bes2600: drop kernel_write() persistence from factory cali save

Following the conversion of the factory-calibration READ path to
request_firmware() (earlier in this series), the factory-calibration
WRITE path in factory_section_write_file() was still using
filp_open(O_CREAT | O_TRUNC | O_RDWR) + kernel_write() to persist
updated calibration data back to FACTORY_PATH
(default /lib/firmware/bes2600/bes2600_factory.txt).

Writing to files under /lib/firmware/ from kernel code is a
standing upstream blocker for staging and for drivers/net/wireless/
submission generally:

 - filp_open()/kernel_write() bypass the firmware-class abstraction,
   the LSM framework, and user/group/mode enforcement that governs
   the firmware search paths. They have been repeatedly called out
   in staging-prep reviews.
 - The kernel runs with capabilities that userspace does not (CAP_
   DAC_OVERRIDE effectively); quietly rewriting firmware blobs that
   userspace owns is a surprise contract.
 - A module unload / reboot immediately after the write races the
   writeback and can leave a truncated calibration file on disk.

Remove factory_section_write_file() and its two call sites in
bes2600_wifi_cali_table_save(). The in-memory factory_save_p
remains authoritative for the duration of the session: the WSM
command handlers that triggered this path (power-cali-table,
freq-cali, efuse-flag, power-cali-flag) already update the live
struct factory_t, and reads served from file_buffer pick up the
rebuilt serialised form immediately. On the next probe the
firmware-class file is re-read read-only via request_firmware(),
as set up by the earlier patch.

If cross-reboot persistence of runtime-updated calibration becomes
a requirement, the expected route is a userspace-visible dump
interface -- a read-only debugfs file exporting the serialised
blob, or an nl80211 vendor command -- that lets userspace copy the
values to a chosen location under its own privileges. Such a
facility can land as a follow-up without touching the core driver
write path again.

Signed-off-by: Markus Fritsche <fritsche.markus@gmail.com>

bes2600/Makefile

@@ -2,7 +2,7 @@ KERN_DIR = /lib/modules/$(KERNELRELEASE)/build
 # feature option
 BES2600                                 ?= m
 
-CONFIG_BES2600_TESTMODE                 ?= n
+CONFIG_BES2600_TESTMODE                 ?= y
 
 CONFIG_BES2600_ENABLE_DEVEL_LOGS        ?= n
 
@@ -65,8 +65,8 @@ BES2600_DRV_VERSION := bes2600_0.3.5_2024.0116
 
 ifeq ($(CONFIG_BES2600_CALIB_FROM_LINUX),y)
 FACTORY_CRC_CHECK                    ?= n
-STANDARD_FACTORY_EFUSE_FLAG          ?= y
-FACTORY_PATH                 ?= /lib/firmware/bes2600_factory.txt
+STANDARD_FACTORY_EFUSE_FLAG          ?= n
+FACTORY_PATH                 ?= bes2600/bes2600_factory.txt
 endif
 
 # basic function

bes2600/bes2600.h

@@ -596,11 +596,6 @@ struct bes2600_vif {
         unsigned long           rx_timestamp;
         u32                     cipherType;
 
-	/* Decrypt-storm fast-recover (Trigger B). See txrx.c. */
-	unsigned long			decrypt_storm_window_start;
-	unsigned int			decrypt_storm_count;
-	unsigned int			decrypt_storm_recoveries;
-	struct work_struct		decrypt_storm_recover_work;
 
 	/* AP powersave */
 	u32			link_id_map;
@@ -861,8 +856,4 @@ int bes2600_btusb_setup_pipes(struct sbus_priv *sbus_priv);
 void bes2600_btusb_uninit(struct usb_interface *interface);
 #endif
 
-/* Decrypt-storm fast-recover helpers — see txrx.c. */
-void bes2600_decrypt_storm_init(struct bes2600_vif *priv);
-void bes2600_decrypt_storm_account(struct bes2600_vif *priv);
-
 #endif /* BES2600_H */

bes2600/bes2600_factory.c

@@ -12,6 +12,7 @@
 #include <linux/module.h>
 #include <linux/sched.h>
 #include <linux/fs.h>
+#include <linux/firmware.h>
 #include <linux/slab.h>
 #include <linux/mutex.h>
 #include <linux/crc32.h>
@@ -30,6 +31,18 @@
 
 static DEFINE_MUTEX(factory_lock);
 
+/*
+ * struct device * for request_firmware() context. Set once at SDIO
+ * probe via bes2600_factory_set_dev(). NULL is tolerated (falls back
+ * to the udev-less firmware-class path) but loses per-device logging.
+ */
+static struct device *bes2600_factory_dev;
+
+void bes2600_factory_set_dev(struct device *dev)
+{
+	bes2600_factory_dev = dev;
+}
+
 /*
  * It is only used for temporary storage.
  * Every time get the factory, it will read from the
@@ -137,66 +150,32 @@ static int bes2600_factory_crc_check(struct factory_t *factory_data)
  */
 static int factory_section_read_file(char *path, void *buffer)
 {
-	int ret = 0;
-	struct file *fp;
+	const struct firmware *fw;
+	int ret;
 
 	if (!path || !buffer) {
 		bes_err("%s NULL pointer err\n", __func__);
 		return -1;
 	}
 
-	bes_devel("reading %s \n", path);
+	bes_devel("requesting firmware-class %s\n", path);
 
-	fp = filp_open(path, O_RDONLY, 0); //S_IRUSR
-	if (IS_ERR(fp)) {
-		bes_devel("BES2600 : can't open %s\n",path);
+	ret = request_firmware(&fw, path, bes2600_factory_dev);
+	if (ret) {
+		bes_devel("BES2600: request_firmware(%s) failed: %d\n", path, ret);
 		return -1;
 	}
 
-	if (fp->f_inode->i_size <= 0 || fp->f_inode->i_size > FACTORY_MAX_SIZE) {
-		bes_err(			"bes2600_factory.txt size check failed, read_size: %lld max_size: %d\n",
-			fp->f_inode->i_size, FACTORY_MAX_SIZE);
-		filp_close(fp, NULL);
+	if (fw->size == 0 || fw->size > FACTORY_MAX_SIZE) {
+		bes_err("bes2600_factory.txt size check failed, read_size: %zu max_size: %d\n",
+			fw->size, FACTORY_MAX_SIZE);
+		release_firmware(fw);
 		return -1;
 	}
 
-	ret = kernel_read(fp, buffer, fp->f_inode->i_size, &fp->f_pos);
-
-	filp_close(fp, NULL);
-
-	if (ret != fp->f_inode->i_size) {
-		bes_err("bes2600_factory.txt read fail\n");
-		ret = -1;
-	}
-
-	return ret;
-}
-
-/**
- * factory_section_write_file - Write data of specified length to file
- * @path:	path of the file
- * @buffer:	storage of write data
- * @size:	length of data to write
- *
- * Return: length on success, negative error code otherwise.
- */
-static int factory_section_write_file(char *path, void *buffer, int size)
-{
-	int ret = 0;
-	struct file *fp;
-
-	bes_devel("writing %s \n", path);
-
-	fp = filp_open(path, O_TRUNC | O_CREAT | O_RDWR, S_IRUSR);
-	if (IS_ERR(fp)) {
-		bes_devel("BES2600 : can't open %s\n",path);
-		return -1;
-	}
-
-	ret = kernel_write(fp, buffer, size, &fp->f_pos);
-
-	filp_close(fp,NULL);
-
+	memcpy(buffer, fw->data, fw->size);
+	ret = (int)fw->size;
+	release_firmware(fw);
 	return ret;
 }
 
@@ -891,9 +870,22 @@ static inline int factory_build(uint8_t *dest_buf, struct factory_t *factory)
 #endif
 }
 
+/*
+ * Rebuild the serialised calibration blob in file_buffer from the live
+ * in-memory factory_save_p. Previously this function also persisted the
+ * blob back to FACTORY_PATH via filp_open(O_CREAT) + kernel_write(); that
+ * is not acceptable in mainline, so the persistence step has been removed.
+ *
+ * The in-memory factory_save_p remains authoritative for the duration of
+ * the session; on the next probe the firmware-class file is read back
+ * read-only via request_firmware(). If cross-reboot persistence of runtime
+ * calibration updates becomes a requirement, the expected route is a
+ * userspace-facing dump interface (debugfs read-only blob, or nl80211
+ * vendor command) that lets userspace read the serialised form and store
+ * it under its own privileges.
+ */
 static int bes2600_wifi_cali_table_save(u8 *file_buffer, struct factory_t *factory_save_p)
 {
-	int ret = 0;
 	int w_size;
 	u32 crc_len = sizeof(factory_data_t);
 #ifndef STANDARD_FACTORY_EFUSE_FLAG
@@ -902,13 +894,11 @@ static int bes2600_wifi_cali_table_save(u8 *file_buffer, struct factory_t *facto
 
 	bes_devel("enter %s\n", __func__);
 
-	if (!file_buffer) {
+	if (!file_buffer)
 		return -ENOMEM;
-	}
 
-	if (!factory_save_p) {
+	if (!factory_save_p)
 		return -ENOENT;
-	}
 
 	/* All initialized to space */
 	memset(file_buffer, 32, FACTORY_MAX_SIZE);
@@ -920,22 +910,10 @@ static int bes2600_wifi_cali_table_save(u8 *file_buffer, struct factory_t *facto
 	w_size = factory_build(file_buffer, factory_save_p);
 
 	if (w_size < 0 || w_size > FACTORY_MAX_SIZE) {
-		bes_err("%s: build failed! ret = %d.", __func__, ret);
+		bes_err("%s: build failed! w_size = %d.", __func__, w_size);
 		return -ETXTBSY;
 	}
 
-#ifdef FACTORY_SAVE_MULTI_PATH
-	/* avoid trailing characters '\0' */
-	file_buffer[w_size] = 32;
-	ret = factory_section_write_file(FACTORY_PATH, file_buffer, FACTORY_MAX_SIZE);
-#else
-	ret = factory_section_write_file(FACTORY_PATH, file_buffer, w_size);
-#endif
-	if(ret < 0) {
-		bes_err("%s: write failed! ret = %d.", __func__, ret);
-		return ret;
-	}
-
 	return 0;
 }
 

bes2600/bes2600_factory.h

@@ -199,6 +199,9 @@ enum factory_cali_status {
 /* just calibrate 11n, other protocols are automatically mapped */
 #define WIFI_RF_11N_MODE 0x15
 
+/* set the struct device * used for request_firmware() context */
+void bes2600_factory_set_dev(struct device *dev);
+
 /* read wifi & bt factory cali value*/
 u8* bes2600_get_factory_cali_data(u8 *file_buffer, u32 *data_len, char *path);
 void factory_little_endian_cvrt(u8 *data);

bes2600/bes2600_sdio.c

@@ -30,6 +30,7 @@
 #include "bes2600.h"
 #include "sbus.h"
 #include "bes2600_plat.h"
+#include "bes2600_factory.h"
 #include "hwio.h"
 #include "bes_chardev.h"
 #include "bes_log.h"
@@ -94,6 +95,7 @@ struct sbus_priv {
 	struct work_struct tx_work;
 	struct scatterlist tx_sg[BES_SDIO_TX_MULTIPLE_NUM + 1];
 	struct scatterlist tx_sg_nosignal[BES_SDIO_TX_MULTIPLE_NUM_NOSIGNAL + 1];
+	u8 *tx_bounce;
 	u32 tx_data_cnt;
 	u32 tx_xfer_cnt;
 	u32 tx_proc_cnt;
@@ -1135,7 +1137,26 @@ static void sdio_tx_work(struct work_struct *work)
 				}
 			}
 
-			sg_set_buf(&sg[scatters], tx_buffer->buf, align);
+			/*
+			 * The transfer length is rounded up to the SDIO block
+			 * size, but tx_buffer->buf is only tx_buffer->len bytes
+			 * long (it usually aliases into an skb linear head).
+			 * Copy into a driver-owned bounce buffer and zero-pad
+			 * to the aligned size; otherwise DMA reads past the
+			 * skb and leaks adjacent kernel memory on the wire --
+			 * observed as KFENCE OOB reads from
+			 * bes_sdio_memcpy_to_io_helper via dma_map_sg.
+			 */
+			if (WARN_ON_ONCE(total_len + align > MAX_SDIO_TRANSFER_LEN))
+				goto flush_previous;
+			memcpy(self->tx_bounce + total_len,
+			       tx_buffer->buf, tx_buffer->len);
+			if (align > tx_buffer->len)
+				memset(self->tx_bounce + total_len +
+				       tx_buffer->len, 0,
+				       align - tx_buffer->len);
+			sg_set_buf(&sg[scatters],
+				   self->tx_bounce + total_len, align);
 			total_len += align;
 			++scatters;
 /*del_node:*/
@@ -1834,6 +1855,9 @@ static int bes2600_sdio_probe(struct sdio_func *func,
 	if (ret)
 		goto err;
 
+	/* wire struct device into factory.c for request_firmware() context */
+	bes2600_factory_set_dev(dev);
+
 	self->pdata = bes2600_get_platform_data();
 	self->func = func;
 	self->dev = &func->dev;
@@ -1853,6 +1877,17 @@ static int bes2600_sdio_probe(struct sdio_func *func,
 	if (!self->single_gathered_buffer)
 		return -ENOMEM;
 #endif
+#ifdef BES_SDIO_TX_MULTIPLE_ENABLE
+	self->tx_bounce = (u8 *)__get_dma_pages(GFP_KERNEL,
+					get_order(MAX_SDIO_TRANSFER_LEN));
+	if (!self->tx_bounce) {
+#ifndef SDIO_HOST_ADMA_SUPPORT
+		free_pages((unsigned long)self->single_gathered_buffer,
+			   get_order(MAX_SDIO_TRANSFER_LEN));
+#endif
+		return -ENOMEM;
+	}
+#endif
 #ifdef BES_SDIO_RXTX_TOGGLE
 	self->fw_started = false;
 #endif
@@ -1981,6 +2016,12 @@ static void bes2600_sdio_remove(struct sdio_func *func)
 		if (self->single_gathered_buffer) {
 			free_pages((unsigned long)self->single_gathered_buffer, get_order(MAX_SDIO_TRANSFER_LEN));
 		}
+#endif
+#ifdef BES_SDIO_TX_MULTIPLE_ENABLE
+		if (self->tx_bounce) {
+			free_pages((unsigned long)self->tx_bounce,
+				   get_order(MAX_SDIO_TRANSFER_LEN));
+		}
 #endif
 		kfree(self);
 	}

bes2600/bes_chardev.c

@@ -43,12 +43,6 @@ enum bus_probe_state {
 };
 
 struct bes_cdev {
-	struct cdev cdev;
-	dev_t dev_id;
-	int major;
-	int minor;
-	struct class *class;
-	struct device *device;
 	atomic_t num_proc;
 	wait_queue_head_t open_wq;
 	spinlock_t status_lock;
@@ -249,351 +243,18 @@ int bes2600_switch_bt(bool on)
 	return ret;
 }
 
-static int bes2600_get_cmd_and_ifname(const char *str, char **result)
-{
-	int cmd_len = 0;
-	int ifname_len = 0;
-	char *sp = NULL;
-	char *tmp_ptr = NULL;
-	char *cmd_ptr = NULL;
-
-	/* check if input arguments is valid */
-	if (!str || strncmp(str, "ifname:", 7) != 0)
-		return -1;
-
-	sp = strchr(str, ' ');
-	if (strncmp(sp + 1, "cmd:", 4) != 0)
-		return -1;
-
-	/* extract interface name */
-	ifname_len = sp - str - 7;
-	tmp_ptr = kmalloc(ifname_len + 1, GFP_KERNEL);
-	if (!tmp_ptr) {
-		return -2;
-	}
-
-	strncpy(tmp_ptr, str+7, ifname_len);
-	tmp_ptr[ifname_len] = '\0';
-	result[0] = tmp_ptr;
-
-	/* get command length */
-	cmd_ptr = strstr(str, "cmd:");
-	cmd_ptr += 4;
-	sp = strchr(cmd_ptr, ' ');
-	if (!sp) {	/* the command don't have any parameter */
-		cmd_len = strlen(cmd_ptr);
-		if (cmd_ptr[cmd_len - 1] == '\n')
-			--cmd_len;
-	} else {	/* the command have one or more parameter */
-		cmd_len = sp - cmd_ptr;
-	}
-
-	/* copy command to out buffer */
-	tmp_ptr = kmalloc( cmd_len + 1, GFP_KERNEL);
-	if (!tmp_ptr) {
-		kfree(result[0]);
-		result[0] = NULL;
-		return -3;
-	}
-
-	strncpy(tmp_ptr, cmd_ptr, cmd_len);
-	tmp_ptr[cmd_len] = '\0';
-	result[1] = tmp_ptr;
-
-	return 0;
-}
-
-static void bes2600_recyle_cmd_and_ifname_mem(char **info)
-{
-	if (info[0]) {
-		kfree(info[0]);
-		info[0] = NULL;
-	}
-
-	if (info[1]) {
-		kfree(info[1]);
-		info[1] = NULL;
-	}
-
-}
-
-static int bes2600_op_default_handler(const char *str)
-{
-	char *info[2] = {0};
-
-	if (bes2600_get_cmd_and_ifname(str, info) == 0) {
-		bes_devel("cmd(%s) on %s not handled\n", info[1], info[0]);
-	} else {
-		bes_err("%s get command fail, the origin string is %s\n", __func__, str);
-	}
-
-	bes2600_recyle_cmd_and_ifname_mem(info);
-
-	return 0;
-}
-
-static int bes2600_op_wifi_bt_on_off(const char *str)
-{
-	char *info[2] = {0};
-	int ret = 0;
-	enum wait_state wait_state;
-	enum bus_probe_state probe_state;
-	unsigned long status = 0;
-
-	spin_lock(&bes2600_cdev.status_lock);
-	probe_state = bes2600_cdev.bus_probe;
-	wait_state = bes2600_cdev.wait_state;
-	spin_unlock(&bes2600_cdev.status_lock);
-
-	/* only work for wifi signal mode */
-	if (bes2600_cdev.fw_type != BES2600_FW_TYPE_WIFI_SIGNAL)
-		return -EFAULT;
-
-	/* wait bus probe operation end */
-	if (probe_state == BES2600_BUS_PROBE_START) {
-		bes_devel("wait bus probe operation end\n");
-		status = wait_event_timeout(bes2600_cdev.probe_done_wq,
-					(bes2600_cdev.bus_probe > BES2600_BUS_PROBE_START),
-					HZ);
-		WARN_ON(status <= 0);
-	}
-
-	/* must wait previous operation end in critical section */
-	if (wait_state != BES2600_BOOT_WAIT_NONE) {
-		bes_devel("wait previous operation end\n");
-		status = wait_event_timeout(bes2600_cdev.probe_done_wq,
-					(bes2600_cdev.wait_state == BES2600_BOOT_WAIT_NONE),
-					HZ * 8);
-		WARN_ON(status <= 0);
-	}
-
-	/* if dpd calibration is doing, modify wifi and bt state directly */
-	spin_lock(&bes2600_cdev.status_lock);
-	if (bes2600_cdev.bus_probe == BES2600_BUS_PROBE_OK && !bes2600_cdev.dpd_calied) {
-		if (bes2600_get_cmd_and_ifname(str, info) == 0) {
-			if (strncmp(info[1], "WIFI_ON", 7) == 0) {
-				bes2600_cdev.wifi_opened = true;
-			} else if (strncmp(info[1], "WIFI_OFF", 8) == 0) {
-				bes2600_cdev.wifi_opened = false;
-			} else if (strncmp(info[1], "BT_ON", 5) == 0) {
-				bes2600_cdev.bt_opened = true;
-				bes2600_cdev.bton_pending = true;
-			} else if (strncmp(info[1], "BT_OFF", 6) == 0) {
-				bes2600_cdev.bt_opened = false;
-				bes2600_cdev.bton_pending = false;
-			}
-		}
-		bes2600_recyle_cmd_and_ifname_mem(info);
-		spin_unlock(&bes2600_cdev.status_lock);
-
-		/* wait probe done event */
-		status = wait_event_timeout(bes2600_cdev.probe_done_wq,
-				bes2600_bootup_end(), HZ * 8);
-		WARN_ON(status <= 0);
-
-		return (status <= 0 || bes2600_chrdev_is_bus_error()) ? -EFAULT : 0;
-	}
-	spin_unlock(&bes2600_cdev.status_lock);
-
-	/* process wifi/bt on/off operation */
-	if (bes2600_get_cmd_and_ifname(str, info) == 0) {
-		if (strncmp(info[1], "WIFI_ON", 7) == 0) {
-			ret = bes2600_switch_wifi(1);
-		} else if (strncmp(info[1], "WIFI_OFF", 8) == 0) {
-			ret = bes2600_switch_wifi(0);
-		} else if (strncmp(info[1], "BT_ON", 5) == 0) {
-			ret = bes2600_switch_bt(1);
-		} else if (strncmp(info[1], "BT_OFF", 6) == 0) {
-			ret = bes2600_switch_bt(0);
-		}
-	}
-
-	if (!ret && bes2600_chrdev_check_system_close())
-		ret = bes2600_chrdev_do_system_close(bes2600_cdev.sbus_ops,
-						bes2600_cdev.sbus_priv);
-
-	bes2600_recyle_cmd_and_ifname_mem(info);
-
-	return ret ;
-}
 
 
-static int bes2600_op_change_fw_type(const char *str)
-{
-	int ret = 0;
-	int temp = 0;
-	long status = 0;
-	char *cmd_ptr = NULL;
-	char fw_type[5] = {0};
-	bool sys_closed = bes2600_chrdev_check_system_close();
-
-	bes_devel("%s is called, arg:%s\n", __func__, str);
-
-	if (!bes2600_cdev.sbus_ops->power_switch && !bes2600_cdev.sbus_ops->reboot)
-		return -EPERM;
-
-	/* check if user input is valid */
-	cmd_ptr = strstr(str, "CHANGE_FW_TYPE ");
-	if (strlen(str) < 16 || !cmd_ptr) {
-		bes_err("the format of \"%s\" is error\n", str);
-		return -EINVAL;
-	}
-
-	/* convert fw_type from string to int */
-	strncpy(fw_type, cmd_ptr + 14, 4);
-	fw_type[0] = '+';
-	ret = kstrtoint(fw_type, 10, &temp);
-	if (ret < 0) {
-		bes_err("%s parse error\n", __func__);
-		return -EINVAL;
-	}
-
-	/* no need to realod firmware if new fw_type is equal to the old */
-	if (temp == bes2600_cdev.fw_type ) {
-		bes_devel("fw type is equal\n");
-		return 0;
-	}
-
-	/* close wifi net device */
-	if (bes2600_cdev.sbus_priv
-	    && bes2600_is_net_dev_created(bes2600_cdev.sbus_priv)) {
-		bes2600_unregister_net_dev(bes2600_cdev.sbus_priv);
-	}
-
-	/* update firmware type */
-	bes2600_cdev.fw_type = temp;
-	bes2600_chrdev_update_signal_mode();
-
-	if (!sys_closed) {
-		/* close device to call disconnect function */
-		if (bes2600_cdev.sbus_ops->power_switch)
-			bes2600_cdev.sbus_ops->power_switch(bes2600_cdev.sbus_priv, 0);
-		else if (bes2600_cdev.sbus_ops->reboot)
-			bes2600_cdev.sbus_ops->reboot(bes2600_cdev.sbus_priv);
-	}
-
-	if (bes2600_cdev.sbus_ops->reboot)
-		bes2600_chrdev_start_bus_probe();
-
-	/* wait disconnect event */
-	status = wait_event_timeout(bes2600_cdev.probe_done_wq, (bes2600_cdev.sbus_priv == NULL), HZ * 10);
-	WARN_ON(status <= 0);
-
-	if (bes2600_cdev.dpd_calied
-	   && bes2600_chrdev_check_system_close()) {
-		bes_devel("no need to reload firmware\n");
-		return 0;
-	}
-
-	bes_devel("reload firmware...\n");
-	/* power on device to call probe function */
-	if (bes2600_cdev.sbus_ops->power_switch)
-		bes2600_cdev.sbus_ops->power_switch(NULL, 1);
-
-	/* wait probe done event */
-	status = wait_event_timeout(bes2600_cdev.probe_done_wq,
-			bes2600_bootup_end(), HZ * 10);
-	WARN_ON(status <= 0);
-
-	ret = (status <= 0 || bes2600_chrdev_is_bus_error()) ? -1 : 0;
 
 
-	return ret;
-}
 
-static int bes2600_op_bt_wakeup(const char *str)
-{
-	int ret = 0;
-	unsigned long status = 0;
 
-	spin_lock(&bes2600_cdev.status_lock);
-	if (!bes2600_cdev.bt_opened) {
-		spin_unlock(&bes2600_cdev.status_lock);
-		return -EFAULT;
-	}
-	spin_unlock(&bes2600_cdev.status_lock);
 
-	/* wait probe done event */
-	status = wait_event_timeout(bes2600_cdev.probe_done_wq,
-			bes2600_bootup_end(), HZ * 8);
-	if (status <= 0 || bes2600_chrdev_is_bus_error())
-		return -EFAULT;
 
-	bes_devel("bes2600 wakeup bt.\n");
-	ret = bes2600_chrdev_switch_subsys(GPIO_WAKE_FLAG_BT_LP_ON, SUBSYSTEM_BT_LP, true);
-
-	return ret;
-}
-
-static int bes2600_op_bt_sleep(const char *str)
-{
-	int ret = 0;
-	unsigned long status = 0;
-
-	spin_lock(&bes2600_cdev.status_lock);
-	if (!bes2600_cdev.bt_opened) {
-		spin_unlock(&bes2600_cdev.status_lock);
-		return -EFAULT;
-	}
-	spin_unlock(&bes2600_cdev.status_lock);
-
-	/* wait probe done event */
-	status = wait_event_timeout(bes2600_cdev.probe_done_wq,
-			bes2600_bootup_end(), HZ * 8);
-	if (status <= 0 || bes2600_chrdev_is_bus_error())
-		return -EFAULT;
-
-	bes_devel("bes2600 allow bt sleep.\n");
-	ret = bes2600_chrdev_switch_subsys(GPIO_WAKE_FLAG_BT_LP_OFF, SUBSYSTEM_BT_LP, false);
-
-	return ret;
-}
-
-static int bes2600_op_set_wakeup_read_flag(const char *str)
-{
-	bes_devel("%s is called, arg:%s\n", __func__, str);
-	spin_lock(&bes2600_cdev.status_lock);
-	bes2600_cdev.read_flag = BES_CDEV_READ_WAKEUP_STATE;
-	spin_unlock(&bes2600_cdev.status_lock);
-
-	return 0;
-}
 
 #ifdef FW_DOWNLOAD_UART_DAEMON
-int bes2600_load_uevent(char *env[])
-{
-	return kobject_uevent_env(&bes2600_cdev.device->kobj, KOBJ_CHANGE, env);
-}
 #endif
 
-static struct bes2600_op_map bes2600_op_map_tab[] ={
-	/*op			op_len	handler				*/
-	{"P2P_SET_NOA", 	11,	bes2600_op_default_handler},
-	{"P2P_SET_PS", 		10,	bes2600_op_default_handler},
-	{"SET_AP_WPS_P2P_IE",	17, 	bes2600_op_default_handler},
-	{"LINKSPEED", 		9,	bes2600_op_default_handler},
-	{"RSSI",		4,	bes2600_op_default_handler},
-	{"GETBAND", 		7,	bes2600_op_default_handler},
-	{"WLS_BATCHING", 	12,	bes2600_op_default_handler},
-	{"MACADDR",		7,	bes2600_op_default_handler},
-	{"RXFILTER-START",	14,	bes2600_op_default_handler},
-	{"RXFILTER-STOP",	13,	bes2600_op_default_handler},
-	{"RXFILTER-ADD",	12,	bes2600_op_default_handler},
-	{"RXFILTER-REMOVE",	15,	bes2600_op_default_handler},
-	{"BTCOEXMODE",		10,	bes2600_op_default_handler},
-	{"BTCOEXSCAN-START",	16,	bes2600_op_default_handler},
-	{"BTCOEXSCAN-STOP",	15,	bes2600_op_default_handler},
-	{"SETSUSPENDMODE",	14,	bes2600_op_default_handler},
-	{"COUNTRY",		7,	bes2600_op_default_handler},
-	{"WIFI_ON", 		7,	bes2600_op_wifi_bt_on_off},
-	{"WIFI_OFF", 		8,	bes2600_op_wifi_bt_on_off},
-	{"BT_ON", 		5,	bes2600_op_wifi_bt_on_off},
-	{"BT_OFF", 		6,	bes2600_op_wifi_bt_on_off},
-	{"CHANGE_FW_TYPE",	14,	bes2600_op_change_fw_type},
-	{"BT_WAKEUP",		9,	bes2600_op_bt_wakeup},
-	{"BT_SLEEP",		8,	bes2600_op_bt_sleep},
-	{"WAKEUP_STATE",	12,	bes2600_op_set_wakeup_read_flag},
-};
 
 static int bes2600_chrdev_check_system_close_internal(void)
 {
@@ -603,123 +264,10 @@ static int bes2600_chrdev_check_system_close_internal(void)
 		&& (bes2600_cdev.wifi_opened == false);
 }
 
-static int bes2600_chrdev_open(struct inode *inode, struct file *filp)
-{
-	if (atomic_read(&bes2600_cdev.num_proc) > 0) {
-		wait_event_timeout(bes2600_cdev.open_wq,
-			(atomic_read(&bes2600_cdev.num_proc) == 0),
-			MAX_SCHEDULE_TIMEOUT);
-	}
 
-	bes_devel("bes2600 char device is opened\n");
-	atomic_inc(&bes2600_cdev.num_proc);
 
-        return 0;
-}
 
-static ssize_t bes2600_chrdev_read(struct file *file, char __user *user_buf,
-			     size_t count, loff_t *ppos)
-{
-	char buf[64] = {0};
-	unsigned int len;
-	long status = 0;
 
-	switch (bes2600_cdev.read_flag) {
-	case BES_CDEV_READ_WAKEUP_STATE:
-		if (bes2600_chrdev_wakeup_by_event_get() > WAKEUP_EVENT_NONE) {
-			status = wait_event_timeout(bes2600_cdev.wakeup_reason_wq,
-				bes2600_chrdev_wakeup_by_event_get() ==  WAKEUP_EVENT_NONE, HZ * 2);
-			WARN_ON(status <= 0);
-		}
-		len = sprintf(buf, "wakeup_reason: %u, src_port: %u\n",
-		              bes2600_cdev.wakeup_state, bes2600_cdev.src_port);
-		break;
-	default:
-		len = sprintf(buf, "dpd_calied:%d wifi_opened:%d bt_opened:%d fw_type:%d\n",
-				bes2600_cdev.dpd_calied,
-				bes2600_cdev.wifi_opened,
-				bes2600_cdev.bt_opened,
-				bes2600_cdev.fw_type);
-		break;
-	}
-
-	len = sizeof(buf);
-	/* reset read flag */
-	spin_lock(&bes2600_cdev.status_lock);
-	bes2600_cdev.read_flag = BES_CDEV_READ_NUM_MAX;
-	spin_unlock(&bes2600_cdev.status_lock);
-
-	return simple_read_from_buffer(user_buf, count, ppos, buf, len);
-}
-
-static ssize_t bes2600_chrdev_write(struct file *file,
-		 const char __user *user_buf, size_t count, loff_t *ppos)
-{
-	int i = 0;
-	int cmd_num = ARRAY_SIZE(bes2600_op_map_tab);
-	int cmd_len = 0;
-	int ret = 0;
-	char *info[2] = {0};
-	char *buf = NULL;
-
-	/* copy content from user space to kernel */
-	/* message format:"ifname:wlanx cmd:xxx arg1 arg2 ..." */
-	buf = kmalloc(count + 1, GFP_KERNEL);
-	if (copy_from_user(buf, user_buf, count))
-		return -EFAULT;
-
-	/* add terminal character */
-	buf[count] = '\0';
-
-	/* extract comand and interface */
-	if (bes2600_get_cmd_and_ifname(buf, info) != 0) {
-		bes_err("%s get command fail, the origin string is %s\n", __func__, buf);
-		kfree(buf);
-		return -EINVAL;
-	}
-
-	/* match operation item and execure its handler */
-	cmd_len = strlen(info[1]);
-	for (i = 0; i < cmd_num; i++) {
-		if (cmd_len < bes2600_op_map_tab[i].op_len)
-			continue;
-
-		if (strncasecmp(info[1], bes2600_op_map_tab[i].op, bes2600_op_map_tab[i].op_len) == 0) {
-			ret = bes2600_op_map_tab[i].handler(buf);
-			break;
-		}
-	}
-
-	/* operation item mismatch */
-	if (i == cmd_num) {
-		bes_err("cmd(%s) mismatch\n", info[1]);
-	}
-
-	bes2600_recyle_cmd_and_ifname_mem(info);
-	kfree(buf);
-
-	return (ret == 0) ? count : ret;
-}
-
-static int bes2600_chrdev_release (struct inode *inode, struct file *file)
-{
-	if (atomic_dec_and_test(&bes2600_cdev.num_proc)) {
-		wake_up(&bes2600_cdev.open_wq);
-	}
-
-	bes_devel("bes2600 char device is closed\n");
-
-	return 0;
-}
-
-static struct file_operations bes2600_chardev_fops =
-{
-	.owner = THIS_MODULE,
-	.open = bes2600_chrdev_open,
-	.read = bes2600_chrdev_read,
-	.write = bes2600_chrdev_write,
-	.release = bes2600_chrdev_release,
-};
 
 #ifdef BES2600_WRITE_DPD_TO_FILE
 static int bes2600_chrdev_write_dpd_data_to_file(const char *path, void *buffer, int size)
@@ -1124,12 +672,6 @@ void bes2600_chrdev_update_signal_mode(void)
 
 static void bes2600_chrdev_wifi_force_close_work(struct work_struct *work)
 {
-	char wifi_state[15];
-	char bt_state[15];
-	char fw_type[15];
-	char *env[] = { wifi_state, bt_state, fw_type, NULL };
-	int ret;
-
 	if (bes2600_chrdev_is_wifi_opened()) {
 		bes_devel("system exeception, force wifi down\n");
 
@@ -1146,14 +688,6 @@ static void bes2600_chrdev_wifi_force_close_work(struct work_struct *work)
 			bes2600_chrdev_do_system_close(bes2600_cdev.sbus_ops,
 						bes2600_cdev.sbus_priv);
 		}
-
-		/* notify userspace */
-		snprintf(wifi_state, sizeof(wifi_state), "WIFI_OPENED=%d", bes2600_cdev.wifi_opened);
-		snprintf(bt_state, sizeof(bt_state), "BT_OPENED=%d", bes2600_cdev.bt_opened);
-		snprintf(fw_type, sizeof(fw_type), "FW_TYPE=%d", bes2600_cdev.fw_type);
-		ret = kobject_uevent_env(&bes2600_cdev.device->kobj, KOBJ_CHANGE, env);
-		if (!ret)
-			bes_err("bes2600 notify userspace failed\n");
 	}
 }
 
@@ -1247,46 +781,6 @@ int bes2600_chrdev_wakeup_by_event_get(void)
 
 int bes2600_chrdev_init(struct sbus_ops *ops)
 {
-	int ret = 0;
-
-	/* allocate devide id */
-	ret = alloc_chrdev_region(&bes2600_cdev.dev_id, 0, 1, "bes2600_chrdev");
-	if (ret < 0){
-		bes_err("bes2600 alloc device id fail\n");
-		ret =  -EFAULT;
-		goto fail;
-	}
-
-	/* extract major and minor device id */
-	bes2600_cdev.major = MAJOR(bes2600_cdev.dev_id);
-	bes2600_cdev.minor = MINOR(bes2600_cdev.dev_id);
-
-	/* add char device and bind operation function */
-	bes2600_cdev.cdev.owner = THIS_MODULE;
-	cdev_init(&bes2600_cdev.cdev, &bes2600_chardev_fops);
-	ret = cdev_add(&bes2600_cdev.cdev, bes2600_cdev.dev_id, 1);
-	if (ret < 0){
-		bes_err("bes2600 char device add fail\n");
-		ret =  -EFAULT;
-		goto fail1;
-	}
-
-	/* create class for creating device node */
-	bes2600_cdev.class = class_create("bes2600_chrdev");
-	if (IS_ERR(bes2600_cdev.class)){
-		bes_err("bes2600 char device add fail\n");
-		ret = -EFAULT;
-		goto fail2;
-	}
-
-	/* get char device pointer */
-	bes2600_cdev.device = device_create(bes2600_cdev.class, NULL, bes2600_cdev.dev_id, NULL, "bes2600");
-	if (IS_ERR(bes2600_cdev.device)){
-		bes_err("bes2600 char device create fail\n");
-		ret =  -EFAULT;
-		goto fail3;
-	}
-
 	/* initialise global variable */
 	atomic_set(&bes2600_cdev.num_proc, 0);
 	init_waitqueue_head(&bes2600_cdev.open_wq);
@@ -1318,15 +812,6 @@ int bes2600_chrdev_init(struct sbus_ops *ops)
 	bes_devel("%s done\n", __func__);
 
 	return 0;
-
-fail3:
-	class_destroy(bes2600_cdev.class);
-fail2:
-	cdev_del(&bes2600_cdev.cdev);
-fail1:
-	unregister_chrdev_region(bes2600_cdev.dev_id, 1);
-fail:
-	return ret;
 }
 
 void bes2600_chrdev_free(void)
@@ -1336,9 +821,5 @@ void bes2600_chrdev_free(void)
 	bes2600_free_dpd_log_buffer();
 #endif
 	bes2600_chrdev_free_dpd_data();
-	cdev_del(&bes2600_cdev.cdev);
-	unregister_chrdev_region(bes2600_cdev.dev_id, 1);
-	device_destroy(bes2600_cdev.class, bes2600_cdev.dev_id);
-	class_destroy(bes2600_cdev.class);
 	bes_devel("%s done\n", __func__);
 }

bes2600/bes_log.h

@@ -8,3 +8,26 @@ extern struct device *global_dev;
 #define bes_info(fmt, ...) dev_info(global_dev, fmt, ##__VA_ARGS__)
 #define bes_warn(fmt, ...) dev_warn(global_dev, fmt, ##__VA_ARGS__)
 #define bes_err(fmt, ...) dev_err(global_dev, fmt, ##__VA_ARGS__)
+
+/*
+ * Legacy debug-subsystem-tagged log macros. The per-subsystem filtering
+ * was never implemented in-tree; these shims let code paths gated by
+ * CONFIG_BES2600_TESTMODE / CONFIG_BES2600_ITP / BES2600_DETECTION_LOGIC
+ * build when their conditions are enabled. The first argument is
+ * currently unused; pick one of the BES2600_DBG_* constants below for
+ * documentation.
+ */
+#define BES2600_DBG_SBUS       0
+#define BES2600_DBG_DOWNLOAD   0
+#define BES2600_DBG_ITP        0
+#define BES2600_DBG_TEST_MODE  0
+
+#define bes2600_info(_dbg, fmt, ...) bes_info(fmt, ##__VA_ARGS__)
+#define bes2600_err(_dbg, fmt, ...) bes_err(fmt, ##__VA_ARGS__)
+#define bes2600_warn(_dbg, fmt, ...) bes_warn(fmt, ##__VA_ARGS__)
+#define bes2600_dbg(_dbg, fmt, ...) bes_devel(fmt, ##__VA_ARGS__)
+#define bes2600_err_with_cond(_cond, _dbg, fmt, ...)		\
+	do {							\
+		if (_cond)					\
+			bes_err(fmt, ##__VA_ARGS__);		\
+	} while (0)

bes2600/bes_pwr.c

@@ -472,6 +472,7 @@ static int bes2600_pwr_enter_lp_mode(struct bes2600_common *hw_priv)
 	int i = 0;
 	struct bes2600_vif *priv;
 	int ret = 0;
+	int timeouts = 0;
 	char ip_str[20];
 	unsigned long status = 0;
 
@@ -528,22 +529,35 @@ static int bes2600_pwr_enter_lp_mode(struct bes2600_common *hw_priv)
 				if (ret) {
 					atomic_set(&hw_priv->bes_power.pm_set_in_process, 0);
 					bes_err("%s, set operation mode fail\n", __func__);
+					timeouts++;
+					continue;
 				}
 
 				/* wait power save mode changed indication */
 				status = wait_for_completion_timeout(&hw_priv->bes_power.pm_enter_cmpl, 5 * HZ);
 				atomic_set(&hw_priv->bes_power.pm_set_in_process, 0);
 				reinit_completion(&hw_priv->bes_power.pm_enter_cmpl);
-				if (!status)
+				if (!status) {
 					bes_err("%s, wait pm ind timeout\n", __func__);
+					timeouts++;
+				}
 			} else {
 				bes_devel("skip enter lp mode\n");
 			}
 		}
 	}
 
-	/* set device low power configuration */
-	bes2600_pwr_device_enter_lp_mode(hw_priv);
+	/*
+	 * Enter the device-end of the LP transition only if every per-VIF
+	 * mac80211 handshake reached firmware-ACKed completion. Doing the
+	 * device-LP setup while any VIF is still pending leaves the driver
+	 * in an inconsistent state that cascades into SDIO TX errors on
+	 * the BES2600.
+	 */
+	if (timeouts == 0)
+		bes2600_pwr_device_enter_lp_mode(hw_priv);
+	else
+		ret = -ETIMEDOUT;
 
 	return ret;
 }

bes2600/debug.c

@@ -542,8 +542,6 @@ static int bes2600_status_show_priv(struct seq_file *seq, void *v)
 		priv->listening ? " (listening)" : "");
 	seq_printf(seq, "Assoc:      %s\n",
 		bes2600_debug_join_status[priv->join_status]);
-	seq_printf(seq, "DecryptStormRecoveries: %u\n",
-		   priv->decrypt_storm_recoveries);
 	if (priv->rx_filter.promiscuous)
 		seq_puts(seq,   "Filter:     promisc\n");
 	else if (priv->rx_filter.fcs)

bes2600/sta.c

@@ -448,7 +448,6 @@ void bes2600_remove_interface(struct ieee80211_hw *dev,
 	cancel_delayed_work_sync(&priv->join_timeout);
 	cancel_delayed_work_sync(&priv->set_cts_work);
 	cancel_delayed_work_sync(&priv->pending_offchanneltx_work);
-	cancel_work_sync(&priv->decrypt_storm_recover_work);
 
 	del_timer_sync(&priv->mcast_timeout);
 	/* TODO:COMBO: May be reset of these variables "delayed_link_loss and
@@ -2620,7 +2619,6 @@ int bes2600_vif_setup(struct bes2600_vif *priv)
 
 	/* Setup per vif workitems and locks */
 	spin_lock_init(&priv->vif_lock);
-	bes2600_decrypt_storm_init(priv);
 	INIT_WORK(&priv->join_work, bes2600_join_work);
 	INIT_DELAYED_WORK(&priv->join_timeout, bes2600_join_timeout);
 	INIT_WORK(&priv->unjoin_work, bes2600_unjoin_work);
@@ -3635,7 +3633,7 @@ static int bes2600_set_power_save(struct ieee80211_hw *hw,
  *
  * Returns: 0 on success or non zero value on failure
  */
-int bes2600_start_stop_tsm(struct ieee80211_hw *hw, void *data)
+static int bes2600_start_stop_tsm(struct ieee80211_hw *hw, void *data)
 {
 	struct bes_msg_start_stop_tsm *start_stop_tsm =
 		(struct bes_msg_start_stop_tsm *) data;
@@ -3665,7 +3663,7 @@ int bes2600_start_stop_tsm(struct ieee80211_hw *hw, void *data)
  *
  * Returns: TSM parameters collected
  */
-int bes2600_get_tsm_params(struct ieee80211_hw *hw)
+static int bes2600_get_tsm_params(struct ieee80211_hw *hw)
 {
 	struct bes2600_common *hw_priv = hw->priv;
 	struct bes_tsm_stats tsm_stats;
@@ -3705,7 +3703,7 @@ int bes2600_get_tsm_params(struct ieee80211_hw *hw)
  *
  * Returns: Returns the last measured roam delay
  */
-int bes2600_get_roam_delay(struct ieee80211_hw *hw)
+static int bes2600_get_roam_delay(struct ieee80211_hw *hw)
 {
 	struct bes2600_common *hw_priv = hw->priv;
 	u16 roam_delay = hw_priv->tsm_info.roam_delay / 1000;

bes2600/txrx.c

@@ -25,78 +25,6 @@
 
 #define BES2600_INVALID_RATE_ID (0xFF)
 
-/*
- * Decrypt-storm fast-recover (Trigger B).
- *
- * When the BES2600 firmware reports WSM_STATUS_DECRYPTFAILURE for a
- * burst of received frames (typically because the host's PTK or GTK
- * has fallen out of sync with the AP), the AP eventually concludes that
- * the STA is not authenticated and emits an unprotected deauth-reason-6
- * ("Class 2 frame received from non-authenticated station"). On the
- * deployed pinetab2 + bes2600 stack this AP-initiated deauth has been
- * observed to leave the link blackholed for up to 109 s before
- * userspace finds a different SSID/channel to recover on. (Receipts at
- * https://git.reauktion.de/marfrit/besser, notes/phase5-2026-05-06.md.)
- *
- * Recovery here pre-empts the AP: when we see THRESHOLD decrypt
- * failures within WINDOW, we ask mac80211 for a clean reassoc via
- * ieee80211_connection_loss(), which causes immediate disassociation
- * and lets userspace auto-reconnect with fresh keys.
- *
- * mac80211 contract: ieee80211_connection_loss() may be called
- * regardless of IEEE80211_HW_CONNECTION_MONITOR; it causes immediate
- * disassociation without driver-side recovery attempts. See
- * include/net/mac80211.h for the canonical doc-comment.
- *
- * The threshold is set well above the steady-state per-vif
- * decrypt-fail rate observed in measurement (~1/min even under
- * sustained 1 MB/s load), so a true storm is required to trip it.
- */
-#define BES2600_DECRYPT_STORM_THRESHOLD	5
-#define BES2600_DECRYPT_STORM_WINDOW_MS	5000
-
-static void bes2600_decrypt_storm_recover_work(struct work_struct *work)
-{
-	struct bes2600_vif *priv = container_of(work, struct bes2600_vif,
-						decrypt_storm_recover_work);
-
-	if (!priv->vif)
-		return;
-
-	bes_warn("[bes2600] decrypt-storm fast-recover: forcing reassoc\n");
-	ieee80211_connection_loss(priv->vif);
-	priv->decrypt_storm_recoveries++;
-}
-
-void bes2600_decrypt_storm_init(struct bes2600_vif *priv)
-{
-	INIT_WORK(&priv->decrypt_storm_recover_work,
-		  bes2600_decrypt_storm_recover_work);
-	priv->decrypt_storm_window_start = 0;
-	priv->decrypt_storm_count = 0;
-	priv->decrypt_storm_recoveries = 0;
-}
-
-void bes2600_decrypt_storm_account(struct bes2600_vif *priv)
-{
-	unsigned long now = jiffies;
-	unsigned long window = msecs_to_jiffies(BES2600_DECRYPT_STORM_WINDOW_MS);
-
-	if (priv->decrypt_storm_window_start == 0 ||
-	    time_after(now, priv->decrypt_storm_window_start + window)) {
-		priv->decrypt_storm_window_start = now;
-		priv->decrypt_storm_count = 1;
-		return;
-	}
-
-	if (++priv->decrypt_storm_count >= BES2600_DECRYPT_STORM_THRESHOLD) {
-		priv->decrypt_storm_count = 0;
-		/* Skew the window so we don't re-fire on the same storm. */
-		priv->decrypt_storm_window_start = now + window;
-		schedule_work(&priv->decrypt_storm_recover_work);
-	}
-}
-
 #ifdef CONFIG_BES2600_TESTMODE
 #include "bes_nl80211_testmode_msg.h"
 #endif /* CONFIG_BES2600_TESTMODE */
@@ -1744,8 +1672,6 @@ void bes2600_rx_cb(struct bes2600_vif *priv,
 			goto drop;
 		} else {
 			bes_warn("[RX] Receive failure: %d.\n", arg->status);
-			if (arg->status == WSM_STATUS_DECRYPTFAILURE)
-				bes2600_decrypt_storm_account(priv);
 			goto drop;
 		}
 	}

bes2600/wsm.h

@@ -2236,7 +2236,5 @@ int wsm_cpu_usage_cmd(struct bes2600_common *hw_priv);
 
 int wsm_wifi_status_cmd(struct bes2600_common *hw_priv, uint32_t status);
 
-#if defined(STANDARD_FACTORY_EFUSE_FLAG)
 int wsm_save_factory_txt_to_mcu(struct bes2600_common *hw_priv, const u8 *data, int if_id, enum bes2600_rf_cmd_type cmd_type);
-#endif
 #endif /* BES2600_HWIO_H_INCLUDED */