public inbox for linux-wireless@vger.kernel.org
* [PATCH wireless v2 0/2] wifi: mt76: clear cipher state on key removal for WED offload
@ 2026-04-07  0:15 Joshua Klinesmith
  2026-04-07  0:15 ` [PATCH wireless v2 1/2] wifi: mt76: mt7915: " Joshua Klinesmith
  2026-04-07  0:15 ` [PATCH wireless v2 2/2] wifi: mt76: mt7996: " Joshua Klinesmith
  0 siblings, 2 replies; 3+ messages in thread
From: Joshua Klinesmith @ 2026-04-07  0:15 UTC
  To: linux-wireless
  Cc: nbd, lorenzo, ryder.lee, shayne.chen, sean.wang, linux-kernel,
	Joshua Klinesmith

When switching WiFi encryption from WPA-PSK/SAE to open/none with
WED hardware offload enabled, throughput drops to zero. The BSS
cipher state is set when group keys are installed but never cleared
when they are removed. The WA firmware retains the stale cipher
value and keeps the protection bit set on WED-offloaded packets,
causing all plaintext frames to be dropped.

Found via reverse engineering of the vendor MediaTek SDK
mt_wifi.ko driver.
---
v1 -> v2: Rebased on wireless.git (was mt76-fixes)

Joshua Klinesmith (2):
  wifi: mt76: mt7915: clear cipher state on key removal for WED offload
  wifi: mt76: mt7996: clear cipher state on key removal for WED offload

 drivers/net/wireless/mediatek/mt76/mt7915/main.c | 6 ++++++
 drivers/net/wireless/mediatek/mt76/mt7996/main.c | 7 +++++++
 2 files changed, 13 insertions(+)


base-commit: 45dbf8fcea4dcf28cabcf4a1778e908feadf4c90
-- 
2.43.0


* [PATCH wireless v2 1/2] wifi: mt76: mt7915: clear cipher state on key removal for WED offload
  2026-04-07  0:15 [PATCH wireless v2 0/2] wifi: mt76: clear cipher state on key removal for WED offload Joshua Klinesmith
@ 2026-04-07  0:15 ` Joshua Klinesmith
  2026-04-07  0:15 ` [PATCH wireless v2 2/2] wifi: mt76: mt7996: " Joshua Klinesmith
  1 sibling, 0 replies; 3+ messages in thread
From: Joshua Klinesmith @ 2026-04-07  0:15 UTC
  To: linux-wireless
  Cc: nbd, lorenzo, ryder.lee, shayne.chen, sean.wang, linux-kernel,
	Joshua Klinesmith, stable

When switching from WPA-PSK/SAE to open/no encryption, the
DISABLE_KEY path never resets mvif->mt76.cipher back to zero.
The stale cipher value is sent to the WA firmware via BSS_INFO
updates, causing the firmware to keep the protection bit set on
WED-offloaded packets. The hardware then drops all plaintext
frames, resulting in zero throughput.

Reset mvif->mt76.cipher to zero and notify the firmware via
mt7915_mcu_add_bss_info() when the last group key is removed.

Fixes: 3fd2dbd6a1d3 ("mt76: mt7915: update bss_info with cipher after setting the group key")
Cc: stable@vger.kernel.org
Signed-off-by: Joshua Klinesmith <joshuaklinesmith@gmail.com>
---
 drivers/net/wireless/mediatek/mt76/mt7915/main.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/main.c b/drivers/net/wireless/mediatek/mt76/mt7915/main.c
index 90d5e79fbf..6e7442cac4 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/main.c
@@ -414,6 +414,12 @@ static int mt7915_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
 	} else {
 		if (idx == *wcid_keyidx)
 			*wcid_keyidx = -1;
+
+		if (!sta && mvif->mt76.cipher) {
+			mvif->mt76.cipher = 0;
+			mt7915_mcu_add_bss_info(phy, vif, true);
+		}
+
 		goto out;
 	}
 
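Review bot: The added condition `if (!sta && mvif->mt76.cipher)` fires on the removal of any non-station key, not only on the last group key as the commit message states. Nothing in this branch checks whether another group key is still installed on the vif, so if one group key is removed while another remains, mvif->mt76.cipher is zeroed and a BSS_INFO update with cipher 0 is sent for a BSS that is still protected. Consider clearing only when no group key is left (for example by tracking the installed group key count) or only when the removed key is the one whose cipher was recorded. The return value of mt7915_mcu_add_bss_info() is also discarded before `goto out`; if that command fails, driver and firmware disagree about the cipher, so the error should be propagated or at least logged.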
-- 
2.43.0


* [PATCH wireless v2 2/2] wifi: mt76: mt7996: clear cipher state on key removal for WED offload
  2026-04-07  0:15 [PATCH wireless v2 0/2] wifi: mt76: clear cipher state on key removal for WED offload Joshua Klinesmith
  2026-04-07  0:15 ` [PATCH wireless v2 1/2] wifi: mt76: mt7915: " Joshua Klinesmith
@ 2026-04-07  0:15 ` Joshua Klinesmith
  1 sibling, 0 replies; 3+ messages in thread
From: Joshua Klinesmith @ 2026-04-07  0:15 UTC
  To: linux-wireless
  Cc: nbd, lorenzo, ryder.lee, shayne.chen, sean.wang, linux-kernel,
	Joshua Klinesmith, stable

Same issue as mt7915: link->mt76.cipher is set on key installation
but never cleared on removal. The WA firmware retains the stale
cipher in BSS_INFO, sets the protection bit on WED-offloaded
frames, and drops all plaintext traffic when encryption is
switched to open/none.

Reset link->mt76.cipher to zero and call mt7996_mcu_add_bss_info()
when the last group key is removed.

Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices")
Cc: stable@vger.kernel.org
Signed-off-by: Joshua Klinesmith <joshuaklinesmith@gmail.com>
---
 drivers/net/wireless/mediatek/mt76/mt7996/main.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/main.c b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
index f16135f0b7..d464fc3d90 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
@@ -249,6 +249,13 @@ mt7996_set_hw_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
 	else if (idx == *wcid_keyidx)
 		*wcid_keyidx = -1;
 
+	if (cmd != SET_KEY && !sta && link->mt76.cipher) {
+		link->mt76.cipher = 0;
+		if (link->phy)
+			mt7996_mcu_add_bss_info(link->phy, vif, link_conf,
+						&link->mt76, msta_link, true);
+	}
+
 	/* only do remove key for BIGTK */
 	if (cmd != SET_KEY && !is_bigtk)
 		return 0;
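Review bot: link->mt76.cipher is cleared unconditionally, but the firmware is only notified inside `if (link->phy)`, so when link->phy is NULL the host records "no cipher" while the firmware keeps the stale value this patch is meant to clear. Either reset the field only once the BSS_INFO update has actually been issued, or document why a later update is guaranteed in that case. The result of mt7996_mcu_add_bss_info() is ignored as well, and the function can return 0 immediately afterwards, so a failed update is silent. The condition `cmd != SET_KEY && !sta` has the same shape as in patch 1/2: it matches every non-station key removal, and because the block sits above the "only do remove key for BIGTK" early return it runs for all of them, which does not match "when the last group key is removed" in the commit message.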
-- 
2.43.0

