patches: re-roll staging-prep as 7-patch series (tx-bounce added)

Fold bes2600/tx-sdio-dma-oob into the linear series as 7/7. Re-cover-letter and update testing matrix. Update UPSTREAM.md table and submission route to list the 7th branch. The PS Mode Error residual note is removed from the known-limitations section -- it stopped recurring after 7/7 deployed. Both staging-prep-series/ (Mobian paths) and staging-prep-series- danctnix/ (drivers/staging/bes2600/ paths) variants regenerated; all 14 patch files checkpatch --strict clean (0/0/0). Net: +117 / -550 lines across 9 files.
2026-04-23 12:43:29 +02:00
parent b9f90c30e1
commit b8ba0b342e
17 changed files with 617 additions and 239 deletions
@@ -1,7 +1,11 @@
-From 6f13e008d21d453db486f707f47340a0a17e650b Mon Sep 17 00:00:00 2001
+From 10a05d21bfe4563f963e16d65228fd7a713c143d Mon Sep 17 00:00:00 2001
+Message-ID: <cover.1776940528.git.fritsche.markus@gmail.com>
 From: Markus Fritsche <fritsche.markus@gmail.com>
-Date: Wed, 22 Apr 2026 14:15:56 +0200
-Subject: [PATCH 0/6] bes2600: staging-prep cleanup for PineTab2 (BES2600WM)
+Date: Thu, 23 Apr 2026 12:35:28 +0200
+Subject: [PATCH 0/7] bes2600: staging-prep cleanup for PineTab2 (BES2600WM)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit

 This series is a staging-prep cleanup for the out-of-tree Bestechnic
 BES2600WM Wi-Fi/BT combo-chip driver as shipped by Mobian's bes2600-dkms
@@ -24,14 +28,14 @@ dependencies.

 ## What the series does

-* 1/6 -- Replace filp_open() + kernel_read() in the factory-calibration
+* 1/7 -- Replace filp_open() + kernel_read() in the factory-calibration
  read path with request_firmware(). Repoint the FACTORY_PATH macro to
  the firmware-class name (bes2600/bes2600_factory.txt, matching the
  /lib/firmware/ layout). Kills a kernel-mainline anti-pattern and the
  '(NULL device *): read and check /lib/firmware/bes2600_factory.txt
  error' boot spam on PineTab2.

-* 2/6 -- Default STANDARD_FACTORY_EFUSE_FLAG from y to n. The shipped
+* 2/7 -- Default STANDARD_FACTORY_EFUSE_FLAG from y to n. The shipped
  bes2600_factory.txt on PineTab2 contains 30 calibration fields; the
  driver was expecting 31 (including a ##select_efuse_flag section
  absent from this firmware). Also unguards the
@@ -41,12 +45,12 @@ dependencies.
  ungated -- gcc -Werror=missing-prototypes broke the build with the
  new default until this is fixed.

-* 3/6 -- Thread struct device * through factory_section_read_file() via
+* 3/7 -- Thread struct device * through factory_section_read_file() via
  a module-local setter invoked at SDIO probe. request_firmware() now
  receives a real device pointer; '(NULL device *):' no longer prefixes
  factory-related diagnostics.

-* 4/6 -- Gate the device-end of the low-power transition on successful
+* 4/7 -- Gate the device-end of the low-power transition on successful
  per-VIF firmware handshake. Pre-patch bes2600_pwr_enter_lp_mode()
  called bes2600_pwr_device_enter_lp_mode() unconditionally even when
  wait_for_completion_timeout() returned 0 (firmware never posted the
@@ -56,7 +60,7 @@ dependencies.
  messages. Post-patch: -ETIMEDOUT returned cleanly, dmesg silent,
  SDIO stable.

-* 5/6 -- Remove the custom /dev/bes2600 character-device interface.
+* 5/7 -- Remove the custom /dev/bes2600 character-device interface.
  file_operations, open/read/write/release, bes2600_op_*
  command-dispatch table, bes2600_load_uevent, alloc_chrdev_region /
  cdev_init / cdev_add / class_create / device_create in the init
@@ -64,9 +68,9 @@ dependencies.
  deleted. The in-kernel accessor functions (is_signal_mode,
  get_fw_type, etc., 13 call sites) and the fw_type module parameter
  are preserved; the userspace interface becomes rfkill + module_param
-  + (with 6/6) nl80211 testmode.
+  + (with 6/7) nl80211 testmode.

-* 6/6 -- Flip CONFIG_BES2600_TESTMODE default from n to y. The driver
+* 6/7 -- Flip CONFIG_BES2600_TESTMODE default from n to y. The driver
  already implements a mac80211 testmode_cmd dispatcher (routing to
  the firmware's patch_wifi_testMode path), already gated on the flag;
  CONFIG_NL80211_TESTMODE=y is common on target kernels. Enabling the
@@ -77,6 +81,25 @@ dependencies.
  bes_err / bes_warn / bes_devel family, define BES2600_DBG_* subsystem
  ids as 0 constants, and mark the 3 helpers static.

+* 7/7 -- Bounce SDIO TX buffers to avoid DMA out-of-bounds reads.
+  sdio_tx_work() rounded the transfer length up to the SDIO block size
+  (align = blks * cur_blksize, or 1632) and handed that length to
+  dma_map_sg() via sg_set_buf(..., tx_buffer->buf, align); tx_buffer->buf
+  typically aliases into an skb linear head allocated to tx_buffer->len,
+  not the block-aligned length. The DMA engine therefore read up to one
+  block past the end of the skb -- KFENCE on PineTab2 fires as
+  'out-of-bounds read in __pi_memcpy_generic ... 704B right of
+  kfence-#...' with sdio_tx_work+0x2b4 / bes_sdio_memcpy_to_io_helper in
+  the stack and pskb_expand_head / validate_xmit_skb / tcp_write_xmit in
+  the allocator stack. Besides being undefined behavior, the padding
+  bytes are transmitted to the peer, leaking adjacent kernel memory on
+  the air. Allocate a driver-owned DMA-pages bounce buffer of
+  MAX_SDIO_TRANSFER_LEN, memcpy each TX buffer into its slot, zero the
+  padding tail, and point the SG entries at the bounce. Mirrors the
+  pattern already used for single_gathered_buffer; kept as a separate
+  allocation because sdio_tx_work accumulates SG entries before claiming
+  the bus.
+
 ## Testing

 Reference hardware: Pine64 PineTab2 (BES2600WM + Rockchip RK3566,
@@ -84,21 +107,31 @@ Reference hardware: Pine64 PineTab2 (BES2600WM + Rockchip RK3566,
 TelekomHotspot@ERGO @ 5 GHz ch36).

 Host kernel: linux-pinetab2 6.19.10-danctnix1-1-pinetab2 with
-CONFIG_NL80211_TESTMODE=y. Driver installed via
-/lib/modules/<ver>/extra/ and verified loaded via modinfo srcversion.
+CONFIG_NL80211_TESTMODE=y and CONFIG_KFENCE=y (for 7/7 verification).
+Driver installed via /lib/modules/<ver>/extra/ and verified loaded via
+modinfo srcversion.

-Per-patch outcomes in post-reboot dmesg (full-stack applied):
- 1/6: 'read and check /lib/firmware/bes2600_factory.txt error' -- gone
- 2/6: 'bes2600_factory.txt parse fail' / 'factory cali data get
+Per-patch outcomes in post-reboot dmesg (full-stack applied, 11+ min
+soak, 245k RX packets / 365 MB traffic):
+
+- 1/7: 'read and check /lib/firmware/bes2600_factory.txt error' -- gone
+- 2/7: 'bes2600_factory.txt parse fail' / 'factory cali data get
  failed.' -- gone
- 3/6: '(NULL device *):' prefix on factory lines -- gone
- 4/6: 'bes2600_pwr_enter_lp_mode, wait pm ind timeout' (pre-patch 20-30
-  msgs / 5 min window) -- 0 per 5 min; 'sdio_tx_work' WARN splat
-  (pre-patch 2+ / 5 min) -- 0 per 5 min; '[RX] Receive failure: 4.' --
+- 3/7: '(NULL device *):' prefix on factory lines -- gone
+- 4/7: 'bes2600_pwr_enter_lp_mode, wait pm ind timeout' (pre-patch 20-30
+  msgs / 5 min window) -- 0 per 5 min; '[RX] Receive failure: 4.' --
  gone
- 5/6: /dev/bes2600 -- absent; driver continues to associate
- 6/6: 'iw phy0' lists 'testmode' under Supported commands; module
+- 5/7: /dev/bes2600 -- absent; driver continues to associate
+- 6/7: 'iw phy0' lists 'testmode' under Supported commands; module
  builds cleanly
+- 7/7: 'BUG: KFENCE: out-of-bounds read in __pi_memcpy_generic'
+  (pre-patch ~65 splats per 4 h of real traffic, always via
+  sdio_tx_work+0x2b4 / bes_sdio_memcpy_to_io_helper+0x18c) -- 0;
+  'sdio_tx_work+0x2b4' WARN splat residual from 4/7's cascade -- 0
+  (previously recurred ~1 per reboot even with 4/7 applied);
+  'PS Mode Error, Reason:1' benign handshake notice at T+40s --
+  also gone, apparently a downstream effect of no longer DMAing
+  uninitialised padding bytes into firmware

 Full stack: wifi associates and passes traffic across 3+ reboots.

@@ -122,14 +155,9 @@ Full stack: wifi associates and passes traffic across 3+ reboots.
  those to per-hw_priv state is blocked by fw_type being a module
  parameter (inherently singleton). Migrating fw_type to a per-phy
  debugfs knob or nl80211 testmode command is the next step; overlaps
-  with 6/6's testmode plumbing.
+  with 6/7's testmode plumbing.

- One residual benign notice after the full stack: 'bes2600_wlan
-  mmc2:0001:1: PS Mode Error, Reason:1' at T+40s on fresh boot.
-  Distinct from the pre-4/6 timeout cascade; driver recovers, WiFi
-  stays up. Root cause not investigated.
-
-Markus Fritsche (6):
+Markus Fritsche (7):
  bes2600: use request_firmware() for factory.txt read
  bes2600: default STANDARD_FACTORY_EFUSE_FLAG off for PineTab2
    factory.txt format
@@ -140,17 +168,18 @@ Markus Fritsche (6):
  bes2600: remove userspace /dev/bes2600 character device interface
  bes2600: enable CONFIG_BES2600_TESTMODE by default + fix bit-rotted
    testmode plumbing
+  bes2600: bounce SDIO TX buffers to avoid DMA OOB read

 bes2600/Makefile          |   6 +-
 bes2600/bes2600_factory.c |  45 ++--
 bes2600/bes2600_factory.h |   3 +
- bes2600/bes2600_sdio.c    |   4 +
+ bes2600/bes2600_sdio.c    |  43 +++-
 bes2600/bes_chardev.c     | 519 --------------------------------------
 bes2600/bes_log.h         |  23 ++
 bes2600/bes_pwr.c         |  20 +-
 bes2600/sta.c             |   6 +-
 bes2600/wsm.h             |   2 -
- 9 files changed, 79 insertions(+), 549 deletions(-)
+ 9 files changed, 117 insertions(+), 550 deletions(-)

 -- 
 2.53.0
@@ -1,7 +1,10 @@
 From d18aa6a9bc03a03e455434f83577892aa1a60ffe Mon Sep 17 00:00:00 2001
+Message-ID: <d18aa6a9bc03a03e455434f83577892aa1a60ffe.1776940528.git.fritsche.markus@gmail.com>
+In-Reply-To: <cover.1776940528.git.fritsche.markus@gmail.com>
+References: <cover.1776940528.git.fritsche.markus@gmail.com>
 From: Markus Fritsche <fritsche.markus@gmail.com>
 Date: Wed, 22 Apr 2026 10:09:44 +0200
-Subject: [PATCH 1/6] bes2600: use request_firmware() for factory.txt read
+Subject: [PATCH 1/7] bes2600: use request_firmware() for factory.txt read

 The BES2600 factory calibration file (bes2600_factory.txt) was being read
 via filp_open() + kernel_read() from a hard-coded absolute path baked in
@@ -1,7 +1,10 @@
 From a826f4db7d97a3a872d92079db37dbdaf9a0cdec Mon Sep 17 00:00:00 2001
+Message-ID: <a826f4db7d97a3a872d92079db37dbdaf9a0cdec.1776940528.git.fritsche.markus@gmail.com>
+In-Reply-To: <cover.1776940528.git.fritsche.markus@gmail.com>
+References: <cover.1776940528.git.fritsche.markus@gmail.com>
 From: Markus Fritsche <fritsche.markus@gmail.com>
 Date: Wed, 22 Apr 2026 12:17:56 +0200
-Subject: [PATCH 2/6] bes2600: default STANDARD_FACTORY_EFUSE_FLAG off for
+Subject: [PATCH 2/7] bes2600: default STANDARD_FACTORY_EFUSE_FLAG off for
 PineTab2 factory.txt format
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -1,7 +1,10 @@
 From c7ba2044b78cc3778763737daea60c9912b710c6 Mon Sep 17 00:00:00 2001
+Message-ID: <c7ba2044b78cc3778763737daea60c9912b710c6.1776940528.git.fritsche.markus@gmail.com>
+In-Reply-To: <cover.1776940528.git.fritsche.markus@gmail.com>
+References: <cover.1776940528.git.fritsche.markus@gmail.com>
 From: Markus Fritsche <fritsche.markus@gmail.com>
 Date: Wed, 22 Apr 2026 13:18:38 +0200
-Subject: [PATCH 3/6] bes2600: thread struct device * through factory
+Subject: [PATCH 3/7] bes2600: thread struct device * through factory
 request_firmware() call

 Follow-up to \"bes2600: use request_firmware() for factory.txt read\".
@@ -1,7 +1,10 @@
 From 108d3967eac4ba3a6e0f508d865a5f221b49079d Mon Sep 17 00:00:00 2001
+Message-ID: <108d3967eac4ba3a6e0f508d865a5f221b49079d.1776940528.git.fritsche.markus@gmail.com>
+In-Reply-To: <cover.1776940528.git.fritsche.markus@gmail.com>
+References: <cover.1776940528.git.fritsche.markus@gmail.com>
 From: Markus Fritsche <fritsche.markus@gmail.com>
 Date: Wed, 22 Apr 2026 12:37:45 +0200
-Subject: [PATCH 4/6] bes2600: gate device LP-mode entry on successful per-VIF
+Subject: [PATCH 4/7] bes2600: gate device LP-mode entry on successful per-VIF
 firmware handshake

 bes2600_pwr_enter_lp_mode() drives the transition to low-power for each
@@ -1,7 +1,10 @@
 From 3304b13a2b2e7388ebf076c2bcb7f02cd0b6800f Mon Sep 17 00:00:00 2001
+Message-ID: <3304b13a2b2e7388ebf076c2bcb7f02cd0b6800f.1776940528.git.fritsche.markus@gmail.com>
+In-Reply-To: <cover.1776940528.git.fritsche.markus@gmail.com>
+References: <cover.1776940528.git.fritsche.markus@gmail.com>
 From: Markus Fritsche <fritsche.markus@gmail.com>
 Date: Wed, 22 Apr 2026 12:55:18 +0200
-Subject: [PATCH 5/6] bes2600: remove userspace /dev/bes2600 character device
+Subject: [PATCH 5/7] bes2600: remove userspace /dev/bes2600 character device
 interface

 bes_chardev.c implemented a custom character device at /dev/bes2600 with
@@ -1,7 +1,10 @@
 From 6f13e008d21d453db486f707f47340a0a17e650b Mon Sep 17 00:00:00 2001
+Message-ID: <6f13e008d21d453db486f707f47340a0a17e650b.1776940528.git.fritsche.markus@gmail.com>
+In-Reply-To: <cover.1776940528.git.fritsche.markus@gmail.com>
+References: <cover.1776940528.git.fritsche.markus@gmail.com>
 From: Markus Fritsche <fritsche.markus@gmail.com>
 Date: Wed, 22 Apr 2026 13:04:27 +0200
-Subject: [PATCH 6/6] bes2600: enable CONFIG_BES2600_TESTMODE by default + fix
+Subject: [PATCH 6/7] bes2600: enable CONFIG_BES2600_TESTMODE by default + fix
 bit-rotted testmode plumbing
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -0,0 +1,126 @@
+From 10a05d21bfe4563f963e16d65228fd7a713c143d Mon Sep 17 00:00:00 2001
+Message-ID: <10a05d21bfe4563f963e16d65228fd7a713c143d.1776940528.git.fritsche.markus@gmail.com>
+In-Reply-To: <cover.1776940528.git.fritsche.markus@gmail.com>
+References: <cover.1776940528.git.fritsche.markus@gmail.com>
+From: Markus Fritsche <fritsche.markus@gmail.com>
+Date: Thu, 23 Apr 2026 11:58:31 +0200
+Subject: [PATCH 7/7] bes2600: bounce SDIO TX buffers to avoid DMA OOB read
+
+The SDIO TX path rounds the DMA transfer length up to the host's
+current block size and hands that length to dma_map_sg() via
+sg_set_buf(&sg[scatters], tx_buffer->buf, align) in sdio_tx_work().
+tx_buffer->buf typically aliases into an skb linear head whose
+allocated size matches tx_buffer->len, not the block-aligned
+align. The DMA engine (swiotlb / dw_mci IDMAC) therefore reads up
+to one block past the end of the skb. On a PineTab2 with KFENCE
+enabled this fires as:
+
+  BUG: KFENCE: out-of-bounds read in __pi_memcpy_generic
+  Out-of-bounds read at ... (704B right of kfence-#...):
+  __pi_memcpy_generic
+  swiotlb_tbl_map_single
+  swiotlb_map
+  dma_direct_map_sg
+  __dma_map_sg_attrs
+  dma_map_sg_attrs
+  dw_mci_pre_dma_transfer
+  __dw_mci_start_request
+  ...
+  bes_sdio_memcpy_to_io_helper+0x18c/0x288 [bes2600]
+  sdio_tx_work+0x2b4/0x4a0 [bes2600]
+
+allocated by ... pskb_expand_head / validate_xmit_skb / tcp_*
+
+In addition to being undefined behavior, the padding bytes (which
+come from whatever memory follows the skb) are transmitted to the
+peer, leaking kernel memory on the air.
+
+Allocate a driver-owned DMA-page bounce buffer sized to
+MAX_SDIO_TRANSFER_LEN and use it as the scatter-gather backing for
+sdio_tx_work. Each TX buffer is copied into its bounce slot and the
+tail (align - tx_buffer->len bytes) is zeroed. This mirrors the
+existing bounce pattern already used by bes2600_sdio_memcpy_toio()
+via single_gathered_buffer; a separate allocation is used for the
+TX path because single_gathered_buffer is only serialised via
+sdio_claim_host and sdio_tx_work accumulates scatter entries before
+claiming the bus.
+
+Signed-off-by: Markus Fritsche <fritsche.markus@gmail.com>
+---
+ bes2600/bes2600_sdio.c | 39 ++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 38 insertions(+), 1 deletion(-)
+
+diff --git a/bes2600/bes2600_sdio.c b/bes2600/bes2600_sdio.c
+index 371ef4f..3e04e8c 100644
+--- a/bes2600/bes2600_sdio.c
+++ b/bes2600/bes2600_sdio.c
+@@ -95,6 +95,7 @@ struct sbus_priv {
+ 	struct work_struct tx_work;
+ 	struct scatterlist tx_sg[BES_SDIO_TX_MULTIPLE_NUM + 1];
+ 	struct scatterlist tx_sg_nosignal[BES_SDIO_TX_MULTIPLE_NUM_NOSIGNAL + 1];
+	u8 *tx_bounce;
+ 	u32 tx_data_cnt;
+ 	u32 tx_xfer_cnt;
+ 	u32 tx_proc_cnt;
+@@ -1136,7 +1137,26 @@ static void sdio_tx_work(struct work_struct *work)
+ 				}
+ 			}
+ 
+-			sg_set_buf(&sg[scatters], tx_buffer->buf, align);
+			/*
+			 * The transfer length is rounded up to the SDIO block
+			 * size, but tx_buffer->buf is only tx_buffer->len bytes
+			 * long (it usually aliases into an skb linear head).
+			 * Copy into a driver-owned bounce buffer and zero-pad
+			 * to the aligned size; otherwise DMA reads past the
+			 * skb and leaks adjacent kernel memory on the wire --
+			 * observed as KFENCE OOB reads from
+			 * bes_sdio_memcpy_to_io_helper via dma_map_sg.
+			 */
+			if (WARN_ON_ONCE(total_len + align > MAX_SDIO_TRANSFER_LEN))
+				goto flush_previous;
+			memcpy(self->tx_bounce + total_len,
+			       tx_buffer->buf, tx_buffer->len);
+			if (align > tx_buffer->len)
+				memset(self->tx_bounce + total_len +
+				       tx_buffer->len, 0,
+				       align - tx_buffer->len);
+			sg_set_buf(&sg[scatters],
+				   self->tx_bounce + total_len, align);
+ 			total_len += align;
+ 			++scatters;
+ /*del_node:*/
+@@ -1857,6 +1877,17 @@ static int bes2600_sdio_probe(struct sdio_func *func,
+ 	if (!self->single_gathered_buffer)
+ 		return -ENOMEM;
+ #endif
+#ifdef BES_SDIO_TX_MULTIPLE_ENABLE
+	self->tx_bounce = (u8 *)__get_dma_pages(GFP_KERNEL,
+					get_order(MAX_SDIO_TRANSFER_LEN));
+	if (!self->tx_bounce) {
+#ifndef SDIO_HOST_ADMA_SUPPORT
+		free_pages((unsigned long)self->single_gathered_buffer,
+			   get_order(MAX_SDIO_TRANSFER_LEN));
+#endif
+		return -ENOMEM;
+	}
+#endif
+ #ifdef BES_SDIO_RXTX_TOGGLE
+ 	self->fw_started = false;
+ #endif
+@@ -1985,6 +2016,12 @@ static void bes2600_sdio_remove(struct sdio_func *func)
+ 		if (self->single_gathered_buffer) {
+ 			free_pages((unsigned long)self->single_gathered_buffer, get_order(MAX_SDIO_TRANSFER_LEN));
+ 		}
+#endif
+#ifdef BES_SDIO_TX_MULTIPLE_ENABLE
+		if (self->tx_bounce) {
+			free_pages((unsigned long)self->tx_bounce,
+				   get_order(MAX_SDIO_TRANSFER_LEN));
+		}
+ #endif
+ 		kfree(self);
+ 	}
+-- 
+2.53.0
+