public inbox for linux-wireless@vger.kernel.org
* [PATCH wireless v3 0/3] wifi: mt76: clear cipher state on key removal for WED offload
@ 2026-04-07  5:39 Joshua Klinesmith
From: Joshua Klinesmith @ 2026-04-07  5:39 UTC
  To: linux-wireless
  Cc: nbd, lorenzo, ryder.lee, shayne.chen, sean.wang,
	Joshua Klinesmith

Clear stale BSS cipher on group key removal so WED-offloaded
plaintext traffic is not dropped after switching from encrypted
to open/no-encryption mode.

Changes since v2:
- New patch 1/3: initialize hw_key_idx2 to -1 in mt76_wcid_init()
  for a consistent "no key" sentinel on both key index slots.
- Guard cipher clearing on both hw_key_idx == (u8)-1 AND
  hw_key_idx2 == (u8)-1, so that GTK rotation (new key installed
  before old removed) and BIGTK removal while another group key
  is active do not trigger a premature zero-cipher BSS update.

Changes since v1:
- Rebased on current wireless tree.

Joshua Klinesmith (3):
  wifi: mt76: initialize hw_key_idx2 in mt76_wcid_init
  wifi: mt76: mt7915: clear cipher state on key removal for WED offload
  wifi: mt76: mt7996: clear cipher state on key removal for WED offload

 drivers/net/wireless/mediatek/mt76/mac80211.c |  1 +
 .../net/wireless/mediatek/mt76/mt7915/main.c  | 13 +++++++++++
 .../net/wireless/mediatek/mt76/mt7996/main.c  | 23 ++++++++++++++++---
 3 files changed, 34 insertions(+), 3 deletions(-)

-- 
2.43.0

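A small model of the key-slot bookkeeping this series relies on, added here for illustration (it is not code from the series or from the mt76 driver): the two per-wcid slots hw_key_idx/hw_key_idx2, the BSS cipher, and the guard from patches 2/3 and 3/3, driven through the GTK-rotation, BIGTK and switch-to-open sequences described in the cover letter. The struct and function names and the cipher id 4 are the model's own, and "the first group key sets the cipher" is assumed from the title of the commit 2/3 fixes.

```c
#include <stdbool.h>
#include <stdint.h>

#define NO_KEY ((uint8_t)-1) /* "no key installed" sentinel, as in mt76_wcid_init() */

struct wcid_model {
	uint8_t hw_key_idx, hw_key_idx2; /* GTK slot, AES-CMAC/BIGTK slot */
	unsigned int cipher;             /* mvif->mt76.cipher, 0 = open */
};

/* SET_KEY: record the slot; the first group key sets the BSS cipher
 * (the id 4 is a constructed value, only zero vs non-zero matters here). */
static void group_key_set(struct wcid_model *w, uint8_t idx, bool bigtk)
{
	*(bigtk ? &w->hw_key_idx2 : &w->hw_key_idx) = idx;
	if (!w->cipher)
		w->cipher = 4;
}

/* DISABLE_KEY as in the patched else-branch; true means the guard fired
 * and a zero-cipher BSS_INFO update would be sent to the firmware. */
static bool group_key_remove(struct wcid_model *w, uint8_t idx, bool bigtk)
{
	uint8_t *slot = bigtk ? &w->hw_key_idx2 : &w->hw_key_idx;
	if (idx == *slot)
		*slot = NO_KEY;
	if (!w->cipher || w->hw_key_idx != NO_KEY || w->hw_key_idx2 != NO_KEY)
		return false;
	w->cipher = 0;
	return true;
}

/* Cover-letter sequence: GTK rotation, optional BIGTK add/remove, then the
 * last GTK removed. Returns how many removals cleared the cipher: 1 is right,
 * 0 is the stale-cipher bug, >1 a premature clear. patched_init=false models
 * hw_key_idx2 left at the kzalloc 0 that patch 1/3 replaces with -1. */
static unsigned int clears_rotation_then_open(bool patched_init, bool with_bigtk)
{
	struct wcid_model w = { NO_KEY, patched_init ? NO_KEY : 0, 0 };
	unsigned int clears = 0;
	group_key_set(&w, 1, false);              /* GTK idx 1 */
	group_key_set(&w, 2, false);              /* rotation: new key first */
	clears += group_key_remove(&w, 1, false); /* old GTK; hw_key_idx is 2 */
	if (with_bigtk) {
		group_key_set(&w, 6, true);              /* BIGTK idx 6 */
		clears += group_key_remove(&w, 6, true); /* GTK still active */
	}
	clears += group_key_remove(&w, 2, false); /* last group key gone */
	return clears;
}
```

Without the 1/3 initialisation the BSS that never carried a BIGTK never clears its cipher (returns 0), while a BSS whose BIGTK was removed at some point masks the bug, which is why the sentinel fix matters independently of 2/3 and 3/3.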

* [PATCH wireless v3 1/3] wifi: mt76: initialize hw_key_idx2 in mt76_wcid_init
From: Joshua Klinesmith @ 2026-04-07  5:39 UTC
  To: linux-wireless
  Cc: nbd, lorenzo, ryder.lee, shayne.chen, sean.wang,
	Joshua Klinesmith

hw_key_idx is initialized to -1 (0xFF, meaning "no key") in
mt76_wcid_init(), but hw_key_idx2 (used for AES-CMAC/BIGTK key
tracking) is left at the kzalloc default of 0. This makes the
two key index slots inconsistent: code that checks whether all
group keys have been removed cannot use a uniform "== (u8)-1"
test on both slots.

Initialize hw_key_idx2 to -1 alongside hw_key_idx so both use
the same "no key installed" sentinel. This does not change
runtime behavior since all existing consumers compare
hw_key_idx2 against explicit key indices (6 or 7) which are
distinct from both 0 and 0xFF.

Fixes: 730d6d0da8d8 ("mt76: mt7615: fix key set/delete issues")
Signed-off-by: Joshua Klinesmith <joshuaklinesmith@gmail.com>
---
 drivers/net/wireless/mediatek/mt76/mac80211.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/wireless/mediatek/mt76/mac80211.c b/drivers/net/wireless/mediatek/mt76/mac80211.c
index 75772979f438..5eea3b4f27dc 100644
--- a/drivers/net/wireless/mediatek/mt76/mac80211.c
+++ b/drivers/net/wireless/mediatek/mt76/mac80211.c
@@ -1690,6 +1690,7 @@ EXPORT_SYMBOL_GPL(mt76_sta_pre_rcu_remove);
 void mt76_wcid_init(struct mt76_wcid *wcid, u8 band_idx)
 {
 	wcid->hw_key_idx = -1;
+	wcid->hw_key_idx2 = -1;
 	wcid->phy_idx = band_idx;
 
 	INIT_LIST_HEAD(&wcid->tx_list);
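Review bot: patches 2/3 and 3/3 depend on this one line (their guard tests `hw_key_idx2 == (u8)-1`, which a wcid that never carried a BIGTK cannot satisfy while the kzalloc 0 is still in the slot), yet this patch has a Fixes tag but not the Cc: stable@vger.kernel.org that 2/3 and 3/3 carry; add the Cc or state the dependency explicitly so a stable backport does not pick up the guard without the sentinel. The "does not change runtime behavior" claim would also be easier to check if the message said that no caller tests hw_key_idx2 for truthiness, since 0xFF, unlike the old 0, is non-zero.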
-- 
2.43.0


* [PATCH wireless v3 2/3] wifi: mt76: mt7915: clear cipher state on key removal for WED offload
From: Joshua Klinesmith @ 2026-04-07  5:39 UTC
  To: linux-wireless
  Cc: nbd, lorenzo, ryder.lee, shayne.chen, sean.wang,
	Joshua Klinesmith, stable

When switching from WPA-PSK/SAE to open/no encryption, the
DISABLE_KEY path never resets mvif->mt76.cipher back to zero.
The stale cipher value is sent to the WA firmware via BSS_INFO
updates, causing the firmware to keep the protection bit set on
WED-offloaded packets. The hardware then drops all plaintext
frames, resulting in zero throughput.

Reset mvif->mt76.cipher to zero and notify the firmware via
mt7915_mcu_add_bss_info() when the last group key is removed.
The clearing is guarded by checking that both hw_key_idx and
hw_key_idx2 are unset (-1) so that GTK rotation (where the new
key is installed before the old one is removed) and BIGTK
removal while another group key is active do not trigger a
premature zero-cipher BSS update.

Fixes: 3fd2dbd6a1d3 ("mt76: mt7915: update bss_info with cipher after setting the group key")
Cc: stable@vger.kernel.org
Signed-off-by: Joshua Klinesmith <joshuaklinesmith@gmail.com>
---
 drivers/net/wireless/mediatek/mt76/mt7915/main.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/main.c b/drivers/net/wireless/mediatek/mt76/mt7915/main.c
index 116dff49c104..2365d1ccf23d 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/main.c
@@ -414,6 +414,19 @@ static int mt7915_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
 	} else {
 		if (idx == *wcid_keyidx)
 			*wcid_keyidx = -1;
+
+		/* Clear BSS cipher only when the last group key is removed;
+		 * during GTK rotation the new key is installed before the old
+		 * one is removed, so hw_key_idx still points at the new key
+		 * and this condition stays false.
+		 */
+		if (!sta && mvif->mt76.cipher &&
+		    wcid->hw_key_idx == (u8)-1 &&
+		    wcid->hw_key_idx2 == (u8)-1) {
+			mvif->mt76.cipher = 0;
+			mt7915_mcu_add_bss_info(phy, vif, true);
+		}
+
 		goto out;
 	}
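Review bot: the return value of `mt7915_mcu_add_bss_info(phy, vif, true);` is dropped, so if the MCU call fails mvif->mt76.cipher is already 0 while the firmware still holds the old cipher, which is the same driver/firmware mismatch this patch is fixing; either keep the cipher set when the call fails or say in the comment why a lost notification is acceptable here. The comment only explains the GTK-rotation half of the guard; a short mention that hw_key_idx2 is the AES-CMAC/BIGTK slot would stop a reader from taking the second `== (u8)-1` test as redundant.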
 
-- 
2.43.0


* [PATCH wireless v3 3/3] wifi: mt76: mt7996: clear cipher state on key removal for WED offload
From: Joshua Klinesmith @ 2026-04-07  5:39 UTC
  To: linux-wireless
  Cc: nbd, lorenzo, ryder.lee, shayne.chen, sean.wang,
	Joshua Klinesmith, stable

Same issue as mt7915: link->mt76.cipher is set on key installation
but never cleared on removal. The WA firmware retains the stale
cipher in BSS_INFO, sets the protection bit on WED-offloaded
frames, and drops all plaintext traffic when encryption is
switched to open/none.

Reset link->mt76.cipher to zero and call mt7996_mcu_add_bss_info()
when the last group key is removed. The clearing is guarded by
checking that both hw_key_idx and hw_key_idx2 are unset (-1) so
that GTK rotation and BIGTK removal while another group key is
active do not trigger a premature zero-cipher BSS update.

Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices")
Cc: stable@vger.kernel.org
Signed-off-by: Joshua Klinesmith <joshuaklinesmith@gmail.com>
---
 .../net/wireless/mediatek/mt76/mt7996/main.c  | 23 ++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/main.c b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
index f16135f0b7f9..8b1bc3237527 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
@@ -244,10 +244,27 @@ mt7996_set_hw_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
 					&link->mt76, msta_link, true);
 	}
 
-	if (cmd == SET_KEY)
+	if (cmd == SET_KEY) {
 		*wcid_keyidx = idx;
-	else if (idx == *wcid_keyidx)
-		*wcid_keyidx = -1;
+	} else {
+		if (idx == *wcid_keyidx)
+			*wcid_keyidx = -1;
+
+		/* Clear BSS cipher only when the last group key is removed;
+		 * during GTK rotation the new key is installed before the old
+		 * one is removed, so hw_key_idx still points at the new key
+		 * and this condition stays false.
+		 */
+		if (!sta && link->mt76.cipher &&
+		    msta_link->wcid.hw_key_idx == (u8)-1 &&
+		    msta_link->wcid.hw_key_idx2 == (u8)-1) {
+			link->mt76.cipher = 0;
+			if (link->phy)
+				mt7996_mcu_add_bss_info(link->phy, vif,
+							link_conf, &link->mt76,
+							msta_link, true);
+		}
+	}
 
 	/* only do remove key for BIGTK */
 	if (cmd != SET_KEY && !is_bigtk)
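Review bot: when `link->phy` is NULL the cipher is zeroed but no BSS_INFO update is sent, so link->mt76.cipher and the cipher the firmware holds diverge, and because the SET_KEY side keys off link->mt76.cipher the next group key would still re-send it, but nothing tells the firmware about the interval in between; either move `link->mt76.cipher = 0;` inside the `if (link->phy)` block or note in the comment why a link without a phy cannot have a stale cipher in firmware. The mt7915 counterpart in 2/3 sends the update unconditionally, so the asymmetry deserves a sentence in the commit message if it is deliberate.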
-- 
2.43.0

