bes2600: take pending_record_lock with _bh() to fix SOFTIRQ-safe → -unsafe inversion (besser#18)

PROVE_LOCKING reports:

  WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
  kworker/u16:1 is trying to acquire:
    &hw_priv->tx_loop.pending_record_lock at bes2600_queue_clear+0x80
  and this task is already holding:
    &queue->lock at bes2600_queue_clear+0x60

  which would create a new lock dependency:
    (&queue->lock){+.-.}   -> (&hw_priv->tx_loop.pending_record_lock){+.+.}

  but this new dependency connects a SOFTIRQ-irq-safe lock:
    (&queue->lock){+.-.}
  ... which became SOFTIRQ-irq-safe at:
    bes2600_tx -> ieee80211_handle_wake_tx_queue -> tasklet_action
  to a SOFTIRQ-irq-unsafe lock:
    (&hw_priv->tx_loop.pending_record_lock){+.+.}
  ... which became SOFTIRQ-irq-unsafe at:
    bes2600_queue_get_skb -> bes2600_join_work -> process_one_work

queue->lock is taken consistently with spin_lock_bh() at 22 sites;
the nested acquisition of pending_record_lock at queue.c:289 (inside
the outer queue->lock_bh held at line 285) had it implicitly BH-safe
via the outer scope. But pending_record_lock is ALSO taken from
non-BH-disabled contexts:

  bes2600_queue_get_skb  (queue.c:832)  — process context via
    bes2600_join_work (workqueue), no outer queue->lock held
  bes2600_tx_loop_item_pending_check (tx_loop.c:112)
                                     — TX-loop context, no outer
                                     queue->lock held

When CPU0 holds pending_record_lock from one of those non-BH paths
and a softirq fires that wants queue->lock, and CPU1 in softirq has
queue->lock and is about to acquire pending_record_lock — classic AB-BA
SOFTIRQ deadlock.

The fix is the conservative one: take pending_record_lock with _bh()
at every site that's not already inside a queue->lock_bh-held scope.
That makes the lock consistently SOFTIRQ-safe, eliminating the
inversion. queue.c:289/295 stays as plain spin_lock because BH is
already disabled by the outer queue->lock_bh acquired at queue.c:285.

Five sites converted:
  bes2600/queue.c:832 -- spin_lock      -> spin_lock_bh
  bes2600/queue.c:839 -- spin_unlock    -> spin_unlock_bh
  bes2600/queue.c:844 -- spin_unlock    -> spin_unlock_bh
  bes2600/tx_loop.c:112 -- spin_lock    -> spin_lock_bh
  bes2600/tx_loop.c:114 -- spin_unlock  -> spin_unlock_bh

Contract:
  - Documentation/locking/locktypes.rst spelling: spin_lock_bh() is
    the canonical way to make a non-IRQ spinlock safe against
    softirq preemption that might re-enter the same lock.
  - Same shape as queue->lock in this driver and as is_drv->lock
    in the cw1200 ancestor.

Closes: besser#18
Fixes: <bes2600 base import>
Signed-off-by: Markus Fritsche <fritsche.markus@gmail.com>

bes2600/bh.c

@@ -316,83 +316,6 @@ int wsm_release_buffer_to_fw(struct bes2600_vif *priv, int count)
 }
 #endif
 
-#if 0
-static struct sk_buff *bes2600_get_skb(struct bes2600_common *hw_priv, size_t len)
-{
-	struct sk_buff *skb;
-	size_t alloc_len = (len > SDIO_BLOCK_SIZE) ? len : SDIO_BLOCK_SIZE;
-
-	if (len > SDIO_BLOCK_SIZE || !hw_priv->skb_cache) {
-		skb = dev_alloc_skb(alloc_len
-				+ WSM_TX_EXTRA_HEADROOM
-				+ 8  /* TKIP IV */
-				+ 12 /* TKIP ICV + MIC */
-				- 2  /* Piggyback */);
-		/* In AP mode RXed SKB can be looped back as a broadcast.
-		 * Here we reserve enough space for headers. */
-		skb_reserve(skb, WSM_TX_EXTRA_HEADROOM
-				+ 8 /* TKIP IV */
-				- WSM_RX_EXTRA_HEADROOM);
-	} else {
-		skb = hw_priv->skb_cache;
-		hw_priv->skb_cache = NULL;
-	}
-	return skb;
-}
-
-static void bes2600_put_skb(struct bes2600_common *hw_priv, struct sk_buff *skb)
-{
-	if (hw_priv->skb_cache)
-		dev_kfree_skb(skb);
-	else
-		hw_priv->skb_cache = skb;
-}
-
-static int bes2600_bh_read_ctrl_reg(struct bes2600_common *hw_priv,
-					  u16 *ctrl_reg)
-{
-	int ret;
-
-	ret = bes2600_reg_read_16(hw_priv,
-			ST90TDS_CONTROL_REG_ID, ctrl_reg);
-	if (ret) {
-		ret = bes2600_reg_read_16(hw_priv,
-				ST90TDS_CONTROL_REG_ID, ctrl_reg);
-		if (ret)
-			bes_err("[BH] Failed to read control register.\n");
-	}
-
-	return ret;
-}
-
-static int bes2600_device_wakeup(struct bes2600_common *hw_priv)
-{
-	u16 ctrl_reg;
-	int ret;
-
-	bes_devel("[BH] Device wakeup.\n");
-
-	/* To force the device to be always-on, the host sets WLAN_UP to 1 */
-	ret = bes2600_reg_write_16(hw_priv, ST90TDS_CONTROL_REG_ID,
-			ST90TDS_CONT_WUP_BIT);
-	if (WARN_ON(ret))
-		return ret;
-
-	ret = bes2600_bh_read_ctrl_reg(hw_priv, &ctrl_reg);
-	if (WARN_ON(ret))
-		return ret;
-
-	/* If the device returns WLAN_RDY as 1, the device is active and will
-	 * remain active. */
-	if (ctrl_reg & ST90TDS_CONT_RDY_BIT) {
-		bes_devel("[BH] Device awake.\n");
-		return 1;
-	}
-
-	return 0;
-}
-
-#endif
 
 /* Must be called from BH thraed. */
 void bes2600_enable_powersave(struct bes2600_vif *priv,
@@ -402,475 +325,6 @@ void bes2600_enable_powersave(struct bes2600_vif *priv,
 	priv->powersave_enabled = enable;
 }
 
-#if 0
-#define INTERRUPT_WORKAROUND
-static int bes2600_bh(void *arg)
-{
-	struct bes2600_common *hw_priv = arg;
-	struct bes2600_vif *priv = NULL;
-	struct sk_buff *skb_rx = NULL;
-	size_t read_len = 0;
-	int rx, tx, term, suspend;
-	struct wsm_hdr *wsm;
-	size_t wsm_len;
-	int wsm_id;
-	u8 wsm_seq;
-	int rx_resync = 1;
-	u16 ctrl_reg = 0;
-	int tx_allowed;
-	int pending_tx = 0;
-	int tx_burst;
-	int rx_burst = 0;
-	long status;
-#if defined(CONFIG_BES2600_WSM_DUMPS)
-	size_t wsm_dump_max = -1;
-#endif
-	u32 dummy;
-	bool powersave_enabled;
-	int i;
-	int vif_selected;
-
-	for (;;) {
-		powersave_enabled = 1;
-		spin_lock(&hw_priv->vif_list_lock);
-		bes2600_for_each_vif(hw_priv, priv, i) {
-#ifdef P2P_MULTIVIF
-			if ((i = (CW12XX_MAX_VIFS - 1)) || !priv)
-#else
-			if (!priv)
-#endif
-				continue;
-			powersave_enabled &= !!priv->powersave_enabled;
-		}
-		spin_unlock(&hw_priv->vif_list_lock);
-		if (!hw_priv->hw_bufs_used
-				&& powersave_enabled
-				&& !hw_priv->device_can_sleep
-				&& !atomic_read(&hw_priv->recent_scan)) {
-			status = HZ/8;
-			bes_devel("[BH] No Device wakedown.\n");
-#ifndef FPGA_SETUP
-			WARN_ON(bes2600_reg_write_16(hw_priv,
-						ST90TDS_CONTROL_REG_ID, 0));
-			hw_priv->device_can_sleep = true;
-#endif
-		} else if (hw_priv->hw_bufs_used)
-			/* Interrupt loss detection */
-			status = HZ/8;
-		else
-			status = HZ/8;
-
-		/* Dummy Read for SDIO retry mechanism*/
-		if (((atomic_read(&hw_priv->bh_rx) == 0) &&
-				(atomic_read(&hw_priv->bh_tx) == 0)))
-			bes2600_reg_read(hw_priv, ST90TDS_CONFIG_REG_ID,
-					&dummy, sizeof(dummy));
-#if defined(CONFIG_BES2600_WSM_DUMPS_SHORT)
-		wsm_dump_max = hw_priv->wsm_dump_max_size;
-#endif /* CONFIG_BES2600_WSM_DUMPS_SHORT */
-
-#ifdef INTERRUPT_WORKAROUND
-				/* If a packet has already been txed to the device then read the
-				   control register for a probable interrupt miss before going
-				   further to wait for interrupt; if the read length is non-zero
-				   then it means there is some data to be received */
-				if (hw_priv->hw_bufs_used) {
-					bes2600_bh_read_ctrl_reg(hw_priv, &ctrl_reg);
-					if(ctrl_reg & ST90TDS_CONT_NEXT_LEN_MASK)
-					{
-						rx = 1;
-						goto test;
-					}
-				}
-#endif
-
-		status = wait_event_interruptible_timeout(hw_priv->bh_wq, ({
-				rx = atomic_xchg(&hw_priv->bh_rx, 0);
-				tx = atomic_xchg(&hw_priv->bh_tx, 0);
-				term = atomic_xchg(&hw_priv->bh_term, 0);
-				suspend = pending_tx ?
-					0 : atomic_read(&hw_priv->bh_suspend);
-				(rx || tx || term || suspend || hw_priv->bh_error);
-			}), status);
-
-		if (status < 0 || term || hw_priv->bh_error)
-			break;
-
-#ifdef INTERRUPT_WORKAROUND
-		if (!status) {
-			bes2600_bh_read_ctrl_reg(hw_priv, &ctrl_reg);
-			if(ctrl_reg & ST90TDS_CONT_NEXT_LEN_MASK)
-			{
-				bes_err("MISS 1\n");
-				rx = 1;
-				goto test;
-			}
-		}
-#endif
-		if (!status && hw_priv->hw_bufs_used) {
-			unsigned long timestamp = jiffies;
-			long timeout;
-			bool pending = false;
-			int i;
-
-			wiphy_warn(hw_priv->hw->wiphy, "Missed interrupt?\n");
-			rx = 1;
-
-			/* Get a timestamp of "oldest" frame */
-			for (i = 0; i < 4; ++i)
-				pending |= bes2600_queue_get_xmit_timestamp(
-						&hw_priv->tx_queue[i],
-						&timestamp, -1,
-						hw_priv->pending_frame_id);
-
-			/* Check if frame transmission is timed out.
-			 * Add an extra second with respect to possible
-			 * interrupt loss. */
-			timeout = timestamp +
-					WSM_CMD_LAST_CHANCE_TIMEOUT +
-					1 * HZ  -
-					jiffies;
-
-			/* And terminate BH tread if the frame is "stuck" */
-			if (pending && timeout < 0) {
-				//wiphy_warn(priv->hw->wiphy,
-				//	"Timeout waiting for TX confirm.\n");
-				bes_devel("bes2600_bh: Timeout waiting for TX confirm.\n");
-				break;
-			}
-
-#if defined(CONFIG_BES2600_DUMP_ON_ERROR)
-			BUG_ON(1);
-#endif /* CONFIG_BES2600_DUMP_ON_ERROR */
-		} else if (!status) {
-			if (!hw_priv->device_can_sleep
-					&& !atomic_read(&hw_priv->recent_scan)) {
-				bes_devel("[BH] Device wakedown. Timeout.\n");
-#ifndef FPGA_SETUP
-				WARN_ON(bes2600_reg_write_16(hw_priv,
-						ST90TDS_CONTROL_REG_ID, 0));
-				hw_priv->device_can_sleep = true;
-#endif
-			}
-			continue;
-		} else if (suspend) {
-			bes_devel("[BH] Device suspend.\n");
-			powersave_enabled = 1;
-			spin_lock(&hw_priv->vif_list_lock);
-			bes2600_for_each_vif(hw_priv, priv, i) {
-#ifdef P2P_MULTIVIF
-				if ((i = (CW12XX_MAX_VIFS - 1)) || !priv)
-#else
-				if (!priv)
-#endif
-					continue;
-				powersave_enabled &= !!priv->powersave_enabled;
-			}
-			spin_unlock(&hw_priv->vif_list_lock);
-			if (powersave_enabled) {
-				bes_devel("[BH] No Device wakedown. Suspend.\n");
-#ifndef FPGA_SETUP
-				WARN_ON(bes2600_reg_write_16(hw_priv,
-						ST90TDS_CONTROL_REG_ID, 0));
-				hw_priv->device_can_sleep = true;
-#endif
-			}
-
-			atomic_set(&hw_priv->bh_suspend, BES2600_BH_SUSPENDED);
-			wake_up(&hw_priv->bh_evt_wq);
-			status = wait_event_interruptible(hw_priv->bh_wq,
-					BES2600_BH_RESUME == atomic_read(
-						&hw_priv->bh_suspend));
-			if (status < 0) {
-				wiphy_err(hw_priv->hw->wiphy,
-					"%s: Failed to wait for resume: %ld.\n",
-					__func__, status);
-				break;
-			}
-			bes_devel("[BH] Device resume.\n");
-			atomic_set(&hw_priv->bh_suspend, BES2600_BH_RESUMED);
-			wake_up(&hw_priv->bh_evt_wq);
-			atomic_inc(&hw_priv->bh_rx);
-			continue;
-		}
-
-test:
-		tx += pending_tx;
-		pending_tx = 0;
-
-		if (rx) {
-			size_t alloc_len;
-			u8 *data;
-
-#ifdef INTERRUPT_WORKAROUND
-			if(!(ctrl_reg & ST90TDS_CONT_NEXT_LEN_MASK))
-#endif
-			if (WARN_ON(bes2600_bh_read_ctrl_reg(
-					hw_priv, &ctrl_reg)))
-				break;
-rx:
-			read_len = (ctrl_reg & ST90TDS_CONT_NEXT_LEN_MASK) * 2;
-			if (!read_len) {
-				rx_burst = 0;
-				goto tx;
-			}
-
-			if (WARN_ON((read_len < sizeof(struct wsm_hdr)) ||
-					(read_len > EFFECTIVE_BUF_SIZE))) {
-				bes_devel("Invalid read len: %d", read_len);
-				break;
-			}
-
-			/* Add SIZE of PIGGYBACK reg (CONTROL Reg)
-			 * to the NEXT Message length + 2 Bytes for SKB */
-			read_len = read_len + 2;
-
-#if defined(CONFIG_BES2600_NON_POWER_OF_TWO_BLOCKSIZES)
-			alloc_len = hw_priv->sbus_ops->align_size(
-					hw_priv->sbus_priv, read_len);
-#else /* CONFIG_BES2600_NON_POWER_OF_TWO_BLOCKSIZES */
-			/* Platform's SDIO workaround */
-			alloc_len = read_len & ~(SDIO_BLOCK_SIZE - 1);
-			if (read_len & (SDIO_BLOCK_SIZE - 1))
-				alloc_len += SDIO_BLOCK_SIZE;
-#endif /* CONFIG_BES2600_NON_POWER_OF_TWO_BLOCKSIZES */
-
-			/* Check if not exceeding BES2600 capabilities */
-			if (WARN_ON_ONCE(alloc_len > EFFECTIVE_BUF_SIZE))
-				bes_devel("Read aligned len: %d\n", alloc_len);
-
-			skb_rx = bes2600_get_skb(hw_priv, alloc_len);
-			if (WARN_ON(!skb_rx))
-				break;
-
-			skb_trim(skb_rx, 0);
-			skb_put(skb_rx, read_len);
-			data = skb_rx->data;
-			if (WARN_ON(!data))
-				break;
-
-			if (WARN_ON(bes2600_data_read(hw_priv, data, alloc_len)))
-				break;
-
-			/* Piggyback */
-			ctrl_reg = __le16_to_cpu(
-				((__le16 *)data)[alloc_len / 2 - 1]);
-
-			wsm = (struct wsm_hdr *)data;
-			wsm_len = __le32_to_cpu(wsm->len);
-			if (WARN_ON(wsm_len > read_len))
-				break;
-
-#if defined(CONFIG_BES2600_WSM_DUMPS)
-			if (unlikely(hw_priv->wsm_enable_wsm_dumps)) {
-				u16 msgid, ifid;
-				u16 *p = (u16 *)data;
-				msgid = (*(p + 1)) & 0xC3F;
-				ifid  = (*(p + 1)) >> 6;
-				ifid &= 0xF;
-				bes_devel("[DUMP] <<< msgid 0x%.4X ifid %d len %d\n", msgid, ifid, *p);
-				print_hex_dump(KERN_DEBUG, "<-- ", DUMP_PREFIX_NONE, data, min(wsm_len, wsm_dump_max));
-			}
-#endif /* CONFIG_BES2600_WSM_DUMPS */
-
-			wsm_id  = __le32_to_cpu(wsm->id) & 0xFFF;
-			wsm_seq = (__le32_to_cpu(wsm->id) >> 13) & 7;
-
-			skb_trim(skb_rx, wsm_len);
-
-			if (unlikely(wsm_id == 0x0800)) {
-				wsm_handle_exception(hw_priv,
-					 &data[sizeof(*wsm)],
-					wsm_len - sizeof(*wsm));
-				break;
-			} else if (unlikely(!rx_resync)) {
-				if (WARN_ON(wsm_seq != hw_priv->wsm_rx_seq)) {
-#if defined(CONFIG_BES2600_DUMP_ON_ERROR)
-					BUG_ON(1);
-#endif /* CONFIG_BES2600_DUMP_ON_ERROR */
-					break;
-				}
-			}
-			hw_priv->wsm_rx_seq = (wsm_seq + 1) & 7;
-			rx_resync = 0;
-
-			if (wsm_id & 0x0400) {
-				int rc = wsm_release_tx_buffer(hw_priv, 1);
-				if (WARN_ON(rc < 0))
-					break;
-				else if (rc > 0)
-					tx = 1;
-			}
-
-			/* bes2600_wsm_rx takes care on SKB livetime */
-			if (WARN_ON(wsm_handle_rx(hw_priv, wsm_id, wsm,
-						  &skb_rx)))
-				break;
-
-			if (skb_rx) {
-				bes2600_put_skb(hw_priv, skb_rx);
-				skb_rx = NULL;
-			}
-
-			read_len = 0;
-
-			if (rx_burst) {
-				bes2600_debug_rx_burst(hw_priv);
-				--rx_burst;
-				goto rx;
-			}
-		}
-
-tx:
-		BUG_ON(hw_priv->hw_bufs_used > hw_priv->wsm_caps.numInpChBufs);
-		tx_burst = hw_priv->wsm_caps.numInpChBufs -
-			hw_priv->hw_bufs_used;
-		tx_allowed = tx_burst > 0;
-		if (tx && tx_allowed) {
-			size_t tx_len;
-			u8 *data;
-			int ret;
-
-			if (hw_priv->device_can_sleep) {
-				ret = bes2600_device_wakeup(hw_priv);
-				if (WARN_ON(ret < 0))
-					break;
-				else if (ret)
-					hw_priv->device_can_sleep = false;
-				else {
-					/* Wait for "awake" interrupt */
-					pending_tx = tx;
-					continue;
-				}
-			}
-
-			wsm_alloc_tx_buffer(hw_priv);
-			ret = wsm_get_tx(hw_priv, &data, &tx_len, &tx_burst,
-						&vif_selected);
-			if (ret <= 0) {
-				wsm_release_tx_buffer(hw_priv, 1);
-				if (WARN_ON(ret < 0))
-					break;
-			} else {
-				wsm = (struct wsm_hdr *)data;
-				BUG_ON(tx_len < sizeof(*wsm));
-				BUG_ON(__le32_to_cpu(wsm->len) != tx_len);
-
-#if 0 /* count is not implemented */
-				if (ret > 1)
-					atomic_inc(&hw_priv->bh_tx);
-#else
-				atomic_inc(&hw_priv->bh_tx);
-#endif
-
-#if defined(CONFIG_BES2600_NON_POWER_OF_TWO_BLOCKSIZES)
-				if (tx_len <= 8)
-					tx_len = 16;
-				tx_len = hw_priv->sbus_ops->align_size(
-						hw_priv->sbus_priv, tx_len);
-#else /* CONFIG_BES2600_NON_POWER_OF_TWO_BLOCKSIZES */
-				/* HACK!!! Platform limitation.
-				* It is also supported by upper layer:
-				* there is always enough space at the
-				* end of the buffer. */
-				if (tx_len & (SDIO_BLOCK_SIZE - 1)) {
-					tx_len &= ~(SDIO_BLOCK_SIZE - 1);
-					tx_len += SDIO_BLOCK_SIZE;
-				}
-#endif /* CONFIG_BES2600_NON_POWER_OF_TWO_BLOCKSIZES */
-
-				/* Check if not exceeding BES2600
-				    capabilities */
-				if (WARN_ON_ONCE(tx_len > EFFECTIVE_BUF_SIZE))
-					bes_devel("Write aligned len: %d\n", tx_len);
-
-				wsm->id &= __cpu_to_le32(
-						~WSM_TX_SEQ(WSM_TX_SEQ_MAX));
-				wsm->id |= cpu_to_le32(WSM_TX_SEQ(
-						hw_priv->wsm_tx_seq));
-
-				if (WARN_ON(bes2600_data_write(hw_priv,
-				    data, tx_len))) {
-					wsm_release_tx_buffer(hw_priv, 1);
-					break;
-				}
-
-				if (vif_selected != -1) {
-					hw_priv->hw_bufs_used_vif[
-							vif_selected]++;
-				}
-
-#if defined(CONFIG_BES2600_WSM_DUMPS)
-				if (unlikely(hw_priv->wsm_enable_wsm_dumps)) {
-					u16 msgid, ifid;
-					u16 *p = (u16 *)data;
-					msgid = (*(p + 1)) & 0x3F;
-					ifid  = (*(p + 1)) >> 6;
-					ifid &= 0xF;
-					if (msgid == 0x0006)
-						bes_devel("[DUMP] >>> msgid 0x%.4X ifid %d len %d MIB 0x%.4X\n", msgid, ifid, *p, *(p + 2));
-					else
-						bes_devel("[DUMP] >>> msgid 0x%.4X ifid %d len %d\n", msgid, ifid, *p);
-					print_hex_dump(KERN_DEBUG, "--> ", DUMP_PREFIX_NONE, data, min(__le32_to_cpu(wsm->len), wsm_dump_max));
-				}
-#endif /* CONFIG_BES2600_WSM_DUMPS */
-
-				wsm_txed(hw_priv, data);
-				hw_priv->wsm_tx_seq = (hw_priv->wsm_tx_seq + 1)
-						& WSM_TX_SEQ_MAX;
-
-				if (tx_burst > 1) {
-					bes2600_debug_tx_burst(hw_priv);
-					++rx_burst;
-					goto tx;
-				}
-			}
-		}
-
-		if (ctrl_reg & ST90TDS_CONT_NEXT_LEN_MASK)
-			goto rx;
-	}
-
-	if (skb_rx) {
-		bes2600_put_skb(hw_priv, skb_rx);
-		skb_rx = NULL;
-	}
-
-
-	if (!term) {
-		bes_devel("[BH] Fatal error, exitting.\n");
-#if defined(CONFIG_BES2600_DUMP_ON_ERROR)
-		BUG_ON(1);
-#endif /* CONFIG_BES2600_DUMP_ON_ERROR */
-		hw_priv->bh_error = 1;
-#if defined(CONFIG_BES2600_USE_STE_EXTENSIONS)
-		spin_lock(&hw_priv->vif_list_lock);
-		bes2600_for_each_vif(hw_priv, priv, i) {
-			if (!priv)
-				continue;
-			ieee80211_driver_hang_notify(priv->vif, GFP_KERNEL);
-		}
-		spin_unlock(&hw_priv->vif_list_lock);
-		bes2600_pm_stay_awake(&hw_priv->pm_state, 3*HZ);
-#endif
-		/* TODO: schedule_work(recovery) */
-#ifndef HAS_PUT_TASK_STRUCT
-		/* The only reason of having this stupid code here is
-		 * that __put_task_struct is not exported by kernel. */
-		for (;;) {
-			int status = wait_event_interruptible(hw_priv->bh_wq, ({
-				term = atomic_xchg(&hw_priv->bh_term, 0);
-				(term);
-				}));
-
-			if (status || term)
-				break;
-		}
-#endif
-	}
-	return 0;
-}
-#else
 
 extern int bes2600_bh_read_ctrl_reg(struct bes2600_common *priv, u32 *ctrl_reg);
 
@@ -1592,7 +1046,15 @@ static int bes2600_bh(void *arg)
 
 			tx = 0;
 
-			BUG_ON(hw_priv->hw_bufs_used > hw_priv->wsm_caps.numInpChBufs);
+			/*
+			 * Patch H: BUG_ON -> WARN_ON_ONCE in the steady-state
+			 * hot path.  The original BUG_ON ran every bh-loop
+			 * iteration; tripping it on a bookkeeping bug locks
+			 * the kernel up during normal operation, which is
+			 * the wrong response.  WARN_ON_ONCE surfaces the
+			 * issue without taking the system down.
+			 */
+			WARN_ON_ONCE(hw_priv->hw_bufs_used > hw_priv->wsm_caps.numInpChBufs);
 			tx_burst = hw_priv->wsm_caps.numInpChBufs - hw_priv->hw_bufs_used;
 			tx_allowed = tx_burst > 0;
 
@@ -1636,18 +1098,19 @@ static int bes2600_bh(void *arg)
 			goto tx;
 
 	done:
-		/* Re-enable device interrupts */
-		//hw_priv->sbus_ops->lock(hw_priv->sbus_priv);
-		//__bes2600_irq_enable(1);
-		//hw_priv->sbus_ops->unlock(hw_priv->sbus_priv);
-		asm volatile ("nop");
+		/*
+		 * Patch H: dropped the dead `__bes2600_irq_enable(1)` /
+		 * `asm volatile("nop")` placeholder that used to sit here.
+		 * `__bes2600_irq_enable()` is a stub that returns 0 on
+		 * bes2600 silicon — the IRQ is managed by sdio_claim_irq
+		 * and chip-side firmware, not by a driver-side enable bit.
+		 * (cw1200 inherited the function from a different chip
+		 * shape; bes2600 kept the stub but the call sites are
+		 * meaningless.)
+		 */
+		;
 	}
 
-	/* Explicitly disable device interrupts */
-	hw_priv->sbus_ops->lock(hw_priv->sbus_priv);
-	__bes2600_irq_enable(0);
-	hw_priv->sbus_ops->unlock(hw_priv->sbus_priv);
-
 	if (!term) {
 		bes_err("[BH] Fatal error, exiting.\n");
 		sdio_work_debug(hw_priv->sbus_priv);
@@ -1656,4 +1119,3 @@ static int bes2600_bh(void *arg)
 	}
 	return 0;
 }
-#endif

bes2600/hwio.c

@@ -324,7 +324,10 @@ out:
 }
 #endif
 
-int __bes2600_irq_enable(int enable)
-{
-	return 0;
-}
+/*
+ * Patch H: __bes2600_irq_enable stub removed.  It was a no-op
+ * (always returned 0) inherited from cw1200 where the analogous
+ * function manipulates the chip's IRQ-enable register.  bes2600
+ * silicon manages SDIO IRQ via sdio_claim_irq and chip-side
+ * firmware — there is no driver-side enable register to write.
+ */

bes2600/queue.c

@@ -829,19 +829,19 @@ int bes2600_queue_get_skb(struct bes2600_queue *queue, u32 packetID,
 	bes2600_queue_parse_id(packetID, &queue_generation, &queue_id,
 				&item_generation, &item_id, &if_id, &link_id);
 
-	spin_lock(&queue->stats->hw_priv->tx_loop.pending_record_lock);
+	spin_lock_bh(&queue->stats->hw_priv->tx_loop.pending_record_lock);
 	if (!list_empty(&queue->stats->hw_priv->tx_loop.pending_record_list)) {
 		list_for_each_entry_safe(record_item, temp_record_item, &queue->stats->hw_priv->tx_loop.pending_record_list, head) {
 			if (record_item->packetID == packetID) {
 				list_del(&record_item->head);
 				dev_kfree_skb(record_item->skb);
 				kfree(record_item);
-				spin_unlock(&queue->stats->hw_priv->tx_loop.pending_record_lock);
+				spin_unlock_bh(&queue->stats->hw_priv->tx_loop.pending_record_lock);
 				return -EINVAL;
 			}
 		}
 	}
-	spin_unlock(&queue->stats->hw_priv->tx_loop.pending_record_lock);
+	spin_unlock_bh(&queue->stats->hw_priv->tx_loop.pending_record_lock);
 
 	item = &queue->pool[item_id];
 

bes2600/sbus.h

@@ -95,7 +95,6 @@ struct sbus_ops {
 
 void bes2600_irq_handler(struct bes2600_common *priv);
 
-/* This MUST be wrapped with hwbus_ops->lock/unlock! */
-int __bes2600_irq_enable(int enable);
+/* Patch H: __bes2600_irq_enable removed (was a stub). */
 
 #endif /* BES2600_SBUS_H */

bes2600/scan.c

@@ -238,6 +238,36 @@ int bes2600_hw_scan(struct ieee80211_hw *hw,
 	/* Scan when P2P_GO corrupt firmware MiniAP mode */
 	if (priv->join_status == BES2600_JOIN_STATUS_AP)
 		return -EOPNOTSUPP;
+
+	/*
+	 * Firmware refuses WSM start-scan for 5 GHz with status 2 ("rejected
+	 * by policy"); see besser issue #1.  mac80211 splits multi-band
+	 * hw_scan requests per-band when the driver does not set
+	 * IEEE80211_HW_SINGLE_SCAN_ON_ALL_BANDS (we don't -- see
+	 * ieee80211_hw_set() calls in bes2600_main.c), so each per-band call
+	 * has req->channels[] from one band only (see ieee80211_prep_hw_scan
+	 * in net/mac80211/scan.c).  Refuse the 5 GHz iteration at the driver
+	 * boundary so userspace gets a clean aborted-scan for that portion
+	 * rather than waiting for the firmware reject to cascade up.
+	 *
+	 * Only the multi-channel case is refused (n_channels > 1): that's
+	 * the per-band-sweep pattern mac80211 issues internally and the
+	 * one that triggers the firmware storm at the per-band loop
+	 * boundary.  Single-channel 5 GHz scans (BSS verification, NM's
+	 * per-freq iteration when 802-11-wireless.band=a is set) pass
+	 * through to firmware, which generally accepts them since the
+	 * storm is the back-to-back per-band issue, not a blanket 5 GHz
+	 * reject.  This preserves 5 GHz association via the
+	 * "wpa_supplicant iterates freq_list per channel" path.
+	 *
+	 * Contract: per include/net/mac80211.h struct ieee80211_ops.hw_scan
+	 * documentation, a negative return aborts the scan without requiring
+	 * ieee80211_scan_completed().
+	 */
+	if (req->n_channels > 1 &&
+	    req->channels[0]->band == NL80211_BAND_5GHZ)
+		return -EOPNOTSUPP;
+
 #if 0
 	if (work_pending(&priv->offchannel_work) ||
 			(hw_priv->roc_if_id != -1)) {

bes2600/tx_loop.c

@@ -109,9 +109,9 @@ void bes2600_tx_loop_set_enable(struct bes2600_common *hw_priv, bool need_warn)
                 bes2600_queue_iterate_pending_packet(&hw_priv->tx_queue[i],
 				                bes2600_tx_loop_item_pending_item);
         }
-	spin_lock(&hw_priv->tx_loop.pending_record_lock);
+	spin_lock_bh(&hw_priv->tx_loop.pending_record_lock);
         bes2600_queue_iterate_record_pending_packet(hw_priv, bes2600_tx_loop_item_pending_item);
-	spin_unlock(&hw_priv->tx_loop.pending_record_lock);
+	spin_unlock_bh(&hw_priv->tx_loop.pending_record_lock);
 
         if (atomic_read(&hw_priv->bh_rx) > 0)
 		wake_up(&hw_priv->bh_wq);