Merge pull request 'bes2600: pre-empt AP-deauth-6 with mac80211 reassoc on decrypt-fail storm' (#1) from bes2600/decrypt-storm-fast-recover into mobian

Reviewed-on: #1

bes2600/Makefile

@@ -65,8 +65,8 @@ BES2600_DRV_VERSION := bes2600_0.3.5_2024.0116
 
 ifeq ($(CONFIG_BES2600_CALIB_FROM_LINUX),y)
 FACTORY_CRC_CHECK                    ?= n
-STANDARD_FACTORY_EFUSE_FLAG          ?= n
+STANDARD_FACTORY_EFUSE_FLAG          ?= y
-FACTORY_PATH                 ?= bes2600/bes2600_factory.txt
+FACTORY_PATH                 ?= /lib/firmware/bes2600_factory.txt
 endif
 
 # basic function

bes2600/bes2600.h

@@ -596,6 +596,11 @@ struct bes2600_vif {
         unsigned long           rx_timestamp;
         u32                     cipherType;
 
+	/* Decrypt-storm fast-recover (Trigger B). See txrx.c. */
+	unsigned long			decrypt_storm_window_start;
+	unsigned int			decrypt_storm_count;
+	unsigned int			decrypt_storm_recoveries;
+	struct work_struct		decrypt_storm_recover_work;
 
 	/* AP powersave */
 	u32			link_id_map;
@@ -856,4 +861,8 @@ int bes2600_btusb_setup_pipes(struct sbus_priv *sbus_priv);
 void bes2600_btusb_uninit(struct usb_interface *interface);
 #endif
 
+/* Decrypt-storm fast-recover helpers — see txrx.c. */
+void bes2600_decrypt_storm_init(struct bes2600_vif *priv);
+void bes2600_decrypt_storm_account(struct bes2600_vif *priv);
+
 #endif /* BES2600_H */

bes2600/bes2600_factory.c

@@ -12,7 +12,6 @@
 #include <linux/module.h>
 #include <linux/sched.h>
 #include <linux/fs.h>
-#include <linux/firmware.h>
 #include <linux/slab.h>
 #include <linux/mutex.h>
 #include <linux/crc32.h>
@@ -31,18 +30,6 @@
 
 static DEFINE_MUTEX(factory_lock);
 
-/*
- * struct device * for request_firmware() context. Set once at SDIO
- * probe via bes2600_factory_set_dev(). NULL is tolerated (falls back
- * to the udev-less firmware-class path) but loses per-device logging.
- */
-static struct device *bes2600_factory_dev;
-
-void bes2600_factory_set_dev(struct device *dev)
-{
-	bes2600_factory_dev = dev;
-}
-
 /*
  * It is only used for temporary storage.
  * Every time get the factory, it will read from the
@@ -150,32 +137,38 @@ static int bes2600_factory_crc_check(struct factory_t *factory_data)
  */
 static int factory_section_read_file(char *path, void *buffer)
 {
-	const struct firmware *fw;
+	int ret = 0;
-	int ret;
+	struct file *fp;
 
 	if (!path || !buffer) {
 		bes_err("%s NULL pointer err\n", __func__);
 		return -1;
 	}
 
-	bes_devel("requesting firmware-class %s\n", path);
+	bes_devel("reading %s \n", path);
 
-	ret = request_firmware(&fw, path, bes2600_factory_dev);
+	fp = filp_open(path, O_RDONLY, 0); //S_IRUSR
-	if (ret) {
+	if (IS_ERR(fp)) {
-		bes_devel("BES2600: request_firmware(%s) failed: %d\n", path, ret);
+		bes_devel("BES2600 : can't open %s\n",path);
 		return -1;
 	}
 
-	if (fw->size == 0 || fw->size > FACTORY_MAX_SIZE) {
+	if (fp->f_inode->i_size <= 0 || fp->f_inode->i_size > FACTORY_MAX_SIZE) {
-		bes_err("bes2600_factory.txt size check failed, read_size: %zu max_size: %d\n",
+		bes_err(			"bes2600_factory.txt size check failed, read_size: %lld max_size: %d\n",
-			fw->size, FACTORY_MAX_SIZE);
+			fp->f_inode->i_size, FACTORY_MAX_SIZE);
-		release_firmware(fw);
+		filp_close(fp, NULL);
 		return -1;
 	}
 
-	memcpy(buffer, fw->data, fw->size);
+	ret = kernel_read(fp, buffer, fp->f_inode->i_size, &fp->f_pos);
-	ret = (int)fw->size;
+
-	release_firmware(fw);
+	filp_close(fp, NULL);
+
+	if (ret != fp->f_inode->i_size) {
+		bes_err("bes2600_factory.txt read fail\n");
+		ret = -1;
+	}
+
 	return ret;
 }
 

bes2600/bes2600_factory.h

@@ -199,9 +199,6 @@ enum factory_cali_status {
 /* just calibrate 11n, other protocols are automatically mapped */
 #define WIFI_RF_11N_MODE 0x15
 
-/* set the struct device * used for request_firmware() context */
-void bes2600_factory_set_dev(struct device *dev);
-
 /* read wifi & bt factory cali value*/
 u8* bes2600_get_factory_cali_data(u8 *file_buffer, u32 *data_len, char *path);
 void factory_little_endian_cvrt(u8 *data);

bes2600/bes2600_sdio.c

@@ -30,7 +30,6 @@
 #include "bes2600.h"
 #include "sbus.h"
 #include "bes2600_plat.h"
-#include "bes2600_factory.h"
 #include "hwio.h"
 #include "bes_chardev.h"
 #include "bes_log.h"
@@ -1835,9 +1834,6 @@ static int bes2600_sdio_probe(struct sdio_func *func,
 	if (ret)
 		goto err;
 
-	/* wire struct device into factory.c for request_firmware() context */
-	bes2600_factory_set_dev(dev);
-
 	self->pdata = bes2600_get_platform_data();
 	self->func = func;
 	self->dev = &func->dev;

bes2600/debug.c

@@ -542,6 +542,8 @@ static int bes2600_status_show_priv(struct seq_file *seq, void *v)
 		priv->listening ? " (listening)" : "");
 	seq_printf(seq, "Assoc:      %s\n",
 		bes2600_debug_join_status[priv->join_status]);
+	seq_printf(seq, "DecryptStormRecoveries: %u\n",
+		   priv->decrypt_storm_recoveries);
 	if (priv->rx_filter.promiscuous)
 		seq_puts(seq,   "Filter:     promisc\n");
 	else if (priv->rx_filter.fcs)

bes2600/sta.c

@@ -448,6 +448,7 @@ void bes2600_remove_interface(struct ieee80211_hw *dev,
 	cancel_delayed_work_sync(&priv->join_timeout);
 	cancel_delayed_work_sync(&priv->set_cts_work);
 	cancel_delayed_work_sync(&priv->pending_offchanneltx_work);
+	cancel_work_sync(&priv->decrypt_storm_recover_work);
 
 	del_timer_sync(&priv->mcast_timeout);
 	/* TODO:COMBO: May be reset of these variables "delayed_link_loss and
@@ -2619,6 +2620,7 @@ int bes2600_vif_setup(struct bes2600_vif *priv)
 
 	/* Setup per vif workitems and locks */
 	spin_lock_init(&priv->vif_lock);
+	bes2600_decrypt_storm_init(priv);
 	INIT_WORK(&priv->join_work, bes2600_join_work);
 	INIT_DELAYED_WORK(&priv->join_timeout, bes2600_join_timeout);
 	INIT_WORK(&priv->unjoin_work, bes2600_unjoin_work);

bes2600/txrx.c

@@ -25,6 +25,78 @@
 
 #define BES2600_INVALID_RATE_ID (0xFF)
 
+/*
+ * Decrypt-storm fast-recover (Trigger B).
+ *
+ * When the BES2600 firmware reports WSM_STATUS_DECRYPTFAILURE for a
+ * burst of received frames (typically because the host's PTK or GTK
+ * has fallen out of sync with the AP), the AP eventually concludes that
+ * the STA is not authenticated and emits an unprotected deauth-reason-6
+ * ("Class 2 frame received from non-authenticated station"). On the
+ * deployed pinetab2 + bes2600 stack this AP-initiated deauth has been
+ * observed to leave the link blackholed for up to 109 s before
+ * userspace finds a different SSID/channel to recover on. (Receipts at
+ * https://git.reauktion.de/marfrit/besser, notes/phase5-2026-05-06.md.)
+ *
+ * Recovery here pre-empts the AP: when we see THRESHOLD decrypt
+ * failures within WINDOW, we ask mac80211 for a clean reassoc via
+ * ieee80211_connection_loss(), which causes immediate disassociation
+ * and lets userspace auto-reconnect with fresh keys.
+ *
+ * mac80211 contract: ieee80211_connection_loss() may be called
+ * regardless of IEEE80211_HW_CONNECTION_MONITOR; it causes immediate
+ * disassociation without driver-side recovery attempts. See
+ * include/net/mac80211.h for the canonical doc-comment.
+ *
+ * The threshold is set well above the steady-state per-vif
+ * decrypt-fail rate observed in measurement (~1/min even under
+ * sustained 1 MB/s load), so a true storm is required to trip it.
+ */
+#define BES2600_DECRYPT_STORM_THRESHOLD	5
+#define BES2600_DECRYPT_STORM_WINDOW_MS	5000
+
+static void bes2600_decrypt_storm_recover_work(struct work_struct *work)
+{
+	struct bes2600_vif *priv = container_of(work, struct bes2600_vif,
+						decrypt_storm_recover_work);
+
+	if (!priv->vif)
+		return;
+
+	bes_warn("[bes2600] decrypt-storm fast-recover: forcing reassoc\n");
+	ieee80211_connection_loss(priv->vif);
+	priv->decrypt_storm_recoveries++;
+}
+
+void bes2600_decrypt_storm_init(struct bes2600_vif *priv)
+{
+	INIT_WORK(&priv->decrypt_storm_recover_work,
+		  bes2600_decrypt_storm_recover_work);
+	priv->decrypt_storm_window_start = 0;
+	priv->decrypt_storm_count = 0;
+	priv->decrypt_storm_recoveries = 0;
+}
+
+void bes2600_decrypt_storm_account(struct bes2600_vif *priv)
+{
+	unsigned long now = jiffies;
+	unsigned long window = msecs_to_jiffies(BES2600_DECRYPT_STORM_WINDOW_MS);
+
+	if (priv->decrypt_storm_window_start == 0 ||
+	    time_after(now, priv->decrypt_storm_window_start + window)) {
+		priv->decrypt_storm_window_start = now;
+		priv->decrypt_storm_count = 1;
+		return;
+	}
+
+	if (++priv->decrypt_storm_count >= BES2600_DECRYPT_STORM_THRESHOLD) {
+		priv->decrypt_storm_count = 0;
+		/* Skew the window so we don't re-fire on the same storm. */
+		priv->decrypt_storm_window_start = now + window;
+		schedule_work(&priv->decrypt_storm_recover_work);
+	}
+}
+
 #ifdef CONFIG_BES2600_TESTMODE
 #include "bes_nl80211_testmode_msg.h"
 #endif /* CONFIG_BES2600_TESTMODE */
@@ -1672,6 +1744,8 @@ void bes2600_rx_cb(struct bes2600_vif *priv,
 			goto drop;
 		} else {
 			bes_warn("[RX] Receive failure: %d.\n", arg->status);
+			if (arg->status == WSM_STATUS_DECRYPTFAILURE)
+				bes2600_decrypt_storm_account(priv);
 			goto drop;
 		}
 	}

bes2600/wsm.h

@@ -2236,5 +2236,7 @@ int wsm_cpu_usage_cmd(struct bes2600_common *hw_priv);
 
 int wsm_wifi_status_cmd(struct bes2600_common *hw_priv, uint32_t status);
 
+#if defined(STANDARD_FACTORY_EFUSE_FLAG)
 int wsm_save_factory_txt_to_mcu(struct bes2600_common *hw_priv, const u8 *data, int if_id, enum bes2600_rf_cmd_type cmd_type);
+#endif
 #endif /* BES2600_HWIO_H_INCLUDED */