When switching from WPA-PSK/SAE to open/no encryption, the DISABLE_KEY path never resets mvif->mt76.cipher back to zero. The stale cipher value is sent to the WA firmware via BSS_INFO updates, causing the firmware to keep the protection bit set on WED-offloaded packets. The hardware then drops all plaintext frames, resulting in zero throughput. Reset mvif->mt76.cipher to zero and notify the firmware via mt7915_mcu_add_bss_info() when the last group key is removed. The clearing is guarded by checking that both hw_key_idx and hw_key_idx2 are unset (-1) so that GTK rotation (where the new key is installed before the old one is removed) and BIGTK removal while another group key is active do not trigger a premature zero-cipher BSS update. Fixes: 3fd2dbd6a1d3 ("mt76: mt7915: update bss_info with cipher after setting the group key") Cc: stable@vger.kernel.org Signed-off-by: Joshua Klinesmith --- drivers/net/wireless/mediatek/mt76/mt7915/main.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/main.c b/drivers/net/wireless/mediatek/mt76/mt7915/main.c index 116dff49c104..2365d1ccf23d 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7915/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7915/main.c @@ -414,6 +414,19 @@ static int mt7915_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd, } else { if (idx == *wcid_keyidx) *wcid_keyidx = -1; + + /* Clear BSS cipher only when the last group key is removed; + * during GTK rotation the new key is installed before the old + * one is removed, so hw_key_idx still points at the new key + * and this condition stays false. + */ + if (!sta && mvif->mt76.cipher && + wcid->hw_key_idx == (u8)-1 && + wcid->hw_key_idx2 == (u8)-1) { + mvif->mt76.cipher = 0; + mt7915_mcu_add_bss_info(phy, vif, true); + } + goto out; } -- 2.43.0
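Review bot: The result of mt7915_mcu_add_bss_info(phy, vif, true) in the added block is discarded, and mvif->mt76.cipher is set to 0 before the call. If the MCU command fails, the driver records the BSS as unencrypted while the firmware still holds the old cipher, which is the same driver/firmware mismatch the commit message names as the cause of the dropped plaintext frames. Consider capturing the return value and propagating it through the function's return path before `goto out`, or at minimum logging the failure so the condition is visible. Separately, the new comment explains only the GTK rotation case; one more sentence on why `wcid->hw_key_idx2 == (u8)-1` is also required (BIGTK removal while another group key is active, per the commit message) would make the second half of the condition self-explanatory.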