Merge pull request 'bes2600: pre-empt AP-deauth-6 with mac80211 reassoc on decrypt-fail storm' (#1) from bes2600/decrypt-storm-fast-recover into mobian

Reviewed-on: #1

bes2600/Makefile

@@ -2,7 +2,7 @@ KERN_DIR = /lib/modules/$(KERNELRELEASE)/build
 # feature option
 BES2600                                 ?= m
 
-CONFIG_BES2600_TESTMODE                 ?= y
+CONFIG_BES2600_TESTMODE                 ?= n
 
 CONFIG_BES2600_ENABLE_DEVEL_LOGS        ?= n
 
@@ -65,8 +65,8 @@ BES2600_DRV_VERSION := bes2600_0.3.5_2024.0116
 
 ifeq ($(CONFIG_BES2600_CALIB_FROM_LINUX),y)
 FACTORY_CRC_CHECK                    ?= n
-STANDARD_FACTORY_EFUSE_FLAG          ?= n
-FACTORY_PATH                 ?= bes2600/bes2600_factory.txt
+STANDARD_FACTORY_EFUSE_FLAG          ?= y
+FACTORY_PATH                 ?= /lib/firmware/bes2600_factory.txt
 endif
 
 # basic function

bes2600/bes2600.h

@@ -596,6 +596,11 @@ struct bes2600_vif {
         unsigned long           rx_timestamp;
         u32                     cipherType;
 
+	/* Decrypt-storm fast-recover (Trigger B). See txrx.c. */
+	unsigned long			decrypt_storm_window_start;
+	unsigned int			decrypt_storm_count;
+	unsigned int			decrypt_storm_recoveries;
+	struct work_struct		decrypt_storm_recover_work;
 
 	/* AP powersave */
 	u32			link_id_map;
@@ -856,4 +861,8 @@ int bes2600_btusb_setup_pipes(struct sbus_priv *sbus_priv);
 void bes2600_btusb_uninit(struct usb_interface *interface);
 #endif
 
+/* Decrypt-storm fast-recover helpers — see txrx.c. */
+void bes2600_decrypt_storm_init(struct bes2600_vif *priv);
+void bes2600_decrypt_storm_account(struct bes2600_vif *priv);
+
 #endif /* BES2600_H */

bes2600/bes2600_factory.c

@@ -12,7 +12,6 @@
 #include <linux/module.h>
 #include <linux/sched.h>
 #include <linux/fs.h>
-#include <linux/firmware.h>
 #include <linux/slab.h>
 #include <linux/mutex.h>
 #include <linux/crc32.h>
@@ -31,18 +30,6 @@
 
 static DEFINE_MUTEX(factory_lock);
 
-/*
- * struct device * for request_firmware() context. Set once at SDIO
- * probe via bes2600_factory_set_dev(). NULL is tolerated (falls back
- * to the udev-less firmware-class path) but loses per-device logging.
- */
-static struct device *bes2600_factory_dev;
-
-void bes2600_factory_set_dev(struct device *dev)
-{
-	bes2600_factory_dev = dev;
-}
-
 /*
  * It is only used for temporary storage.
  * Every time get the factory, it will read from the
@@ -150,32 +137,38 @@ static int bes2600_factory_crc_check(struct factory_t *factory_data)
  */
 static int factory_section_read_file(char *path, void *buffer)
 {
-	const struct firmware *fw;
-	int ret;
+	int ret = 0;
+	struct file *fp;
 
 	if (!path || !buffer) {
 		bes_err("%s NULL pointer err\n", __func__);
 		return -1;
 	}
 
-	bes_devel("requesting firmware-class %s\n", path);
+	bes_devel("reading %s \n", path);
 
-	ret = request_firmware(&fw, path, bes2600_factory_dev);
-	if (ret) {
-		bes_devel("BES2600: request_firmware(%s) failed: %d\n", path, ret);
+	fp = filp_open(path, O_RDONLY, 0); //S_IRUSR
+	if (IS_ERR(fp)) {
+		bes_devel("BES2600 : can't open %s\n",path);
 		return -1;
 	}
 
-	if (fw->size == 0 || fw->size > FACTORY_MAX_SIZE) {
-		bes_err("bes2600_factory.txt size check failed, read_size: %zu max_size: %d\n",
-			fw->size, FACTORY_MAX_SIZE);
-		release_firmware(fw);
+	if (fp->f_inode->i_size <= 0 || fp->f_inode->i_size > FACTORY_MAX_SIZE) {
+		bes_err(			"bes2600_factory.txt size check failed, read_size: %lld max_size: %d\n",
+			fp->f_inode->i_size, FACTORY_MAX_SIZE);
+		filp_close(fp, NULL);
 		return -1;
 	}
 
-	memcpy(buffer, fw->data, fw->size);
-	ret = (int)fw->size;
-	release_firmware(fw);
+	ret = kernel_read(fp, buffer, fp->f_inode->i_size, &fp->f_pos);
+
+	filp_close(fp, NULL);
+
+	if (ret != fp->f_inode->i_size) {
+		bes_err("bes2600_factory.txt read fail\n");
+		ret = -1;
+	}
+
 	return ret;
 }
 

bes2600/bes2600_factory.h

@@ -199,9 +199,6 @@ enum factory_cali_status {
 /* just calibrate 11n, other protocols are automatically mapped */
 #define WIFI_RF_11N_MODE 0x15
 
-/* set the struct device * used for request_firmware() context */
-void bes2600_factory_set_dev(struct device *dev);
-
 /* read wifi & bt factory cali value*/
 u8* bes2600_get_factory_cali_data(u8 *file_buffer, u32 *data_len, char *path);
 void factory_little_endian_cvrt(u8 *data);

bes2600/bes2600_sdio.c

@@ -30,7 +30,6 @@
 #include "bes2600.h"
 #include "sbus.h"
 #include "bes2600_plat.h"
-#include "bes2600_factory.h"
 #include "hwio.h"
 #include "bes_chardev.h"
 #include "bes_log.h"
@@ -95,7 +94,6 @@ struct sbus_priv {
 	struct work_struct tx_work;
 	struct scatterlist tx_sg[BES_SDIO_TX_MULTIPLE_NUM + 1];
 	struct scatterlist tx_sg_nosignal[BES_SDIO_TX_MULTIPLE_NUM_NOSIGNAL + 1];
-	u8 *tx_bounce;
 	u32 tx_data_cnt;
 	u32 tx_xfer_cnt;
 	u32 tx_proc_cnt;
@@ -1137,26 +1135,7 @@ static void sdio_tx_work(struct work_struct *work)
 				}
 			}
 
-			/*
-			 * The transfer length is rounded up to the SDIO block
-			 * size, but tx_buffer->buf is only tx_buffer->len bytes
-			 * long (it usually aliases into an skb linear head).
-			 * Copy into a driver-owned bounce buffer and zero-pad
-			 * to the aligned size; otherwise DMA reads past the
-			 * skb and leaks adjacent kernel memory on the wire --
-			 * observed as KFENCE OOB reads from
-			 * bes_sdio_memcpy_to_io_helper via dma_map_sg.
-			 */
-			if (WARN_ON_ONCE(total_len + align > MAX_SDIO_TRANSFER_LEN))
-				goto flush_previous;
-			memcpy(self->tx_bounce + total_len,
-			       tx_buffer->buf, tx_buffer->len);
-			if (align > tx_buffer->len)
-				memset(self->tx_bounce + total_len +
-				       tx_buffer->len, 0,
-				       align - tx_buffer->len);
-			sg_set_buf(&sg[scatters],
-				   self->tx_bounce + total_len, align);
+			sg_set_buf(&sg[scatters], tx_buffer->buf, align);
 			total_len += align;
 			++scatters;
 /*del_node:*/
@@ -1855,9 +1834,6 @@ static int bes2600_sdio_probe(struct sdio_func *func,
 	if (ret)
 		goto err;
 
-	/* wire struct device into factory.c for request_firmware() context */
-	bes2600_factory_set_dev(dev);
-
 	self->pdata = bes2600_get_platform_data();
 	self->func = func;
 	self->dev = &func->dev;
@@ -1877,17 +1853,6 @@ static int bes2600_sdio_probe(struct sdio_func *func,
 	if (!self->single_gathered_buffer)
 		return -ENOMEM;
 #endif
-#ifdef BES_SDIO_TX_MULTIPLE_ENABLE
-	self->tx_bounce = (u8 *)__get_dma_pages(GFP_KERNEL,
-					get_order(MAX_SDIO_TRANSFER_LEN));
-	if (!self->tx_bounce) {
-#ifndef SDIO_HOST_ADMA_SUPPORT
-		free_pages((unsigned long)self->single_gathered_buffer,
-			   get_order(MAX_SDIO_TRANSFER_LEN));
-#endif
-		return -ENOMEM;
-	}
-#endif
 #ifdef BES_SDIO_RXTX_TOGGLE
 	self->fw_started = false;
 #endif
@@ -2016,12 +1981,6 @@ static void bes2600_sdio_remove(struct sdio_func *func)
 		if (self->single_gathered_buffer) {
 			free_pages((unsigned long)self->single_gathered_buffer, get_order(MAX_SDIO_TRANSFER_LEN));
 		}
-#endif
-#ifdef BES_SDIO_TX_MULTIPLE_ENABLE
-		if (self->tx_bounce) {
-			free_pages((unsigned long)self->tx_bounce,
-				   get_order(MAX_SDIO_TRANSFER_LEN));
-		}
 #endif
 		kfree(self);
 	}

bes2600/bes_chardev.c

@@ -43,6 +43,12 @@ enum bus_probe_state {
 };
 
 struct bes_cdev {
+	struct cdev cdev;
+	dev_t dev_id;
+	int major;
+	int minor;
+	struct class *class;
+	struct device *device;
 	atomic_t num_proc;
 	wait_queue_head_t open_wq;
 	spinlock_t status_lock;
@@ -243,18 +249,351 @@ int bes2600_switch_bt(bool on)
 	return ret;
 }
 
+static int bes2600_get_cmd_and_ifname(const char *str, char **result)
+{
+	int cmd_len = 0;
+	int ifname_len = 0;
+	char *sp = NULL;
+	char *tmp_ptr = NULL;
+	char *cmd_ptr = NULL;
+
+	/* check if input arguments is valid */
+	if (!str || strncmp(str, "ifname:", 7) != 0)
+		return -1;
+
+	sp = strchr(str, ' ');
+	if (strncmp(sp + 1, "cmd:", 4) != 0)
+		return -1;
+
+	/* extract interface name */
+	ifname_len = sp - str - 7;
+	tmp_ptr = kmalloc(ifname_len + 1, GFP_KERNEL);
+	if (!tmp_ptr) {
+		return -2;
+	}
+
+	strncpy(tmp_ptr, str+7, ifname_len);
+	tmp_ptr[ifname_len] = '\0';
+	result[0] = tmp_ptr;
+
+	/* get command length */
+	cmd_ptr = strstr(str, "cmd:");
+	cmd_ptr += 4;
+	sp = strchr(cmd_ptr, ' ');
+	if (!sp) {	/* the command don't have any parameter */
+		cmd_len = strlen(cmd_ptr);
+		if (cmd_ptr[cmd_len - 1] == '\n')
+			--cmd_len;
+	} else {	/* the command have one or more parameter */
+		cmd_len = sp - cmd_ptr;
+	}
+
+	/* copy command to out buffer */
+	tmp_ptr = kmalloc( cmd_len + 1, GFP_KERNEL);
+	if (!tmp_ptr) {
+		kfree(result[0]);
+		result[0] = NULL;
+		return -3;
+	}
+
+	strncpy(tmp_ptr, cmd_ptr, cmd_len);
+	tmp_ptr[cmd_len] = '\0';
+	result[1] = tmp_ptr;
+
+	return 0;
+}
+
+static void bes2600_recyle_cmd_and_ifname_mem(char **info)
+{
+	if (info[0]) {
+		kfree(info[0]);
+		info[0] = NULL;
+	}
+
+	if (info[1]) {
+		kfree(info[1]);
+		info[1] = NULL;
+	}
+
+}
+
+static int bes2600_op_default_handler(const char *str)
+{
+	char *info[2] = {0};
+
+	if (bes2600_get_cmd_and_ifname(str, info) == 0) {
+		bes_devel("cmd(%s) on %s not handled\n", info[1], info[0]);
+	} else {
+		bes_err("%s get command fail, the origin string is %s\n", __func__, str);
+	}
+
+	bes2600_recyle_cmd_and_ifname_mem(info);
+
+	return 0;
+}
+
+static int bes2600_op_wifi_bt_on_off(const char *str)
+{
+	char *info[2] = {0};
+	int ret = 0;
+	enum wait_state wait_state;
+	enum bus_probe_state probe_state;
+	unsigned long status = 0;
+
+	spin_lock(&bes2600_cdev.status_lock);
+	probe_state = bes2600_cdev.bus_probe;
+	wait_state = bes2600_cdev.wait_state;
+	spin_unlock(&bes2600_cdev.status_lock);
+
+	/* only work for wifi signal mode */
+	if (bes2600_cdev.fw_type != BES2600_FW_TYPE_WIFI_SIGNAL)
+		return -EFAULT;
+
+	/* wait bus probe operation end */
+	if (probe_state == BES2600_BUS_PROBE_START) {
+		bes_devel("wait bus probe operation end\n");
+		status = wait_event_timeout(bes2600_cdev.probe_done_wq,
+					(bes2600_cdev.bus_probe > BES2600_BUS_PROBE_START),
+					HZ);
+		WARN_ON(status <= 0);
+	}
+
+	/* must wait previous operation end in critical section */
+	if (wait_state != BES2600_BOOT_WAIT_NONE) {
+		bes_devel("wait previous operation end\n");
+		status = wait_event_timeout(bes2600_cdev.probe_done_wq,
+					(bes2600_cdev.wait_state == BES2600_BOOT_WAIT_NONE),
+					HZ * 8);
+		WARN_ON(status <= 0);
+	}
+
+	/* if dpd calibration is doing, modify wifi and bt state directly */
+	spin_lock(&bes2600_cdev.status_lock);
+	if (bes2600_cdev.bus_probe == BES2600_BUS_PROBE_OK && !bes2600_cdev.dpd_calied) {
+		if (bes2600_get_cmd_and_ifname(str, info) == 0) {
+			if (strncmp(info[1], "WIFI_ON", 7) == 0) {
+				bes2600_cdev.wifi_opened = true;
+			} else if (strncmp(info[1], "WIFI_OFF", 8) == 0) {
+				bes2600_cdev.wifi_opened = false;
+			} else if (strncmp(info[1], "BT_ON", 5) == 0) {
+				bes2600_cdev.bt_opened = true;
+				bes2600_cdev.bton_pending = true;
+			} else if (strncmp(info[1], "BT_OFF", 6) == 0) {
+				bes2600_cdev.bt_opened = false;
+				bes2600_cdev.bton_pending = false;
+			}
+		}
+		bes2600_recyle_cmd_and_ifname_mem(info);
+		spin_unlock(&bes2600_cdev.status_lock);
+
+		/* wait probe done event */
+		status = wait_event_timeout(bes2600_cdev.probe_done_wq,
+				bes2600_bootup_end(), HZ * 8);
+		WARN_ON(status <= 0);
+
+		return (status <= 0 || bes2600_chrdev_is_bus_error()) ? -EFAULT : 0;
+	}
+	spin_unlock(&bes2600_cdev.status_lock);
+
+	/* process wifi/bt on/off operation */
+	if (bes2600_get_cmd_and_ifname(str, info) == 0) {
+		if (strncmp(info[1], "WIFI_ON", 7) == 0) {
+			ret = bes2600_switch_wifi(1);
+		} else if (strncmp(info[1], "WIFI_OFF", 8) == 0) {
+			ret = bes2600_switch_wifi(0);
+		} else if (strncmp(info[1], "BT_ON", 5) == 0) {
+			ret = bes2600_switch_bt(1);
+		} else if (strncmp(info[1], "BT_OFF", 6) == 0) {
+			ret = bes2600_switch_bt(0);
+		}
+	}
+
+	if (!ret && bes2600_chrdev_check_system_close())
+		ret = bes2600_chrdev_do_system_close(bes2600_cdev.sbus_ops,
+						bes2600_cdev.sbus_priv);
+
+	bes2600_recyle_cmd_and_ifname_mem(info);
+
+	return ret ;
+}
 
 
+static int bes2600_op_change_fw_type(const char *str)
+{
+	int ret = 0;
+	int temp = 0;
+	long status = 0;
+	char *cmd_ptr = NULL;
+	char fw_type[5] = {0};
+	bool sys_closed = bes2600_chrdev_check_system_close();
+
+	bes_devel("%s is called, arg:%s\n", __func__, str);
+
+	if (!bes2600_cdev.sbus_ops->power_switch && !bes2600_cdev.sbus_ops->reboot)
+		return -EPERM;
+
+	/* check if user input is valid */
+	cmd_ptr = strstr(str, "CHANGE_FW_TYPE ");
+	if (strlen(str) < 16 || !cmd_ptr) {
+		bes_err("the format of \"%s\" is error\n", str);
+		return -EINVAL;
+	}
+
+	/* convert fw_type from string to int */
+	strncpy(fw_type, cmd_ptr + 14, 4);
+	fw_type[0] = '+';
+	ret = kstrtoint(fw_type, 10, &temp);
+	if (ret < 0) {
+		bes_err("%s parse error\n", __func__);
+		return -EINVAL;
+	}
+
+	/* no need to realod firmware if new fw_type is equal to the old */
+	if (temp == bes2600_cdev.fw_type ) {
+		bes_devel("fw type is equal\n");
+		return 0;
+	}
+
+	/* close wifi net device */
+	if (bes2600_cdev.sbus_priv
+	    && bes2600_is_net_dev_created(bes2600_cdev.sbus_priv)) {
+		bes2600_unregister_net_dev(bes2600_cdev.sbus_priv);
+	}
+
+	/* update firmware type */
+	bes2600_cdev.fw_type = temp;
+	bes2600_chrdev_update_signal_mode();
+
+	if (!sys_closed) {
+		/* close device to call disconnect function */
+		if (bes2600_cdev.sbus_ops->power_switch)
+			bes2600_cdev.sbus_ops->power_switch(bes2600_cdev.sbus_priv, 0);
+		else if (bes2600_cdev.sbus_ops->reboot)
+			bes2600_cdev.sbus_ops->reboot(bes2600_cdev.sbus_priv);
+	}
+
+	if (bes2600_cdev.sbus_ops->reboot)
+		bes2600_chrdev_start_bus_probe();
+
+	/* wait disconnect event */
+	status = wait_event_timeout(bes2600_cdev.probe_done_wq, (bes2600_cdev.sbus_priv == NULL), HZ * 10);
+	WARN_ON(status <= 0);
+
+	if (bes2600_cdev.dpd_calied
+	   && bes2600_chrdev_check_system_close()) {
+		bes_devel("no need to reload firmware\n");
+		return 0;
+	}
+
+	bes_devel("reload firmware...\n");
+	/* power on device to call probe function */
+	if (bes2600_cdev.sbus_ops->power_switch)
+		bes2600_cdev.sbus_ops->power_switch(NULL, 1);
+
+	/* wait probe done event */
+	status = wait_event_timeout(bes2600_cdev.probe_done_wq,
+			bes2600_bootup_end(), HZ * 10);
+	WARN_ON(status <= 0);
+
+	ret = (status <= 0 || bes2600_chrdev_is_bus_error()) ? -1 : 0;
 
 
+	return ret;
+}
 
+static int bes2600_op_bt_wakeup(const char *str)
+{
+	int ret = 0;
+	unsigned long status = 0;
 
+	spin_lock(&bes2600_cdev.status_lock);
+	if (!bes2600_cdev.bt_opened) {
+		spin_unlock(&bes2600_cdev.status_lock);
+		return -EFAULT;
+	}
+	spin_unlock(&bes2600_cdev.status_lock);
 
+	/* wait probe done event */
+	status = wait_event_timeout(bes2600_cdev.probe_done_wq,
+			bes2600_bootup_end(), HZ * 8);
+	if (status <= 0 || bes2600_chrdev_is_bus_error())
+		return -EFAULT;
 
+	bes_devel("bes2600 wakeup bt.\n");
+	ret = bes2600_chrdev_switch_subsys(GPIO_WAKE_FLAG_BT_LP_ON, SUBSYSTEM_BT_LP, true);
+
+	return ret;
+}
+
+static int bes2600_op_bt_sleep(const char *str)
+{
+	int ret = 0;
+	unsigned long status = 0;
+
+	spin_lock(&bes2600_cdev.status_lock);
+	if (!bes2600_cdev.bt_opened) {
+		spin_unlock(&bes2600_cdev.status_lock);
+		return -EFAULT;
+	}
+	spin_unlock(&bes2600_cdev.status_lock);
+
+	/* wait probe done event */
+	status = wait_event_timeout(bes2600_cdev.probe_done_wq,
+			bes2600_bootup_end(), HZ * 8);
+	if (status <= 0 || bes2600_chrdev_is_bus_error())
+		return -EFAULT;
+
+	bes_devel("bes2600 allow bt sleep.\n");
+	ret = bes2600_chrdev_switch_subsys(GPIO_WAKE_FLAG_BT_LP_OFF, SUBSYSTEM_BT_LP, false);
+
+	return ret;
+}
+
+static int bes2600_op_set_wakeup_read_flag(const char *str)
+{
+	bes_devel("%s is called, arg:%s\n", __func__, str);
+	spin_lock(&bes2600_cdev.status_lock);
+	bes2600_cdev.read_flag = BES_CDEV_READ_WAKEUP_STATE;
+	spin_unlock(&bes2600_cdev.status_lock);
+
+	return 0;
+}
 
 #ifdef FW_DOWNLOAD_UART_DAEMON
+int bes2600_load_uevent(char *env[])
+{
+	return kobject_uevent_env(&bes2600_cdev.device->kobj, KOBJ_CHANGE, env);
+}
 #endif
 
+static struct bes2600_op_map bes2600_op_map_tab[] ={
+	/*op			op_len	handler				*/
+	{"P2P_SET_NOA", 	11,	bes2600_op_default_handler},
+	{"P2P_SET_PS", 		10,	bes2600_op_default_handler},
+	{"SET_AP_WPS_P2P_IE",	17, 	bes2600_op_default_handler},
+	{"LINKSPEED", 		9,	bes2600_op_default_handler},
+	{"RSSI",		4,	bes2600_op_default_handler},
+	{"GETBAND", 		7,	bes2600_op_default_handler},
+	{"WLS_BATCHING", 	12,	bes2600_op_default_handler},
+	{"MACADDR",		7,	bes2600_op_default_handler},
+	{"RXFILTER-START",	14,	bes2600_op_default_handler},
+	{"RXFILTER-STOP",	13,	bes2600_op_default_handler},
+	{"RXFILTER-ADD",	12,	bes2600_op_default_handler},
+	{"RXFILTER-REMOVE",	15,	bes2600_op_default_handler},
+	{"BTCOEXMODE",		10,	bes2600_op_default_handler},
+	{"BTCOEXSCAN-START",	16,	bes2600_op_default_handler},
+	{"BTCOEXSCAN-STOP",	15,	bes2600_op_default_handler},
+	{"SETSUSPENDMODE",	14,	bes2600_op_default_handler},
+	{"COUNTRY",		7,	bes2600_op_default_handler},
+	{"WIFI_ON", 		7,	bes2600_op_wifi_bt_on_off},
+	{"WIFI_OFF", 		8,	bes2600_op_wifi_bt_on_off},
+	{"BT_ON", 		5,	bes2600_op_wifi_bt_on_off},
+	{"BT_OFF", 		6,	bes2600_op_wifi_bt_on_off},
+	{"CHANGE_FW_TYPE",	14,	bes2600_op_change_fw_type},
+	{"BT_WAKEUP",		9,	bes2600_op_bt_wakeup},
+	{"BT_SLEEP",		8,	bes2600_op_bt_sleep},
+	{"WAKEUP_STATE",	12,	bes2600_op_set_wakeup_read_flag},
+};
 
 static int bes2600_chrdev_check_system_close_internal(void)
 {
@@ -264,10 +603,123 @@ static int bes2600_chrdev_check_system_close_internal(void)
 		&& (bes2600_cdev.wifi_opened == false);
 }
 
+static int bes2600_chrdev_open(struct inode *inode, struct file *filp)
+{
+	if (atomic_read(&bes2600_cdev.num_proc) > 0) {
+		wait_event_timeout(bes2600_cdev.open_wq,
+			(atomic_read(&bes2600_cdev.num_proc) == 0),
+			MAX_SCHEDULE_TIMEOUT);
+	}
 
+	bes_devel("bes2600 char device is opened\n");
+	atomic_inc(&bes2600_cdev.num_proc);
 
+        return 0;
+}
 
+static ssize_t bes2600_chrdev_read(struct file *file, char __user *user_buf,
+			     size_t count, loff_t *ppos)
+{
+	char buf[64] = {0};
+	unsigned int len;
+	long status = 0;
 
+	switch (bes2600_cdev.read_flag) {
+	case BES_CDEV_READ_WAKEUP_STATE:
+		if (bes2600_chrdev_wakeup_by_event_get() > WAKEUP_EVENT_NONE) {
+			status = wait_event_timeout(bes2600_cdev.wakeup_reason_wq,
+				bes2600_chrdev_wakeup_by_event_get() ==  WAKEUP_EVENT_NONE, HZ * 2);
+			WARN_ON(status <= 0);
+		}
+		len = sprintf(buf, "wakeup_reason: %u, src_port: %u\n",
+		              bes2600_cdev.wakeup_state, bes2600_cdev.src_port);
+		break;
+	default:
+		len = sprintf(buf, "dpd_calied:%d wifi_opened:%d bt_opened:%d fw_type:%d\n",
+				bes2600_cdev.dpd_calied,
+				bes2600_cdev.wifi_opened,
+				bes2600_cdev.bt_opened,
+				bes2600_cdev.fw_type);
+		break;
+	}
+
+	len = sizeof(buf);
+	/* reset read flag */
+	spin_lock(&bes2600_cdev.status_lock);
+	bes2600_cdev.read_flag = BES_CDEV_READ_NUM_MAX;
+	spin_unlock(&bes2600_cdev.status_lock);
+
+	return simple_read_from_buffer(user_buf, count, ppos, buf, len);
+}
+
+static ssize_t bes2600_chrdev_write(struct file *file,
+		 const char __user *user_buf, size_t count, loff_t *ppos)
+{
+	int i = 0;
+	int cmd_num = ARRAY_SIZE(bes2600_op_map_tab);
+	int cmd_len = 0;
+	int ret = 0;
+	char *info[2] = {0};
+	char *buf = NULL;
+
+	/* copy content from user space to kernel */
+	/* message format:"ifname:wlanx cmd:xxx arg1 arg2 ..." */
+	buf = kmalloc(count + 1, GFP_KERNEL);
+	if (copy_from_user(buf, user_buf, count))
+		return -EFAULT;
+
+	/* add terminal character */
+	buf[count] = '\0';
+
+	/* extract comand and interface */
+	if (bes2600_get_cmd_and_ifname(buf, info) != 0) {
+		bes_err("%s get command fail, the origin string is %s\n", __func__, buf);
+		kfree(buf);
+		return -EINVAL;
+	}
+
+	/* match operation item and execure its handler */
+	cmd_len = strlen(info[1]);
+	for (i = 0; i < cmd_num; i++) {
+		if (cmd_len < bes2600_op_map_tab[i].op_len)
+			continue;
+
+		if (strncasecmp(info[1], bes2600_op_map_tab[i].op, bes2600_op_map_tab[i].op_len) == 0) {
+			ret = bes2600_op_map_tab[i].handler(buf);
+			break;
+		}
+	}
+
+	/* operation item mismatch */
+	if (i == cmd_num) {
+		bes_err("cmd(%s) mismatch\n", info[1]);
+	}
+
+	bes2600_recyle_cmd_and_ifname_mem(info);
+	kfree(buf);
+
+	return (ret == 0) ? count : ret;
+}
+
+static int bes2600_chrdev_release (struct inode *inode, struct file *file)
+{
+	if (atomic_dec_and_test(&bes2600_cdev.num_proc)) {
+		wake_up(&bes2600_cdev.open_wq);
+	}
+
+	bes_devel("bes2600 char device is closed\n");
+
+	return 0;
+}
+
+static struct file_operations bes2600_chardev_fops =
+{
+	.owner = THIS_MODULE,
+	.open = bes2600_chrdev_open,
+	.read = bes2600_chrdev_read,
+	.write = bes2600_chrdev_write,
+	.release = bes2600_chrdev_release,
+};
 
 #ifdef BES2600_WRITE_DPD_TO_FILE
 static int bes2600_chrdev_write_dpd_data_to_file(const char *path, void *buffer, int size)
@@ -672,6 +1124,12 @@ void bes2600_chrdev_update_signal_mode(void)
 
 static void bes2600_chrdev_wifi_force_close_work(struct work_struct *work)
 {
+	char wifi_state[15];
+	char bt_state[15];
+	char fw_type[15];
+	char *env[] = { wifi_state, bt_state, fw_type, NULL };
+	int ret;
+
 	if (bes2600_chrdev_is_wifi_opened()) {
 		bes_devel("system exeception, force wifi down\n");
 
@@ -688,6 +1146,14 @@ static void bes2600_chrdev_wifi_force_close_work(struct work_struct *work)
 			bes2600_chrdev_do_system_close(bes2600_cdev.sbus_ops,
 						bes2600_cdev.sbus_priv);
 		}
+
+		/* notify userspace */
+		snprintf(wifi_state, sizeof(wifi_state), "WIFI_OPENED=%d", bes2600_cdev.wifi_opened);
+		snprintf(bt_state, sizeof(bt_state), "BT_OPENED=%d", bes2600_cdev.bt_opened);
+		snprintf(fw_type, sizeof(fw_type), "FW_TYPE=%d", bes2600_cdev.fw_type);
+		ret = kobject_uevent_env(&bes2600_cdev.device->kobj, KOBJ_CHANGE, env);
+		if (!ret)
+			bes_err("bes2600 notify userspace failed\n");
 	}
 }
 
@@ -781,6 +1247,46 @@ int bes2600_chrdev_wakeup_by_event_get(void)
 
 int bes2600_chrdev_init(struct sbus_ops *ops)
 {
+	int ret = 0;
+
+	/* allocate devide id */
+	ret = alloc_chrdev_region(&bes2600_cdev.dev_id, 0, 1, "bes2600_chrdev");
+	if (ret < 0){
+		bes_err("bes2600 alloc device id fail\n");
+		ret =  -EFAULT;
+		goto fail;
+	}
+
+	/* extract major and minor device id */
+	bes2600_cdev.major = MAJOR(bes2600_cdev.dev_id);
+	bes2600_cdev.minor = MINOR(bes2600_cdev.dev_id);
+
+	/* add char device and bind operation function */
+	bes2600_cdev.cdev.owner = THIS_MODULE;
+	cdev_init(&bes2600_cdev.cdev, &bes2600_chardev_fops);
+	ret = cdev_add(&bes2600_cdev.cdev, bes2600_cdev.dev_id, 1);
+	if (ret < 0){
+		bes_err("bes2600 char device add fail\n");
+		ret =  -EFAULT;
+		goto fail1;
+	}
+
+	/* create class for creating device node */
+	bes2600_cdev.class = class_create("bes2600_chrdev");
+	if (IS_ERR(bes2600_cdev.class)){
+		bes_err("bes2600 char device add fail\n");
+		ret = -EFAULT;
+		goto fail2;
+	}
+
+	/* get char device pointer */
+	bes2600_cdev.device = device_create(bes2600_cdev.class, NULL, bes2600_cdev.dev_id, NULL, "bes2600");
+	if (IS_ERR(bes2600_cdev.device)){
+		bes_err("bes2600 char device create fail\n");
+		ret =  -EFAULT;
+		goto fail3;
+	}
+
 	/* initialise global variable */
 	atomic_set(&bes2600_cdev.num_proc, 0);
 	init_waitqueue_head(&bes2600_cdev.open_wq);
@@ -812,6 +1318,15 @@ int bes2600_chrdev_init(struct sbus_ops *ops)
 	bes_devel("%s done\n", __func__);
 
 	return 0;
+
+fail3:
+	class_destroy(bes2600_cdev.class);
+fail2:
+	cdev_del(&bes2600_cdev.cdev);
+fail1:
+	unregister_chrdev_region(bes2600_cdev.dev_id, 1);
+fail:
+	return ret;
 }
 
 void bes2600_chrdev_free(void)
@@ -821,5 +1336,9 @@ void bes2600_chrdev_free(void)
 	bes2600_free_dpd_log_buffer();
 #endif
 	bes2600_chrdev_free_dpd_data();
+	cdev_del(&bes2600_cdev.cdev);
+	unregister_chrdev_region(bes2600_cdev.dev_id, 1);
+	device_destroy(bes2600_cdev.class, bes2600_cdev.dev_id);
+	class_destroy(bes2600_cdev.class);
 	bes_devel("%s done\n", __func__);
 }

bes2600/bes_log.h

@@ -8,26 +8,3 @@ extern struct device *global_dev;
 #define bes_info(fmt, ...) dev_info(global_dev, fmt, ##__VA_ARGS__)
 #define bes_warn(fmt, ...) dev_warn(global_dev, fmt, ##__VA_ARGS__)
 #define bes_err(fmt, ...) dev_err(global_dev, fmt, ##__VA_ARGS__)
-
-/*
- * Legacy debug-subsystem-tagged log macros. The per-subsystem filtering
- * was never implemented in-tree; these shims let code paths gated by
- * CONFIG_BES2600_TESTMODE / CONFIG_BES2600_ITP / BES2600_DETECTION_LOGIC
- * build when their conditions are enabled. The first argument is
- * currently unused; pick one of the BES2600_DBG_* constants below for
- * documentation.
- */
-#define BES2600_DBG_SBUS       0
-#define BES2600_DBG_DOWNLOAD   0
-#define BES2600_DBG_ITP        0
-#define BES2600_DBG_TEST_MODE  0
-
-#define bes2600_info(_dbg, fmt, ...) bes_info(fmt, ##__VA_ARGS__)
-#define bes2600_err(_dbg, fmt, ...) bes_err(fmt, ##__VA_ARGS__)
-#define bes2600_warn(_dbg, fmt, ...) bes_warn(fmt, ##__VA_ARGS__)
-#define bes2600_dbg(_dbg, fmt, ...) bes_devel(fmt, ##__VA_ARGS__)
-#define bes2600_err_with_cond(_cond, _dbg, fmt, ...)		\
-	do {							\
-		if (_cond)					\
-			bes_err(fmt, ##__VA_ARGS__);		\
-	} while (0)

bes2600/bes_pwr.c

@@ -472,7 +472,6 @@ static int bes2600_pwr_enter_lp_mode(struct bes2600_common *hw_priv)
 	int i = 0;
 	struct bes2600_vif *priv;
 	int ret = 0;
-	int timeouts = 0;
 	char ip_str[20];
 	unsigned long status = 0;
 
@@ -529,35 +528,22 @@ static int bes2600_pwr_enter_lp_mode(struct bes2600_common *hw_priv)
 				if (ret) {
 					atomic_set(&hw_priv->bes_power.pm_set_in_process, 0);
 					bes_err("%s, set operation mode fail\n", __func__);
-					timeouts++;
-					continue;
 				}
 
 				/* wait power save mode changed indication */
 				status = wait_for_completion_timeout(&hw_priv->bes_power.pm_enter_cmpl, 5 * HZ);
 				atomic_set(&hw_priv->bes_power.pm_set_in_process, 0);
 				reinit_completion(&hw_priv->bes_power.pm_enter_cmpl);
-				if (!status) {
-					bes_devel("%s, wait pm ind timeout\n", __func__);
-					timeouts++;
-				}
+				if (!status)
+					bes_err("%s, wait pm ind timeout\n", __func__);
 			} else {
 				bes_devel("skip enter lp mode\n");
 			}
 		}
 	}
 
-	/*
-	 * Enter the device-end of the LP transition only if every per-VIF
-	 * mac80211 handshake reached firmware-ACKed completion. Doing the
-	 * device-LP setup while any VIF is still pending leaves the driver
-	 * in an inconsistent state that cascades into SDIO TX errors on
-	 * the BES2600.
-	 */
-	if (timeouts == 0)
-		bes2600_pwr_device_enter_lp_mode(hw_priv);
-	else
-		ret = -ETIMEDOUT;
+	/* set device low power configuration */
+	bes2600_pwr_device_enter_lp_mode(hw_priv);
 
 	return ret;
 }

bes2600/debug.c

@@ -542,6 +542,8 @@ static int bes2600_status_show_priv(struct seq_file *seq, void *v)
 		priv->listening ? " (listening)" : "");
 	seq_printf(seq, "Assoc:      %s\n",
 		bes2600_debug_join_status[priv->join_status]);
+	seq_printf(seq, "DecryptStormRecoveries: %u\n",
+		   priv->decrypt_storm_recoveries);
 	if (priv->rx_filter.promiscuous)
 		seq_puts(seq,   "Filter:     promisc\n");
 	else if (priv->rx_filter.fcs)

bes2600/sta.c

@@ -448,6 +448,7 @@ void bes2600_remove_interface(struct ieee80211_hw *dev,
 	cancel_delayed_work_sync(&priv->join_timeout);
 	cancel_delayed_work_sync(&priv->set_cts_work);
 	cancel_delayed_work_sync(&priv->pending_offchanneltx_work);
+	cancel_work_sync(&priv->decrypt_storm_recover_work);
 
 	del_timer_sync(&priv->mcast_timeout);
 	/* TODO:COMBO: May be reset of these variables "delayed_link_loss and
@@ -2619,6 +2620,7 @@ int bes2600_vif_setup(struct bes2600_vif *priv)
 
 	/* Setup per vif workitems and locks */
 	spin_lock_init(&priv->vif_lock);
+	bes2600_decrypt_storm_init(priv);
 	INIT_WORK(&priv->join_work, bes2600_join_work);
 	INIT_DELAYED_WORK(&priv->join_timeout, bes2600_join_timeout);
 	INIT_WORK(&priv->unjoin_work, bes2600_unjoin_work);
@@ -3633,7 +3635,7 @@ static int bes2600_set_power_save(struct ieee80211_hw *hw,
  *
  * Returns: 0 on success or non zero value on failure
  */
-static int bes2600_start_stop_tsm(struct ieee80211_hw *hw, void *data)
+int bes2600_start_stop_tsm(struct ieee80211_hw *hw, void *data)
 {
 	struct bes_msg_start_stop_tsm *start_stop_tsm =
 		(struct bes_msg_start_stop_tsm *) data;
@@ -3663,7 +3665,7 @@ static int bes2600_start_stop_tsm(struct ieee80211_hw *hw, void *data)
  *
  * Returns: TSM parameters collected
  */
-static int bes2600_get_tsm_params(struct ieee80211_hw *hw)
+int bes2600_get_tsm_params(struct ieee80211_hw *hw)
 {
 	struct bes2600_common *hw_priv = hw->priv;
 	struct bes_tsm_stats tsm_stats;
@@ -3703,7 +3705,7 @@ static int bes2600_get_tsm_params(struct ieee80211_hw *hw)
  *
  * Returns: Returns the last measured roam delay
  */
-static int bes2600_get_roam_delay(struct ieee80211_hw *hw)
+int bes2600_get_roam_delay(struct ieee80211_hw *hw)
 {
 	struct bes2600_common *hw_priv = hw->priv;
 	u16 roam_delay = hw_priv->tsm_info.roam_delay / 1000;

bes2600/txrx.c

@@ -25,6 +25,78 @@
 
 #define BES2600_INVALID_RATE_ID (0xFF)
 
+/*
+ * Decrypt-storm fast-recover (Trigger B).
+ *
+ * When the BES2600 firmware reports WSM_STATUS_DECRYPTFAILURE for a
+ * burst of received frames (typically because the host's PTK or GTK
+ * has fallen out of sync with the AP), the AP eventually concludes that
+ * the STA is not authenticated and emits an unprotected deauth-reason-6
+ * ("Class 2 frame received from non-authenticated station"). On the
+ * deployed pinetab2 + bes2600 stack this AP-initiated deauth has been
+ * observed to leave the link blackholed for up to 109 s before
+ * userspace finds a different SSID/channel to recover on. (Receipts at
+ * https://git.reauktion.de/marfrit/besser, notes/phase5-2026-05-06.md.)
+ *
+ * Recovery here pre-empts the AP: when we see THRESHOLD decrypt
+ * failures within WINDOW, we ask mac80211 for a clean reassoc via
+ * ieee80211_connection_loss(), which causes immediate disassociation
+ * and lets userspace auto-reconnect with fresh keys.
+ *
+ * mac80211 contract: ieee80211_connection_loss() may be called
+ * regardless of IEEE80211_HW_CONNECTION_MONITOR; it causes immediate
+ * disassociation without driver-side recovery attempts. See
+ * include/net/mac80211.h for the canonical doc-comment.
+ *
+ * The threshold is set well above the steady-state per-vif
+ * decrypt-fail rate observed in measurement (~1/min even under
+ * sustained 1 MB/s load), so a true storm is required to trip it.
+ */
+#define BES2600_DECRYPT_STORM_THRESHOLD	5
+#define BES2600_DECRYPT_STORM_WINDOW_MS	5000
+
+static void bes2600_decrypt_storm_recover_work(struct work_struct *work)
+{
+	struct bes2600_vif *priv = container_of(work, struct bes2600_vif,
+						decrypt_storm_recover_work);
+
+	if (!priv->vif)
+		return;
+
+	bes_warn("[bes2600] decrypt-storm fast-recover: forcing reassoc\n");
+	ieee80211_connection_loss(priv->vif);
+	priv->decrypt_storm_recoveries++;
+}
+
+void bes2600_decrypt_storm_init(struct bes2600_vif *priv)
+{
+	INIT_WORK(&priv->decrypt_storm_recover_work,
+		  bes2600_decrypt_storm_recover_work);
+	priv->decrypt_storm_window_start = 0;
+	priv->decrypt_storm_count = 0;
+	priv->decrypt_storm_recoveries = 0;
+}
+
+void bes2600_decrypt_storm_account(struct bes2600_vif *priv)
+{
+	unsigned long now = jiffies;
+	unsigned long window = msecs_to_jiffies(BES2600_DECRYPT_STORM_WINDOW_MS);
+
+	if (priv->decrypt_storm_window_start == 0 ||
+	    time_after(now, priv->decrypt_storm_window_start + window)) {
+		priv->decrypt_storm_window_start = now;
+		priv->decrypt_storm_count = 1;
+		return;
+	}
+
+	if (++priv->decrypt_storm_count >= BES2600_DECRYPT_STORM_THRESHOLD) {
+		priv->decrypt_storm_count = 0;
+		/* Skew the window so we don't re-fire on the same storm. */
+		priv->decrypt_storm_window_start = now + window;
+		schedule_work(&priv->decrypt_storm_recover_work);
+	}
+}
+
 #ifdef CONFIG_BES2600_TESTMODE
 #include "bes_nl80211_testmode_msg.h"
 #endif /* CONFIG_BES2600_TESTMODE */
@@ -1672,6 +1744,8 @@ void bes2600_rx_cb(struct bes2600_vif *priv,
 			goto drop;
 		} else {
 			bes_warn("[RX] Receive failure: %d.\n", arg->status);
+			if (arg->status == WSM_STATUS_DECRYPTFAILURE)
+				bes2600_decrypt_storm_account(priv);
 			goto drop;
 		}
 	}

bes2600/wsm.h

@@ -2236,5 +2236,7 @@ int wsm_cpu_usage_cmd(struct bes2600_common *hw_priv);
 
 int wsm_wifi_status_cmd(struct bes2600_common *hw_priv, uint32_t status);
 
+#if defined(STANDARD_FACTORY_EFUSE_FLAG)
 int wsm_save_factory_txt_to_mcu(struct bes2600_common *hw_priv, const u8 *data, int if_id, enum bes2600_rf_cmd_type cmd_type);
+#endif
 #endif /* BES2600_HWIO_H_INCLUDED */