bes2600: Patch G — restore SPDX identifiers + ST-Ericsson attribution

The bes2600 driver is a fork of the upstream cw1200 driver
(drivers/net/wireless/st/cw1200/, ST-Ericsson, Dmitry Tarnyagin
2010-2011).  The fork's file headers have three GPL-compliance issues:

  1. NO SPDX-License-Identifier on any of 48 source files (cw1200
     mainline has them on all 25).  kernel.org-mandated since 2017.

  2. Original "Copyright (c) 2010, ST-Ericsson" lines stripped from
     all files inherited from cw1200, replaced with
     "Copyright (c) 2010, Bestechnic" — factually impossible
     (Bestechnic did not author the 2010 work) and a GPL-2.0 §1
     attribution-preservation violation.

  3. The "GPL version 2 as published by the Free Software Foundation"
     boilerplate paragraph is redundant alongside SPDX and is the
     legacy form modern kernel sources have replaced.

This patch corrects all three for the 48 .c/.h files in bes2600/:

  - Adds `// SPDX-License-Identifier: GPL-2.0-only` (or `/* ... */`
    for headers) as line 1 of every file.
  - Restores `Copyright (c) 2010, ST-Ericsson` + `Author: Dmitry
    Tarnyagin <dmitry.tarnyagin@lockless.no>` as the FIRST copyright
    chain entry on all 22 files derived from cw1200 (bh.{c,h},
    debug.{c,h}, fwio.{c,h}, hwio.{c,h}, main.c, pm.{c,h},
    queue.{c,h}, scan.{c,h}, sta.{c,h}, txrx.{c,h}, wsm.{c,h}).
  - Keeps `Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.` as
    the SECOND chain entry where Bestechnic genuinely contributed.
  - Notes "Derived from cw1200_sdio.c" + ST-Ericsson copyright on
    bes2600_sdio.c (heavy derivation, not a literal rename).
  - Notes "Replaces hwbus.h from cw1200/" + ST-Ericsson copyright
    on sbus.h.
  - Preserves the prism54/islsm authorship chain on main.c and
    bes2600.h (Michael Wu 2006 + Jean-Baptiste Note 2004-2006).
  - Drops the GPL-2.0 boilerplate paragraph in favour of SPDX.

No code changes — only file-header comment blocks.  Module build is
unaffected (verified by header-only diff scope).

This is a prerequisite for any kernel.org submission attempt.  The
existing MODULE_LICENSE("GPL") + MODULE_AUTHOR(Tarnyagin@stericsson.com)
declarations were already present and are unchanged here; the
mismatch between MODULE_AUTHOR and the (since-corrected) per-file
copyrights is now resolved.

bes2600/ap.c

@@ -1,12 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-only
 /*
- * mac80211 STA and AP API for mac80211 BES2600 drivers
+ * AP mode for BES2600 mac80211 driver
  *
- * Copyright (c) 2022, Bestechnic
- * Author:
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 
 #include "bes2600.h"

bes2600/ap.h

@@ -1,12 +1,9 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
 /*
- * mac80211 STA and AP API for mac80211 BES2600 drivers
+ * AP mode interface for BES2600 mac80211 driver
  *
- * Copyright (c) 2010, Bestechnic
- * Author:
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 #include <linux/version.h>
 #ifndef AP_H_INCLUDED

bes2600/bes2600.h

@@ -1,18 +1,15 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
 /*
- * Common private data for BES2600 drivers
+ * Common private data for BES2600 mac80211 driver
  *
- * Copyright (c) 2010, Bestechnic
- * Author:
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
  * Based on the mac80211 Prism54 code, which is
  * Copyright (c) 2006, Michael Wu <flamingice@sourmilk.net>
  *
- * Based on the islsm (softmac prism54) driver, which is:
+ * Based on the islsm (softmac prism54) driver, which is
  * Copyright 2004-2006 Jean-Baptiste Note <jbnote@gmail.com>, et al.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 
 #ifndef BES2600_H
@@ -511,6 +508,9 @@ struct bes2600_common {
 	struct list_head coex_event_list;
 	spinlock_t coex_event_lock;
 
+	/* Connection-loss-storm fast-recover (Trigger A). See sta.c. */
+	struct work_struct connection_loss_storm_recover_work;
+
 	/* member for low power */
 	struct bes2600_pwr_t bes_power;
 
@@ -596,6 +596,11 @@ struct bes2600_vif {
         unsigned long           rx_timestamp;
         u32                     cipherType;
 
+	/* Decrypt-storm fast-recover (Trigger B). See txrx.c. */
+	unsigned long			decrypt_storm_window_start;
+	unsigned int			decrypt_storm_count;
+	unsigned int			decrypt_storm_recoveries;
+	struct work_struct		decrypt_storm_recover_work;
 
 	/* AP powersave */
 	u32			link_id_map;
@@ -622,6 +627,10 @@ struct bes2600_vif {
 	/* CQM Implementation */
 	struct delayed_work	bss_loss_work;
 	struct delayed_work	connection_loss_work;
+	/* Connection-loss-storm fast-recover (Trigger A). See sta.c. */
+	unsigned long		connection_loss_storm_window_start;
+	unsigned int		connection_loss_storm_count;
+	unsigned int		connection_loss_storm_recoveries;
 	struct work_struct	tx_failure_work;
 	int			delayed_link_loss;
 	spinlock_t		bss_loss_lock;
@@ -856,4 +865,13 @@ int bes2600_btusb_setup_pipes(struct sbus_priv *sbus_priv);
 void bes2600_btusb_uninit(struct usb_interface *interface);
 #endif
 
+/* Decrypt-storm fast-recover helpers — see txrx.c. */
+void bes2600_decrypt_storm_init(struct bes2600_vif *priv);
+void bes2600_decrypt_storm_account(struct bes2600_vif *priv);
+
+/* Connection-loss-storm fast-recover helpers — see sta.c. */
+void bes2600_connection_loss_storm_init(struct bes2600_vif *priv);
+bool bes2600_connection_loss_storm_account(struct bes2600_vif *priv);
+void bes2600_connection_loss_storm_recover(struct work_struct *work);
+
 #endif /* BES2600_H */

bes2600/bes2600_factory.c

@@ -1,12 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-only
 /*
- * Mac80211 driver for BES2600 device
+ * Factory calibration loader for BES2600
  *
- * Copyright (c) 2022, Bestechnic
- * Author:
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 
 #include <linux/module.h>

bes2600/bes2600_factory.h

@@ -1,12 +1,9 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
 /*
- * Mac80211 driver for BES2600 device
+ * Factory calibration loader interface
  *
- * Copyright (c) 2022, Bestechnic
- * Author:
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 #ifndef __FACTORY_H__
 #define __FACTORY_H__

bes2600/bes2600_plat.h

@@ -1,12 +1,9 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
 /*
- * Mac80211 driver for BES2600 device
+ * Platform data for BES2600 SDIO bus
  *
- * Copyright (c) 2010, Bestechnic
- * Author:
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 #ifndef BES2600_PLAT_H_INCLUDED
 #define BES2600_PLAT_H_INCLUDED

bes2600/bes2600_sdio.c

@@ -1,12 +1,13 @@
+// SPDX-License-Identifier: GPL-2.0-only
 /*
- * Mac80211 SDIO driver for BES2600 device
+ * SDIO bus glue for BES2600 mac80211 driver
+ *
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
+ * Derived from drivers/net/wireless/st/cw1200/cw1200_sdio.c
+ * Copyright (c) 2010, ST-Ericsson
+ * Author: Dmitry Tarnyagin <dmitry.tarnyagin@lockless.no>
  *
- * Copyright (c) 2010, Bestechnic
- * Author:
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
  #define DEBUG 1
 #include <linux/version.h>
@@ -16,6 +17,7 @@
 #include <linux/mmc/host.h>
 #include <linux/mmc/sdio_func.h>
 #include <linux/mmc/card.h>
+#include <linux/mmc/core.h>
 #include <linux/mmc/sdio.h>
 #include <linux/spinlock.h>
 #include <net/mac80211.h>
@@ -28,6 +30,7 @@
 #include <linux/of_gpio.h>
 
 #include "bes2600.h"
+#include "bh.h"
 #include "sbus.h"
 #include "bes2600_plat.h"
 #include "bes2600_factory.h"
@@ -71,10 +74,12 @@ struct sbus_priv {
 	int rx_data_toggle;
 #endif
 #ifdef BES_SDIO_RX_MULTIPLE_ENABLE
-	spinlock_t rx_queue_lock;
-	struct sk_buff_head rx_queue;
+	/*
+	 * Patch C v3: rx_queue, rx_queue_lock, rx_work removed (no relay).
+	 * The bh thread now reads RX inline; the rx_buffer scratch area
+	 * stays.  Counters/timestamps stay for debugfs visibility.
+	 */
 	u8 *rx_buffer;
-	struct work_struct rx_work;
 	u32 rx_last_ctrl;
 	u32 rx_valid_ctrl;
 	u32 rx_total_ctrl_cnt;
@@ -411,10 +416,19 @@ static void bes2600_sdio_irq_handler(struct sdio_func *func)
 
 	bes_devel("%s called, fw_started:%d \n",
 			 __func__, self->fw_started);
-	if (likely(self->fw_started && self->core)) {
-		queue_work(self->sdio_wq, &self->rx_work);
+	/*
+	 * Patch C v3: no more sdio_rx_work relay.  Wake the bh thread
+	 * directly via self->irq_handler (bes2600_irq_handler in bh.c
+	 * which bumps bh_rx atomic + wakes bh_wq).  The bh thread will
+	 * then call sbus_ops->bus_rx_batch() to do the SDIO read inline.
+	 * Matches cw1200 mainline IRQ → bh-direct architecture.
+	 */
+	if (likely(self->fw_started && self->core && self->irq_handler)) {
+		spin_lock_irqsave(&self->lock, flags);
+		self->irq_handler(self->irq_priv);
+		spin_unlock_irqrestore(&self->lock, flags);
 		self->last_irq_timestamp = jiffies;
-	} else if(self->irq_handler) {
+	} else if (self->irq_handler) {
 		spin_lock_irqsave(&self->lock, flags);
 		self->irq_handler(self->irq_priv);
 		spin_unlock_irqrestore(&self->lock, flags);
@@ -811,10 +825,15 @@ static int bes2600_sdio_extract_packets(struct sbus_priv *self, u32 ctrl_reg, u8
 		skb_put(skb, packet_len);
 		memcpy(skb->data, &data[pos], packet_len);
 		bes_devel("%s, %d,%d\n", __func__, packet_len, pos);
-		spin_lock(&self->rx_queue_lock);
-		skb_queue_tail(&self->rx_queue, skb);
 		self->rx_data_cnt++;
-		spin_unlock(&self->rx_queue_lock);
+		/*
+		 * Patch C v3: deliver the SKB directly into the WSM/mac80211
+		 * stack from the bh thread.  No rx_queue, no inter-thread
+		 * handoff, no atomic_t needed on the counters that
+		 * wsm_release_tx_buffer touches — single-writer-from-bh is
+		 * preserved by construction.  See bh.c for the contract block.
+		 */
+		bes2600_bh_handle_rx_skb(self->core, skb);
 		packet_len = (packet_len + 3) & (~0x3);
 		pos += packet_len;
 		#ifdef BES_SDIO_OPTIMIZED_LEN
@@ -825,17 +844,31 @@ static int bes2600_sdio_extract_packets(struct sbus_priv *self, u32 ctrl_reg, u8
 	return 0;
 }
 
-static void sdio_rx_work(struct work_struct *work)
+/*
+ * Patch C v3: bh thread calls this directly via sbus_ops->bus_rx_batch.
+ * No more sdio_rx_work workqueue.  SDIO read sequence (lock →
+ * read_ctrl → memcpy_fromio → packets_check → extract_packets) runs
+ * inline in bh-thread context.  Each parsed SKB is delivered via
+ * bes2600_bh_handle_rx_skb() from extract_packets — no rx_queue, no
+ * second worker, no inter-thread handoff.
+ *
+ * Architecture matches cw1200 mainline.  Single-writer-from-bh
+ * invariant on hw_bufs_used preserved by construction.
+ *
+ * Returns 0 on success (caller's bh outer loop decides whether to
+ * continue), negative on bus read error.  On error: triggers
+ * wifi_force_close (same as the old sdio_rx_work).
+ */
+static int bes2600_sdio_read_rx_batch(struct sbus_priv *self)
 {
-	int ret, again = 0, retry = 0, crc_retry = 0;
+	int ret = 0, again = 0, retry = 0, crc_retry = 0;
 	u32 ctrl_reg = 0;
 	int total_len;
-	struct sbus_priv *self = container_of(work, struct sbus_priv, rx_work);
 	u8 *buf = self->rx_buffer;
 
 	/* don't read/write sdio when sdio error */
 	if (bes2600_chrdev_is_bus_error())
-		return;
+		return 0;
 
 	bes2600_gpio_wakeup_mcu(self, GPIO_WAKE_FLAG_SDIO_RX);
 
@@ -890,6 +923,10 @@ static void sdio_rx_work(struct work_struct *work)
 			goto failed;
 		}
 
+		/*
+		 * extract_packets parses the multi-RX buffer and calls
+		 * bes2600_bh_handle_rx_skb() per SKB.  No queueing.
+		 */
 		if ((ret = bes2600_sdio_extract_packets(self, ctrl_reg, buf))) {
 			bes_err("%s,%d error=%d\n", __func__, __LINE__, ret);
 			goto failed;
@@ -897,22 +934,16 @@ static void sdio_rx_work(struct work_struct *work)
 
 		ctrl_reg = 0;
 
-		if (likely(self->irq_handler)) {
-			self->irq_handler(self->irq_priv);
-		} else {
-			bes_err("%s,%d\n", __func__, __LINE__);
-			goto failed;
-		}
-
 	} while (again);
 
 	bes2600_gpio_allow_mcu_sleep(self, GPIO_WAKE_FLAG_SDIO_RX);
-	return;
+	return 0;
 
 failed:
 	bes2600_gpio_allow_mcu_sleep(self, GPIO_WAKE_FLAG_SDIO_RX);
 	bes2600_chrdev_wifi_force_close(self->core, false);
 	WARN_ON(1);
+	return -1;
 }
 
 static void sdio_scan_work(struct work_struct *work)
@@ -920,26 +951,11 @@ static void sdio_scan_work(struct work_struct *work)
 	bes_warn("%s: this function does nothing\n", __FUNCTION__);
 }
 
-static void *bes2600_sdio_pipe_read(struct sbus_priv *self)
-{
-	struct sk_buff *skb;
-
-	if (bes2600_chrdev_is_bus_error()) {
-		return bes2600_tx_loop_read(self->core);
-	}
-
-	spin_lock(&self->rx_queue_lock);
-	skb = skb_dequeue(&self->rx_queue);
-	if (skb)
-		self->rx_proc_cnt++;
-	spin_unlock(&self->rx_queue_lock);
-	if (likely(self->fw_started == true &&
-		!bes2600_pwr_device_is_idle(self->core) &&
-		self->core->hw_bufs_used > 0))
-		if (!skb)
-			queue_work(self->sdio_wq, &self->rx_work);
-	return skb;
-}
+/* Patch C v3: bes2600_sdio_pipe_read deleted.  bh thread reads the
+ * SDIO bus inline via bes2600_sdio_read_rx_batch (sbus_ops->bus_rx_batch).
+ * No rx_queue, no skb_dequeue, no relay.  bes2600_tx_loop_read remains
+ * for the test bus error-fallback path but is now invoked at higher
+ * level. */
 
 #endif
 
@@ -1195,7 +1211,14 @@ flush_previous:
 				}
 			} while (crc_retry <= 10);
 			sdio_release_host(self->func);
-			queue_work(self->sdio_wq, &self->rx_work);
+			/*
+			 * Patch C v3: wake the bh thread to check for any RX
+			 * that piggybacked on this TX window.  Bumps bh_rx
+			 * atomic; bh's wait_event will pick it up and call
+			 * sbus_ops->bus_rx_batch().
+			 */
+			if (likely(self->irq_handler))
+				self->irq_handler(self->irq_priv);
 			if (ret) {
 				bes_err("%s,%d err=%d,%d,%d\n", __func__, __LINE__, ret, scatters, cur_blk);
 				sdio_work_debug(self);
@@ -1246,12 +1269,11 @@ static int bes2600_sdio_misc_init(struct sbus_priv *self, struct bes2600_common
 	self->next_toggle = 0;
 #endif
 #ifdef BES_SDIO_RX_MULTIPLE_ENABLE
-	spin_lock_init(&self->rx_queue_lock);
-	skb_queue_head_init(&self->rx_queue);
+	/* Patch C v3: rx_queue / rx_queue_lock removed (no relay). */
 	self->rx_buffer = (u8 *)__get_dma_pages(GFP_KERNEL, get_order(1632 * BES_SDIO_RX_MULTIPLE_NUM));
 	if (!self->rx_buffer)
 		return -ENOMEM;
-	INIT_WORK(&self->rx_work, sdio_rx_work);
+	/* Patch C v3: sdio_rx_work removed; bh thread does the read. */
 #endif
 #ifdef BES_SDIO_TX_MULTIPLE_ENABLE
 	INIT_LIST_HEAD(&self->tx_bufferlist);
@@ -1388,7 +1410,14 @@ static void bes2600_gpio_wakeup_mcu(struct sbus_priv *self, int flag)
 
 	/* error check */
 	if((self->gpio_wakup_flags & BIT(flag)) != 0) {
-		bes_err(			"repeat set gpio_wake_flag, sub_sys:%d", flag);
+		/*
+		 * Multiple subsystems holding wake is the steady-state case
+		 * (e.g. WIFI + BT both want MCU awake). Demoted from bes_err
+		 * to bes_devel since it isn't an error - the GPIO is already
+		 * asserted high and the subsystem is now also tracked.
+		 */
+		bes_devel("repeat set gpio_wake_flag, sub_sys:%d\n", flag);
+		self->gpio_wakup_flags |= BIT(flag);
 		mutex_unlock(&self->io_mutex);
 		return;
 	}
@@ -1420,7 +1449,11 @@ static void bes2600_gpio_allow_mcu_sleep(struct sbus_priv *self, int flag)
 
 	/* error check */
 	if((self->gpio_wakup_flags & BIT(flag)) == 0) {
-		bes_err(			"repeat clear gpio_wake_flag, sub_sys:%d", flag);
+		/*
+		 * Mirror of the wake path: a clear when the bit is already
+		 * clear is racy bookkeeping, not a hardware error.
+		 */
+		bes_devel("repeat clear gpio_wake_flag, sub_sys:%d\n", flag);
 		mutex_unlock(&self->io_mutex);
 		return;
 	}
@@ -1569,22 +1602,15 @@ err:
 
 static void bes2600_sdio_empty_work(struct sbus_priv *self)
 {
-#ifdef BES_SDIO_RX_MULTIPLE_ENABLE
-	struct sk_buff *skb;
-#endif
 #ifdef BES_SDIO_TX_MULTIPLE_ENABLE
 	struct bes_sdio_tx_list_t *tx_buffer, *temp;
 #endif
 
 #ifdef BES_SDIO_RX_MULTIPLE_ENABLE
-	cancel_work_sync(&self->rx_work);
-	while (1) {
-		skb = skb_dequeue(&self->rx_queue);
-		if (skb)
-			dev_kfree_skb(skb);
-		else
-			break;
-	}
+	/*
+	 * Patch C v3: rx_work and rx_queue removed.  Counters still
+	 * reset for the next attach cycle.
+	 */
 	self->rx_last_ctrl = 0;
 	self->rx_total_ctrl_cnt = 0;
 	self->rx_continuous_ctrl_cnt = 0;
@@ -1777,6 +1803,55 @@ static void bes2600_sdio_halt_device(struct sbus_priv *self)
 	sdio_work_debug(self);
 }
 
+/*
+ * Trigger an SDIO bus reset via mmc_hw_reset().
+ *
+ * With multiple SDIO functions probed (PineTab2 binds func 1 for WLAN and
+ * func 2 for the BT-companion path) mmc_sdio_hw_reset() takes the
+ * remove-and-rescan path: it marks the card removed and schedules
+ * mmc_rescan, which tears down the bound function drivers and re-detects
+ * the card on the next sweep, in turn reinvoking bes2600_sdio_probe().
+ *
+ * With a single function probed it instead invokes mmc_power_cycle()
+ * directly, which on PineTab2 toggles the wifi-reset GPIO via sdio_pwrseq.
+ *
+ * In both cases the chip ends up in a freshly reset state, which is the
+ * goal of the recovery path.
+ *
+ * mmc_hw_reset() must be called without holding the SDIO host claim --
+ * the multi-func remove-and-rescan path acquires the host claim via the
+ * mmc workqueue.
+ */
+static int bes2600_sdio_bus_reset(struct sbus_priv *self)
+{
+	struct mmc_host *host;
+	int ret;
+
+	if (!self || !self->func || !self->func->card)
+		return -EINVAL;
+
+	host = self->func->card->host;
+	ret = mmc_hw_reset(self->func->card);
+
+	/*
+	 * On multi-function SDIO cards (BES2600 has WLAN func 1 + BT
+	 * companion func 2), mmc_sdio_hw_reset() removes the card and
+	 * returns 1 to signal "remove happened, caller must trigger
+	 * rescan". The kernel does NOT auto-rescan in this case;
+	 * single-function cards take the rescan path inline and return 0.
+	 * Treat any non-negative return as success and force a rescan if
+	 * mmc_hw_reset signalled the multi-function path - otherwise the
+	 * card stays removed indefinitely after a wedge recovery,
+	 * leaving wifi (and the BT companion) silent until reboot.
+	 */
+	if (ret > 0) {
+		bes_info("multi-func mmc_hw_reset removed card; scheduling rescan\n");
+		mmc_detect_change(host, 0);
+		ret = 0;
+	}
+	return ret;
+}
+
 static bool bes2600_sdio_wakeup_source(struct sbus_priv *self)
 {
 	struct bes2600_platform_data_sdio *pdata = bes2600_get_platform_data();
@@ -1803,7 +1878,8 @@ static struct sbus_ops bes2600_sdio_sbus_ops = {
 	.sbus_reg_write		= bes2600_sdio_reg_write,
 	.init			= bes2600_sdio_misc_init,
 #ifdef BES_SDIO_RX_MULTIPLE_ENABLE
-	.pipe_read		= bes2600_sdio_pipe_read,
+	/* Patch C v3: .pipe_read removed; bus_rx_batch replaces it. */
+	.bus_rx_batch		= bes2600_sdio_read_rx_batch,
 #endif
 #ifdef BES_SDIO_TX_MULTIPLE_ENABLE
 	.pipe_send		= bes2600_sdio_pipe_send,
@@ -1815,6 +1891,7 @@ static struct sbus_ops bes2600_sdio_sbus_ops = {
 	.gpio_sleep		= bes2600_gpio_allow_mcu_sleep,
 	.halt_device		= bes2600_sdio_halt_device,
 	.wakeup_source		= bes2600_sdio_wakeup_source,
+	.bus_reset		= bes2600_sdio_bus_reset,
 };
 
 static void bes2600_sdio_en_lp_cb(struct bes2600_common *hw_priv)
@@ -1822,9 +1899,15 @@ static void bes2600_sdio_en_lp_cb(struct bes2600_common *hw_priv)
 	long unsigned int old_ts, new_ts;
 	struct sbus_priv *self = hw_priv->sbus_priv;
 
+	/*
+	 * Patch C v3: rx_work removed.  Wait for IRQ-timestamp activity
+	 * to settle by polling self->last_irq_timestamp via msleep
+	 * (best-effort).  The caller already knows the bh thread will
+	 * process pending bh_rx during its next wait_event round.
+	 */
 	do {
 		old_ts = self->last_irq_timestamp;
-		flush_work(&self->rx_work);
+		msleep(2);
 		new_ts = self->last_irq_timestamp;
 	} while(old_ts != new_ts);
 }
@@ -2182,8 +2265,12 @@ static int bes2600_sdio_suspend_noirq(struct device *dev)
 	if (func->num > 1)
 		return 0;
 
-	if(self->core &&
-	   (work_pending(&self->rx_work) || atomic_read(&self->core->bh_rx))) {
+	/*
+	 * Patch C v3: work_pending(&self->rx_work) check dropped (no
+	 * relay).  bh_rx atomic alone tells us whether the bh thread
+	 * has un-processed RX events queued.
+	 */
+	if (self->core && atomic_read(&self->core->bh_rx)) {
 		bes_devel("%s: Suspend interrupted.\n", __func__);
 		return -EAGAIN;
 	}

bes2600/bes_chardev.c

@@ -1,12 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-only
 /*
- * Mac80211 driver for BES2600 device
+ * Character device for BES2600 mac80211 driver
  *
- * Copyright (c) 2022, Bestechnic
- * Author:
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 #include<linux/module.h>
 #include <linux/init.h>
@@ -442,6 +439,60 @@ int bes2600_chrdev_do_system_close(const struct sbus_ops *sbus_ops, struct sbus_
 	return ret;
 }
 
+/*
+ * Hard-reset the bus and wait for the bus core to remove the chip.
+ *
+ * Used by the firmware-wedge recovery path on platforms where the normal
+ * power_switch(0) sequence has no effective chip-reset signal. The bus
+ * implementation triggers an asynchronous re-detect; this helper waits for
+ * the resulting remove() callback to clear bes2600_cdev.sbus_priv so that a
+ * subsequent bes2600_switch_wifi(true) sees a clean state and can wait on
+ * the fresh probe.
+ */
+int bes2600_chrdev_do_bus_reset(const struct sbus_ops *sbus_ops, struct sbus_priv *priv)
+{
+	int ret;
+	long status;
+
+	if (!sbus_ops || !priv)
+		return -EINVAL;
+
+	if (!sbus_ops->bus_reset)
+		return -EOPNOTSUPP;
+
+	bes_info("trigger bus reset to recover wedged firmware.\n");
+
+	ret = sbus_ops->bus_reset(priv);
+	if (ret) {
+		bes_err("bus_reset failed: %d\n", ret);
+		return ret;
+	}
+
+	/*
+	 * The bus reset is asynchronous: the bus core schedules a rescan
+	 * which removes the bound function drivers and then re-detects the
+	 * chip. Wait for the remove callback to clear sbus_priv. Do not
+	 * dereference 'priv' after this point -- it may already be freed.
+	 */
+	status = wait_event_timeout(bes2600_cdev.probe_done_wq,
+				    !bes2600_cdev.sbus_priv, HZ * 3);
+	WARN_ON(status <= 0);
+
+	return 0;
+}
+
+/*
+ * Trigger bes2600_chrdev_do_bus_reset() against the file-global
+ * bes2600_cdev. Used by host-side recovery paths outside this
+ * compilation unit (e.g. sta.c connection-loss-storm fast-recover) so
+ * those callers do not need to reach the static bes2600_cdev directly.
+ */
+int bes2600_chrdev_trigger_bus_reset(void)
+{
+	return bes2600_chrdev_do_bus_reset(bes2600_cdev.sbus_ops,
+					   bes2600_cdev.sbus_priv);
+}
+
 bool bes2600_chrdev_is_wifi_opened(void)
 {
 	bool wifi_opened = false;
@@ -540,8 +591,21 @@ static void bes2600_chrdev_wifi_force_close_work(struct work_struct *work)
 		/* unregister wifi */
 		bes2600_switch_wifi(0);
 
-		/* power down device if wifi is only opened */
-		if (bes2600_chrdev_check_system_close()) {
+		/*
+		 * Hard exception with a bus_reset implementation: tear the
+		 * bus down via mmc_hw_reset() (or equivalent) so the next
+		 * bringup probes a freshly reset chip. On PineTab2 this is
+		 * the only effective recovery path -- the existing
+		 * power_switch(0)/(1) sequence has no chip-reset signal of
+		 * its own (sdio_pwrseq owns wifi_reset).
+		 *
+		 * Soft close, or hard close on a board without bus_reset:
+		 * fall back to the legacy power_switch(0) sequence.
+		 */
+		if (bes2600_cdev.halt_dev && bes2600_cdev.sbus_ops->bus_reset) {
+			bes2600_chrdev_do_bus_reset(bes2600_cdev.sbus_ops,
+						    bes2600_cdev.sbus_priv);
+		} else if (bes2600_chrdev_check_system_close()) {
 			bes2600_chrdev_do_system_close(bes2600_cdev.sbus_ops,
 						bes2600_cdev.sbus_priv);
 		}

bes2600/bes_chardev.h

@@ -1,12 +1,9 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
 /*
- * Mac80211 driver for BES2600 device
+ * Character device interface for BES2600
  *
- * Copyright (c) 2022, Bestechnic
- * Author:
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 #ifndef __BES_CHARDEV_H__
 #define __BES_CHARDEV_H__
@@ -60,6 +57,8 @@ struct sbus_priv *bes2600_chrdev_get_sbus_priv_data(void);
 /* used to control device power down */
 int bes2600_chrdev_check_system_close(void);
 int bes2600_chrdev_do_system_close(const struct sbus_ops *sbus_ops, struct sbus_priv *priv);
+int bes2600_chrdev_do_bus_reset(const struct sbus_ops *sbus_ops, struct sbus_priv *priv);
+int bes2600_chrdev_trigger_bus_reset(void);
 void bes2600_chrdev_wakeup_bt(void);
 void bes2600_chrdev_wifi_force_close(struct bes2600_common *hw_priv, bool halt_dev);
 void bes2600_chrdev_usb_remove(struct bes2600_common *hw_priv);

bes2600/bes_fw.c

@@ -1,12 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-only
 /*
- * Mac80211 driver for BES2600 device
+ * Firmware download for BES2600
  *
- * Copyright (c) 2022, Bestechnic
- * Author:
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 #include "bes_fw_common.h"
 #include "bes2600.h"

bes2600/bes_fw_common.c

@@ -1,12 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-only
 /*
- * Mac80211 driver for BES2600 device
+ * Firmware download common code for BES2600
  *
- * Copyright (c) 2022, Bestechnic
- * Author:
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 #include "bes_fw_common.h"
 #include "bes_log.h"

bes2600/bes_fw_common.h

@@ -1,12 +1,9 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
 /*
- * Mac80211 driver for BES2600 device
+ * Firmware download common interface
  *
- * Copyright (c) 2022, Bestechnic
- * Author:
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 #ifndef __BES_FW_COMMON_H__
 #define __BES_FW_COMMON_H__

bes2600/bes_log.h

@@ -1,3 +1,10 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/*
+ * printk wrappers for BES2600
+ *
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
+ *
+ */
 extern struct device *global_dev;
 
 #ifdef CONFIG_BES2600_ENABLE_DEVEL_LOGS

bes2600/bes_nl80211_testmode_msg.h

@@ -1,12 +1,9 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
 /*
- * Mac80211 driver for BES2600 device
+ * Vendor testmode messages for BES2600
  *
- * Copyright (c) 2010, Bestechnic
- * Author:
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 
 #ifndef BES_NL80211_TESTMODE_MSG_H

bes2600/bes_pwr.c

@@ -1,12 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-only
 /*
- * Mac80211 driver for BES2600 device
+ * Chip-side power state machine for BES2600
  *
- * Copyright (c) 2022, Bestechnic
- * Author:
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 #include <linux/list.h>
 #include <linux/pm.h>
@@ -467,6 +464,45 @@ static void bes2600_pwr_device_enter_lp_mode(struct bes2600_common *hw_priv)
 	bes_devel("device enter sleep\n");
 }
 
+/*
+ * Number of consecutive bes2600_pwr_enter_lp_mode timeouts (with zero
+ * PM_INDICATIONs received) before we conclude the firmware does not
+ * honor host-driven PSM and switch to a sticky skip path.
+ */
+#define BES2600_PM_UNSUPPORTED_THRESHOLD	3
+
+/*
+ * Latch pm_unsupported = true and force chip_pm_state = ACTIVE so the
+ * c6.2 wake-side skip branch covers bes2600_pwr_device_exit_lp_mode.
+ * Called after BES2600_PM_UNSUPPORTED_THRESHOLD consecutive enter_lp_mode
+ * timeouts with zero PM_INDICATIONs.
+ */
+static void bes2600_pwr_latch_pm_unsupported(struct bes2600_common *hw_priv)
+{
+	bes_warn("PSM not honored (%u timeouts), switching to skip mode\n",
+		 hw_priv->bes_power.pm_consecutive_timeouts);
+	hw_priv->bes_power.pm_unsupported = true;
+	atomic_set(&hw_priv->bes_power.chip_pm_state,
+		   BES2600_CHIP_PM_ACTIVE);
+
+	/*
+	 * Hold the MCU wake-flag bit permanently. Without this, every
+	 * sdio_rx_work invocation hits bes2600_gpio_wakeup_mcu(SDIO_RX)
+	 * when gpio_wakup_flags == 0, drives the GPIO high and msleeps
+	 * 10 ms per RX. With ~50 RX/s of beacons + multicast that's
+	 * ~50%% of the bes_sdio workqueue thread blocked in msleep,
+	 * which directly caps RX throughput. Holding the MCU bit makes
+	 * those calls bit-only bookkeeping (gpio_wakeup = (flags == 0)
+	 * stays false, no GPIO toggle, no msleep). The bit is never
+	 * cleared once pm_unsupported is set because
+	 * bes2600_pwr_device_enter_lp_mode is unreachable under the
+	 * early-return.
+	 */
+	if (hw_priv->sbus_ops->gpio_wake)
+		hw_priv->sbus_ops->gpio_wake(hw_priv->sbus_priv,
+					     GPIO_WAKE_FLAG_MCU);
+}
+
 static int bes2600_pwr_enter_lp_mode(struct bes2600_common *hw_priv)
 {
 	int i = 0;
@@ -476,6 +512,17 @@ static int bes2600_pwr_enter_lp_mode(struct bes2600_common *hw_priv)
 	char ip_str[20];
 	unsigned long status = 0;
 
+	/*
+	 * Sticky early-return when we've previously concluded the firmware
+	 * doesn't honor PSM. Each attempt would otherwise burn 5s on a
+	 * doomed wait_for_completion_timeout and produce a noisy three-line
+	 * cascade in dmesg every time power_down_work retries (every
+	 * ~10s). The chip stays in active mode, which on this firmware is
+	 * the de-facto state anyway.
+	 */
+	if (hw_priv->bes_power.pm_unsupported)
+		return -EOPNOTSUPP;
+
 	/* set interface low power configuration */
 	bes2600_for_each_vif(hw_priv, priv, i) {
 #ifdef P2P_MULTIVIF
@@ -524,7 +571,17 @@ static int bes2600_pwr_enter_lp_mode(struct bes2600_common *hw_priv)
 				bes_devel("%s, psMode:%s, fastPsmIdlePeriod:%d apPsmChangePeriod:%d minAutoPsPollPeriod:%d\n",
 						__func__, bes2600_get_ps_mode_str(priv->powersave_mode.pmMode), priv->powersave_mode.fastPsmIdlePeriod,
 						priv->powersave_mode.apPsmChangePeriod, priv->powersave_mode.minAutoPsPollPeriod);
+				/*
+				 * Reinit BEFORE the WSM goes out, so a stale
+				 * indication from a previous cycle cannot have
+				 * primed pm_enter_cmpl. From here until the
+				 * indication callback's cmpxchg(1->0) on
+				 * pm_set_in_process, only the indication for
+				 * THIS request can complete the wait.
+				 */
+				reinit_completion(&hw_priv->bes_power.pm_enter_cmpl);
 				atomic_set(&hw_priv->bes_power.pm_set_in_process, 1);
+
 				ret = bes2600_set_pm(priv, &priv->powersave_mode);
 				if (ret) {
 					atomic_set(&hw_priv->bes_power.pm_set_in_process, 0);
@@ -535,11 +592,36 @@ static int bes2600_pwr_enter_lp_mode(struct bes2600_common *hw_priv)
 
 				/* wait power save mode changed indication */
 				status = wait_for_completion_timeout(&hw_priv->bes_power.pm_enter_cmpl, 5 * HZ);
-				atomic_set(&hw_priv->bes_power.pm_set_in_process, 0);
-				reinit_completion(&hw_priv->bes_power.pm_enter_cmpl);
 				if (!status) {
-					bes_devel("%s, wait pm ind timeout\n", __func__);
-					timeouts++;
+					/*
+					 * The indication callback only fires
+					 * complete() when it observes
+					 * pm_set_in_process == 1; cmpxchg it
+					 * to 0 here so a late indication
+					 * cannot prime the next wait.
+					 *
+					 * If we win the cmpxchg, this is a
+					 * real timeout: the firmware's PS
+					 * state is unknown to us. Mark it as
+					 * such so the next wake path can
+					 * probe before assuming the chip is
+					 * still active.
+					 *
+					 * If we lose the cmpxchg, the
+					 * indication arrived between the
+					 * wait timing out and us getting
+					 * here; treat as success.
+					 */
+					if (atomic_cmpxchg(&hw_priv->bes_power.pm_set_in_process,
+							   1, 0) == 1) {
+						bes_devel("%s, wait pm ind timeout\n", __func__);
+						atomic_set(&hw_priv->bes_power.chip_pm_state,
+							   BES2600_CHIP_PM_UNKNOWN);
+						timeouts++;
+						if (++hw_priv->bes_power.pm_consecutive_timeouts
+						    >= BES2600_PM_UNSUPPORTED_THRESHOLD)
+							bes2600_pwr_latch_pm_unsupported(hw_priv);
+					}
 				}
 			} else {
 				bes_devel("skip enter lp mode\n");
@@ -554,10 +636,35 @@ static int bes2600_pwr_enter_lp_mode(struct bes2600_common *hw_priv)
 	 * in an inconsistent state that cascades into SDIO TX errors on
 	 * the BES2600.
 	 */
-	if (timeouts == 0)
+	if (timeouts == 0) {
 		bes2600_pwr_device_enter_lp_mode(hw_priv);
-	else
+	} else {
+		/*
+		 * device_enter_lp_mode() was skipped (one or more VIFs
+		 * timed out waiting for the firmware indication) so its
+		 * gpio_sleep(MCU) - which drops the wake-flag bit and, if
+		 * no other subsystem holds the wake, drives the GPIO low -
+		 * never ran. Without it the bit stays asserted, and the
+		 * next bes2600_pwr_device_exit_lp_mode() calls
+		 * gpio_wake(MCU) into a "bit already set" no-op: the GPIO
+		 * never re-edges, sbus_active() exhausts its 200x2ms
+		 * MCU_WAKEUP_READY budget against an unwoken chip, and
+		 * the first TX after idle stalls for several seconds.
+		 *
+		 * Drop the MCU wake-flag bit explicitly here so the next
+		 * wake injects a real GPIO edge. gpio_allow_mcu_sleep
+		 * preserves multi-subsystem semantics: it only drives the
+		 * GPIO low when no other subsystem still holds wake; if
+		 * BT or another holder is keeping the chip awake, the
+		 * GPIO stays high and the bit clear here is purely
+		 * bookkeeping (so the next gpio_wake doesn't no-op).
+		 */
+		if (!hw_priv->bes_power.pm_unsupported &&
+		    hw_priv->sbus_ops->gpio_sleep)
+			hw_priv->sbus_ops->gpio_sleep(hw_priv->sbus_priv,
+						      GPIO_WAKE_FLAG_MCU);
 		ret = -ETIMEDOUT;
+	}
 
 	return ret;
 }
@@ -565,19 +672,61 @@ static int bes2600_pwr_enter_lp_mode(struct bes2600_common *hw_priv)
 static void bes2600_pwr_device_exit_lp_mode(struct bes2600_common *hw_priv)
 {
 	int ret = 0;
+	enum bes2600_chip_pm_state state;
 	struct wsm_operational_mode mode = {
 		.power_mode = wsm_power_mode_active,
 		.disableMoreFlagUsage = true,
 	};
 
-	bes_devel("host lock lmac\n");
-	if(hw_priv->sbus_ops->gpio_wake)
-		hw_priv->sbus_ops->gpio_wake(hw_priv->sbus_priv, GPIO_WAKE_FLAG_MCU);
+	/*
+	 * Consult chip_pm_state set by bes2600_pwr_notify_ps_changed().
+	 * If we last saw the firmware confirm ACTIVE, skip ONLY the
+	 * gpio_wake + sbus_active wake handshake - the GPIO is already
+	 * asserted high and the SDIO MCU subsystem is already running,
+	 * so another sbus_active() round-trip just hits its 200x2ms
+	 * timeout because the firmware has nothing to do.
+	 *
+	 * wsm_set_operational_mode() below is NOT part of the wake
+	 * handshake; it is the operational-mode setter the firmware
+	 * tracks per call. Skipping it leaves the chip's SDIO state
+	 * machine without a fresh operational-mode update, which on
+	 * PineTab2 wedges the bus (-EBUSY on next sdio_rx_work read)
+	 * within a few seconds of probe completion. So it must run
+	 * unconditionally.
+	 */
+	state = atomic_read(&hw_priv->bes_power.chip_pm_state);
+	if (state == BES2600_CHIP_PM_ACTIVE) {
+		bes_devel("device_exit_lp_mode: chip already ACTIVE, skipping wake handshake\n");
+	} else {
+		bes_devel("host lock lmac\n");
+		if (hw_priv->sbus_ops->gpio_wake)
+			hw_priv->sbus_ops->gpio_wake(hw_priv->sbus_priv,
+						      GPIO_WAKE_FLAG_MCU);
 
-	if(hw_priv->sbus_ops->sbus_active) {
-		ret = hw_priv->sbus_ops->sbus_active(hw_priv->sbus_priv, SUBSYSTEM_MCU);
-		if (ret)
-			bes_err("%s, active mcu fail\n", __func__);
+		if (hw_priv->sbus_ops->sbus_active) {
+			ret = hw_priv->sbus_ops->sbus_active(hw_priv->sbus_priv,
+							     SUBSYSTEM_MCU);
+			if (ret) {
+				/*
+				 * MCU_WAKEUP_READY did not arrive within
+				 * the SDIO handshake window. Record state
+				 * as UNKNOWN so the next exit_lp_mode call
+				 * also runs the full wake sequence (no
+				 * skip), but still send operational_mode
+				 * below to match pre-c6 behaviour - the
+				 * WSM may succeed even if the SDIO active
+				 * confirm was lost, and if it fails too,
+				 * we just emit a second devel-level error.
+				 * Repeated UNKNOWN is the signal for the
+				 * LMAC active-monitor to eventually
+				 * escalate to bus_reset (c5.2's
+				 * mmc_hw_reset path).
+				 */
+				bes_err("%s, active mcu fail\n", __func__);
+				atomic_set(&hw_priv->bes_power.chip_pm_state,
+					   BES2600_CHIP_PM_UNKNOWN);
+			}
+		}
 	}
 
 	ret = wsm_set_operational_mode(hw_priv, &mode, 0);
@@ -833,6 +982,9 @@ void bes2600_pwr_init(struct bes2600_common *hw_priv)
         hw_priv->bes_power.power_up_task = NULL;
         mutex_init(&hw_priv->bes_power.pwr_mutex);
         atomic_set(&hw_priv->bes_power.dev_state, 0);
+	atomic_set(&hw_priv->bes_power.chip_pm_state, BES2600_CHIP_PM_UNKNOWN);
+	hw_priv->bes_power.pm_unsupported = false;
+	hw_priv->bes_power.pm_consecutive_timeouts = 0;
         init_completion(&hw_priv->bes_power.pm_enter_cmpl);
         sema_init(&hw_priv->bes_power.sync_lock, 1);
         device_set_wakeup_capable(hw_priv->pdev, true);
@@ -1213,9 +1365,40 @@ int bes2600_pwr_clear_busy_event(struct bes2600_common *hw_priv, u32 event)
 
 void bes2600_pwr_notify_ps_changed(struct bes2600_common *hw_priv, u8 psmode)
 {
-	if((psmode & 0x01) != WSM_PSM_ACTIVE) {
-		bes_devel("complete pm_enter_cmpl\n");
-		complete(&hw_priv->bes_power.pm_enter_cmpl);
+	/*
+	 * The firmware sends a PM-changed indication for every transition,
+	 * including ones we didn't ask for (firmware-internal coex moves,
+	 * idle-driven aging). Update chip_pm_state unconditionally so the
+	 * wake path can use it, but only fire pm_enter_cmpl when a host-
+	 * initiated set_pm is actually in flight - otherwise a stale
+	 * indication can prime a future wait against a freshly
+	 * reinit_completion()'ed state.
+	 */
+	/*
+	 * Any PM indication, whatever its psmode, proves the firmware is
+	 * actually emitting them. Reset the consecutive-timeout counter
+	 * so a transient stall doesn't permanently disable PSM, and clear
+	 * pm_unsupported if a previous run had latched it.
+	 */
+	hw_priv->bes_power.pm_consecutive_timeouts = 0;
+	if (hw_priv->bes_power.pm_unsupported) {
+		bes_warn("PM indication arrived after pm_unsupported was set; re-enabling PSM transitions\n");
+		hw_priv->bes_power.pm_unsupported = false;
+	}
+
+	if ((psmode & 0x01) != WSM_PSM_ACTIVE) {
+		atomic_set(&hw_priv->bes_power.chip_pm_state,
+			   BES2600_CHIP_PM_LP);
+		if (atomic_cmpxchg(&hw_priv->bes_power.pm_set_in_process,
+				   1, 0) == 1) {
+			bes_devel("complete pm_enter_cmpl\n");
+			complete(&hw_priv->bes_power.pm_enter_cmpl);
+		} else {
+			bes_devel("PM ind (LP) without pending wait; state recorded\n");
+		}
+	} else {
+		atomic_set(&hw_priv->bes_power.chip_pm_state,
+			   BES2600_CHIP_PM_ACTIVE);
 	}
 }
 

bes2600/bes_pwr.h

@@ -1,12 +1,9 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
 /*
- * Mac80211 driver for BES2600 device
+ * Chip-side power state machine interface
  *
- * Copyright (c) 2022, Bestechnic
- * Author:
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 #ifndef __BES_PWR_H__
 #define __BES_PWR_H__
@@ -64,6 +61,20 @@ enum power_down_state
         POWER_DOWN_STATE_UNLOCKED,
 };
 
+/*
+ * Confirmed PM state of the firmware-side chip. Tracks what the host
+ * has *seen* the firmware acknowledge, not what the host has
+ * requested. UNKNOWN means a host-initiated transition timed out
+ * before the firmware indication arrived; the next wake path should
+ * treat it as "we don't know" and probe before issuing GPIO/SDIO
+ * wakeup ops.
+ */
+enum bes2600_chip_pm_state {
+	BES2600_CHIP_PM_ACTIVE = 0,
+	BES2600_CHIP_PM_LP,
+	BES2600_CHIP_PM_UNKNOWN,
+};
+
 typedef void (*bes_pwr_enter_lp_cb)(struct bes2600_common *hw_priv);
 typedef void (*bes_pwr_exit_lp_cb)(struct bes2600_common *hw_priv);
 
@@ -106,6 +117,16 @@ struct bes2600_pwr_t
         bool ap_lp_bad;
         struct bes2600_pwr_event_t pwr_events[BES2600_DELAY_EVENT_NUM];
         atomic_t pm_set_in_process;
+	atomic_t chip_pm_state;
+	/*
+	 * Sticky flag set after BES2600_PM_UNSUPPORTED_THRESHOLD
+	 * consecutive enter_lp_mode timeouts with zero PM_INDICATIONs
+	 * received from firmware. Indicates this chip's firmware does
+	 * not honor host-driven PSM transitions; further attempts are
+	 * skipped to avoid the 5s timeout cascade.
+	 */
+	bool pm_unsupported;
+	unsigned int pm_consecutive_timeouts;
 };
 
 #ifdef CONFIG_BES2600_WOWLAN

bes2600/bh.c

@@ -1,12 +1,12 @@
+// SPDX-License-Identifier: GPL-2.0-only
 /*
- * Mac80211 driver for BES2600 device
+ * Bottom-half thread for BES2600 mac80211 driver
  *
- * Copyright (c) 2022, Bestechnic
- * Author:
+ * Copyright (c) 2010, ST-Ericsson
+ * Author: Dmitry Tarnyagin <dmitry.tarnyagin@lockless.no>
+ *
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 #include <net/mac80211.h>
 #include <linux/kthread.h>
@@ -101,7 +101,7 @@ void bes2600_unregister_bh(struct bes2600_common *hw_priv)
 	coex_deinit_mode(hw_priv);
 #endif
 
-	atomic_add(1, &hw_priv->bh_term);
+	atomic_inc(&hw_priv->bh_term);
 	wake_up(&hw_priv->bh_wq);
 
 	flush_workqueue(hw_priv->bh_workqueue);
@@ -590,7 +590,7 @@ static int bes2600_bh(void *arg)
 			bes_devel("[BH] Device resume.\n");
 			atomic_set(&hw_priv->bh_suspend, BES2600_BH_RESUMED);
 			wake_up(&hw_priv->bh_evt_wq);
-			atomic_add(1, &hw_priv->bh_rx);
+			atomic_inc(&hw_priv->bh_rx);
 			continue;
 		}
 
@@ -758,9 +758,9 @@ tx:
 
 #if 0 /* count is not implemented */
 				if (ret > 1)
-					atomic_add(1, &hw_priv->bh_tx);
+					atomic_inc(&hw_priv->bh_tx);
 #else
-				atomic_add(1, &hw_priv->bh_tx);
+				atomic_inc(&hw_priv->bh_tx);
 #endif
 
 #if defined(CONFIG_BES2600_NON_POWER_OF_TWO_BLOCKSIZES)
@@ -958,6 +958,119 @@ static void bes2600_bh_parse_wakeup_event(struct bes2600_common *hw_priv, struct
 	}
 }
 
+/*
+ * Direct-deliver an RX SKB into the WSM/mac80211 stack.
+ *
+ * Patch C v3 (no-relay architecture, matches cw1200): the bh thread
+ * calls bes2600_sdio_read_rx_batch which calls
+ * bes2600_sdio_extract_packets which calls THIS function per parsed
+ * SKB.  No rx_queue, no sdio_rx_work, no inter-thread handoff.
+ *
+ * Single-writer-from-bh invariant on hw_priv->hw_bufs_used,
+ * hw_priv->hw_bufs_used_vif[] and hw_priv->wsm_tx_pending[] is
+ * preserved BY CONSTRUCTION — there is now only one writer (the bh
+ * thread itself), same as cw1200's design.  No atomic_t conversion
+ * needed.
+ *
+ * Contract:
+ *   - process context, sleepable.  wsm_handle_rx (wsm.c, EXPORT_SYMBOL)
+ *     acquires wsm_cmd.lock and may sleep on wait_event_timeout.
+ *   - caller holds no bes2600 spinlock.  bes2600_sdio_unlock(self) is
+ *     called inside read_rx_batch before extract_packets is invoked.
+ *   - SKB ownership: function frees on every path (success + error).
+ *   - No need to wake the bh thread on TX-confirm — we ARE the bh
+ *     thread; tx_burst is signalled by returning *tx_out = 1 to the
+ *     caller (bh_rx_helper), which propagates it to bh's outer loop.
+ */
+int bes2600_bh_handle_rx_skb(struct bes2600_common *priv, struct sk_buff *skb)
+{
+	struct wsm_hdr *wsm;
+	size_t wsm_len;
+	u16 wsm_id;
+	u8 wsm_seq;
+	int tx = 0;
+	u32 confirm_label = 0x0;
+
+	if (!skb)
+		return 0;
+
+	wsm = (struct wsm_hdr *)skb->data;
+	wsm_len = __le16_to_cpu(wsm->len);
+	if (WARN_ON(wsm_len > skb->len)) {
+		bes_err("wsm_len err %d %d\n", (int)wsm_len, (int)skb->len);
+		dev_kfree_skb(skb);
+		return -1;
+	}
+
+	if (priv->wsm_enable_wsm_dumps)
+		print_hex_dump(KERN_DEBUG, "<-- ", DUMP_PREFIX_NONE, 16, 1,
+			       skb->data, wsm_len, false);
+
+	wsm_id  = __le16_to_cpu(wsm->id) & 0xFFF;
+	wsm_seq = (__le16_to_cpu(wsm->id) >> 13) & 7;
+	bes_devel("bes2600_bh_handle_rx_skb wsm_id:0x%04x seq:%d\n",
+		  wsm_id, wsm_seq);
+
+	skb_trim(skb, wsm_len);
+
+	if (wsm_id == 0x0800) {
+		wsm_handle_exception(priv,
+				     &skb->data[sizeof(*wsm)],
+				     wsm_len - sizeof(*wsm));
+		bes_err("wsm exception\n");
+		dev_kfree_skb(skb);
+		return -1;
+	} else if ((wsm_seq != priv->wsm_rx_seq[WSM_TXRX_SEQ_IDX(wsm_id)])) {
+		bes_err("seq error! %u. %u. 0x%x.", wsm_seq,
+			priv->wsm_rx_seq[WSM_TXRX_SEQ_IDX(wsm_id)], wsm_id);
+		dev_kfree_skb(skb);
+		return -1;
+	}
+
+	bes2600_bh_parse_wakeup_event(priv, skb);
+
+	priv->wsm_rx_seq[WSM_TXRX_SEQ_IDX(wsm_id)] = (wsm_seq + 1) & 7;
+
+	if (IS_DRIVER_TO_MCU_CMD(wsm_id))
+		confirm_label = __le32_to_cpu(((struct wsm_mcu_hdr *)wsm)->handle_label);
+
+	if (WSM_CONFIRM_CONDITION(wsm_id, confirm_label)) {
+		int rc = wsm_release_tx_buffer(priv, 1);
+		bes2600_bh_dec_pending_count(priv, WSM_TXRX_SEQ_IDX(wsm->id));
+
+		if (rc < 0) {
+			bes_err("wsm_release_tx_buffer failed: %d\n", rc);
+			dev_kfree_skb(skb);
+			return rc;
+		} else if (rc > 0) {
+			tx = 1;
+		}
+	}
+
+	/* wsm_handle_rx takes care of SKB lifetime: zeroes *skb_p if consumed. */
+	if (wsm_handle_rx(priv, wsm_id, wsm, &skb)) {
+		bes_err("wsm_handle_rx failed (id=0x%04x)\n", wsm_id);
+		if (skb)
+			dev_kfree_skb(skb);
+		return -1;
+	}
+
+	if (skb)
+		dev_kfree_skb(skb);
+
+	/*
+	 * Signal "tx side has new headroom" via atomic so the bh outer
+	 * loop's wait_event predicate notices on its next wait.  No
+	 * cross-thread wake needed because we are the bh thread; the
+	 * outer loop will pick this up after read_rx_batch returns.
+	 */
+	if (tx)
+		atomic_inc(&priv->bh_tx);
+
+	return 0;
+}
+EXPORT_SYMBOL(bes2600_bh_handle_rx_skb);
+
 static int bes2600_bh_rx_helper(struct bes2600_common *priv, int *tx)
 {
 	struct sk_buff *skb = NULL;
@@ -969,10 +1082,18 @@ static int bes2600_bh_rx_helper(struct bes2600_common *priv, int *tx)
 	u32 confirm_label = 0x0; /* wsm to mcu cmd cnfirm label */
 
 #if defined(BES_SDIO_RX_MULTIPLE_ENABLE)
-	skb = (struct sk_buff *)priv->sbus_ops->pipe_read(priv->sbus_priv);
-	if (!skb)
-		return 0;
-	rx = 1; // always consider rx pipe not empty
+	/*
+	 * Patch C v3: the bh thread does the SDIO read inline via
+	 * sbus_ops->bus_rx_batch.  bes2600_sdio_read_rx_batch reads the
+	 * multi-RX coalesced frames out of the chip and delivers each
+	 * one inline via bes2600_bh_handle_rx_skb (no rx_queue, no
+	 * pipe_read, no inter-thread handoff).  Return value: 0 on
+	 * success (bh outer loop will check whether to continue),
+	 * negative on read error.
+	 */
+	if (priv->sbus_ops->bus_rx_batch)
+		return priv->sbus_ops->bus_rx_batch(priv->sbus_priv);
+	return 0;
 #else
 	u32 ctrl_reg = 0;
 	size_t read_len = 0;
@@ -1134,7 +1255,7 @@ static int bes2600_bh_tx_helper(struct bes2600_common *hw_priv,
 	tx_len += 4;
 #endif
 
-	atomic_add(1, &hw_priv->bh_tx);
+	atomic_inc(&hw_priv->bh_tx);
 
 	tx_len = hw_priv->sbus_ops->align_size(
 		hw_priv->sbus_priv, tx_len);
@@ -1435,7 +1556,7 @@ static int bes2600_bh(void *arg)
 			bes_devel("[BH] Device resume.\n");
 			atomic_set(&hw_priv->bh_suspend, BES2600_BH_RESUMED);
 			wake_up(&hw_priv->bh_evt_wq);
-			atomic_add(1, &hw_priv->bh_rx);
+			atomic_inc(&hw_priv->bh_rx);
 			goto done;
 		}
 

bes2600/bh.h

@@ -1,12 +1,12 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
 /*
- * Device handling thread interface for mac80211 BES2600 drivers
+ * Bottom-half thread interface for BES2600 mac80211 driver
  *
- * Copyright (c) 2010, Bestechnic
- * Author:
+ * Copyright (c) 2010, ST-Ericsson
+ * Author: Dmitry Tarnyagin <dmitry.tarnyagin@lockless.no>
+ *
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 
 #ifndef BES2600_BH_H
@@ -39,6 +39,15 @@ int wsm_release_vif_tx_buffer(struct bes2600_common *hw_priv, int if_id,
 int bes2600_bh_sw_process(struct bes2600_common *hw_priv,
 			 struct wsm_tx_confirm *tx_confirm);
 
+/*
+ * Direct-deliver an RX SKB into the WSM/mac80211 stack from the bh thread.
+ * Called by bes2600_sdio_extract_packets per RX frame, no queueing.
+ * Process context, sleepable, caller holds no bes2600 spinlock.
+ * Function frees skb on every path. See bh.c for full contract.
+ */
+int bes2600_bh_handle_rx_skb(struct bes2600_common *hw_priv,
+			     struct sk_buff *skb);
+
 void bes2600_bh_inc_pending_count(struct bes2600_common *hw_priv, int idx);
 void bes2600_bh_dec_pending_count(struct bes2600_common *hw_priv, int idx);
 

bes2600/debug.c

@@ -1,12 +1,12 @@
+// SPDX-License-Identifier: GPL-2.0-only
 /*
- * Mac80211 driver for BES2600 device
+ * Debugging interface for BES2600 mac80211 driver
  *
- * Copyright (c) 2022, Bestechnic
- * Author:
+ * Copyright (c) 2010, ST-Ericsson
+ * Author: Dmitry Tarnyagin <dmitry.tarnyagin@lockless.no>
+ *
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 
 #include <linux/module.h>
@@ -542,6 +542,10 @@ static int bes2600_status_show_priv(struct seq_file *seq, void *v)
 		priv->listening ? " (listening)" : "");
 	seq_printf(seq, "Assoc:      %s\n",
 		bes2600_debug_join_status[priv->join_status]);
+	seq_printf(seq, "DecryptStormRecoveries: %u\n",
+		   priv->decrypt_storm_recoveries);
+	seq_printf(seq, "ConnectionLossStormRecoveries: %u\n",
+		   priv->connection_loss_storm_recoveries);
 	if (priv->rx_filter.promiscuous)
 		seq_puts(seq,   "Filter:     promisc\n");
 	else if (priv->rx_filter.fcs)

bes2600/debug.h

@@ -1,12 +1,12 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
 /*
- * DebugFS code for BES2600 mac80211 driver
+ * Debugging interface for BES2600 mac80211 driver
  *
- * Copyright (c) 2011, Bestechnic
- * Author:
+ * Copyright (c) 2010, ST-Ericsson
+ * Author: Dmitry Tarnyagin <dmitry.tarnyagin@lockless.no>
+ *
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 
 #ifndef BES2600_DEBUG_H_INCLUDED

bes2600/epta_coex.c

@@ -1,12 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-only
 /*
- * Mac80211 driver for BES2600 device
+ * BT/WiFi coexistence (ePTA) for BES2600
  *
- * Copyright (c) 2022, Bestechnic
- * Author:
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 #include <linux/types.h>
 #include <linux/version.h>

bes2600/epta_coex.h

@@ -1,12 +1,9 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
 /*
- * Mac80211 driver for BES2600 device
+ * BT/WiFi coexistence interface for BES2600
  *
- * Copyright (c) 2022, Bestechnic
- * Author:
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 #ifndef __EPTA_COEX_H__
 #define __EPTA_COEX_H__

bes2600/epta_request.c

@@ -1,12 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-only
 /*
- * Mac80211 driver for BES2600 device
+ * BT/WiFi coexistence request handling
  *
- * Copyright (c) 2022, Bestechnic
- * Author:
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 #include <linux/types.h>
 #include <linux/kernel.h>

bes2600/epta_request.h

@@ -1,12 +1,9 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
 /*
- * Mac80211 driver for BES2600 device
+ * BT/WiFi coexistence request interface
  *
- * Copyright (c) 2022, Bestechnic
- * Author:
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 #ifndef EPTA_REQUEST_H
 #define EPTA_REQUEST_H

bes2600/fwio.c

@@ -1,12 +1,12 @@
+// SPDX-License-Identifier: GPL-2.0-only
 /*
- * Mac80211 driver for BES2600 device
+ * Firmware I/O for BES2600 mac80211 driver
  *
- * Copyright (c) 2022, Bestechnic
- * Author:
+ * Copyright (c) 2010, ST-Ericsson
+ * Author: Dmitry Tarnyagin <dmitry.tarnyagin@lockless.no>
+ *
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 
 #include <linux/init.h>

bes2600/fwio.h

@@ -1,12 +1,12 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
 /*
- * Mac80211 driver for BES2600 device
+ * Firmware I/O interface for BES2600 mac80211 driver
  *
- * Copyright (c) 2022, Bestechnic
- * Author:
+ * Copyright (c) 2010, ST-Ericsson
+ * Author: Dmitry Tarnyagin <dmitry.tarnyagin@lockless.no>
+ *
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 #ifndef FWIO_H_INCLUDED
 #define FWIO_H_INCLUDED

bes2600/ht.h

@@ -1,12 +1,9 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
 /*
- *  HT-related code for BES2600 driver
+ * HT capability config for BES2600
  *
- * Copyright (c) 2010, Bestechnic
- * Author:
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 
 #ifndef BES2600_HT_H_INCLUDED

bes2600/hwio.c

@@ -1,12 +1,12 @@
+// SPDX-License-Identifier: GPL-2.0-only
 /*
- * Low-level device IO routines for BES2600 drivers
+ * Low-level device I/O for BES2600 mac80211 driver
  *
- * Copyright (c) 2022, Bestechnic
- * Author:
+ * Copyright (c) 2010, ST-Ericsson
+ * Author: Dmitry Tarnyagin <dmitry.tarnyagin@lockless.no>
+ *
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 
 #include <linux/types.h>

bes2600/hwio.h

@@ -1,17 +1,12 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
 /*
- * Low-level API for mac80211 BES2600 drivers
+ * Low-level device I/O interface for BES2600 mac80211 driver
  *
- * Copyright (c) 2010, Bestechnic
- * Author:
+ * Copyright (c) 2010, ST-Ericsson
+ * Author: Dmitry Tarnyagin <dmitry.tarnyagin@lockless.no>
  *
- * Based on:
- * UMAC BES2600 driver which is
- * Copyright (c) 2010, Bestechnic
- * Author:
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 
 #ifndef BES2600_HWIO_H_INCLUDED

bes2600/itp.c

@@ -1,13 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-only
 /*
- * mac80211 glue code for mac80211 BES2600 drivers
- * ITP code
+ * ITP (in-band test mode) for BES2600
  *
- * Copyright (c) 2010, Bestechnic
- * Author:
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 
 #include <linux/module.h>
@@ -570,7 +566,7 @@ int bes2600_itp_get_tx(struct bes2600_common *priv, u8 **data,
 	*burst = 2;
 	atomic_set(&priv->bh_tx, 1);
 	ktime_get_ts(&itp->last_sent);
-	atomic_add(1, &itp->awaiting_confirm);
+	atomic_inc(&itp->awaiting_confirm);
 	spin_unlock_bh(&itp->tx_lock);
 	return 1;
 

bes2600/itp.h

@@ -1,12 +1,9 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
 /*
- * ITP code for BES2600 mac80211 driver
+ * ITP interface for BES2600
  *
- * Copyright (c) 2011, Bestechnic
- * Author:
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 
 #ifndef BES2600_ITP_H_INCLUDED

bes2600/main.c

@@ -1,12 +1,18 @@
+// SPDX-License-Identifier: GPL-2.0-only
 /*
- * Mac80211 driver for BES2600 device
+ * Main entry/init for BES2600 mac80211 driver
  *
- * Copyright (c) 2022, Bestechnic
- * Author:
+ * Copyright (c) 2010, ST-Ericsson
+ * Author: Dmitry Tarnyagin <dmitry.tarnyagin@lockless.no>
+ *
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
+ *
+ * Based on the mac80211 Prism54 code, which is
+ * Copyright (c) 2006, Michael Wu <flamingice@sourmilk.net>
+ *
+ * Based on the islsm (softmac prism54) driver, which is
+ * Copyright 2004-2006 Jean-Baptiste Note <jbnote@gmail.com>, et al.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 
 #include <linux/module.h>
@@ -484,6 +490,8 @@ static struct ieee80211_hw *bes2600_init_common(size_t hw_priv_data_len)
 	spin_lock_init(&hw_priv->rtsvalue_lock);
 	INIT_WORK(&hw_priv->dynamic_opt_txrx_work, bes2600_dynamic_opt_txrx_work);
 	INIT_WORK(&hw_priv->tx_policy_upload_work, tx_policy_upload_work);
+	INIT_WORK(&hw_priv->connection_loss_storm_recover_work,
+		  bes2600_connection_loss_storm_recover);
 	spin_lock_init(&hw_priv->event_queue_lock);
 	INIT_LIST_HEAD(&hw_priv->event_queue);
 	INIT_WORK(&hw_priv->event_handler, bes2600_event_handler);
@@ -495,6 +503,7 @@ static struct ieee80211_hw *bes2600_init_common(size_t hw_priv_data_len)
 			WLAN_LINK_ID_MAX,
 			bes2600_skb_dtor,
 			hw_priv))) {
+		destroy_workqueue(hw_priv->workqueue);
 		ieee80211_free_hw(hw);
 		return NULL;
 	}
@@ -506,6 +515,7 @@ static struct ieee80211_hw *bes2600_init_common(size_t hw_priv_data_len)
 			for (; i > 0; i--)
 				bes2600_queue_deinit(&hw_priv->tx_queue[i - 1]);
 			bes2600_queue_stats_deinit(&hw_priv->tx_queue_stats);
+			destroy_workqueue(hw_priv->workqueue);
 			ieee80211_free_hw(hw);
 			return NULL;
 		}

bes2600/pm.c

@@ -1,12 +1,12 @@
+// SPDX-License-Identifier: GPL-2.0-only
 /*
- * Mac80211 power management API for BES2600 drivers
+ * Power management for BES2600 mac80211 driver
  *
- * Copyright (c) 2011, Bestechnic
- * Author:
+ * Copyright (c) 2010, ST-Ericsson
+ * Author: Dmitry Tarnyagin <dmitry.tarnyagin@lockless.no>
+ *
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 
 #include <linux/platform_device.h>

bes2600/pm.h

@@ -1,12 +1,12 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
 /*
- * Mac80211 power management interface for BES2600 mac80211 drivers
+ * Power management interface for BES2600 mac80211 driver
  *
- * Copyright (c) 2011, Bestechnic
- * Author:
+ * Copyright (c) 2010, ST-Ericsson
+ * Author: Dmitry Tarnyagin <dmitry.tarnyagin@lockless.no>
+ *
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 
 #ifndef PM_H_INCLUDED

bes2600/queue.c

@@ -1,12 +1,12 @@
+// SPDX-License-Identifier: GPL-2.0-only
 /*
- * O(1) TX queue with built-in allocator for BES2600 drivers
+ * O(1) TX queue for BES2600 mac80211 driver
  *
- * Copyright (c) 2022, Bestechnic
- * Author:
+ * Copyright (c) 2010, ST-Ericsson
+ * Author: Dmitry Tarnyagin <dmitry.tarnyagin@lockless.no>
+ *
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 
 #include <net/mac80211.h>

bes2600/queue.h

@@ -1,12 +1,12 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
 /*
- * O(1) TX queue with built-in allocator for BES2600 drivers
+ * O(1) TX queue interface for BES2600 mac80211 driver
  *
- * Copyright (c) 2010, Bestechnic
- * Author:
+ * Copyright (c) 2010, ST-Ericsson
+ * Author: Dmitry Tarnyagin <dmitry.tarnyagin@lockless.no>
+ *
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 
 #ifndef BES2600_QUEUE_H_INCLUDED

bes2600/sbus.h

@@ -1,12 +1,12 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
 /*
- * Common sbus abstraction layer interface for bes2600 wireless driver
+ * Bus abstraction interface for BES2600
+ *
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
+ * Replaces hwbus.h from drivers/net/wireless/st/cw1200/
+ * Copyright (c) 2010, ST-Ericsson
  *
- * Copyright (c) 2010, Bestechnic
- * Author:
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 
 #ifndef BES2600_SBUS_H
@@ -75,6 +75,22 @@ struct sbus_ops {
 	void (*halt_device)(struct sbus_priv *self);
 	bool (*wakeup_source)(struct sbus_priv *self);
 	int (*reboot)(struct sbus_priv *self);
+	/*
+	 * Force the host bus to re-detect and re-probe the chip. Called
+	 * from the firmware-wedge recovery path when power_switch() has no
+	 * effective chip-reset signal of its own (e.g. PineTab2, where the
+	 * wifi-reset GPIO is owned by sdio_pwrseq, not the bes2600 node).
+	 * Returns 0 on success or a negative errno.
+	 */
+	int (*bus_reset)(struct sbus_priv *self);
+	/*
+	 * Read a batch of RX frames inline from the bus and deliver each
+	 * one via bes2600_bh_handle_rx_skb().  Called from the bh thread
+	 * (process context, sleepable).  Replaces the
+	 * sdio_rx_work + rx_queue + pipe_read relay (Patch C v3, 2026).
+	 * Returns 0 on success, negative on read error.
+	 */
+	int (*bus_rx_batch)(struct sbus_priv *self);
 };
 
 void bes2600_irq_handler(struct bes2600_common *priv);

bes2600/scan.c

@@ -1,12 +1,12 @@
+// SPDX-License-Identifier: GPL-2.0-only
 /*
- * Scan implementation for BES2600 mac80211 drivers
+ * Scan implementation for BES2600 mac80211 driver
  *
- * Copyright (c) 2022, Bestechnic
- * Author:
+ * Copyright (c) 2010, ST-Ericsson
+ * Author: Dmitry Tarnyagin <dmitry.tarnyagin@lockless.no>
+ *
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 
 #include <linux/sched.h>
@@ -14,11 +14,63 @@
 #include "scan.h"
 #include "sta.h"
 #include "pm.h"
+#include "epta_coex.h"
 #include "epta_request.h"
 #include "bes_pwr.h"
 
+/*
+ * After this many consecutive WSM scan rejections from firmware, stop
+ * issuing new scans for BES2600_SCAN_BACKOFF_JIFFIES and let the state
+ * that's rejecting them (coex window, firmware-internal busy) clear.
+ *
+ * The backoff has to be at least as long as the natural mac80211 scan-
+ * retry cadence, otherwise the next attempt lands outside the window
+ * and bypasses the defer guard. Observed in the wild on PineTab2:
+ * roam-evaluation bursts at ~12 s cadence, idle background scans at
+ * ~5 min cadence. 30 s catches the burst and leaves the slow case
+ * alone (the firmware-policy state has had minutes to clear by then
+ * anyway).
+ */
+#define BES2600_SCAN_REJECT_THRESHOLD	3
+#define BES2600_SCAN_BACKOFF_JIFFIES	(30 * HZ)
+
 static void bes2600_scan_restart_delayed(struct bes2600_vif *priv);
 
+/*
+ * Decide whether to skip sending the next WSM scan command without
+ * bothering the firmware. Two triggers:
+ *
+ *  1. BT A2DP is streaming in non-FDD coex mode. The firmware is
+ *     known to reject scan requests during that window; short-
+ *     circuiting here saves a WSM round-trip and avoids the
+ *     wsm_generic_confirm / scan_work warning cascade that follows.
+ *
+ *  2. We already saw >= BES2600_SCAN_REJECT_THRESHOLD consecutive
+ *     rejections on recent scan attempts and the backoff window has
+ *     not yet elapsed. Whatever was rejecting them is likely still
+ *     rejecting them; give it time. If the backoff has elapsed without
+ *     a fresh reject refreshing it, the burst is over and we reset the
+ *     count so an isolated reject doesn't immediately re-trip.
+ *
+ * Returns true if the caller should abandon the scan iteration.
+ */
+static bool bes2600_scan_should_defer(struct bes2600_common *hw_priv)
+{
+#ifdef WIFI_BT_COEXIST_EPTA_ENABLE
+	if (!coex_is_fdd_mode() && coex_is_bt_a2dp())
+		return true;
+#endif
+
+	if (time_after(jiffies, hw_priv->scan.backoff_until))
+		hw_priv->scan.reject_count = 0;
+
+	if (hw_priv->scan.reject_count >= BES2600_SCAN_REJECT_THRESHOLD &&
+	    time_before(jiffies, hw_priv->scan.backoff_until))
+		return true;
+
+	return false;
+}
+
 #ifdef CONFIG_BES2600_TESTMODE
 static int bes2600_advance_scan_start(struct bes2600_common *hw_priv)
 {
@@ -205,18 +257,21 @@ int bes2600_hw_scan(struct ieee80211_hw *hw,
 
 	bes2600_pwr_set_busy_event(hw_priv, BES_PWR_LOCK_ON_SCAN);
 
-	frame.skb = ieee80211_probereq_get(hw, priv->vif->addr, NULL, 0,
-		req->ie_len);
-	if (!frame.skb)
-		return -ENOMEM;
-
-	if (req->ie_len)
-		skb_put_data(frame.skb, req->ie, req->ie_len);
-
 	/* will be unlocked in bes2600_scan_work() */
 	down(&hw_priv->scan.lock);
 	down(&hw_priv->conf_lock);
 
+	frame.skb = ieee80211_probereq_get(hw, priv->vif->addr, NULL, 0,
+		req->ie_len);
+	if (!frame.skb) {
+		up(&hw_priv->conf_lock);
+		up(&hw_priv->scan.lock);
+		return -ENOMEM;
+	}
+
+	if (req->ie_len)
+		skb_put_data(frame.skb, req->ie, req->ie_len);
+
 	if (frame.skb) {
 		int ret;
 		//if (priv->if_id == 0)
@@ -234,9 +289,9 @@ int bes2600_hw_scan(struct ieee80211_hw *hw,
 		}
 #endif
 		if (ret) {
+			dev_kfree_skb(frame.skb);
 			up(&hw_priv->conf_lock);
 			up(&hw_priv->scan.lock);
-			dev_kfree_skb(frame.skb);
 			return ret;
 		}
 	}
@@ -266,10 +321,10 @@ int bes2600_hw_scan(struct ieee80211_hw *hw,
 		++hw_priv->scan.n_ssids;
 	}
 
-	up(&hw_priv->conf_lock);
-
 	if (frame.skb)
 		dev_kfree_skb(frame.skb);
+
+	up(&hw_priv->conf_lock);
 #ifdef WIFI_BT_COEXIST_EPTA_ENABLE
 	bwifi_change_current_status(hw_priv, BWIFI_STATUS_SCANNING);
 #endif
@@ -310,14 +365,18 @@ int bes2600_hw_sched_scan_start(struct ieee80211_hw *hw,
 	if (req->n_ssids > hw->wiphy->max_scan_ssids)
 		return -EINVAL;
 
-	frame.skb = ieee80211_probereq_get(hw, priv->vif->addr, NULL, 0,
-		req->ie_len);
-	if (!frame.skb)
-		return -ENOMEM;
-
 	/* will be unlocked in bes2600_scan_work() */
 	down(&hw_priv->scan.lock);
 	down(&hw_priv->conf_lock);
+
+	frame.skb = ieee80211_probereq_get(hw, priv->vif->addr, NULL, 0,
+		req->ie_len);
+	if (!frame.skb) {
+		up(&hw_priv->conf_lock);
+		up(&hw_priv->scan.lock);
+		return -ENOMEM;
+	}
+
 	if (frame.skb) {
 		int ret;
 		if (priv->if_id == 0)
@@ -328,9 +387,9 @@ int bes2600_hw_sched_scan_start(struct ieee80211_hw *hw,
 			ret = wsm_set_probe_responder(priv, true);
 		}
 		if (ret) {
+			dev_kfree_skb(frame.skb);
 			up(&hw_priv->conf_lock);
 			up(&hw_priv->scan.lock);
-			dev_kfree_skb(frame.skb);
 			return ret;
 		}
 	}
@@ -362,10 +421,10 @@ int bes2600_hw_sched_scan_start(struct ieee80211_hw *hw,
 		}
 	}
 
-	up(&hw_priv->conf_lock);
-
 	if (frame.skb)
 		dev_kfree_skb(frame.skb);
+
+	up(&hw_priv->conf_lock);
 	queue_work(hw_priv->workqueue, &hw_priv->scan.swork);
 	wiphy_warn(hw->wiphy, "<--[SCAN] Scheduled scan request.\n");
 	return 0;
@@ -702,10 +761,29 @@ void bes2600_scan_work(struct work_struct *work)
 				wsm_unlock_tx(hw_priv);
 		} else
 #endif
+		{
+			if (bes2600_scan_should_defer(hw_priv)) {
+				hw_priv->scan.status = -EBUSY;
+				hw_priv->scan.reject_count++;
+				hw_priv->scan.backoff_until =
+					jiffies + BES2600_SCAN_BACKOFF_JIFFIES;
+				wiphy_dbg(priv->hw->wiphy,
+					  "[SCAN] deferred (coex/backoff, reject_count=%u)\n",
+					  hw_priv->scan.reject_count);
+				kfree(scan.ch);
+				goto fail;
+			}
 			hw_priv->scan.status = bes2600_scan_start(priv, &scan);
+		}
 		kfree(scan.ch);
-		if (WARN_ON(hw_priv->scan.status))
+		if (hw_priv->scan.status) {
+			hw_priv->scan.reject_count++;
+			hw_priv->scan.backoff_until =
+				jiffies + BES2600_SCAN_BACKOFF_JIFFIES;
+			/* Lower callers already logged the reason at wiphy_warn. */
 			goto fail;
+		}
+		hw_priv->scan.reject_count = 0;
 		hw_priv->scan.curr = it;
 	}
 	up(&hw_priv->conf_lock);

bes2600/scan.h

@@ -1,12 +1,12 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
 /*
- * Scan interface for BES2600 mac80211 drivers
+ * Scan interface for BES2600 mac80211 driver
  *
- * Copyright (c) 2010, Bestechnic
- * Author:
+ * Copyright (c) 2010, ST-Ericsson
+ * Author: Dmitry Tarnyagin <dmitry.tarnyagin@lockless.no>
+ *
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 
 #ifndef SCAN_H_INCLUDED
@@ -42,6 +42,17 @@ struct bes2600_scan {
 	struct delayed_work probe_work;
 	int direct_probe;
 	u8 if_id;
+	/*
+	 * Track consecutive firmware-side WSM scan rejections so we can
+	 * back off briefly instead of re-issuing the same scan on every
+	 * mac80211 background-scan tick. Firmware returns WSM status != 0
+	 * for a handful of transient conditions (BT A2DP active in non-
+	 * FDD coex, firmware-internal busy windows) and keeps rejecting
+	 * until the state clears; retrying at full cadence just floods
+	 * dmesg.
+	 */
+	unsigned int reject_count;
+	unsigned long backoff_until;
 };
 
 int bes2600_hw_scan(struct ieee80211_hw *hw,

bes2600/sta.c

@@ -1,12 +1,12 @@
+// SPDX-License-Identifier: GPL-2.0-only
 /*
- * Mac80211 STA API for BES2600 drivers
+ * Mac80211 STA API for BES2600 mac80211 driver
  *
- * Copyright (c) 2022, Bestechnic
- * Author:
+ * Copyright (c) 2010, ST-Ericsson
+ * Author: Dmitry Tarnyagin <dmitry.tarnyagin@lockless.no>
+ *
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 
 #include <linux/vmalloc.h>
@@ -266,6 +266,7 @@ void bes2600_stop(struct ieee80211_hw *dev, bool suspend)
 	cancel_work_sync(&hw_priv->coex_work);
 	coex_stop(hw_priv);
 #endif
+	cancel_work_sync(&hw_priv->connection_loss_storm_recover_work);
 
 	bes2600_wifi_stop(hw_priv);
 
@@ -448,6 +449,7 @@ void bes2600_remove_interface(struct ieee80211_hw *dev,
 	cancel_delayed_work_sync(&priv->join_timeout);
 	cancel_delayed_work_sync(&priv->set_cts_work);
 	cancel_delayed_work_sync(&priv->pending_offchanneltx_work);
+	cancel_work_sync(&priv->decrypt_storm_recover_work);
 
 	del_timer_sync(&priv->mcast_timeout);
 	/* TODO:COMBO: May be reset of these variables "delayed_link_loss and
@@ -1658,6 +1660,70 @@ report:
 	spin_unlock(&priv->bss_loss_lock);
 }
 
+/*
+ * Connection-loss-storm fast-recover (Trigger A).
+ *
+ * bes2600_connection_loss_work below is the driver's own decision-point
+ * to give up on a BSS (after bss-loss detection accumulates beyond
+ * tolerance) and tell mac80211 via ieee80211_connection_loss(). On the
+ * deployed pinetab2 stack a single ieee80211_connection_loss() event
+ * sometimes triggers a userspace reauth blackhole (assoc-comeback
+ * timeouts followed by AP unprotected-deauth-reason-6) that ends only
+ * via cross-channel/cross-SSID fallback and can take 80+ s. Receipts at
+ * https://git.reauktion.de/marfrit/besser, notes/phase4-2026-05-07.md.
+ *
+ * When N connection-loss decisions land within WINDOW on the same vif,
+ * skip the ieee80211_connection_loss() path and trigger a chip-level
+ * bus_reset (the c5.2-introduced bes2600_chrdev_do_bus_reset). The chip
+ * is removed and re-probed; userspace re-associates from a fresh state,
+ * dodging the assoc-comeback loop.
+ *
+ * Threshold (3 / 60 s) is chosen well above the steady-state per-vif
+ * connection-loss rate observed in the patch-A Phase-7 rep
+ * (0.86/h under sustained load), so a true storm is required.
+ *
+ * The recover work_struct lives on bes2600_common (hw_priv) so that
+ * scheduling it does not race with vif teardown after bus_reset frees
+ * the per-vif state.
+ */
+#define BES2600_CONNECTION_LOSS_STORM_THRESHOLD	3
+#define BES2600_CONNECTION_LOSS_STORM_WINDOW_MS	60000
+
+void bes2600_connection_loss_storm_recover(struct work_struct *work)
+{
+	bes_warn("[bes2600] connection-loss-storm fast-recover: bus_reset\n");
+	bes2600_chrdev_trigger_bus_reset();
+	/*
+	 * After bes2600_chrdev_do_bus_reset() returns, the SDIO core has
+	 * scheduled a remove + rescan; per-vif state may already be gone.
+	 * Do not dereference any per-vif pointer here.
+	 */
+}
+
+void bes2600_connection_loss_storm_init(struct bes2600_vif *priv)
+{
+	priv->connection_loss_storm_window_start = 0;
+	priv->connection_loss_storm_count = 0;
+	priv->connection_loss_storm_recoveries = 0;
+}
+
+bool bes2600_connection_loss_storm_account(struct bes2600_vif *priv)
+{
+	unsigned long now = jiffies;
+	unsigned long window =
+		msecs_to_jiffies(BES2600_CONNECTION_LOSS_STORM_WINDOW_MS);
+
+	if (priv->connection_loss_storm_window_start == 0 ||
+	    time_after(now, priv->connection_loss_storm_window_start + window)) {
+		priv->connection_loss_storm_window_start = now;
+		priv->connection_loss_storm_count = 1;
+		return false;
+	}
+
+	return ++priv->connection_loss_storm_count >=
+	       BES2600_CONNECTION_LOSS_STORM_THRESHOLD;
+}
+
 void bes2600_connection_loss_work(struct work_struct *work)
 {
 	struct bes2600_vif *priv =
@@ -1667,9 +1733,21 @@ void bes2600_connection_loss_work(struct work_struct *work)
 
 	bes_devel("[CQM] Reporting connection loss.\n");
 	bes2600_pwr_clear_busy_event(priv->hw_priv, BES_PWR_LOCK_ON_BSS_LOST);
-	if(bes2600_suspend_status_get(hw_priv)) {
+
+	if (bes2600_connection_loss_storm_account(priv)) {
+		bes_warn("[bes2600] connection-loss storm: %u in %u s, scheduling bus reset\n",
+			 priv->connection_loss_storm_count,
+			 BES2600_CONNECTION_LOSS_STORM_WINDOW_MS / 1000);
+		priv->connection_loss_storm_count = 0;
+		priv->connection_loss_storm_recoveries++;
+		schedule_work(&hw_priv->connection_loss_storm_recover_work);
+		/* bus_reset will tear the chip down; skip the mac80211 path. */
+		return;
+	}
+
+	if (bes2600_suspend_status_get(hw_priv))
 		bes2600_pending_unjoin_set(hw_priv, priv->if_id);
-	} else
+	else
 		ieee80211_connection_loss(priv->vif);
 #ifdef WIFI_BT_COEXIST_EPTA_ENABLE
 	// set disconnected in BSS_CHANGED_ASSOC
@@ -2619,6 +2697,8 @@ int bes2600_vif_setup(struct bes2600_vif *priv)
 
 	/* Setup per vif workitems and locks */
 	spin_lock_init(&priv->vif_lock);
+	bes2600_decrypt_storm_init(priv);
+	bes2600_connection_loss_storm_init(priv);
 	INIT_WORK(&priv->join_work, bes2600_join_work);
 	INIT_DELAYED_WORK(&priv->join_timeout, bes2600_join_timeout);
 	INIT_WORK(&priv->unjoin_work, bes2600_unjoin_work);

bes2600/sta.h

@@ -1,12 +1,12 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
 /*
- * Mac80211 STA interface for BES2600 mac80211 drivers
+ * Mac80211 STA API interface for BES2600 mac80211 driver
  *
- * Copyright (c) 2010, Bestechnic
- * Author:
+ * Copyright (c) 2010, ST-Ericsson
+ * Author: Dmitry Tarnyagin <dmitry.tarnyagin@lockless.no>
+ *
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 #include <linux/version.h>
 #ifndef STA_H_INCLUDED

bes2600/tx_loop.c

@@ -1,12 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-only
 /*
- * Mac80211 driver for BES2600 device
+ * Test-mode TX loopback for BES2600
  *
- * Copyright (c) 2022, Bestechnic
- * Author:
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 #include "bes2600.h"
 #include "wsm.h"

bes2600/tx_loop.h

@@ -1,12 +1,9 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
 /*
- * Mac80211 driver for BES2600 device
+ * Test-mode TX loopback interface for BES2600
  *
- * Copyright (c) 2022, Bestechnic
- * Author:
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 #ifndef __TX_LOOP_H__
 #define __TX_LOOP_H__

bes2600/txrx.c

@@ -1,12 +1,12 @@
+// SPDX-License-Identifier: GPL-2.0-only
 /*
- * Datapath implementation for BES2600 mac80211 drivers
+ * Datapath implementation for BES2600 mac80211 driver
  *
- * Copyright (c) 2022, Bestechnic
- * Author:
+ * Copyright (c) 2010, ST-Ericsson
+ * Author: Dmitry Tarnyagin <dmitry.tarnyagin@lockless.no>
+ *
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 
 #include <net/mac80211.h>
@@ -25,6 +25,78 @@
 
 #define BES2600_INVALID_RATE_ID (0xFF)
 
+/*
+ * Decrypt-storm fast-recover (Trigger B).
+ *
+ * When the BES2600 firmware reports WSM_STATUS_DECRYPTFAILURE for a
+ * burst of received frames (typically because the host's PTK or GTK
+ * has fallen out of sync with the AP), the AP eventually concludes that
+ * the STA is not authenticated and emits an unprotected deauth-reason-6
+ * ("Class 2 frame received from non-authenticated station"). On the
+ * deployed pinetab2 + bes2600 stack this AP-initiated deauth has been
+ * observed to leave the link blackholed for up to 109 s before
+ * userspace finds a different SSID/channel to recover on. (Receipts at
+ * https://git.reauktion.de/marfrit/besser, notes/phase5-2026-05-06.md.)
+ *
+ * Recovery here pre-empts the AP: when we see THRESHOLD decrypt
+ * failures within WINDOW, we ask mac80211 for a clean reassoc via
+ * ieee80211_connection_loss(), which causes immediate disassociation
+ * and lets userspace auto-reconnect with fresh keys.
+ *
+ * mac80211 contract: ieee80211_connection_loss() may be called
+ * regardless of IEEE80211_HW_CONNECTION_MONITOR; it causes immediate
+ * disassociation without driver-side recovery attempts. See
+ * include/net/mac80211.h for the canonical doc-comment.
+ *
+ * The threshold is set well above the steady-state per-vif
+ * decrypt-fail rate observed in measurement (~1/min even under
+ * sustained 1 MB/s load), so a true storm is required to trip it.
+ */
+#define BES2600_DECRYPT_STORM_THRESHOLD	5
+#define BES2600_DECRYPT_STORM_WINDOW_MS	5000
+
+static void bes2600_decrypt_storm_recover_work(struct work_struct *work)
+{
+	struct bes2600_vif *priv = container_of(work, struct bes2600_vif,
+						decrypt_storm_recover_work);
+
+	if (!priv->vif)
+		return;
+
+	bes_warn("[bes2600] decrypt-storm fast-recover: forcing reassoc\n");
+	ieee80211_connection_loss(priv->vif);
+	priv->decrypt_storm_recoveries++;
+}
+
+void bes2600_decrypt_storm_init(struct bes2600_vif *priv)
+{
+	INIT_WORK(&priv->decrypt_storm_recover_work,
+		  bes2600_decrypt_storm_recover_work);
+	priv->decrypt_storm_window_start = 0;
+	priv->decrypt_storm_count = 0;
+	priv->decrypt_storm_recoveries = 0;
+}
+
+void bes2600_decrypt_storm_account(struct bes2600_vif *priv)
+{
+	unsigned long now = jiffies;
+	unsigned long window = msecs_to_jiffies(BES2600_DECRYPT_STORM_WINDOW_MS);
+
+	if (priv->decrypt_storm_window_start == 0 ||
+	    time_after(now, priv->decrypt_storm_window_start + window)) {
+		priv->decrypt_storm_window_start = now;
+		priv->decrypt_storm_count = 1;
+		return;
+	}
+
+	if (++priv->decrypt_storm_count >= BES2600_DECRYPT_STORM_THRESHOLD) {
+		priv->decrypt_storm_count = 0;
+		/* Skew the window so we don't re-fire on the same storm. */
+		priv->decrypt_storm_window_start = now + window;
+		schedule_work(&priv->decrypt_storm_recover_work);
+	}
+}
+
 #ifdef CONFIG_BES2600_TESTMODE
 #include "bes_nl80211_testmode_msg.h"
 #endif /* CONFIG_BES2600_TESTMODE */
@@ -1672,6 +1744,8 @@ void bes2600_rx_cb(struct bes2600_vif *priv,
 			goto drop;
 		} else {
 			bes_warn("[RX] Receive failure: %d.\n", arg->status);
+			if (arg->status == WSM_STATUS_DECRYPTFAILURE)
+				bes2600_decrypt_storm_account(priv);
 			goto drop;
 		}
 	}

bes2600/txrx.h

@@ -1,12 +1,12 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
 /*
- * Datapath interface for BES2600 mac80211 drivers
+ * Datapath interface for BES2600 mac80211 driver
  *
- * Copyright (c) 2010, Bestechnic
- * Author:
+ * Copyright (c) 2010, ST-Ericsson
+ * Author: Dmitry Tarnyagin <dmitry.tarnyagin@lockless.no>
+ *
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 
 #ifndef BES2600_TXRX_H

bes2600/wifi_testmode_cmd.c

@@ -1,12 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-only
 /*
- * Mac80211 driver for BES2600 device
+ * WiFi testmode commands for BES2600
  *
- * Copyright (c) 2022, Bestechnic
- * Author:
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 #ifdef CONFIG_BES2600_TESTMODE
 #include <net/netlink.h>

bes2600/wsm.c

@@ -1,13 +1,12 @@
+// SPDX-License-Identifier: GPL-2.0-only
 /*
- * WSM host interface (HI) implementation for
- * BES2600 mac80211 drivers.
+ * WSM host interface for BES2600 mac80211 driver
  *
- * Copyright (c) 2022, Bestechnic
- * Author:
+ * Copyright (c) 2010, ST-Ericsson
+ * Author: Dmitry Tarnyagin <dmitry.tarnyagin@lockless.no>
+ *
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 
 #include <linux/skbuff.h>
@@ -134,8 +133,20 @@ static int wsm_generic_confirm(struct bes2600_common *hw_priv,
 				 struct wsm_buf *buf)
 {
 	u32 status = WSM_GET32(buf);
-	if (WARN(status != WSM_STATUS_SUCCESS, "wsm_generic_confirm ret %u", status))
+
+	/*
+	 * A non-SUCCESS status here is a firmware-side policy decision for
+	 * the command whose confirm this is -- commonly WSM status 2 for
+	 * scan (0x0407) rejected because of a coex window or transient
+	 * firmware-busy state. It is not a driver/kernel bug, so avoid the
+	 * WARN()/stack-trace treatment; the caller already emits a
+	 * wiphy_warn identifying the request id and will propagate the
+	 * error to mac80211.
+	 */
+	if (status != WSM_STATUS_SUCCESS) {
+		bes_devel("%s ret %u\n", __func__, status);
 		return -EINVAL;
+	}
 	return 0;
 
 underflow:

bes2600/wsm.h

@@ -1,16 +1,12 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
 /*
- * WSM host interface (HI) interface for BES2600 mac80211 drivers
+ * WSM host interface for BES2600 mac80211 driver
  *
- * Copyright (c) 2022, Bestechnic
- * Author:
+ * Copyright (c) 2010, ST-Ericsson
+ * Author: Dmitry Tarnyagin <dmitry.tarnyagin@lockless.no>
  *
- * Based on BES2600 UMAC WSM API, which is
- * Copyright (C) SA 2010
- * Author: Stewart Mathers <stewart.mathers@stericsson.com>
+ * Copyright (c) 2022, Bestechnic (Beijing) Co., Ltd.
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
  */
 
 #ifndef BES2600_WSM_H_INCLUDED