From 5f475a9624490b07c305329f12016ff4a4df3b47 Mon Sep 17 00:00:00 2001
From: Markus Fritsche <fritsche.markus@gmail.com>
Date: Thu, 23 Apr 2026 19:31:25 +0200
Subject: [PATCH] bes2600: drop kernel_write() persistence from factory cali
 save

Following the conversion of the factory-calibration READ path to
request_firmware() (earlier in this series), the factory-calibration
WRITE path in factory_section_write_file() was still using
filp_open(O_CREAT | O_TRUNC | O_RDWR) + kernel_write() to persist
updated calibration data back to FACTORY_PATH
(default /lib/firmware/bes2600/bes2600_factory.txt).

Writing to files under /lib/firmware/ from kernel code is a
standing upstream blocker for staging and for drivers/net/wireless/
submission generally:

 - filp_open()/kernel_write() bypass the firmware-class abstraction,
   the LSM framework, and user/group/mode enforcement that governs
   the firmware search paths. They have been repeatedly called out
   in staging-prep reviews.
 - The kernel runs with capabilities that userspace does not (CAP_
   DAC_OVERRIDE effectively); quietly rewriting firmware blobs that
   userspace owns is a surprise contract.
 - A module unload / reboot immediately after the write races the
   writeback and can leave a truncated calibration file on disk.

Remove factory_section_write_file() and its two call sites in
bes2600_wifi_cali_table_save(). The in-memory factory_save_p
remains authoritative for the duration of the session: the WSM
command handlers that triggered this path (power-cali-table,
freq-cali, efuse-flag, power-cali-flag) already update the live
struct factory_t, and reads served from file_buffer pick up the
rebuilt serialised form immediately. On the next probe the
firmware-class file is re-read read-only via request_firmware(),
as set up by the earlier patch.

If cross-reboot persistence of runtime-updated calibration becomes
a requirement, the expected route is a userspace-visible dump
interface -- a read-only debugfs file exporting the serialised
blob, or an nl80211 vendor command -- that lets userspace copy the
values to a chosen location under its own privileges. Such a
facility can land as a follow-up without touching the core driver
write path again.

Signed-off-by: Markus Fritsche <fritsche.markus@gmail.com>
---
 bes2600/bes2600_factory.c | 63 +++++++++++----------------------------
 1 file changed, 17 insertions(+), 46 deletions(-)

diff --git a/drivers/staging/bes2600/bes2600_factory.c b/drivers/staging/bes2600/bes2600_factory.c
index 1cda447..1b43b41 100644
--- a/drivers/staging/bes2600/bes2600_factory.c
+++ b/drivers/staging/bes2600/bes2600_factory.c
@@ -179,34 +179,6 @@ static int factory_section_read_file(char *path, void *buffer)
 	return ret;
 }
 
-/**
- * factory_section_write_file - Write data of specified length to file
- * @path:	path of the file
- * @buffer:	storage of write data
- * @size:	length of data to write
- *
- * Return: length on success, negative error code otherwise.
- */
-static int factory_section_write_file(char *path, void *buffer, int size)
-{
-	int ret = 0;
-	struct file *fp;
-
-	bes_devel("writing %s \n", path);
-
-	fp = filp_open(path, O_TRUNC | O_CREAT | O_RDWR, S_IRUSR);
-	if (IS_ERR(fp)) {
-		bes_devel("BES2600 : can't open %s\n",path);
-		return -1;
-	}
-
-	ret = kernel_write(fp, buffer, size, &fp->f_pos);
-
-	filp_close(fp,NULL);
-
-	return ret;
-}
-
 static inline int factory_parse(uint8_t *source_buf, struct factory_t *factory)
 {
 	int ret = 0;
@@ -898,9 +870,22 @@ static inline int factory_build(uint8_t *dest_buf, struct factory_t *factory)
 #endif
 }
 
+/*
+ * Rebuild the serialised calibration blob in file_buffer from the live
+ * in-memory factory_save_p. Previously this function also persisted the
+ * blob back to FACTORY_PATH via filp_open(O_CREAT) + kernel_write(); that
+ * is not acceptable in mainline, so the persistence step has been removed.
+ *
+ * The in-memory factory_save_p remains authoritative for the duration of
+ * the session; on the next probe the firmware-class file is read back
+ * read-only via request_firmware(). If cross-reboot persistence of runtime
+ * calibration updates becomes a requirement, the expected route is a
+ * userspace-facing dump interface (debugfs read-only blob, or nl80211
+ * vendor command) that lets userspace read the serialised form and store
+ * it under its own privileges.
+ */
 static int bes2600_wifi_cali_table_save(u8 *file_buffer, struct factory_t *factory_save_p)
 {
-	int ret = 0;
 	int w_size;
 	u32 crc_len = sizeof(factory_data_t);
 #ifndef STANDARD_FACTORY_EFUSE_FLAG
@@ -909,13 +894,11 @@ static int bes2600_wifi_cali_table_save(u8 *file_buffer, struct factory_t *facto
 
 	bes_devel("enter %s\n", __func__);
 
-	if (!file_buffer) {
+	if (!file_buffer)
 		return -ENOMEM;
-	}
 
-	if (!factory_save_p) {
+	if (!factory_save_p)
 		return -ENOENT;
-	}
 
 	/* All initialized to space */
 	memset(file_buffer, 32, FACTORY_MAX_SIZE);
@@ -927,22 +910,10 @@ static int bes2600_wifi_cali_table_save(u8 *file_buffer, struct factory_t *facto
 	w_size = factory_build(file_buffer, factory_save_p);
 
 	if (w_size < 0 || w_size > FACTORY_MAX_SIZE) {
-		bes_err("%s: build failed! ret = %d.", __func__, ret);
+		bes_err("%s: build failed! w_size = %d.", __func__, w_size);
 		return -ETXTBSY;
 	}
 
-#ifdef FACTORY_SAVE_MULTI_PATH
-	/* avoid trailing characters '\0' */
-	file_buffer[w_size] = 32;
-	ret = factory_section_write_file(FACTORY_PATH, file_buffer, FACTORY_MAX_SIZE);
-#else
-	ret = factory_section_write_file(FACTORY_PATH, file_buffer, w_size);
-#endif
-	if(ret < 0) {
-		bes_err("%s: write failed! ret = %d.", __func__, ret);
-		return ret;
-	}
-
 	return 0;
 }
 
-- 
2.53.0