bes2600: recover wedged firmware via mmc_hw_reset on link break

When the LMAC active monitor detects 'link break between lmac and host' (the hw_buf_used==pending watchdog in bes2600_bh_lmac_active_monitor), bes2600_chrdev_wifi_force_close(hw_priv, true) is invoked to tear the device down and prepare for a fresh probe. On the wifi_force_close_work side this calls bes2600_chrdev_do_system_close() which dispatches sbus_ops->power_switch(0). On PineTab2 (RK3566 + BES2600WM over SDIO) this recovery path is a no-op: * bes2600_sdio_power_down() writes a SYSTEM_CLOSE host-int message, clears MMC_CAP_NONREMOVABLE, and schedules sdio_scan_work, which is the literal one-line stub bes_warn("...this function does nothing\n"). * bes2600_sdio_on() (the eventual power_switch(1) counterpart) toggles pdata->powerup, which is NULL on PineTab2 because the wifi-reset GPIO is owned by sdio_pwrseq, not the bes2600 device tree node (see arch/arm64/boot/dts/rockchip/rk3566-pinetab2.dtsi: 'The reset pin is claimed by sdio_mmcseq, It is better to move it to U-Boot so the OS can use it.'). Net result: the chip is never reset. The function drivers are not removed (the SDIO core has no signal that the card is gone), the firmware stays wedged, and a subsequent rmmod bes2600 leaves the SDIO function in a half-torn-down state. modprobe bes2600 then fails with 'probe with driver bes2600_wlan failed with error -123' (-ENOMEDIUM) on both functions (:1 wifi, :2 BT-companion) until a full system reboot. Observed on PineTab2 (linux-pinetab2 6.19.10-danctnix1-1) after ~150 minutes of background-scan rejects (wsm_generic_confirm 0x0007, [SCAN] Scan failed (-22)) accumulating until the LMAC stopped acknowledging TX buffers (hw_buf_used:24 pending:24). Reproducible under sustained scan pressure. Add a sbus operation bus_reset() that the recovery path can call when power_switch() has no effective chip-reset signal of its own. Provide an SDIO implementation that calls mmc_hw_reset(self->func->card), which on a multi-function SDIO card (PineTab2 binds func 1 for WLAN and func 2 for the BT-companion path) takes the remove-and-rescan path: mmc_sdio_hw_reset() marks the card removed and schedules mmc_rescan, which tears down the bound function drivers and re-detects the card on the next sweep, in turn reinvoking bes2600_sdio_probe(). With a single function probed it instead invokes mmc_power_cycle() directly, which on PineTab2 toggles the wifi-reset GPIO via sdio_pwrseq. Add bes2600_chrdev_do_bus_reset() as the chrdev-side helper. It invokes the bus op and then waits on probe_done_wq for the SDIO remove() callback to clear sbus_priv, mirroring the wait pattern already used by bes2600_chrdev_do_system_close() so that a subsequent bes2600_switch_wifi(true) sees a clean state and can wait on the fresh probe. Wire it into bes2600_chrdev_wifi_force_close_work(): when halt_dev is set (the hard-exception path used by both bes2600_bh_lmac_active_monitor and bes2600_bh_mcu_active_monitor) and the underlying bus implements bus_reset, take the new recovery path; otherwise fall back to the legacy power_switch(0) sequence so this patch is a no-op on USB or any other future bus that does not provide bus_reset. mmc_hw_reset() is exported by the MMC core and is the canonical recovery primitive; calling it without holding the SDIO host claim is correct because the multi-func remove-and-rescan path acquires the host claim via the mmc workqueue, and the single-func mmc_power_cycle path does not require the host claim. No DT change is required: this works against the existing PineTab2 DTS, where the wifi-reset GPIO and the optional sdio_pwrkey GPIO (on v2.0 boards) are both already configured as MMC pwrseq resets. Signed-off-by: Markus Fritsche <fritsche.markus@gmail.com>
2026-04-26 22:32:29 +02:00
15 changed files with 166 additions and 816 deletions
@@ -356,23 +356,15 @@ struct bes2600_common {
 	* Keeping in common structure for the time being. Will be moved to VIFF
 	* after the mechanism is clear */
 	u8				ba_tid_mask;
-	/*
+	int				ba_acc; /*TODO: Same as above */
-	 * Patch D: ba_lock removed.  Per-frame TX/RX hot-path bumped these
+	int				ba_cnt; /*TODO: Same as above */
-	 * counters under spin_lock_bh; the lock did not protect any
+	int				ba_cnt_rx; /*TODO: Same as above */
-	 * compound invariant that atomic ops can't satisfy.  Counters are
+	int				ba_acc_rx; /*TODO: Same as above */
-	 * now atomic_t; ba_armed gates the once-per-window mod_timer
+	int				ba_hist; /*TODO: Same as above */
-	 * arm via cmpxchg so concurrent TX/RX at a fresh window each
+	struct timer_list		ba_timer;/*TODO: Same as above */
-	 * try to claim the arm and exactly one succeeds.
+	spinlock_t			ba_lock; /*TODO: Same as above */
-	 */
+	bool				ba_ena; /*TODO: Same as above */
-	atomic_t			ba_acc;
+	struct work_struct              ba_work; /*TODO: Same as above */
 	atomic_t			ba_cnt;
 	atomic_t			ba_cnt_rx;
 	atomic_t			ba_acc_rx;
 	atomic_t			ba_armed;
 	int				ba_hist;
 	struct timer_list		ba_timer;
 	atomic_t			ba_ena;
 	struct work_struct              ba_work;
 	bool				is_BT_Present;
 	bool				is_go_thru_go_neg;
 	u8				conf_listen_interval;
@@ -519,9 +511,6 @@ struct bes2600_common {
 	struct list_head coex_event_list;
 	spinlock_t coex_event_lock;
 	/* Connection-loss-storm fast-recover (Trigger A). See sta.c. */
 	struct work_struct connection_loss_storm_recover_work;
 	/* member for low power */
 	struct bes2600_pwr_t bes_power;
@@ -607,11 +596,6 @@ struct bes2600_vif {
        unsigned long           rx_timestamp;
        u32                     cipherType;
 	/* Decrypt-storm fast-recover (Trigger B). See txrx.c. */
 	unsigned long			decrypt_storm_window_start;
 	unsigned int			decrypt_storm_count;
 	unsigned int			decrypt_storm_recoveries;
 	struct work_struct		decrypt_storm_recover_work;
 	/* AP powersave */
 	u32			link_id_map;
@@ -638,10 +622,6 @@ struct bes2600_vif {
 	/* CQM Implementation */
 	struct delayed_work	bss_loss_work;
 	struct delayed_work	connection_loss_work;
 	/* Connection-loss-storm fast-recover (Trigger A). See sta.c. */
 	unsigned long		connection_loss_storm_window_start;
 	unsigned int		connection_loss_storm_count;
 	unsigned int		connection_loss_storm_recoveries;
 	struct work_struct	tx_failure_work;
 	int			delayed_link_loss;
 	spinlock_t		bss_loss_lock;
@@ -876,13 +856,4 @@ int bes2600_btusb_setup_pipes(struct sbus_priv *sbus_priv);
 void bes2600_btusb_uninit(struct usb_interface *interface);
 #endif
 /* Decrypt-storm fast-recover helpers — see txrx.c. */
 void bes2600_decrypt_storm_init(struct bes2600_vif *priv);
 void bes2600_decrypt_storm_account(struct bes2600_vif *priv);
 /* Connection-loss-storm fast-recover helpers — see sta.c. */
 void bes2600_connection_loss_storm_init(struct bes2600_vif *priv);
 bool bes2600_connection_loss_storm_account(struct bes2600_vif *priv);
 void bes2600_connection_loss_storm_recover(struct work_struct *work);
 #endif /* BES2600_H */
@@ -29,7 +29,6 @@
 #include <linux/of_gpio.h>
 #include "bes2600.h"
 #include "bh.h"
 #include "sbus.h"
 #include "bes2600_plat.h"
 #include "bes2600_factory.h"
@@ -73,12 +72,10 @@ struct sbus_priv {
 	int rx_data_toggle;
 #endif
 #ifdef BES_SDIO_RX_MULTIPLE_ENABLE
-	/*
+	spinlock_t rx_queue_lock;
-	 * Patch C v3: rx_queue, rx_queue_lock, rx_work removed (no relay).
+	struct sk_buff_head rx_queue;
 	 * The bh thread now reads RX inline; the rx_buffer scratch area
 	 * stays.  Counters/timestamps stay for debugfs visibility.
 	 */
 	u8 *rx_buffer;
 	struct work_struct rx_work;
 	u32 rx_last_ctrl;
 	u32 rx_valid_ctrl;
 	u32 rx_total_ctrl_cnt;
@@ -415,19 +412,10 @@ static void bes2600_sdio_irq_handler(struct sdio_func *func)
 	bes_devel("%s called, fw_started:%d \n",
 			 __func__, self->fw_started);
-	/*
+	if (likely(self->fw_started && self->core)) {
-	 * Patch C v3: no more sdio_rx_work relay.  Wake the bh thread
+		queue_work(self->sdio_wq, &self->rx_work);
 	 * directly via self->irq_handler (bes2600_irq_handler in bh.c
 	 * which bumps bh_rx atomic + wakes bh_wq).  The bh thread will
 	 * then call sbus_ops->bus_rx_batch() to do the SDIO read inline.
 	 * Matches cw1200 mainline IRQ → bh-direct architecture.
 	 */
 	if (likely(self->fw_started && self->core && self->irq_handler)) {
 		spin_lock_irqsave(&self->lock, flags);
 		self->irq_handler(self->irq_priv);
 		spin_unlock_irqrestore(&self->lock, flags);
 		self->last_irq_timestamp = jiffies;
-	} else if (self->irq_handler) {
+	} else if(self->irq_handler) {
 		spin_lock_irqsave(&self->lock, flags);
 		self->irq_handler(self->irq_priv);
 		spin_unlock_irqrestore(&self->lock, flags);
@@ -824,15 +812,10 @@ static int bes2600_sdio_extract_packets(struct sbus_priv *self, u32 ctrl_reg, u8
 		skb_put(skb, packet_len);
 		memcpy(skb->data, &data[pos], packet_len);
 		bes_devel("%s, %d,%d\n", __func__, packet_len, pos);
 		spin_lock(&self->rx_queue_lock);
 		skb_queue_tail(&self->rx_queue, skb);
 		self->rx_data_cnt++;
-		/*
+		spin_unlock(&self->rx_queue_lock);
 		 * Patch C v3: deliver the SKB directly into the WSM/mac80211
 		 * stack from the bh thread.  No rx_queue, no inter-thread
 		 * handoff, no atomic_t needed on the counters that
 		 * wsm_release_tx_buffer touches — single-writer-from-bh is
 		 * preserved by construction.  See bh.c for the contract block.
 		 */
 		bes2600_bh_handle_rx_skb(self->core, skb);
 		packet_len = (packet_len + 3) & (~0x3);
 		pos += packet_len;
 		#ifdef BES_SDIO_OPTIMIZED_LEN
@@ -843,31 +826,17 @@ static int bes2600_sdio_extract_packets(struct sbus_priv *self, u32 ctrl_reg, u8
 	return 0;
 }
-/*
+static void sdio_rx_work(struct work_struct *work)
 * Patch C v3: bh thread calls this directly via sbus_ops->bus_rx_batch.
 * No more sdio_rx_work workqueue.  SDIO read sequence (lock →
 * read_ctrl → memcpy_fromio → packets_check → extract_packets) runs
 * inline in bh-thread context.  Each parsed SKB is delivered via
 * bes2600_bh_handle_rx_skb() from extract_packets — no rx_queue, no
 * second worker, no inter-thread handoff.
 *
 * Architecture matches cw1200 mainline.  Single-writer-from-bh
 * invariant on hw_bufs_used preserved by construction.
 *
 * Returns 0 on success (caller's bh outer loop decides whether to
 * continue), negative on bus read error.  On error: triggers
 * wifi_force_close (same as the old sdio_rx_work).
 */
 static int bes2600_sdio_read_rx_batch(struct sbus_priv *self)
 {
-	int ret = 0, again = 0, retry = 0, crc_retry = 0;
+	int ret, again = 0, retry = 0, crc_retry = 0;
 	u32 ctrl_reg = 0;
 	int total_len;
 	struct sbus_priv *self = container_of(work, struct sbus_priv, rx_work);
 	u8 *buf = self->rx_buffer;
 	/* don't read/write sdio when sdio error */
 	if (bes2600_chrdev_is_bus_error())
-		return 0;
+		return;
 	bes2600_gpio_wakeup_mcu(self, GPIO_WAKE_FLAG_SDIO_RX);
@@ -922,10 +891,6 @@ static int bes2600_sdio_read_rx_batch(struct sbus_priv *self)
 			goto failed;
 		}
 		/*
 		 * extract_packets parses the multi-RX buffer and calls
 		 * bes2600_bh_handle_rx_skb() per SKB.  No queueing.
 		 */
 		if ((ret = bes2600_sdio_extract_packets(self, ctrl_reg, buf))) {
 			bes_err("%s,%d error=%d\n", __func__, __LINE__, ret);
 			goto failed;
@@ -933,16 +898,22 @@ static int bes2600_sdio_read_rx_batch(struct sbus_priv *self)
 		ctrl_reg = 0;
 		if (likely(self->irq_handler)) {
 			self->irq_handler(self->irq_priv);
 		} else {
 			bes_err("%s,%d\n", __func__, __LINE__);
 			goto failed;
 		}
 	} while (again);
 	bes2600_gpio_allow_mcu_sleep(self, GPIO_WAKE_FLAG_SDIO_RX);
-	return 0;
+	return;
 failed:
 	bes2600_gpio_allow_mcu_sleep(self, GPIO_WAKE_FLAG_SDIO_RX);
 	bes2600_chrdev_wifi_force_close(self->core, false);
 	WARN_ON(1);
 	return -1;
 }
 static void sdio_scan_work(struct work_struct *work)
@@ -950,11 +921,26 @@ static void sdio_scan_work(struct work_struct *work)
 	bes_warn("%s: this function does nothing\n", __FUNCTION__);
 }
-/* Patch C v3: bes2600_sdio_pipe_read deleted.  bh thread reads the
+static void *bes2600_sdio_pipe_read(struct sbus_priv *self)
- * SDIO bus inline via bes2600_sdio_read_rx_batch (sbus_ops->bus_rx_batch).
+{
- * No rx_queue, no skb_dequeue, no relay.  bes2600_tx_loop_read remains
+	struct sk_buff *skb;
- * for the test bus error-fallback path but is now invoked at higher
+
- * level. */
+	if (bes2600_chrdev_is_bus_error()) {
 		return bes2600_tx_loop_read(self->core);
 	}
 	spin_lock(&self->rx_queue_lock);
 	skb = skb_dequeue(&self->rx_queue);
 	if (skb)
 		self->rx_proc_cnt++;
 	spin_unlock(&self->rx_queue_lock);
 	if (likely(self->fw_started == true &&
 		!bes2600_pwr_device_is_idle(self->core) &&
 		self->core->hw_bufs_used > 0))
 		if (!skb)
 			queue_work(self->sdio_wq, &self->rx_work);
 	return skb;
 }
 #endif
@@ -1210,14 +1196,7 @@ flush_previous:
 				}
 			} while (crc_retry <= 10);
 			sdio_release_host(self->func);
-			/*
+			queue_work(self->sdio_wq, &self->rx_work);
 			 * Patch C v3: wake the bh thread to check for any RX
 			 * that piggybacked on this TX window.  Bumps bh_rx
 			 * atomic; bh's wait_event will pick it up and call
 			 * sbus_ops->bus_rx_batch().
 			 */
 			if (likely(self->irq_handler))
 				self->irq_handler(self->irq_priv);
 			if (ret) {
 				bes_err("%s,%d err=%d,%d,%d\n", __func__, __LINE__, ret, scatters, cur_blk);
 				sdio_work_debug(self);
@@ -1268,11 +1247,12 @@ static int bes2600_sdio_misc_init(struct sbus_priv *self, struct bes2600_common
 	self->next_toggle = 0;
 #endif
 #ifdef BES_SDIO_RX_MULTIPLE_ENABLE
-	/* Patch C v3: rx_queue / rx_queue_lock removed (no relay). */
+	spin_lock_init(&self->rx_queue_lock);
 	skb_queue_head_init(&self->rx_queue);
 	self->rx_buffer = (u8 *)__get_dma_pages(GFP_KERNEL, get_order(1632 * BES_SDIO_RX_MULTIPLE_NUM));
 	if (!self->rx_buffer)
 		return -ENOMEM;
-	/* Patch C v3: sdio_rx_work removed; bh thread does the read. */
+	INIT_WORK(&self->rx_work, sdio_rx_work);
 #endif
 #ifdef BES_SDIO_TX_MULTIPLE_ENABLE
 	INIT_LIST_HEAD(&self->tx_bufferlist);
@@ -1409,14 +1389,7 @@ static void bes2600_gpio_wakeup_mcu(struct sbus_priv *self, int flag)
 	/* error check */
 	if((self->gpio_wakup_flags & BIT(flag)) != 0) {
-		/*
+		bes_err(			"repeat set gpio_wake_flag, sub_sys:%d", flag);
 		 * Multiple subsystems holding wake is the steady-state case
 		 * (e.g. WIFI + BT both want MCU awake). Demoted from bes_err
 		 * to bes_devel since it isn't an error - the GPIO is already
 		 * asserted high and the subsystem is now also tracked.
 		 */
 		bes_devel("repeat set gpio_wake_flag, sub_sys:%d\n", flag);
 		self->gpio_wakup_flags |= BIT(flag);
 		mutex_unlock(&self->io_mutex);
 		return;
 	}
@@ -1448,11 +1421,7 @@ static void bes2600_gpio_allow_mcu_sleep(struct sbus_priv *self, int flag)
 	/* error check */
 	if((self->gpio_wakup_flags & BIT(flag)) == 0) {
-		/*
+		bes_err(			"repeat clear gpio_wake_flag, sub_sys:%d", flag);
 		 * Mirror of the wake path: a clear when the bit is already
 		 * clear is racy bookkeeping, not a hardware error.
 		 */
 		bes_devel("repeat clear gpio_wake_flag, sub_sys:%d\n", flag);
 		mutex_unlock(&self->io_mutex);
 		return;
 	}
@@ -1601,15 +1570,22 @@ err:
 static void bes2600_sdio_empty_work(struct sbus_priv *self)
 {
 #ifdef BES_SDIO_RX_MULTIPLE_ENABLE
 	struct sk_buff *skb;
 #endif
 #ifdef BES_SDIO_TX_MULTIPLE_ENABLE
 	struct bes_sdio_tx_list_t *tx_buffer, *temp;
 #endif
 #ifdef BES_SDIO_RX_MULTIPLE_ENABLE
-	/*
+	cancel_work_sync(&self->rx_work);
-	 * Patch C v3: rx_work and rx_queue removed.  Counters still
+	while (1) {
-	 * reset for the next attach cycle.
+		skb = skb_dequeue(&self->rx_queue);
-	 */
+		if (skb)
 			dev_kfree_skb(skb);
 		else
 			break;
 	}
 	self->rx_last_ctrl = 0;
 	self->rx_total_ctrl_cnt = 0;
 	self->rx_continuous_ctrl_cnt = 0;
@@ -1823,32 +1799,10 @@ static void bes2600_sdio_halt_device(struct sbus_priv *self)
 */
 static int bes2600_sdio_bus_reset(struct sbus_priv *self)
 {
 	struct mmc_host *host;
 	int ret;
 	if (!self || !self->func || !self->func->card)
 		return -EINVAL;
-	host = self->func->card->host;
+	return mmc_hw_reset(self->func->card);
 	ret = mmc_hw_reset(self->func->card);
 	/*
 	 * On multi-function SDIO cards (BES2600 has WLAN func 1 + BT
 	 * companion func 2), mmc_sdio_hw_reset() removes the card and
 	 * returns 1 to signal "remove happened, caller must trigger
 	 * rescan". The kernel does NOT auto-rescan in this case;
 	 * single-function cards take the rescan path inline and return 0.
 	 * Treat any non-negative return as success and force a rescan if
 	 * mmc_hw_reset signalled the multi-function path - otherwise the
 	 * card stays removed indefinitely after a wedge recovery,
 	 * leaving wifi (and the BT companion) silent until reboot.
 	 */
 	if (ret > 0) {
 		bes_info("multi-func mmc_hw_reset removed card; scheduling rescan\n");
 		mmc_detect_change(host, 0);
 		ret = 0;
 	}
 	return ret;
 }
 static bool bes2600_sdio_wakeup_source(struct sbus_priv *self)
@@ -1877,8 +1831,7 @@ static struct sbus_ops bes2600_sdio_sbus_ops = {
 	.sbus_reg_write		= bes2600_sdio_reg_write,
 	.init			= bes2600_sdio_misc_init,
 #ifdef BES_SDIO_RX_MULTIPLE_ENABLE
-	/* Patch C v3: .pipe_read removed; bus_rx_batch replaces it. */
+	.pipe_read		= bes2600_sdio_pipe_read,
 	.bus_rx_batch		= bes2600_sdio_read_rx_batch,
 #endif
 #ifdef BES_SDIO_TX_MULTIPLE_ENABLE
 	.pipe_send		= bes2600_sdio_pipe_send,
@@ -1898,15 +1851,9 @@ static void bes2600_sdio_en_lp_cb(struct bes2600_common *hw_priv)
 	long unsigned int old_ts, new_ts;
 	struct sbus_priv *self = hw_priv->sbus_priv;
 	/*
 	 * Patch C v3: rx_work removed.  Wait for IRQ-timestamp activity
 	 * to settle by polling self->last_irq_timestamp via msleep
 	 * (best-effort).  The caller already knows the bh thread will
 	 * process pending bh_rx during its next wait_event round.
 	 */
 	do {
 		old_ts = self->last_irq_timestamp;
-		msleep(2);
+		flush_work(&self->rx_work);
 		new_ts = self->last_irq_timestamp;
 	} while(old_ts != new_ts);
 }
@@ -2264,12 +2211,8 @@ static int bes2600_sdio_suspend_noirq(struct device *dev)
 	if (func->num > 1)
 		return 0;
-	/*
+	if(self->core &&
-	 * Patch C v3: work_pending(&self->rx_work) check dropped (no
+	   (work_pending(&self->rx_work) || atomic_read(&self->core->bh_rx))) {
 	 * relay).  bh_rx atomic alone tells us whether the bh thread
 	 * has un-processed RX events queued.
 	 */
 	if (self->core && atomic_read(&self->core->bh_rx)) {
 		bes_devel("%s: Suspend interrupted.\n", __func__);
 		return -EAGAIN;
 	}
@@ -484,18 +484,6 @@ int bes2600_chrdev_do_bus_reset(const struct sbus_ops *sbus_ops, struct sbus_pri
 	return 0;
 }
 /*
 * Trigger bes2600_chrdev_do_bus_reset() against the file-global
 * bes2600_cdev. Used by host-side recovery paths outside this
 * compilation unit (e.g. sta.c connection-loss-storm fast-recover) so
 * those callers do not need to reach the static bes2600_cdev directly.
 */
 int bes2600_chrdev_trigger_bus_reset(void)
 {
 	return bes2600_chrdev_do_bus_reset(bes2600_cdev.sbus_ops,
 					   bes2600_cdev.sbus_priv);
 }
 bool bes2600_chrdev_is_wifi_opened(void)
 {
 	bool wifi_opened = false;
@@ -61,7 +61,6 @@ struct sbus_priv *bes2600_chrdev_get_sbus_priv_data(void);
 int bes2600_chrdev_check_system_close(void);
 int bes2600_chrdev_do_system_close(const struct sbus_ops *sbus_ops, struct sbus_priv *priv);
 int bes2600_chrdev_do_bus_reset(const struct sbus_ops *sbus_ops, struct sbus_priv *priv);
 int bes2600_chrdev_trigger_bus_reset(void);
 void bes2600_chrdev_wakeup_bt(void);
 void bes2600_chrdev_wifi_force_close(struct bes2600_common *hw_priv, bool halt_dev);
 void bes2600_chrdev_usb_remove(struct bes2600_common *hw_priv);
@@ -467,45 +467,6 @@ static void bes2600_pwr_device_enter_lp_mode(struct bes2600_common *hw_priv)
 	bes_devel("device enter sleep\n");
 }
 /*
 * Number of consecutive bes2600_pwr_enter_lp_mode timeouts (with zero
 * PM_INDICATIONs received) before we conclude the firmware does not
 * honor host-driven PSM and switch to a sticky skip path.
 */
 #define BES2600_PM_UNSUPPORTED_THRESHOLD	3
 /*
 * Latch pm_unsupported = true and force chip_pm_state = ACTIVE so the
 * c6.2 wake-side skip branch covers bes2600_pwr_device_exit_lp_mode.
 * Called after BES2600_PM_UNSUPPORTED_THRESHOLD consecutive enter_lp_mode
 * timeouts with zero PM_INDICATIONs.
 */
 static void bes2600_pwr_latch_pm_unsupported(struct bes2600_common *hw_priv)
 {
 	bes_warn("PSM not honored (%u timeouts), switching to skip mode\n",
 		 hw_priv->bes_power.pm_consecutive_timeouts);
 	hw_priv->bes_power.pm_unsupported = true;
 	atomic_set(&hw_priv->bes_power.chip_pm_state,
 		   BES2600_CHIP_PM_ACTIVE);
 	/*
 	 * Hold the MCU wake-flag bit permanently. Without this, every
 	 * sdio_rx_work invocation hits bes2600_gpio_wakeup_mcu(SDIO_RX)
 	 * when gpio_wakup_flags == 0, drives the GPIO high and msleeps
 	 * 10 ms per RX. With ~50 RX/s of beacons + multicast that's
 	 * ~50%% of the bes_sdio workqueue thread blocked in msleep,
 	 * which directly caps RX throughput. Holding the MCU bit makes
 	 * those calls bit-only bookkeeping (gpio_wakeup = (flags == 0)
 	 * stays false, no GPIO toggle, no msleep). The bit is never
 	 * cleared once pm_unsupported is set because
 	 * bes2600_pwr_device_enter_lp_mode is unreachable under the
 	 * early-return.
 	 */
 	if (hw_priv->sbus_ops->gpio_wake)
 		hw_priv->sbus_ops->gpio_wake(hw_priv->sbus_priv,
 					     GPIO_WAKE_FLAG_MCU);
 }
 static int bes2600_pwr_enter_lp_mode(struct bes2600_common *hw_priv)
 {
 	int i = 0;
@@ -515,17 +476,6 @@ static int bes2600_pwr_enter_lp_mode(struct bes2600_common *hw_priv)
 	char ip_str[20];
 	unsigned long status = 0;
 	/*
 	 * Sticky early-return when we've previously concluded the firmware
 	 * doesn't honor PSM. Each attempt would otherwise burn 5s on a
 	 * doomed wait_for_completion_timeout and produce a noisy three-line
 	 * cascade in dmesg every time power_down_work retries (every
 	 * ~10s). The chip stays in active mode, which on this firmware is
 	 * the de-facto state anyway.
 	 */
 	if (hw_priv->bes_power.pm_unsupported)
 		return -EOPNOTSUPP;
 	/* set interface low power configuration */
 	bes2600_for_each_vif(hw_priv, priv, i) {
 #ifdef P2P_MULTIVIF
@@ -574,17 +524,7 @@ static int bes2600_pwr_enter_lp_mode(struct bes2600_common *hw_priv)
 				bes_devel("%s, psMode:%s, fastPsmIdlePeriod:%d apPsmChangePeriod:%d minAutoPsPollPeriod:%d\n",
 						__func__, bes2600_get_ps_mode_str(priv->powersave_mode.pmMode), priv->powersave_mode.fastPsmIdlePeriod,
 						priv->powersave_mode.apPsmChangePeriod, priv->powersave_mode.minAutoPsPollPeriod);
 				/*
 				 * Reinit BEFORE the WSM goes out, so a stale
 				 * indication from a previous cycle cannot have
 				 * primed pm_enter_cmpl. From here until the
 				 * indication callback's cmpxchg(1->0) on
 				 * pm_set_in_process, only the indication for
 				 * THIS request can complete the wait.
 				 */
 				reinit_completion(&hw_priv->bes_power.pm_enter_cmpl);
 				atomic_set(&hw_priv->bes_power.pm_set_in_process, 1);
 				ret = bes2600_set_pm(priv, &priv->powersave_mode);
 				if (ret) {
 					atomic_set(&hw_priv->bes_power.pm_set_in_process, 0);
@@ -595,36 +535,11 @@ static int bes2600_pwr_enter_lp_mode(struct bes2600_common *hw_priv)
 				/* wait power save mode changed indication */
 				status = wait_for_completion_timeout(&hw_priv->bes_power.pm_enter_cmpl, 5 * HZ);
 				atomic_set(&hw_priv->bes_power.pm_set_in_process, 0);
 				reinit_completion(&hw_priv->bes_power.pm_enter_cmpl);
 				if (!status) {
-					/*
+					bes_devel("%s, wait pm ind timeout\n", __func__);
-					 * The indication callback only fires
+					timeouts++;
 					 * complete() when it observes
 					 * pm_set_in_process == 1; cmpxchg it
 					 * to 0 here so a late indication
 					 * cannot prime the next wait.
 					 *
 					 * If we win the cmpxchg, this is a
 					 * real timeout: the firmware's PS
 					 * state is unknown to us. Mark it as
 					 * such so the next wake path can
 					 * probe before assuming the chip is
 					 * still active.
 					 *
 					 * If we lose the cmpxchg, the
 					 * indication arrived between the
 					 * wait timing out and us getting
 					 * here; treat as success.
 					 */
 					if (atomic_cmpxchg(&hw_priv->bes_power.pm_set_in_process,
 							   1, 0) == 1) {
 						bes_devel("%s, wait pm ind timeout\n", __func__);
 						atomic_set(&hw_priv->bes_power.chip_pm_state,
 							   BES2600_CHIP_PM_UNKNOWN);
 						timeouts++;
 						if (++hw_priv->bes_power.pm_consecutive_timeouts
 						    >= BES2600_PM_UNSUPPORTED_THRESHOLD)
 							bes2600_pwr_latch_pm_unsupported(hw_priv);
 					}
 				}
 			} else {
 				bes_devel("skip enter lp mode\n");
@@ -639,35 +554,10 @@ static int bes2600_pwr_enter_lp_mode(struct bes2600_common *hw_priv)
 	 * in an inconsistent state that cascades into SDIO TX errors on
 	 * the BES2600.
 	 */
-	if (timeouts == 0) {
+	if (timeouts == 0)
 		bes2600_pwr_device_enter_lp_mode(hw_priv);
-	} else {
+	else
 		/*
 		 * device_enter_lp_mode() was skipped (one or more VIFs
 		 * timed out waiting for the firmware indication) so its
 		 * gpio_sleep(MCU) - which drops the wake-flag bit and, if
 		 * no other subsystem holds the wake, drives the GPIO low -
 		 * never ran. Without it the bit stays asserted, and the
 		 * next bes2600_pwr_device_exit_lp_mode() calls
 		 * gpio_wake(MCU) into a "bit already set" no-op: the GPIO
 		 * never re-edges, sbus_active() exhausts its 200x2ms
 		 * MCU_WAKEUP_READY budget against an unwoken chip, and
 		 * the first TX after idle stalls for several seconds.
 		 *
 		 * Drop the MCU wake-flag bit explicitly here so the next
 		 * wake injects a real GPIO edge. gpio_allow_mcu_sleep
 		 * preserves multi-subsystem semantics: it only drives the
 		 * GPIO low when no other subsystem still holds wake; if
 		 * BT or another holder is keeping the chip awake, the
 		 * GPIO stays high and the bit clear here is purely
 		 * bookkeeping (so the next gpio_wake doesn't no-op).
 		 */
 		if (!hw_priv->bes_power.pm_unsupported &&
 		    hw_priv->sbus_ops->gpio_sleep)
 			hw_priv->sbus_ops->gpio_sleep(hw_priv->sbus_priv,
 						      GPIO_WAKE_FLAG_MCU);
 		ret = -ETIMEDOUT;
 	}
 	return ret;
 }
@@ -675,61 +565,19 @@ static int bes2600_pwr_enter_lp_mode(struct bes2600_common *hw_priv)
 static void bes2600_pwr_device_exit_lp_mode(struct bes2600_common *hw_priv)
 {
 	int ret = 0;
 	enum bes2600_chip_pm_state state;
 	struct wsm_operational_mode mode = {
 		.power_mode = wsm_power_mode_active,
 		.disableMoreFlagUsage = true,
 	};
-	/*
+	bes_devel("host lock lmac\n");
-	 * Consult chip_pm_state set by bes2600_pwr_notify_ps_changed().
+	if(hw_priv->sbus_ops->gpio_wake)
-	 * If we last saw the firmware confirm ACTIVE, skip ONLY the
+		hw_priv->sbus_ops->gpio_wake(hw_priv->sbus_priv, GPIO_WAKE_FLAG_MCU);
 	 * gpio_wake + sbus_active wake handshake - the GPIO is already
 	 * asserted high and the SDIO MCU subsystem is already running,
 	 * so another sbus_active() round-trip just hits its 200x2ms
 	 * timeout because the firmware has nothing to do.
 	 *
 	 * wsm_set_operational_mode() below is NOT part of the wake
 	 * handshake; it is the operational-mode setter the firmware
 	 * tracks per call. Skipping it leaves the chip's SDIO state
 	 * machine without a fresh operational-mode update, which on
 	 * PineTab2 wedges the bus (-EBUSY on next sdio_rx_work read)
 	 * within a few seconds of probe completion. So it must run
 	 * unconditionally.
 	 */
 	state = atomic_read(&hw_priv->bes_power.chip_pm_state);
 	if (state == BES2600_CHIP_PM_ACTIVE) {
 		bes_devel("device_exit_lp_mode: chip already ACTIVE, skipping wake handshake\n");
 	} else {
 		bes_devel("host lock lmac\n");
 		if (hw_priv->sbus_ops->gpio_wake)
 			hw_priv->sbus_ops->gpio_wake(hw_priv->sbus_priv,
 						      GPIO_WAKE_FLAG_MCU);
-		if (hw_priv->sbus_ops->sbus_active) {
+	if(hw_priv->sbus_ops->sbus_active) {
-			ret = hw_priv->sbus_ops->sbus_active(hw_priv->sbus_priv,
+		ret = hw_priv->sbus_ops->sbus_active(hw_priv->sbus_priv, SUBSYSTEM_MCU);
-							     SUBSYSTEM_MCU);
+		if (ret)
-			if (ret) {
+			bes_err("%s, active mcu fail\n", __func__);
 				/*
 				 * MCU_WAKEUP_READY did not arrive within
 				 * the SDIO handshake window. Record state
 				 * as UNKNOWN so the next exit_lp_mode call
 				 * also runs the full wake sequence (no
 				 * skip), but still send operational_mode
 				 * below to match pre-c6 behaviour - the
 				 * WSM may succeed even if the SDIO active
 				 * confirm was lost, and if it fails too,
 				 * we just emit a second devel-level error.
 				 * Repeated UNKNOWN is the signal for the
 				 * LMAC active-monitor to eventually
 				 * escalate to bus_reset (c5.2's
 				 * mmc_hw_reset path).
 				 */
 				bes_err("%s, active mcu fail\n", __func__);
 				atomic_set(&hw_priv->bes_power.chip_pm_state,
 					   BES2600_CHIP_PM_UNKNOWN);
 			}
 		}
 	}
 	ret = wsm_set_operational_mode(hw_priv, &mode, 0);
@@ -985,9 +833,6 @@ void bes2600_pwr_init(struct bes2600_common *hw_priv)
        hw_priv->bes_power.power_up_task = NULL;
        mutex_init(&hw_priv->bes_power.pwr_mutex);
        atomic_set(&hw_priv->bes_power.dev_state, 0);
 	atomic_set(&hw_priv->bes_power.chip_pm_state, BES2600_CHIP_PM_UNKNOWN);
 	hw_priv->bes_power.pm_unsupported = false;
 	hw_priv->bes_power.pm_consecutive_timeouts = 0;
        init_completion(&hw_priv->bes_power.pm_enter_cmpl);
        sema_init(&hw_priv->bes_power.sync_lock, 1);
        device_set_wakeup_capable(hw_priv->pdev, true);
@@ -1368,40 +1213,9 @@ int bes2600_pwr_clear_busy_event(struct bes2600_common *hw_priv, u32 event)
 void bes2600_pwr_notify_ps_changed(struct bes2600_common *hw_priv, u8 psmode)
 {
-	/*
+	if((psmode & 0x01) != WSM_PSM_ACTIVE) {
-	 * The firmware sends a PM-changed indication for every transition,
+		bes_devel("complete pm_enter_cmpl\n");
-	 * including ones we didn't ask for (firmware-internal coex moves,
+		complete(&hw_priv->bes_power.pm_enter_cmpl);
 	 * idle-driven aging). Update chip_pm_state unconditionally so the
 	 * wake path can use it, but only fire pm_enter_cmpl when a host-
 	 * initiated set_pm is actually in flight - otherwise a stale
 	 * indication can prime a future wait against a freshly
 	 * reinit_completion()'ed state.
 	 */
 	/*
 	 * Any PM indication, whatever its psmode, proves the firmware is
 	 * actually emitting them. Reset the consecutive-timeout counter
 	 * so a transient stall doesn't permanently disable PSM, and clear
 	 * pm_unsupported if a previous run had latched it.
 	 */
 	hw_priv->bes_power.pm_consecutive_timeouts = 0;
 	if (hw_priv->bes_power.pm_unsupported) {
 		bes_warn("PM indication arrived after pm_unsupported was set; re-enabling PSM transitions\n");
 		hw_priv->bes_power.pm_unsupported = false;
 	}
 	if ((psmode & 0x01) != WSM_PSM_ACTIVE) {
 		atomic_set(&hw_priv->bes_power.chip_pm_state,
 			   BES2600_CHIP_PM_LP);
 		if (atomic_cmpxchg(&hw_priv->bes_power.pm_set_in_process,
 				   1, 0) == 1) {
 			bes_devel("complete pm_enter_cmpl\n");
 			complete(&hw_priv->bes_power.pm_enter_cmpl);
 		} else {
 			bes_devel("PM ind (LP) without pending wait; state recorded\n");
 		}
 	} else {
 		atomic_set(&hw_priv->bes_power.chip_pm_state,
 			   BES2600_CHIP_PM_ACTIVE);
 	}
 }
@@ -64,20 +64,6 @@ enum power_down_state
        POWER_DOWN_STATE_UNLOCKED,
 };
 /*
 * Confirmed PM state of the firmware-side chip. Tracks what the host
 * has *seen* the firmware acknowledge, not what the host has
 * requested. UNKNOWN means a host-initiated transition timed out
 * before the firmware indication arrived; the next wake path should
 * treat it as "we don't know" and probe before issuing GPIO/SDIO
 * wakeup ops.
 */
 enum bes2600_chip_pm_state {
 	BES2600_CHIP_PM_ACTIVE = 0,
 	BES2600_CHIP_PM_LP,
 	BES2600_CHIP_PM_UNKNOWN,
 };
 typedef void (*bes_pwr_enter_lp_cb)(struct bes2600_common *hw_priv);
 typedef void (*bes_pwr_exit_lp_cb)(struct bes2600_common *hw_priv);
@@ -120,16 +106,6 @@ struct bes2600_pwr_t
        bool ap_lp_bad;
        struct bes2600_pwr_event_t pwr_events[BES2600_DELAY_EVENT_NUM];
        atomic_t pm_set_in_process;
 	atomic_t chip_pm_state;
 	/*
 	 * Sticky flag set after BES2600_PM_UNSUPPORTED_THRESHOLD
 	 * consecutive enter_lp_mode timeouts with zero PM_INDICATIONs
 	 * received from firmware. Indicates this chip's firmware does
 	 * not honor host-driven PSM transitions; further attempts are
 	 * skipped to avoid the 5s timeout cascade.
 	 */
 	bool pm_unsupported;
 	unsigned int pm_consecutive_timeouts;
 };
 #ifdef CONFIG_BES2600_WOWLAN
@@ -101,7 +101,7 @@ void bes2600_unregister_bh(struct bes2600_common *hw_priv)
 	coex_deinit_mode(hw_priv);
 #endif
-	atomic_inc(&hw_priv->bh_term);
+	atomic_add(1, &hw_priv->bh_term);
 	wake_up(&hw_priv->bh_wq);
 	flush_workqueue(hw_priv->bh_workqueue);
@@ -590,7 +590,7 @@ static int bes2600_bh(void *arg)
 			bes_devel("[BH] Device resume.\n");
 			atomic_set(&hw_priv->bh_suspend, BES2600_BH_RESUMED);
 			wake_up(&hw_priv->bh_evt_wq);
-			atomic_inc(&hw_priv->bh_rx);
+			atomic_add(1, &hw_priv->bh_rx);
 			continue;
 		}
@@ -758,9 +758,9 @@ tx:
 #if 0 /* count is not implemented */
 				if (ret > 1)
-					atomic_inc(&hw_priv->bh_tx);
+					atomic_add(1, &hw_priv->bh_tx);
 #else
-				atomic_inc(&hw_priv->bh_tx);
+				atomic_add(1, &hw_priv->bh_tx);
 #endif
 #if defined(CONFIG_BES2600_NON_POWER_OF_TWO_BLOCKSIZES)
@@ -958,119 +958,6 @@ static void bes2600_bh_parse_wakeup_event(struct bes2600_common *hw_priv, struct
 	}
 }
 /*
 * Direct-deliver an RX SKB into the WSM/mac80211 stack.
 *
 * Patch C v3 (no-relay architecture, matches cw1200): the bh thread
 * calls bes2600_sdio_read_rx_batch which calls
 * bes2600_sdio_extract_packets which calls THIS function per parsed
 * SKB.  No rx_queue, no sdio_rx_work, no inter-thread handoff.
 *
 * Single-writer-from-bh invariant on hw_priv->hw_bufs_used,
 * hw_priv->hw_bufs_used_vif[] and hw_priv->wsm_tx_pending[] is
 * preserved BY CONSTRUCTION — there is now only one writer (the bh
 * thread itself), same as cw1200's design.  No atomic_t conversion
 * needed.
 *
 * Contract:
 *   - process context, sleepable.  wsm_handle_rx (wsm.c, EXPORT_SYMBOL)
 *     acquires wsm_cmd.lock and may sleep on wait_event_timeout.
 *   - caller holds no bes2600 spinlock.  bes2600_sdio_unlock(self) is
 *     called inside read_rx_batch before extract_packets is invoked.
 *   - SKB ownership: function frees on every path (success + error).
 *   - No need to wake the bh thread on TX-confirm — we ARE the bh
 *     thread; tx_burst is signalled by returning *tx_out = 1 to the
 *     caller (bh_rx_helper), which propagates it to bh's outer loop.
 */
 int bes2600_bh_handle_rx_skb(struct bes2600_common *priv, struct sk_buff *skb)
 {
 	struct wsm_hdr *wsm;
 	size_t wsm_len;
 	u16 wsm_id;
 	u8 wsm_seq;
 	int tx = 0;
 	u32 confirm_label = 0x0;
 	if (!skb)
 		return 0;
 	wsm = (struct wsm_hdr *)skb->data;
 	wsm_len = __le16_to_cpu(wsm->len);
 	if (WARN_ON(wsm_len > skb->len)) {
 		bes_err("wsm_len err %d %d\n", (int)wsm_len, (int)skb->len);
 		dev_kfree_skb(skb);
 		return -1;
 	}
 	if (priv->wsm_enable_wsm_dumps)
 		print_hex_dump(KERN_DEBUG, "<-- ", DUMP_PREFIX_NONE, 16, 1,
 			       skb->data, wsm_len, false);
 	wsm_id  = __le16_to_cpu(wsm->id) & 0xFFF;
 	wsm_seq = (__le16_to_cpu(wsm->id) >> 13) & 7;
 	bes_devel("bes2600_bh_handle_rx_skb wsm_id:0x%04x seq:%d\n",
 		  wsm_id, wsm_seq);
 	skb_trim(skb, wsm_len);
 	if (wsm_id == 0x0800) {
 		wsm_handle_exception(priv,
 				     &skb->data[sizeof(*wsm)],
 				     wsm_len - sizeof(*wsm));
 		bes_err("wsm exception\n");
 		dev_kfree_skb(skb);
 		return -1;
 	} else if ((wsm_seq != priv->wsm_rx_seq[WSM_TXRX_SEQ_IDX(wsm_id)])) {
 		bes_err("seq error! %u. %u. 0x%x.", wsm_seq,
 			priv->wsm_rx_seq[WSM_TXRX_SEQ_IDX(wsm_id)], wsm_id);
 		dev_kfree_skb(skb);
 		return -1;
 	}
 	bes2600_bh_parse_wakeup_event(priv, skb);
 	priv->wsm_rx_seq[WSM_TXRX_SEQ_IDX(wsm_id)] = (wsm_seq + 1) & 7;
 	if (IS_DRIVER_TO_MCU_CMD(wsm_id))
 		confirm_label = __le32_to_cpu(((struct wsm_mcu_hdr *)wsm)->handle_label);
 	if (WSM_CONFIRM_CONDITION(wsm_id, confirm_label)) {
 		int rc = wsm_release_tx_buffer(priv, 1);
 		bes2600_bh_dec_pending_count(priv, WSM_TXRX_SEQ_IDX(wsm->id));
 		if (rc < 0) {
 			bes_err("wsm_release_tx_buffer failed: %d\n", rc);
 			dev_kfree_skb(skb);
 			return rc;
 		} else if (rc > 0) {
 			tx = 1;
 		}
 	}
 	/* wsm_handle_rx takes care of SKB lifetime: zeroes *skb_p if consumed. */
 	if (wsm_handle_rx(priv, wsm_id, wsm, &skb)) {
 		bes_err("wsm_handle_rx failed (id=0x%04x)\n", wsm_id);
 		if (skb)
 			dev_kfree_skb(skb);
 		return -1;
 	}
 	if (skb)
 		dev_kfree_skb(skb);
 	/*
 	 * Signal "tx side has new headroom" via atomic so the bh outer
 	 * loop's wait_event predicate notices on its next wait.  No
 	 * cross-thread wake needed because we are the bh thread; the
 	 * outer loop will pick this up after read_rx_batch returns.
 	 */
 	if (tx)
 		atomic_inc(&priv->bh_tx);
 	return 0;
 }
 EXPORT_SYMBOL(bes2600_bh_handle_rx_skb);
 static int bes2600_bh_rx_helper(struct bes2600_common *priv, int *tx)
 {
 	struct sk_buff *skb = NULL;
@@ -1082,18 +969,10 @@ static int bes2600_bh_rx_helper(struct bes2600_common *priv, int *tx)
 	u32 confirm_label = 0x0; /* wsm to mcu cmd cnfirm label */
 #if defined(BES_SDIO_RX_MULTIPLE_ENABLE)
-	/*
+	skb = (struct sk_buff *)priv->sbus_ops->pipe_read(priv->sbus_priv);
-	 * Patch C v3: the bh thread does the SDIO read inline via
+	if (!skb)
-	 * sbus_ops->bus_rx_batch.  bes2600_sdio_read_rx_batch reads the
+		return 0;
-	 * multi-RX coalesced frames out of the chip and delivers each
+	rx = 1; // always consider rx pipe not empty
 	 * one inline via bes2600_bh_handle_rx_skb (no rx_queue, no
 	 * pipe_read, no inter-thread handoff).  Return value: 0 on
 	 * success (bh outer loop will check whether to continue),
 	 * negative on read error.
 	 */
 	if (priv->sbus_ops->bus_rx_batch)
 		return priv->sbus_ops->bus_rx_batch(priv->sbus_priv);
 	return 0;
 #else
 	u32 ctrl_reg = 0;
 	size_t read_len = 0;
@@ -1255,7 +1134,7 @@ static int bes2600_bh_tx_helper(struct bes2600_common *hw_priv,
 	tx_len += 4;
 #endif
-	atomic_inc(&hw_priv->bh_tx);
+	atomic_add(1, &hw_priv->bh_tx);
 	tx_len = hw_priv->sbus_ops->align_size(
 		hw_priv->sbus_priv, tx_len);
@@ -1556,7 +1435,7 @@ static int bes2600_bh(void *arg)
 			bes_devel("[BH] Device resume.\n");
 			atomic_set(&hw_priv->bh_suspend, BES2600_BH_RESUMED);
 			wake_up(&hw_priv->bh_evt_wq);
-			atomic_inc(&hw_priv->bh_rx);
+			atomic_add(1, &hw_priv->bh_rx);
 			goto done;
 		}
@@ -39,15 +39,6 @@ int wsm_release_vif_tx_buffer(struct bes2600_common *hw_priv, int if_id,
 int bes2600_bh_sw_process(struct bes2600_common *hw_priv,
 			 struct wsm_tx_confirm *tx_confirm);
 /*
 * Direct-deliver an RX SKB into the WSM/mac80211 stack from the bh thread.
 * Called by bes2600_sdio_extract_packets per RX frame, no queueing.
 * Process context, sleepable, caller holds no bes2600 spinlock.
 * Function frees skb on every path. See bh.c for full contract.
 */
 int bes2600_bh_handle_rx_skb(struct bes2600_common *hw_priv,
 			     struct sk_buff *skb);
 void bes2600_bh_inc_pending_count(struct bes2600_common *hw_priv, int idx);
 void bes2600_bh_dec_pending_count(struct bes2600_common *hw_priv, int idx);
@@ -110,20 +110,17 @@ static int bes2600_status_show_common(struct seq_file *seq, void *v)
 	int ba_cnt, ba_acc, ba_cnt_rx, ba_acc_rx, ba_avg = 0, ba_avg_rx = 0;
 	bool ba_ena;
-	/*
+	spin_lock_bh(&hw_priv->ba_lock);
-	 * Patch D: ba_lock removed.  hw_priv->debug->ba_* are written only
+	ba_cnt = hw_priv->debug->ba_cnt;
-	 * by the timer callback (single writer); reading without a lock is
+	ba_acc = hw_priv->debug->ba_acc;
 	 * fine for stats.  ba_ena is atomic_t.
 	 */
 	ba_cnt    = hw_priv->debug->ba_cnt;
 	ba_acc    = hw_priv->debug->ba_acc;
 	ba_cnt_rx = hw_priv->debug->ba_cnt_rx;
 	ba_acc_rx = hw_priv->debug->ba_acc_rx;
-	ba_ena    = !!atomic_read(&hw_priv->ba_ena);
+	ba_ena = hw_priv->ba_ena;
 	if (ba_cnt)
 		ba_avg = ba_acc / ba_cnt;
 	if (ba_cnt_rx)
 		ba_avg_rx = ba_acc_rx / ba_cnt_rx;
 	spin_unlock_bh(&hw_priv->ba_lock);
 	seq_puts(seq,   "BES2600 Wireless LAN driver status\n");
 	seq_printf(seq, "Hardware:   %d.%d\n",
@@ -545,10 +542,6 @@ static int bes2600_status_show_priv(struct seq_file *seq, void *v)
 		priv->listening ? " (listening)" : "");
 	seq_printf(seq, "Assoc:      %s\n",
 		bes2600_debug_join_status[priv->join_status]);
 	seq_printf(seq, "DecryptStormRecoveries: %u\n",
 		   priv->decrypt_storm_recoveries);
 	seq_printf(seq, "ConnectionLossStormRecoveries: %u\n",
 		   priv->connection_loss_storm_recoveries);
 	if (priv->rx_filter.promiscuous)
 		seq_puts(seq,   "Filter:     promisc\n");
 	else if (priv->rx_filter.fcs)
@@ -570,7 +570,7 @@ int bes2600_itp_get_tx(struct bes2600_common *priv, u8 **data,
 	*burst = 2;
 	atomic_set(&priv->bh_tx, 1);
 	ktime_get_ts(&itp->last_sent);
-	atomic_inc(&itp->awaiting_confirm);
+	atomic_add(1, &itp->awaiting_confirm);
 	spin_unlock_bh(&itp->tx_lock);
 	return 1;
@@ -484,20 +484,17 @@ static struct ieee80211_hw *bes2600_init_common(size_t hw_priv_data_len)
 	spin_lock_init(&hw_priv->rtsvalue_lock);
 	INIT_WORK(&hw_priv->dynamic_opt_txrx_work, bes2600_dynamic_opt_txrx_work);
 	INIT_WORK(&hw_priv->tx_policy_upload_work, tx_policy_upload_work);
 	INIT_WORK(&hw_priv->connection_loss_storm_recover_work,
 		  bes2600_connection_loss_storm_recover);
 	spin_lock_init(&hw_priv->event_queue_lock);
 	INIT_LIST_HEAD(&hw_priv->event_queue);
 	INIT_WORK(&hw_priv->event_handler, bes2600_event_handler);
 	INIT_WORK(&hw_priv->ba_work, bes2600_ba_work);
-	/* Patch D: ba_lock removed; ba_acc/ba_cnt/etc are atomic_t. */
+	spin_lock_init(&hw_priv->ba_lock);
 	timer_setup(&hw_priv->ba_timer, bes2600_ba_timer, 0);
 	if (unlikely(bes2600_queue_stats_init(&hw_priv->tx_queue_stats,
 			WLAN_LINK_ID_MAX,
 			bes2600_skb_dtor,
 			hw_priv))) {
 		destroy_workqueue(hw_priv->workqueue);
 		ieee80211_free_hw(hw);
 		return NULL;
 	}
@@ -509,7 +506,6 @@ static struct ieee80211_hw *bes2600_init_common(size_t hw_priv_data_len)
 			for (; i > 0; i--)
 				bes2600_queue_deinit(&hw_priv->tx_queue[i - 1]);
 			bes2600_queue_stats_deinit(&hw_priv->tx_queue_stats);
 			destroy_workqueue(hw_priv->workqueue);
 			ieee80211_free_hw(hw);
 			return NULL;
 		}
@@ -83,14 +83,6 @@ struct sbus_ops {
 	 * Returns 0 on success or a negative errno.
 	 */
 	int (*bus_reset)(struct sbus_priv *self);
 	/*
 	 * Read a batch of RX frames inline from the bus and deliver each
 	 * one via bes2600_bh_handle_rx_skb().  Called from the bh thread
 	 * (process context, sleepable).  Replaces the
 	 * sdio_rx_work + rx_queue + pipe_read relay (Patch C v3, 2026).
 	 * Returns 0 on success, negative on read error.
 	 */
 	int (*bus_rx_batch)(struct sbus_priv *self);
 };
 void bes2600_irq_handler(struct bes2600_common *priv);
@@ -22,17 +22,9 @@
 * After this many consecutive WSM scan rejections from firmware, stop
 * issuing new scans for BES2600_SCAN_BACKOFF_JIFFIES and let the state
 * that's rejecting them (coex window, firmware-internal busy) clear.
 *
 * The backoff has to be at least as long as the natural mac80211 scan-
 * retry cadence, otherwise the next attempt lands outside the window
 * and bypasses the defer guard. Observed in the wild on PineTab2:
 * roam-evaluation bursts at ~12 s cadence, idle background scans at
 * ~5 min cadence. 30 s catches the burst and leaves the slow case
 * alone (the firmware-policy state has had minutes to clear by then
 * anyway).
 */
 #define BES2600_SCAN_REJECT_THRESHOLD	3
-#define BES2600_SCAN_BACKOFF_JIFFIES	(30 * HZ)
+#define BES2600_SCAN_BACKOFF_JIFFIES	(10 * HZ)
 static void bes2600_scan_restart_delayed(struct bes2600_vif *priv);
@@ -48,9 +40,7 @@ static void bes2600_scan_restart_delayed(struct bes2600_vif *priv);
 *  2. We already saw >= BES2600_SCAN_REJECT_THRESHOLD consecutive
 *     rejections on recent scan attempts and the backoff window has
 *     not yet elapsed. Whatever was rejecting them is likely still
- *     rejecting them; give it time. If the backoff has elapsed without
+ *     rejecting them; give it time.
 *     a fresh reject refreshing it, the burst is over and we reset the
 *     count so an isolated reject doesn't immediately re-trip.
 *
 * Returns true if the caller should abandon the scan iteration.
 */
@@ -61,9 +51,6 @@ static bool bes2600_scan_should_defer(struct bes2600_common *hw_priv)
 		return true;
 #endif
 	if (time_after(jiffies, hw_priv->scan.backoff_until))
 		hw_priv->scan.reject_count = 0;
 	if (hw_priv->scan.reject_count >= BES2600_SCAN_REJECT_THRESHOLD &&
 	    time_before(jiffies, hw_priv->scan.backoff_until))
 		return true;
@@ -257,21 +244,18 @@ int bes2600_hw_scan(struct ieee80211_hw *hw,
 	bes2600_pwr_set_busy_event(hw_priv, BES_PWR_LOCK_ON_SCAN);
 	/* will be unlocked in bes2600_scan_work() */
 	down(&hw_priv->scan.lock);
 	down(&hw_priv->conf_lock);
 	frame.skb = ieee80211_probereq_get(hw, priv->vif->addr, NULL, 0,
 		req->ie_len);
-	if (!frame.skb) {
+	if (!frame.skb)
 		up(&hw_priv->conf_lock);
 		up(&hw_priv->scan.lock);
 		return -ENOMEM;
 	}
 	if (req->ie_len)
 		skb_put_data(frame.skb, req->ie, req->ie_len);
 	/* will be unlocked in bes2600_scan_work() */
 	down(&hw_priv->scan.lock);
 	down(&hw_priv->conf_lock);
 	if (frame.skb) {
 		int ret;
 		//if (priv->if_id == 0)
@@ -289,9 +273,9 @@ int bes2600_hw_scan(struct ieee80211_hw *hw,
 		}
 #endif
 		if (ret) {
 			dev_kfree_skb(frame.skb);
 			up(&hw_priv->conf_lock);
 			up(&hw_priv->scan.lock);
 			dev_kfree_skb(frame.skb);
 			return ret;
 		}
 	}
@@ -321,10 +305,10 @@ int bes2600_hw_scan(struct ieee80211_hw *hw,
 		++hw_priv->scan.n_ssids;
 	}
 	up(&hw_priv->conf_lock);
 	if (frame.skb)
 		dev_kfree_skb(frame.skb);
 	up(&hw_priv->conf_lock);
 #ifdef WIFI_BT_COEXIST_EPTA_ENABLE
 	bwifi_change_current_status(hw_priv, BWIFI_STATUS_SCANNING);
 #endif
@@ -365,18 +349,14 @@ int bes2600_hw_sched_scan_start(struct ieee80211_hw *hw,
 	if (req->n_ssids > hw->wiphy->max_scan_ssids)
 		return -EINVAL;
 	frame.skb = ieee80211_probereq_get(hw, priv->vif->addr, NULL, 0,
 		req->ie_len);
 	if (!frame.skb)
 		return -ENOMEM;
 	/* will be unlocked in bes2600_scan_work() */
 	down(&hw_priv->scan.lock);
 	down(&hw_priv->conf_lock);
 	frame.skb = ieee80211_probereq_get(hw, priv->vif->addr, NULL, 0,
 		req->ie_len);
 	if (!frame.skb) {
 		up(&hw_priv->conf_lock);
 		up(&hw_priv->scan.lock);
 		return -ENOMEM;
 	}
 	if (frame.skb) {
 		int ret;
 		if (priv->if_id == 0)
@@ -387,9 +367,9 @@ int bes2600_hw_sched_scan_start(struct ieee80211_hw *hw,
 			ret = wsm_set_probe_responder(priv, true);
 		}
 		if (ret) {
 			dev_kfree_skb(frame.skb);
 			up(&hw_priv->conf_lock);
 			up(&hw_priv->scan.lock);
 			dev_kfree_skb(frame.skb);
 			return ret;
 		}
 	}
@@ -421,10 +401,10 @@ int bes2600_hw_sched_scan_start(struct ieee80211_hw *hw,
 		}
 	}
 	up(&hw_priv->conf_lock);
 	if (frame.skb)
 		dev_kfree_skb(frame.skb);
 	up(&hw_priv->conf_lock);
 	queue_work(hw_priv->workqueue, &hw_priv->scan.swork);
 	wiphy_warn(hw->wiphy, "<--[SCAN] Scheduled scan request.\n");
 	return 0;
@@ -266,7 +266,6 @@ void bes2600_stop(struct ieee80211_hw *dev, bool suspend)
 	cancel_work_sync(&hw_priv->coex_work);
 	coex_stop(hw_priv);
 #endif
 	cancel_work_sync(&hw_priv->connection_loss_storm_recover_work);
 	bes2600_wifi_stop(hw_priv);
@@ -449,7 +448,6 @@ void bes2600_remove_interface(struct ieee80211_hw *dev,
 	cancel_delayed_work_sync(&priv->join_timeout);
 	cancel_delayed_work_sync(&priv->set_cts_work);
 	cancel_delayed_work_sync(&priv->pending_offchanneltx_work);
 	cancel_work_sync(&priv->decrypt_storm_recover_work);
 	del_timer_sync(&priv->mcast_timeout);
 	/* TODO:COMBO: May be reset of these variables "delayed_link_loss and
@@ -1660,70 +1658,6 @@ report:
 	spin_unlock(&priv->bss_loss_lock);
 }
 /*
 * Connection-loss-storm fast-recover (Trigger A).
 *
 * bes2600_connection_loss_work below is the driver's own decision-point
 * to give up on a BSS (after bss-loss detection accumulates beyond
 * tolerance) and tell mac80211 via ieee80211_connection_loss(). On the
 * deployed pinetab2 stack a single ieee80211_connection_loss() event
 * sometimes triggers a userspace reauth blackhole (assoc-comeback
 * timeouts followed by AP unprotected-deauth-reason-6) that ends only
 * via cross-channel/cross-SSID fallback and can take 80+ s. Receipts at
 * https://git.reauktion.de/marfrit/besser, notes/phase4-2026-05-07.md.
 *
 * When N connection-loss decisions land within WINDOW on the same vif,
 * skip the ieee80211_connection_loss() path and trigger a chip-level
 * bus_reset (the c5.2-introduced bes2600_chrdev_do_bus_reset). The chip
 * is removed and re-probed; userspace re-associates from a fresh state,
 * dodging the assoc-comeback loop.
 *
 * Threshold (3 / 60 s) is chosen well above the steady-state per-vif
 * connection-loss rate observed in the patch-A Phase-7 rep
 * (0.86/h under sustained load), so a true storm is required.
 *
 * The recover work_struct lives on bes2600_common (hw_priv) so that
 * scheduling it does not race with vif teardown after bus_reset frees
 * the per-vif state.
 */
 #define BES2600_CONNECTION_LOSS_STORM_THRESHOLD	3
 #define BES2600_CONNECTION_LOSS_STORM_WINDOW_MS	60000
 void bes2600_connection_loss_storm_recover(struct work_struct *work)
 {
 	bes_warn("[bes2600] connection-loss-storm fast-recover: bus_reset\n");
 	bes2600_chrdev_trigger_bus_reset();
 	/*
 	 * After bes2600_chrdev_do_bus_reset() returns, the SDIO core has
 	 * scheduled a remove + rescan; per-vif state may already be gone.
 	 * Do not dereference any per-vif pointer here.
 	 */
 }
 void bes2600_connection_loss_storm_init(struct bes2600_vif *priv)
 {
 	priv->connection_loss_storm_window_start = 0;
 	priv->connection_loss_storm_count = 0;
 	priv->connection_loss_storm_recoveries = 0;
 }
 bool bes2600_connection_loss_storm_account(struct bes2600_vif *priv)
 {
 	unsigned long now = jiffies;
 	unsigned long window =
 		msecs_to_jiffies(BES2600_CONNECTION_LOSS_STORM_WINDOW_MS);
 	if (priv->connection_loss_storm_window_start == 0 ||
 	    time_after(now, priv->connection_loss_storm_window_start + window)) {
 		priv->connection_loss_storm_window_start = now;
 		priv->connection_loss_storm_count = 1;
 		return false;
 	}
 	return ++priv->connection_loss_storm_count >=
 	       BES2600_CONNECTION_LOSS_STORM_THRESHOLD;
 }
 void bes2600_connection_loss_work(struct work_struct *work)
 {
 	struct bes2600_vif *priv =
@@ -1733,21 +1667,9 @@ void bes2600_connection_loss_work(struct work_struct *work)
 	bes_devel("[CQM] Reporting connection loss.\n");
 	bes2600_pwr_clear_busy_event(priv->hw_priv, BES_PWR_LOCK_ON_BSS_LOST);
-
+	if(bes2600_suspend_status_get(hw_priv)) {
 	if (bes2600_connection_loss_storm_account(priv)) {
 		bes_warn("[bes2600] connection-loss storm: %u in %u s, scheduling bus reset\n",
 			 priv->connection_loss_storm_count,
 			 BES2600_CONNECTION_LOSS_STORM_WINDOW_MS / 1000);
 		priv->connection_loss_storm_count = 0;
 		priv->connection_loss_storm_recoveries++;
 		schedule_work(&hw_priv->connection_loss_storm_recover_work);
 		/* bus_reset will tear the chip down; skip the mac80211 path. */
 		return;
 	}
 	if (bes2600_suspend_status_get(hw_priv))
 		bes2600_pending_unjoin_set(hw_priv, priv->if_id);
-	else
+	} else
 		ieee80211_connection_loss(priv->vif);
 #ifdef WIFI_BT_COEXIST_EPTA_ENABLE
 	// set disconnected in BSS_CHANGED_ASSOC
@@ -2342,19 +2264,14 @@ void bes2600_join_work(struct work_struct *work)
 		//WARN_ON(wsm_reset(hw_priv, &reset, priv->if_id));
 		WARN_ON(wsm_set_block_ack_policy(hw_priv,
 			0, hw_priv->ba_tid_mask, priv->if_id));
-		/*
+		spin_lock_bh(&hw_priv->ba_lock);
-		 * Patch D: ba_lock removed.  Disconnect-reset clears the
+		hw_priv->ba_ena = false;
-		 * counters and the arm flag; producers racing here cannot
+		hw_priv->ba_cnt = 0;
-		 * cause harm — at worst they re-arm the timer and bump
+		hw_priv->ba_acc = 0;
 		 * counters that will be cleared on the next timer tick.
 		 */
 		atomic_set(&hw_priv->ba_ena, 0);
 		atomic_set(&hw_priv->ba_cnt, 0);
 		atomic_set(&hw_priv->ba_acc, 0);
 		hw_priv->ba_hist = 0;
-		atomic_set(&hw_priv->ba_cnt_rx, 0);
+		hw_priv->ba_cnt_rx = 0;
-		atomic_set(&hw_priv->ba_acc_rx, 0);
+		hw_priv->ba_acc_rx = 0;
-		atomic_set(&hw_priv->ba_armed, 0);
+		spin_unlock_bh(&hw_priv->ba_lock);
 		mgmt_policy.protectedMgmtEnable = 0;
 		mgmt_policy.unprotectedMgmtFramesAllowed = 1;
@@ -2634,11 +2551,10 @@ void bes2600_ba_work(struct work_struct *work)
 		return;*/
 	bes_devel("BA work****\n");
-	/*
+	spin_lock_bh(&hw_priv->ba_lock);
-	 * Patch D: ba_lock removed.  ba_tid_mask is u8 set once at init
+//	tx_ba_tid_mask = hw_priv->ba_ena ? hw_priv->ba_tid_mask : 0;
 	 * (main.c); reading it without a lock is fine.
 	 */
 	tx_ba_tid_mask = hw_priv->ba_tid_mask;
 	spin_unlock_bh(&hw_priv->ba_lock);
 	wsm_lock_tx(hw_priv);
@@ -2651,49 +2567,37 @@ void bes2600_ba_work(struct work_struct *work)
 void bes2600_ba_timer(struct timer_list *t)
 {
 	bool ba_ena;
 	int cnt, acc, cnt_rx, acc_rx;
 	struct bes2600_common *hw_priv = from_timer(hw_priv, t, ba_timer);
-	/*
+	spin_lock_bh(&hw_priv->ba_lock);
-	 * Patch D: ba_lock removed.  Snapshot atomic counters into locals
+	bes2600_debug_ba(hw_priv, hw_priv->ba_cnt, hw_priv->ba_acc,
-	 * for the predicate evaluation; producers may race incrementing
+			hw_priv->ba_cnt_rx, hw_priv->ba_acc_rx);
 	 * after the snapshot but the resulting decision is approximate
 	 * which the policy already tolerates (next timer tick re-evaluates).
 	 */
 	cnt    = atomic_read(&hw_priv->ba_cnt);
 	acc    = atomic_read(&hw_priv->ba_acc);
 	cnt_rx = atomic_read(&hw_priv->ba_cnt_rx);
 	acc_rx = atomic_read(&hw_priv->ba_acc_rx);
 	bes2600_debug_ba(hw_priv, cnt, acc, cnt_rx, acc_rx);
 	if (atomic_read(&hw_priv->scan.in_progress)) {
-		atomic_set(&hw_priv->ba_cnt, 0);
+		hw_priv->ba_cnt = 0;
-		atomic_set(&hw_priv->ba_acc, 0);
+		hw_priv->ba_acc = 0;
-		atomic_set(&hw_priv->ba_cnt_rx, 0);
+		hw_priv->ba_cnt_rx = 0;
-		atomic_set(&hw_priv->ba_acc_rx, 0);
+		hw_priv->ba_acc_rx = 0;
-		atomic_set(&hw_priv->ba_armed, 0);
+		goto skip_statistic_update;
 		return;
 	}
-	if (cnt >= BES2600_BLOCK_ACK_CNT &&
+	if (hw_priv->ba_cnt >= BES2600_BLOCK_ACK_CNT &&
-		(acc / cnt >= BES2600_BLOCK_ACK_THLD ||
+		(hw_priv->ba_acc / hw_priv->ba_cnt >= BES2600_BLOCK_ACK_THLD ||
-		(cnt_rx >= BES2600_BLOCK_ACK_CNT &&
+		(hw_priv->ba_cnt_rx >= BES2600_BLOCK_ACK_CNT &&
-		acc_rx / cnt_rx >=
+		hw_priv->ba_acc_rx / hw_priv->ba_cnt_rx >=
 			BES2600_BLOCK_ACK_THLD)))
 		ba_ena = true;
 	else
 		ba_ena = false;
-	atomic_set(&hw_priv->ba_cnt, 0);
+	hw_priv->ba_cnt = 0;
-	atomic_set(&hw_priv->ba_acc, 0);
+	hw_priv->ba_acc = 0;
-	atomic_set(&hw_priv->ba_cnt_rx, 0);
+	hw_priv->ba_cnt_rx = 0;
-	atomic_set(&hw_priv->ba_acc_rx, 0);
+	hw_priv->ba_acc_rx = 0;
 	atomic_set(&hw_priv->ba_armed, 0);
-	if (ba_ena != !!atomic_read(&hw_priv->ba_ena)) {
+	if (ba_ena != hw_priv->ba_ena) {
 		if (ba_ena || ++hw_priv->ba_hist >= BES2600_BLOCK_ACK_HIST) {
-			atomic_set(&hw_priv->ba_ena, ba_ena ? 1 : 0);
+			hw_priv->ba_ena = ba_ena;
 			hw_priv->ba_hist = 0;
 #if 0
 			bes_devel("[STA] %s block ACK:\n",
@@ -2703,6 +2607,9 @@ void bes2600_ba_timer(struct timer_list *t)
 		}
 	} else if (hw_priv->ba_hist)
 		--hw_priv->ba_hist;
 skip_statistic_update:
 	spin_unlock_bh(&hw_priv->ba_lock);
 }
 int bes2600_vif_setup(struct bes2600_vif *priv)
@@ -2712,8 +2619,6 @@ int bes2600_vif_setup(struct bes2600_vif *priv)
 	/* Setup per vif workitems and locks */
 	spin_lock_init(&priv->vif_lock);
 	bes2600_decrypt_storm_init(priv);
 	bes2600_connection_loss_storm_init(priv);
 	INIT_WORK(&priv->join_work, bes2600_join_work);
 	INIT_DELAYED_WORK(&priv->join_timeout, bes2600_join_timeout);
 	INIT_WORK(&priv->unjoin_work, bes2600_unjoin_work);
@@ -25,78 +25,6 @@
 #define BES2600_INVALID_RATE_ID (0xFF)
 /*
 * Decrypt-storm fast-recover (Trigger B).
 *
 * When the BES2600 firmware reports WSM_STATUS_DECRYPTFAILURE for a
 * burst of received frames (typically because the host's PTK or GTK
 * has fallen out of sync with the AP), the AP eventually concludes that
 * the STA is not authenticated and emits an unprotected deauth-reason-6
 * ("Class 2 frame received from non-authenticated station"). On the
 * deployed pinetab2 + bes2600 stack this AP-initiated deauth has been
 * observed to leave the link blackholed for up to 109 s before
 * userspace finds a different SSID/channel to recover on. (Receipts at
 * https://git.reauktion.de/marfrit/besser, notes/phase5-2026-05-06.md.)
 *
 * Recovery here pre-empts the AP: when we see THRESHOLD decrypt
 * failures within WINDOW, we ask mac80211 for a clean reassoc via
 * ieee80211_connection_loss(), which causes immediate disassociation
 * and lets userspace auto-reconnect with fresh keys.
 *
 * mac80211 contract: ieee80211_connection_loss() may be called
 * regardless of IEEE80211_HW_CONNECTION_MONITOR; it causes immediate
 * disassociation without driver-side recovery attempts. See
 * include/net/mac80211.h for the canonical doc-comment.
 *
 * The threshold is set well above the steady-state per-vif
 * decrypt-fail rate observed in measurement (~1/min even under
 * sustained 1 MB/s load), so a true storm is required to trip it.
 */
 #define BES2600_DECRYPT_STORM_THRESHOLD	5
 #define BES2600_DECRYPT_STORM_WINDOW_MS	5000
 static void bes2600_decrypt_storm_recover_work(struct work_struct *work)
 {
 	struct bes2600_vif *priv = container_of(work, struct bes2600_vif,
 						decrypt_storm_recover_work);
 	if (!priv->vif)
 		return;
 	bes_warn("[bes2600] decrypt-storm fast-recover: forcing reassoc\n");
 	ieee80211_connection_loss(priv->vif);
 	priv->decrypt_storm_recoveries++;
 }
 void bes2600_decrypt_storm_init(struct bes2600_vif *priv)
 {
 	INIT_WORK(&priv->decrypt_storm_recover_work,
 		  bes2600_decrypt_storm_recover_work);
 	priv->decrypt_storm_window_start = 0;
 	priv->decrypt_storm_count = 0;
 	priv->decrypt_storm_recoveries = 0;
 }
 void bes2600_decrypt_storm_account(struct bes2600_vif *priv)
 {
 	unsigned long now = jiffies;
 	unsigned long window = msecs_to_jiffies(BES2600_DECRYPT_STORM_WINDOW_MS);
 	if (priv->decrypt_storm_window_start == 0 ||
 	    time_after(now, priv->decrypt_storm_window_start + window)) {
 		priv->decrypt_storm_window_start = now;
 		priv->decrypt_storm_count = 1;
 		return;
 	}
 	if (++priv->decrypt_storm_count >= BES2600_DECRYPT_STORM_THRESHOLD) {
 		priv->decrypt_storm_count = 0;
 		/* Skew the window so we don't re-fire on the same storm. */
 		priv->decrypt_storm_window_start = now + window;
 		schedule_work(&priv->decrypt_storm_recover_work);
 	}
 }
 #ifdef CONFIG_BES2600_TESTMODE
 #include "bes_nl80211_testmode_msg.h"
 #endif /* CONFIG_BES2600_TESTMODE */
@@ -995,18 +923,14 @@ bes2600_tx_h_ba_stat(struct bes2600_vif *priv,
 	if (!ieee80211_is_data(t->hdr->frame_control))
 		return;
-	/*
+	spin_lock_bh(&hw_priv->ba_lock);
-	 * Patch D: lock-free hot-path BA accounting.  atomic_inc + atomic_add
+	hw_priv->ba_acc += t->skb->len - t->hdrlen;
-	 * each per-frame; the once-per-window timer-arm uses cmpxchg on
+	if (!(hw_priv->ba_cnt_rx || hw_priv->ba_cnt)) {
 	 * ba_armed so concurrent TX/RX can't both try to set the timer and
 	 * we don't need cross-counter coherency on the ba_cnt/ba_cnt_rx pair.
 	 */
 	atomic_add(t->skb->len - t->hdrlen, &hw_priv->ba_acc);
 	atomic_inc(&hw_priv->ba_cnt);
 	if (atomic_cmpxchg(&hw_priv->ba_armed, 0, 1) == 0) {
 		mod_timer(&hw_priv->ba_timer,
 			jiffies + BES2600_BLOCK_ACK_INTERVAL);
 	}
 	hw_priv->ba_cnt++;
 	spin_unlock_bh(&hw_priv->ba_lock);
 }
 static int
@@ -1633,13 +1557,14 @@ bes2600_rx_h_ba_stat(struct bes2600_vif *priv,
 	if (!priv->setbssparams_done)
 		return;
-	/* Patch D: lock-free hot-path BA accounting; see TX side comment. */
+	spin_lock_bh(&hw_priv->ba_lock);
-	atomic_add(skb_len - hdrlen, &hw_priv->ba_acc_rx);
+	hw_priv->ba_acc_rx += skb_len - hdrlen;
-	atomic_inc(&hw_priv->ba_cnt_rx);
+	if (!(hw_priv->ba_cnt_rx || hw_priv->ba_cnt)) {
 	if (atomic_cmpxchg(&hw_priv->ba_armed, 0, 1) == 0) {
 		mod_timer(&hw_priv->ba_timer,
 			jiffies + BES2600_BLOCK_ACK_INTERVAL);
 	}
 	hw_priv->ba_cnt_rx++;
 	spin_unlock_bh(&hw_priv->ba_lock);
 }
 void bes2600_rx_cb(struct bes2600_vif *priv,
@@ -1747,8 +1672,6 @@ void bes2600_rx_cb(struct bes2600_vif *priv,
 			goto drop;
 		} else {
 			bes_warn("[RX] Receive failure: %d.\n", arg->status);
 			if (arg->status == WSM_STATUS_DECRYPTFAILURE)
 				bes2600_decrypt_storm_account(priv);
 			goto drop;
 		}
 	}