bes2600: Patch D — atomicize ba_lock counters, drop the spinlock

The block-ack policy uses 4 int counters (ba_acc, ba_cnt, ba_acc_rx,
ba_cnt_rx) bumped per data frame in the TX and RX hot paths under
spin_lock_bh(&hw_priv->ba_lock).  The lock was the heaviest per-frame
synchronization cost remaining after Patch C v3 (which fixed the
sdio_rx_work relay).  Per the Opus structural critique (PR #8), this
pattern matches mac80211 driver convention for per-frame statistics:
atomic_t suffices, no lock needed.

Field-by-field changes in struct bes2600_common:
  ba_acc, ba_cnt, ba_acc_rx, ba_cnt_rx: int -> atomic_t
  ba_armed:                              new atomic_t (timer-arm flag)
  ba_ena:                                bool -> atomic_t
  ba_lock:                               removed (spinlock_t deleted)
  ba_hist:                               int (single-writer = ba_timer)

Producer hot path (txrx.c TX submit + RX receive):
  - atomic_add for the byte accumulator
  - atomic_inc for the frame counter
  - atomic_cmpxchg(&ba_armed, 0, 1) to claim the once-per-window
    mod_timer arm — at most ONE producer succeeds; race-free
  - no spin_lock_bh

Consumer paths (sta.c bes2600_ba_timer, sta.c disconnect-reset, sta.c
bes2600_ba_work, debug.c debugfs reader):
  - atomic_read snapshots all 4 counters into locals; the threshold
    predicate (acc/cnt >= THLD) tolerates approximate snapshots — the
    timer fires periodically, a single misclassification just delays
    the policy update by one tick
  - atomic_set zeroes the counters at end of timer-callback window;
    racing producer increments after the snapshot are lost (acceptable
    for stats; same approximation the original lock allowed under
    contention)
  - atomic_set(&ba_armed, 0) re-enables the next window's arm

Followup-amenable simplification: ba_hist remains int because only
the single ba_timer callback writes it; multiple writers would need
to upgrade it too.

This patch follows the cw1200-mainline-idiom established by Patch C v3
(structural fix, not bandaid).  The cw1200 reference doesn't have a
similar lock to compare; bes2600 inherited this from a later
Bestechnic addition rather than the upstream tree.

bes2600/bes2600.h

@@ -356,15 +356,23 @@ struct bes2600_common {
 	* Keeping in common structure for the time being. Will be moved to VIFF
 	* after the mechanism is clear */
 	u8				ba_tid_mask;
-	int				ba_acc; /*TODO: Same as above */
-	int				ba_cnt; /*TODO: Same as above */
-	int				ba_cnt_rx; /*TODO: Same as above */
-	int				ba_acc_rx; /*TODO: Same as above */
-	int				ba_hist; /*TODO: Same as above */
-	struct timer_list		ba_timer;/*TODO: Same as above */
-	spinlock_t			ba_lock; /*TODO: Same as above */
-	bool				ba_ena; /*TODO: Same as above */
-	struct work_struct              ba_work; /*TODO: Same as above */
+	/*
+	 * Patch D: ba_lock removed.  Per-frame TX/RX hot-path bumped these
+	 * counters under spin_lock_bh; the lock did not protect any
+	 * compound invariant that atomic ops can't satisfy.  Counters are
+	 * now atomic_t; ba_armed gates the once-per-window mod_timer
+	 * arm via cmpxchg so concurrent TX/RX at a fresh window each
+	 * try to claim the arm and exactly one succeeds.
+	 */
+	atomic_t			ba_acc;
+	atomic_t			ba_cnt;
+	atomic_t			ba_cnt_rx;
+	atomic_t			ba_acc_rx;
+	atomic_t			ba_armed;
+	int				ba_hist;
+	struct timer_list		ba_timer;
+	atomic_t			ba_ena;
+	struct work_struct              ba_work;
 	bool				is_BT_Present;
 	bool				is_go_thru_go_neg;
 	u8				conf_listen_interval;
@@ -511,6 +519,9 @@ struct bes2600_common {
 	struct list_head coex_event_list;
 	spinlock_t coex_event_lock;
 
+	/* Connection-loss-storm fast-recover (Trigger A). See sta.c. */
+	struct work_struct connection_loss_storm_recover_work;
+
 	/* member for low power */
 	struct bes2600_pwr_t bes_power;
 
@@ -596,6 +607,11 @@ struct bes2600_vif {
         unsigned long           rx_timestamp;
         u32                     cipherType;
 
+	/* Decrypt-storm fast-recover (Trigger B). See txrx.c. */
+	unsigned long			decrypt_storm_window_start;
+	unsigned int			decrypt_storm_count;
+	unsigned int			decrypt_storm_recoveries;
+	struct work_struct		decrypt_storm_recover_work;
 
 	/* AP powersave */
 	u32			link_id_map;
@@ -622,6 +638,10 @@ struct bes2600_vif {
 	/* CQM Implementation */
 	struct delayed_work	bss_loss_work;
 	struct delayed_work	connection_loss_work;
+	/* Connection-loss-storm fast-recover (Trigger A). See sta.c. */
+	unsigned long		connection_loss_storm_window_start;
+	unsigned int		connection_loss_storm_count;
+	unsigned int		connection_loss_storm_recoveries;
 	struct work_struct	tx_failure_work;
 	int			delayed_link_loss;
 	spinlock_t		bss_loss_lock;
@@ -856,4 +876,13 @@ int bes2600_btusb_setup_pipes(struct sbus_priv *sbus_priv);
 void bes2600_btusb_uninit(struct usb_interface *interface);
 #endif
 
+/* Decrypt-storm fast-recover helpers — see txrx.c. */
+void bes2600_decrypt_storm_init(struct bes2600_vif *priv);
+void bes2600_decrypt_storm_account(struct bes2600_vif *priv);
+
+/* Connection-loss-storm fast-recover helpers — see sta.c. */
+void bes2600_connection_loss_storm_init(struct bes2600_vif *priv);
+bool bes2600_connection_loss_storm_account(struct bes2600_vif *priv);
+void bes2600_connection_loss_storm_recover(struct work_struct *work);
+
 #endif /* BES2600_H */

bes2600/bes2600_sdio.c

@@ -16,6 +16,7 @@
 #include <linux/mmc/host.h>
 #include <linux/mmc/sdio_func.h>
 #include <linux/mmc/card.h>
+#include <linux/mmc/core.h>
 #include <linux/mmc/sdio.h>
 #include <linux/spinlock.h>
 #include <net/mac80211.h>
@@ -28,6 +29,7 @@
 #include <linux/of_gpio.h>
 
 #include "bes2600.h"
+#include "bh.h"
 #include "sbus.h"
 #include "bes2600_plat.h"
 #include "bes2600_factory.h"
@@ -71,10 +73,12 @@ struct sbus_priv {
 	int rx_data_toggle;
 #endif
 #ifdef BES_SDIO_RX_MULTIPLE_ENABLE
-	spinlock_t rx_queue_lock;
-	struct sk_buff_head rx_queue;
+	/*
+	 * Patch C v3: rx_queue, rx_queue_lock, rx_work removed (no relay).
+	 * The bh thread now reads RX inline; the rx_buffer scratch area
+	 * stays.  Counters/timestamps stay for debugfs visibility.
+	 */
 	u8 *rx_buffer;
-	struct work_struct rx_work;
 	u32 rx_last_ctrl;
 	u32 rx_valid_ctrl;
 	u32 rx_total_ctrl_cnt;
@@ -411,10 +415,19 @@ static void bes2600_sdio_irq_handler(struct sdio_func *func)
 
 	bes_devel("%s called, fw_started:%d \n",
 			 __func__, self->fw_started);
-	if (likely(self->fw_started && self->core)) {
-		queue_work(self->sdio_wq, &self->rx_work);
+	/*
+	 * Patch C v3: no more sdio_rx_work relay.  Wake the bh thread
+	 * directly via self->irq_handler (bes2600_irq_handler in bh.c
+	 * which bumps bh_rx atomic + wakes bh_wq).  The bh thread will
+	 * then call sbus_ops->bus_rx_batch() to do the SDIO read inline.
+	 * Matches cw1200 mainline IRQ → bh-direct architecture.
+	 */
+	if (likely(self->fw_started && self->core && self->irq_handler)) {
+		spin_lock_irqsave(&self->lock, flags);
+		self->irq_handler(self->irq_priv);
+		spin_unlock_irqrestore(&self->lock, flags);
 		self->last_irq_timestamp = jiffies;
-	} else if(self->irq_handler) {
+	} else if (self->irq_handler) {
 		spin_lock_irqsave(&self->lock, flags);
 		self->irq_handler(self->irq_priv);
 		spin_unlock_irqrestore(&self->lock, flags);
@@ -811,10 +824,15 @@ static int bes2600_sdio_extract_packets(struct sbus_priv *self, u32 ctrl_reg, u8
 		skb_put(skb, packet_len);
 		memcpy(skb->data, &data[pos], packet_len);
 		bes_devel("%s, %d,%d\n", __func__, packet_len, pos);
-		spin_lock(&self->rx_queue_lock);
-		skb_queue_tail(&self->rx_queue, skb);
 		self->rx_data_cnt++;
-		spin_unlock(&self->rx_queue_lock);
+		/*
+		 * Patch C v3: deliver the SKB directly into the WSM/mac80211
+		 * stack from the bh thread.  No rx_queue, no inter-thread
+		 * handoff, no atomic_t needed on the counters that
+		 * wsm_release_tx_buffer touches — single-writer-from-bh is
+		 * preserved by construction.  See bh.c for the contract block.
+		 */
+		bes2600_bh_handle_rx_skb(self->core, skb);
 		packet_len = (packet_len + 3) & (~0x3);
 		pos += packet_len;
 		#ifdef BES_SDIO_OPTIMIZED_LEN
@@ -825,17 +843,31 @@ static int bes2600_sdio_extract_packets(struct sbus_priv *self, u32 ctrl_reg, u8
 	return 0;
 }
 
-static void sdio_rx_work(struct work_struct *work)
+/*
+ * Patch C v3: bh thread calls this directly via sbus_ops->bus_rx_batch.
+ * No more sdio_rx_work workqueue.  SDIO read sequence (lock →
+ * read_ctrl → memcpy_fromio → packets_check → extract_packets) runs
+ * inline in bh-thread context.  Each parsed SKB is delivered via
+ * bes2600_bh_handle_rx_skb() from extract_packets — no rx_queue, no
+ * second worker, no inter-thread handoff.
+ *
+ * Architecture matches cw1200 mainline.  Single-writer-from-bh
+ * invariant on hw_bufs_used preserved by construction.
+ *
+ * Returns 0 on success (caller's bh outer loop decides whether to
+ * continue), negative on bus read error.  On error: triggers
+ * wifi_force_close (same as the old sdio_rx_work).
+ */
+static int bes2600_sdio_read_rx_batch(struct sbus_priv *self)
 {
-	int ret, again = 0, retry = 0, crc_retry = 0;
+	int ret = 0, again = 0, retry = 0, crc_retry = 0;
 	u32 ctrl_reg = 0;
 	int total_len;
-	struct sbus_priv *self = container_of(work, struct sbus_priv, rx_work);
 	u8 *buf = self->rx_buffer;
 
 	/* don't read/write sdio when sdio error */
 	if (bes2600_chrdev_is_bus_error())
-		return;
+		return 0;
 
 	bes2600_gpio_wakeup_mcu(self, GPIO_WAKE_FLAG_SDIO_RX);
 
@@ -890,6 +922,10 @@ static void sdio_rx_work(struct work_struct *work)
 			goto failed;
 		}
 
+		/*
+		 * extract_packets parses the multi-RX buffer and calls
+		 * bes2600_bh_handle_rx_skb() per SKB.  No queueing.
+		 */
 		if ((ret = bes2600_sdio_extract_packets(self, ctrl_reg, buf))) {
 			bes_err("%s,%d error=%d\n", __func__, __LINE__, ret);
 			goto failed;
@@ -897,22 +933,16 @@ static void sdio_rx_work(struct work_struct *work)
 
 		ctrl_reg = 0;
 
-		if (likely(self->irq_handler)) {
-			self->irq_handler(self->irq_priv);
-		} else {
-			bes_err("%s,%d\n", __func__, __LINE__);
-			goto failed;
-		}
-
 	} while (again);
 
 	bes2600_gpio_allow_mcu_sleep(self, GPIO_WAKE_FLAG_SDIO_RX);
-	return;
+	return 0;
 
 failed:
 	bes2600_gpio_allow_mcu_sleep(self, GPIO_WAKE_FLAG_SDIO_RX);
 	bes2600_chrdev_wifi_force_close(self->core, false);
 	WARN_ON(1);
+	return -1;
 }
 
 static void sdio_scan_work(struct work_struct *work)
@@ -920,26 +950,11 @@ static void sdio_scan_work(struct work_struct *work)
 	bes_warn("%s: this function does nothing\n", __FUNCTION__);
 }
 
-static void *bes2600_sdio_pipe_read(struct sbus_priv *self)
-{
-	struct sk_buff *skb;
-
-	if (bes2600_chrdev_is_bus_error()) {
-		return bes2600_tx_loop_read(self->core);
-	}
-
-	spin_lock(&self->rx_queue_lock);
-	skb = skb_dequeue(&self->rx_queue);
-	if (skb)
-		self->rx_proc_cnt++;
-	spin_unlock(&self->rx_queue_lock);
-	if (likely(self->fw_started == true &&
-		!bes2600_pwr_device_is_idle(self->core) &&
-		self->core->hw_bufs_used > 0))
-		if (!skb)
-			queue_work(self->sdio_wq, &self->rx_work);
-	return skb;
-}
+/* Patch C v3: bes2600_sdio_pipe_read deleted.  bh thread reads the
+ * SDIO bus inline via bes2600_sdio_read_rx_batch (sbus_ops->bus_rx_batch).
+ * No rx_queue, no skb_dequeue, no relay.  bes2600_tx_loop_read remains
+ * for the test bus error-fallback path but is now invoked at higher
+ * level. */
 
 #endif
 
@@ -1195,7 +1210,14 @@ flush_previous:
 				}
 			} while (crc_retry <= 10);
 			sdio_release_host(self->func);
-			queue_work(self->sdio_wq, &self->rx_work);
+			/*
+			 * Patch C v3: wake the bh thread to check for any RX
+			 * that piggybacked on this TX window.  Bumps bh_rx
+			 * atomic; bh's wait_event will pick it up and call
+			 * sbus_ops->bus_rx_batch().
+			 */
+			if (likely(self->irq_handler))
+				self->irq_handler(self->irq_priv);
 			if (ret) {
 				bes_err("%s,%d err=%d,%d,%d\n", __func__, __LINE__, ret, scatters, cur_blk);
 				sdio_work_debug(self);
@@ -1246,12 +1268,11 @@ static int bes2600_sdio_misc_init(struct sbus_priv *self, struct bes2600_common
 	self->next_toggle = 0;
 #endif
 #ifdef BES_SDIO_RX_MULTIPLE_ENABLE
-	spin_lock_init(&self->rx_queue_lock);
-	skb_queue_head_init(&self->rx_queue);
+	/* Patch C v3: rx_queue / rx_queue_lock removed (no relay). */
 	self->rx_buffer = (u8 *)__get_dma_pages(GFP_KERNEL, get_order(1632 * BES_SDIO_RX_MULTIPLE_NUM));
 	if (!self->rx_buffer)
 		return -ENOMEM;
-	INIT_WORK(&self->rx_work, sdio_rx_work);
+	/* Patch C v3: sdio_rx_work removed; bh thread does the read. */
 #endif
 #ifdef BES_SDIO_TX_MULTIPLE_ENABLE
 	INIT_LIST_HEAD(&self->tx_bufferlist);
@@ -1580,22 +1601,15 @@ err:
 
 static void bes2600_sdio_empty_work(struct sbus_priv *self)
 {
-#ifdef BES_SDIO_RX_MULTIPLE_ENABLE
-	struct sk_buff *skb;
-#endif
 #ifdef BES_SDIO_TX_MULTIPLE_ENABLE
 	struct bes_sdio_tx_list_t *tx_buffer, *temp;
 #endif
 
 #ifdef BES_SDIO_RX_MULTIPLE_ENABLE
-	cancel_work_sync(&self->rx_work);
-	while (1) {
-		skb = skb_dequeue(&self->rx_queue);
-		if (skb)
-			dev_kfree_skb(skb);
-		else
-			break;
-	}
+	/*
+	 * Patch C v3: rx_work and rx_queue removed.  Counters still
+	 * reset for the next attach cycle.
+	 */
 	self->rx_last_ctrl = 0;
 	self->rx_total_ctrl_cnt = 0;
 	self->rx_continuous_ctrl_cnt = 0;
@@ -1788,6 +1802,55 @@ static void bes2600_sdio_halt_device(struct sbus_priv *self)
 	sdio_work_debug(self);
 }
 
+/*
+ * Trigger an SDIO bus reset via mmc_hw_reset().
+ *
+ * With multiple SDIO functions probed (PineTab2 binds func 1 for WLAN and
+ * func 2 for the BT-companion path) mmc_sdio_hw_reset() takes the
+ * remove-and-rescan path: it marks the card removed and schedules
+ * mmc_rescan, which tears down the bound function drivers and re-detects
+ * the card on the next sweep, in turn reinvoking bes2600_sdio_probe().
+ *
+ * With a single function probed it instead invokes mmc_power_cycle()
+ * directly, which on PineTab2 toggles the wifi-reset GPIO via sdio_pwrseq.
+ *
+ * In both cases the chip ends up in a freshly reset state, which is the
+ * goal of the recovery path.
+ *
+ * mmc_hw_reset() must be called without holding the SDIO host claim --
+ * the multi-func remove-and-rescan path acquires the host claim via the
+ * mmc workqueue.
+ */
+static int bes2600_sdio_bus_reset(struct sbus_priv *self)
+{
+	struct mmc_host *host;
+	int ret;
+
+	if (!self || !self->func || !self->func->card)
+		return -EINVAL;
+
+	host = self->func->card->host;
+	ret = mmc_hw_reset(self->func->card);
+
+	/*
+	 * On multi-function SDIO cards (BES2600 has WLAN func 1 + BT
+	 * companion func 2), mmc_sdio_hw_reset() removes the card and
+	 * returns 1 to signal "remove happened, caller must trigger
+	 * rescan". The kernel does NOT auto-rescan in this case;
+	 * single-function cards take the rescan path inline and return 0.
+	 * Treat any non-negative return as success and force a rescan if
+	 * mmc_hw_reset signalled the multi-function path - otherwise the
+	 * card stays removed indefinitely after a wedge recovery,
+	 * leaving wifi (and the BT companion) silent until reboot.
+	 */
+	if (ret > 0) {
+		bes_info("multi-func mmc_hw_reset removed card; scheduling rescan\n");
+		mmc_detect_change(host, 0);
+		ret = 0;
+	}
+	return ret;
+}
+
 static bool bes2600_sdio_wakeup_source(struct sbus_priv *self)
 {
 	struct bes2600_platform_data_sdio *pdata = bes2600_get_platform_data();
@@ -1814,7 +1877,8 @@ static struct sbus_ops bes2600_sdio_sbus_ops = {
 	.sbus_reg_write		= bes2600_sdio_reg_write,
 	.init			= bes2600_sdio_misc_init,
 #ifdef BES_SDIO_RX_MULTIPLE_ENABLE
-	.pipe_read		= bes2600_sdio_pipe_read,
+	/* Patch C v3: .pipe_read removed; bus_rx_batch replaces it. */
+	.bus_rx_batch		= bes2600_sdio_read_rx_batch,
 #endif
 #ifdef BES_SDIO_TX_MULTIPLE_ENABLE
 	.pipe_send		= bes2600_sdio_pipe_send,
@@ -1826,6 +1890,7 @@ static struct sbus_ops bes2600_sdio_sbus_ops = {
 	.gpio_sleep		= bes2600_gpio_allow_mcu_sleep,
 	.halt_device		= bes2600_sdio_halt_device,
 	.wakeup_source		= bes2600_sdio_wakeup_source,
+	.bus_reset		= bes2600_sdio_bus_reset,
 };
 
 static void bes2600_sdio_en_lp_cb(struct bes2600_common *hw_priv)
@@ -1833,9 +1898,15 @@ static void bes2600_sdio_en_lp_cb(struct bes2600_common *hw_priv)
 	long unsigned int old_ts, new_ts;
 	struct sbus_priv *self = hw_priv->sbus_priv;
 
+	/*
+	 * Patch C v3: rx_work removed.  Wait for IRQ-timestamp activity
+	 * to settle by polling self->last_irq_timestamp via msleep
+	 * (best-effort).  The caller already knows the bh thread will
+	 * process pending bh_rx during its next wait_event round.
+	 */
 	do {
 		old_ts = self->last_irq_timestamp;
-		flush_work(&self->rx_work);
+		msleep(2);
 		new_ts = self->last_irq_timestamp;
 	} while(old_ts != new_ts);
 }
@@ -2193,8 +2264,12 @@ static int bes2600_sdio_suspend_noirq(struct device *dev)
 	if (func->num > 1)
 		return 0;
 
-	if(self->core &&
-	   (work_pending(&self->rx_work) || atomic_read(&self->core->bh_rx))) {
+	/*
+	 * Patch C v3: work_pending(&self->rx_work) check dropped (no
+	 * relay).  bh_rx atomic alone tells us whether the bh thread
+	 * has un-processed RX events queued.
+	 */
+	if (self->core && atomic_read(&self->core->bh_rx)) {
 		bes_devel("%s: Suspend interrupted.\n", __func__);
 		return -EAGAIN;
 	}

bes2600/bes_chardev.c

@@ -442,6 +442,60 @@ int bes2600_chrdev_do_system_close(const struct sbus_ops *sbus_ops, struct sbus_
 	return ret;
 }
 
+/*
+ * Hard-reset the bus and wait for the bus core to remove the chip.
+ *
+ * Used by the firmware-wedge recovery path on platforms where the normal
+ * power_switch(0) sequence has no effective chip-reset signal. The bus
+ * implementation triggers an asynchronous re-detect; this helper waits for
+ * the resulting remove() callback to clear bes2600_cdev.sbus_priv so that a
+ * subsequent bes2600_switch_wifi(true) sees a clean state and can wait on
+ * the fresh probe.
+ */
+int bes2600_chrdev_do_bus_reset(const struct sbus_ops *sbus_ops, struct sbus_priv *priv)
+{
+	int ret;
+	long status;
+
+	if (!sbus_ops || !priv)
+		return -EINVAL;
+
+	if (!sbus_ops->bus_reset)
+		return -EOPNOTSUPP;
+
+	bes_info("trigger bus reset to recover wedged firmware.\n");
+
+	ret = sbus_ops->bus_reset(priv);
+	if (ret) {
+		bes_err("bus_reset failed: %d\n", ret);
+		return ret;
+	}
+
+	/*
+	 * The bus reset is asynchronous: the bus core schedules a rescan
+	 * which removes the bound function drivers and then re-detects the
+	 * chip. Wait for the remove callback to clear sbus_priv. Do not
+	 * dereference 'priv' after this point -- it may already be freed.
+	 */
+	status = wait_event_timeout(bes2600_cdev.probe_done_wq,
+				    !bes2600_cdev.sbus_priv, HZ * 3);
+	WARN_ON(status <= 0);
+
+	return 0;
+}
+
+/*
+ * Trigger bes2600_chrdev_do_bus_reset() against the file-global
+ * bes2600_cdev. Used by host-side recovery paths outside this
+ * compilation unit (e.g. sta.c connection-loss-storm fast-recover) so
+ * those callers do not need to reach the static bes2600_cdev directly.
+ */
+int bes2600_chrdev_trigger_bus_reset(void)
+{
+	return bes2600_chrdev_do_bus_reset(bes2600_cdev.sbus_ops,
+					   bes2600_cdev.sbus_priv);
+}
+
 bool bes2600_chrdev_is_wifi_opened(void)
 {
 	bool wifi_opened = false;
@@ -540,8 +594,21 @@ static void bes2600_chrdev_wifi_force_close_work(struct work_struct *work)
 		/* unregister wifi */
 		bes2600_switch_wifi(0);
 
-		/* power down device if wifi is only opened */
-		if (bes2600_chrdev_check_system_close()) {
+		/*
+		 * Hard exception with a bus_reset implementation: tear the
+		 * bus down via mmc_hw_reset() (or equivalent) so the next
+		 * bringup probes a freshly reset chip. On PineTab2 this is
+		 * the only effective recovery path -- the existing
+		 * power_switch(0)/(1) sequence has no chip-reset signal of
+		 * its own (sdio_pwrseq owns wifi_reset).
+		 *
+		 * Soft close, or hard close on a board without bus_reset:
+		 * fall back to the legacy power_switch(0) sequence.
+		 */
+		if (bes2600_cdev.halt_dev && bes2600_cdev.sbus_ops->bus_reset) {
+			bes2600_chrdev_do_bus_reset(bes2600_cdev.sbus_ops,
+						    bes2600_cdev.sbus_priv);
+		} else if (bes2600_chrdev_check_system_close()) {
 			bes2600_chrdev_do_system_close(bes2600_cdev.sbus_ops,
 						bes2600_cdev.sbus_priv);
 		}

bes2600/bes_chardev.h

@@ -60,6 +60,8 @@ struct sbus_priv *bes2600_chrdev_get_sbus_priv_data(void);
 /* used to control device power down */
 int bes2600_chrdev_check_system_close(void);
 int bes2600_chrdev_do_system_close(const struct sbus_ops *sbus_ops, struct sbus_priv *priv);
+int bes2600_chrdev_do_bus_reset(const struct sbus_ops *sbus_ops, struct sbus_priv *priv);
+int bes2600_chrdev_trigger_bus_reset(void);
 void bes2600_chrdev_wakeup_bt(void);
 void bes2600_chrdev_wifi_force_close(struct bes2600_common *hw_priv, bool halt_dev);
 void bes2600_chrdev_usb_remove(struct bes2600_common *hw_priv);

bes2600/bh.c

@@ -101,7 +101,7 @@ void bes2600_unregister_bh(struct bes2600_common *hw_priv)
 	coex_deinit_mode(hw_priv);
 #endif
 
-	atomic_add(1, &hw_priv->bh_term);
+	atomic_inc(&hw_priv->bh_term);
 	wake_up(&hw_priv->bh_wq);
 
 	flush_workqueue(hw_priv->bh_workqueue);
@@ -590,7 +590,7 @@ static int bes2600_bh(void *arg)
 			bes_devel("[BH] Device resume.\n");
 			atomic_set(&hw_priv->bh_suspend, BES2600_BH_RESUMED);
 			wake_up(&hw_priv->bh_evt_wq);
-			atomic_add(1, &hw_priv->bh_rx);
+			atomic_inc(&hw_priv->bh_rx);
 			continue;
 		}
 
@@ -758,9 +758,9 @@ tx:
 
 #if 0 /* count is not implemented */
 				if (ret > 1)
-					atomic_add(1, &hw_priv->bh_tx);
+					atomic_inc(&hw_priv->bh_tx);
 #else
-				atomic_add(1, &hw_priv->bh_tx);
+				atomic_inc(&hw_priv->bh_tx);
 #endif
 
 #if defined(CONFIG_BES2600_NON_POWER_OF_TWO_BLOCKSIZES)
@@ -958,6 +958,119 @@ static void bes2600_bh_parse_wakeup_event(struct bes2600_common *hw_priv, struct
 	}
 }
 
+/*
+ * Direct-deliver an RX SKB into the WSM/mac80211 stack.
+ *
+ * Patch C v3 (no-relay architecture, matches cw1200): the bh thread
+ * calls bes2600_sdio_read_rx_batch which calls
+ * bes2600_sdio_extract_packets which calls THIS function per parsed
+ * SKB.  No rx_queue, no sdio_rx_work, no inter-thread handoff.
+ *
+ * Single-writer-from-bh invariant on hw_priv->hw_bufs_used,
+ * hw_priv->hw_bufs_used_vif[] and hw_priv->wsm_tx_pending[] is
+ * preserved BY CONSTRUCTION — there is now only one writer (the bh
+ * thread itself), same as cw1200's design.  No atomic_t conversion
+ * needed.
+ *
+ * Contract:
+ *   - process context, sleepable.  wsm_handle_rx (wsm.c, EXPORT_SYMBOL)
+ *     acquires wsm_cmd.lock and may sleep on wait_event_timeout.
+ *   - caller holds no bes2600 spinlock.  bes2600_sdio_unlock(self) is
+ *     called inside read_rx_batch before extract_packets is invoked.
+ *   - SKB ownership: function frees on every path (success + error).
+ *   - No need to wake the bh thread on TX-confirm — we ARE the bh
+ *     thread; tx_burst is signalled by returning *tx_out = 1 to the
+ *     caller (bh_rx_helper), which propagates it to bh's outer loop.
+ */
+int bes2600_bh_handle_rx_skb(struct bes2600_common *priv, struct sk_buff *skb)
+{
+	struct wsm_hdr *wsm;
+	size_t wsm_len;
+	u16 wsm_id;
+	u8 wsm_seq;
+	int tx = 0;
+	u32 confirm_label = 0x0;
+
+	if (!skb)
+		return 0;
+
+	wsm = (struct wsm_hdr *)skb->data;
+	wsm_len = __le16_to_cpu(wsm->len);
+	if (WARN_ON(wsm_len > skb->len)) {
+		bes_err("wsm_len err %d %d\n", (int)wsm_len, (int)skb->len);
+		dev_kfree_skb(skb);
+		return -1;
+	}
+
+	if (priv->wsm_enable_wsm_dumps)
+		print_hex_dump(KERN_DEBUG, "<-- ", DUMP_PREFIX_NONE, 16, 1,
+			       skb->data, wsm_len, false);
+
+	wsm_id  = __le16_to_cpu(wsm->id) & 0xFFF;
+	wsm_seq = (__le16_to_cpu(wsm->id) >> 13) & 7;
+	bes_devel("bes2600_bh_handle_rx_skb wsm_id:0x%04x seq:%d\n",
+		  wsm_id, wsm_seq);
+
+	skb_trim(skb, wsm_len);
+
+	if (wsm_id == 0x0800) {
+		wsm_handle_exception(priv,
+				     &skb->data[sizeof(*wsm)],
+				     wsm_len - sizeof(*wsm));
+		bes_err("wsm exception\n");
+		dev_kfree_skb(skb);
+		return -1;
+	} else if ((wsm_seq != priv->wsm_rx_seq[WSM_TXRX_SEQ_IDX(wsm_id)])) {
+		bes_err("seq error! %u. %u. 0x%x.", wsm_seq,
+			priv->wsm_rx_seq[WSM_TXRX_SEQ_IDX(wsm_id)], wsm_id);
+		dev_kfree_skb(skb);
+		return -1;
+	}
+
+	bes2600_bh_parse_wakeup_event(priv, skb);
+
+	priv->wsm_rx_seq[WSM_TXRX_SEQ_IDX(wsm_id)] = (wsm_seq + 1) & 7;
+
+	if (IS_DRIVER_TO_MCU_CMD(wsm_id))
+		confirm_label = __le32_to_cpu(((struct wsm_mcu_hdr *)wsm)->handle_label);
+
+	if (WSM_CONFIRM_CONDITION(wsm_id, confirm_label)) {
+		int rc = wsm_release_tx_buffer(priv, 1);
+		bes2600_bh_dec_pending_count(priv, WSM_TXRX_SEQ_IDX(wsm->id));
+
+		if (rc < 0) {
+			bes_err("wsm_release_tx_buffer failed: %d\n", rc);
+			dev_kfree_skb(skb);
+			return rc;
+		} else if (rc > 0) {
+			tx = 1;
+		}
+	}
+
+	/* wsm_handle_rx takes care of SKB lifetime: zeroes *skb_p if consumed. */
+	if (wsm_handle_rx(priv, wsm_id, wsm, &skb)) {
+		bes_err("wsm_handle_rx failed (id=0x%04x)\n", wsm_id);
+		if (skb)
+			dev_kfree_skb(skb);
+		return -1;
+	}
+
+	if (skb)
+		dev_kfree_skb(skb);
+
+	/*
+	 * Signal "tx side has new headroom" via atomic so the bh outer
+	 * loop's wait_event predicate notices on its next wait.  No
+	 * cross-thread wake needed because we are the bh thread; the
+	 * outer loop will pick this up after read_rx_batch returns.
+	 */
+	if (tx)
+		atomic_inc(&priv->bh_tx);
+
+	return 0;
+}
+EXPORT_SYMBOL(bes2600_bh_handle_rx_skb);
+
 static int bes2600_bh_rx_helper(struct bes2600_common *priv, int *tx)
 {
 	struct sk_buff *skb = NULL;
@@ -969,10 +1082,18 @@ static int bes2600_bh_rx_helper(struct bes2600_common *priv, int *tx)
 	u32 confirm_label = 0x0; /* wsm to mcu cmd cnfirm label */
 
 #if defined(BES_SDIO_RX_MULTIPLE_ENABLE)
-	skb = (struct sk_buff *)priv->sbus_ops->pipe_read(priv->sbus_priv);
-	if (!skb)
-		return 0;
-	rx = 1; // always consider rx pipe not empty
+	/*
+	 * Patch C v3: the bh thread does the SDIO read inline via
+	 * sbus_ops->bus_rx_batch.  bes2600_sdio_read_rx_batch reads the
+	 * multi-RX coalesced frames out of the chip and delivers each
+	 * one inline via bes2600_bh_handle_rx_skb (no rx_queue, no
+	 * pipe_read, no inter-thread handoff).  Return value: 0 on
+	 * success (bh outer loop will check whether to continue),
+	 * negative on read error.
+	 */
+	if (priv->sbus_ops->bus_rx_batch)
+		return priv->sbus_ops->bus_rx_batch(priv->sbus_priv);
+	return 0;
 #else
 	u32 ctrl_reg = 0;
 	size_t read_len = 0;
@@ -1134,7 +1255,7 @@ static int bes2600_bh_tx_helper(struct bes2600_common *hw_priv,
 	tx_len += 4;
 #endif
 
-	atomic_add(1, &hw_priv->bh_tx);
+	atomic_inc(&hw_priv->bh_tx);
 
 	tx_len = hw_priv->sbus_ops->align_size(
 		hw_priv->sbus_priv, tx_len);
@@ -1435,7 +1556,7 @@ static int bes2600_bh(void *arg)
 			bes_devel("[BH] Device resume.\n");
 			atomic_set(&hw_priv->bh_suspend, BES2600_BH_RESUMED);
 			wake_up(&hw_priv->bh_evt_wq);
-			atomic_add(1, &hw_priv->bh_rx);
+			atomic_inc(&hw_priv->bh_rx);
 			goto done;
 		}
 

bes2600/bh.h

@@ -39,6 +39,15 @@ int wsm_release_vif_tx_buffer(struct bes2600_common *hw_priv, int if_id,
 int bes2600_bh_sw_process(struct bes2600_common *hw_priv,
 			 struct wsm_tx_confirm *tx_confirm);
 
+/*
+ * Direct-deliver an RX SKB into the WSM/mac80211 stack from the bh thread.
+ * Called by bes2600_sdio_extract_packets per RX frame, no queueing.
+ * Process context, sleepable, caller holds no bes2600 spinlock.
+ * Function frees skb on every path. See bh.c for full contract.
+ */
+int bes2600_bh_handle_rx_skb(struct bes2600_common *hw_priv,
+			     struct sk_buff *skb);
+
 void bes2600_bh_inc_pending_count(struct bes2600_common *hw_priv, int idx);
 void bes2600_bh_dec_pending_count(struct bes2600_common *hw_priv, int idx);
 

bes2600/debug.c

@@ -110,17 +110,20 @@ static int bes2600_status_show_common(struct seq_file *seq, void *v)
 	int ba_cnt, ba_acc, ba_cnt_rx, ba_acc_rx, ba_avg = 0, ba_avg_rx = 0;
 	bool ba_ena;
 
-	spin_lock_bh(&hw_priv->ba_lock);
-	ba_cnt = hw_priv->debug->ba_cnt;
-	ba_acc = hw_priv->debug->ba_acc;
+	/*
+	 * Patch D: ba_lock removed.  hw_priv->debug->ba_* are written only
+	 * by the timer callback (single writer); reading without a lock is
+	 * fine for stats.  ba_ena is atomic_t.
+	 */
+	ba_cnt    = hw_priv->debug->ba_cnt;
+	ba_acc    = hw_priv->debug->ba_acc;
 	ba_cnt_rx = hw_priv->debug->ba_cnt_rx;
 	ba_acc_rx = hw_priv->debug->ba_acc_rx;
-	ba_ena = hw_priv->ba_ena;
+	ba_ena    = !!atomic_read(&hw_priv->ba_ena);
 	if (ba_cnt)
 		ba_avg = ba_acc / ba_cnt;
 	if (ba_cnt_rx)
 		ba_avg_rx = ba_acc_rx / ba_cnt_rx;
-	spin_unlock_bh(&hw_priv->ba_lock);
 
 	seq_puts(seq,   "BES2600 Wireless LAN driver status\n");
 	seq_printf(seq, "Hardware:   %d.%d\n",
@@ -542,6 +545,10 @@ static int bes2600_status_show_priv(struct seq_file *seq, void *v)
 		priv->listening ? " (listening)" : "");
 	seq_printf(seq, "Assoc:      %s\n",
 		bes2600_debug_join_status[priv->join_status]);
+	seq_printf(seq, "DecryptStormRecoveries: %u\n",
+		   priv->decrypt_storm_recoveries);
+	seq_printf(seq, "ConnectionLossStormRecoveries: %u\n",
+		   priv->connection_loss_storm_recoveries);
 	if (priv->rx_filter.promiscuous)
 		seq_puts(seq,   "Filter:     promisc\n");
 	else if (priv->rx_filter.fcs)

bes2600/itp.c

@@ -570,7 +570,7 @@ int bes2600_itp_get_tx(struct bes2600_common *priv, u8 **data,
 	*burst = 2;
 	atomic_set(&priv->bh_tx, 1);
 	ktime_get_ts(&itp->last_sent);
-	atomic_add(1, &itp->awaiting_confirm);
+	atomic_inc(&itp->awaiting_confirm);
 	spin_unlock_bh(&itp->tx_lock);
 	return 1;
 

bes2600/main.c

@@ -484,17 +484,20 @@ static struct ieee80211_hw *bes2600_init_common(size_t hw_priv_data_len)
 	spin_lock_init(&hw_priv->rtsvalue_lock);
 	INIT_WORK(&hw_priv->dynamic_opt_txrx_work, bes2600_dynamic_opt_txrx_work);
 	INIT_WORK(&hw_priv->tx_policy_upload_work, tx_policy_upload_work);
+	INIT_WORK(&hw_priv->connection_loss_storm_recover_work,
+		  bes2600_connection_loss_storm_recover);
 	spin_lock_init(&hw_priv->event_queue_lock);
 	INIT_LIST_HEAD(&hw_priv->event_queue);
 	INIT_WORK(&hw_priv->event_handler, bes2600_event_handler);
 	INIT_WORK(&hw_priv->ba_work, bes2600_ba_work);
-	spin_lock_init(&hw_priv->ba_lock);
+	/* Patch D: ba_lock removed; ba_acc/ba_cnt/etc are atomic_t. */
 	timer_setup(&hw_priv->ba_timer, bes2600_ba_timer, 0);
 
 	if (unlikely(bes2600_queue_stats_init(&hw_priv->tx_queue_stats,
 			WLAN_LINK_ID_MAX,
 			bes2600_skb_dtor,
 			hw_priv))) {
+		destroy_workqueue(hw_priv->workqueue);
 		ieee80211_free_hw(hw);
 		return NULL;
 	}
@@ -506,6 +509,7 @@ static struct ieee80211_hw *bes2600_init_common(size_t hw_priv_data_len)
 			for (; i > 0; i--)
 				bes2600_queue_deinit(&hw_priv->tx_queue[i - 1]);
 			bes2600_queue_stats_deinit(&hw_priv->tx_queue_stats);
+			destroy_workqueue(hw_priv->workqueue);
 			ieee80211_free_hw(hw);
 			return NULL;
 		}

bes2600/sbus.h

@@ -75,6 +75,22 @@ struct sbus_ops {
 	void (*halt_device)(struct sbus_priv *self);
 	bool (*wakeup_source)(struct sbus_priv *self);
 	int (*reboot)(struct sbus_priv *self);
+	/*
+	 * Force the host bus to re-detect and re-probe the chip. Called
+	 * from the firmware-wedge recovery path when power_switch() has no
+	 * effective chip-reset signal of its own (e.g. PineTab2, where the
+	 * wifi-reset GPIO is owned by sdio_pwrseq, not the bes2600 node).
+	 * Returns 0 on success or a negative errno.
+	 */
+	int (*bus_reset)(struct sbus_priv *self);
+	/*
+	 * Read a batch of RX frames inline from the bus and deliver each
+	 * one via bes2600_bh_handle_rx_skb().  Called from the bh thread
+	 * (process context, sleepable).  Replaces the
+	 * sdio_rx_work + rx_queue + pipe_read relay (Patch C v3, 2026).
+	 * Returns 0 on success, negative on read error.
+	 */
+	int (*bus_rx_batch)(struct sbus_priv *self);
 };
 
 void bes2600_irq_handler(struct bes2600_common *priv);

bes2600/scan.c

@@ -257,18 +257,21 @@ int bes2600_hw_scan(struct ieee80211_hw *hw,
 
 	bes2600_pwr_set_busy_event(hw_priv, BES_PWR_LOCK_ON_SCAN);
 
-	frame.skb = ieee80211_probereq_get(hw, priv->vif->addr, NULL, 0,
-		req->ie_len);
-	if (!frame.skb)
-		return -ENOMEM;
-
-	if (req->ie_len)
-		skb_put_data(frame.skb, req->ie, req->ie_len);
-
 	/* will be unlocked in bes2600_scan_work() */
 	down(&hw_priv->scan.lock);
 	down(&hw_priv->conf_lock);
 
+	frame.skb = ieee80211_probereq_get(hw, priv->vif->addr, NULL, 0,
+		req->ie_len);
+	if (!frame.skb) {
+		up(&hw_priv->conf_lock);
+		up(&hw_priv->scan.lock);
+		return -ENOMEM;
+	}
+
+	if (req->ie_len)
+		skb_put_data(frame.skb, req->ie, req->ie_len);
+
 	if (frame.skb) {
 		int ret;
 		//if (priv->if_id == 0)
@@ -286,9 +289,9 @@ int bes2600_hw_scan(struct ieee80211_hw *hw,
 		}
 #endif
 		if (ret) {
+			dev_kfree_skb(frame.skb);
 			up(&hw_priv->conf_lock);
 			up(&hw_priv->scan.lock);
-			dev_kfree_skb(frame.skb);
 			return ret;
 		}
 	}
@@ -318,10 +321,10 @@ int bes2600_hw_scan(struct ieee80211_hw *hw,
 		++hw_priv->scan.n_ssids;
 	}
 
-	up(&hw_priv->conf_lock);
-
 	if (frame.skb)
 		dev_kfree_skb(frame.skb);
+
+	up(&hw_priv->conf_lock);
 #ifdef WIFI_BT_COEXIST_EPTA_ENABLE
 	bwifi_change_current_status(hw_priv, BWIFI_STATUS_SCANNING);
 #endif
@@ -362,14 +365,18 @@ int bes2600_hw_sched_scan_start(struct ieee80211_hw *hw,
 	if (req->n_ssids > hw->wiphy->max_scan_ssids)
 		return -EINVAL;
 
-	frame.skb = ieee80211_probereq_get(hw, priv->vif->addr, NULL, 0,
-		req->ie_len);
-	if (!frame.skb)
-		return -ENOMEM;
-
 	/* will be unlocked in bes2600_scan_work() */
 	down(&hw_priv->scan.lock);
 	down(&hw_priv->conf_lock);
+
+	frame.skb = ieee80211_probereq_get(hw, priv->vif->addr, NULL, 0,
+		req->ie_len);
+	if (!frame.skb) {
+		up(&hw_priv->conf_lock);
+		up(&hw_priv->scan.lock);
+		return -ENOMEM;
+	}
+
 	if (frame.skb) {
 		int ret;
 		if (priv->if_id == 0)
@@ -380,9 +387,9 @@ int bes2600_hw_sched_scan_start(struct ieee80211_hw *hw,
 			ret = wsm_set_probe_responder(priv, true);
 		}
 		if (ret) {
+			dev_kfree_skb(frame.skb);
 			up(&hw_priv->conf_lock);
 			up(&hw_priv->scan.lock);
-			dev_kfree_skb(frame.skb);
 			return ret;
 		}
 	}
@@ -414,10 +421,10 @@ int bes2600_hw_sched_scan_start(struct ieee80211_hw *hw,
 		}
 	}
 
-	up(&hw_priv->conf_lock);
-
 	if (frame.skb)
 		dev_kfree_skb(frame.skb);
+
+	up(&hw_priv->conf_lock);
 	queue_work(hw_priv->workqueue, &hw_priv->scan.swork);
 	wiphy_warn(hw->wiphy, "<--[SCAN] Scheduled scan request.\n");
 	return 0;

bes2600/sta.c

@@ -266,6 +266,7 @@ void bes2600_stop(struct ieee80211_hw *dev, bool suspend)
 	cancel_work_sync(&hw_priv->coex_work);
 	coex_stop(hw_priv);
 #endif
+	cancel_work_sync(&hw_priv->connection_loss_storm_recover_work);
 
 	bes2600_wifi_stop(hw_priv);
 
@@ -448,6 +449,7 @@ void bes2600_remove_interface(struct ieee80211_hw *dev,
 	cancel_delayed_work_sync(&priv->join_timeout);
 	cancel_delayed_work_sync(&priv->set_cts_work);
 	cancel_delayed_work_sync(&priv->pending_offchanneltx_work);
+	cancel_work_sync(&priv->decrypt_storm_recover_work);
 
 	del_timer_sync(&priv->mcast_timeout);
 	/* TODO:COMBO: May be reset of these variables "delayed_link_loss and
@@ -1658,6 +1660,70 @@ report:
 	spin_unlock(&priv->bss_loss_lock);
 }
 
+/*
+ * Connection-loss-storm fast-recover (Trigger A).
+ *
+ * bes2600_connection_loss_work below is the driver's own decision-point
+ * to give up on a BSS (after bss-loss detection accumulates beyond
+ * tolerance) and tell mac80211 via ieee80211_connection_loss(). On the
+ * deployed pinetab2 stack a single ieee80211_connection_loss() event
+ * sometimes triggers a userspace reauth blackhole (assoc-comeback
+ * timeouts followed by AP unprotected-deauth-reason-6) that ends only
+ * via cross-channel/cross-SSID fallback and can take 80+ s. Receipts at
+ * https://git.reauktion.de/marfrit/besser, notes/phase4-2026-05-07.md.
+ *
+ * When N connection-loss decisions land within WINDOW on the same vif,
+ * skip the ieee80211_connection_loss() path and trigger a chip-level
+ * bus_reset (the c5.2-introduced bes2600_chrdev_do_bus_reset). The chip
+ * is removed and re-probed; userspace re-associates from a fresh state,
+ * dodging the assoc-comeback loop.
+ *
+ * Threshold (3 / 60 s) is chosen well above the steady-state per-vif
+ * connection-loss rate observed in the patch-A Phase-7 rep
+ * (0.86/h under sustained load), so a true storm is required.
+ *
+ * The recover work_struct lives on bes2600_common (hw_priv) so that
+ * scheduling it does not race with vif teardown after bus_reset frees
+ * the per-vif state.
+ */
+#define BES2600_CONNECTION_LOSS_STORM_THRESHOLD	3
+#define BES2600_CONNECTION_LOSS_STORM_WINDOW_MS	60000
+
+void bes2600_connection_loss_storm_recover(struct work_struct *work)
+{
+	bes_warn("[bes2600] connection-loss-storm fast-recover: bus_reset\n");
+	bes2600_chrdev_trigger_bus_reset();
+	/*
+	 * After bes2600_chrdev_do_bus_reset() returns, the SDIO core has
+	 * scheduled a remove + rescan; per-vif state may already be gone.
+	 * Do not dereference any per-vif pointer here.
+	 */
+}
+
+void bes2600_connection_loss_storm_init(struct bes2600_vif *priv)
+{
+	priv->connection_loss_storm_window_start = 0;
+	priv->connection_loss_storm_count = 0;
+	priv->connection_loss_storm_recoveries = 0;
+}
+
+bool bes2600_connection_loss_storm_account(struct bes2600_vif *priv)
+{
+	unsigned long now = jiffies;
+	unsigned long window =
+		msecs_to_jiffies(BES2600_CONNECTION_LOSS_STORM_WINDOW_MS);
+
+	if (priv->connection_loss_storm_window_start == 0 ||
+	    time_after(now, priv->connection_loss_storm_window_start + window)) {
+		priv->connection_loss_storm_window_start = now;
+		priv->connection_loss_storm_count = 1;
+		return false;
+	}
+
+	return ++priv->connection_loss_storm_count >=
+	       BES2600_CONNECTION_LOSS_STORM_THRESHOLD;
+}
+
 void bes2600_connection_loss_work(struct work_struct *work)
 {
 	struct bes2600_vif *priv =
@@ -1667,9 +1733,21 @@ void bes2600_connection_loss_work(struct work_struct *work)
 
 	bes_devel("[CQM] Reporting connection loss.\n");
 	bes2600_pwr_clear_busy_event(priv->hw_priv, BES_PWR_LOCK_ON_BSS_LOST);
-	if(bes2600_suspend_status_get(hw_priv)) {
+
+	if (bes2600_connection_loss_storm_account(priv)) {
+		bes_warn("[bes2600] connection-loss storm: %u in %u s, scheduling bus reset\n",
+			 priv->connection_loss_storm_count,
+			 BES2600_CONNECTION_LOSS_STORM_WINDOW_MS / 1000);
+		priv->connection_loss_storm_count = 0;
+		priv->connection_loss_storm_recoveries++;
+		schedule_work(&hw_priv->connection_loss_storm_recover_work);
+		/* bus_reset will tear the chip down; skip the mac80211 path. */
+		return;
+	}
+
+	if (bes2600_suspend_status_get(hw_priv))
 		bes2600_pending_unjoin_set(hw_priv, priv->if_id);
-	} else
+	else
 		ieee80211_connection_loss(priv->vif);
 #ifdef WIFI_BT_COEXIST_EPTA_ENABLE
 	// set disconnected in BSS_CHANGED_ASSOC
@@ -2264,14 +2342,19 @@ void bes2600_join_work(struct work_struct *work)
 		//WARN_ON(wsm_reset(hw_priv, &reset, priv->if_id));
 		WARN_ON(wsm_set_block_ack_policy(hw_priv,
 			0, hw_priv->ba_tid_mask, priv->if_id));
-		spin_lock_bh(&hw_priv->ba_lock);
-		hw_priv->ba_ena = false;
-		hw_priv->ba_cnt = 0;
-		hw_priv->ba_acc = 0;
+		/*
+		 * Patch D: ba_lock removed.  Disconnect-reset clears the
+		 * counters and the arm flag; producers racing here cannot
+		 * cause harm — at worst they re-arm the timer and bump
+		 * counters that will be cleared on the next timer tick.
+		 */
+		atomic_set(&hw_priv->ba_ena, 0);
+		atomic_set(&hw_priv->ba_cnt, 0);
+		atomic_set(&hw_priv->ba_acc, 0);
 		hw_priv->ba_hist = 0;
-		hw_priv->ba_cnt_rx = 0;
-		hw_priv->ba_acc_rx = 0;
-		spin_unlock_bh(&hw_priv->ba_lock);
+		atomic_set(&hw_priv->ba_cnt_rx, 0);
+		atomic_set(&hw_priv->ba_acc_rx, 0);
+		atomic_set(&hw_priv->ba_armed, 0);
 
 		mgmt_policy.protectedMgmtEnable = 0;
 		mgmt_policy.unprotectedMgmtFramesAllowed = 1;
@@ -2551,10 +2634,11 @@ void bes2600_ba_work(struct work_struct *work)
 		return;*/
 
 	bes_devel("BA work****\n");
-	spin_lock_bh(&hw_priv->ba_lock);
-//	tx_ba_tid_mask = hw_priv->ba_ena ? hw_priv->ba_tid_mask : 0;
+	/*
+	 * Patch D: ba_lock removed.  ba_tid_mask is u8 set once at init
+	 * (main.c); reading it without a lock is fine.
+	 */
 	tx_ba_tid_mask = hw_priv->ba_tid_mask;
-	spin_unlock_bh(&hw_priv->ba_lock);
 
 	wsm_lock_tx(hw_priv);
 
@@ -2567,37 +2651,49 @@ void bes2600_ba_work(struct work_struct *work)
 void bes2600_ba_timer(struct timer_list *t)
 {
 	bool ba_ena;
+	int cnt, acc, cnt_rx, acc_rx;
 	struct bes2600_common *hw_priv = from_timer(hw_priv, t, ba_timer);
 
-	spin_lock_bh(&hw_priv->ba_lock);
-	bes2600_debug_ba(hw_priv, hw_priv->ba_cnt, hw_priv->ba_acc,
-			hw_priv->ba_cnt_rx, hw_priv->ba_acc_rx);
+	/*
+	 * Patch D: ba_lock removed.  Snapshot atomic counters into locals
+	 * for the predicate evaluation; producers may race incrementing
+	 * after the snapshot but the resulting decision is approximate
+	 * which the policy already tolerates (next timer tick re-evaluates).
+	 */
+	cnt    = atomic_read(&hw_priv->ba_cnt);
+	acc    = atomic_read(&hw_priv->ba_acc);
+	cnt_rx = atomic_read(&hw_priv->ba_cnt_rx);
+	acc_rx = atomic_read(&hw_priv->ba_acc_rx);
+
+	bes2600_debug_ba(hw_priv, cnt, acc, cnt_rx, acc_rx);
 
 	if (atomic_read(&hw_priv->scan.in_progress)) {
-		hw_priv->ba_cnt = 0;
-		hw_priv->ba_acc = 0;
-		hw_priv->ba_cnt_rx = 0;
-		hw_priv->ba_acc_rx = 0;
-		goto skip_statistic_update;
+		atomic_set(&hw_priv->ba_cnt, 0);
+		atomic_set(&hw_priv->ba_acc, 0);
+		atomic_set(&hw_priv->ba_cnt_rx, 0);
+		atomic_set(&hw_priv->ba_acc_rx, 0);
+		atomic_set(&hw_priv->ba_armed, 0);
+		return;
 	}
 
-	if (hw_priv->ba_cnt >= BES2600_BLOCK_ACK_CNT &&
-		(hw_priv->ba_acc / hw_priv->ba_cnt >= BES2600_BLOCK_ACK_THLD ||
-		(hw_priv->ba_cnt_rx >= BES2600_BLOCK_ACK_CNT &&
-		hw_priv->ba_acc_rx / hw_priv->ba_cnt_rx >=
+	if (cnt >= BES2600_BLOCK_ACK_CNT &&
+		(acc / cnt >= BES2600_BLOCK_ACK_THLD ||
+		(cnt_rx >= BES2600_BLOCK_ACK_CNT &&
+		acc_rx / cnt_rx >=
 			BES2600_BLOCK_ACK_THLD)))
 		ba_ena = true;
 	else
 		ba_ena = false;
 
-	hw_priv->ba_cnt = 0;
-	hw_priv->ba_acc = 0;
-	hw_priv->ba_cnt_rx = 0;
-	hw_priv->ba_acc_rx = 0;
+	atomic_set(&hw_priv->ba_cnt, 0);
+	atomic_set(&hw_priv->ba_acc, 0);
+	atomic_set(&hw_priv->ba_cnt_rx, 0);
+	atomic_set(&hw_priv->ba_acc_rx, 0);
+	atomic_set(&hw_priv->ba_armed, 0);
 
-	if (ba_ena != hw_priv->ba_ena) {
+	if (ba_ena != !!atomic_read(&hw_priv->ba_ena)) {
 		if (ba_ena || ++hw_priv->ba_hist >= BES2600_BLOCK_ACK_HIST) {
-			hw_priv->ba_ena = ba_ena;
+			atomic_set(&hw_priv->ba_ena, ba_ena ? 1 : 0);
 			hw_priv->ba_hist = 0;
 #if 0
 			bes_devel("[STA] %s block ACK:\n",
@@ -2607,9 +2703,6 @@ void bes2600_ba_timer(struct timer_list *t)
 		}
 	} else if (hw_priv->ba_hist)
 		--hw_priv->ba_hist;
-
-skip_statistic_update:
-	spin_unlock_bh(&hw_priv->ba_lock);
 }
 
 int bes2600_vif_setup(struct bes2600_vif *priv)
@@ -2619,6 +2712,8 @@ int bes2600_vif_setup(struct bes2600_vif *priv)
 
 	/* Setup per vif workitems and locks */
 	spin_lock_init(&priv->vif_lock);
+	bes2600_decrypt_storm_init(priv);
+	bes2600_connection_loss_storm_init(priv);
 	INIT_WORK(&priv->join_work, bes2600_join_work);
 	INIT_DELAYED_WORK(&priv->join_timeout, bes2600_join_timeout);
 	INIT_WORK(&priv->unjoin_work, bes2600_unjoin_work);

bes2600/txrx.c

@@ -25,6 +25,78 @@
 
 #define BES2600_INVALID_RATE_ID (0xFF)
 
+/*
+ * Decrypt-storm fast-recover (Trigger B).
+ *
+ * When the BES2600 firmware reports WSM_STATUS_DECRYPTFAILURE for a
+ * burst of received frames (typically because the host's PTK or GTK
+ * has fallen out of sync with the AP), the AP eventually concludes that
+ * the STA is not authenticated and emits an unprotected deauth-reason-6
+ * ("Class 2 frame received from non-authenticated station"). On the
+ * deployed pinetab2 + bes2600 stack this AP-initiated deauth has been
+ * observed to leave the link blackholed for up to 109 s before
+ * userspace finds a different SSID/channel to recover on. (Receipts at
+ * https://git.reauktion.de/marfrit/besser, notes/phase5-2026-05-06.md.)
+ *
+ * Recovery here pre-empts the AP: when we see THRESHOLD decrypt
+ * failures within WINDOW, we ask mac80211 for a clean reassoc via
+ * ieee80211_connection_loss(), which causes immediate disassociation
+ * and lets userspace auto-reconnect with fresh keys.
+ *
+ * mac80211 contract: ieee80211_connection_loss() may be called
+ * regardless of IEEE80211_HW_CONNECTION_MONITOR; it causes immediate
+ * disassociation without driver-side recovery attempts. See
+ * include/net/mac80211.h for the canonical doc-comment.
+ *
+ * The threshold is set well above the steady-state per-vif
+ * decrypt-fail rate observed in measurement (~1/min even under
+ * sustained 1 MB/s load), so a true storm is required to trip it.
+ */
+#define BES2600_DECRYPT_STORM_THRESHOLD	5
+#define BES2600_DECRYPT_STORM_WINDOW_MS	5000
+
+static void bes2600_decrypt_storm_recover_work(struct work_struct *work)
+{
+	struct bes2600_vif *priv = container_of(work, struct bes2600_vif,
+						decrypt_storm_recover_work);
+
+	if (!priv->vif)
+		return;
+
+	bes_warn("[bes2600] decrypt-storm fast-recover: forcing reassoc\n");
+	ieee80211_connection_loss(priv->vif);
+	priv->decrypt_storm_recoveries++;
+}
+
+void bes2600_decrypt_storm_init(struct bes2600_vif *priv)
+{
+	INIT_WORK(&priv->decrypt_storm_recover_work,
+		  bes2600_decrypt_storm_recover_work);
+	priv->decrypt_storm_window_start = 0;
+	priv->decrypt_storm_count = 0;
+	priv->decrypt_storm_recoveries = 0;
+}
+
+void bes2600_decrypt_storm_account(struct bes2600_vif *priv)
+{
+	unsigned long now = jiffies;
+	unsigned long window = msecs_to_jiffies(BES2600_DECRYPT_STORM_WINDOW_MS);
+
+	if (priv->decrypt_storm_window_start == 0 ||
+	    time_after(now, priv->decrypt_storm_window_start + window)) {
+		priv->decrypt_storm_window_start = now;
+		priv->decrypt_storm_count = 1;
+		return;
+	}
+
+	if (++priv->decrypt_storm_count >= BES2600_DECRYPT_STORM_THRESHOLD) {
+		priv->decrypt_storm_count = 0;
+		/* Skew the window so we don't re-fire on the same storm. */
+		priv->decrypt_storm_window_start = now + window;
+		schedule_work(&priv->decrypt_storm_recover_work);
+	}
+}
+
 #ifdef CONFIG_BES2600_TESTMODE
 #include "bes_nl80211_testmode_msg.h"
 #endif /* CONFIG_BES2600_TESTMODE */
@@ -923,14 +995,18 @@ bes2600_tx_h_ba_stat(struct bes2600_vif *priv,
 	if (!ieee80211_is_data(t->hdr->frame_control))
 		return;
 
-	spin_lock_bh(&hw_priv->ba_lock);
-	hw_priv->ba_acc += t->skb->len - t->hdrlen;
-	if (!(hw_priv->ba_cnt_rx || hw_priv->ba_cnt)) {
+	/*
+	 * Patch D: lock-free hot-path BA accounting.  atomic_inc + atomic_add
+	 * each per-frame; the once-per-window timer-arm uses cmpxchg on
+	 * ba_armed so concurrent TX/RX can't both try to set the timer and
+	 * we don't need cross-counter coherency on the ba_cnt/ba_cnt_rx pair.
+	 */
+	atomic_add(t->skb->len - t->hdrlen, &hw_priv->ba_acc);
+	atomic_inc(&hw_priv->ba_cnt);
+	if (atomic_cmpxchg(&hw_priv->ba_armed, 0, 1) == 0) {
 		mod_timer(&hw_priv->ba_timer,
 			jiffies + BES2600_BLOCK_ACK_INTERVAL);
 	}
-	hw_priv->ba_cnt++;
-	spin_unlock_bh(&hw_priv->ba_lock);
 }
 
 static int
@@ -1557,14 +1633,13 @@ bes2600_rx_h_ba_stat(struct bes2600_vif *priv,
 	if (!priv->setbssparams_done)
 		return;
 
-	spin_lock_bh(&hw_priv->ba_lock);
-	hw_priv->ba_acc_rx += skb_len - hdrlen;
-	if (!(hw_priv->ba_cnt_rx || hw_priv->ba_cnt)) {
+	/* Patch D: lock-free hot-path BA accounting; see TX side comment. */
+	atomic_add(skb_len - hdrlen, &hw_priv->ba_acc_rx);
+	atomic_inc(&hw_priv->ba_cnt_rx);
+	if (atomic_cmpxchg(&hw_priv->ba_armed, 0, 1) == 0) {
 		mod_timer(&hw_priv->ba_timer,
 			jiffies + BES2600_BLOCK_ACK_INTERVAL);
 	}
-	hw_priv->ba_cnt_rx++;
-	spin_unlock_bh(&hw_priv->ba_lock);
 }
 
 void bes2600_rx_cb(struct bes2600_vif *priv,
@@ -1672,6 +1747,8 @@ void bes2600_rx_cb(struct bes2600_vif *priv,
 			goto drop;
 		} else {
 			bes_warn("[RX] Receive failure: %d.\n", arg->status);
+			if (arg->status == WSM_STATUS_DECRYPTFAILURE)
+				bes2600_decrypt_storm_account(priv);
 			goto drop;
 		}
 	}