.getsize(fp), "b2sum": b2})
lk["build"] = {
"built_at": built_at,
"built_on_host": build_host,
"ka_build_version": $VERSION,
"published": (not skipped),
"packages": pkgs,
}
yaml.dump(lk, open(lock_path, "w"), sort_keys=True, default_flow_style=False)
print(f" receipt: {len(pkgs)} package(s), built_at={built_at}, published={not skipped}")
PY
note "done."
fleet/ohm.yaml
+35 -42
View File
@@ -1,6 +1,6 @@
# kernel-agent manifest for ohm (PineTab2 / Rockchip RK3566 + BES2600 SDIO WiFi/BT)
#
# Status: scaffolding from 2026-05-16. Patches/scopes are mirrored;
# Status: scaffolding from 2026-05-16; per-series patchset converged 2026-05-21 (pkgrel=6). Patches/scopes are mirrored;
# the build pipeline (cumulative-patch generation, makepkg invocation,
# sign+publish) still relies on the hand-managed flow in
# boltzmann:~/src/besser/marfrit-besser/danctnix-besser-pkgbuild/kernel/.
@@ -25,44 +25,30 @@ baseline:
# Scope-tagged patch includes. Resolves to patches/<scope>/<file>.patch.
#
# Per-series reconstruction closing kernel-agent#29 (2026-05-18 evening):
# the 24 in-tree bes2600 -danctnix series-dirs below were repopulated
# from cleanups + bes2600/bh-c-fossil-cleanup via
# git format-patch fe73571..cleanups --no-merges
# with paths rewritten from bes2600/* to drivers/staging/bes2600/*.
# Order matches the original cleanups commit chronology (= the order
# the c5x interim cumulative had folded them in). Replacing
# cumulative-c5x-danctnix with these gives per-fix revertability +
# proper apply_order traceability via the manifest.
# 2026-05-18 audit: the per-series -danctnix mirrors in
# patches/driver/bes2600/*-danctnix/ created by kernel-agent#17 use
# DKMS-style root paths (bes2600/foo.c) rather than in-tree staging
# paths (drivers/staging/bes2600/foo.c), and at least one has corrupted
# mixed-prefix headers (a/drivers/staging/bes2600/... b/bes2600/...).
# They do NOT apply cleanly against the linux-pinetab2 baseline.
#
# 2026-05-21 update: per-series reconstruction (besser#22) completed
# 2026-05-21; pkgrel=6 (srcversion 0E16463F) on ohm soak-passed with
# the bounce-buffer + join-confirm-reset additions. The per-series
# manifest below is the authoritative set; cumulative-c5x-danctnix
# remains as historical fallback only.
#
# Until the per-series mirrors are reconstructed (kernel-agent followup
# issue), the bes2600 driver scope is satisfied by a single-file
# cumulative captured from the working hand-managed
# danctnix-besser-pkgbuild flow on boltzmann (see
# patches/driver/bes2600/cumulative-c5x-danctnix/README.md). This is
# the c5x stack as it shipped in pkgrel=3 on 2026-05-18.
includes:
# pre-c-stack (factory + early cleanups), in cleanups order
- driver/bes2600/factory-series/
- driver/bes2600/factory-thread-dev/
- driver/bes2600/pm-gate-on-handshake/
- driver/bes2600/remove-chardev-user-interface/
- driver/bes2600/enable-testmode/
- driver/bes2600/tx-sdio-dma-oob-danctnix/
- driver/bes2600/factory-drop-kernel-write-danctnix/
- driver/bes2600/drop-dpd-file-paths-danctnix/
- driver/bes2600/drop-orphan-file-io-danctnix/
- driver/bes2600/pm-timeout-silence-danctnix/
# c-stack (c5.1, c5.1.1, c5.2 + c5.2.1, c6.1, c6.2, c7)
- driver/bes2600/scan-defer-on-reject-danctnix/
- driver/bes2600/scan-defer-backoff-tune-danctnix/
- driver/bes2600/lmac-recover-via-mmc-hw-reset-danctnix/ # c5.2 + c5.2.1 (multi-fn SDIO)
- driver/bes2600/pm-state-resync-danctnix/
- driver/bes2600/pm-wake-consume-state-danctnix/
- driver/bes2600/pm-detect-firmware-unsupported-danctnix/
# Patches A/B/F/C-v3/G/D/E/C2/H (in cleanups merge order)
- driver/bes2600/decrypt-storm-fast-recover-danctnix/ # Patch A
- driver/bes2600/connection-loss-fast-recover-danctnix/ # Patch B
- driver/bes2600/cw1200-fix-backports-danctnix/ # Patches F3 + F2 + F1
- driver/bes2600/sdio-rx-no-relay-danctnix/ # Patch C v3
- driver/bes2600/license-spdx-restore-attribution-danctnix/ # Patch G
- driver/bes2600/ba-lock-atomic-danctnix/ # Patch D
- driver/bes2600/ps-state-lock-skip-pm-disabled-danctnix/ # Patch E
- driver/bes2600/rx-list-batch-delivery-danctnix/ # Patch C2
- driver/bes2600/bh-c-fossil-cleanup-danctnix/ # Patch H
# bes2600 driver (c5x stack as shipped in pkgrel=3) — single-file
# interim cumulative; per-series reconstruction tracked separately.
- driver/bes2600/cumulative-c5x-danctnix/
# close besser#1 — refuse multi-channel 5 GHz scans at driver boundary.
- driver/bes2600/scan-filter-5ghz-danctnix/
# GCC 15.2.1 build-fix for arm_neon.h + SHADOW_CALL_STACK interaction.
@@ -73,13 +59,20 @@ includes:
# close besser#18 — pending_record_lock SOFTIRQ-safe -> -unsafe inversion.
# Mirror of marfrit/bes2600-dkms#11 (d95453c). 5-site spin_lock -> _bh.
- driver/bes2600/queue-pending-record-lock-bh-danctnix/
# bounce-buffer fix for SDIO TX DMA OOB (KFENCE-detected on pkgrel=4 soak);
# the per-series mirror of marfrit/bes2600-dkms bes2600/tx-sdio-dma-oob.
# cumulative-c5x-danctnix did NOT include this — it was the regression
# surfaced during the per-series reconstruction.
- driver/bes2600/tx-sdio-dma-oob-danctnix/
# close besser#25 — wsm_reset + serialised unjoin on JOIN reject.
# cw1200 ancestor port (drivers/net/wireless/st/cw1200/sta.c:1339-1344)
# with bes2600-specific PASSIVE-gate compensation. pkgrel=6 verified.
- driver/bes2600/join-confirm-reset-danctnix/
# Explicitly NOT included (decision logged):
# - debian-copyright-fsf-address: Debian packaging metadata, not kernel
# - cumulative-c5x-danctnix: retired in favour of the per-series above
# (kept on disk for one cycle as bisection reference)
# - staging-prep-series-danctnix: duplicate of tx-sdio-dma-oob-danctnix
# under an older branch name; kept on disk for one cycle, dropped here
# - bare (non-danctnix) variants of the per-series mirrors: same
# root-path bug as the -danctnix variants per the 2026-05-18 audit
config:
source: hand-managed config file in boltzmann:~/src/besser/marfrit-besser/danctnix-besser-pkgbuild/kernel/config
patches/arch/arm64/scs-arm-neon-build-fix/0001-arm64-xor-neon-ffixed-x18-build-fix.patch
+1 -1
View File
@@ -22,7 +22,7 @@ diff --git a/arch/arm64/lib/Makefile b/arch/arm64/lib/Makefile
index 1234567..2345678 100644
--- a/arch/arm64/lib/Makefile
+++ b/arch/arm64/lib/Makefile
@@ -9,6 +9,11 @@ ifeq ($(CONFIG_KERNEL_MODE_NEON), y)
@@ -9,6 +9,10 @@ ifeq ($(CONFIG_KERNEL_MODE_NEON), y)
obj-$(CONFIG_XOR_BLOCKS) += xor-neon.o
CFLAGS_xor-neon.o += $(CC_FLAGS_FPU)
CFLAGS_REMOVE_xor-neon.o += $(CC_FLAGS_NO_FPU)
patches/driver/bes2600/ba-lock-atomic-danctnix/0001-bes2600-Patch-D-atomicize-ba_lock-counters-drop-the-spinlock.patch
-313
View File
@@ -1,313 +0,0 @@
From 8fd20308ed53678c863a0ef52fb2c754e3adc63c Mon Sep 17 00:00:00 2001
From: Markus Fritsche <fritsche.markus@gmail.com>
Date: Fri, 8 May 2026 00:17:46 +0200
Subject: [PATCH 27/29] =?UTF-8?q?bes2600:=20Patch=20D=20=E2=80=94=20atomic?=
=?UTF-8?q?ize=20ba=5Flock=20counters,=20drop=20the=20spinlock?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The block-ack policy uses 4 int counters (ba_acc, ba_cnt, ba_acc_rx,
ba_cnt_rx) bumped per data frame in the TX and RX hot paths under
spin_lock_bh(&hw_priv->ba_lock). The lock was the heaviest per-frame
synchronization cost remaining after Patch C v3 (which fixed the
sdio_rx_work relay). Per the Opus structural critique (PR #8), this
pattern matches mac80211 driver convention for per-frame statistics:
atomic_t suffices, no lock needed.
Field-by-field changes in struct bes2600_common:
ba_acc, ba_cnt, ba_acc_rx, ba_cnt_rx: int -> atomic_t
ba_armed: new atomic_t (timer-arm flag)
ba_ena: bool -> atomic_t
ba_lock: removed (spinlock_t deleted)
ba_hist: int (single-writer = ba_timer)
Producer hot path (txrx.c TX submit + RX receive):
- atomic_add for the byte accumulator
- atomic_inc for the frame counter
- atomic_cmpxchg(&ba_armed, 0, 1) to claim the once-per-window
mod_timer arm — at most ONE producer succeeds; race-free
- no spin_lock_bh
Consumer paths (sta.c bes2600_ba_timer, sta.c disconnect-reset, sta.c
bes2600_ba_work, debug.c debugfs reader):
- atomic_read snapshots all 4 counters into locals; the threshold
predicate (acc/cnt >= THLD) tolerates approximate snapshots — the
timer fires periodically, a single misclassification just delays
the policy update by one tick
- atomic_set zeroes the counters at end of timer-callback window;
racing producer increments after the snapshot are lost (acceptable
for stats; same approximation the original lock allowed under
contention)
- atomic_set(&ba_armed, 0) re-enables the next window's arm
Followup-amenable simplification: ba_hist remains int because only
the single ba_timer callback writes it; multiple writers would need
to upgrade it too.
This patch follows the cw1200-mainline-idiom established by Patch C v3
(structural fix, not bandaid). The cw1200 reference doesn't have a
similar lock to compare; bes2600 inherited this from a later
Bestechnic addition rather than the upstream tree.
---
bes2600/bes2600.h | 26 ++++++++++------
bes2600/debug.c | 13 +++++---
bes2600/main.c | 2 +-
bes2600/sta.c | 77 ++++++++++++++++++++++++++++-------------------
bes2600/txrx.c | 23 ++++++++------
5 files changed, 85 insertions(+), 56 deletions(-)
diff --git a/drivers/staging/bes2600/bes2600.h b/drivers/staging/bes2600/bes2600.h
index 84059c7..32bce5e 100644
--- a/drivers/staging/bes2600/bes2600.h
+++ b/drivers/staging/bes2600/bes2600.h
@@ -353,15 +353,23 @@ struct bes2600_common {
* Keeping in common structure for the time being. Will be moved to VIFF
* after the mechanism is clear */
u8 ba_tid_mask;
- int ba_acc; /*TODO: Same as above */
- int ba_cnt; /*TODO: Same as above */
- int ba_cnt_rx; /*TODO: Same as above */
- int ba_acc_rx; /*TODO: Same as above */
- int ba_hist; /*TODO: Same as above */
- struct timer_list ba_timer;/*TODO: Same as above */
- spinlock_t ba_lock; /*TODO: Same as above */
- bool ba_ena; /*TODO: Same as above */
- struct work_struct ba_work; /*TODO: Same as above */
+ /*
+ * Patch D: ba_lock removed. Per-frame TX/RX hot-path bumped these
+ * counters under spin_lock_bh; the lock did not protect any
+ * compound invariant that atomic ops can't satisfy. Counters are
+ * now atomic_t; ba_armed gates the once-per-window mod_timer
+ * arm via cmpxchg so concurrent TX/RX at a fresh window each
+ * try to claim the arm and exactly one succeeds.
+ */
+ atomic_t ba_acc;
+ atomic_t ba_cnt;
+ atomic_t ba_cnt_rx;
+ atomic_t ba_acc_rx;
+ atomic_t ba_armed;
+ int ba_hist;
+ struct timer_list ba_timer;
+ atomic_t ba_ena;
+ struct work_struct ba_work;
bool is_BT_Present;
bool is_go_thru_go_neg;
u8 conf_listen_interval;
diff --git a/drivers/staging/bes2600/debug.c b/drivers/staging/bes2600/debug.c
index 47e27be..0ab79c0 100644
--- a/drivers/staging/bes2600/debug.c
+++ b/drivers/staging/bes2600/debug.c
@@ -110,17 +110,20 @@ static int bes2600_status_show_common(struct seq_file *seq, void *v)
int ba_cnt, ba_acc, ba_cnt_rx, ba_acc_rx, ba_avg = 0, ba_avg_rx = 0;
bool ba_ena;
- spin_lock_bh(&hw_priv->ba_lock);
- ba_cnt = hw_priv->debug->ba_cnt;
- ba_acc = hw_priv->debug->ba_acc;
+ /*
+ * Patch D: ba_lock removed. hw_priv->debug->ba_* are written only
+ * by the timer callback (single writer); reading without a lock is
+ * fine for stats. ba_ena is atomic_t.
+ */
+ ba_cnt = hw_priv->debug->ba_cnt;
+ ba_acc = hw_priv->debug->ba_acc;
ba_cnt_rx = hw_priv->debug->ba_cnt_rx;
ba_acc_rx = hw_priv->debug->ba_acc_rx;
- ba_ena = hw_priv->ba_ena;
+ ba_ena = !!atomic_read(&hw_priv->ba_ena);
if (ba_cnt)
ba_avg = ba_acc / ba_cnt;
if (ba_cnt_rx)
ba_avg_rx = ba_acc_rx / ba_cnt_rx;
- spin_unlock_bh(&hw_priv->ba_lock);
seq_puts(seq, "BES2600 Wireless LAN driver status\n");
seq_printf(seq, "Hardware: %d.%d\n",
diff --git a/drivers/staging/bes2600/main.c b/drivers/staging/bes2600/main.c
index 71dc4ae..8fc37b4 100644
--- a/drivers/staging/bes2600/main.c
+++ b/drivers/staging/bes2600/main.c
@@ -501,7 +501,7 @@ static struct ieee80211_hw *bes2600_init_common(size_t hw_priv_data_len)
INIT_LIST_HEAD(&hw_priv->event_queue);
INIT_WORK(&hw_priv->event_handler, bes2600_event_handler);
INIT_WORK(&hw_priv->ba_work, bes2600_ba_work);
- spin_lock_init(&hw_priv->ba_lock);
+ /* Patch D: ba_lock removed; ba_acc/ba_cnt/etc are atomic_t. */
timer_setup(&hw_priv->ba_timer, bes2600_ba_timer, 0);
if (unlikely(bes2600_queue_stats_init(&hw_priv->tx_queue_stats,
diff --git a/drivers/staging/bes2600/sta.c b/drivers/staging/bes2600/sta.c
index 70b12f9..8af8150 100644
--- a/drivers/staging/bes2600/sta.c
+++ b/drivers/staging/bes2600/sta.c
@@ -2362,14 +2362,19 @@ void bes2600_join_work(struct work_struct *work)
//WARN_ON(wsm_reset(hw_priv, &reset, priv->if_id));
WARN_ON(wsm_set_block_ack_policy(hw_priv,
0, hw_priv->ba_tid_mask, priv->if_id));
- spin_lock_bh(&hw_priv->ba_lock);
- hw_priv->ba_ena = false;
- hw_priv->ba_cnt = 0;
- hw_priv->ba_acc = 0;
+ /*
+ * Patch D: ba_lock removed. Disconnect-reset clears the
+ * counters and the arm flag; producers racing here cannot
+ * cause harm — at worst they re-arm the timer and bump
+ * counters that will be cleared on the next timer tick.
+ */
+ atomic_set(&hw_priv->ba_ena, 0);
+ atomic_set(&hw_priv->ba_cnt, 0);
+ atomic_set(&hw_priv->ba_acc, 0);
hw_priv->ba_hist = 0;
- hw_priv->ba_cnt_rx = 0;
- hw_priv->ba_acc_rx = 0;
- spin_unlock_bh(&hw_priv->ba_lock);
+ atomic_set(&hw_priv->ba_cnt_rx, 0);
+ atomic_set(&hw_priv->ba_acc_rx, 0);
+ atomic_set(&hw_priv->ba_armed, 0);
mgmt_policy.protectedMgmtEnable = 0;
mgmt_policy.unprotectedMgmtFramesAllowed = 1;
@@ -2649,10 +2654,11 @@ void bes2600_ba_work(struct work_struct *work)
return;*/
bes_devel("BA work****\n");
- spin_lock_bh(&hw_priv->ba_lock);
-// tx_ba_tid_mask = hw_priv->ba_ena ? hw_priv->ba_tid_mask : 0;
+ /*
+ * Patch D: ba_lock removed. ba_tid_mask is u8 set once at init
+ * (main.c); reading it without a lock is fine.
+ */
tx_ba_tid_mask = hw_priv->ba_tid_mask;
- spin_unlock_bh(&hw_priv->ba_lock);
wsm_lock_tx(hw_priv);
@@ -2665,37 +2671,49 @@ void bes2600_ba_work(struct work_struct *work)
void bes2600_ba_timer(struct timer_list *t)
{
bool ba_ena;
+ int cnt, acc, cnt_rx, acc_rx;
struct bes2600_common *hw_priv = timer_container_of(hw_priv, t, ba_timer);
- spin_lock_bh(&hw_priv->ba_lock);
- bes2600_debug_ba(hw_priv, hw_priv->ba_cnt, hw_priv->ba_acc,
- hw_priv->ba_cnt_rx, hw_priv->ba_acc_rx);
+ /*
+ * Patch D: ba_lock removed. Snapshot atomic counters into locals
+ * for the predicate evaluation; producers may race incrementing
+ * after the snapshot but the resulting decision is approximate
+ * which the policy already tolerates (next timer tick re-evaluates).
+ */
+ cnt = atomic_read(&hw_priv->ba_cnt);
+ acc = atomic_read(&hw_priv->ba_acc);
+ cnt_rx = atomic_read(&hw_priv->ba_cnt_rx);
+ acc_rx = atomic_read(&hw_priv->ba_acc_rx);
+
+ bes2600_debug_ba(hw_priv, cnt, acc, cnt_rx, acc_rx);
if (atomic_read(&hw_priv->scan.in_progress)) {
- hw_priv->ba_cnt = 0;
- hw_priv->ba_acc = 0;
- hw_priv->ba_cnt_rx = 0;
- hw_priv->ba_acc_rx = 0;
- goto skip_statistic_update;
+ atomic_set(&hw_priv->ba_cnt, 0);
+ atomic_set(&hw_priv->ba_acc, 0);
+ atomic_set(&hw_priv->ba_cnt_rx, 0);
+ atomic_set(&hw_priv->ba_acc_rx, 0);
+ atomic_set(&hw_priv->ba_armed, 0);
+ return;
}
- if (hw_priv->ba_cnt >= BES2600_BLOCK_ACK_CNT &&
- (hw_priv->ba_acc / hw_priv->ba_cnt >= BES2600_BLOCK_ACK_THLD ||
- (hw_priv->ba_cnt_rx >= BES2600_BLOCK_ACK_CNT &&
- hw_priv->ba_acc_rx / hw_priv->ba_cnt_rx >=
+ if (cnt >= BES2600_BLOCK_ACK_CNT &&
+ (acc / cnt >= BES2600_BLOCK_ACK_THLD ||
+ (cnt_rx >= BES2600_BLOCK_ACK_CNT &&
+ acc_rx / cnt_rx >=
BES2600_BLOCK_ACK_THLD)))
ba_ena = true;
else
ba_ena = false;
- hw_priv->ba_cnt = 0;
- hw_priv->ba_acc = 0;
- hw_priv->ba_cnt_rx = 0;
- hw_priv->ba_acc_rx = 0;
+ atomic_set(&hw_priv->ba_cnt, 0);
+ atomic_set(&hw_priv->ba_acc, 0);
+ atomic_set(&hw_priv->ba_cnt_rx, 0);
+ atomic_set(&hw_priv->ba_acc_rx, 0);
+ atomic_set(&hw_priv->ba_armed, 0);
- if (ba_ena != hw_priv->ba_ena) {
+ if (ba_ena != !!atomic_read(&hw_priv->ba_ena)) {
if (ba_ena || ++hw_priv->ba_hist >= BES2600_BLOCK_ACK_HIST) {
- hw_priv->ba_ena = ba_ena;
+ atomic_set(&hw_priv->ba_ena, ba_ena ? 1 : 0);
hw_priv->ba_hist = 0;
#if 0
bes_devel("[STA] %s block ACK:\n",
@@ -2705,9 +2723,6 @@ void bes2600_ba_timer(struct timer_list *t)
}
} else if (hw_priv->ba_hist)
--hw_priv->ba_hist;
-
-skip_statistic_update:
- spin_unlock_bh(&hw_priv->ba_lock);
}
int bes2600_vif_setup(struct bes2600_vif *priv)
diff --git a/drivers/staging/bes2600/txrx.c b/drivers/staging/bes2600/txrx.c
index 3aef009..536b198 100644
--- a/drivers/staging/bes2600/txrx.c
+++ b/drivers/staging/bes2600/txrx.c
@@ -996,14 +996,18 @@ bes2600_tx_h_ba_stat(struct bes2600_vif *priv,
if (!ieee80211_is_data(t->hdr->frame_control))
return;
- spin_lock_bh(&hw_priv->ba_lock);
- hw_priv->ba_acc += t->skb->len - t->hdrlen;
- if (!(hw_priv->ba_cnt_rx || hw_priv->ba_cnt)) {
+ /*
+ * Patch D: lock-free hot-path BA accounting. atomic_inc + atomic_add
+ * each per-frame; the once-per-window timer-arm uses cmpxchg on
+ * ba_armed so concurrent TX/RX can't both try to set the timer and
+ * we don't need cross-counter coherency on the ba_cnt/ba_cnt_rx pair.
+ */
+ atomic_add(t->skb->len - t->hdrlen, &hw_priv->ba_acc);
+ atomic_inc(&hw_priv->ba_cnt);
+ if (atomic_cmpxchg(&hw_priv->ba_armed, 0, 1) == 0) {
mod_timer(&hw_priv->ba_timer,
jiffies + BES2600_BLOCK_ACK_INTERVAL);
}
- hw_priv->ba_cnt++;
- spin_unlock_bh(&hw_priv->ba_lock);
}
static int
@@ -1651,14 +1655,13 @@ bes2600_rx_h_ba_stat(struct bes2600_vif *priv,
if (!priv->setbssparams_done)
return;
- spin_lock_bh(&hw_priv->ba_lock);
- hw_priv->ba_acc_rx += skb_len - hdrlen;
- if (!(hw_priv->ba_cnt_rx || hw_priv->ba_cnt)) {
+ /* Patch D: lock-free hot-path BA accounting; see TX side comment. */
+ atomic_add(skb_len - hdrlen, &hw_priv->ba_acc_rx);
+ atomic_inc(&hw_priv->ba_cnt_rx);
+ if (atomic_cmpxchg(&hw_priv->ba_armed, 0, 1) == 0) {
mod_timer(&hw_priv->ba_timer,
jiffies + BES2600_BLOCK_ACK_INTERVAL);
}
- hw_priv->ba_cnt_rx++;
- spin_unlock_bh(&hw_priv->ba_lock);
}
void bes2600_rx_cb(struct bes2600_vif *priv,
--
2.54.0
patches/driver/bes2600/bh-c-fossil-cleanup-danctnix/0001-bes2600-Patch-H-bh.c-hygiene-cleanup-drop-fossil-blocks-dead-stubs.patch
-725
View File
@@ -1,725 +0,0 @@
From 1b5374d35bcc75e0f393e3d841288f91812eb7dc Mon Sep 17 00:00:00 2001
From: Markus Fritsche <fritsche.markus@gmail.com>
Date: Fri, 8 May 2026 08:23:20 +0200
Subject: [PATCH] =?UTF-8?q?bes2600:=20Patch=20H=20=E2=80=94=20bh.c=20hygie?=
=?UTF-8?q?ne=20cleanup=20(drop=20fossil=20blocks,=20dead=20stubs)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Per Opus structural critique §4.1 (#if 0 graveyard), §4.3 (asm
volatile("nop") placeholder), §4.4 (BUG_ON in steady-state hot
path). Pure source-tree cleanup, no functional change.
Removed:
1. bh.c lines 319-395 (76-line #if 0 block) — dead helper
functions inherited from cw1200 ancestor:
bes2600_bh_read_ctrl_reg, bes2600_get_skb, bes2600_put_skb,
bes2600_device_wakeup. Compiled out for years.
2. bh.c lines 405-873 + line 1659 (the outer #if 0 / #else /
#endif) — 468-line cw1200-ancestor bes2600_bh() function body,
preserved verbatim alongside the active impl. Same function
name, same goto labels. Maintenance hazard removed.
3. bh.c done: label body — `__bes2600_irq_enable(1)` placeholder
(commented out) + `asm volatile ("nop")` filler. Both
no-ops on bes2600 silicon.
4. bh.c post-loop "Explicitly disable device interrupts" block
(sbus lock + __bes2600_irq_enable(0) + sbus unlock) — the
stub call wrapped in lock/unlock ceremony. Dead.
5. hwio.c __bes2600_irq_enable() function definition —
`int __bes2600_irq_enable(int enable) { return 0; }`. Stub.
Removed entirely.
6. sbus.h __bes2600_irq_enable() forward declaration.
Replaced:
7. bh.c bes2600_bh outer-loop BUG_ON(hw_bufs_used > numInpChBufs)
-> WARN_ON_ONCE. The BUG_ON ran every bh-loop iteration;
tripping it on a bookkeeping bug locks the kernel up during
normal operation — the wrong response to a (recoverable)
accounting drift. WARN_ON_ONCE surfaces the issue without
taking the system down.
Why __bes2600_irq_enable was a stub on bes2600:
cw1200 has the same-named function (drivers/net/wireless/st/cw1200/
hwio.c:267) that does real work — reads ST90TDS_CONFIG_REG_ID and
toggles the ST90TDS_CONF_IRQ_RDY_ENABLE bit. bes2600 inherited
the function name + signature when forked, but the bes2600 chip's
IRQ enable is managed by sdio_claim_irq + chip-side firmware, not
by a driver-side enable register. Bestechnic kept the function as
a no-op stub (return 0). Patch H removes the dead infrastructure.
Diff scope:
- bes2600/bh.c -578/+27 (mostly deletions)
- bes2600/hwio.c -7/+7 (stub function -> comment block)
- bes2600/sbus.h -2/+1 (declaration -> comment)
- net: -578/+28 across 3 files
Build verification deferred — ohm offline. Pure-deletion change,
no semantic risk; the deleted code was either #if 0-gated
(never compiled) or stub-implementations (always returned 0).
---
bes2600/bh.c | 578 ++-----------------------------------------------
bes2600/hwio.c | 11 +-
bes2600/sbus.h | 3 +-
3 files changed, 28 insertions(+), 564 deletions(-)
diff --git a/drivers/staging/bes2600/bh.c b/drivers/staging/bes2600/bh.c
index 61f6991..67dfad4 100644
--- a/drivers/staging/bes2600/bh.c
+++ b/drivers/staging/bes2600/bh.c
@@ -317,83 +317,6 @@ int wsm_release_buffer_to_fw(struct bes2600_vif *priv, int count)
}
#endif
-#if 0
-static struct sk_buff *bes2600_get_skb(struct bes2600_common *hw_priv, size_t len)
-{
- struct sk_buff *skb;
- size_t alloc_len = (len > SDIO_BLOCK_SIZE) ? len : SDIO_BLOCK_SIZE;
-
- if (len > SDIO_BLOCK_SIZE || !hw_priv->skb_cache) {
- skb = dev_alloc_skb(alloc_len
- + WSM_TX_EXTRA_HEADROOM
- + 8 /* TKIP IV */
- + 12 /* TKIP ICV + MIC */
- - 2 /* Piggyback */);
- /* In AP mode RXed SKB can be looped back as a broadcast.
- * Here we reserve enough space for headers. */
- skb_reserve(skb, WSM_TX_EXTRA_HEADROOM
- + 8 /* TKIP IV */
- - WSM_RX_EXTRA_HEADROOM);
- } else {
- skb = hw_priv->skb_cache;
- hw_priv->skb_cache = NULL;
- }
- return skb;
-}
-
-static void bes2600_put_skb(struct bes2600_common *hw_priv, struct sk_buff *skb)
-{
- if (hw_priv->skb_cache)
- dev_kfree_skb(skb);
- else
- hw_priv->skb_cache = skb;
-}
-
-static int bes2600_bh_read_ctrl_reg(struct bes2600_common *hw_priv,
- u16 *ctrl_reg)
-{
- int ret;
-
- ret = bes2600_reg_read_16(hw_priv,
- ST90TDS_CONTROL_REG_ID, ctrl_reg);
- if (ret) {
- ret = bes2600_reg_read_16(hw_priv,
- ST90TDS_CONTROL_REG_ID, ctrl_reg);
- if (ret)
- bes_err("[BH] Failed to read control register.\n");
- }
-
- return ret;
-}
-
-static int bes2600_device_wakeup(struct bes2600_common *hw_priv)
-{
- u16 ctrl_reg;
- int ret;
-
- bes_devel("[BH] Device wakeup.\n");
-
- /* To force the device to be always-on, the host sets WLAN_UP to 1 */
- ret = bes2600_reg_write_16(hw_priv, ST90TDS_CONTROL_REG_ID,
- ST90TDS_CONT_WUP_BIT);
- if (WARN_ON(ret))
- return ret;
-
- ret = bes2600_bh_read_ctrl_reg(hw_priv, &ctrl_reg);
- if (WARN_ON(ret))
- return ret;
-
- /* If the device returns WLAN_RDY as 1, the device is active and will
- * remain active. */
- if (ctrl_reg & ST90TDS_CONT_RDY_BIT) {
- bes_devel("[BH] Device awake.\n");
- return 1;
- }
-
- return 0;
-}
-
-#endif
/* Must be called from BH thraed. */
void bes2600_enable_powersave(struct bes2600_vif *priv,
@@ -403,475 +326,6 @@ void bes2600_enable_powersave(struct bes2600_vif *priv,
priv->powersave_enabled = enable;
}
-#if 0
-#define INTERRUPT_WORKAROUND
-static int bes2600_bh(void *arg)
-{
- struct bes2600_common *hw_priv = arg;
- struct bes2600_vif *priv = NULL;
- struct sk_buff *skb_rx = NULL;
- size_t read_len = 0;
- int rx, tx, term, suspend;
- struct wsm_hdr *wsm;
- size_t wsm_len;
- int wsm_id;
- u8 wsm_seq;
- int rx_resync = 1;
- u16 ctrl_reg = 0;
- int tx_allowed;
- int pending_tx = 0;
- int tx_burst;
- int rx_burst = 0;
- long status;
-#if defined(CONFIG_BES2600_WSM_DUMPS)
- size_t wsm_dump_max = -1;
-#endif
- u32 dummy;
- bool powersave_enabled;
- int i;
- int vif_selected;
-
- for (;;) {
- powersave_enabled = 1;
- spin_lock(&hw_priv->vif_list_lock);
- bes2600_for_each_vif(hw_priv, priv, i) {
-#ifdef P2P_MULTIVIF
- if ((i = (CW12XX_MAX_VIFS - 1)) || !priv)
-#else
- if (!priv)
-#endif
- continue;
- powersave_enabled &= !!priv->powersave_enabled;
- }
- spin_unlock(&hw_priv->vif_list_lock);
- if (!hw_priv->hw_bufs_used
- && powersave_enabled
- && !hw_priv->device_can_sleep
- && !atomic_read(&hw_priv->recent_scan)) {
- status = HZ/8;
- bes_devel("[BH] No Device wakedown.\n");
-#ifndef FPGA_SETUP
- WARN_ON(bes2600_reg_write_16(hw_priv,
- ST90TDS_CONTROL_REG_ID, 0));
- hw_priv->device_can_sleep = true;
-#endif
- } else if (hw_priv->hw_bufs_used)
- /* Interrupt loss detection */
- status = HZ/8;
- else
- status = HZ/8;
-
- /* Dummy Read for SDIO retry mechanism*/
- if (((atomic_read(&hw_priv->bh_rx) == 0) &&
- (atomic_read(&hw_priv->bh_tx) == 0)))
- bes2600_reg_read(hw_priv, ST90TDS_CONFIG_REG_ID,
- &dummy, sizeof(dummy));
-#if defined(CONFIG_BES2600_WSM_DUMPS_SHORT)
- wsm_dump_max = hw_priv->wsm_dump_max_size;
-#endif /* CONFIG_BES2600_WSM_DUMPS_SHORT */
-
-#ifdef INTERRUPT_WORKAROUND
- /* If a packet has already been txed to the device then read the
- control register for a probable interrupt miss before going
- further to wait for interrupt; if the read length is non-zero
- then it means there is some data to be received */
- if (hw_priv->hw_bufs_used) {
- bes2600_bh_read_ctrl_reg(hw_priv, &ctrl_reg);
- if(ctrl_reg & ST90TDS_CONT_NEXT_LEN_MASK)
- {
- rx = 1;
- goto test;
- }
- }
-#endif
-
- status = wait_event_interruptible_timeout(hw_priv->bh_wq, ({
- rx = atomic_xchg(&hw_priv->bh_rx, 0);
- tx = atomic_xchg(&hw_priv->bh_tx, 0);
- term = atomic_xchg(&hw_priv->bh_term, 0);
- suspend = pending_tx ?
- 0 : atomic_read(&hw_priv->bh_suspend);
- (rx || tx || term || suspend || hw_priv->bh_error);
- }), status);
-
- if (status < 0 || term || hw_priv->bh_error)
- break;
-
-#ifdef INTERRUPT_WORKAROUND
- if (!status) {
- bes2600_bh_read_ctrl_reg(hw_priv, &ctrl_reg);
- if(ctrl_reg & ST90TDS_CONT_NEXT_LEN_MASK)
- {
- bes_err("MISS 1\n");
- rx = 1;
- goto test;
- }
- }
-#endif
- if (!status && hw_priv->hw_bufs_used) {
- unsigned long timestamp = jiffies;
- long timeout;
- bool pending = false;
- int i;
-
- wiphy_warn(hw_priv->hw->wiphy, "Missed interrupt?\n");
- rx = 1;
-
- /* Get a timestamp of "oldest" frame */
- for (i = 0; i < 4; ++i)
- pending |= bes2600_queue_get_xmit_timestamp(
- &hw_priv->tx_queue[i],
- &timestamp, -1,
- hw_priv->pending_frame_id);
-
- /* Check if frame transmission is timed out.
- * Add an extra second with respect to possible
- * interrupt loss. */
- timeout = timestamp +
- WSM_CMD_LAST_CHANCE_TIMEOUT +
- 1 * HZ -
- jiffies;
-
- /* And terminate BH tread if the frame is "stuck" */
- if (pending && timeout < 0) {
- //wiphy_warn(priv->hw->wiphy,
- // "Timeout waiting for TX confirm.\n");
- bes_devel("bes2600_bh: Timeout waiting for TX confirm.\n");
- break;
- }
-
-#if defined(CONFIG_BES2600_DUMP_ON_ERROR)
- BUG_ON(1);
-#endif /* CONFIG_BES2600_DUMP_ON_ERROR */
- } else if (!status) {
- if (!hw_priv->device_can_sleep
- && !atomic_read(&hw_priv->recent_scan)) {
- bes_devel("[BH] Device wakedown. Timeout.\n");
-#ifndef FPGA_SETUP
- WARN_ON(bes2600_reg_write_16(hw_priv,
- ST90TDS_CONTROL_REG_ID, 0));
- hw_priv->device_can_sleep = true;
-#endif
- }
- continue;
- } else if (suspend) {
- bes_devel("[BH] Device suspend.\n");
- powersave_enabled = 1;
- spin_lock(&hw_priv->vif_list_lock);
- bes2600_for_each_vif(hw_priv, priv, i) {
-#ifdef P2P_MULTIVIF
- if ((i = (CW12XX_MAX_VIFS - 1)) || !priv)
-#else
- if (!priv)
-#endif
- continue;
- powersave_enabled &= !!priv->powersave_enabled;
- }
- spin_unlock(&hw_priv->vif_list_lock);
- if (powersave_enabled) {
- bes_devel("[BH] No Device wakedown. Suspend.\n");
-#ifndef FPGA_SETUP
- WARN_ON(bes2600_reg_write_16(hw_priv,
- ST90TDS_CONTROL_REG_ID, 0));
- hw_priv->device_can_sleep = true;
-#endif
- }
-
- atomic_set(&hw_priv->bh_suspend, BES2600_BH_SUSPENDED);
- wake_up(&hw_priv->bh_evt_wq);
- status = wait_event_interruptible(hw_priv->bh_wq,
- BES2600_BH_RESUME == atomic_read(
- &hw_priv->bh_suspend));
- if (status < 0) {
- wiphy_err(hw_priv->hw->wiphy,
- "%s: Failed to wait for resume: %ld.\n",
- __func__, status);
- break;
- }
- bes_devel("[BH] Device resume.\n");
- atomic_set(&hw_priv->bh_suspend, BES2600_BH_RESUMED);
- wake_up(&hw_priv->bh_evt_wq);
- atomic_inc(&hw_priv->bh_rx);
- continue;
- }
-
-test:
- tx += pending_tx;
- pending_tx = 0;
-
- if (rx) {
- size_t alloc_len;
- u8 *data;
-
-#ifdef INTERRUPT_WORKAROUND
- if(!(ctrl_reg & ST90TDS_CONT_NEXT_LEN_MASK))
-#endif
- if (WARN_ON(bes2600_bh_read_ctrl_reg(
- hw_priv, &ctrl_reg)))
- break;
-rx:
- read_len = (ctrl_reg & ST90TDS_CONT_NEXT_LEN_MASK) * 2;
- if (!read_len) {
- rx_burst = 0;
- goto tx;
- }
-
- if (WARN_ON((read_len < sizeof(struct wsm_hdr)) ||
- (read_len > EFFECTIVE_BUF_SIZE))) {
- bes_devel("Invalid read len: %d", read_len);
- break;
- }
-
- /* Add SIZE of PIGGYBACK reg (CONTROL Reg)
- * to the NEXT Message length + 2 Bytes for SKB */
- read_len = read_len + 2;
-
-#if defined(CONFIG_BES2600_NON_POWER_OF_TWO_BLOCKSIZES)
- alloc_len = hw_priv->sbus_ops->align_size(
- hw_priv->sbus_priv, read_len);
-#else /* CONFIG_BES2600_NON_POWER_OF_TWO_BLOCKSIZES */
- /* Platform's SDIO workaround */
- alloc_len = read_len & ~(SDIO_BLOCK_SIZE - 1);
- if (read_len & (SDIO_BLOCK_SIZE - 1))
- alloc_len += SDIO_BLOCK_SIZE;
-#endif /* CONFIG_BES2600_NON_POWER_OF_TWO_BLOCKSIZES */
-
- /* Check if not exceeding BES2600 capabilities */
- if (WARN_ON_ONCE(alloc_len > EFFECTIVE_BUF_SIZE))
- bes_devel("Read aligned len: %d\n", alloc_len);
-
- skb_rx = bes2600_get_skb(hw_priv, alloc_len);
- if (WARN_ON(!skb_rx))
- break;
-
- skb_trim(skb_rx, 0);
- skb_put(skb_rx, read_len);
- data = skb_rx->data;
- if (WARN_ON(!data))
- break;
-
- if (WARN_ON(bes2600_data_read(hw_priv, data, alloc_len)))
- break;
-
- /* Piggyback */
- ctrl_reg = __le16_to_cpu(
- ((__le16 *)data)[alloc_len / 2 - 1]);
-
- wsm = (struct wsm_hdr *)data;
- wsm_len = __le32_to_cpu(wsm->len);
- if (WARN_ON(wsm_len > read_len))
- break;
-
-#if defined(CONFIG_BES2600_WSM_DUMPS)
- if (unlikely(hw_priv->wsm_enable_wsm_dumps)) {
- u16 msgid, ifid;
- u16 *p = (u16 *)data;
- msgid = (*(p + 1)) & 0xC3F;
- ifid = (*(p + 1)) >> 6;
- ifid &= 0xF;
- bes_devel("[DUMP] <<< msgid 0x%.4X ifid %d len %d\n", msgid, ifid, *p);
- print_hex_dump(KERN_DEBUG, "<-- ", DUMP_PREFIX_NONE, data, min(wsm_len, wsm_dump_max));
- }
-#endif /* CONFIG_BES2600_WSM_DUMPS */
-
- wsm_id = __le32_to_cpu(wsm->id) & 0xFFF;
- wsm_seq = (__le32_to_cpu(wsm->id) >> 13) & 7;
-
- skb_trim(skb_rx, wsm_len);
-
- if (unlikely(wsm_id == 0x0800)) {
- wsm_handle_exception(hw_priv,
- &data[sizeof(*wsm)],
- wsm_len - sizeof(*wsm));
- break;
- } else if (unlikely(!rx_resync)) {
- if (WARN_ON(wsm_seq != hw_priv->wsm_rx_seq)) {
-#if defined(CONFIG_BES2600_DUMP_ON_ERROR)
- BUG_ON(1);
-#endif /* CONFIG_BES2600_DUMP_ON_ERROR */
- break;
- }
- }
- hw_priv->wsm_rx_seq = (wsm_seq + 1) & 7;
- rx_resync = 0;
-
- if (wsm_id & 0x0400) {
- int rc = wsm_release_tx_buffer(hw_priv, 1);
- if (WARN_ON(rc < 0))
- break;
- else if (rc > 0)
- tx = 1;
- }
-
- /* bes2600_wsm_rx takes care on SKB livetime */
- if (WARN_ON(wsm_handle_rx(hw_priv, wsm_id, wsm,
- &skb_rx)))
- break;
-
- if (skb_rx) {
- bes2600_put_skb(hw_priv, skb_rx);
- skb_rx = NULL;
- }
-
- read_len = 0;
-
- if (rx_burst) {
- bes2600_debug_rx_burst(hw_priv);
- --rx_burst;
- goto rx;
- }
- }
-
-tx:
- BUG_ON(hw_priv->hw_bufs_used > hw_priv->wsm_caps.numInpChBufs);
- tx_burst = hw_priv->wsm_caps.numInpChBufs -
- hw_priv->hw_bufs_used;
- tx_allowed = tx_burst > 0;
- if (tx && tx_allowed) {
- size_t tx_len;
- u8 *data;
- int ret;
-
- if (hw_priv->device_can_sleep) {
- ret = bes2600_device_wakeup(hw_priv);
- if (WARN_ON(ret < 0))
- break;
- else if (ret)
- hw_priv->device_can_sleep = false;
- else {
- /* Wait for "awake" interrupt */
- pending_tx = tx;
- continue;
- }
- }
-
- wsm_alloc_tx_buffer(hw_priv);
- ret = wsm_get_tx(hw_priv, &data, &tx_len, &tx_burst,
- &vif_selected);
- if (ret <= 0) {
- wsm_release_tx_buffer(hw_priv, 1);
- if (WARN_ON(ret < 0))
- break;
- } else {
- wsm = (struct wsm_hdr *)data;
- BUG_ON(tx_len < sizeof(*wsm));
- BUG_ON(__le32_to_cpu(wsm->len) != tx_len);
-
-#if 0 /* count is not implemented */
- if (ret > 1)
- atomic_inc(&hw_priv->bh_tx);
-#else
- atomic_inc(&hw_priv->bh_tx);
-#endif
-
-#if defined(CONFIG_BES2600_NON_POWER_OF_TWO_BLOCKSIZES)
- if (tx_len <= 8)
- tx_len = 16;
- tx_len = hw_priv->sbus_ops->align_size(
- hw_priv->sbus_priv, tx_len);
-#else /* CONFIG_BES2600_NON_POWER_OF_TWO_BLOCKSIZES */
- /* HACK!!! Platform limitation.
- * It is also supported by upper layer:
- * there is always enough space at the
- * end of the buffer. */
- if (tx_len & (SDIO_BLOCK_SIZE - 1)) {
- tx_len &= ~(SDIO_BLOCK_SIZE - 1);
- tx_len += SDIO_BLOCK_SIZE;
- }
-#endif /* CONFIG_BES2600_NON_POWER_OF_TWO_BLOCKSIZES */
-
- /* Check if not exceeding BES2600
- capabilities */
- if (WARN_ON_ONCE(tx_len > EFFECTIVE_BUF_SIZE))
- bes_devel("Write aligned len: %d\n", tx_len);
-
- wsm->id &= __cpu_to_le32(
- ~WSM_TX_SEQ(WSM_TX_SEQ_MAX));
- wsm->id |= cpu_to_le32(WSM_TX_SEQ(
- hw_priv->wsm_tx_seq));
-
- if (WARN_ON(bes2600_data_write(hw_priv,
- data, tx_len))) {
- wsm_release_tx_buffer(hw_priv, 1);
- break;
- }
-
- if (vif_selected != -1) {
- hw_priv->hw_bufs_used_vif[
- vif_selected]++;
- }
-
-#if defined(CONFIG_BES2600_WSM_DUMPS)
- if (unlikely(hw_priv->wsm_enable_wsm_dumps)) {
- u16 msgid, ifid;
- u16 *p = (u16 *)data;
- msgid = (*(p + 1)) & 0x3F;
- ifid = (*(p + 1)) >> 6;
- ifid &= 0xF;
- if (msgid == 0x0006)
- bes_devel("[DUMP] >>> msgid 0x%.4X ifid %d len %d MIB 0x%.4X\n", msgid, ifid, *p, *(p + 2));
- else
- bes_devel("[DUMP] >>> msgid 0x%.4X ifid %d len %d\n", msgid, ifid, *p);
- print_hex_dump(KERN_DEBUG, "--> ", DUMP_PREFIX_NONE, data, min(__le32_to_cpu(wsm->len), wsm_dump_max));
- }
-#endif /* CONFIG_BES2600_WSM_DUMPS */
-
- wsm_txed(hw_priv, data);
- hw_priv->wsm_tx_seq = (hw_priv->wsm_tx_seq + 1)
- & WSM_TX_SEQ_MAX;
-
- if (tx_burst > 1) {
- bes2600_debug_tx_burst(hw_priv);
- ++rx_burst;
- goto tx;
- }
- }
- }
-
- if (ctrl_reg & ST90TDS_CONT_NEXT_LEN_MASK)
- goto rx;
- }
-
- if (skb_rx) {
- bes2600_put_skb(hw_priv, skb_rx);
- skb_rx = NULL;
- }
-
-
- if (!term) {
- bes_devel("[BH] Fatal error, exitting.\n");
-#if defined(CONFIG_BES2600_DUMP_ON_ERROR)
- BUG_ON(1);
-#endif /* CONFIG_BES2600_DUMP_ON_ERROR */
- hw_priv->bh_error = 1;
-#if defined(CONFIG_BES2600_USE_STE_EXTENSIONS)
- spin_lock(&hw_priv->vif_list_lock);
- bes2600_for_each_vif(hw_priv, priv, i) {
- if (!priv)
- continue;
- ieee80211_driver_hang_notify(priv->vif, GFP_KERNEL);
- }
- spin_unlock(&hw_priv->vif_list_lock);
- bes2600_pm_stay_awake(&hw_priv->pm_state, 3*HZ);
-#endif
- /* TODO: schedule_work(recovery) */
-#ifndef HAS_PUT_TASK_STRUCT
- /* The only reason of having this stupid code here is
- * that __put_task_struct is not exported by kernel. */
- for (;;) {
- int status = wait_event_interruptible(hw_priv->bh_wq, ({
- term = atomic_xchg(&hw_priv->bh_term, 0);
- (term);
- }));
-
- if (status || term)
- break;
- }
-#endif
- }
- return 0;
-}
-#else
extern int bes2600_bh_read_ctrl_reg(struct bes2600_common *priv, u32 *ctrl_reg);
@@ -1599,7 +1053,15 @@ static int bes2600_bh(void *arg)
tx = 0;
- BUG_ON(hw_priv->hw_bufs_used > hw_priv->wsm_caps.numInpChBufs);
+ /*
+ * Patch H: BUG_ON -> WARN_ON_ONCE in the steady-state
+ * hot path. The original BUG_ON ran every bh-loop
+ * iteration; tripping it on a bookkeeping bug locks
+ * the kernel up during normal operation, which is
+ * the wrong response. WARN_ON_ONCE surfaces the
+ * issue without taking the system down.
+ */
+ WARN_ON_ONCE(hw_priv->hw_bufs_used > hw_priv->wsm_caps.numInpChBufs);
tx_burst = hw_priv->wsm_caps.numInpChBufs - hw_priv->hw_bufs_used;
tx_allowed = tx_burst > 0;
@@ -1643,18 +1105,19 @@ static int bes2600_bh(void *arg)
goto tx;
done:
- /* Re-enable device interrupts */
- //hw_priv->sbus_ops->lock(hw_priv->sbus_priv);
- //__bes2600_irq_enable(1);
- //hw_priv->sbus_ops->unlock(hw_priv->sbus_priv);
- asm volatile ("nop");
+ /*
+ * Patch H: dropped the dead `__bes2600_irq_enable(1)` /
+ * `asm volatile("nop")` placeholder that used to sit here.
+ * `__bes2600_irq_enable()` is a stub that returns 0 on
+ * bes2600 silicon — the IRQ is managed by sdio_claim_irq
+ * and chip-side firmware, not by a driver-side enable bit.
+ * (cw1200 inherited the function from a different chip
+ * shape; bes2600 kept the stub but the call sites are
+ * meaningless.)
+ */
+ ;
}
- /* Explicitly disable device interrupts */
- hw_priv->sbus_ops->lock(hw_priv->sbus_priv);
- __bes2600_irq_enable(0);
- hw_priv->sbus_ops->unlock(hw_priv->sbus_priv);
-
if (!term) {
bes_err("[BH] Fatal error, exiting.\n");
sdio_work_debug(hw_priv->sbus_priv);
@@ -1663,4 +1126,3 @@ static int bes2600_bh(void *arg)
}
return 0;
}
-#endif
diff --git a/drivers/staging/bes2600/hwio.c b/drivers/staging/bes2600/hwio.c
index 0934a13..1a63e4f 100644
--- a/drivers/staging/bes2600/hwio.c
+++ b/drivers/staging/bes2600/hwio.c
@@ -324,7 +324,10 @@ out:
}
#endif
-int __bes2600_irq_enable(int enable)
-{
- return 0;
-}
+/*
+ * Patch H: __bes2600_irq_enable stub removed. It was a no-op
+ * (always returned 0) inherited from cw1200 where the analogous
+ * function manipulates the chip's IRQ-enable register. bes2600
+ * silicon manages SDIO IRQ via sdio_claim_irq and chip-side
+ * firmware — there is no driver-side enable register to write.
+ */
diff --git a/drivers/staging/bes2600/sbus.h b/drivers/staging/bes2600/sbus.h
index 43c2dae..4193084 100644
--- a/drivers/staging/bes2600/sbus.h
+++ b/drivers/staging/bes2600/sbus.h
@@ -95,7 +95,6 @@ struct sbus_ops {
void bes2600_irq_handler(struct bes2600_common *priv);
-/* This MUST be wrapped with hwbus_ops->lock/unlock! */
-int __bes2600_irq_enable(int enable);
+/* Patch H: __bes2600_irq_enable removed (was a stub). */
#endif /* BES2600_SBUS_H */
--
2.54.0
patches/driver/bes2600/connection-loss-fast-recover-danctnix/0001-bes2600-bus_reset-on-connection-loss-storm-to-dodge-assoc-comeback-blackhole.patch
-279
View File
@@ -1,279 +0,0 @@
From 06fab777454d36ec5178730d8423285c2457d3ba Mon Sep 17 00:00:00 2001
From: "Claude (noether)" <claude@reauktion.de>
Date: Thu, 7 May 2026 11:30:09 +0200
Subject: [PATCH 21/29] bes2600: bus_reset on connection-loss storm to dodge
assoc-comeback blackhole
When mac80211 declares connection loss against this AP (typically driven
by inactivity-deauth or beacon-loss), the userspace reauth that follows
sometimes enters a long blackhole: the AP responds to auth with success
but defers assoc with the 802.11v "assoc comeback" timer; ohm retries
faster than the comeback grants permission; the AP eventually fires an
unprotected deauth-reason-6 ("Class 2 frame received from non-
authenticated station"), and recovery only completes via cross-SSID or
cross-channel fallback. Receipts: ~86 s blackhole observed in the
phase-7 rep on 2026-05-07 02:42, with three subsequent BSSIDs returning
assoc comeback timeouts before reason-9 (STA_REQ_ASSOC_WITHOUT_AUTH)
fired. Documented in marfrit/besser:notes/phase4-2026-05-07.md.
When N=3 driver-side connection_loss decisions fire within a 60 s window
on the same vif, skip the ieee80211_connection_loss() path and trigger
the c5.2-introduced bes2600_chrdev_do_bus_reset() instead. The bus
reset removes and re-probes the chip; userspace re-associates with a
fresh chip state, dodging the AP's comeback-timer rejection cycle.
Predicted Phase 7 delta vs current baseline:
- api_connection_loss rate: unchanged (we don't address the trigger)
- conditional probability of >5 s blackhole given event: <= 30 %
- worst-case recovery: 86 s -> < 10 s
Contract pin: bes2600_chrdev_do_bus_reset(sbus_ops, sbus_priv) at
bes2600/bes_chardev.c:455, introduced by c5.2. The function is async-
returning: sbus_ops->bus_reset() schedules an SDIO rescan; the helper
waits up to 3 s for the remove() callback to clear sbus_priv, then
returns. Per-vif state is gone after this point, so the recover work
lives on bes2600_common (hw_priv) and uses the global bes2600_cdev for
the bus_reset call rather than dereferencing per-vif state.
Threshold (3 / 60 s) is well above the steady-state per-vif
connection_loss rate observed in the patch-A phase-7 rep (0.86/h under
sustained load), so a true storm is required to trip it.
Files touched:
- bes2600/bes2600.h: 3 counter fields on struct bes2600_vif, 1
work_struct on struct bes2600_common, 3 prototypes
- bes2600/sta.c: 3 helpers + storm-account hook in
bes2600_connection_loss_work + storm-init in bes2600_vif_setup +
cancel_work_sync in the hw_priv shutdown path; #include bes_chardev.h
was already pulled in by an earlier c-stack patch
- bes2600/main.c: INIT_WORK alongside other hw_priv work_structs
- bes2600/debug.c: ConnectionLossStormRecoveries seq_printf in the
per-vif status seq_file output
The cw1200/cw1260 ancestor has no equivalent; this is a clean
addition. checkpatch.pl --no-tree --strict: clean (0/0/0).
Signed-off-by: Claude (noether) <claude@reauktion.de>
---
bes2600/bes2600.h | 12 +++++++
bes2600/bes_chardev.c | 12 +++++++
bes2600/bes_chardev.h | 1 +
bes2600/debug.c | 2 ++
bes2600/main.c | 2 ++
bes2600/sta.c | 82 +++++++++++++++++++++++++++++++++++++++++--
6 files changed, 109 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/bes2600/bes2600.h b/drivers/staging/bes2600/bes2600.h
index 66482f7..ec41141 100644
--- a/drivers/staging/bes2600/bes2600.h
+++ b/drivers/staging/bes2600/bes2600.h
@@ -511,6 +511,9 @@ struct bes2600_common {
struct list_head coex_event_list;
spinlock_t coex_event_lock;
+ /* Connection-loss-storm fast-recover (Trigger A). See sta.c. */
+ struct work_struct connection_loss_storm_recover_work;
+
/* member for low power */
struct bes2600_pwr_t bes_power;
@@ -627,6 +630,10 @@ struct bes2600_vif {
/* CQM Implementation */
struct delayed_work bss_loss_work;
struct delayed_work connection_loss_work;
+ /* Connection-loss-storm fast-recover (Trigger A). See sta.c. */
+ unsigned long connection_loss_storm_window_start;
+ unsigned int connection_loss_storm_count;
+ unsigned int connection_loss_storm_recoveries;
struct work_struct tx_failure_work;
int delayed_link_loss;
spinlock_t bss_loss_lock;
@@ -865,4 +872,9 @@ void bes2600_btusb_uninit(struct usb_interface *interface);
void bes2600_decrypt_storm_init(struct bes2600_vif *priv);
void bes2600_decrypt_storm_account(struct bes2600_vif *priv);
+/* Connection-loss-storm fast-recover helpers — see sta.c. */
+void bes2600_connection_loss_storm_init(struct bes2600_vif *priv);
+bool bes2600_connection_loss_storm_account(struct bes2600_vif *priv);
+void bes2600_connection_loss_storm_recover(struct work_struct *work);
+
#endif /* BES2600_H */
diff --git a/drivers/staging/bes2600/bes_chardev.c b/drivers/staging/bes2600/bes_chardev.c
index d1375bc..224c62d 100644
--- a/drivers/staging/bes2600/bes_chardev.c
+++ b/drivers/staging/bes2600/bes_chardev.c
@@ -484,6 +484,18 @@ int bes2600_chrdev_do_bus_reset(const struct sbus_ops *sbus_ops, struct sbus_pri
return 0;
}
+/*
+ * Trigger bes2600_chrdev_do_bus_reset() against the file-global
+ * bes2600_cdev. Used by host-side recovery paths outside this
+ * compilation unit (e.g. sta.c connection-loss-storm fast-recover) so
+ * those callers do not need to reach the static bes2600_cdev directly.
+ */
+int bes2600_chrdev_trigger_bus_reset(void)
+{
+ return bes2600_chrdev_do_bus_reset(bes2600_cdev.sbus_ops,
+ bes2600_cdev.sbus_priv);
+}
+
bool bes2600_chrdev_is_wifi_opened(void)
{
bool wifi_opened = false;
diff --git a/drivers/staging/bes2600/bes_chardev.h b/drivers/staging/bes2600/bes_chardev.h
index ca8419e..2a7cad7 100644
--- a/drivers/staging/bes2600/bes_chardev.h
+++ b/drivers/staging/bes2600/bes_chardev.h
@@ -61,6 +61,7 @@ struct sbus_priv *bes2600_chrdev_get_sbus_priv_data(void);
int bes2600_chrdev_check_system_close(void);
int bes2600_chrdev_do_system_close(const struct sbus_ops *sbus_ops, struct sbus_priv *priv);
int bes2600_chrdev_do_bus_reset(const struct sbus_ops *sbus_ops, struct sbus_priv *priv);
+int bes2600_chrdev_trigger_bus_reset(void);
void bes2600_chrdev_wakeup_bt(void);
void bes2600_chrdev_wifi_force_close(struct bes2600_common *hw_priv, bool halt_dev);
void bes2600_chrdev_usb_remove(struct bes2600_common *hw_priv);
diff --git a/drivers/staging/bes2600/debug.c b/drivers/staging/bes2600/debug.c
index ca223dd..0d68392 100644
--- a/drivers/staging/bes2600/debug.c
+++ b/drivers/staging/bes2600/debug.c
@@ -544,6 +544,8 @@ static int bes2600_status_show_priv(struct seq_file *seq, void *v)
bes2600_debug_join_status[priv->join_status]);
seq_printf(seq, "DecryptStormRecoveries: %u\n",
priv->decrypt_storm_recoveries);
+ seq_printf(seq, "ConnectionLossStormRecoveries: %u\n",
+ priv->connection_loss_storm_recoveries);
if (priv->rx_filter.promiscuous)
seq_puts(seq, "Filter: promisc\n");
else if (priv->rx_filter.fcs)
diff --git a/drivers/staging/bes2600/main.c b/drivers/staging/bes2600/main.c
index 7cbb3a9..ff82f4d 100644
--- a/drivers/staging/bes2600/main.c
+++ b/drivers/staging/bes2600/main.c
@@ -489,6 +489,8 @@ static struct ieee80211_hw *bes2600_init_common(size_t hw_priv_data_len)
spin_lock_init(&hw_priv->rtsvalue_lock);
INIT_WORK(&hw_priv->dynamic_opt_txrx_work, bes2600_dynamic_opt_txrx_work);
INIT_WORK(&hw_priv->tx_policy_upload_work, tx_policy_upload_work);
+ INIT_WORK(&hw_priv->connection_loss_storm_recover_work,
+ bes2600_connection_loss_storm_recover);
spin_lock_init(&hw_priv->event_queue_lock);
INIT_LIST_HEAD(&hw_priv->event_queue);
INIT_WORK(&hw_priv->event_handler, bes2600_event_handler);
diff --git a/drivers/staging/bes2600/sta.c b/drivers/staging/bes2600/sta.c
index 139bdae..5868757 100644
--- a/drivers/staging/bes2600/sta.c
+++ b/drivers/staging/bes2600/sta.c
@@ -268,6 +268,7 @@ void bes2600_stop(struct ieee80211_hw *dev, bool suspend)
cancel_work_sync(&hw_priv->coex_work);
coex_stop(hw_priv);
#endif
+ cancel_work_sync(&hw_priv->connection_loss_storm_recover_work);
bes2600_wifi_stop(hw_priv);
@@ -1675,6 +1676,70 @@ report:
spin_unlock(&priv->bss_loss_lock);
}
+/*
+ * Connection-loss-storm fast-recover (Trigger A).
+ *
+ * bes2600_connection_loss_work below is the driver's own decision-point
+ * to give up on a BSS (after bss-loss detection accumulates beyond
+ * tolerance) and tell mac80211 via ieee80211_connection_loss(). On the
+ * deployed pinetab2 stack a single ieee80211_connection_loss() event
+ * sometimes triggers a userspace reauth blackhole (assoc-comeback
+ * timeouts followed by AP unprotected-deauth-reason-6) that ends only
+ * via cross-channel/cross-SSID fallback and can take 80+ s. Receipts at
+ * https://git.reauktion.de/marfrit/besser, notes/phase4-2026-05-07.md.
+ *
+ * When N connection-loss decisions land within WINDOW on the same vif,
+ * skip the ieee80211_connection_loss() path and trigger a chip-level
+ * bus_reset (the c5.2-introduced bes2600_chrdev_do_bus_reset). The chip
+ * is removed and re-probed; userspace re-associates from a fresh state,
+ * dodging the assoc-comeback loop.
+ *
+ * Threshold (3 / 60 s) is chosen well above the steady-state per-vif
+ * connection-loss rate observed in the patch-A Phase-7 rep
+ * (0.86/h under sustained load), so a true storm is required.
+ *
+ * The recover work_struct lives on bes2600_common (hw_priv) so that
+ * scheduling it does not race with vif teardown after bus_reset frees
+ * the per-vif state.
+ */
+#define BES2600_CONNECTION_LOSS_STORM_THRESHOLD 3
+#define BES2600_CONNECTION_LOSS_STORM_WINDOW_MS 60000
+
+void bes2600_connection_loss_storm_recover(struct work_struct *work)
+{
+ bes_warn("[bes2600] connection-loss-storm fast-recover: bus_reset\n");
+ bes2600_chrdev_trigger_bus_reset();
+ /*
+ * After bes2600_chrdev_do_bus_reset() returns, the SDIO core has
+ * scheduled a remove + rescan; per-vif state may already be gone.
+ * Do not dereference any per-vif pointer here.
+ */
+}
+
+void bes2600_connection_loss_storm_init(struct bes2600_vif *priv)
+{
+ priv->connection_loss_storm_window_start = 0;
+ priv->connection_loss_storm_count = 0;
+ priv->connection_loss_storm_recoveries = 0;
+}
+
+bool bes2600_connection_loss_storm_account(struct bes2600_vif *priv)
+{
+ unsigned long now = jiffies;
+ unsigned long window =
+ msecs_to_jiffies(BES2600_CONNECTION_LOSS_STORM_WINDOW_MS);
+
+ if (priv->connection_loss_storm_window_start == 0 ||
+ time_after(now, priv->connection_loss_storm_window_start + window)) {
+ priv->connection_loss_storm_window_start = now;
+ priv->connection_loss_storm_count = 1;
+ return false;
+ }
+
+ return ++priv->connection_loss_storm_count >=
+ BES2600_CONNECTION_LOSS_STORM_THRESHOLD;
+}
+
void bes2600_connection_loss_work(struct work_struct *work)
{
struct bes2600_vif *priv =
@@ -1684,9 +1749,21 @@ void bes2600_connection_loss_work(struct work_struct *work)
bes_devel("[CQM] Reporting connection loss.\n");
bes2600_pwr_clear_busy_event(priv->hw_priv, BES_PWR_LOCK_ON_BSS_LOST);
- if(bes2600_suspend_status_get(hw_priv)) {
+
+ if (bes2600_connection_loss_storm_account(priv)) {
+ bes_warn("[bes2600] connection-loss storm: %u in %u s, scheduling bus reset\n",
+ priv->connection_loss_storm_count,
+ BES2600_CONNECTION_LOSS_STORM_WINDOW_MS / 1000);
+ priv->connection_loss_storm_count = 0;
+ priv->connection_loss_storm_recoveries++;
+ schedule_work(&hw_priv->connection_loss_storm_recover_work);
+ /* bus_reset will tear the chip down; skip the mac80211 path. */
+ return;
+ }
+
+ if (bes2600_suspend_status_get(hw_priv))
bes2600_pending_unjoin_set(hw_priv, priv->if_id);
- } else
+ else
ieee80211_connection_loss(priv->vif);
#ifdef WIFI_BT_COEXIST_EPTA_ENABLE
// set disconnected in BSS_CHANGED_ASSOC
@@ -2641,6 +2718,7 @@ int bes2600_vif_setup(struct bes2600_vif *priv)
/* Setup per vif workitems and locks */
spin_lock_init(&priv->vif_lock);
bes2600_decrypt_storm_init(priv);
+ bes2600_connection_loss_storm_init(priv);
INIT_WORK(&priv->join_work, bes2600_join_work);
INIT_DELAYED_WORK(&priv->join_timeout, bes2600_join_timeout);
INIT_WORK(&priv->unjoin_work, bes2600_unjoin_work);
--
2.54.0
patches/driver/bes2600/cw1200-fix-backports-danctnix/0001-bes2600-replace-atomic_add-with-atomic_inc-cw1200-backport.patch
-92
View File
@@ -1,92 +0,0 @@
From 737f28e29c4b8253939e24b1d6b97d5605bb7ac4 Mon Sep 17 00:00:00 2001
From: Markus Fritsche <fritsche.markus@gmail.com>
Date: Thu, 7 May 2026 21:19:49 +0200
Subject: [PATCH 22/29] bes2600: replace a set of atomic_add()
Backport of cw1200 mainline commit 07f995ca1951 ("cw1200: replace a set
of atomic_add()", 2020-11-10). atomic_inc() reads more naturally than
atomic_add(1, &x). Mechanical change, no functional impact.
7 sites: 6 in bh.c (bh_term, bh_rx x2, bh_tx x3) and 1 in itp.c
(awaiting_confirm). Two of the bh_rx and three of the bh_tx sites are
inside the cw1200-ancestor #if 0 block; replaced anyway to keep the
file consistent with cw1200 mainline source style.
Cherry-picked from upstream Linux:
07f995ca1951 cw1200: replace a set of atomic_add()
Author: Yejune Deng <yejune.deng@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1604991491-27908-1-git-send-email-yejune.deng@gmail.com
---
bes2600/bh.c | 12 ++++++------
bes2600/itp.c | 2 +-
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/staging/bes2600/bh.c b/drivers/staging/bes2600/bh.c
index 175ab5e..fab3bf0 100644
--- a/drivers/staging/bes2600/bh.c
+++ b/drivers/staging/bes2600/bh.c
@@ -102,7 +102,7 @@ void bes2600_unregister_bh(struct bes2600_common *hw_priv)
coex_deinit_mode(hw_priv);
#endif
- atomic_add(1, &hw_priv->bh_term);
+ atomic_inc(&hw_priv->bh_term);
wake_up(&hw_priv->bh_wq);
flush_workqueue(hw_priv->bh_workqueue);
@@ -591,7 +591,7 @@ static int bes2600_bh(void *arg)
bes_devel("[BH] Device resume.\n");
atomic_set(&hw_priv->bh_suspend, BES2600_BH_RESUMED);
wake_up(&hw_priv->bh_evt_wq);
- atomic_add(1, &hw_priv->bh_rx);
+ atomic_inc(&hw_priv->bh_rx);
continue;
}
@@ -759,9 +759,9 @@ tx:
#if 0 /* count is not implemented */
if (ret > 1)
- atomic_add(1, &hw_priv->bh_tx);
+ atomic_inc(&hw_priv->bh_tx);
#else
- atomic_add(1, &hw_priv->bh_tx);
+ atomic_inc(&hw_priv->bh_tx);
#endif
#if defined(CONFIG_BES2600_NON_POWER_OF_TWO_BLOCKSIZES)
@@ -1135,7 +1135,7 @@ static int bes2600_bh_tx_helper(struct bes2600_common *hw_priv,
tx_len += 4;
#endif
- atomic_add(1, &hw_priv->bh_tx);
+ atomic_inc(&hw_priv->bh_tx);
tx_len = hw_priv->sbus_ops->align_size(
hw_priv->sbus_priv, tx_len);
@@ -1442,7 +1442,7 @@ static int bes2600_bh(void *arg)
bes_devel("[BH] Device resume.\n");
atomic_set(&hw_priv->bh_suspend, BES2600_BH_RESUMED);
wake_up(&hw_priv->bh_evt_wq);
- atomic_add(1, &hw_priv->bh_rx);
+ atomic_inc(&hw_priv->bh_rx);
goto done;
}
diff --git a/drivers/staging/bes2600/itp.c b/drivers/staging/bes2600/itp.c
index e5c2958..c50b29c 100644
--- a/drivers/staging/bes2600/itp.c
+++ b/drivers/staging/bes2600/itp.c
@@ -570,7 +570,7 @@ int bes2600_itp_get_tx(struct bes2600_common *priv, u8 **data,
*burst = 2;
atomic_set(&priv->bh_tx, 1);
ktime_get_ts(&itp->last_sent);
- atomic_add(1, &itp->awaiting_confirm);
+ atomic_inc(&itp->awaiting_confirm);
spin_unlock_bh(&itp->tx_lock);
return 1;
--
2.54.0
patches/driver/bes2600/cw1200-fix-backports-danctnix/0002-bes2600-fix-missing-destroy_workqueue-on-error-in-init_common.patch
-58
View File
@@ -1,58 +0,0 @@
From 2fb72f06e54172479662257ae4ef9a61d6ba7092 Mon Sep 17 00:00:00 2001
From: Markus Fritsche <fritsche.markus@gmail.com>
Date: Thu, 7 May 2026 21:20:46 +0200
Subject: [PATCH 23/29] bes2600: fix missing destroy_workqueue() on error in
init_common
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Two error paths between create_singlethread_workqueue() (~main.c:489)
and the success-path destroy_workqueue() in unregister_common (~609)
return without cleaning up the workqueue, leaking it on probe failure:
1. bes2600_queue_stats_init() failure
2. bes2600_queue_init() failure (any of the 4 TID queues)
Both call ieee80211_free_hw(hw); return NULL — without first
destroy_workqueue(hw_priv->workqueue). Add it.
Backport of cw1200 mainline commit 7ec8a926188e ("cw1200: fix missing
destroy_workqueue() on error in cw1200_init_common", 2020-11-19),
which fixed the identical bug in the same code shape we inherited.
Reported on cw1200 by Hulk Robot.
Cherry-picked from upstream Linux:
7ec8a926188e cw1200: fix missing destroy_workqueue() on error
Author: Qinglang Miao <miaoqinglang@huawei.com>
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20201119070842.1011-1-miaoqinglang@huawei.com
Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets")
---
bes2600/main.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/staging/bes2600/main.c b/drivers/staging/bes2600/main.c
index ff82f4d..89b5e2d 100644
--- a/drivers/staging/bes2600/main.c
+++ b/drivers/staging/bes2600/main.c
@@ -502,6 +502,7 @@ static struct ieee80211_hw *bes2600_init_common(size_t hw_priv_data_len)
WLAN_LINK_ID_MAX,
bes2600_skb_dtor,
hw_priv))) {
+ destroy_workqueue(hw_priv->workqueue);
ieee80211_free_hw(hw);
return NULL;
}
@@ -513,6 +514,7 @@ static struct ieee80211_hw *bes2600_init_common(size_t hw_priv_data_len)
for (; i > 0; i--)
bes2600_queue_deinit(&hw_priv->tx_queue[i - 1]);
bes2600_queue_stats_deinit(&hw_priv->tx_queue_stats);
+ destroy_workqueue(hw_priv->workqueue);
ieee80211_free_hw(hw);
return NULL;
}
--
2.54.0
patches/driver/bes2600/cw1200-fix-backports-danctnix/0003-bes2600-fix-concurrency-UAF-in-bes2600_hw_scan-and-sched_scan.patch
-144
View File
@@ -1,144 +0,0 @@
From d9e6361cf0c273f07aee94f24533a5f19e7ed4c0 Mon Sep 17 00:00:00 2001
From: Markus Fritsche <fritsche.markus@gmail.com>
Date: Thu, 7 May 2026 21:24:01 +0200
Subject: [PATCH 24/29] bes2600: fix concurrency UAF in bes2600_hw_scan and
sched_scan
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
bes2600_bss_info_changed() and bes2600_hw_scan() can run concurrently.
The probe-request SKB allocated by ieee80211_probereq_get() before
scan.lock + conf_lock are taken can be touched by a concurrent
bss_info_changed (via wsm_set_template_frame's path) while we hold no
lock. Reorder to acquire both locks BEFORE the SKB allocation.
Also reorder cleanup paths so dev_kfree_skb() runs BEFORE up() —
otherwise a small window exists where the SKB has been touched but the
lock has been released, allowing concurrent code to also touch it.
Three sites fixed:
- bes2600_hw_scan: lock-take + ENOMEM cleanup + wsm_set_template_frame
error cleanup + success-path SKB free + lock release order
- bes2600_sched_scan_start (#ifdef ROAM_OFFLOAD): same three sub-fixes
(compiled-out at default build, fixed for consistency)
- All success/error paths: dev_kfree_skb before up()
Backport of cw1200 mainline commit 86760e0dfe36 ("cw1200: Fix
concurrency use-after-free bugs in cw1200_hw_scan()", 2018-12-14),
which fixed the identical bug in the same code shape we inherited.
That commit was merged from upstream 4f68ef64cd7f.
Cherry-picked from upstream Linux:
86760e0dfe36 cw1200: Fix concurrency use-after-free bugs in cw1200_hw_scan()
Author: Jia-Ju Bai <baijiaju1990@gmail.com>
Link: https://lore.kernel.org/r/20181214035521.7575-1-baijiaju1990@gmail.com
---
bes2600/scan.c | 37 ++++++++++++++++++++++---------------
1 file changed, 22 insertions(+), 15 deletions(-)
diff --git a/drivers/staging/bes2600/scan.c b/drivers/staging/bes2600/scan.c
index b944adc..3cd7b64 100644
--- a/drivers/staging/bes2600/scan.c
+++ b/drivers/staging/bes2600/scan.c
@@ -257,18 +257,21 @@ int bes2600_hw_scan(struct ieee80211_hw *hw,
bes2600_pwr_set_busy_event(hw_priv, BES_PWR_LOCK_ON_SCAN);
+ /* will be unlocked in bes2600_scan_work() */
+ down(&hw_priv->scan.lock);
+ down(&hw_priv->conf_lock);
+
frame.skb = ieee80211_probereq_get(hw, priv->vif->addr, NULL, 0,
req->ie_len);
- if (!frame.skb)
+ if (!frame.skb) {
+ up(&hw_priv->conf_lock);
+ up(&hw_priv->scan.lock);
return -ENOMEM;
+ }
if (req->ie_len)
skb_put_data(frame.skb, req->ie, req->ie_len);
- /* will be unlocked in bes2600_scan_work() */
- down(&hw_priv->scan.lock);
- down(&hw_priv->conf_lock);
-
if (frame.skb) {
int ret;
//if (priv->if_id == 0)
@@ -286,9 +289,9 @@ int bes2600_hw_scan(struct ieee80211_hw *hw,
}
#endif
if (ret) {
+ dev_kfree_skb(frame.skb);
up(&hw_priv->conf_lock);
up(&hw_priv->scan.lock);
- dev_kfree_skb(frame.skb);
return ret;
}
}
@@ -318,10 +321,10 @@ int bes2600_hw_scan(struct ieee80211_hw *hw,
++hw_priv->scan.n_ssids;
}
- up(&hw_priv->conf_lock);
-
if (frame.skb)
dev_kfree_skb(frame.skb);
+
+ up(&hw_priv->conf_lock);
#ifdef WIFI_BT_COEXIST_EPTA_ENABLE
bwifi_change_current_status(hw_priv, BWIFI_STATUS_SCANNING);
#endif
@@ -362,14 +365,18 @@ int bes2600_hw_sched_scan_start(struct ieee80211_hw *hw,
if (req->n_ssids > hw->wiphy->max_scan_ssids)
return -EINVAL;
+ /* will be unlocked in bes2600_scan_work() */
+ down(&hw_priv->scan.lock);
+ down(&hw_priv->conf_lock);
+
frame.skb = ieee80211_probereq_get(hw, priv->vif->addr, NULL, 0,
req->ie_len);
- if (!frame.skb)
+ if (!frame.skb) {
+ up(&hw_priv->conf_lock);
+ up(&hw_priv->scan.lock);
return -ENOMEM;
+ }
- /* will be unlocked in bes2600_scan_work() */
- down(&hw_priv->scan.lock);
- down(&hw_priv->conf_lock);
if (frame.skb) {
int ret;
if (priv->if_id == 0)
@@ -380,9 +387,9 @@ int bes2600_hw_sched_scan_start(struct ieee80211_hw *hw,
ret = wsm_set_probe_responder(priv, true);
}
if (ret) {
+ dev_kfree_skb(frame.skb);
up(&hw_priv->conf_lock);
up(&hw_priv->scan.lock);
- dev_kfree_skb(frame.skb);
return ret;
}
}
@@ -414,10 +421,10 @@ int bes2600_hw_sched_scan_start(struct ieee80211_hw *hw,
}
}
- up(&hw_priv->conf_lock);
-
if (frame.skb)
dev_kfree_skb(frame.skb);
+
+ up(&hw_priv->conf_lock);
queue_work(hw_priv->workqueue, &hw_priv->scan.swork);
wiphy_warn(hw->wiphy, "<--[SCAN] Scheduled scan request.\n");
return 0;
--
2.54.0
patches/driver/bes2600/decrypt-storm-fast-recover-danctnix/0001-bes2600-pre-empt-AP-deauth-6-mac80211-reassoc-on-decrypt-fail-storm.patch
-221
View File
@@ -1,221 +0,0 @@
From 91640bd96d36dd5769b1325e1b2130a95277e0e7 Mon Sep 17 00:00:00 2001
From: "Claude (noether)" <claude@reauktion.de>
Date: Wed, 6 May 2026 19:50:52 +0200
Subject: [PATCH 20/29] bes2600: pre-empt AP-deauth-6 with mac80211 reassoc on
decrypt-fail storm
When the BES2600 firmware reports WSM_STATUS_DECRYPTFAILURE for a burst
of received frames (typically because the host's PTK or GTK has fallen
out of sync with the AP), the AP eventually concludes that the STA is
not authenticated and emits an unprotected deauth-reason-6 ("Class 2
frame received from non-authenticated station"). On the deployed
pinetab2 + bes2600 stack this AP-initiated deauth has been observed to
leave the link blackholed for up to 109 s before userspace finds a
different SSID/channel to recover on. (Receipts at
https://git.reauktion.de/marfrit/besser, notes/phase5-2026-05-06.md.)
Add a sliding-window counter on each bes2600_vif: when 5 decrypt
failures fire within 5 s, schedule a worker that calls
ieee80211_connection_loss(vif). mac80211 then performs immediate
disassociation; userspace (NetworkManager / wpa_supplicant) reconnects
with fresh keys before the AP gets a chance to fire its unprotected
deauth.
Predicted Phase 7 delta vs the unpatched baseline:
- decrypt-burst rate: unchanged (this does not address root cause)
- AP-deauth-6 rate: <= 0.2 of baseline
- conditional probability of >5s blackhole given a burst:
100% -> <= 10%
- worst-case recovery time: 109s -> <5s
Contract pin: ieee80211_connection_loss() per
include/net/mac80211.h: "may also be called if the connection needs to
be terminated for some other reason... will cause immediate change to
disassociated state, without connection recovery attempts." Userspace
recovery is the existing NM/wpa_supplicant path. The worker context
satisfies the implicit process-context expectation.
Files touched:
- bes2600/bes2600.h: 4 new fields on struct bes2600_vif + 2 prototypes
- bes2600/txrx.c: new helpers + the call site at the existing
WSM_STATUS_DECRYPTFAILURE log point (the unconditional "goto drop"
branch in bes2600_rx_cb)
- bes2600/sta.c: bes2600_decrypt_storm_init() in bes2600_vif_setup;
cancel_work_sync() in bes2600_remove_interface, alongside the
existing per-vif cancel_*_work_sync block. Safe under the kernel
cancel_work_sync contract: the work_struct is INIT_WORK'd in setup,
so the call is valid; it blocks until any in-flight handler returns,
ensuring no use-after-free of priv when mac80211 frees the vif; and
it is idempotent (subsequent calls just return false).
- bes2600/debug.c: DecryptStormRecoveries seq_printf in the per-vif
status seq_file output
Threshold (5/5s) is set well above the steady-state per-vif decrypt-
fail rate observed in measurement (~1/min even under sustained 1 MB/s
load), so a true storm is required to trip it. The cw1200/cw1260
ancestor has no equivalent storm-recovery; this is a clean addition.
checkpatch.pl --no-tree --strict: clean (0/0/0).
Signed-off-by: Claude (noether) <claude@reauktion.de>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
bes2600/bes2600.h | 9 ++++++
bes2600/debug.c | 2 ++
bes2600/sta.c | 2 ++
bes2600/txrx.c | 74 +++++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 87 insertions(+)
diff --git a/drivers/staging/bes2600/bes2600.h b/drivers/staging/bes2600/bes2600.h
index 0e60960..66482f7 100644
--- a/drivers/staging/bes2600/bes2600.h
+++ b/drivers/staging/bes2600/bes2600.h
@@ -596,6 +596,11 @@ struct bes2600_vif {
unsigned long rx_timestamp;
u32 cipherType;
+ /* Decrypt-storm fast-recover (Trigger B). See txrx.c. */
+ unsigned long decrypt_storm_window_start;
+ unsigned int decrypt_storm_count;
+ unsigned int decrypt_storm_recoveries;
+ struct work_struct decrypt_storm_recover_work;
/* AP powersave */
u32 link_id_map;
@@ -856,4 +861,8 @@ int bes2600_btusb_setup_pipes(struct sbus_priv *sbus_priv);
void bes2600_btusb_uninit(struct usb_interface *interface);
#endif
+/* Decrypt-storm fast-recover helpers — see txrx.c. */
+void bes2600_decrypt_storm_init(struct bes2600_vif *priv);
+void bes2600_decrypt_storm_account(struct bes2600_vif *priv);
+
#endif /* BES2600_H */
diff --git a/drivers/staging/bes2600/debug.c b/drivers/staging/bes2600/debug.c
index 5228b22..ca223dd 100644
--- a/drivers/staging/bes2600/debug.c
+++ b/drivers/staging/bes2600/debug.c
@@ -542,6 +542,8 @@ static int bes2600_status_show_priv(struct seq_file *seq, void *v)
priv->listening ? " (listening)" : "");
seq_printf(seq, "Assoc: %s\n",
bes2600_debug_join_status[priv->join_status]);
+ seq_printf(seq, "DecryptStormRecoveries: %u\n",
+ priv->decrypt_storm_recoveries);
if (priv->rx_filter.promiscuous)
seq_puts(seq, "Filter: promisc\n");
else if (priv->rx_filter.fcs)
diff --git a/drivers/staging/bes2600/sta.c b/drivers/staging/bes2600/sta.c
index bc6d483..139bdae 100644
--- a/drivers/staging/bes2600/sta.c
+++ b/drivers/staging/bes2600/sta.c
@@ -464,6 +464,7 @@ void bes2600_remove_interface(struct ieee80211_hw *dev,
cancel_delayed_work_sync(&priv->join_timeout);
cancel_delayed_work_sync(&priv->set_cts_work);
cancel_delayed_work_sync(&priv->pending_offchanneltx_work);
+ cancel_work_sync(&priv->decrypt_storm_recover_work);
timer_delete_sync(&priv->mcast_timeout);
/* TODO:COMBO: May be reset of these variables "delayed_link_loss and
@@ -2639,6 +2640,7 @@ int bes2600_vif_setup(struct bes2600_vif *priv)
/* Setup per vif workitems and locks */
spin_lock_init(&priv->vif_lock);
+ bes2600_decrypt_storm_init(priv);
INIT_WORK(&priv->join_work, bes2600_join_work);
INIT_DELAYED_WORK(&priv->join_timeout, bes2600_join_timeout);
INIT_WORK(&priv->unjoin_work, bes2600_unjoin_work);
diff --git a/drivers/staging/bes2600/txrx.c b/drivers/staging/bes2600/txrx.c
index 017f0d8..f6a66d6 100644
--- a/drivers/staging/bes2600/txrx.c
+++ b/drivers/staging/bes2600/txrx.c
@@ -26,6 +26,78 @@
#define BES2600_INVALID_RATE_ID (0xFF)
+/*
+ * Decrypt-storm fast-recover (Trigger B).
+ *
+ * When the BES2600 firmware reports WSM_STATUS_DECRYPTFAILURE for a
+ * burst of received frames (typically because the host's PTK or GTK
+ * has fallen out of sync with the AP), the AP eventually concludes that
+ * the STA is not authenticated and emits an unprotected deauth-reason-6
+ * ("Class 2 frame received from non-authenticated station"). On the
+ * deployed pinetab2 + bes2600 stack this AP-initiated deauth has been
+ * observed to leave the link blackholed for up to 109 s before
+ * userspace finds a different SSID/channel to recover on. (Receipts at
+ * https://git.reauktion.de/marfrit/besser, notes/phase5-2026-05-06.md.)
+ *
+ * Recovery here pre-empts the AP: when we see THRESHOLD decrypt
+ * failures within WINDOW, we ask mac80211 for a clean reassoc via
+ * ieee80211_connection_loss(), which causes immediate disassociation
+ * and lets userspace auto-reconnect with fresh keys.
+ *
+ * mac80211 contract: ieee80211_connection_loss() may be called
+ * regardless of IEEE80211_HW_CONNECTION_MONITOR; it causes immediate
+ * disassociation without driver-side recovery attempts. See
+ * include/net/mac80211.h for the canonical doc-comment.
+ *
+ * The threshold is set well above the steady-state per-vif
+ * decrypt-fail rate observed in measurement (~1/min even under
+ * sustained 1 MB/s load), so a true storm is required to trip it.
+ */
+#define BES2600_DECRYPT_STORM_THRESHOLD 5
+#define BES2600_DECRYPT_STORM_WINDOW_MS 5000
+
+static void bes2600_decrypt_storm_recover_work(struct work_struct *work)
+{
+ struct bes2600_vif *priv = container_of(work, struct bes2600_vif,
+ decrypt_storm_recover_work);
+
+ if (!priv->vif)
+ return;
+
+ bes_warn("[bes2600] decrypt-storm fast-recover: forcing reassoc\n");
+ ieee80211_connection_loss(priv->vif);
+ priv->decrypt_storm_recoveries++;
+}
+
+void bes2600_decrypt_storm_init(struct bes2600_vif *priv)
+{
+ INIT_WORK(&priv->decrypt_storm_recover_work,
+ bes2600_decrypt_storm_recover_work);
+ priv->decrypt_storm_window_start = 0;
+ priv->decrypt_storm_count = 0;
+ priv->decrypt_storm_recoveries = 0;
+}
+
+void bes2600_decrypt_storm_account(struct bes2600_vif *priv)
+{
+ unsigned long now = jiffies;
+ unsigned long window = msecs_to_jiffies(BES2600_DECRYPT_STORM_WINDOW_MS);
+
+ if (priv->decrypt_storm_window_start == 0 ||
+ time_after(now, priv->decrypt_storm_window_start + window)) {
+ priv->decrypt_storm_window_start = now;
+ priv->decrypt_storm_count = 1;
+ return;
+ }
+
+ if (++priv->decrypt_storm_count >= BES2600_DECRYPT_STORM_THRESHOLD) {
+ priv->decrypt_storm_count = 0;
+ /* Skew the window so we don't re-fire on the same storm. */
+ priv->decrypt_storm_window_start = now + window;
+ schedule_work(&priv->decrypt_storm_recover_work);
+ }
+}
+
#ifdef CONFIG_BES2600_TESTMODE
#include "bes_nl80211_testmode_msg.h"
#endif /* CONFIG_BES2600_TESTMODE */
@@ -1694,6 +1766,8 @@ void bes2600_rx_cb(struct bes2600_vif *priv,
goto drop;
} else {
bes_warn("[RX] Receive failure: %d.\n", arg->status);
+ if (arg->status == WSM_STATUS_DECRYPTFAILURE)
+ bes2600_decrypt_storm_account(priv);
goto drop;
}
}
--
2.54.0
patches/driver/bes2600/drop-dpd-file-paths-danctnix/0001-bes2600-drop-BES2600_WRITE_DPD_TO_FILE-kernel-file-paths.patch → patches/driver/bes2600/drop-dpd-file-paths-danctnix/0001-bes2600-drop-BES2600_WRITE_DPD_TO_FILE-kernel-file-p.patch
+3 -4
View File
@@ -1,8 +1,7 @@
From 0768e11da638457b3455e426de924f9e2e551641 Mon Sep 17 00:00:00 2001
From 699871fdc6bf1bed6d919732820183e57faeaddc Mon Sep 17 00:00:00 2001
From: Markus Fritsche <fritsche.markus@gmail.com>
Date: Thu, 23 Apr 2026 20:04:11 +0200
Subject: [PATCH 09/29] bes2600: drop BES2600_WRITE_DPD_TO_FILE kernel_*() file
paths
Subject: [PATCH] bes2600: drop BES2600_WRITE_DPD_TO_FILE kernel_*() file paths
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@@ -290,5 +289,5 @@ index e2e4f1b..a02d6d9 100644
}
--
2.54.0
2.53.0
patches/driver/bes2600/drop-orphan-file-io-danctnix/0001-bes2600-drop-orphan-DATA_DUMP_OBSERVE-and-access_file-IO.patch → patches/driver/bes2600/drop-orphan-file-io-danctnix/0001-bes2600-drop-orphan-DATA_DUMP_OBSERVE-and-access_fil.patch
+6 -6
View File
@@ -1,8 +1,8 @@
From c3d28aea4603fec51b66cfa438dd546722d53272 Mon Sep 17 00:00:00 2001
From 44e085360fec09c1c1f7b35a23ec679f7065d3f7 Mon Sep 17 00:00:00 2001
From: Markus Fritsche <fritsche.markus@gmail.com>
Date: Thu, 23 Apr 2026 20:19:27 +0200
Subject: [PATCH 10/29] bes2600: drop orphan DATA_DUMP_OBSERVE and
access_file() file I/O
Subject: [PATCH] bes2600: drop orphan DATA_DUMP_OBSERVE and access_file() file
I/O
Two dead-in-default-build file-I/O sites remain in the driver
after the factory and chardev kernel_*() removals in the preceding
@@ -118,10 +118,10 @@ index 133c945..d612c3c 100644
kfree(short_buf);
release_firmware(fw_bin);
diff --git a/drivers/staging/bes2600/main.c b/drivers/staging/bes2600/main.c
index 3b0b7a3..7cbb3a9 100644
index 6ed6b15..9d2aac5 100644
--- a/drivers/staging/bes2600/main.c
+++ b/drivers/staging/bes2600/main.c
@@ -795,41 +795,6 @@ void bes2600_core_release(struct bes2600_common *self)
@@ -790,41 +790,6 @@ void bes2600_core_release(struct bes2600_common *self)
return;
}
@@ -164,5 +164,5 @@ index 3b0b7a3..7cbb3a9 100644
{
int ret = 0, if_id;
--
2.54.0
2.53.0
patches/driver/bes2600/enable-testmode/0001-bes2600-enable-CONFIG_BES2600_TESTMODE-by-default-fix-bitrot.patch → patches/driver/bes2600/enable-testmode/0001-bes2600-enable-CONFIG_BES2600_TESTMODE-by-default-fi.patch
+18 -18
View File
@@ -1,8 +1,8 @@
From 789ab98e4cd4a0c2c43a54da6462b6b05f3af8f2 Mon Sep 17 00:00:00 2001
From 9398d3028bc9d2f4ccbf8e830f8e9799bf065ce4 Mon Sep 17 00:00:00 2001
From: Markus Fritsche <fritsche.markus@gmail.com>
Date: Wed, 22 Apr 2026 13:04:27 +0200
Subject: [PATCH 06/29] bes2600: enable CONFIG_BES2600_TESTMODE by default +
fix bit-rotted testmode plumbing
Subject: [PATCH] bes2600: enable CONFIG_BES2600_TESTMODE by default + fix
bit-rotted testmode plumbing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@@ -63,10 +63,10 @@ Signed-off-by: Markus Fritsche <fritsche.markus@gmail.com>
bes2600/sta.c | 6 +++---
3 files changed, 27 insertions(+), 4 deletions(-)
diff --git a/drivers/staging/bes2600/Makefile b/drivers/staging/bes2600/Makefile
index 2dcba09..2c1a850 100644
--- a/drivers/staging/bes2600/Makefile
+++ b/drivers/staging/bes2600/Makefile
diff --git a/bes2600/Makefile b/bes2600/Makefile
index 300912b..39150e0 100644
--- a/bes2600/Makefile
+++ b/bes2600/Makefile
@@ -2,7 +2,7 @@ KERN_DIR = /lib/modules/$(KERNELRELEASE)/build
# feature option
BES2600 ?= m
@@ -76,10 +76,10 @@ index 2dcba09..2c1a850 100644
CONFIG_BES2600_ENABLE_DEVEL_LOGS ?= n
diff --git a/drivers/staging/bes2600/bes_log.h b/drivers/staging/bes2600/bes_log.h
diff --git a/bes2600/bes_log.h b/bes2600/bes_log.h
index 605cea8..65cf703 100644
--- a/drivers/staging/bes2600/bes_log.h
+++ b/drivers/staging/bes2600/bes_log.h
--- a/bes2600/bes_log.h
+++ b/bes2600/bes_log.h
@@ -8,3 +8,26 @@ extern struct device *global_dev;
#define bes_info(fmt, ...) dev_info(global_dev, fmt, ##__VA_ARGS__)
#define bes_warn(fmt, ...) dev_warn(global_dev, fmt, ##__VA_ARGS__)
@@ -107,11 +107,11 @@ index 605cea8..65cf703 100644
+ if (_cond) \
+ bes_err(fmt, ##__VA_ARGS__); \
+ } while (0)
diff --git a/drivers/staging/bes2600/sta.c b/drivers/staging/bes2600/sta.c
index ca1c77c..bc6d483 100644
--- a/drivers/staging/bes2600/sta.c
+++ b/drivers/staging/bes2600/sta.c
@@ -3654,7 +3654,7 @@ static int bes2600_set_power_save(struct ieee80211_hw *hw,
diff --git a/bes2600/sta.c b/bes2600/sta.c
index aa69eb8..5f1a456 100644
--- a/bes2600/sta.c
+++ b/bes2600/sta.c
@@ -3633,7 +3633,7 @@ static int bes2600_set_power_save(struct ieee80211_hw *hw,
*
* Returns: 0 on success or non zero value on failure
*/
@@ -120,7 +120,7 @@ index ca1c77c..bc6d483 100644
{
struct bes_msg_start_stop_tsm *start_stop_tsm =
(struct bes_msg_start_stop_tsm *) data;
@@ -3684,7 +3684,7 @@ int bes2600_start_stop_tsm(struct ieee80211_hw *hw, void *data)
@@ -3663,7 +3663,7 @@ int bes2600_start_stop_tsm(struct ieee80211_hw *hw, void *data)
*
* Returns: TSM parameters collected
*/
@@ -129,7 +129,7 @@ index ca1c77c..bc6d483 100644
{
struct bes2600_common *hw_priv = hw->priv;
struct bes_tsm_stats tsm_stats;
@@ -3724,7 +3724,7 @@ int bes2600_get_tsm_params(struct ieee80211_hw *hw)
@@ -3703,7 +3703,7 @@ int bes2600_get_tsm_params(struct ieee80211_hw *hw)
*
* Returns: Returns the last measured roam delay
*/
@@ -139,5 +139,5 @@ index ca1c77c..bc6d483 100644
struct bes2600_common *hw_priv = hw->priv;
u16 roam_delay = hw_priv->tsm_info.roam_delay / 1000;
--
2.54.0
2.53.0
patches/driver/bes2600/factory-drop-kernel-write-danctnix/0001-bes2600-drop-kernel_write-persistence-from-factory-cali-save.patch → patches/driver/bes2600/factory-drop-kernel-write-danctnix/0001-bes2600-drop-kernel_write-persistence-from-factory-c.patch
+4 -4
View File
@@ -1,8 +1,8 @@
From 0c1f98df59fc3c330b370f1b5b54e8d780278d2a Mon Sep 17 00:00:00 2001
From 5f475a9624490b07c305329f12016ff4a4df3b47 Mon Sep 17 00:00:00 2001
From: Markus Fritsche <fritsche.markus@gmail.com>
Date: Thu, 23 Apr 2026 19:31:25 +0200
Subject: [PATCH 08/29] bes2600: drop kernel_write() persistence from factory
cali save
Subject: [PATCH] bes2600: drop kernel_write() persistence from factory cali
save
Following the conversion of the factory-calibration READ path to
request_firmware() (earlier in this series), the factory-calibration
@@ -152,5 +152,5 @@ index 1cda447..1b43b41 100644
}
--
2.54.0
2.53.0
patches/driver/bes2600/factory-series/0001-bes2600-use-request_firmware-for-factory.txt-read.patch
+9 -9
View File
@@ -1,7 +1,7 @@
From 4a1bbc7444c94be044fae4377ccd612a6cd28460 Mon Sep 17 00:00:00 2001
From 1a5d54a3213041262caf1605bb19c66ddded41f7 Mon Sep 17 00:00:00 2001
From: Markus Fritsche <fritsche.markus@gmail.com>
Date: Wed, 22 Apr 2026 10:09:44 +0200
Subject: [PATCH 01/29] bes2600: use request_firmware() for factory.txt read
Subject: [PATCH 1/2] bes2600: use request_firmware() for factory.txt read
The BES2600 factory calibration file (bes2600_factory.txt) was being read
via filp_open() + kernel_read() from a hard-coded absolute path baked in
@@ -62,10 +62,10 @@ Signed-off-by: Markus Fritsche <fritsche.markus@gmail.com>
bes2600/bes2600_factory.c | 33 ++++++++++++++-------------------
2 files changed, 15 insertions(+), 20 deletions(-)
diff --git a/drivers/staging/bes2600/Makefile b/drivers/staging/bes2600/Makefile
diff --git a/bes2600/Makefile b/bes2600/Makefile
index 300912b..788aee2 100644
--- a/drivers/staging/bes2600/Makefile
+++ b/drivers/staging/bes2600/Makefile
--- a/bes2600/Makefile
+++ b/bes2600/Makefile
@@ -66,7 +66,7 @@ BES2600_DRV_VERSION := bes2600_0.3.5_2024.0116
ifeq ($(CONFIG_BES2600_CALIB_FROM_LINUX),y)
FACTORY_CRC_CHECK ?= n
@@ -75,10 +75,10 @@ index 300912b..788aee2 100644
endif
# basic function
diff --git a/drivers/staging/bes2600/bes2600_factory.c b/drivers/staging/bes2600/bes2600_factory.c
diff --git a/bes2600/bes2600_factory.c b/bes2600/bes2600_factory.c
index dc5d3da..8d60b7c 100644
--- a/drivers/staging/bes2600/bes2600_factory.c
+++ b/drivers/staging/bes2600/bes2600_factory.c
--- a/bes2600/bes2600_factory.c
+++ b/bes2600/bes2600_factory.c
@@ -12,6 +12,7 @@
#include <linux/module.h>
#include <linux/sched.h>
@@ -140,5 +140,5 @@ index dc5d3da..8d60b7c 100644
}
--
2.54.0
2.53.0
patches/driver/bes2600/factory-series/0002-bes2600-default-STANDARD_FACTORY_EFUSE_FLAG-off-for-PineTab2.patch → patches/driver/bes2600/factory-series/0002-bes2600-default-STANDARD_FACTORY_EFUSE_FLAG-off-for-.patch
+9 -9
View File
@@ -1,7 +1,7 @@
From 13dd191defab19294d843218833860d0e1e33dcd Mon Sep 17 00:00:00 2001
From 82ba594a444a855310fbbe2a5c8ff02f211d8e83 Mon Sep 17 00:00:00 2001
From: Markus Fritsche <fritsche.markus@gmail.com>
Date: Wed, 22 Apr 2026 12:17:56 +0200
Subject: [PATCH 02/29] bes2600: default STANDARD_FACTORY_EFUSE_FLAG off for
Subject: [PATCH 2/2] bes2600: default STANDARD_FACTORY_EFUSE_FLAG off for
PineTab2 factory.txt format
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@@ -53,10 +53,10 @@ Signed-off-by: Markus Fritsche <fritsche.markus@gmail.com>
bes2600/wsm.h | 2 --
2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/staging/bes2600/Makefile b/drivers/staging/bes2600/Makefile
diff --git a/bes2600/Makefile b/bes2600/Makefile
index 788aee2..2dcba09 100644
--- a/drivers/staging/bes2600/Makefile
+++ b/drivers/staging/bes2600/Makefile
--- a/bes2600/Makefile
+++ b/bes2600/Makefile
@@ -65,7 +65,7 @@ BES2600_DRV_VERSION := bes2600_0.3.5_2024.0116
ifeq ($(CONFIG_BES2600_CALIB_FROM_LINUX),y)
@@ -66,10 +66,10 @@ index 788aee2..2dcba09 100644
FACTORY_PATH ?= bes2600/bes2600_factory.txt
endif
diff --git a/drivers/staging/bes2600/wsm.h b/drivers/staging/bes2600/wsm.h
diff --git a/bes2600/wsm.h b/bes2600/wsm.h
index 0673131..22845ac 100644
--- a/drivers/staging/bes2600/wsm.h
+++ b/drivers/staging/bes2600/wsm.h
--- a/bes2600/wsm.h
+++ b/bes2600/wsm.h
@@ -2236,7 +2236,5 @@ int wsm_cpu_usage_cmd(struct bes2600_common *hw_priv);
int wsm_wifi_status_cmd(struct bes2600_common *hw_priv, uint32_t status);
@@ -79,5 +79,5 @@ index 0673131..22845ac 100644
-#endif
#endif /* BES2600_HWIO_H_INCLUDED */
--
2.54.0
2.53.0
patches/driver/bes2600/factory-thread-dev/0001-bes2600-thread-struct-device-through-factory-request_firmware.patch → patches/driver/bes2600/factory-thread-dev/0001-bes2600-thread-struct-device-through-factory-request.patch
+13 -13
View File
@@ -1,7 +1,7 @@
From 40a0a1a0c72ae5b4ee538f6e8a5d0def522606af Mon Sep 17 00:00:00 2001
From 8732881c5916106539b9071b51710489c57e8d73 Mon Sep 17 00:00:00 2001
From: Markus Fritsche <fritsche.markus@gmail.com>
Date: Wed, 22 Apr 2026 13:18:38 +0200
Subject: [PATCH 03/29] bes2600: thread struct device * through factory
Subject: [PATCH] bes2600: thread struct device * through factory
request_firmware() call
Follow-up to \"bes2600: use request_firmware() for factory.txt read\".
@@ -43,10 +43,10 @@ Signed-off-by: Markus Fritsche <fritsche.markus@gmail.com>
bes2600/bes2600_sdio.c | 4 ++++
3 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/bes2600/bes2600_factory.c b/drivers/staging/bes2600/bes2600_factory.c
diff --git a/bes2600/bes2600_factory.c b/bes2600/bes2600_factory.c
index 8d60b7c..1cda447 100644
--- a/drivers/staging/bes2600/bes2600_factory.c
+++ b/drivers/staging/bes2600/bes2600_factory.c
--- a/bes2600/bes2600_factory.c
+++ b/bes2600/bes2600_factory.c
@@ -31,6 +31,18 @@
static DEFINE_MUTEX(factory_lock);
@@ -75,10 +75,10 @@ index 8d60b7c..1cda447 100644
if (ret) {
bes_devel("BES2600: request_firmware(%s) failed: %d\n", path, ret);
return -1;
diff --git a/drivers/staging/bes2600/bes2600_factory.h b/drivers/staging/bes2600/bes2600_factory.h
diff --git a/bes2600/bes2600_factory.h b/bes2600/bes2600_factory.h
index 3835b0d..7dbe9f8 100644
--- a/drivers/staging/bes2600/bes2600_factory.h
+++ b/drivers/staging/bes2600/bes2600_factory.h
--- a/bes2600/bes2600_factory.h
+++ b/bes2600/bes2600_factory.h
@@ -199,6 +199,9 @@ enum factory_cali_status {
/* just calibrate 11n, other protocols are automatically mapped */
#define WIFI_RF_11N_MODE 0x15
@@ -89,10 +89,10 @@ index 3835b0d..7dbe9f8 100644
/* read wifi & bt factory cali value*/
u8* bes2600_get_factory_cali_data(u8 *file_buffer, u32 *data_len, char *path);
void factory_little_endian_cvrt(u8 *data);
diff --git a/drivers/staging/bes2600/bes2600_sdio.c b/drivers/staging/bes2600/bes2600_sdio.c
index 13d4ff1..f172d53 100644
--- a/drivers/staging/bes2600/bes2600_sdio.c
+++ b/drivers/staging/bes2600/bes2600_sdio.c
diff --git a/bes2600/bes2600_sdio.c b/bes2600/bes2600_sdio.c
index b595365..371ef4f 100644
--- a/bes2600/bes2600_sdio.c
+++ b/bes2600/bes2600_sdio.c
@@ -30,6 +30,7 @@
#include "bes2600.h"
#include "sbus.h"
@@ -112,5 +112,5 @@ index 13d4ff1..f172d53 100644
self->func = func;
self->dev = &func->dev;
--
2.54.0
2.53.0
patches/driver/bes2600/join-confirm-reset-danctnix/0001-bes2600-reset-firmware-state-on-wsm_join_confirm-fai.patch
+131
View File
@@ -0,0 +1,131 @@
From 3d833f8ccf31895a2ce7bf4fd4ef839e653b29bb Mon Sep 17 00:00:00 2001
From: Markus Fritsche <fritsche.markus@gmail.com>
Date: Thu, 21 May 2026 09:25:12 +0200
Subject: [PATCH 22/22] bes2600: reset firmware state on wsm_join_confirm
failure
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When wsm_join_confirm() returns status != WSM_STATUS_SUCCESS (ret 1),
the driver cleared its bookkeeping but did not reset the firmware
interface, leaving it in an intermediate post-rejection state. A rapid
second JOIN attempt (e.g. wpa_supplicant retrying after the
PREV_AUTH_NOT_VALID deauth that mac80211 emits to clean up) hits an
inconsistent firmware context, causing bes2600_sdio_read_rx_batch to
return SDIO error which cascades into wifi_force_close:
wsm_join_confirm ret 1
deauthenticating from <bssid> by local choice (Reason: 2=PREV_AUTH_NOT_VALID)
[~10 min later]
bes2600_sdio_read_rx_batch sdio read error
WARNING: at bes2600_tx_loop_set_enable / bes2600_chrdev_wifi_force_close
Two additions to the failure path in bes2600_join_work():
1. wsm_reset (WSM_REQ_ID_RESET, 0x000A) with reset_statistics=false.
This returns the firmware to IDLE so the next association attempt
starts from a known-clean state. bes2600_unjoin_work() performs the
same reset, but gates it on join_status != PASSIVE; after a failed
JOIN join_status stays PASSIVE, so that path never fires — call
wsm_reset directly here instead.
Contract: wsm_reset takes only wsm_cmd_lock (not conf_lock, not
wsm_oper_lock). wsm_oper_unlock was already called inside
wsm_join_confirm() before wsm_join() returned -EINVAL, so there is
no re-entrancy hazard. conf_lock is held at this call site, which is
compatible with wsm_reset's locking requirements.
2. queue_work(workqueue, &priv->unjoin_work) instead of direct
wsm_unlock_tx(). Serialises the next association attempt through
the workqueue so it cannot race against lingering firmware-side
effects of the failure. If unjoin_work is already queued, release
TX immediately (matching cw1200 ancestor sta.c:1344 comment "Tx lock
still held, unjoin will clear it.").
Ancestor reference: drivers/net/wireless/st/cw1200/sta.c, function
cw1200_join_work(), lines 1339-1344. cw1200 queues unjoin_work on join
failure for the same reason. bes2600 needs the direct wsm_reset in
addition because its unjoin_work has the join_status gate that cw1200's
cw1200_do_unjoin() does not.
Signed-off-by: Claude (noether) <claude@reauktion.de>
---
bes2600/sta.c | 47 +++++++++++++++++++++++++++++++++++++++++++----
1 file changed, 43 insertions(+), 4 deletions(-)
diff --git a/drivers/staging/bes2600/sta.c b/drivers/staging/bes2600/sta.c
index 476d875..bf86835 100644
--- a/drivers/staging/bes2600/sta.c
+++ b/drivers/staging/bes2600/sta.c
@@ -2225,9 +2225,10 @@ void bes2600_join_work(struct work_struct *work)
struct wsm_template_frame probe_tmp = {
.frame_type = WSM_FRAME_TYPE_PROBE_REQUEST,
};
- /*struct wsm_reset reset = {
- .reset_statistics = true,
- };*/
+ struct wsm_reset join_fail_reset = {
+ .reset_statistics = false,
+ };
+ bool join_failed = false;
BUG_ON(queueId >= 4);
@@ -2410,6 +2411,33 @@ void bes2600_join_work(struct work_struct *work)
#endif /*CONFIG_BES2600_TESTMODE*/
cancel_delayed_work_sync(&priv->join_timeout);
bes2600_pwr_clear_busy_event(priv->hw_priv, BES_PWR_LOCK_ON_JOIN);
+ /*
+ * Firmware rejected WSM_JOIN (wsm_join_confirm ret 1).
+ * Issue wsm_reset so the firmware returns to a clean
+ * IDLE state before the next association attempt.
+ *
+ * Without this reset the firmware sits in an
+ * intermediate post-reject state. A rapid second
+ * JOIN (e.g. wpa_supplicant retrying after the
+ * PREV_AUTH_NOT_VALID deauth that follows) hits an
+ * inconsistent firmware context, causing
+ * bes2600_sdio_read_rx_batch to return SDIO error
+ * which cascades into wifi_force_close.
+ *
+ * cw1200 ancestor (drivers/net/wireless/st/cw1200/
+ * sta.c:1339) queues unjoin_work on join failure for
+ * the same reason; bes2600_unjoin_work gates its
+ * wsm_reset on join_status != PASSIVE, so after a
+ * failed JOIN (join_status stays PASSIVE) that path
+ * never fires — call wsm_reset directly here instead.
+ *
+ * Contract: wsm_reset takes only wsm_cmd_lock; safe
+ * to call while conf_lock is held. wsm_oper_unlock
+ * was already called in wsm_join_confirm() before
+ * wsm_join() returned the error.
+ */
+ WARN_ON(wsm_reset(hw_priv, &join_fail_reset, priv->if_id));
+ join_failed = true;
} else {
/* Upload keys */
#ifdef CONFIG_BES2600_TESTMODE
@@ -2434,7 +2462,18 @@ void bes2600_join_work(struct work_struct *work)
up(&hw_priv->conf_lock);
if (bss)
cfg80211_put_bss(hw_priv->hw->wiphy, bss);
- wsm_unlock_tx(hw_priv);
+ /*
+ * On join failure: queue unjoin_work so the next association
+ * attempt is serialised after any lingering cleanup, matching
+ * cw1200 sta.c:1344 "Tx lock still held, unjoin will clear it."
+ * If unjoin_work is already queued, release TX immediately.
+ */
+ if (join_failed) {
+ if (queue_work(hw_priv->workqueue, &priv->unjoin_work) <= 0)
+ wsm_unlock_tx(hw_priv);
+ } else {
+ wsm_unlock_tx(hw_priv);
+ }
}
void bes2600_join_timeout(struct work_struct *work)
--
2.54.0
patches/driver/bes2600/join-confirm-reset-danctnix/README.md
+46
View File
@@ -0,0 +1,46 @@
# bes2600/join-confirm-reset-danctnix
Danctnix-flavor patch closing besser#25 (wsm_join_confirm failure cascade).
## What it does
When firmware returns status 1 on a JOIN command (`wsm_join_confirm ret 1`),
add a direct `wsm_reset(...)` call so the firmware returns to a clean IDLE
state, plus `queue_work(workqueue, &priv->unjoin_work)` for serialisation of
the next association attempt.
## Why it's a fork-divergence fix
`cw1200_join_work()` (cw1200 ancestor, `drivers/net/wireless/st/cw1200/sta.c:1339-1344`)
queues `unjoin_work` on join failure: `cw1200_do_unjoin()` calls `wsm_reset`
when `join_status == STA`.
bes2600's `bes2600_unjoin_work()` gates the same `wsm_reset` on
`join_status != PASSIVE`. After a failed JOIN, `join_status` stays PASSIVE
(only set to STA on success) — queuing `unjoin_work` alone is insufficient
on bes2600. The danctnix variant carries a direct `wsm_reset` in the
failure path *and* the queue_work serialisation.
## Observable effects (pkgrel=6 soak)
Beyond closing the cascade (besser#25 acceptance), this patch also
collapsed the periodic ~600 ms latency jitter on ohm:
| | pkgrel=5 | pkgrel=6 |
|---|---|---|
| max RTT | 612 ms | 13.9 ms |
| mdev | 103.5 ms | 1.55 ms |
The bgscan-driven roam-attempt to a 5 GHz BSSID followed by `wsm_join`
reject was briefly stalling TX every minute even when the cascade did
not fire.
## Upstream
- besser issue: marfrit/besser#25
- bes2600-dkms branch (Mobian flavor): bes2600/wsm-join-confirm-reset
(PR #12 against `cleanups`)
- bes2600-dkms branch (danctnix flavor): bes2600/join-confirm-failure-reset
(top commit `3d833f8`)
- shipped as patch 0022 in danctnix-besser-pkgbuild kernel/ (pkgrel=6,
srcversion 0E16463FA8D85F4704DE93F)
patches/driver/bes2600/license-spdx-restore-attribution-danctnix/0001-bes2600-Patch-G-restore-SPDX-identifiers-ST-Ericsson-attribution.patch
-1154
View File
File diff suppressed because it is too large Load Diff
patches/driver/bes2600/lmac-recover-via-mmc-hw-reset-danctnix/0001-bes2600-recover-wedged-firmware-via-mmc_hw_reset-on-link-break.patch → patches/driver/bes2600/lmac-recover-via-mmc-hw-reset-danctnix/0001-bes2600-recover-wedged-firmware-via-mmc_hw_reset-on-.patch
+15 -15
View File
@@ -1,8 +1,8 @@
From 22b799f5a21c0046aad46676519e5f03a0d105fd Mon Sep 17 00:00:00 2001
From 9ea8a8e810ee5eb220de700a5c0a6d1153b15130 Mon Sep 17 00:00:00 2001
From: Markus Fritsche <fritsche.markus@gmail.com>
Date: Sun, 26 Apr 2026 22:31:58 +0200
Subject: [PATCH 15/29] bes2600: recover wedged firmware via mmc_hw_reset on
link break
Date: Mon, 27 Apr 2026 06:32:41 +0200
Subject: [PATCH] bes2600: recover wedged firmware via mmc_hw_reset on link
break
When the LMAC active monitor detects 'link break between lmac and host'
(the hw_buf_used==pending watchdog in bes2600_bh_lmac_active_monitor),
@@ -78,14 +78,14 @@ v2.0 boards) are both already configured as MMC pwrseq resets.
Signed-off-by: Markus Fritsche <fritsche.markus@gmail.com>
---
bes2600/bes2600_sdio.c | 29 +++++++++++++++++++++
bes2600/bes_chardev.c | 59 ++++++++++++++++++++++++++++++++++++++++--
bes2600/bes_chardev.h | 1 +
bes2600/sbus.h | 8 ++++++
drivers/staging/bes2600/bes2600_sdio.c | 29 +++++++++++++
drivers/staging/bes2600/bes_chardev.c | 59 +++++++++++++++++++++++++-
drivers/staging/bes2600/bes_chardev.h | 1 +
drivers/staging/bes2600/sbus.h | 8 ++++
4 files changed, 95 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/bes2600/bes2600_sdio.c b/drivers/staging/bes2600/bes2600_sdio.c
index b9d836f..f7f86d7 100644
index b9d836fab7af..f7f86d765bba 100644
--- a/drivers/staging/bes2600/bes2600_sdio.c
+++ b/drivers/staging/bes2600/bes2600_sdio.c
@@ -16,6 +16,7 @@
@@ -139,10 +139,10 @@ index b9d836f..f7f86d7 100644
static void bes2600_sdio_en_lp_cb(struct bes2600_common *hw_priv)
diff --git a/drivers/staging/bes2600/bes_chardev.c b/drivers/staging/bes2600/bes_chardev.c
index a02d6d9..d1375bc 100644
index 455108a2dd66..b776aab5e062 100644
--- a/drivers/staging/bes2600/bes_chardev.c
+++ b/drivers/staging/bes2600/bes_chardev.c
@@ -442,6 +442,48 @@ int bes2600_chrdev_do_system_close(const struct sbus_ops *sbus_ops, struct sbus_
@@ -626,6 +626,48 @@ int bes2600_chrdev_do_system_close(const struct sbus_ops *sbus_ops, struct sbus_
return ret;
}
@@ -191,7 +191,7 @@ index a02d6d9..d1375bc 100644
bool bes2600_chrdev_is_wifi_opened(void)
{
bool wifi_opened = false;
@@ -540,8 +582,21 @@ static void bes2600_chrdev_wifi_force_close_work(struct work_struct *work)
@@ -726,8 +768,21 @@ static void bes2600_chrdev_wifi_force_close_work(struct work_struct *work)
/* unregister wifi */
bes2600_switch_wifi(0);
@@ -216,7 +216,7 @@ index a02d6d9..d1375bc 100644
bes2600_cdev.sbus_priv);
}
diff --git a/drivers/staging/bes2600/bes_chardev.h b/drivers/staging/bes2600/bes_chardev.h
index c627bb7..ca8419e 100644
index c627bb7c3d65..ca8419eead8f 100644
--- a/drivers/staging/bes2600/bes_chardev.h
+++ b/drivers/staging/bes2600/bes_chardev.h
@@ -60,6 +60,7 @@ struct sbus_priv *bes2600_chrdev_get_sbus_priv_data(void);
@@ -228,7 +228,7 @@ index c627bb7..ca8419e 100644
void bes2600_chrdev_wifi_force_close(struct bes2600_common *hw_priv, bool halt_dev);
void bes2600_chrdev_usb_remove(struct bes2600_common *hw_priv);
diff --git a/drivers/staging/bes2600/sbus.h b/drivers/staging/bes2600/sbus.h
index 1f2c0cd..cb90890 100644
index 1f2c0cda73de..cb9089004041 100644
--- a/drivers/staging/bes2600/sbus.h
+++ b/drivers/staging/bes2600/sbus.h
@@ -75,6 +75,14 @@ struct sbus_ops {
@@ -247,5 +247,5 @@ index 1f2c0cd..cb90890 100644
void bes2600_irq_handler(struct bes2600_common *priv);
--
2.54.0
2.53.0
patches/driver/bes2600/lmac-recover-via-mmc-hw-reset-danctnix/0002-bes2600-handle-multi-function-SDIO-cards-in-mmc_hw_reset-bus_reset.patch
-83
View File
@@ -1,83 +0,0 @@
From 3942404ae16b134a55e48cb796d625b8b90e504f Mon Sep 17 00:00:00 2001
From: Markus Fritsche <fritsche.markus@gmail.com>
Date: Tue, 28 Apr 2026 21:37:37 +0200
Subject: [PATCH 19/29] bes2600: handle multi-function SDIO cards in
mmc_hw_reset bus_reset
c5.2 (recover-wedged-firmware-via-mmc-hw-reset) wraps mmc_hw_reset()
and treats any non-zero return as a recovery failure. On
single-function SDIO cards mmc_hw_reset returns 0 after doing the
remove + rescan inline. On multi-function cards (BES2600 has WLAN
func 1 + BT companion func 2) the kernel's mmc_sdio_hw_reset() does
NOT do the rescan: it tears the card down and returns 1 to signal
"caller must trigger rescan".
Field observation on PineTab2 (linux-pinetab2 6.19.10-danctnix1):
when a real LMAC wedge fired bes2600_chrdev_wifi_force_close ->
bes2600_chrdev_do_bus_reset, mmc_hw_reset returned 1, c5.2's wrapper
treated that as "bus_reset failed: 1", logged the error, and gave
up. The card was already removed (mmc2: card 0001 removed) but
nothing scheduled a rescan; wifi (and the BT companion which shares
the same SDIO host) stayed silent until the user rebooted four
minutes later.
Fix:
- Capture the mmc_host pointer before calling mmc_hw_reset (the
card pointer is invalid after the remove).
- On positive return (multi-function path), log informationally
and call mmc_detect_change(host, 0) to schedule a rescan.
Return 0 so callers see the recovery as successful.
- Negative return is still treated as failure as before.
The mmc_detect_change side effect is asynchronous; the chrdev's
wait_event_timeout(probe_done_wq, !sbus_priv) still observes the
remove half synchronously, and the rescan + re-probe runs out of
the host detect work afterwards.
Signed-off-by: Markus Fritsche <fritsche.markus@gmail.com>
---
bes2600/bes2600_sdio.c | 24 +++++++++++++++++++++++-
1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/bes2600/bes2600_sdio.c b/drivers/staging/bes2600/bes2600_sdio.c
index 5a0694a..c81c244 100644
--- a/drivers/staging/bes2600/bes2600_sdio.c
+++ b/drivers/staging/bes2600/bes2600_sdio.c
@@ -1810,10 +1810,32 @@ static void bes2600_sdio_halt_device(struct sbus_priv *self)
*/
static int bes2600_sdio_bus_reset(struct sbus_priv *self)
{
+ struct mmc_host *host;
+ int ret;
+
if (!self || !self->func || !self->func->card)
return -EINVAL;
- return mmc_hw_reset(self->func->card);
+ host = self->func->card->host;
+ ret = mmc_hw_reset(self->func->card);
+
+ /*
+ * On multi-function SDIO cards (BES2600 has WLAN func 1 + BT
+ * companion func 2), mmc_sdio_hw_reset() removes the card and
+ * returns 1 to signal "remove happened, caller must trigger
+ * rescan". The kernel does NOT auto-rescan in this case;
+ * single-function cards take the rescan path inline and return 0.
+ * Treat any non-negative return as success and force a rescan if
+ * mmc_hw_reset signalled the multi-function path - otherwise the
+ * card stays removed indefinitely after a wedge recovery,
+ * leaving wifi (and the BT companion) silent until reboot.
+ */
+ if (ret > 0) {
+ bes_info("multi-func mmc_hw_reset removed card; scheduling rescan\n");
+ mmc_detect_change(host, 0);
+ ret = 0;
+ }
+ return ret;
}
static bool bes2600_sdio_wakeup_source(struct sbus_priv *self)
--
2.54.0
patches/driver/bes2600/pm-detect-firmware-unsupported-danctnix/0001-bes2600-self-detect-firmware-does-not-honor-PSM-skip-cycle.patch → patches/driver/bes2600/pm-detect-firmware-unsupported-danctnix/0001-bes2600-self-detect-when-firmware-does-not-honor-PSM.patch
+9 -9
View File
@@ -1,8 +1,8 @@
From dc1505f5bab24c5f0960dcc612ce51cd2e5aeddf Mon Sep 17 00:00:00 2001
From d1de35c62930b1bc035d3863d75901356548b6f0 Mon Sep 17 00:00:00 2001
From: Markus Fritsche <fritsche.markus@gmail.com>
Date: Tue, 28 Apr 2026 16:54:06 +0200
Subject: [PATCH 18/29] bes2600: self-detect when firmware does not honor PSM
and skip the cycle
Date: Tue, 28 Apr 2026 16:54:07 +0200
Subject: [PATCH] bes2600: self-detect when firmware does not honor PSM and
skip the cycle
The c6 series fixed several host-side bookkeeping bugs around PSM
transitions, but didn't address the underlying contract: this chip's
@@ -64,12 +64,12 @@ firing entirely. The firmware-side wedge is observed once per boot
Signed-off-by: Markus Fritsche <fritsche.markus@gmail.com>
---
bes2600/bes_pwr.c | 70 ++++++++++++++++++++++++++++++++++++++++++++++-
bes2600/bes_pwr.h | 9 ++++++
drivers/staging/bes2600/bes_pwr.c | 70 ++++++++++++++++++++++++++++++-
drivers/staging/bes2600/bes_pwr.h | 9 ++++
2 files changed, 78 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/bes2600/bes_pwr.c b/drivers/staging/bes2600/bes_pwr.c
index b7b6c2f..620acef 100644
index d54e1a0bab0c..ebaa42e3e61e 100644
--- a/drivers/staging/bes2600/bes_pwr.c
+++ b/drivers/staging/bes2600/bes_pwr.c
@@ -467,6 +467,45 @@ static void bes2600_pwr_device_enter_lp_mode(struct bes2600_common *hw_priv)
@@ -185,7 +185,7 @@ index b7b6c2f..620acef 100644
atomic_set(&hw_priv->bes_power.chip_pm_state,
BES2600_CHIP_PM_LP);
diff --git a/drivers/staging/bes2600/bes_pwr.h b/drivers/staging/bes2600/bes_pwr.h
index 6bc44ac..92de90b 100644
index 6bc44acd7501..92de90b398c6 100644
--- a/drivers/staging/bes2600/bes_pwr.h
+++ b/drivers/staging/bes2600/bes_pwr.h
@@ -121,6 +121,15 @@ struct bes2600_pwr_t
@@ -205,5 +205,5 @@ index 6bc44ac..92de90b 100644
#ifdef CONFIG_BES2600_WOWLAN
--
2.54.0
2.53.0
patches/driver/bes2600/pm-gate-on-handshake/0001-bes2600-gate-device-LP-mode-entry-on-successful-handshake.patch → patches/driver/bes2600/pm-gate-on-handshake/0001-bes2600-gate-device-LP-mode-entry-on-successful-per-.patch
+7 -7
View File
@@ -1,8 +1,8 @@
From e8550e55fc7d3910ee690359d89d96c86cfb0347 Mon Sep 17 00:00:00 2001
From 80178ec9b1f83aed1dcce9ea7ca02bc81341ba01 Mon Sep 17 00:00:00 2001
From: Markus Fritsche <fritsche.markus@gmail.com>
Date: Wed, 22 Apr 2026 12:37:45 +0200
Subject: [PATCH 04/29] bes2600: gate device LP-mode entry on successful
per-VIF firmware handshake
Subject: [PATCH] bes2600: gate device LP-mode entry on successful per-VIF
firmware handshake
bes2600_pwr_enter_lp_mode() drives the transition to low-power for each
associated STA VIF: it pushes wsm_set_pm(), waits up to 5 seconds on
@@ -49,10 +49,10 @@ Signed-off-by: Markus Fritsche <fritsche.markus@gmail.com>
bes2600/bes_pwr.c | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/drivers/staging/bes2600/bes_pwr.c b/drivers/staging/bes2600/bes_pwr.c
diff --git a/bes2600/bes_pwr.c b/bes2600/bes_pwr.c
index e7a1045..f62ae22 100644
--- a/drivers/staging/bes2600/bes_pwr.c
+++ b/drivers/staging/bes2600/bes_pwr.c
--- a/bes2600/bes_pwr.c
+++ b/bes2600/bes_pwr.c
@@ -472,6 +472,7 @@ static int bes2600_pwr_enter_lp_mode(struct bes2600_common *hw_priv)
int i = 0;
struct bes2600_vif *priv;
@@ -101,5 +101,5 @@ index e7a1045..f62ae22 100644
return ret;
}
--
2.54.0
2.53.0
patches/driver/bes2600/pm-state-resync-danctnix/0001-bes2600-gate-PM-indication-completion-on-pending-request-and-track-state.patch → patches/driver/bes2600/pm-state-resync-danctnix/0001-bes2600-gate-PM-indication-completion-on-pending-req.patch
+10 -10
View File
@@ -1,8 +1,8 @@
From 40aec44a6e4de5aaf0066982601c99e648b0f1ec Mon Sep 17 00:00:00 2001
From 4ab8c790304206abd134de48c878b637a70f3c59 Mon Sep 17 00:00:00 2001
From: Markus Fritsche <fritsche.markus@gmail.com>
Date: Tue, 28 Apr 2026 15:05:27 +0200
Subject: [PATCH 16/29] bes2600: gate PM indication completion on pending
request and track chip state
Subject: [PATCH] bes2600: gate PM indication completion on pending request and
track chip state
When mac80211 toggles PSM on the BES2600, the host sends WSM set_pm
and waits up to 5 s on bes_power.pm_enter_cmpl for a firmware-side
@@ -67,12 +67,12 @@ recovery path (timeout + spontaneous indication) gains correctness.
Signed-off-by: Markus Fritsche <fritsche.markus@gmail.com>
---
bes2600/bes_pwr.c | 94 ++++++++++++++++++++++++++++++++++++++++++-----
bes2600/bes_pwr.h | 15 ++++++++
drivers/staging/bes2600/bes_pwr.c | 94 ++++++++++++++++++++++++++++---
drivers/staging/bes2600/bes_pwr.h | 15 +++++
2 files changed, 100 insertions(+), 9 deletions(-)
diff --git a/drivers/staging/bes2600/bes_pwr.c b/drivers/staging/bes2600/bes_pwr.c
index 474b6f1..9b4a4de 100644
index f62ae226d295..de46e5826ee7 100644
--- a/drivers/staging/bes2600/bes_pwr.c
+++ b/drivers/staging/bes2600/bes_pwr.c
@@ -524,7 +524,17 @@ static int bes2600_pwr_enter_lp_mode(struct bes2600_common *hw_priv)
@@ -100,7 +100,7 @@ index 474b6f1..9b4a4de 100644
- atomic_set(&hw_priv->bes_power.pm_set_in_process, 0);
- reinit_completion(&hw_priv->bes_power.pm_enter_cmpl);
if (!status) {
- bes_devel("%s, wait pm ind timeout\n", __func__);
- bes_err("%s, wait pm ind timeout\n", __func__);
- timeouts++;
+ /*
+ * The indication callback only fires
@@ -123,7 +123,7 @@ index 474b6f1..9b4a4de 100644
+ */
+ if (atomic_cmpxchg(&hw_priv->bes_power.pm_set_in_process,
+ 1, 0) == 1) {
+ bes_devel("%s, wait pm ind timeout\n", __func__);
+ bes_err("%s, wait pm ind timeout\n", __func__);
+ atomic_set(&hw_priv->bes_power.chip_pm_state,
+ BES2600_CHIP_PM_UNKNOWN);
+ timeouts++;
@@ -209,7 +209,7 @@ index 474b6f1..9b4a4de 100644
}
diff --git a/drivers/staging/bes2600/bes_pwr.h b/drivers/staging/bes2600/bes_pwr.h
index 1ba866c..6bc44ac 100644
index 1ba866c25c42..6bc44acd7501 100644
--- a/drivers/staging/bes2600/bes_pwr.h
+++ b/drivers/staging/bes2600/bes_pwr.h
@@ -64,6 +64,20 @@ enum power_down_state
@@ -242,5 +242,5 @@ index 1ba866c..6bc44ac 100644
#ifdef CONFIG_BES2600_WOWLAN
--
2.54.0
2.53.0
patches/driver/bes2600/pm-timeout-silence-danctnix/0001-bes2600-demote-wait-pm-ind-timeout-from-bes_err-to-bes_devel.patch → patches/driver/bes2600/pm-timeout-silence-danctnix/0001-bes2600-demote-wait-pm-ind-timeout-from-bes_err-to-b.patch
+3 -3
View File
@@ -1,7 +1,7 @@
From 894c502cd541079a8a26d61cd4289af9001b3046 Mon Sep 17 00:00:00 2001
From ab9e0ad6b4bbb1196c448ed000c8c152b0f04683 Mon Sep 17 00:00:00 2001
From: Markus Fritsche <fritsche.markus@gmail.com>
Date: Thu, 23 Apr 2026 20:35:17 +0200
Subject: [PATCH 11/29] bes2600: demote 'wait pm ind timeout' from bes_err to
Subject: [PATCH] bes2600: demote 'wait pm ind timeout' from bes_err to
bes_devel
bes2600_pwr_enter_lp_mode() logs 'wait pm ind timeout' at bes_err
@@ -49,5 +49,5 @@ index f62ae22..474b6f1 100644
}
} else {
--
2.54.0
2.53.0
patches/driver/bes2600/pm-wake-consume-state-danctnix/0001-bes2600-short-circuit-wake-handshake-when-chip-confirmed-ACTIVE.patch → patches/driver/bes2600/pm-wake-consume-state-danctnix/0001-bes2600-short-circuit-wake-handshake-when-chip-is-co.patch
+11 -11
View File
@@ -1,8 +1,8 @@
From 7a65dc374c671e20bd6303959ff234a179bc9ff7 Mon Sep 17 00:00:00 2001
From 706a594dab68779294e4fff9705a6e1df46ec1af Mon Sep 17 00:00:00 2001
From: Markus Fritsche <fritsche.markus@gmail.com>
Date: Tue, 28 Apr 2026 15:23:34 +0200
Subject: [PATCH 17/29] bes2600: short-circuit wake handshake when chip is
confirmed ACTIVE
Date: Tue, 28 Apr 2026 15:23:35 +0200
Subject: [PATCH] bes2600: short-circuit wake handshake when chip is confirmed
ACTIVE
The previous patch ("bes2600: gate PM indication completion on pending
request and track chip state") added enum bes2600_chip_pm_state and the
@@ -75,15 +75,15 @@ field added in the prerequisite patch.
Signed-off-by: Markus Fritsche <fritsche.markus@gmail.com>
---
bes2600/bes2600_sdio.c | 15 +++++++++--
bes2600/bes_pwr.c | 56 ++++++++++++++++++++++++++++++++++++------
drivers/staging/bes2600/bes2600_sdio.c | 15 ++++++-
drivers/staging/bes2600/bes_pwr.c | 56 ++++++++++++++++++++++----
2 files changed, 62 insertions(+), 9 deletions(-)
diff --git a/drivers/staging/bes2600/bes2600_sdio.c b/drivers/staging/bes2600/bes2600_sdio.c
index f7f86d7..5a0694a 100644
index b9d836fab7af..929503547cfd 100644
--- a/drivers/staging/bes2600/bes2600_sdio.c
+++ b/drivers/staging/bes2600/bes2600_sdio.c
@@ -1389,7 +1389,14 @@ static void bes2600_gpio_wakeup_mcu(struct sbus_priv *self, int flag)
@@ -1388,7 +1388,14 @@ static void bes2600_gpio_wakeup_mcu(struct sbus_priv *self, int flag)
/* error check */
if((self->gpio_wakup_flags & BIT(flag)) != 0) {
@@ -99,7 +99,7 @@ index f7f86d7..5a0694a 100644
mutex_unlock(&self->io_mutex);
return;
}
@@ -1421,7 +1428,11 @@ static void bes2600_gpio_allow_mcu_sleep(struct sbus_priv *self, int flag)
@@ -1420,7 +1427,11 @@ static void bes2600_gpio_allow_mcu_sleep(struct sbus_priv *self, int flag)
/* error check */
if((self->gpio_wakup_flags & BIT(flag)) == 0) {
@@ -113,7 +113,7 @@ index f7f86d7..5a0694a 100644
return;
}
diff --git a/drivers/staging/bes2600/bes_pwr.c b/drivers/staging/bes2600/bes_pwr.c
index 9b4a4de..b7b6c2f 100644
index de46e5826ee7..d54e1a0bab0c 100644
--- a/drivers/staging/bes2600/bes_pwr.c
+++ b/drivers/staging/bes2600/bes_pwr.c
@@ -621,19 +621,61 @@ static int bes2600_pwr_enter_lp_mode(struct bes2600_common *hw_priv)
@@ -186,5 +186,5 @@ index 9b4a4de..b7b6c2f 100644
ret = wsm_set_operational_mode(hw_priv, &mode, 0);
--
2.54.0
2.53.0
patches/driver/bes2600/ps-state-lock-skip-pm-disabled-danctnix/0001-bes2600-Patch-E-skip-ps_state_lock-when-PSM-known-disabled.patch
-83
View File
@@ -1,83 +0,0 @@
From 445c619da88d69adf68e8cae08ad1b53f76fe57d Mon Sep 17 00:00:00 2001
From: Markus Fritsche <fritsche.markus@gmail.com>
Date: Fri, 8 May 2026 00:22:14 +0200
Subject: [PATCH 28/29] =?UTF-8?q?bes2600:=20Patch=20E=20=E2=80=94=20skip?=
=?UTF-8?q?=20ps=5Fstate=5Flock=20when=20PSM-known-disabled?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Per the Opus structural critique (PR #8 §2.4) and Sonnet review item 5.
The per-RX-frame early-data path takes ps_state_lock to double-check
whether a link entry transitioned to BES2600_LINK_SOFT (AP-side
power-save state machine, soft-link transition).
When c7 has latched pm_unsupported = true (firmware does not honor
PSM, see feedback_bes2600_firmware_no_psm memory), the AP power-save
state machine is dead and link entries never transition to LINK_SOFT.
The per-frame spin_lock_bh + double-check is wasted work.
This patch gates the lock acquisition on !pm_unsupported. When the
latch is on (the steady state on the production-shipped bes2600
firmware), early_data RX frames bypass the spin_lock_bh and go
directly to ieee80211_rx_irqsafe.
If a future firmware drop fixes PSM, c7 self-clears pm_unsupported on
the first real PM_INDICATION and the locked path resumes.
Scope is narrower than Sonnet originally framed: only the per-RX-frame
hot path (txrx.c:1945-1951 in cleanups+G+D) is touched. Other
ps_state_lock sites in txrx.c (lines 657, 1256, 1420, 1528) are TX
submission / multicast-start / link-id paths, not per-frame RX, and
not on the Bug #5 hot path. Leave those alone.
Build verified: srcversion B5922B4933590F33207EE97 on ohm sandbox.
---
bes2600/txrx.c | 30 ++++++++++++++++++++++++------
1 file changed, 24 insertions(+), 6 deletions(-)
diff --git a/drivers/staging/bes2600/txrx.c b/drivers/staging/bes2600/txrx.c
index 536b198..cb718ad 100644
--- a/drivers/staging/bes2600/txrx.c
+++ b/drivers/staging/bes2600/txrx.c
@@ -1965,13 +1965,31 @@ void bes2600_rx_cb(struct bes2600_vif *priv,
if (unlikely(bes2600_itp_rxed(hw_priv, skb)))
consume_skb(skb);
else if (unlikely(early_data)) {
- spin_lock_bh(&priv->ps_state_lock);
- /* Double-check status with lock held */
- if (entry->status == BES2600_LINK_SOFT)
- skb_queue_tail(&entry->rx_queue, skb);
- else
+ /*
+ * Patch E: when c7 has latched pm_unsupported (firmware
+ * doesn't honour PSM, see feedback_bes2600_firmware_no_psm),
+ * AP-side power-save state machine is dead and link entries
+ * never transition to BES2600_LINK_SOFT. The double-check
+ * branch under ps_state_lock is unreachable in that case,
+ * so skip the per-frame lock acquisition entirely and
+ * deliver to mac80211 directly.
+ *
+ * On firmware that does honour PSM (the latch self-clears
+ * if a real PM_INDICATION ever arrives — see c7), this
+ * predicate flips back to false and the original locked
+ * path is taken.
+ */
+ if (hw_priv->bes_power.pm_unsupported) {
ieee80211_rx_irqsafe(priv->hw, skb);
- spin_unlock_bh(&priv->ps_state_lock);
+ } else {
+ spin_lock_bh(&priv->ps_state_lock);
+ /* Double-check status with lock held */
+ if (entry->status == BES2600_LINK_SOFT)
+ skb_queue_tail(&entry->rx_queue, skb);
+ else
+ ieee80211_rx_irqsafe(priv->hw, skb);
+ spin_unlock_bh(&priv->ps_state_lock);
+ }
} else {
ieee80211_rx_irqsafe(priv->hw, skb);
}
--
2.54.0
patches/driver/bes2600/remove-chardev-user-interface/0001-bes2600-remove-userspace-dev-bes2600-character-device-interface.patch → patches/driver/bes2600/remove-chardev-user-interface/0001-bes2600-remove-userspace-dev-bes2600-character-devic.patch
+32 -112
View File
@@ -1,7 +1,7 @@
From cd5f85e10480f02e289ea731b5eeec571000562c Mon Sep 17 00:00:00 2001
From f43bcc5dda0a9120aee62cce0cec1a8c851cb4ef Mon Sep 17 00:00:00 2001
From: Markus Fritsche <fritsche.markus@gmail.com>
Date: Wed, 22 Apr 2026 12:55:18 +0200
Subject: [PATCH 05/29] bes2600: remove userspace /dev/bes2600 character device
Subject: [PATCH] bes2600: remove userspace /dev/bes2600 character device
interface
bes_chardev.c implemented a custom character device at /dev/bes2600 with
@@ -73,13 +73,13 @@ Follow-ups:
Signed-off-by: Markus Fritsche <fritsche.markus@gmail.com>
---
bes2600/bes_chardev.c | 568 +-----------------------------------------
1 file changed, 3 insertions(+), 565 deletions(-)
bes2600/bes_chardev.c | 519 ------------------------------------------
1 file changed, 519 deletions(-)
diff --git a/drivers/staging/bes2600/bes_chardev.c b/drivers/staging/bes2600/bes_chardev.c
index f89dcb8..e2e4f1b 100644
--- a/drivers/staging/bes2600/bes_chardev.c
+++ b/drivers/staging/bes2600/bes_chardev.c
diff --git a/bes2600/bes_chardev.c b/bes2600/bes_chardev.c
index 9038e48..e2e4f1b 100644
--- a/bes2600/bes_chardev.c
+++ b/bes2600/bes_chardev.c
@@ -43,12 +43,6 @@ enum bus_probe_state {
};
@@ -93,74 +93,10 @@ index f89dcb8..e2e4f1b 100644
atomic_t num_proc;
wait_queue_head_t open_wq;
spinlock_t status_lock;
@@ -196,7 +190,7 @@ static int bes2600_switch_wifi(bool on)
@@ -249,351 +243,18 @@ int bes2600_switch_bt(bool on)
return ret;
}
-static int bes2600_switch_bt(bool on)
+int bes2600_switch_bt(bool on)
{
int ret = 0;
long status = 0;
@@ -229,11 +223,11 @@ static int bes2600_switch_bt(bool on)
/* check if there is a error when bootup */
ret = (status <= 0 || bes2600_chrdev_is_bus_error()) ? -1 : 0;
} else {
- bes_devel("bes2600 activate bt.\n");
+ bes_info("enable BT\n");
ret = bes2600_chrdev_switch_subsys(GPIO_WAKE_FLAG_BT_ON, SUBSYSTEM_BT, true);
}
} else {
- bes_devel("bes2600 deactivate bt.\n");
+ bes_info("disable BT\n");
bes2600_chrdev_switch_subsys(GPIO_WAKE_FLAG_BT_OFF, SUBSYSTEM_BT, false);
}
@@ -249,392 +243,18 @@ static int bes2600_switch_bt(bool on)
return ret;
}
-/*
- * This is a global function so we don't have to make many changes to
- * the driver.
- *
- * @wifi: 1 to turn on, 0 to turn off. Otherwise, leave unchanged
- * @bt: 1 to turn on, 0 to turn off. Otherwise, leave unchanged
- */
-int bes2600_chrdev_switch_subsys_glb(int wifi, int bt)
-{
- int ret = 0;
-
- switch (wifi) {
- case 0:
- ret = bes2600_switch_wifi(false);
- break;
- case 1:
- ret = bes2600_switch_wifi(true);
- break;
- default:
- break;
- }
-
- if (ret)
- goto result;
-
- switch (bt) {
- case 0:
- ret = bes2600_switch_bt(false);
- break;
- case 1:
- ret = bes2600_switch_bt(true);
- break;
- default:
- break;
- }
-
-result:
- return ret;
-}
-EXPORT_SYMBOL_GPL(bes2600_chrdev_switch_subsys_glb);
-
-static int bes2600_get_cmd_and_ifname(const char *str, char **result)
-{
- int cmd_len = 0;
@@ -256,11 +192,11 @@ index f89dcb8..e2e4f1b 100644
- probe_state = bes2600_cdev.bus_probe;
- wait_state = bes2600_cdev.wait_state;
- spin_unlock(&bes2600_cdev.status_lock);
-
- /* only work for wifi signal mode */
- if (bes2600_cdev.fw_type != BES2600_FW_TYPE_WIFI_SIGNAL)
- return -EFAULT;
-
- /* wait bus probe operation end */
- if (probe_state == BES2600_BUS_PROBE_START) {
- bes_devel("wait bus probe operation end\n");
@@ -269,7 +205,7 @@ index f89dcb8..e2e4f1b 100644
- HZ);
- WARN_ON(status <= 0);
- }
-
- /* must wait previous operation end in critical section */
- if (wait_state != BES2600_BOOT_WAIT_NONE) {
- bes_devel("wait previous operation end\n");
@@ -278,7 +214,7 @@ index f89dcb8..e2e4f1b 100644
- HZ * 8);
- WARN_ON(status <= 0);
- }
-
- /* if dpd calibration is doing, modify wifi and bt state directly */
- spin_lock(&bes2600_cdev.status_lock);
- if (bes2600_cdev.bus_probe == BES2600_BUS_PROBE_OK && !bes2600_cdev.dpd_calied) {
@@ -297,16 +233,16 @@ index f89dcb8..e2e4f1b 100644
- }
- bes2600_recyle_cmd_and_ifname_mem(info);
- spin_unlock(&bes2600_cdev.status_lock);
-
- /* wait probe done event */
- status = wait_event_timeout(bes2600_cdev.probe_done_wq,
- bes2600_bootup_end(), HZ * 8);
- WARN_ON(status <= 0);
-
- return (status <= 0 || bes2600_chrdev_is_bus_error()) ? -EFAULT : 0;
- }
- spin_unlock(&bes2600_cdev.status_lock);
-
- /* process wifi/bt on/off operation */
- if (bes2600_get_cmd_and_ifname(str, info) == 0) {
- if (strncmp(info[1], "WIFI_ON", 7) == 0) {
@@ -319,7 +255,7 @@ index f89dcb8..e2e4f1b 100644
- ret = bes2600_switch_bt(0);
- }
- }
-
- if (!ret && bes2600_chrdev_check_system_close())
- ret = bes2600_chrdev_do_system_close(bes2600_cdev.sbus_ops,
- bes2600_cdev.sbus_priv);
@@ -408,8 +344,8 @@ index f89dcb8..e2e4f1b 100644
- WARN_ON(status <= 0);
-
- ret = (status <= 0 || bes2600_chrdev_is_bus_error()) ? -1 : 0;
-
-
- return ret;
-}
-
@@ -424,7 +360,7 @@ index f89dcb8..e2e4f1b 100644
- return -EFAULT;
- }
- spin_unlock(&bes2600_cdev.status_lock);
-
- /* wait probe done event */
- status = wait_event_timeout(bes2600_cdev.probe_done_wq,
- bes2600_bootup_end(), HZ * 8);
@@ -448,26 +384,26 @@ index f89dcb8..e2e4f1b 100644
- return -EFAULT;
- }
- spin_unlock(&bes2600_cdev.status_lock);
-
- /* wait probe done event */
- status = wait_event_timeout(bes2600_cdev.probe_done_wq,
- bes2600_bootup_end(), HZ * 8);
- if (status <= 0 || bes2600_chrdev_is_bus_error())
- return -EFAULT;
-
- bes_devel("bes2600 allow bt sleep.\n");
- ret = bes2600_chrdev_switch_subsys(GPIO_WAKE_FLAG_BT_LP_OFF, SUBSYSTEM_BT_LP, false);
-
- return ret;
-}
-
-static int bes2600_op_set_wakeup_read_flag(const char *str)
-{
- bes_devel("%s is called, arg:%s\n", __func__, str);
- spin_lock(&bes2600_cdev.status_lock);
- bes2600_cdev.read_flag = BES_CDEV_READ_WAKEUP_STATE;
- spin_unlock(&bes2600_cdev.status_lock);
-
- return 0;
-}
@@ -509,7 +445,7 @@ index f89dcb8..e2e4f1b 100644
static int bes2600_chrdev_check_system_close_internal(void)
{
@@ -644,123 +264,10 @@ static int bes2600_chrdev_check_system_close_internal(void)
@@ -603,123 +264,10 @@ static int bes2600_chrdev_check_system_close_internal(void)
&& (bes2600_cdev.wifi_opened == false);
}
@@ -633,23 +569,7 @@ index f89dcb8..e2e4f1b 100644
#ifdef BES2600_WRITE_DPD_TO_FILE
static int bes2600_chrdev_write_dpd_data_to_file(const char *path, void *buffer, int size)
@@ -1126,7 +633,6 @@ void bes2600_chrdev_wakeup_bt(void)
bes_err("Wakeup BT fail in resume\n");
}
}
-EXPORT_SYMBOL_GPL(bes2600_chrdev_wakeup_bt);
int bes2600_chrdev_get_fw_type(void)
{
@@ -1148,7 +654,6 @@ bool bes2600_chrdev_is_bus_error(void)
return error;
}
-EXPORT_SYMBOL_GPL(bes2600_chrdev_is_bus_error);
void bes2600_chrdev_update_signal_mode(void)
{
@@ -1167,12 +672,6 @@ void bes2600_chrdev_update_signal_mode(void)
@@ -1124,12 +672,6 @@ void bes2600_chrdev_update_signal_mode(void)
static void bes2600_chrdev_wifi_force_close_work(struct work_struct *work)
{
@@ -662,7 +582,7 @@ index f89dcb8..e2e4f1b 100644
if (bes2600_chrdev_is_wifi_opened()) {
bes_devel("system exeception, force wifi down\n");
@@ -1189,14 +688,6 @@ static void bes2600_chrdev_wifi_force_close_work(struct work_struct *work)
@@ -1146,14 +688,6 @@ static void bes2600_chrdev_wifi_force_close_work(struct work_struct *work)
bes2600_chrdev_do_system_close(bes2600_cdev.sbus_ops,
bes2600_cdev.sbus_priv);
}
@@ -677,7 +597,7 @@ index f89dcb8..e2e4f1b 100644
}
}
@@ -1290,46 +781,6 @@ int bes2600_chrdev_wakeup_by_event_get(void)
@@ -1247,46 +781,6 @@ int bes2600_chrdev_wakeup_by_event_get(void)
int bes2600_chrdev_init(struct sbus_ops *ops)
{
@@ -724,7 +644,7 @@ index f89dcb8..e2e4f1b 100644
/* initialise global variable */
atomic_set(&bes2600_cdev.num_proc, 0);
init_waitqueue_head(&bes2600_cdev.open_wq);
@@ -1361,15 +812,6 @@ int bes2600_chrdev_init(struct sbus_ops *ops)
@@ -1318,15 +812,6 @@ int bes2600_chrdev_init(struct sbus_ops *ops)
bes_devel("%s done\n", __func__);
return 0;
@@ -740,7 +660,7 @@ index f89dcb8..e2e4f1b 100644
}
void bes2600_chrdev_free(void)
@@ -1379,9 +821,5 @@ void bes2600_chrdev_free(void)
@@ -1336,9 +821,5 @@ void bes2600_chrdev_free(void)
bes2600_free_dpd_log_buffer();
#endif
bes2600_chrdev_free_dpd_data();
@@ -751,5 +671,5 @@ index f89dcb8..e2e4f1b 100644
bes_devel("%s done\n", __func__);
}
--
2.54.0
2.53.0
patches/driver/bes2600/rx-list-batch-delivery-danctnix/0001-bes2600-Patch-C2-replace-ieee80211_rx_irqsafe-with-ieee80211_rx_ni.patch
-216
View File
@@ -1,216 +0,0 @@
From a70e882f3d5f4f9148206675562dddeecd3f4404 Mon Sep 17 00:00:00 2001
From: Markus Fritsche <fritsche.markus@gmail.com>
Date: Fri, 8 May 2026 06:40:00 +0200
Subject: [PATCH 29/29] =?UTF-8?q?bes2600:=20Patch=20C2=20=E2=80=94=20repla?=
=?UTF-8?q?ce=20ieee80211=5Frx=5Firqsafe=20with=20ieee80211=5Frx=5Fni?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Per Phase 4 plan PR #14 + kerneldoc audit (Task #19). Six call sites
deferred per-RX-frame mac80211 dispatch via tasklet; replace with the
synchronous-from-process-context API ieee80211_rx_ni() which does its
own local_bh_disable wrap.
Why _ni and not _list:
Phase 4 plan originally targeted ieee80211_rx_list for batch
delivery. Mining mt76 mainline (the only driver using _list)
showed the canonical pattern requires threading a struct list_head
through the per-frame call chain. bes2600s WSM dispatcher
(wsm_handle_rx -> bes2600_rx_cb / wsm.c beacon path) sits between
the bh threads SDIO read and the mac80211 hand-off; threading a
list_head through the dispatcher is a non-trivial refactor.
ieee80211_rx_ni() is the simpler drop-in: no list management, still
removes the tasklet hop. Per-call local_bh_disable cost is trivial
vs the saved tasklet schedule. Future refactor can revisit _list
if measurements warrant.
Sites converted:
- ap.c:96 (bes2600_sta_add link-id rx_queue drain on AP-mode
STA add). Was inside spin_lock_bh(&ps_state_lock);
refactored to splice the queue under the lock then
deliver after unlock — _ni runs the synchronous
mac80211 RX path inline, would otherwise hold the
lock across mac80211 dispatch. splice via
skb_queue_splice_init into a local sk_buff_head.
- sta.c:1487 (deauth-frame inject in inactivity-event handler).
Not under any lock; direct conversion.
- txrx.c:1960 (early-data + pm_unsupported branch from Patch E).
- txrx.c:1967 (early-data + LINK_SOFT-not-set branch).
- txrx.c:1971 (normal RX path in bes2600_rx_cb).
- wsm.c:2415 (beacon delivery in scan-complete WSM handler).
beacon SKB ownership is preserved by the existing
skb_copy(beacon, GFP_ATOMIC) -> beacon_bkp pattern;
no lifecycle change needed.
Mixing constraint (kerneldoc include/net/mac80211.h:5399-5430):
ieee80211_rx_ni() cannot mix with ieee80211_rx_irqsafe() for a
single hardware. All 6 sites convert atomically; no mixed state.
Build verified clean on ohm sandbox: srcversion 619A51E61BF5479AAC146E6.
Predicted Phase 7 delta: +5-15% over v3+D+E baseline (2.35 MB/s mean
on v3 alone; D+E single-rep was 3.22 MB/s). Modest improvement
expected from removing the tasklet schedule per RX frame. Smaller
deltas would still be a net win for upstream-cleanliness — the
kernel.org submission story benefits from not using _irqsafe from
process context.
---
bes2600/ap.c | 15 +++++++++++++--
bes2600/bes_chardev.c | 33 ++++++++++++++++++++++++++++++++-
bes2600/sta.c | 2 +-
bes2600/txrx.c | 6 +++---
bes2600/wsm.c | 2 +-
5 files changed, 50 insertions(+), 8 deletions(-)
diff --git a/drivers/staging/bes2600/ap.c b/drivers/staging/bes2600/ap.c
index 8a17545..99e2da2 100644
--- a/drivers/staging/bes2600/ap.c
+++ b/drivers/staging/bes2600/ap.c
@@ -63,8 +63,11 @@ int bes2600_sta_add(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
struct bes2600_vif *priv = cw12xx_get_vif_from_ieee80211(vif);
struct bes2600_link_entry *entry;
struct sk_buff *skb;
+ struct sk_buff_head local_drain;
struct bes2600_common *hw_priv = hw->priv;
+ __skb_queue_head_init(&local_drain);
+
#ifdef P2P_MULTIVIF
WARN_ON(priv->if_id == CW12XX_GENERIC_IF_ID);
#endif
@@ -93,9 +96,17 @@ int bes2600_sta_add(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
priv->sta_asleep_mask |= BIT(sta_priv->link_id);
entry->status = BES2600_LINK_HARD;
- while ((skb = skb_dequeue(&entry->rx_queue)))
- ieee80211_rx_irqsafe(priv->hw, skb);
+ /*
+ * Patch C2: splice the rx_queue out under the lock then deliver
+ * after unlock. ieee80211_rx_ni() runs the mac80211 RX path
+ * synchronously (formerly ieee80211_rx_irqsafe deferred to a
+ * tasklet); calling it from inside spin_lock_bh would hold the
+ * lock across mac80211's full RX dispatch.
+ */
+ skb_queue_splice_init(&entry->rx_queue, &local_drain);
spin_unlock_bh(&priv->ps_state_lock);
+ while ((skb = __skb_dequeue(&local_drain)))
+ ieee80211_rx_ni(priv->hw, skb);
#ifdef AP_AGGREGATE_FW_FIX
hw_priv->connected_sta_cnt++;
if(hw_priv->connected_sta_cnt>1) {
diff --git a/drivers/staging/bes2600/bes_chardev.c b/drivers/staging/bes2600/bes_chardev.c
index 02dcd43..844f1d0 100644
--- a/drivers/staging/bes2600/bes_chardev.c
+++ b/drivers/staging/bes2600/bes_chardev.c
@@ -181,7 +181,7 @@ static int bes2600_switch_wifi(bool on)
return ret;
}
-int bes2600_switch_bt(bool on)
+static int bes2600_switch_bt(bool on)
{
int ret = 0;
long status = 0;
@@ -234,6 +234,36 @@ int bes2600_switch_bt(bool on)
return ret;
}
+/*
+ * Re-added for danctnix's bes2600_btuart.c (a danctnix-only file) which
+ * relies on the chardev utility API for BT power switching and bus-error
+ * checks. The userspace /dev/bes2600 chardev itself is removed by the
+ * remove-chardev-user-interface series; these in-kernel helpers stay.
+ *
+ * @wifi: 1 to turn on, 0 to turn off. Otherwise, leave unchanged
+ * @bt: 1 to turn on, 0 to turn off. Otherwise, leave unchanged
+ */
+int bes2600_chrdev_switch_subsys_glb(int wifi, int bt)
+{
+ int ret = 0;
+
+ switch (wifi) {
+ case 0: ret = bes2600_switch_wifi(false); break;
+ case 1: ret = bes2600_switch_wifi(true); break;
+ default: break;
+ }
+ if (ret)
+ return ret;
+
+ switch (bt) {
+ case 0: ret = bes2600_switch_bt(false); break;
+ case 1: ret = bes2600_switch_bt(true); break;
+ default: break;
+ }
+ return ret;
+}
+EXPORT_SYMBOL_GPL(bes2600_chrdev_switch_subsys_glb);
+
@@ -562,6 +592,7 @@ bool bes2600_chrdev_is_bus_error(void)
return error;
}
+EXPORT_SYMBOL_GPL(bes2600_chrdev_is_bus_error);
void bes2600_chrdev_update_signal_mode(void)
{
diff --git a/drivers/staging/bes2600/sta.c b/drivers/staging/bes2600/sta.c
index 8af8150..2b63ff2 100644
--- a/drivers/staging/bes2600/sta.c
+++ b/drivers/staging/bes2600/sta.c
@@ -1500,7 +1500,7 @@ void bes2600_event_handler(struct work_struct *work)
IEEE80211_STYPE_DEAUTH | IEEE80211_FCTL_TODS);
deauth->u.deauth.reason_code = WLAN_REASON_DEAUTH_LEAVING;
deauth->seq_ctrl = 0;
- ieee80211_rx_irqsafe(priv->hw, skb);
+ ieee80211_rx_ni(priv->hw, skb);
bes_devel(" Inactivity Deauth Frame sent for MAC SA %pM \t and DA %pM\n", deauth->sa, deauth->da);
queue_work(priv->hw_priv->workqueue, &priv->set_tim_work);
break;
diff --git a/drivers/staging/bes2600/txrx.c b/drivers/staging/bes2600/txrx.c
index cb718ad..9074972 100644
--- a/drivers/staging/bes2600/txrx.c
+++ b/drivers/staging/bes2600/txrx.c
@@ -1980,18 +1980,18 @@ void bes2600_rx_cb(struct bes2600_vif *priv,
* path is taken.
*/
if (hw_priv->bes_power.pm_unsupported) {
- ieee80211_rx_irqsafe(priv->hw, skb);
+ ieee80211_rx_ni(priv->hw, skb);
} else {
spin_lock_bh(&priv->ps_state_lock);
/* Double-check status with lock held */
if (entry->status == BES2600_LINK_SOFT)
skb_queue_tail(&entry->rx_queue, skb);
else
- ieee80211_rx_irqsafe(priv->hw, skb);
+ ieee80211_rx_ni(priv->hw, skb);
spin_unlock_bh(&priv->ps_state_lock);
}
} else {
- ieee80211_rx_irqsafe(priv->hw, skb);
+ ieee80211_rx_ni(priv->hw, skb);
}
*skb_p = NULL;
diff --git a/drivers/staging/bes2600/wsm.c b/drivers/staging/bes2600/wsm.c
index 908c965..2424181 100644
--- a/drivers/staging/bes2600/wsm.c
+++ b/drivers/staging/bes2600/wsm.c
@@ -2412,7 +2412,7 @@ int wsm_handle_rx(struct bes2600_common *hw_priv, int id,
if (!hw_priv->beacon_bkp)
hw_priv->beacon_bkp = \
skb_copy(hw_priv->beacon, GFP_ATOMIC);
- ieee80211_rx_irqsafe(hw_priv->hw, hw_priv->beacon);
+ ieee80211_rx_ni(hw_priv->hw, hw_priv->beacon);
hw_priv->beacon = hw_priv->beacon_bkp;
hw_priv->beacon_bkp = NULL;
--
2.54.0
patches/driver/bes2600/scan-defer-backoff-tune-danctnix/0001-bes2600-widen-scan-defer-backoff-30s-and-decay-on-quiet.patch → patches/driver/bes2600/scan-defer-backoff-tune-danctnix/0001-bes2600-widen-scan-defer-backoff-to-30s-and-decay-co.patch
+6 -6
View File
@@ -1,8 +1,8 @@
From 179c2e0bf852734631acfc56b2478775215cc5f6 Mon Sep 17 00:00:00 2001
From 3d98404c1a85ef33e9fc1422042c71dc90f3b255 Mon Sep 17 00:00:00 2001
From: Markus Fritsche <fritsche.markus@gmail.com>
Date: Tue, 28 Apr 2026 14:32:18 +0200
Subject: [PATCH 14/29] bes2600: widen scan-defer backoff to 30s and decay
count on quiet
Subject: [PATCH] bes2600: widen scan-defer backoff to 30s and decay count on
quiet
The scan-defer logic added in the previous patch ("bes2600: defer
scan and soften WARN on firmware reject") used a 10-second backoff
@@ -57,11 +57,11 @@ status=-EBUSY, the same response a real firmware-busy would produce.
Signed-off-by: Markus Fritsche <fritsche.markus@gmail.com>
---
bes2600/scan.c | 17 +++++++++++++++--
drivers/staging/bes2600/scan.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/bes2600/scan.c b/drivers/staging/bes2600/scan.c
index 5f6af3b..b944adc 100644
index 5f6af3bc81ba..b944adcaa08c 100644
--- a/drivers/staging/bes2600/scan.c
+++ b/drivers/staging/bes2600/scan.c
@@ -22,9 +22,17 @@
@@ -105,5 +105,5 @@ index 5f6af3b..b944adc 100644
time_before(jiffies, hw_priv->scan.backoff_until))
return true;
--
2.54.0
2.53.0
patches/driver/bes2600/scan-defer-on-reject-danctnix/0001-bes2600-defer-scan-and-soften-WARN-on-firmware-reject.patch → patches/driver/bes2600/scan-defer-on-reject-danctnix/0001-bes2600-defer-scan-and-soften-WARN-on-firmware-rejec.patch
+5 -5
View File
@@ -1,7 +1,7 @@
From 844e2245a1ed517b3a0bc487fec1a100304f0b44 Mon Sep 17 00:00:00 2001
From adc6c1f332d41ee1aadd349eea11809c88139307 Mon Sep 17 00:00:00 2001
From: Markus Fritsche <fritsche.markus@gmail.com>
Date: Fri, 24 Apr 2026 21:31:45 +0200
Subject: [PATCH 13/29] bes2600: defer scan and soften WARN on firmware reject
Subject: [PATCH] bes2600: defer scan and soften WARN on firmware reject
On a BES2600-based PineTab2, mac80211's background-scan cadence
(about every 30 s when associated) triggers a two-step WARN splat
@@ -88,7 +88,7 @@ Signed-off-by: Markus Fritsche <fritsche.markus@gmail.com>
3 files changed, 83 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/bes2600/scan.c b/drivers/staging/bes2600/scan.c
index 3bfa535..5f6af3b 100644
index b2c22e7..faa1c90 100644
--- a/drivers/staging/bes2600/scan.c
+++ b/drivers/staging/bes2600/scan.c
@@ -14,11 +14,50 @@
@@ -142,7 +142,7 @@ index 3bfa535..5f6af3b 100644
#ifdef CONFIG_BES2600_TESTMODE
static int bes2600_advance_scan_start(struct bes2600_common *hw_priv)
{
@@ -703,10 +742,29 @@ void bes2600_scan_work(struct work_struct *work)
@@ -702,10 +741,29 @@ void bes2600_scan_work(struct work_struct *work)
wsm_unlock_tx(hw_priv);
} else
#endif
@@ -222,5 +222,5 @@ index d40df30..55a4e2b 100644
underflow:
--
2.54.0
2.53.0
patches/driver/bes2600/sdio-rx-no-relay-danctnix/0001-bes2600-drop-sdio_rx_work-relay-IRQ-bh-direct-no-relay-architecture.patch
-540
View File
@@ -1,540 +0,0 @@
From 0f185172b020818faec9572fd800867db623a40e Mon Sep 17 00:00:00 2001
From: Markus Fritsche <fritsche.markus@gmail.com>
Date: Thu, 7 May 2026 22:34:11 +0200
Subject: [PATCH 25/29] =?UTF-8?q?bes2600:=20drop=20sdio=5Frx=5Fwork=20rela?=
=?UTF-8?q?y,=20IRQ=E2=86=92bh-direct=20(no-relay=20architecture)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Patch C v3 — match cw1200 mainline architecture
(drivers/net/wireless/st/cw1200/). Eliminates the
sdio_rx_work workqueue relay that introduced a thread-safety
race on hw_priv->hw_bufs_used in v1 (PR #3 closed) and that
v2's atomic_t prep was a workaround for (PR #10 superseded by
v3 plan PR #11).
Architectural changes:
- bes2600_gpio_irq_handler: now calls self->irq_handler()
directly instead of queue_work(self->sdio_wq, &self->rx_work).
Bumps bh_rx atomic + wakes bh_wq.
- bes2600_bh_rx_helper (BES_SDIO_RX_MULTIPLE_ENABLE branch):
now calls priv->sbus_ops->bus_rx_batch() to do the SDIO read
inline. No pipe_read, no skb_dequeue.
- bes2600_sdio_read_rx_batch (new): the SDIO read sequence
extracted from sdio_rx_work, registered as
sbus_ops->bus_rx_batch. Runs in bh thread context.
- bes2600_sdio_extract_packets: calls
bes2600_bh_handle_rx_skb() directly per parsed SKB. No
skb_queue_tail, no rx_queue.
- bes2600_bh_handle_rx_skb (new in bh.c): the per-SKB
bookkeeping that bh_rx_helper used to do post-pipe_read
(seq# check, exception, confirm-condition, wsm_handle_rx).
Wakes bh thread for tx-burst via atomic_inc(&priv->bh_tx)
instead of bes2600_bh_wakeup() — we ARE the bh thread.
- Post-tx queue_work(rx_work) site: replaced with
self->irq_handler() to wake bh for piggyback RX check.
Deleted infrastructure:
- struct sbus_priv: rx_queue, rx_queue_lock, rx_work fields
- bes2600_sdio_pipe_read: function deleted (unused)
- sdio_rx_work: function deleted (unused)
- sbus_ops->pipe_read assignment: removed for SDIO bus
- skb_queue_head_init(&self->rx_queue), spin_lock_init(...),
INIT_WORK(rx_work): probe-time setup removed
- cancel_work_sync(rx_work) + drain loop in empty_work: removed
- flush_work(rx_work) in drain helper: replaced with msleep(2)
- work_pending(rx_work) check in suspend predicate: removed
Concurrency invariant restored:
- hw_priv->hw_bufs_used: single-writer (bh thread only)
by construction. No atomic_t needed.
- hw_priv->hw_bufs_used_vif[]: ditto.
- hw_priv->wsm_tx_pending[]: ditto.
- All other shared state: unchanged or already protected.
Phase 7 partial verification (rep 1, 2026-05-07):
- Module loads clean, srcversion 371C6606B73AF19299228CA
- Link associates, no WARN/BUG/oops
- sdio_rx_work dispatches: 0 (function deleted)
- bes2600_bh_work redispatches: 0 (single long-lived
invariant preserved)
- Chip handled stress traffic without wedge
Phase 7 full N=3 stress ramp deferred to follow-up rep series
(rep 2 had a TCP-level nc race; not a bes2600 issue but
invalidated rep 2's throughput number).
---
bes2600/bes2600_sdio.c | 144 ++++++++++++++++++++++++-----------------
bes2600/bh.c | 129 ++++++++++++++++++++++++++++++++++--
bes2600/bh.h | 9 +++
bes2600/sbus.h | 8 +++
4 files changed, 226 insertions(+), 64 deletions(-)
diff --git a/drivers/staging/bes2600/bes2600_sdio.c b/drivers/staging/bes2600/bes2600_sdio.c
index c81c244..3834032 100644
--- a/drivers/staging/bes2600/bes2600_sdio.c
+++ b/drivers/staging/bes2600/bes2600_sdio.c
@@ -29,6 +29,7 @@
#include <linux/of_gpio.h>
#include "bes2600.h"
+#include "bh.h"
#include "sbus.h"
#include "bes2600_plat.h"
#include "bes2600_factory.h"
@@ -72,10 +73,12 @@ struct sbus_priv {
int rx_data_toggle;
#endif
#ifdef BES_SDIO_RX_MULTIPLE_ENABLE
- spinlock_t rx_queue_lock;
- struct sk_buff_head rx_queue;
+ /*
+ * Patch C v3: rx_queue, rx_queue_lock, rx_work removed (no relay).
+ * The bh thread now reads RX inline; the rx_buffer scratch area
+ * stays. Counters/timestamps stay for debugfs visibility.
+ */
u8 *rx_buffer;
- struct work_struct rx_work;
u32 rx_last_ctrl;
u32 rx_valid_ctrl;
u32 rx_total_ctrl_cnt;
@@ -412,10 +415,19 @@ static void bes2600_sdio_irq_handler(struct sdio_func *func)
bes_devel("%s called, fw_started:%d \n",
__func__, self->fw_started);
- if (likely(self->fw_started && self->core)) {
- queue_work(self->sdio_wq, &self->rx_work);
+ /*
+ * Patch C v3: no more sdio_rx_work relay. Wake the bh thread
+ * directly via self->irq_handler (bes2600_irq_handler in bh.c
+ * which bumps bh_rx atomic + wakes bh_wq). The bh thread will
+ * then call sbus_ops->bus_rx_batch() to do the SDIO read inline.
+ * Matches cw1200 mainline IRQ → bh-direct architecture.
+ */
+ if (likely(self->fw_started && self->core && self->irq_handler)) {
+ spin_lock_irqsave(&self->lock, flags);
+ self->irq_handler(self->irq_priv);
+ spin_unlock_irqrestore(&self->lock, flags);
self->last_irq_timestamp = jiffies;
- } else if(self->irq_handler) {
+ } else if (self->irq_handler) {
spin_lock_irqsave(&self->lock, flags);
self->irq_handler(self->irq_priv);
spin_unlock_irqrestore(&self->lock, flags);
@@ -812,10 +824,15 @@ static int bes2600_sdio_extract_packets(struct sbus_priv *self, u32 ctrl_reg, u8
skb_put(skb, packet_len);
memcpy(skb->data, &data[pos], packet_len);
bes_devel("%s, %d,%d\n", __func__, packet_len, pos);
- spin_lock(&self->rx_queue_lock);
- skb_queue_tail(&self->rx_queue, skb);
self->rx_data_cnt++;
- spin_unlock(&self->rx_queue_lock);
+ /*
+ * Patch C v3: deliver the SKB directly into the WSM/mac80211
+ * stack from the bh thread. No rx_queue, no inter-thread
+ * handoff, no atomic_t needed on the counters that
+ * wsm_release_tx_buffer touches — single-writer-from-bh is
+ * preserved by construction. See bh.c for the contract block.
+ */
+ bes2600_bh_handle_rx_skb(self->core, skb);
packet_len = (packet_len + 3) & (~0x3);
pos += packet_len;
#ifdef BES_SDIO_OPTIMIZED_LEN
@@ -826,17 +843,31 @@ static int bes2600_sdio_extract_packets(struct sbus_priv *self, u32 ctrl_reg, u8
return 0;
}
-static void sdio_rx_work(struct work_struct *work)
+/*
+ * Patch C v3: bh thread calls this directly via sbus_ops->bus_rx_batch.
+ * No more sdio_rx_work workqueue. SDIO read sequence (lock →
+ * read_ctrl → memcpy_fromio → packets_check → extract_packets) runs
+ * inline in bh-thread context. Each parsed SKB is delivered via
+ * bes2600_bh_handle_rx_skb() from extract_packets — no rx_queue, no
+ * second worker, no inter-thread handoff.
+ *
+ * Architecture matches cw1200 mainline. Single-writer-from-bh
+ * invariant on hw_bufs_used preserved by construction.
+ *
+ * Returns 0 on success (caller's bh outer loop decides whether to
+ * continue), negative on bus read error. On error: triggers
+ * wifi_force_close (same as the old sdio_rx_work).
+ */
+static int bes2600_sdio_read_rx_batch(struct sbus_priv *self)
{
- int ret, again = 0, retry = 0, crc_retry = 0;
+ int ret = 0, again = 0, retry = 0, crc_retry = 0;
u32 ctrl_reg = 0;
int total_len;
- struct sbus_priv *self = container_of(work, struct sbus_priv, rx_work);
u8 *buf = self->rx_buffer;
/* don't read/write sdio when sdio error */
if (bes2600_chrdev_is_bus_error())
- return;
+ return 0;
bes2600_gpio_wakeup_mcu(self, GPIO_WAKE_FLAG_SDIO_RX);
@@ -891,6 +922,10 @@ static void sdio_rx_work(struct work_struct *work)
goto failed;
}
+ /*
+ * extract_packets parses the multi-RX buffer and calls
+ * bes2600_bh_handle_rx_skb() per SKB. No queueing.
+ */
if ((ret = bes2600_sdio_extract_packets(self, ctrl_reg, buf))) {
bes_err("%s,%d error=%d\n", __func__, __LINE__, ret);
goto failed;
@@ -898,22 +933,16 @@ static void sdio_rx_work(struct work_struct *work)
ctrl_reg = 0;
- if (likely(self->irq_handler)) {
- self->irq_handler(self->irq_priv);
- } else {
- bes_err("%s,%d\n", __func__, __LINE__);
- goto failed;
- }
-
} while (again);
bes2600_gpio_allow_mcu_sleep(self, GPIO_WAKE_FLAG_SDIO_RX);
- return;
+ return 0;
failed:
bes2600_gpio_allow_mcu_sleep(self, GPIO_WAKE_FLAG_SDIO_RX);
bes2600_chrdev_wifi_force_close(self->core, false);
WARN_ON(1);
+ return -1;
}
static void sdio_scan_work(struct work_struct *work)
@@ -921,26 +950,11 @@ static void sdio_scan_work(struct work_struct *work)
bes_warn("%s: this function does nothing\n", __FUNCTION__);
}
-static void *bes2600_sdio_pipe_read(struct sbus_priv *self)
-{
- struct sk_buff *skb;
-
- if (bes2600_chrdev_is_bus_error()) {
- return bes2600_tx_loop_read(self->core);
- }
-
- spin_lock(&self->rx_queue_lock);
- skb = skb_dequeue(&self->rx_queue);
- if (skb)
- self->rx_proc_cnt++;
- spin_unlock(&self->rx_queue_lock);
- if (likely(self->fw_started == true &&
- !bes2600_pwr_device_is_idle(self->core) &&
- self->core->hw_bufs_used > 0))
- if (!skb)
- queue_work(self->sdio_wq, &self->rx_work);
- return skb;
-}
+/* Patch C v3: bes2600_sdio_pipe_read deleted. bh thread reads the
+ * SDIO bus inline via bes2600_sdio_read_rx_batch (sbus_ops->bus_rx_batch).
+ * No rx_queue, no skb_dequeue, no relay. bes2600_tx_loop_read remains
+ * for the test bus error-fallback path but is now invoked at higher
+ * level. */
#endif
@@ -1196,7 +1210,14 @@ flush_previous:
}
} while (crc_retry <= 10);
sdio_release_host(self->func);
- queue_work(self->sdio_wq, &self->rx_work);
+ /*
+ * Patch C v3: wake the bh thread to check for any RX
+ * that piggybacked on this TX window. Bumps bh_rx
+ * atomic; bh's wait_event will pick it up and call
+ * sbus_ops->bus_rx_batch().
+ */
+ if (likely(self->irq_handler))
+ self->irq_handler(self->irq_priv);
if (ret) {
bes_err("%s,%d err=%d,%d,%d\n", __func__, __LINE__, ret, scatters, cur_blk);
sdio_work_debug(self);
@@ -1247,12 +1268,11 @@ static int bes2600_sdio_misc_init(struct sbus_priv *self, struct bes2600_common
self->next_toggle = 0;
#endif
#ifdef BES_SDIO_RX_MULTIPLE_ENABLE
- spin_lock_init(&self->rx_queue_lock);
- skb_queue_head_init(&self->rx_queue);
+ /* Patch C v3: rx_queue / rx_queue_lock removed (no relay). */
self->rx_buffer = (u8 *)__get_dma_pages(GFP_KERNEL, get_order(1632 * BES_SDIO_RX_MULTIPLE_NUM));
if (!self->rx_buffer)
return -ENOMEM;
- INIT_WORK(&self->rx_work, sdio_rx_work);
+ /* Patch C v3: sdio_rx_work removed; bh thread does the read. */
#endif
#ifdef BES_SDIO_TX_MULTIPLE_ENABLE
INIT_LIST_HEAD(&self->tx_bufferlist);
@@ -1581,22 +1601,15 @@ err:
static void bes2600_sdio_empty_work(struct sbus_priv *self)
{
-#ifdef BES_SDIO_RX_MULTIPLE_ENABLE
- struct sk_buff *skb;
-#endif
#ifdef BES_SDIO_TX_MULTIPLE_ENABLE
struct bes_sdio_tx_list_t *tx_buffer, *temp;
#endif
#ifdef BES_SDIO_RX_MULTIPLE_ENABLE
- cancel_work_sync(&self->rx_work);
- while (1) {
- skb = skb_dequeue(&self->rx_queue);
- if (skb)
- dev_kfree_skb(skb);
- else
- break;
- }
+ /*
+ * Patch C v3: rx_work and rx_queue removed. Counters still
+ * reset for the next attach cycle.
+ */
self->rx_last_ctrl = 0;
self->rx_total_ctrl_cnt = 0;
self->rx_continuous_ctrl_cnt = 0;
@@ -1864,7 +1877,8 @@ static struct sbus_ops bes2600_sdio_sbus_ops = {
.sbus_reg_write = bes2600_sdio_reg_write,
.init = bes2600_sdio_misc_init,
#ifdef BES_SDIO_RX_MULTIPLE_ENABLE
- .pipe_read = bes2600_sdio_pipe_read,
+ /* Patch C v3: .pipe_read removed; bus_rx_batch replaces it. */
+ .bus_rx_batch = bes2600_sdio_read_rx_batch,
#endif
#ifdef BES_SDIO_TX_MULTIPLE_ENABLE
.pipe_send = bes2600_sdio_pipe_send,
@@ -1884,9 +1898,15 @@ static void bes2600_sdio_en_lp_cb(struct bes2600_common *hw_priv)
long unsigned int old_ts, new_ts;
struct sbus_priv *self = hw_priv->sbus_priv;
+ /*
+ * Patch C v3: rx_work removed. Wait for IRQ-timestamp activity
+ * to settle by polling self->last_irq_timestamp via msleep
+ * (best-effort). The caller already knows the bh thread will
+ * process pending bh_rx during its next wait_event round.
+ */
do {
old_ts = self->last_irq_timestamp;
- flush_work(&self->rx_work);
+ msleep(2);
new_ts = self->last_irq_timestamp;
} while(old_ts != new_ts);
}
@@ -2243,8 +2263,12 @@ static int bes2600_sdio_suspend_noirq(struct device *dev)
if (func->num > 1)
return 0;
- if(self->core &&
- (work_pending(&self->rx_work) || atomic_read(&self->core->bh_rx))) {
+ /*
+ * Patch C v3: work_pending(&self->rx_work) check dropped (no
+ * relay). bh_rx atomic alone tells us whether the bh thread
+ * has un-processed RX events queued.
+ */
+ if (self->core && atomic_read(&self->core->bh_rx)) {
bes_devel("%s: Suspend interrupted.\n", __func__);
return -EAGAIN;
}
diff --git a/drivers/staging/bes2600/bh.c b/drivers/staging/bes2600/bh.c
index fab3bf0..febcaf4 100644
--- a/drivers/staging/bes2600/bh.c
+++ b/drivers/staging/bes2600/bh.c
@@ -959,6 +959,119 @@ static void bes2600_bh_parse_wakeup_event(struct bes2600_common *hw_priv, struct
}
}
+/*
+ * Direct-deliver an RX SKB into the WSM/mac80211 stack.
+ *
+ * Patch C v3 (no-relay architecture, matches cw1200): the bh thread
+ * calls bes2600_sdio_read_rx_batch which calls
+ * bes2600_sdio_extract_packets which calls THIS function per parsed
+ * SKB. No rx_queue, no sdio_rx_work, no inter-thread handoff.
+ *
+ * Single-writer-from-bh invariant on hw_priv->hw_bufs_used,
+ * hw_priv->hw_bufs_used_vif[] and hw_priv->wsm_tx_pending[] is
+ * preserved BY CONSTRUCTION — there is now only one writer (the bh
+ * thread itself), same as cw1200's design. No atomic_t conversion
+ * needed.
+ *
+ * Contract:
+ * - process context, sleepable. wsm_handle_rx (wsm.c, EXPORT_SYMBOL)
+ * acquires wsm_cmd.lock and may sleep on wait_event_timeout.
+ * - caller holds no bes2600 spinlock. bes2600_sdio_unlock(self) is
+ * called inside read_rx_batch before extract_packets is invoked.
+ * - SKB ownership: function frees on every path (success + error).
+ * - No need to wake the bh thread on TX-confirm — we ARE the bh
+ * thread; tx_burst is signalled by returning *tx_out = 1 to the
+ * caller (bh_rx_helper), which propagates it to bh's outer loop.
+ */
+int bes2600_bh_handle_rx_skb(struct bes2600_common *priv, struct sk_buff *skb)
+{
+ struct wsm_hdr *wsm;
+ size_t wsm_len;
+ u16 wsm_id;
+ u8 wsm_seq;
+ int tx = 0;
+ u32 confirm_label = 0x0;
+
+ if (!skb)
+ return 0;
+
+ wsm = (struct wsm_hdr *)skb->data;
+ wsm_len = __le16_to_cpu(wsm->len);
+ if (WARN_ON(wsm_len > skb->len)) {
+ bes_err("wsm_len err %d %d\n", (int)wsm_len, (int)skb->len);
+ dev_kfree_skb(skb);
+ return -1;
+ }
+
+ if (priv->wsm_enable_wsm_dumps)
+ print_hex_dump(KERN_DEBUG, "<-- ", DUMP_PREFIX_NONE, 16, 1,
+ skb->data, wsm_len, false);
+
+ wsm_id = __le16_to_cpu(wsm->id) & 0xFFF;
+ wsm_seq = (__le16_to_cpu(wsm->id) >> 13) & 7;
+ bes_devel("bes2600_bh_handle_rx_skb wsm_id:0x%04x seq:%d\n",
+ wsm_id, wsm_seq);
+
+ skb_trim(skb, wsm_len);
+
+ if (wsm_id == 0x0800) {
+ wsm_handle_exception(priv,
+ &skb->data[sizeof(*wsm)],
+ wsm_len - sizeof(*wsm));
+ bes_err("wsm exception\n");
+ dev_kfree_skb(skb);
+ return -1;
+ } else if ((wsm_seq != priv->wsm_rx_seq[WSM_TXRX_SEQ_IDX(wsm_id)])) {
+ bes_err("seq error! %u. %u. 0x%x.", wsm_seq,
+ priv->wsm_rx_seq[WSM_TXRX_SEQ_IDX(wsm_id)], wsm_id);
+ dev_kfree_skb(skb);
+ return -1;
+ }
+
+ bes2600_bh_parse_wakeup_event(priv, skb);
+
+ priv->wsm_rx_seq[WSM_TXRX_SEQ_IDX(wsm_id)] = (wsm_seq + 1) & 7;
+
+ if (IS_DRIVER_TO_MCU_CMD(wsm_id))
+ confirm_label = __le32_to_cpu(((struct wsm_mcu_hdr *)wsm)->handle_label);
+
+ if (WSM_CONFIRM_CONDITION(wsm_id, confirm_label)) {
+ int rc = wsm_release_tx_buffer(priv, 1);
+ bes2600_bh_dec_pending_count(priv, WSM_TXRX_SEQ_IDX(wsm->id));
+
+ if (rc < 0) {
+ bes_err("wsm_release_tx_buffer failed: %d\n", rc);
+ dev_kfree_skb(skb);
+ return rc;
+ } else if (rc > 0) {
+ tx = 1;
+ }
+ }
+
+ /* wsm_handle_rx takes care of SKB lifetime: zeroes *skb_p if consumed. */
+ if (wsm_handle_rx(priv, wsm_id, wsm, &skb)) {
+ bes_err("wsm_handle_rx failed (id=0x%04x)\n", wsm_id);
+ if (skb)
+ dev_kfree_skb(skb);
+ return -1;
+ }
+
+ if (skb)
+ dev_kfree_skb(skb);
+
+ /*
+ * Signal "tx side has new headroom" via atomic so the bh outer
+ * loop's wait_event predicate notices on its next wait. No
+ * cross-thread wake needed because we are the bh thread; the
+ * outer loop will pick this up after read_rx_batch returns.
+ */
+ if (tx)
+ atomic_inc(&priv->bh_tx);
+
+ return 0;
+}
+EXPORT_SYMBOL(bes2600_bh_handle_rx_skb);
+
static int bes2600_bh_rx_helper(struct bes2600_common *priv, int *tx)
{
struct sk_buff *skb = NULL;
@@ -970,10 +1083,18 @@ static int bes2600_bh_rx_helper(struct bes2600_common *priv, int *tx)
u32 confirm_label = 0x0; /* wsm to mcu cmd cnfirm label */
#if defined(BES_SDIO_RX_MULTIPLE_ENABLE)
- skb = (struct sk_buff *)priv->sbus_ops->pipe_read(priv->sbus_priv);
- if (!skb)
- return 0;
- rx = 1; // always consider rx pipe not empty
+ /*
+ * Patch C v3: the bh thread does the SDIO read inline via
+ * sbus_ops->bus_rx_batch. bes2600_sdio_read_rx_batch reads the
+ * multi-RX coalesced frames out of the chip and delivers each
+ * one inline via bes2600_bh_handle_rx_skb (no rx_queue, no
+ * pipe_read, no inter-thread handoff). Return value: 0 on
+ * success (bh outer loop will check whether to continue),
+ * negative on read error.
+ */
+ if (priv->sbus_ops->bus_rx_batch)
+ return priv->sbus_ops->bus_rx_batch(priv->sbus_priv);
+ return 0;
#else
u32 ctrl_reg = 0;
size_t read_len = 0;
diff --git a/drivers/staging/bes2600/bh.h b/drivers/staging/bes2600/bh.h
index 7be82dc..9ed08b1 100644
--- a/drivers/staging/bes2600/bh.h
+++ b/drivers/staging/bes2600/bh.h
@@ -39,6 +39,15 @@ int wsm_release_vif_tx_buffer(struct bes2600_common *hw_priv, int if_id,
int bes2600_bh_sw_process(struct bes2600_common *hw_priv,
struct wsm_tx_confirm *tx_confirm);
+/*
+ * Direct-deliver an RX SKB into the WSM/mac80211 stack from the bh thread.
+ * Called by bes2600_sdio_extract_packets per RX frame, no queueing.
+ * Process context, sleepable, caller holds no bes2600 spinlock.
+ * Function frees skb on every path. See bh.c for full contract.
+ */
+int bes2600_bh_handle_rx_skb(struct bes2600_common *hw_priv,
+ struct sk_buff *skb);
+
void bes2600_bh_inc_pending_count(struct bes2600_common *hw_priv, int idx);
void bes2600_bh_dec_pending_count(struct bes2600_common *hw_priv, int idx);
diff --git a/drivers/staging/bes2600/sbus.h b/drivers/staging/bes2600/sbus.h
index cb90890..96b1d4c 100644
--- a/drivers/staging/bes2600/sbus.h
+++ b/drivers/staging/bes2600/sbus.h
@@ -83,6 +83,14 @@ struct sbus_ops {
* Returns 0 on success or a negative errno.
*/
int (*bus_reset)(struct sbus_priv *self);
+ /*
+ * Read a batch of RX frames inline from the bus and deliver each
+ * one via bes2600_bh_handle_rx_skb(). Called from the bh thread
+ * (process context, sleepable). Replaces the
+ * sdio_rx_work + rx_queue + pipe_read relay (Patch C v3, 2026).
+ * Returns 0 on success, negative on read error.
+ */
+ int (*bus_rx_batch)(struct sbus_priv *self);
};
void bes2600_irq_handler(struct bes2600_common *priv);
--
2.54.0
patches/driver/bes2600/tx-sdio-dma-oob-danctnix/0001-bes2600-bounce-SDIO-TX-buffers-to-avoid-DMA-OOB-read.patch
+10 -10
View File
@@ -1,7 +1,7 @@
From 2f9b4c719faf9563895c064439a7da25f35c8fc7 Mon Sep 17 00:00:00 2001
From 4ec7d25817af09654fb9439e472890f69281840c Mon Sep 17 00:00:00 2001
From: Markus Fritsche <fritsche.markus@gmail.com>
Date: Thu, 23 Apr 2026 11:58:31 +0200
Subject: [PATCH 07/29] bes2600: bounce SDIO TX buffers to avoid DMA OOB read
Subject: [PATCH] bes2600: bounce SDIO TX buffers to avoid DMA OOB read
The SDIO TX path rounds the DMA transfer length up to the host's
current block size and hands that length to dma_map_sg() via
@@ -44,14 +44,14 @@ claiming the bus.
Signed-off-by: Markus Fritsche <fritsche.markus@gmail.com>
---
bes2600/bes2600_sdio.c | 39 ++++++++++++++++++++++++++++++++++++++-
drivers/staging/bes2600/bes2600_sdio.c | 39 ++++++++++++++++++++++++++++++++++++++-
1 file changed, 38 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/bes2600/bes2600_sdio.c b/drivers/staging/bes2600/bes2600_sdio.c
index f172d53..b9d836f 100644
diff --git a/drivers/staging/bes2600/bes2600_sdio.c b/bes2600/bes2600_sdio.c
index b595365..7bc922c 100644
--- a/drivers/staging/bes2600/bes2600_sdio.c
+++ b/drivers/staging/bes2600/bes2600_sdio.c
@@ -95,6 +95,7 @@ struct sbus_priv {
@@ -94,6 +94,7 @@ struct sbus_priv {
struct work_struct tx_work;
struct scatterlist tx_sg[BES_SDIO_TX_MULTIPLE_NUM + 1];
struct scatterlist tx_sg_nosignal[BES_SDIO_TX_MULTIPLE_NUM_NOSIGNAL + 1];
@@ -59,7 +59,7 @@ index f172d53..b9d836f 100644
u32 tx_data_cnt;
u32 tx_xfer_cnt;
u32 tx_proc_cnt;
@@ -1136,7 +1137,26 @@ static void sdio_tx_work(struct work_struct *work)
@@ -1135,7 +1136,26 @@ static void sdio_tx_work(struct work_struct *work)
}
}
@@ -87,7 +87,7 @@ index f172d53..b9d836f 100644
total_len += align;
++scatters;
/*del_node:*/
@@ -1857,6 +1877,17 @@ static int bes2600_sdio_probe(struct sdio_func *func,
@@ -1853,6 +1873,17 @@ static int bes2600_sdio_probe(struct sdio_func *func,
if (!self->single_gathered_buffer)
return -ENOMEM;
#endif
@@ -105,7 +105,7 @@ index f172d53..b9d836f 100644
#ifdef BES_SDIO_RXTX_TOGGLE
self->fw_started = false;
#endif
@@ -1984,6 +2015,12 @@ static void bes2600_sdio_remove(struct sdio_func *func)
@@ -1981,6 +2012,12 @@ static void bes2600_sdio_remove(struct sdio_func *func)
if (self->single_gathered_buffer) {
free_pages((unsigned long)self->single_gathered_buffer, get_order(MAX_SDIO_TRANSFER_LEN));
}
@@ -119,5 +119,5 @@ index f172d53..b9d836f 100644
kfree(self);
}
--
2.54.0
2.53.0
tests/ka-build/run-tests.sh
Executable
+113
View File
@@ -0,0 +1,113 @@
#!/usr/bin/env bash
# ka-build test suite — dry-run paths only.
#
# Phase-1 deliverable per issue #34. The full makepkg path is exercised
# manually on boltzmann (parity test against the most recent hand-built
# linux-fresnel-fourier pkg); not in this suite because:
# - Needs real ssh to boltzmann + ~30 min build wall time
# - Hermetic sandbox would need a mock marfrit-publish-arch on hertz
# Future-work: add a `--mock-build-host` flag + fixture builder so this
# can run in CI.
#
# What this suite covers:
# - Argument parsing + required-host check
# - manifest.yaml read + package.name / build_host.primary extraction
# - Refuses if manifest.lock missing (ka-promote not run)
# - Refuses if PKGBUILD missing
# - Refuses on patch drift between kernel-agent and marfrit-packages
# - Happy-path dry-run on fresnel (all 6 patches match)
set -euo pipefail
repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
packages_repo="${PACKAGES_REPO_FOR_TESTS:-${HOME}/src/marfrit-packages}"
pass=0
fail=0
results=()
note() { printf ' %s\n' "$*"; }
ok() { results+=("PASS $1"); pass=$((pass+1)); note "PASS"; }
ko() { results+=("FAIL $1: $2"); fail=$((fail+1)); note "FAIL: $2"; }
# Reset build/ before running so we exercise the "no manifest.lock yet" path
rm -rf "$repo_root/build/fresnel"
echo
echo "Running ka-build test suite from $repo_root"
echo
# ----- 1. requires host arg -----
echo "::: requires host arg"
set +e
out=$("$repo_root/bin/ka-build" 2>&1)
rc=$?
set -e
if [ "$rc" -eq 2 ] && echo "$out" | grep -q "host is required"; then ok "requires host arg"; else ko "requires host arg" "exit=$rc out=$out"; fi
# ----- 2. unknown flag -----
echo "::: unknown flag rejected"
set +e
out=$("$repo_root/bin/ka-build" fresnel --nonsense 2>&1)
rc=$?
set -e
if [ "$rc" -ne 0 ] && echo "$out" | grep -q "unknown flag"; then ok "unknown flag rejected"; else ko "unknown flag rejected" "exit=$rc out=$out"; fi
# ----- 3. refuses if manifest.lock missing -----
echo "::: refuses if manifest.lock missing (ka-promote not run)"
set +e
out=$("$repo_root/bin/ka-build" fresnel --dry-run --packages-repo "$packages_repo" 2>&1)
rc=$?
set -e
if [ "$rc" -eq 2 ] && echo "$out" | grep -q "no manifest.lock"; then ok "refuses no-lock"; else ko "refuses no-lock" "exit=$rc out=$out"; fi
# Now run ka-promote so the rest can proceed
"$repo_root/bin/ka-promote" fresnel >/dev/null
# ----- 4. refuses if PKGBUILD missing -----
echo "::: refuses if PKGBUILD missing (--packages-repo wrong)"
set +e
out=$("$repo_root/bin/ka-build" fresnel --dry-run --packages-repo /tmp/non-existent-mp 2>&1)
rc=$?
set -e
if [ "$rc" -eq 2 ]; then ok "refuses bad packages-repo"; else ko "refuses bad packages-repo" "exit=$rc out=$out"; fi
# ----- 5. happy-path dry-run -----
echo "::: happy-path dry-run (fresnel, real packages-repo)"
if [ ! -f "$packages_repo/arch/linux-fresnel-fourier/PKGBUILD" ]; then
note "SKIP: $packages_repo/arch/linux-fresnel-fourier/PKGBUILD not present"
results+=("SKIP happy-path dry-run (PKGBUILD missing locally)")
else
set +e
out=$("$repo_root/bin/ka-build" fresnel --dry-run --packages-repo "$packages_repo" 2>&1)
rc=$?
set -e
if [ "$rc" -eq 0 ] && echo "$out" | grep -q "patches OK (6 files)"; then ok "happy-path dry-run"; else ko "happy-path dry-run" "exit=$rc out=$out"; fi
fi
# ----- 6. patch drift detection -----
echo "::: patch drift detection (mutate a copied patch, expect exit 3)"
if [ ! -d "$packages_repo/arch/linux-fresnel-fourier" ]; then
note "SKIP: $packages_repo/arch/linux-fresnel-fourier not present"
results+=("SKIP patch drift detection")
else
sandbox=$(mktemp -d -t ka-build-drift.XXXXXX)
cp -r "$packages_repo/arch/linux-fresnel-fourier" "$sandbox/linux-fresnel-fourier"
mkdir -p "$sandbox/arch"
mv "$sandbox/linux-fresnel-fourier" "$sandbox/arch/linux-fresnel-fourier"
# Mutate one patch so its sha256 differs from manifest.lock's recorded sha
echo "drift" >> "$sandbox/arch/linux-fresnel-fourier/0001-arm64-dts-rk3399-pinebook-pro-add-OC-OPP-tables-1704-2184.patch"
set +e
out=$("$repo_root/bin/ka-build" fresnel --dry-run --packages-repo "$sandbox" 2>&1)
rc=$?
set -e
rm -rf "$sandbox"
if [ "$rc" -eq 3 ] && echo "$out" | grep -q "DRIFT:"; then ok "patch drift detection"; else ko "patch drift detection" "exit=$rc out=$out"; fi
fi
echo
echo "===================="
printf '%s\n' "${results[@]}"
echo "===================="
echo "passed: $pass"
echo "failed: $fail"
[ "$fail" -eq 0 ] || exit 1