bes2600: bounce SDIO TX buffers to avoid DMA OOB read

The SDIO TX path rounds the DMA transfer length up to the host's
current block size and hands that length to dma_map_sg() via
sg_set_buf(&sg[scatters], tx_buffer->buf, align) in sdio_tx_work().
tx_buffer->buf typically aliases into an skb linear head whose
allocated size matches tx_buffer->len, not the block-aligned
align. The DMA engine (swiotlb / dw_mci IDMAC) therefore reads up
to one block past the end of the skb. On a PineTab2 with KFENCE
enabled this fires as:

  BUG: KFENCE: out-of-bounds read in __pi_memcpy_generic
  Out-of-bounds read at ... (704B right of kfence-#...):
  __pi_memcpy_generic
  swiotlb_tbl_map_single
  swiotlb_map
  dma_direct_map_sg
  __dma_map_sg_attrs
  dma_map_sg_attrs
  dw_mci_pre_dma_transfer
  __dw_mci_start_request
  ...
  bes_sdio_memcpy_to_io_helper+0x18c/0x288 [bes2600]
  sdio_tx_work+0x2b4/0x4a0 [bes2600]

allocated by ... pskb_expand_head / validate_xmit_skb / tcp_*

In addition to being undefined behavior, the padding bytes (which
come from whatever memory follows the skb) are transmitted to the
peer, leaking kernel memory on the air.

Allocate a driver-owned DMA-page bounce buffer sized to
MAX_SDIO_TRANSFER_LEN and use it as the scatter-gather backing for
sdio_tx_work. Each TX buffer is copied into its bounce slot and the
tail (align - tx_buffer->len bytes) is zeroed. This mirrors the
existing bounce pattern already used by bes2600_sdio_memcpy_toio()
via single_gathered_buffer; a separate allocation is used for the
TX path because single_gathered_buffer is only serialised via
sdio_claim_host and sdio_tx_work accumulates scatter entries before
claiming the bus.

Signed-off-by: Markus Fritsche <fritsche.markus@gmail.com>

bes2600/Makefile

@@ -2,7 +2,7 @@ KERN_DIR = /lib/modules/$(KERNELRELEASE)/build
 # feature option
 BES2600                                 ?= m
 
-CONFIG_BES2600_TESTMODE                 ?= y
+CONFIG_BES2600_TESTMODE                 ?= n
 
 CONFIG_BES2600_ENABLE_DEVEL_LOGS        ?= n
 
@@ -65,8 +65,8 @@ BES2600_DRV_VERSION := bes2600_0.3.5_2024.0116
 
 ifeq ($(CONFIG_BES2600_CALIB_FROM_LINUX),y)
 FACTORY_CRC_CHECK                    ?= n
-STANDARD_FACTORY_EFUSE_FLAG          ?= n
+STANDARD_FACTORY_EFUSE_FLAG          ?= y
-FACTORY_PATH                 ?= bes2600/bes2600_factory.txt
+FACTORY_PATH                 ?= /lib/firmware/bes2600_factory.txt
 endif
 
 # basic function

bes2600/bes2600_factory.c

@@ -12,7 +12,6 @@
 #include <linux/module.h>
 #include <linux/sched.h>
 #include <linux/fs.h>
-#include <linux/firmware.h>
 #include <linux/slab.h>
 #include <linux/mutex.h>
 #include <linux/crc32.h>
@@ -31,18 +30,6 @@
 
 static DEFINE_MUTEX(factory_lock);
 
-/*
- * struct device * for request_firmware() context. Set once at SDIO
- * probe via bes2600_factory_set_dev(). NULL is tolerated (falls back
- * to the udev-less firmware-class path) but loses per-device logging.
- */
-static struct device *bes2600_factory_dev;
-
-void bes2600_factory_set_dev(struct device *dev)
-{
-	bes2600_factory_dev = dev;
-}
-
 /*
  * It is only used for temporary storage.
  * Every time get the factory, it will read from the
@@ -150,32 +137,38 @@ static int bes2600_factory_crc_check(struct factory_t *factory_data)
  */
 static int factory_section_read_file(char *path, void *buffer)
 {
-	const struct firmware *fw;
+	int ret = 0;
-	int ret;
+	struct file *fp;
 
 	if (!path || !buffer) {
 		bes_err("%s NULL pointer err\n", __func__);
 		return -1;
 	}
 
-	bes_devel("requesting firmware-class %s\n", path);
+	bes_devel("reading %s \n", path);
 
-	ret = request_firmware(&fw, path, bes2600_factory_dev);
+	fp = filp_open(path, O_RDONLY, 0); //S_IRUSR
-	if (ret) {
+	if (IS_ERR(fp)) {
-		bes_devel("BES2600: request_firmware(%s) failed: %d\n", path, ret);
+		bes_devel("BES2600 : can't open %s\n",path);
 		return -1;
 	}
 
-	if (fw->size == 0 || fw->size > FACTORY_MAX_SIZE) {
+	if (fp->f_inode->i_size <= 0 || fp->f_inode->i_size > FACTORY_MAX_SIZE) {
-		bes_err("bes2600_factory.txt size check failed, read_size: %zu max_size: %d\n",
+		bes_err(			"bes2600_factory.txt size check failed, read_size: %lld max_size: %d\n",
-			fw->size, FACTORY_MAX_SIZE);
+			fp->f_inode->i_size, FACTORY_MAX_SIZE);
-		release_firmware(fw);
+		filp_close(fp, NULL);
 		return -1;
 	}
 
-	memcpy(buffer, fw->data, fw->size);
+	ret = kernel_read(fp, buffer, fp->f_inode->i_size, &fp->f_pos);
-	ret = (int)fw->size;
+
-	release_firmware(fw);
+	filp_close(fp, NULL);
+
+	if (ret != fp->f_inode->i_size) {
+		bes_err("bes2600_factory.txt read fail\n");
+		ret = -1;
+	}
+
 	return ret;
 }
 

bes2600/bes2600_factory.h

@@ -199,9 +199,6 @@ enum factory_cali_status {
 /* just calibrate 11n, other protocols are automatically mapped */
 #define WIFI_RF_11N_MODE 0x15
 
-/* set the struct device * used for request_firmware() context */
-void bes2600_factory_set_dev(struct device *dev);
-
 /* read wifi & bt factory cali value*/
 u8* bes2600_get_factory_cali_data(u8 *file_buffer, u32 *data_len, char *path);
 void factory_little_endian_cvrt(u8 *data);

bes2600/bes2600_sdio.c

@@ -30,7 +30,6 @@
 #include "bes2600.h"
 #include "sbus.h"
 #include "bes2600_plat.h"
-#include "bes2600_factory.h"
 #include "hwio.h"
 #include "bes_chardev.h"
 #include "bes_log.h"
@@ -1855,9 +1854,6 @@ static int bes2600_sdio_probe(struct sdio_func *func,
 	if (ret)
 		goto err;
 
-	/* wire struct device into factory.c for request_firmware() context */
-	bes2600_factory_set_dev(dev);
-
 	self->pdata = bes2600_get_platform_data();
 	self->func = func;
 	self->dev = &func->dev;

bes2600/bes_chardev.c

@@ -43,6 +43,12 @@ enum bus_probe_state {
 };
 
 struct bes_cdev {
+	struct cdev cdev;
+	dev_t dev_id;
+	int major;
+	int minor;
+	struct class *class;
+	struct device *device;
 	atomic_t num_proc;
 	wait_queue_head_t open_wq;
 	spinlock_t status_lock;
@@ -243,18 +249,351 @@ int bes2600_switch_bt(bool on)
 	return ret;
 }
 
+static int bes2600_get_cmd_and_ifname(const char *str, char **result)
+{
+	int cmd_len = 0;
+	int ifname_len = 0;
+	char *sp = NULL;
+	char *tmp_ptr = NULL;
+	char *cmd_ptr = NULL;
+
+	/* check if input arguments is valid */
+	if (!str || strncmp(str, "ifname:", 7) != 0)
+		return -1;
+
+	sp = strchr(str, ' ');
+	if (strncmp(sp + 1, "cmd:", 4) != 0)
+		return -1;
+
+	/* extract interface name */
+	ifname_len = sp - str - 7;
+	tmp_ptr = kmalloc(ifname_len + 1, GFP_KERNEL);
+	if (!tmp_ptr) {
+		return -2;
+	}
+
+	strncpy(tmp_ptr, str+7, ifname_len);
+	tmp_ptr[ifname_len] = '\0';
+	result[0] = tmp_ptr;
+
+	/* get command length */
+	cmd_ptr = strstr(str, "cmd:");
+	cmd_ptr += 4;
+	sp = strchr(cmd_ptr, ' ');
+	if (!sp) {	/* the command don't have any parameter */
+		cmd_len = strlen(cmd_ptr);
+		if (cmd_ptr[cmd_len - 1] == '\n')
+			--cmd_len;
+	} else {	/* the command have one or more parameter */
+		cmd_len = sp - cmd_ptr;
+	}
+
+	/* copy command to out buffer */
+	tmp_ptr = kmalloc( cmd_len + 1, GFP_KERNEL);
+	if (!tmp_ptr) {
+		kfree(result[0]);
+		result[0] = NULL;
+		return -3;
+	}
+
+	strncpy(tmp_ptr, cmd_ptr, cmd_len);
+	tmp_ptr[cmd_len] = '\0';
+	result[1] = tmp_ptr;
+
+	return 0;
+}
+
+static void bes2600_recyle_cmd_and_ifname_mem(char **info)
+{
+	if (info[0]) {
+		kfree(info[0]);
+		info[0] = NULL;
+	}
+
+	if (info[1]) {
+		kfree(info[1]);
+		info[1] = NULL;
+	}
+
+}
+
+static int bes2600_op_default_handler(const char *str)
+{
+	char *info[2] = {0};
+
+	if (bes2600_get_cmd_and_ifname(str, info) == 0) {
+		bes_devel("cmd(%s) on %s not handled\n", info[1], info[0]);
+	} else {
+		bes_err("%s get command fail, the origin string is %s\n", __func__, str);
+	}
+
+	bes2600_recyle_cmd_and_ifname_mem(info);
+
+	return 0;
+}
+
+static int bes2600_op_wifi_bt_on_off(const char *str)
+{
+	char *info[2] = {0};
+	int ret = 0;
+	enum wait_state wait_state;
+	enum bus_probe_state probe_state;
+	unsigned long status = 0;
+
+	spin_lock(&bes2600_cdev.status_lock);
+	probe_state = bes2600_cdev.bus_probe;
+	wait_state = bes2600_cdev.wait_state;
+	spin_unlock(&bes2600_cdev.status_lock);
+
+	/* only work for wifi signal mode */
+	if (bes2600_cdev.fw_type != BES2600_FW_TYPE_WIFI_SIGNAL)
+		return -EFAULT;
+
+	/* wait bus probe operation end */
+	if (probe_state == BES2600_BUS_PROBE_START) {
+		bes_devel("wait bus probe operation end\n");
+		status = wait_event_timeout(bes2600_cdev.probe_done_wq,
+					(bes2600_cdev.bus_probe > BES2600_BUS_PROBE_START),
+					HZ);
+		WARN_ON(status <= 0);
+	}
+
+	/* must wait previous operation end in critical section */
+	if (wait_state != BES2600_BOOT_WAIT_NONE) {
+		bes_devel("wait previous operation end\n");
+		status = wait_event_timeout(bes2600_cdev.probe_done_wq,
+					(bes2600_cdev.wait_state == BES2600_BOOT_WAIT_NONE),
+					HZ * 8);
+		WARN_ON(status <= 0);
+	}
+
+	/* if dpd calibration is doing, modify wifi and bt state directly */
+	spin_lock(&bes2600_cdev.status_lock);
+	if (bes2600_cdev.bus_probe == BES2600_BUS_PROBE_OK && !bes2600_cdev.dpd_calied) {
+		if (bes2600_get_cmd_and_ifname(str, info) == 0) {
+			if (strncmp(info[1], "WIFI_ON", 7) == 0) {
+				bes2600_cdev.wifi_opened = true;
+			} else if (strncmp(info[1], "WIFI_OFF", 8) == 0) {
+				bes2600_cdev.wifi_opened = false;
+			} else if (strncmp(info[1], "BT_ON", 5) == 0) {
+				bes2600_cdev.bt_opened = true;
+				bes2600_cdev.bton_pending = true;
+			} else if (strncmp(info[1], "BT_OFF", 6) == 0) {
+				bes2600_cdev.bt_opened = false;
+				bes2600_cdev.bton_pending = false;
+			}
+		}
+		bes2600_recyle_cmd_and_ifname_mem(info);
+		spin_unlock(&bes2600_cdev.status_lock);
+
+		/* wait probe done event */
+		status = wait_event_timeout(bes2600_cdev.probe_done_wq,
+				bes2600_bootup_end(), HZ * 8);
+		WARN_ON(status <= 0);
+
+		return (status <= 0 || bes2600_chrdev_is_bus_error()) ? -EFAULT : 0;
+	}
+	spin_unlock(&bes2600_cdev.status_lock);
+
+	/* process wifi/bt on/off operation */
+	if (bes2600_get_cmd_and_ifname(str, info) == 0) {
+		if (strncmp(info[1], "WIFI_ON", 7) == 0) {
+			ret = bes2600_switch_wifi(1);
+		} else if (strncmp(info[1], "WIFI_OFF", 8) == 0) {
+			ret = bes2600_switch_wifi(0);
+		} else if (strncmp(info[1], "BT_ON", 5) == 0) {
+			ret = bes2600_switch_bt(1);
+		} else if (strncmp(info[1], "BT_OFF", 6) == 0) {
+			ret = bes2600_switch_bt(0);
+		}
+	}
+
+	if (!ret && bes2600_chrdev_check_system_close())
+		ret = bes2600_chrdev_do_system_close(bes2600_cdev.sbus_ops,
+						bes2600_cdev.sbus_priv);
+
+	bes2600_recyle_cmd_and_ifname_mem(info);
+
+	return ret ;
+}
 
 
+static int bes2600_op_change_fw_type(const char *str)
+{
+	int ret = 0;
+	int temp = 0;
+	long status = 0;
+	char *cmd_ptr = NULL;
+	char fw_type[5] = {0};
+	bool sys_closed = bes2600_chrdev_check_system_close();
+
+	bes_devel("%s is called, arg:%s\n", __func__, str);
+
+	if (!bes2600_cdev.sbus_ops->power_switch && !bes2600_cdev.sbus_ops->reboot)
+		return -EPERM;
+
+	/* check if user input is valid */
+	cmd_ptr = strstr(str, "CHANGE_FW_TYPE ");
+	if (strlen(str) < 16 || !cmd_ptr) {
+		bes_err("the format of \"%s\" is error\n", str);
+		return -EINVAL;
+	}
+
+	/* convert fw_type from string to int */
+	strncpy(fw_type, cmd_ptr + 14, 4);
+	fw_type[0] = '+';
+	ret = kstrtoint(fw_type, 10, &temp);
+	if (ret < 0) {
+		bes_err("%s parse error\n", __func__);
+		return -EINVAL;
+	}
+
+	/* no need to realod firmware if new fw_type is equal to the old */
+	if (temp == bes2600_cdev.fw_type ) {
+		bes_devel("fw type is equal\n");
+		return 0;
+	}
+
+	/* close wifi net device */
+	if (bes2600_cdev.sbus_priv
+	    && bes2600_is_net_dev_created(bes2600_cdev.sbus_priv)) {
+		bes2600_unregister_net_dev(bes2600_cdev.sbus_priv);
+	}
+
+	/* update firmware type */
+	bes2600_cdev.fw_type = temp;
+	bes2600_chrdev_update_signal_mode();
+
+	if (!sys_closed) {
+		/* close device to call disconnect function */
+		if (bes2600_cdev.sbus_ops->power_switch)
+			bes2600_cdev.sbus_ops->power_switch(bes2600_cdev.sbus_priv, 0);
+		else if (bes2600_cdev.sbus_ops->reboot)
+			bes2600_cdev.sbus_ops->reboot(bes2600_cdev.sbus_priv);
+	}
+
+	if (bes2600_cdev.sbus_ops->reboot)
+		bes2600_chrdev_start_bus_probe();
+
+	/* wait disconnect event */
+	status = wait_event_timeout(bes2600_cdev.probe_done_wq, (bes2600_cdev.sbus_priv == NULL), HZ * 10);
+	WARN_ON(status <= 0);
+
+	if (bes2600_cdev.dpd_calied
+	   && bes2600_chrdev_check_system_close()) {
+		bes_devel("no need to reload firmware\n");
+		return 0;
+	}
+
+	bes_devel("reload firmware...\n");
+	/* power on device to call probe function */
+	if (bes2600_cdev.sbus_ops->power_switch)
+		bes2600_cdev.sbus_ops->power_switch(NULL, 1);
+
+	/* wait probe done event */
+	status = wait_event_timeout(bes2600_cdev.probe_done_wq,
+			bes2600_bootup_end(), HZ * 10);
+	WARN_ON(status <= 0);
+
+	ret = (status <= 0 || bes2600_chrdev_is_bus_error()) ? -1 : 0;
 
 
+	return ret;
+}
 
+static int bes2600_op_bt_wakeup(const char *str)
+{
+	int ret = 0;
+	unsigned long status = 0;
 
+	spin_lock(&bes2600_cdev.status_lock);
+	if (!bes2600_cdev.bt_opened) {
+		spin_unlock(&bes2600_cdev.status_lock);
+		return -EFAULT;
+	}
+	spin_unlock(&bes2600_cdev.status_lock);
 
+	/* wait probe done event */
+	status = wait_event_timeout(bes2600_cdev.probe_done_wq,
+			bes2600_bootup_end(), HZ * 8);
+	if (status <= 0 || bes2600_chrdev_is_bus_error())
+		return -EFAULT;
 
+	bes_devel("bes2600 wakeup bt.\n");
+	ret = bes2600_chrdev_switch_subsys(GPIO_WAKE_FLAG_BT_LP_ON, SUBSYSTEM_BT_LP, true);
+
+	return ret;
+}
+
+static int bes2600_op_bt_sleep(const char *str)
+{
+	int ret = 0;
+	unsigned long status = 0;
+
+	spin_lock(&bes2600_cdev.status_lock);
+	if (!bes2600_cdev.bt_opened) {
+		spin_unlock(&bes2600_cdev.status_lock);
+		return -EFAULT;
+	}
+	spin_unlock(&bes2600_cdev.status_lock);
+
+	/* wait probe done event */
+	status = wait_event_timeout(bes2600_cdev.probe_done_wq,
+			bes2600_bootup_end(), HZ * 8);
+	if (status <= 0 || bes2600_chrdev_is_bus_error())
+		return -EFAULT;
+
+	bes_devel("bes2600 allow bt sleep.\n");
+	ret = bes2600_chrdev_switch_subsys(GPIO_WAKE_FLAG_BT_LP_OFF, SUBSYSTEM_BT_LP, false);
+
+	return ret;
+}
+
+static int bes2600_op_set_wakeup_read_flag(const char *str)
+{
+	bes_devel("%s is called, arg:%s\n", __func__, str);
+	spin_lock(&bes2600_cdev.status_lock);
+	bes2600_cdev.read_flag = BES_CDEV_READ_WAKEUP_STATE;
+	spin_unlock(&bes2600_cdev.status_lock);
+
+	return 0;
+}
 
 #ifdef FW_DOWNLOAD_UART_DAEMON
+int bes2600_load_uevent(char *env[])
+{
+	return kobject_uevent_env(&bes2600_cdev.device->kobj, KOBJ_CHANGE, env);
+}
 #endif
 
+static struct bes2600_op_map bes2600_op_map_tab[] ={
+	/*op			op_len	handler				*/
+	{"P2P_SET_NOA", 	11,	bes2600_op_default_handler},
+	{"P2P_SET_PS", 		10,	bes2600_op_default_handler},
+	{"SET_AP_WPS_P2P_IE",	17, 	bes2600_op_default_handler},
+	{"LINKSPEED", 		9,	bes2600_op_default_handler},
+	{"RSSI",		4,	bes2600_op_default_handler},
+	{"GETBAND", 		7,	bes2600_op_default_handler},
+	{"WLS_BATCHING", 	12,	bes2600_op_default_handler},
+	{"MACADDR",		7,	bes2600_op_default_handler},
+	{"RXFILTER-START",	14,	bes2600_op_default_handler},
+	{"RXFILTER-STOP",	13,	bes2600_op_default_handler},
+	{"RXFILTER-ADD",	12,	bes2600_op_default_handler},
+	{"RXFILTER-REMOVE",	15,	bes2600_op_default_handler},
+	{"BTCOEXMODE",		10,	bes2600_op_default_handler},
+	{"BTCOEXSCAN-START",	16,	bes2600_op_default_handler},
+	{"BTCOEXSCAN-STOP",	15,	bes2600_op_default_handler},
+	{"SETSUSPENDMODE",	14,	bes2600_op_default_handler},
+	{"COUNTRY",		7,	bes2600_op_default_handler},
+	{"WIFI_ON", 		7,	bes2600_op_wifi_bt_on_off},
+	{"WIFI_OFF", 		8,	bes2600_op_wifi_bt_on_off},
+	{"BT_ON", 		5,	bes2600_op_wifi_bt_on_off},
+	{"BT_OFF", 		6,	bes2600_op_wifi_bt_on_off},
+	{"CHANGE_FW_TYPE",	14,	bes2600_op_change_fw_type},
+	{"BT_WAKEUP",		9,	bes2600_op_bt_wakeup},
+	{"BT_SLEEP",		8,	bes2600_op_bt_sleep},
+	{"WAKEUP_STATE",	12,	bes2600_op_set_wakeup_read_flag},
+};
 
 static int bes2600_chrdev_check_system_close_internal(void)
 {
@@ -264,10 +603,123 @@ static int bes2600_chrdev_check_system_close_internal(void)
 		&& (bes2600_cdev.wifi_opened == false);
 }
 
+static int bes2600_chrdev_open(struct inode *inode, struct file *filp)
+{
+	if (atomic_read(&bes2600_cdev.num_proc) > 0) {
+		wait_event_timeout(bes2600_cdev.open_wq,
+			(atomic_read(&bes2600_cdev.num_proc) == 0),
+			MAX_SCHEDULE_TIMEOUT);
+	}
 
+	bes_devel("bes2600 char device is opened\n");
+	atomic_inc(&bes2600_cdev.num_proc);
 
+        return 0;
+}
 
+static ssize_t bes2600_chrdev_read(struct file *file, char __user *user_buf,
+			     size_t count, loff_t *ppos)
+{
+	char buf[64] = {0};
+	unsigned int len;
+	long status = 0;
 
+	switch (bes2600_cdev.read_flag) {
+	case BES_CDEV_READ_WAKEUP_STATE:
+		if (bes2600_chrdev_wakeup_by_event_get() > WAKEUP_EVENT_NONE) {
+			status = wait_event_timeout(bes2600_cdev.wakeup_reason_wq,
+				bes2600_chrdev_wakeup_by_event_get() ==  WAKEUP_EVENT_NONE, HZ * 2);
+			WARN_ON(status <= 0);
+		}
+		len = sprintf(buf, "wakeup_reason: %u, src_port: %u\n",
+		              bes2600_cdev.wakeup_state, bes2600_cdev.src_port);
+		break;
+	default:
+		len = sprintf(buf, "dpd_calied:%d wifi_opened:%d bt_opened:%d fw_type:%d\n",
+				bes2600_cdev.dpd_calied,
+				bes2600_cdev.wifi_opened,
+				bes2600_cdev.bt_opened,
+				bes2600_cdev.fw_type);
+		break;
+	}
+
+	len = sizeof(buf);
+	/* reset read flag */
+	spin_lock(&bes2600_cdev.status_lock);
+	bes2600_cdev.read_flag = BES_CDEV_READ_NUM_MAX;
+	spin_unlock(&bes2600_cdev.status_lock);
+
+	return simple_read_from_buffer(user_buf, count, ppos, buf, len);
+}
+
+static ssize_t bes2600_chrdev_write(struct file *file,
+		 const char __user *user_buf, size_t count, loff_t *ppos)
+{
+	int i = 0;
+	int cmd_num = ARRAY_SIZE(bes2600_op_map_tab);
+	int cmd_len = 0;
+	int ret = 0;
+	char *info[2] = {0};
+	char *buf = NULL;
+
+	/* copy content from user space to kernel */
+	/* message format:"ifname:wlanx cmd:xxx arg1 arg2 ..." */
+	buf = kmalloc(count + 1, GFP_KERNEL);
+	if (copy_from_user(buf, user_buf, count))
+		return -EFAULT;
+
+	/* add terminal character */
+	buf[count] = '\0';
+
+	/* extract comand and interface */
+	if (bes2600_get_cmd_and_ifname(buf, info) != 0) {
+		bes_err("%s get command fail, the origin string is %s\n", __func__, buf);
+		kfree(buf);
+		return -EINVAL;
+	}
+
+	/* match operation item and execure its handler */
+	cmd_len = strlen(info[1]);
+	for (i = 0; i < cmd_num; i++) {
+		if (cmd_len < bes2600_op_map_tab[i].op_len)
+			continue;
+
+		if (strncasecmp(info[1], bes2600_op_map_tab[i].op, bes2600_op_map_tab[i].op_len) == 0) {
+			ret = bes2600_op_map_tab[i].handler(buf);
+			break;
+		}
+	}
+
+	/* operation item mismatch */
+	if (i == cmd_num) {
+		bes_err("cmd(%s) mismatch\n", info[1]);
+	}
+
+	bes2600_recyle_cmd_and_ifname_mem(info);
+	kfree(buf);
+
+	return (ret == 0) ? count : ret;
+}
+
+static int bes2600_chrdev_release (struct inode *inode, struct file *file)
+{
+	if (atomic_dec_and_test(&bes2600_cdev.num_proc)) {
+		wake_up(&bes2600_cdev.open_wq);
+	}
+
+	bes_devel("bes2600 char device is closed\n");
+
+	return 0;
+}
+
+static struct file_operations bes2600_chardev_fops =
+{
+	.owner = THIS_MODULE,
+	.open = bes2600_chrdev_open,
+	.read = bes2600_chrdev_read,
+	.write = bes2600_chrdev_write,
+	.release = bes2600_chrdev_release,
+};
 
 #ifdef BES2600_WRITE_DPD_TO_FILE
 static int bes2600_chrdev_write_dpd_data_to_file(const char *path, void *buffer, int size)
@@ -672,6 +1124,12 @@ void bes2600_chrdev_update_signal_mode(void)
 
 static void bes2600_chrdev_wifi_force_close_work(struct work_struct *work)
 {
+	char wifi_state[15];
+	char bt_state[15];
+	char fw_type[15];
+	char *env[] = { wifi_state, bt_state, fw_type, NULL };
+	int ret;
+
 	if (bes2600_chrdev_is_wifi_opened()) {
 		bes_devel("system exeception, force wifi down\n");
 
@@ -688,6 +1146,14 @@ static void bes2600_chrdev_wifi_force_close_work(struct work_struct *work)
 			bes2600_chrdev_do_system_close(bes2600_cdev.sbus_ops,
 						bes2600_cdev.sbus_priv);
 		}
+
+		/* notify userspace */
+		snprintf(wifi_state, sizeof(wifi_state), "WIFI_OPENED=%d", bes2600_cdev.wifi_opened);
+		snprintf(bt_state, sizeof(bt_state), "BT_OPENED=%d", bes2600_cdev.bt_opened);
+		snprintf(fw_type, sizeof(fw_type), "FW_TYPE=%d", bes2600_cdev.fw_type);
+		ret = kobject_uevent_env(&bes2600_cdev.device->kobj, KOBJ_CHANGE, env);
+		if (!ret)
+			bes_err("bes2600 notify userspace failed\n");
 	}
 }
 
@@ -781,6 +1247,46 @@ int bes2600_chrdev_wakeup_by_event_get(void)
 
 int bes2600_chrdev_init(struct sbus_ops *ops)
 {
+	int ret = 0;
+
+	/* allocate devide id */
+	ret = alloc_chrdev_region(&bes2600_cdev.dev_id, 0, 1, "bes2600_chrdev");
+	if (ret < 0){
+		bes_err("bes2600 alloc device id fail\n");
+		ret =  -EFAULT;
+		goto fail;
+	}
+
+	/* extract major and minor device id */
+	bes2600_cdev.major = MAJOR(bes2600_cdev.dev_id);
+	bes2600_cdev.minor = MINOR(bes2600_cdev.dev_id);
+
+	/* add char device and bind operation function */
+	bes2600_cdev.cdev.owner = THIS_MODULE;
+	cdev_init(&bes2600_cdev.cdev, &bes2600_chardev_fops);
+	ret = cdev_add(&bes2600_cdev.cdev, bes2600_cdev.dev_id, 1);
+	if (ret < 0){
+		bes_err("bes2600 char device add fail\n");
+		ret =  -EFAULT;
+		goto fail1;
+	}
+
+	/* create class for creating device node */
+	bes2600_cdev.class = class_create("bes2600_chrdev");
+	if (IS_ERR(bes2600_cdev.class)){
+		bes_err("bes2600 char device add fail\n");
+		ret = -EFAULT;
+		goto fail2;
+	}
+
+	/* get char device pointer */
+	bes2600_cdev.device = device_create(bes2600_cdev.class, NULL, bes2600_cdev.dev_id, NULL, "bes2600");
+	if (IS_ERR(bes2600_cdev.device)){
+		bes_err("bes2600 char device create fail\n");
+		ret =  -EFAULT;
+		goto fail3;
+	}
+
 	/* initialise global variable */
 	atomic_set(&bes2600_cdev.num_proc, 0);
 	init_waitqueue_head(&bes2600_cdev.open_wq);
@@ -812,6 +1318,15 @@ int bes2600_chrdev_init(struct sbus_ops *ops)
 	bes_devel("%s done\n", __func__);
 
 	return 0;
+
+fail3:
+	class_destroy(bes2600_cdev.class);
+fail2:
+	cdev_del(&bes2600_cdev.cdev);
+fail1:
+	unregister_chrdev_region(bes2600_cdev.dev_id, 1);
+fail:
+	return ret;
 }
 
 void bes2600_chrdev_free(void)
@@ -821,5 +1336,9 @@ void bes2600_chrdev_free(void)
 	bes2600_free_dpd_log_buffer();
 #endif
 	bes2600_chrdev_free_dpd_data();
+	cdev_del(&bes2600_cdev.cdev);
+	unregister_chrdev_region(bes2600_cdev.dev_id, 1);
+	device_destroy(bes2600_cdev.class, bes2600_cdev.dev_id);
+	class_destroy(bes2600_cdev.class);
 	bes_devel("%s done\n", __func__);
 }

bes2600/bes_log.h

@@ -8,26 +8,3 @@ extern struct device *global_dev;
 #define bes_info(fmt, ...) dev_info(global_dev, fmt, ##__VA_ARGS__)
 #define bes_warn(fmt, ...) dev_warn(global_dev, fmt, ##__VA_ARGS__)
 #define bes_err(fmt, ...) dev_err(global_dev, fmt, ##__VA_ARGS__)
-
-/*
- * Legacy debug-subsystem-tagged log macros. The per-subsystem filtering
- * was never implemented in-tree; these shims let code paths gated by
- * CONFIG_BES2600_TESTMODE / CONFIG_BES2600_ITP / BES2600_DETECTION_LOGIC
- * build when their conditions are enabled. The first argument is
- * currently unused; pick one of the BES2600_DBG_* constants below for
- * documentation.
- */
-#define BES2600_DBG_SBUS       0
-#define BES2600_DBG_DOWNLOAD   0
-#define BES2600_DBG_ITP        0
-#define BES2600_DBG_TEST_MODE  0
-
-#define bes2600_info(_dbg, fmt, ...) bes_info(fmt, ##__VA_ARGS__)
-#define bes2600_err(_dbg, fmt, ...) bes_err(fmt, ##__VA_ARGS__)
-#define bes2600_warn(_dbg, fmt, ...) bes_warn(fmt, ##__VA_ARGS__)
-#define bes2600_dbg(_dbg, fmt, ...) bes_devel(fmt, ##__VA_ARGS__)
-#define bes2600_err_with_cond(_cond, _dbg, fmt, ...)		\
-	do {							\
-		if (_cond)					\
-			bes_err(fmt, ##__VA_ARGS__);		\
-	} while (0)

bes2600/bes_pwr.c

@@ -472,7 +472,6 @@ static int bes2600_pwr_enter_lp_mode(struct bes2600_common *hw_priv)
 	int i = 0;
 	struct bes2600_vif *priv;
 	int ret = 0;
-	int timeouts = 0;
 	char ip_str[20];
 	unsigned long status = 0;
 
@@ -529,35 +528,22 @@ static int bes2600_pwr_enter_lp_mode(struct bes2600_common *hw_priv)
 				if (ret) {
 					atomic_set(&hw_priv->bes_power.pm_set_in_process, 0);
 					bes_err("%s, set operation mode fail\n", __func__);
-					timeouts++;
-					continue;
 				}
 
 				/* wait power save mode changed indication */
 				status = wait_for_completion_timeout(&hw_priv->bes_power.pm_enter_cmpl, 5 * HZ);
 				atomic_set(&hw_priv->bes_power.pm_set_in_process, 0);
 				reinit_completion(&hw_priv->bes_power.pm_enter_cmpl);
-				if (!status) {
+				if (!status)
 					bes_err("%s, wait pm ind timeout\n", __func__);
-					timeouts++;
-				}
 			} else {
 				bes_devel("skip enter lp mode\n");
 			}
 		}
 	}
 
-	/*
+	/* set device low power configuration */
-	 * Enter the device-end of the LP transition only if every per-VIF
+	bes2600_pwr_device_enter_lp_mode(hw_priv);
-	 * mac80211 handshake reached firmware-ACKed completion. Doing the
-	 * device-LP setup while any VIF is still pending leaves the driver
-	 * in an inconsistent state that cascades into SDIO TX errors on
-	 * the BES2600.
-	 */
-	if (timeouts == 0)
-		bes2600_pwr_device_enter_lp_mode(hw_priv);
-	else
-		ret = -ETIMEDOUT;
 
 	return ret;
 }

bes2600/scan.c

@@ -14,50 +14,11 @@
 #include "scan.h"
 #include "sta.h"
 #include "pm.h"
-#include "epta_coex.h"
 #include "epta_request.h"
 #include "bes_pwr.h"
 
-/*
- * After this many consecutive WSM scan rejections from firmware, stop
- * issuing new scans for BES2600_SCAN_BACKOFF_JIFFIES and let the state
- * that's rejecting them (coex window, firmware-internal busy) clear.
- */
-#define BES2600_SCAN_REJECT_THRESHOLD	3
-#define BES2600_SCAN_BACKOFF_JIFFIES	(10 * HZ)
-
 static void bes2600_scan_restart_delayed(struct bes2600_vif *priv);
 
-/*
- * Decide whether to skip sending the next WSM scan command without
- * bothering the firmware. Two triggers:
- *
- *  1. BT A2DP is streaming in non-FDD coex mode. The firmware is
- *     known to reject scan requests during that window; short-
- *     circuiting here saves a WSM round-trip and avoids the
- *     wsm_generic_confirm / scan_work warning cascade that follows.
- *
- *  2. We already saw >= BES2600_SCAN_REJECT_THRESHOLD consecutive
- *     rejections on recent scan attempts and the backoff window has
- *     not yet elapsed. Whatever was rejecting them is likely still
- *     rejecting them; give it time.
- *
- * Returns true if the caller should abandon the scan iteration.
- */
-static bool bes2600_scan_should_defer(struct bes2600_common *hw_priv)
-{
-#ifdef WIFI_BT_COEXIST_EPTA_ENABLE
-	if (!coex_is_fdd_mode() && coex_is_bt_a2dp())
-		return true;
-#endif
-
-	if (hw_priv->scan.reject_count >= BES2600_SCAN_REJECT_THRESHOLD &&
-	    time_before(jiffies, hw_priv->scan.backoff_until))
-		return true;
-
-	return false;
-}
-
 #ifdef CONFIG_BES2600_TESTMODE
 static int bes2600_advance_scan_start(struct bes2600_common *hw_priv)
 {
@@ -741,29 +702,10 @@ void bes2600_scan_work(struct work_struct *work)
 				wsm_unlock_tx(hw_priv);
 		} else
 #endif
-		{
-			if (bes2600_scan_should_defer(hw_priv)) {
-				hw_priv->scan.status = -EBUSY;
-				hw_priv->scan.reject_count++;
-				hw_priv->scan.backoff_until =
-					jiffies + BES2600_SCAN_BACKOFF_JIFFIES;
-				wiphy_dbg(priv->hw->wiphy,
-					  "[SCAN] deferred (coex/backoff, reject_count=%u)\n",
-					  hw_priv->scan.reject_count);
-				kfree(scan.ch);
-				goto fail;
-			}
 			hw_priv->scan.status = bes2600_scan_start(priv, &scan);
-		}
 		kfree(scan.ch);
-		if (hw_priv->scan.status) {
+		if (WARN_ON(hw_priv->scan.status))
-			hw_priv->scan.reject_count++;
-			hw_priv->scan.backoff_until =
-				jiffies + BES2600_SCAN_BACKOFF_JIFFIES;
-			/* Lower callers already logged the reason at wiphy_warn. */
 			goto fail;
-		}
-		hw_priv->scan.reject_count = 0;
 		hw_priv->scan.curr = it;
 	}
 	up(&hw_priv->conf_lock);

bes2600/scan.h

@@ -42,17 +42,6 @@ struct bes2600_scan {
 	struct delayed_work probe_work;
 	int direct_probe;
 	u8 if_id;
-	/*
-	 * Track consecutive firmware-side WSM scan rejections so we can
-	 * back off briefly instead of re-issuing the same scan on every
-	 * mac80211 background-scan tick. Firmware returns WSM status != 0
-	 * for a handful of transient conditions (BT A2DP active in non-
-	 * FDD coex, firmware-internal busy windows) and keeps rejecting
-	 * until the state clears; retrying at full cadence just floods
-	 * dmesg.
-	 */
-	unsigned int reject_count;
-	unsigned long backoff_until;
 };
 
 int bes2600_hw_scan(struct ieee80211_hw *hw,

bes2600/sta.c

@@ -3633,7 +3633,7 @@ static int bes2600_set_power_save(struct ieee80211_hw *hw,
  *
  * Returns: 0 on success or non zero value on failure
  */
-static int bes2600_start_stop_tsm(struct ieee80211_hw *hw, void *data)
+int bes2600_start_stop_tsm(struct ieee80211_hw *hw, void *data)
 {
 	struct bes_msg_start_stop_tsm *start_stop_tsm =
 		(struct bes_msg_start_stop_tsm *) data;
@@ -3663,7 +3663,7 @@ static int bes2600_start_stop_tsm(struct ieee80211_hw *hw, void *data)
  *
  * Returns: TSM parameters collected
  */
-static int bes2600_get_tsm_params(struct ieee80211_hw *hw)
+int bes2600_get_tsm_params(struct ieee80211_hw *hw)
 {
 	struct bes2600_common *hw_priv = hw->priv;
 	struct bes_tsm_stats tsm_stats;
@@ -3703,7 +3703,7 @@ static int bes2600_get_tsm_params(struct ieee80211_hw *hw)
  *
  * Returns: Returns the last measured roam delay
  */
-static int bes2600_get_roam_delay(struct ieee80211_hw *hw)
+int bes2600_get_roam_delay(struct ieee80211_hw *hw)
 {
 	struct bes2600_common *hw_priv = hw->priv;
 	u16 roam_delay = hw_priv->tsm_info.roam_delay / 1000;

bes2600/wsm.c

@@ -134,20 +134,8 @@ static int wsm_generic_confirm(struct bes2600_common *hw_priv,
 				 struct wsm_buf *buf)
 {
 	u32 status = WSM_GET32(buf);
-
+	if (WARN(status != WSM_STATUS_SUCCESS, "wsm_generic_confirm ret %u", status))
-	/*
-	 * A non-SUCCESS status here is a firmware-side policy decision for
-	 * the command whose confirm this is -- commonly WSM status 2 for
-	 * scan (0x0407) rejected because of a coex window or transient
-	 * firmware-busy state. It is not a driver/kernel bug, so avoid the
-	 * WARN()/stack-trace treatment; the caller already emits a
-	 * wiphy_warn identifying the request id and will propagate the
-	 * error to mac80211.
-	 */
-	if (status != WSM_STATUS_SUCCESS) {
-		bes_devel("%s ret %u\n", __func__, status);
 		return -EINVAL;
-	}
 	return 0;
 
 underflow:

bes2600/wsm.h

@@ -2236,5 +2236,7 @@ int wsm_cpu_usage_cmd(struct bes2600_common *hw_priv);
 
 int wsm_wifi_status_cmd(struct bes2600_common *hw_priv, uint32_t status);
 
+#if defined(STANDARD_FACTORY_EFUSE_FLAG)
 int wsm_save_factory_txt_to_mcu(struct bes2600_common *hw_priv, const u8 *data, int if_id, enum bes2600_rf_cmd_type cmd_type);
+#endif
 #endif /* BES2600_HWIO_H_INCLUDED */