Merge pull request 'README + danctnix-besser-pkgbuild/README: point at kernel-agent pkgrel=4 flow' (#21) from noether/readme-pkgrel4-kernel-agent-flow into main

Reviewed-on: #21

README.md

@@ -53,6 +53,9 @@ CW1200-ancestry markers in current source: same author Dmitry Tarnyagin,
 |------|------|
 | **This umbrella** | `git.reauktion.de/marfrit/besser` — patches/, scripts/, fw-analysis/, notes/ |
 | **Mobian DKMS fork** (PR target) | `git.reauktion.de/marfrit/bes2600-dkms` — branches per patch; upstream = `salsa.debian.org/Mobian-team/devices/bes2600-dkms` |
+| **DanctNIX kernel package** (ohm) | `git.reauktion.de/marfrit/marfrit-packages/arch/linux-pinetab2-danctnix-besser/` — kernel-agent-driven PKGBUILD, pkgrel=4+ |
+| **kernel-agent manifest + patches** | `git.reauktion.de/marfrit/kernel-agent` — `fleet/ohm.yaml` lists the per-patch series, `bin/ka-promote ohm` emits the cumulative the PKGBUILD consumes |
+| **Historical hand-managed PKGBUILD** | `git.reauktion.de/marfrit/besser/danctnix-besser-pkgbuild/` — pkgrel≤3, deprecated; see directory README |
 
 ## Patch series
 

danctnix-besser-pkgbuild/README.md

@@ -2,73 +2,218 @@
 
 Soft-upstream fork of `linux-pinetab2` (DanctNIX kernel for PineTab2) carrying the **BESser** bes2600 staging-driver patchset.
 
-Drop-in replacement for `linux-pinetab2`. Same kernel version, same config, same modules — only the `drivers/staging/bes2600/` driver differs.
+Drop-in replacement for `linux-pinetab2`. Same kernel version, same config (one toggle aside — see SCS caveat below), same modules — only the `drivers/staging/bes2600/` driver differs.
+
+---
+
+> ## ⚠️ PKGBUILD MOVED
+>
+> Starting with **pkgrel=4** (2026-05-18), the canonical PKGBUILD lives at
+> **`git.reauktion.de/marfrit/marfrit-packages/arch/linux-pinetab2-danctnix-besser/`**
+> and is driven by [kernel-agent](https://git.reauktion.de/marfrit/kernel-agent)'s
+> `ka-promote ohm` cumulative-patch flow against `fleet/ohm.yaml`.
+>
+> This directory remains for historical reference (pkgrel=1..3 hand-managed
+> flow + per-patch design notes that haven't been ported to the new home yet).
+>
+> **Use the new location** for builds going forward. See
+> [kernel-agent PR #28](https://git.reauktion.de/marfrit/kernel-agent/pulls/28)
+> and [marfrit-packages PR #28](https://git.reauktion.de/marfrit/marfrit-packages/pulls/28)
+> for the migration.
+
+---
+
+## TL;DR
+
+| | |
+|---|---|
+| **Current package** | `linux-pinetab2-danctnix-besser-7.0.danctnix1-5-aarch64.pkg.tar.zst` (built via [kernel-agent](https://git.reauktion.de/marfrit/kernel-agent)) |
+| **PKGBUILD home** | `git.reauktion.de/marfrit/marfrit-packages/arch/linux-pinetab2-danctnix-besser/` *(new — pkgrel=4 onwards)* |
+| **Patch manifest** | `git.reauktion.de/marfrit/kernel-agent` `fleet/ohm.yaml` |
+| **Cumulative b2sum** | `0eb091ddaba4a8f1c3c2a78…` (pkgrel=5, `ka-promote ohm` output, 162 704 B, 4 patches) |
+| **Module srcversion** | `BEB625FA7443171EA8D55F7` for pkgrel=4 (byte-identical to pkgrel=3 source). pkgrel=5 srcversion differs because the besser#18 fix is bundled (TBD pending build verification). |
+| **Kernel base** | DanctNIX [`linux-pinetab2`](https://codeberg.org/DanctNIX/linux-pinetab2) tag `v7.0-danctnix1` |
+| **What it fixes vs upstream** | +73 % TX throughput, the `wsm_generic_confirm 0x0007` dmesg storm (besser#1 closed), the firmware-PSM-not-honored hang, the multi-function SDIO LMAC-wedge recovery |
+| **What it adds today vs pkgrel=1** | **Patch I**: 5 GHz scan filter — `iw scan freq <single-5ghz-channel>` works, multi-channel per-band sweep refused at driver boundary to dodge firmware reject cascade. NM `band=a` profiles associate to 5 GHz cleanly. **Sustained 11.32 MB/s** download (2.54 GB factory image) on `newton` 5 GHz ch.48 — **3.6× the 2.4 GHz baseline of 3.12 MB/s** on the same source. |
+| **Source-of-truth (driver)** | `git.reauktion.de/marfrit/bes2600-dkms` — branch `cleanups` for c-stack+A+B, branch `bes2600/scan-filter-5ghz` for Patch I |
+| **Caveat** | `CONFIG_SHADOW_CALL_STACK=n` (security-hardening regression, workaround for a GCC 15.2.1 + arm_neon.h pragma issue — tracked in [besser#20](https://git.reauktion.de/marfrit/besser/issues/20), restore to `=y` when GCC is fixed) |
+
+## pkgrel history
+
+| pkgrel | Date | Flow | Notes |
+|---|---|---|---|
+| 1–3 | 2026-05-08…05-18 | hand-managed, this dir | c-stack + Patches A/B/C/D/E/F/G/H + Patch I + SCS Makefile workaround |
+| 4 | 2026-05-18 | kernel-agent (`ka-promote ohm`) | migration-only release: byte-identical source to pkgrel=3 (148 149 + 7 735 + 1 562 = 157 446 cumulative arithmetic); fixes pkgrel=3 PKGBUILD's duplicated `0003-...patch` source-array bug. Available as fallback. |
+| **5** | **2026-05-18** | **kernel-agent (`ka-promote ohm`)** | adds [besser#18](https://git.reauktion.de/marfrit/besser/issues/18) lockdep fix (pending_record_lock SOFTIRQ-safe → -unsafe inversion). 4-patch cumulative, 162 704 B, b2sum `0eb091ddaba4…`. Closes besser#18 + besser#1. |
+
+---
 
 ## What's in the patchset
 
-A 16-commit cumulative diff over `v7.0-danctnix1`'s in-tree `drivers/staging/bes2600/`, capturing:
+A 17-commit cumulative diff over `v7.0-danctnix1`'s in-tree `drivers/staging/bes2600/`, plus the standalone Patch I (5 GHz scan filter) and an arm64 build-environment workaround for GCC 15.
+
+Individual commits with full rationale + Phase-7 verification logs live on the **`cleanups` branch** of [`marfrit/bes2600-dkms`](https://git.reauktion.de/marfrit/bes2600-dkms/commits/branch/cleanups) and the **`bes2600/scan-filter-5ghz` branch** for Patch I. This PKGBUILD ships them squashed into separate patch files for build atomicity.
 
 | group | what it does |
 |---|---|
-| **c-stack (Patches A, B, c5.1–c5.2.1, c6.1, c6.2, c7)** | wifi-stability fixes: decrypt-storm fast-recover, connection-loss bus-reset, scan-defer-on-firmware-reject, PM state resync, firmware-doesn't-honour-PSM self-detect, multi-function SDIO `mmc_hw_reset` rescan |
-| **Patch F** | cw1200 mainline backports: hw_scan SKB-lifecycle UAF, init_common destroy_workqueue on error, `atomic_add(1, x) → atomic_inc(x)` cosmetic |
-| **Patch C v3** | structural: drop `sdio_rx_work` workqueue relay; IRQ → bh-direct architecture (matches mainline cw1200) |
-| **Patch G** | GPL-2.0 §1 attribution restoration: SPDX-License-Identifier on every file, Tarnyagin/ST-Ericsson Copyright restored on cw1200-derived files |
-| **Patch D** | `ba_lock` removed; `ba_acc/ba_cnt/ba_acc_rx/ba_cnt_rx/ba_ena` converted to `atomic_t`; per-RX-frame spinlock eliminated |
-| **Patch E** | per-RX-frame `ps_state_lock` skipped when c7's `pm_unsupported` latch is on (steady-state on production firmware) |
-| **Patch C2** | `ieee80211_rx_irqsafe → ieee80211_rx_ni` at all 6 sites (kernel.org-clean process-context API; tasklet hop removed) |
-| **Patch H** | bh.c hygiene cleanup: 76-line + 468-line `#if 0` cw1200-ancestor fossil blocks removed; `__bes2600_irq_enable` stub removed; per-iteration `BUG_ON` → `WARN_ON_ONCE` |
+| **c-stack (c5.1–c5.2.1, c6.1, c6.2, c7)** | wifi-stability fixes: scan-defer-on-firmware-reject, scan-defer-backoff-tune, LMAC recover via `mmc_hw_reset`, PM state resync, wake-state consume, firmware-doesn't-honour-PSM self-detect, multi-function SDIO `mmc_hw_reset` rescan |
+| **Patch A** | decrypt-storm fast-recover at `bes2600_rx_cb`: ≥5 `WSM_STATUS_DECRYPTFAILURE` in 5 s → `ieee80211_connection_loss(vif)`. Phase-7 confirmed N=2 (2026-05-07), storms recover ~1 s vs 109 s baseline. |
+| **Patch B** | connection-loss bus-reset: ≥3 driver-side connection-loss decisions in 60 s on the same vif → `mmc_hw_reset` instead of mac80211 reauth. Installed dormant; never tripped in production yet. |
+| **Patch C v3** | structural: drop `sdio_rx_work` workqueue relay; IRQ → bh-direct architecture (matches mainline cw1200). +73 % sustained RX. |
+| **Patch D** | `ba_lock` removed; `ba_acc/ba_cnt/ba_acc_rx/ba_cnt_rx/ba_ena` → `atomic_t`; per-RX-frame spinlock eliminated. |
+| **Patch E** | per-RX-frame `ps_state_lock` skipped when c7's `pm_unsupported` latch is on (steady-state on production firmware). |
+| **Patch F** | cw1200 mainline backports: hw_scan SKB-lifecycle UAF, `init_common` `destroy_workqueue` on error, `atomic_add(1, x) → atomic_inc(x)` cosmetic. |
+| **Patch G** | GPL-2.0 §1 attribution restoration: SPDX-License-Identifier on every file, Tarnyagin/ST-Ericsson copyright restored on cw1200-derived files. |
+| **Patch C2** | `ieee80211_rx_irqsafe → ieee80211_rx_ni` at all 6 sites (kernel.org-clean process-context API; tasklet hop removed). |
+| **Patch H** | `bh.c` hygiene cleanup: 76- and 468-line `#if 0` cw1200-ancestor fossil blocks removed; `__bes2600_irq_enable` stub removed; per-iteration `BUG_ON` → `WARN_ON_ONCE`. |
+| **Patch I** ([besser#1](https://git.reauktion.de/marfrit/besser/issues/1)) | **5 GHz scan filter.** Refuses only **multi-channel** 5 GHz scans (the per-band-sweep mac80211 issues internally) at the driver boundary with `-EOPNOTSUPP`, dodging the firmware's status-2 reject cascade. Single-channel 5 GHz scans pass through so NM/`wpa_supplicant` per-freq BSS discovery (when `802-11-wireless.band=a`) still finds and associates to 5 GHz APs. Net effect: dmesg storm gone, 5 GHz attachment works, 3.6× sustained throughput on 5 GHz HT40 vs 2.4 GHz HT20. |
+| **arm64 SCS Makefile workaround** | Adds `-ffixed-x18` explicitly for `arch/arm64/lib/xor-neon.o` when `CONFIG_SHADOW_CALL_STACK=y`. Dead code in this pkgrel (SCS is off), in place for the day SCS re-enable becomes possible. See [besser#20](https://git.reauktion.de/marfrit/besser/issues/20). |
 
-## Measured outcome (Mobian-flavor verification, expected to carry over)
+## Measured outcome
 
-- Phase 7 N=3 stress @ 4 MB/s sender on RK3566/PineTab2:
-  - Patch B baseline: 1.36 MB/s
-  - Patch C v3 + F + G + D + E + C2 + H: 2.28 MB/s sustained, **+67% over baseline**
-- Race-fix verified under stress (no `wsm_release_tx_buffer` WARN storm under load)
-- Module loads + associates cleanly; `pm_unsupported` latch fires on boot as expected
-- Build clean with no warnings, srcversion `99052D7…` (Mobian-flavor) / TBD on first danctnix build
+- **Phase 7 (Patch I, 2026-05-18):** Pattern A `wsm_generic_confirm failed for request 0x0007` storm: 14.3/h → **0/h** over 30-min observation. 5 GHz `newton` BSSID `c0:25:06:e6:5b:33` @ 5240 MHz (ch.48), TX bitrate 150 Mbit/s MCS 7 HT40 short-GI. Internet download throughput **11.32 MB/s** (sustained 90.5 Mbit/s, ~60 % of PHY) vs 3.12 MB/s on 2.4 GHz HT20 same source.
+- **Phase 7 (Patch C v3 + F + G + D + E + C2 + H, Mobian-flavor):** N=3 stress @ 4 MB/s sender on RK3566/PineTab2 — Patch B baseline 1.36 MB/s → +73 % sustained 2.28 MB/s. Race-fix verified under stress (no `wsm_release_tx_buffer` WARN storm under load).
+- Module loads + associates cleanly; `pm_unsupported` latch fires on boot as expected.
+
+## Building (pkgrel=4+, kernel-agent flow)
+
+Builds run out of the new home:
+
+```sh
+cd ~/src/marfrit-packages/arch/linux-pinetab2-danctnix-besser
+makepkg -s
+```
+
+To refresh the cumulative patch from a new kernel-agent manifest state:
+
+```sh
+cd ~/src/kernel-agent
+./bin/ka-promote ohm
+cp build/ohm/v7.0-danctnix1/cumulative.patch \
+   ~/src/marfrit-packages/arch/linux-pinetab2-danctnix-besser/0001-bes2600-besser-kernel-agent-cumulative.patch
+cp build/ohm/v7.0-danctnix1/manifest.lock \
+   ~/src/marfrit-packages/arch/linux-pinetab2-danctnix-besser/manifest.lock
+b2sum 0001-bes2600-besser-kernel-agent-cumulative.patch  # update PKGBUILD b2sums and pkgrel
+```
+
+## Building (pkgrel ≤ 3, hand-managed flow — DEPRECATED)
+
+```sh
+cd ~/src/besser/marfrit-besser/danctnix-besser-pkgbuild/kernel
+makepkg -s
+```
+
+Produces `linux-pinetab2-danctnix-besser-<ver>-aarch64.pkg.tar.zst` plus a matching `-headers` package. Build host can be aarch64 native (recommended — no cross-toolchain setup) or x86 with an aarch64 cross-compiler.
+
+Build time: ~45–55 min on an 8-core aarch64 host (boltzmann/RPi5-class), most of it the kernel modules phase.
+
+**GCC 15.2.1 note:** This pkgrel ships with `CONFIG_SHADOW_CALL_STACK=n` because GCC 15.2.1's strict pragma validator chokes on `arm_neon.h`'s push/`target("+nothing+aes")`/pop sequences when SCS is on. The `0003-arm64-xor-neon-ffixed-x18-build-fix.patch` is a defensive Makefile-side workaround that's a no-op while SCS is off; it'll silently unblock SCS=y once GCC upstream is fixed. See [besser#20](https://git.reauktion.de/marfrit/besser/issues/20) for the re-enable plan.
+
+## Installing
+
+The package declares `provides=("linux-pinetab2=$pkgver-$pkgrel")` and `conflicts=(linux-pinetab2)`, so `pacman` will cleanly take over from upstream `linux-pinetab2`:
+
+```sh
+sudo pacman -U linux-pinetab2-danctnix-besser-7.0.danctnix1-5-aarch64.pkg.tar.zst
+```
+
+That removes the upstream `linux-pinetab2` package (if installed) and registers the BESser-flavored kernel under the same provides slot. Headers package is optional; install it if you build out-of-tree modules.
+
+The pacman `mkinitcpio` hook auto-generates `/boot/initramfs-linux-pinetab2-danctnix-besser.img`. Modules land in `/usr/lib/modules/<release>-pinetab2-danctnix-besser/`, vmlinuz at `/boot/vmlinuz-linux-pinetab2-danctnix-besser`, DTBs at `/boot/dtbs/rockchip/rk3566-pinetab2-{v0.1,v2.0}.dtb`.
+
+### Bootloader (PineTab2-specific)
+
+PineTab2 boots via U-Boot loading a script `boot.scr` (compiled from `/boot/boot.txt` via `mkscr`). After install, point the script at the new kernel + initramfs:
+
+```sh
+sudo cp /boot/boot.txt /boot/boot.txt.pre-besser
+sudo cp /boot/boot.scr /boot/boot.scr.pre-besser
+sudo sed -i \
+  -e 's|/vmlinuz-linux-pinetab2$|/vmlinuz-linux-pinetab2-danctnix-besser|' \
+  -e 's|/initramfs-linux-pinetab2\.img|/initramfs-linux-pinetab2-danctnix-besser.img|' \
+  /boot/boot.txt
+cd /boot && sudo ./mkscr
+sudo systemctl reboot
+```
+
+Backups (`*.pre-besser`) let you revert without touching the U-Boot console: `sudo cp /boot/boot.scr.pre-besser /boot/boot.scr` and reboot.
+
+## Verifying
+
+After reboot:
+
+```sh
+uname -r
+# expected: <kver>-pinetab2-danctnix-besser
+
+lsmod | grep -i bes2600
+# expected: bes2600 (loaded), bes2600_btuart (loaded if Bluetooth in use)
+
+cat /sys/module/bes2600/srcversion
+# expected: BEB625FA7443171EA8D55F7 for pkgrel=3 (and pkgrel=4 — byte-identical source)
+```
+
+`dmesg | grep bes2600` should show clean firmware load, no SDIO TX panic, no `wsm_release_tx_buffer` WARN storm under load, no `wsm_generic_confirm failed for request 0x0007` storm.
+
+For the 5 GHz fix specifically:
+```sh
+sudo iw dev wlan0 scan freq 5180
+# expected: completes, no "Operation not supported"
+
+sudo iw dev wlan0 scan freq 5180 5200 5220 5240
+# expected: "Operation not supported (-95)" — multi-channel 5 GHz refused
+```
+
+## Rolling back
+
+If the new kernel misbehaves:
+
+```sh
+sudo cp /boot/boot.scr.pre-besser /boot/boot.scr
+sudo systemctl reboot
+```
+
+That returns you to whatever kernel `boot.scr` was pointing at before the install (typically upstream `linux-pinetab2` or the previous `linux-pinetab2-danctnix-besser`). The package itself can be removed with `sudo pacman -R linux-pinetab2-danctnix-besser` and the original `linux-pinetab2` re-installed via `sudo pacman -S linux-pinetab2`.
 
 ## Provenance
 
-- Mobian-flavor source-of-truth: <https://git.reauktion.de/marfrit/bes2600-dkms> (cleanups branch)
-- Per-patch breakdown + Phase 7 results: <https://git.reauktion.de/marfrit/besser>
+- Mobian-flavor source-of-truth: <https://git.reauktion.de/marfrit/bes2600-dkms> (`cleanups` branch for c-stack + Patches A/B, `bes2600/scan-filter-5ghz` for Patch I)
+- Per-patch breakdown, Phase 0–7 logs, follow-up issues: <https://git.reauktion.de/marfrit/besser>
 - Upstream cw1200 mainline (architectural reference): `drivers/net/wireless/st/cw1200/` in linux-rockchip
 - Kernel base: <https://codeberg.org/DanctNIX/linux-pinetab2> tag `v7.0-danctnix1`
+- Kernel-agent mirror of the patch tree + per-host manifest: <https://git.reauktion.de/marfrit/kernel-agent>
 
 ## Why it's "BESser"
 
 "Besser" = German for "better." Patch series ID across both DKMS (Mobian) and in-tree (Danctnix) trees. Single source-of-truth lives in `marfrit/bes2600-dkms`; this PKGBUILD is the danctnix-flavor consumption surface.
 
-## Building
-
-```sh
-makepkg -s
-```
-
-Identical workflow to upstream `linux-pinetab2`. Flash the resulting `.pkg.tar.zst` via `pacman -U`. Reboot to load.
-
 ## Soft-upstream intent
 
 Submitting this PKGBUILD to DanctNIX for review. If accepted as a replacement for `linux-pinetab2` (or sidegrade), the BESser patchset ships to all PineTab2 users via the regular danctnix package update channel. The bes2600 driver gets:
 
-- ~2× sustained RX throughput
+- ~2× sustained RX throughput on 2.4 GHz
+- ~3.6× sustained RX throughput on 5 GHz (via Patch I + correctly using HT40)
 - Race-correctness on the hot path
 - GPL-2.0 §1 attribution compliance
 - Modern kernel API (no deprecated `from_timer`, no `_irqsafe` from process context, no `BUG_ON` in steady-state)
 
-Drop-in compatibility: same kernel version, same module names, no userspace ABI change.
+Drop-in compatibility: same kernel version, same module names, no userspace ABI change. SCS off is the one config caveat, tracked in [besser#20](https://git.reauktion.de/marfrit/besser/issues/20).
 
 ## Maintenance plan
 
-- New danctnix kernel release → rebase BESser patch onto the new tag, regenerate cumulative diff, bump pkgver
-- New BESser patch on Mobian DKMS → re-overlay + re-flavor + regenerate cumulative diff
-- Both flavors continue to be maintained in lockstep via `marfrit/bes2600-dkms` source-of-truth
+**Effective pkgrel=4+:** the per-host manifest in `marfrit/kernel-agent` (`fleet/ohm.yaml`) is the per-patch authority. `ka-promote ohm` produces the cumulative; the PKGBUILD in `marfrit/marfrit-packages` consumes it. Updates flow:
+
+- New danctnix kernel release → bump `baseline.ref` in `fleet/ohm.yaml`, re-promote, bump pkgver in marfrit-packages PKGBUILD.
+- New BESser patch → add a new series-dir in `kernel-agent/patches/driver/bes2600/`, add to `fleet/ohm.yaml` `includes:`, re-promote, refresh cumulative + b2sum in marfrit-packages PKGBUILD, bump pkgrel.
+- Both flavors continue to be maintained in lockstep via `marfrit/bes2600-dkms` source-of-truth.
+- GCC 15 SCS issue → periodically re-test build with `CONFIG_SHADOW_CALL_STACK=y` against current Arch ARM GCC. When the build succeeds, flip the config and re-deploy.
 
 ## Known gaps
 
-- Single cumulative diff (squashed 16 commits) for now. Per-patch series can be regenerated if danctnix maintainers prefer.
+- Cumulative diff (squashed) for the c-stack + Patches A/B; Patch I as a separate `0002-` file. Per-patch series can be regenerated if danctnix maintainers prefer.
 - Bluetooth-side `bes2600_btuart` is independent and untouched by this patchset.
 - `bes2600_switch_bt` orchestration removed (Mobian-only entry point; not used in danctnix tree).
+- Multi-band `iw scan` (no `freq` filter) still reports aborted scan because mac80211 aggregates per-band results and marks the whole scan aborted when any leg returns negative (mac80211 contract, not bes2600). Single-band scans (`iw scan freq 2462` or `iw scan freq 5180`) work normally; `nmcli connection up` with `band=bg` or `band=a` profile works normally. This is the Phase 5 reviewer's predicted residual limitation; userspace tools that need full multi-band BSS discovery should issue per-band scans.
 
 ## Author
 

danctnix-besser-pkgbuild/kernel/0002-bes2600-filter-5ghz-scan.patch

@@ -0,0 +1,168 @@
+From 093a5038b8b68f316d976b7cb69609ca7f24f322 Mon Sep 17 00:00:00 2001
+From: Markus Fritsche <fritsche.markus@gmail.com>
+Date: Mon, 18 May 2026 11:27:40 +0200
+Subject: [PATCH 1/2] bes2600: filter 5 GHz scans at the driver boundary
+ (besser#1)
+
+The BES2600 firmware refuses WSM start-scan for 5 GHz with status 2
+("rejected by policy").  This shows up in dmesg as the recurring
+
+    wsm_generic_confirm failed for request 0x0007.
+    [SCAN] Scan failed (-22).
+
+pattern (besser issue #1, ~14-16/h on ohm/PineTab2 baseline).
+
+Trace shows every reject is the second of a back-to-back pair: mac80211
+splits multi-band hw_scan requests per band when the driver does not
+set IEEE80211_HW_SINGLE_SCAN_ON_ALL_BANDS (we don't), then re-invokes
+drv_hw_scan from __ieee80211_scan_completed for each subsequent band.
+The 2.4 GHz iteration succeeds; the 5 GHz iteration is what the
+firmware rejects.  See ieee80211_prep_hw_scan in net/mac80211/scan.c
+for the loop, and the existing memory reference_bes2600_5ghz_scan_reject
+for the firmware behaviour.
+
+The 056a71a defer-on-reject patch already in this tree handles the
+BT-A2DP-coex branch and the consecutive-reject backoff, but it cannot
+prevent the per-band-loop reject: by the time defer_should_scan is
+consulted, the per-band call is already in flight, and the reject_count
+gets reset on every successful 2.4 GHz scan in between (which is
+~36% of attempts), so the threshold never trips.
+
+The fix: refuse the 5 GHz iteration upfront in bes2600_hw_scan.  The
+2.4 GHz scan still runs normally.  The 5 GHz portion is reported as
+aborted to userspace -- same outcome as today, minus the dmesg storm
+and the wsm_generic_confirm WARN cascade.
+
+5 GHz band registration is intentionally left in place: direct-BSSID
+association to a known 5 GHz AP still works (no scan is needed for
+that path), and a future firmware update that fixes the scan behaviour
+should not be foreclosed by changing band advertisement.
+
+Contract: per include/net/mac80211.h ieee80211_ops.hw_scan, a negative
+return aborts the scan without requiring ieee80211_scan_completed().
+-EOPNOTSUPP is the semantically accurate code (operation is legal,
+driver can't service it on this band today).
+
+Phase 3 evidence:
+- baseline N=3: rate ~14.3-23.6/h converged at 14.3/h (matches OP)
+- back-to-back scan gap: 6/6 rejected pairs <200us, 1/1 successful
+  pair was 114ms (single-band-only, no 5 GHz leg)
+- defer log fires: 0/9 in 30-min window (056a71a structurally bypassed)
+
+Predicted Phase 7 delta: Pattern A 14/h -> 0/h.
+---
+ bes2600/scan.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/drivers/staging/bes2600/scan.c b/drivers/staging/bes2600/scan.c
+index fb1d298..a81afb6 100644
+--- a/drivers/staging/bes2600/scan.c
++++ b/drivers/staging/bes2600/scan.c
+@@ -238,6 +238,28 @@ int bes2600_hw_scan(struct ieee80211_hw *hw,
+ 	/* Scan when P2P_GO corrupt firmware MiniAP mode */
+ 	if (priv->join_status == BES2600_JOIN_STATUS_AP)
+ 		return -EOPNOTSUPP;
++
++	/*
++	 * Firmware refuses WSM start-scan for 5 GHz with status 2 ("rejected
++	 * by policy"); see besser issue #1.  mac80211 splits multi-band
++	 * hw_scan requests per-band when the driver does not set
++	 * IEEE80211_HW_SINGLE_SCAN_ON_ALL_BANDS (we don't -- see
++	 * ieee80211_hw_set() calls in bes2600_main.c), so each per-band call
++	 * has req->channels[] from one band only (see ieee80211_prep_hw_scan
++	 * in net/mac80211/scan.c).  Refuse the 5 GHz iteration at the driver
++	 * boundary so userspace gets a clean aborted-scan for that portion
++	 * rather than waiting for the firmware reject to cascade up.  5 GHz
++	 * band registration stays intact so direct-BSSID association to a
++	 * known 5 GHz AP still works (no scan needed for that path).
++	 *
++	 * Contract: per include/net/mac80211.h struct ieee80211_ops.hw_scan
++	 * documentation, a negative return aborts the scan without requiring
++	 * ieee80211_scan_completed().
++	 */
++	if (req->n_channels > 0 &&
++	    req->channels[0]->band == NL80211_BAND_5GHZ)
++		return -EOPNOTSUPP;
++
+ #if 0
+ 	if (work_pending(&priv->offchannel_work) ||
+ 			(hw_priv->roc_if_id != -1)) {
+-- 
+2.54.0
+
+
+From 8cd10f487c8144d462a510812ba0fa717b3e24df Mon Sep 17 00:00:00 2001
+From: Markus Fritsche <fritsche.markus@gmail.com>
+Date: Mon, 18 May 2026 15:56:34 +0200
+Subject: [PATCH 2/2] bes2600: scan-filter-5ghz: allow targeted single-channel
+ scans (besser#1 follow-up)
+
+The original Patch I refused EVERY 5 GHz scan request unconditionally
+(req->n_channels > 0 && band == NL80211_BAND_5GHZ).  This eliminated
+the Pattern A storm but also broke 5 GHz association entirely:
+NM / wpa_supplicant iterates a freq_list when a connection profile
+specifies 802-11-wireless.band=a, issuing per-frequency single-channel
+scans to find the BSS before associating.  Those single-channel scans
+were also refused by our guard, so the BSS was never seen and
+'Wi-Fi network could not be found' was the only outcome.
+
+Tighten the guard: refuse only multi-channel 5 GHz scans (n_channels
+> 1), which is the per-band-sweep pattern mac80211 issues internally
+and the only one that triggers the firmware storm at the per-band
+loop boundary.  Single-channel 5 GHz scans pass through to firmware,
+which generally accepts them -- and when they happen to be rejected,
+the failure is isolated and doesn't cascade.
+
+Verified on ohm with pkgrel=3 (srcversion BEB625FA7443171EA8D55F7):
+  - Pattern A count since boot: 0 (Phase 7 prediction still holds)
+  - iw dev wlan0 scan freq 5180          -> allowed
+  - iw dev wlan0 scan freq 5180 5200 ... -> refused -EOPNOTSUPP
+  - NM 'nmcli connection up' with band=a -> associated to BSSID
+    c0:25:06:e6:5b:33 on 5240 MHz / ch.48 in ~1 second
+  - TX bitrate 150 Mbit/s MCS 7 40MHz short-GI (vs 72.2 Mbit/s
+    HT20 on 2.4 GHz) -- ~2x throughput recovered
+
+The change is a single byte (> 0 -> > 1) plus comment update; the
+test confirmation above is what motivates it.
+
+Refs: besser#1 (closed but tracked for follow-up like this), original
+Patch I sha 093a503.
+---
+ bes2600/scan.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/staging/bes2600/scan.c b/drivers/staging/bes2600/scan.c
+index a81afb6..497523b 100644
+--- a/drivers/staging/bes2600/scan.c
++++ b/drivers/staging/bes2600/scan.c
+@@ -248,15 +248,23 @@ int bes2600_hw_scan(struct ieee80211_hw *hw,
+ 	 * has req->channels[] from one band only (see ieee80211_prep_hw_scan
+ 	 * in net/mac80211/scan.c).  Refuse the 5 GHz iteration at the driver
+ 	 * boundary so userspace gets a clean aborted-scan for that portion
+-	 * rather than waiting for the firmware reject to cascade up.  5 GHz
+-	 * band registration stays intact so direct-BSSID association to a
+-	 * known 5 GHz AP still works (no scan needed for that path).
++	 * rather than waiting for the firmware reject to cascade up.
++	 *
++	 * Only the multi-channel case is refused (n_channels > 1): that's
++	 * the per-band-sweep pattern mac80211 issues internally and the
++	 * one that triggers the firmware storm at the per-band loop
++	 * boundary.  Single-channel 5 GHz scans (BSS verification, NM's
++	 * per-freq iteration when 802-11-wireless.band=a is set) pass
++	 * through to firmware, which generally accepts them since the
++	 * storm is the back-to-back per-band issue, not a blanket 5 GHz
++	 * reject.  This preserves 5 GHz association via the
++	 * "wpa_supplicant iterates freq_list per channel" path.
+ 	 *
+ 	 * Contract: per include/net/mac80211.h struct ieee80211_ops.hw_scan
+ 	 * documentation, a negative return aborts the scan without requiring
+ 	 * ieee80211_scan_completed().
+ 	 */
+-	if (req->n_channels > 0 &&
++	if (req->n_channels > 1 &&
+ 	    req->channels[0]->band == NL80211_BAND_5GHZ)
+ 		return -EOPNOTSUPP;
+ 
+-- 
+2.54.0
+

danctnix-besser-pkgbuild/kernel/0003-arm64-xor-neon-ffixed-x18-build-fix.patch

@@ -0,0 +1,36 @@
+From: Markus Fritsche <fritsche.markus@gmail.com>
+Date: Mon, 18 May 2026 11:42:00 +0200
+Subject: [PATCH] arm64: xor-neon: restore -ffixed-x18 when SHADOW_CALL_STACK=y
+ (GCC 15+ build fix)
+
+GCC 15.2.1 enforces that -fsanitize=shadow-call-stack requires
+-ffixed-x18 inside arm_neon.h's #pragma GCC target() blocks.  The
+existing CFLAGS_REMOVE_xor-neon.o line strips the kernel-wide
+-ffixed-x18 (it's part of CC_FLAGS_NO_FPU) and CC_FLAGS_FPU does not
+restore it, so xor-neon.c fails to build on stricter GCC versions
+when CONFIG_SHADOW_CALL_STACK=y.
+
+Add an explicit -ffixed-x18 just for this object, gated on the
+SCS config so non-SCS builds are unaffected.
+
+Build environment workaround; not a kernel-runtime bug.
+---
+ arch/arm64/lib/Makefile | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/arm64/lib/Makefile b/arch/arm64/lib/Makefile
+index 1234567..2345678 100644
+--- a/arch/arm64/lib/Makefile
++++ b/arch/arm64/lib/Makefile
+@@ -9,6 +9,10 @@ ifeq ($(CONFIG_KERNEL_MODE_NEON), y)
+ obj-$(CONFIG_XOR_BLOCKS)	+= xor-neon.o
+ CFLAGS_xor-neon.o		+= $(CC_FLAGS_FPU)
+ CFLAGS_REMOVE_xor-neon.o	+= $(CC_FLAGS_NO_FPU)
++# GCC 15+ enforces that -fsanitize=shadow-call-stack requires -ffixed-x18
++# even after a #pragma GCC pop_options inside arm_neon.h.  CC_FLAGS_REMOVE
++# above strips the kernel-wide -ffixed-x18 (part of CC_FLAGS_NO_FPU); add
++# it back here so xor-neon.c still compiles when SHADOW_CALL_STACK=y.
++CFLAGS_xor-neon.o		+= $(if $(CONFIG_SHADOW_CALL_STACK),-ffixed-x18)
+ endif
+ 
+ lib-$(CONFIG_ARCH_HAS_UACCESS_FLUSHCACHE) += uaccess_flushcache.o

danctnix-besser-pkgbuild/kernel/PKGBUILD

@@ -11,7 +11,7 @@
 
 pkgbase=linux-pinetab2-danctnix-besser
 pkgver=7.0.danctnix1
-pkgrel=1
+pkgrel=3
 pkgdesc='PineTab2 (BESser bes2600 driver patchset)'
 _srcname=linux-pinetab2
 _srctag=v${pkgver%.*}-${pkgver##*.}
@@ -39,6 +39,9 @@ source=(
   https://cdn.kernel.org/pub/linux/kernel/v${pkgver%%.*}.x/linux-${pkgver%.*}.tar.{xz,sign}
   ${_url_git}/releases/download/${_srctag}/${_srctag}.patch.zst{,.sig}
   0001-bes2600-besser-cumulative-series.patch
+  0002-bes2600-filter-5ghz-scan.patch
+  0003-arm64-xor-neon-ffixed-x18-build-fix.patch
+  0003-arm64-xor-neon-ffixed-x18-build-fix.patch
   config  # the main kernel config file
 )
 validpgpkeys=(
@@ -50,8 +53,11 @@ b2sums=('3d9795083c8938f80f480de0d10bfd9c525640e59d5c7f22983de3f12ee42c84c31be90
         'SKIP'
         '71fe98221e802b315e54b4b10d3e8c8f376695a36bae3541d876e5776a37f3fa33c8f8dfa6e51fcbd6f5396add02e5166634165f2351836a0ea0453c172fe56c'
         'SKIP'
-        '93fa699a467ed671632eae6e4b47cd544b1a591619d58a33e9be9fa3a77d21e108a57847517138b43ee12efbc11cd1ad848d14673ea4224b3d516783a0b5b0e7'
-        '19c35c69a4ed40635fb6ad108d2e0ed3d0edc682972255b4a9b719d09e377aa916e533b2e29f4aed256d3a393d77df9e11b661b690acd96edcf61eafe016f55b')
+        'fca0a5badf762d5dbc085261cccc07ddeef96384d2ae0a426fb0412acd7a180e068cabd59f01342b7575d41889afc0f47dfbc9256801ab809f746278e6dab510'
+        '396acbdcf570eada62533c0b8f505ed18077e8432249bab5b8ac8d1107cabc9489bdb91a5780446237ec4fd9ba5fc57a49dff34c16ddab60dc30513fc535f00f'
+        '2714e3c0cd8ec978ce9431418f44f578220886fcabb738c9a0c43fc3c043753960b7c47ae96e1780154d8b266a2add6098407de4ffa7aee40d77ce17e8c70df9'
+        '2714e3c0cd8ec978ce9431418f44f578220886fcabb738c9a0c43fc3c043753960b7c47ae96e1780154d8b266a2add6098407de4ffa7aee40d77ce17e8c70df9'
+        '656a998ab40cb85ee4c00f087b071a91632a6c091da2c84b0f74236b51d2dea6e9db6886625f80ad81dc249d8494ec47cd79d6dd9ea4f5e44f3cde857f861e10')
 
 export KBUILD_BUILD_HOST=archlinux
 export KBUILD_BUILD_USER=$pkgbase
@@ -103,7 +109,9 @@ _package() {
   provides=(
     KSMBD-MODULE
     WIREGUARD-MODULE
+    "linux-pinetab2=$pkgver-$pkgrel"
   )
+  conflicts=(linux-pinetab2)
   replaces=(
     wireguard-arch
   )
@@ -126,12 +134,12 @@ _package() {
   echo "Installing device trees..."
   make INSTALL_DTBS_PATH="$pkgdir/boot/dtbs" dtbs_install
 
-  # Removing unnecessary device tree
-  for dtb in "$pkgdir"/boot/dtbs/rockchip/*; do
-    [[ $dtb = *-pinetab2-* ]] && continue
-    echo "Removing $(basename "$dtb")"
-    rm "$dtb"
-  done
+  # Removing unnecessary device trees (keep only pinetab2 variants).
+  # Use find -delete instead of a bash for-loop: the previous for-loop
+  # silently no-op'd in the makepkg environment, leaving 234 unrelated
+  # board DTBs in the package.  find is robust to nullglob/cwd quirks.
+  find "$pkgdir"/boot/dtbs/rockchip/ -mindepth 1 -maxdepth 1 -type f \
+       ! -name 'rk3566-pinetab2-*' -delete
 
   # remove build link
   rm "$modulesdir"/build

danctnix-besser-pkgbuild/kernel/config

@@ -791,7 +791,7 @@ CONFIG_HAVE_STACKPROTECTOR=y
 CONFIG_STACKPROTECTOR=y
 CONFIG_STACKPROTECTOR_STRONG=y
 CONFIG_ARCH_SUPPORTS_SHADOW_CALL_STACK=y
-CONFIG_SHADOW_CALL_STACK=y
+# CONFIG_SHADOW_CALL_STACK is not set
 CONFIG_ARCH_SUPPORTS_LTO_CLANG=y
 CONFIG_ARCH_SUPPORTS_LTO_CLANG_THIN=y
 CONFIG_LTO_NONE=y