[openwrt/openwrt] mac80211, mt76: add fixes for recently discovered security issues

LEDE Commits lede-commits at lists.infradead.org
Thu Mar 30 02:40:43 PDT 2023


nbd pushed a commit to openwrt/openwrt.git, branch master:
https://git.openwrt.org/d54c91bd9ab3c54ee06923eafbd67047816a37e4

commit d54c91bd9ab3c54ee06923eafbd67047816a37e4
Author: Felix Fietkau <nbd at nbd.name>
AuthorDate: Wed Mar 29 17:54:19 2023 +0200

    mac80211, mt76: add fixes for recently discovered security issues
    
    Fixes CVE-2022-47522
    
    Signed-off-by: Felix Fietkau <nbd at nbd.name>
---
 ...211-correctly-mark-FTM-frames-non-buffera.patch | 134 +++++++++
 ...wifi-mac80211-flush-queues-on-STA-removal.patch |  36 +++
 ...wlwifi-mvm-support-flush-on-AP-interfaces.patch |  34 +++
 .../333-wifi-mac80211-add-flush_sta-method.patch   |  91 ++++++
 ...-iwlwifi-mvm-support-new-flush_sta-method.patch |  53 ++++
 package/kernel/mt76/patches/100-api_update.patch   |  11 +
 ...110-wifi-mt76-ignore-key-disable-commands.patch | 326 +++++++++++++++++++++
 7 files changed, 685 insertions(+)

diff --git a/package/kernel/mac80211/patches/subsys/330-wifi-ieee80211-correctly-mark-FTM-frames-non-buffera.patch b/package/kernel/mac80211/patches/subsys/330-wifi-ieee80211-correctly-mark-FTM-frames-non-buffera.patch
new file mode 100644
index 0000000000..9c98d9e6d9
--- /dev/null
+++ b/package/kernel/mac80211/patches/subsys/330-wifi-ieee80211-correctly-mark-FTM-frames-non-buffera.patch
@@ -0,0 +1,134 @@
+From: Johannes Berg <johannes.berg at intel.com>
+Date: Wed, 29 Mar 2023 16:46:26 +0200
+Subject: [PATCH] wifi: ieee80211: correctly mark FTM frames non-bufferable
+
+The checks of whether or not a frame is bufferable were not
+taking into account that some action frames aren't, such as
+FTM. Check this, which requires some changes to the function
+ieee80211_is_bufferable_mmpdu() since we need the whole skb
+for the checks now.
+
+Signed-off-by: Johannes Berg <johannes.berg at intel.com>
+Reviewed-by: Greenman, Gregory <gregory.greenman at intel.com>
+Reviewed-by: Peer, Ilan <ilan.peer at intel.com>
+---
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+@@ -601,8 +601,9 @@ static void iwl_mvm_skb_prepare_status(s
+ 
+ static int iwl_mvm_get_ctrl_vif_queue(struct iwl_mvm *mvm,
+ 				      struct ieee80211_tx_info *info,
+-				      struct ieee80211_hdr *hdr)
++				      struct sk_buff *skb)
+ {
++	struct ieee80211_hdr *hdr = (void *)skb->data;
+ 	struct iwl_mvm_vif *mvmvif =
+ 		iwl_mvm_vif_from_mac80211(info->control.vif);
+ 	__le16 fc = hdr->frame_control;
+@@ -621,7 +622,7 @@ static int iwl_mvm_get_ctrl_vif_queue(st
+ 		 * reason 7 ("Class 3 frame received from nonassociated STA").
+ 		 */
+ 		if (ieee80211_is_mgmt(fc) &&
+-		    (!ieee80211_is_bufferable_mmpdu(fc) ||
++		    (!ieee80211_is_bufferable_mmpdu(skb) ||
+ 		     ieee80211_is_deauth(fc) || ieee80211_is_disassoc(fc)))
+ 			return mvm->probe_queue;
+ 
+@@ -740,7 +741,7 @@ int iwl_mvm_tx_skb_non_sta(struct iwl_mv
+ 			else
+ 				sta_id = mvmvif->mcast_sta.sta_id;
+ 
+-			queue = iwl_mvm_get_ctrl_vif_queue(mvm, &info, hdr);
++			queue = iwl_mvm_get_ctrl_vif_queue(mvm, &info, skb);
+ 		} else if (info.control.vif->type == NL80211_IFTYPE_MONITOR) {
+ 			queue = mvm->snif_queue;
+ 			sta_id = mvm->snif_sta.sta_id;
+--- a/include/linux/ieee80211.h
++++ b/include/linux/ieee80211.h
+@@ -772,20 +772,6 @@ static inline bool ieee80211_is_any_null
+ }
+ 
+ /**
+- * ieee80211_is_bufferable_mmpdu - check if frame is bufferable MMPDU
+- * @fc: frame control field in little-endian byteorder
+- */
+-static inline bool ieee80211_is_bufferable_mmpdu(__le16 fc)
+-{
+-	/* IEEE 802.11-2012, definition of "bufferable management frame";
+-	 * note that this ignores the IBSS special case. */
+-	return ieee80211_is_mgmt(fc) &&
+-	       (ieee80211_is_action(fc) ||
+-		ieee80211_is_disassoc(fc) ||
+-		ieee80211_is_deauth(fc));
+-}
+-
+-/**
+  * ieee80211_is_first_frag - check if IEEE80211_SCTL_FRAG is not set
+  * @seq_ctrl: frame sequence control bytes in little-endian byteorder
+  */
+@@ -4121,6 +4107,44 @@ static inline u8 *ieee80211_get_DA(struc
+ }
+ 
+ /**
++ * ieee80211_is_bufferable_mmpdu - check if frame is bufferable MMPDU
++ * @skb: the skb to check, starting with the 802.11 header
++ */
++static inline bool ieee80211_is_bufferable_mmpdu(struct sk_buff *skb)
++{
++	struct ieee80211_mgmt *mgmt = (void *)skb->data;
++	__le16 fc = mgmt->frame_control;
++
++	/*
++	 * IEEE 802.11 REVme D2.0 definition of bufferable MMPDU;
++	 * note that this ignores the IBSS special case.
++	 */
++	if (!ieee80211_is_mgmt(fc))
++		return false;
++
++	if (ieee80211_is_disassoc(fc) || ieee80211_is_deauth(fc))
++		return true;
++
++	if (!ieee80211_is_action(fc))
++		return false;
++
++	if (skb->len < offsetofend(typeof(*mgmt), u.action.u.ftm.action_code))
++		return true;
++
++	/* action frame - additionally check for non-bufferable FTM */
++
++	if (mgmt->u.action.category != WLAN_CATEGORY_PUBLIC &&
++	    mgmt->u.action.category != WLAN_CATEGORY_PROTECTED_DUAL_OF_ACTION)
++		return true;
++
++	if (mgmt->u.action.u.ftm.action_code == WLAN_PUB_ACTION_FTM_REQUEST ||
++	    mgmt->u.action.u.ftm.action_code == WLAN_PUBLIC_ACTION_FTM_RESPONSE)
++		return false;
++
++	return true;
++}
++
++/**
+  * _ieee80211_is_robust_mgmt_frame - check if frame is a robust management frame
+  * @hdr: the frame (buffer must include at least the first octet of payload)
+  */
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -488,7 +488,7 @@ ieee80211_tx_h_unicast_ps_buf(struct iee
+ 		int ac = skb_get_queue_mapping(tx->skb);
+ 
+ 		if (ieee80211_is_mgmt(hdr->frame_control) &&
+-		    !ieee80211_is_bufferable_mmpdu(hdr->frame_control)) {
++		    !ieee80211_is_bufferable_mmpdu(tx->skb)) {
+ 			info->flags |= IEEE80211_TX_CTL_NO_PS_BUFFER;
+ 			return TX_CONTINUE;
+ 		}
+@@ -1325,7 +1325,7 @@ static struct txq_info *ieee80211_get_tx
+ 	if (!(info->flags & IEEE80211_TX_CTL_HW_80211_ENCAP) &&
+ 	    unlikely(!ieee80211_is_data_present(hdr->frame_control))) {
+ 		if ((!ieee80211_is_mgmt(hdr->frame_control) ||
+-		     ieee80211_is_bufferable_mmpdu(hdr->frame_control) ||
++		     ieee80211_is_bufferable_mmpdu(skb) ||
+ 		     vif->type == NL80211_IFTYPE_STATION) &&
+ 		    sta && sta->uploaded) {
+ 			/*
diff --git a/package/kernel/mac80211/patches/subsys/331-wifi-mac80211-flush-queues-on-STA-removal.patch b/package/kernel/mac80211/patches/subsys/331-wifi-mac80211-flush-queues-on-STA-removal.patch
new file mode 100644
index 0000000000..00232ec1b9
--- /dev/null
+++ b/package/kernel/mac80211/patches/subsys/331-wifi-mac80211-flush-queues-on-STA-removal.patch
@@ -0,0 +1,36 @@
+From: Johannes Berg <johannes.berg at intel.com>
+Date: Mon, 13 Mar 2023 11:42:12 +0100
+Subject: [PATCH] wifi: mac80211: flush queues on STA removal
+
+When we remove a station, we first make it unreachable,
+then we (must) remove its keys, and then remove the
+station itself. Depending on the hardware design, if
+we have hardware crypto at all, frames still sitting
+on hardware queues may then be transmitted without a
+valid key, possibly unencrypted or with a fixed key.
+
+Fix this by flushing the queues when removing stations
+so this cannot happen.
+
+Cc: stable at vger.kernel.org
+Signed-off-by: Johannes Berg <johannes.berg at intel.com>
+Reviewed-by: Greenman, Gregory <gregory.greenman at intel.com>
+---
+
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -1271,6 +1271,14 @@ static void __sta_info_destroy_part2(str
+ 		WARN_ON_ONCE(ret);
+ 	}
+ 
++	/* Flush queues before removing keys, as that might remove them
++	 * from hardware, and then depending on the offload method, any
++	 * frames sitting on hardware queues might be sent out without
++	 * any encryption at all.
++	 */
++	if (local->ops->set_key)
++		ieee80211_flush_queues(local, sta->sdata, false);
++
+ 	/* now keys can no longer be reached */
+ 	ieee80211_free_sta_keys(local, sta);
+ 
diff --git a/package/kernel/mac80211/patches/subsys/332-wifi-iwlwifi-mvm-support-flush-on-AP-interfaces.patch b/package/kernel/mac80211/patches/subsys/332-wifi-iwlwifi-mvm-support-flush-on-AP-interfaces.patch
new file mode 100644
index 0000000000..3c31dfeddc
--- /dev/null
+++ b/package/kernel/mac80211/patches/subsys/332-wifi-iwlwifi-mvm-support-flush-on-AP-interfaces.patch
@@ -0,0 +1,34 @@
+From: Johannes Berg <johannes.berg at intel.com>
+Date: Mon, 13 Mar 2023 12:02:58 +0100
+Subject: [PATCH] wifi: iwlwifi: mvm: support flush on AP interfaces
+
+Support TX flush on AP interfaces so that we will do a
+proper flush for frames on the queue before keys are
+removed.
+
+Signed-off-by: Johannes Berg <johannes.berg at intel.com>
+Reviewed-by: Greenman, Gregory <gregory.greenman at intel.com>
+---
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+@@ -4854,9 +4854,6 @@ static void iwl_mvm_mac_flush(struct iee
+ 		return;
+ 	}
+ 
+-	if (vif->type != NL80211_IFTYPE_STATION)
+-		return;
+-
+ 	/* Make sure we're done with the deferred traffic before flushing */
+ 	flush_work(&mvm->add_stream_wk);
+ 
+@@ -4874,9 +4871,6 @@ static void iwl_mvm_mac_flush(struct iee
+ 		if (mvmsta->vif != vif)
+ 			continue;
+ 
+-		/* make sure only TDLS peers or the AP are flushed */
+-		WARN_ON(i != mvmvif->ap_sta_id && !sta->tdls);
+-
+ 		if (drop) {
+ 			if (iwl_mvm_flush_sta(mvm, mvmsta, false))
+ 				IWL_ERR(mvm, "flush request fail\n");
diff --git a/package/kernel/mac80211/patches/subsys/333-wifi-mac80211-add-flush_sta-method.patch b/package/kernel/mac80211/patches/subsys/333-wifi-mac80211-add-flush_sta-method.patch
new file mode 100644
index 0000000000..300a2b65c6
--- /dev/null
+++ b/package/kernel/mac80211/patches/subsys/333-wifi-mac80211-add-flush_sta-method.patch
@@ -0,0 +1,91 @@
+From: Johannes Berg <johannes.berg at intel.com>
+Date: Mon, 13 Mar 2023 11:53:51 +0100
+Subject: [PATCH] wifi: mac80211: add flush_sta method
+
+Some drivers like iwlwifi might have per-STA queues, so we
+may want to flush/drop just those queues rather than all
+when removing a station. Add a separate method for that.
+
+Signed-off-by: Johannes Berg <johannes.berg at intel.com>
+Reviewed-by: Greenman, Gregory <gregory.greenman at intel.com>
+---
+
+--- a/include/net/mac80211.h
++++ b/include/net/mac80211.h
+@@ -3922,6 +3922,10 @@ struct ieee80211_prep_tx_info {
+  *	Note that vif can be NULL.
+  *	The callback can sleep.
+  *
++ * @flush_sta: Flush or drop all pending frames from the hardware queue(s) for
++ *	the given station, as it's about to be removed.
++ *	The callback can sleep.
++ *
+  * @channel_switch: Drivers that need (or want) to offload the channel
+  *	switch operation for CSAs received from the AP may implement this
+  *	callback. They must then call ieee80211_chswitch_done() to indicate
+@@ -4376,6 +4380,8 @@ struct ieee80211_ops {
+ #endif
+ 	void (*flush)(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
+ 		      u32 queues, bool drop);
++	void (*flush_sta)(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
++			  struct ieee80211_sta *sta);
+ 	void (*channel_switch)(struct ieee80211_hw *hw,
+ 			       struct ieee80211_vif *vif,
+ 			       struct ieee80211_channel_switch *ch_switch);
+--- a/net/mac80211/driver-ops.h
++++ b/net/mac80211/driver-ops.h
+@@ -617,6 +617,21 @@ static inline void drv_flush(struct ieee
+ 	trace_drv_return_void(local);
+ }
+ 
++static inline void drv_flush_sta(struct ieee80211_local *local,
++				 struct ieee80211_sub_if_data *sdata,
++				 struct sta_info *sta)
++{
++	might_sleep();
++
++	if (sdata && !check_sdata_in_driver(sdata))
++		return;
++
++	trace_drv_flush_sta(local, sdata, &sta->sta);
++	if (local->ops->flush_sta)
++		local->ops->flush_sta(&local->hw, &sdata->vif, &sta->sta);
++	trace_drv_return_void(local);
++}
++
+ static inline void drv_channel_switch(struct ieee80211_local *local,
+ 				      struct ieee80211_sub_if_data *sdata,
+ 				      struct ieee80211_channel_switch *ch_switch)
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -1276,8 +1276,12 @@ static void __sta_info_destroy_part2(str
+ 	 * frames sitting on hardware queues might be sent out without
+ 	 * any encryption at all.
+ 	 */
+-	if (local->ops->set_key)
+-		ieee80211_flush_queues(local, sta->sdata, false);
++	if (local->ops->set_key) {
++		if (local->ops->flush_sta)
++			drv_flush_sta(local, sta->sdata, sta);
++		else
++			ieee80211_flush_queues(local, sta->sdata, false);
++	}
+ 
+ 	/* now keys can no longer be reached */
+ 	ieee80211_free_sta_keys(local, sta);
+--- a/net/mac80211/trace.h
++++ b/net/mac80211/trace.h
+@@ -1177,6 +1177,13 @@ TRACE_EVENT(drv_flush,
+ 	)
+ );
+ 
++DEFINE_EVENT(sta_event, drv_flush_sta,
++	TP_PROTO(struct ieee80211_local *local,
++		 struct ieee80211_sub_if_data *sdata,
++		 struct ieee80211_sta *sta),
++	TP_ARGS(local, sdata, sta)
++);
++
+ TRACE_EVENT(drv_channel_switch,
+ 	TP_PROTO(struct ieee80211_local *local,
+ 		 struct ieee80211_sub_if_data *sdata,
diff --git a/package/kernel/mac80211/patches/subsys/334-wifi-iwlwifi-mvm-support-new-flush_sta-method.patch b/package/kernel/mac80211/patches/subsys/334-wifi-iwlwifi-mvm-support-new-flush_sta-method.patch
new file mode 100644
index 0000000000..18f39d505f
--- /dev/null
+++ b/package/kernel/mac80211/patches/subsys/334-wifi-iwlwifi-mvm-support-new-flush_sta-method.patch
@@ -0,0 +1,53 @@
+From: Johannes Berg <johannes.berg at intel.com>
+Date: Mon, 13 Mar 2023 12:05:35 +0100
+Subject: [PATCH] wifi: iwlwifi: mvm: support new flush_sta method
+
+For iwlwifi this is simple to implement, and on newer hardware
+it's an improvement since we have per-station queues.
+
+Signed-off-by: Johannes Berg <johannes.berg at intel.com>
+Reviewed-by: Greenman, Gregory <gregory.greenman at intel.com>
+---
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+@@ -4890,6 +4890,31 @@ static void iwl_mvm_mac_flush(struct iee
+ 		iwl_trans_wait_tx_queues_empty(mvm->trans, msk);
+ }
+ 
++static void iwl_mvm_mac_flush_sta(struct ieee80211_hw *hw,
++				  struct ieee80211_vif *vif,
++				  struct ieee80211_sta *sta)
++{
++	struct iwl_mvm *mvm = IWL_MAC80211_GET_MVM(hw);
++	int i;
++
++	mutex_lock(&mvm->mutex);
++	for (i = 0; i < mvm->fw->ucode_capa.num_stations; i++) {
++		struct iwl_mvm_sta *mvmsta;
++		struct ieee80211_sta *tmp;
++
++		tmp = rcu_dereference_protected(mvm->fw_id_to_mac_id[i],
++						lockdep_is_held(&mvm->mutex));
++		if (tmp != sta)
++			continue;
++
++		mvmsta = iwl_mvm_sta_from_mac80211(sta);
++
++		if (iwl_mvm_flush_sta(mvm, mvmsta, false))
++			IWL_ERR(mvm, "flush request fail\n");
++	}
++	mutex_unlock(&mvm->mutex);
++}
++
+ static int iwl_mvm_mac_get_survey(struct ieee80211_hw *hw, int idx,
+ 				  struct survey_info *survey)
+ {
+@@ -5417,6 +5442,7 @@ const struct ieee80211_ops iwl_mvm_hw_op
+ 	.mgd_complete_tx = iwl_mvm_mac_mgd_complete_tx,
+ 	.mgd_protect_tdls_discover = iwl_mvm_mac_mgd_protect_tdls_discover,
+ 	.flush = iwl_mvm_mac_flush,
++	.flush_sta = iwl_mvm_mac_flush_sta,
+ 	.sched_scan_start = iwl_mvm_mac_sched_scan_start,
+ 	.sched_scan_stop = iwl_mvm_mac_sched_scan_stop,
+ 	.set_key = iwl_mvm_mac_set_key,
diff --git a/package/kernel/mt76/patches/100-api_update.patch b/package/kernel/mt76/patches/100-api_update.patch
new file mode 100644
index 0000000000..3a76f11752
--- /dev/null
+++ b/package/kernel/mt76/patches/100-api_update.patch
@@ -0,0 +1,11 @@
+--- a/tx.c
++++ b/tx.c
+@@ -330,7 +330,7 @@ mt76_tx(struct mt76_phy *phy, struct iee
+ 	if ((dev->drv->drv_flags & MT_DRV_HW_MGMT_TXQ) &&
+ 	    !(info->flags & IEEE80211_TX_CTL_HW_80211_ENCAP) &&
+ 	    !ieee80211_is_data(hdr->frame_control) &&
+-	    !ieee80211_is_bufferable_mmpdu(hdr->frame_control)) {
++	    !ieee80211_is_bufferable_mmpdu(skb)) {
+ 		qid = MT_TXQ_PSD;
+ 	}
+ 
diff --git a/package/kernel/mt76/patches/110-wifi-mt76-ignore-key-disable-commands.patch b/package/kernel/mt76/patches/110-wifi-mt76-ignore-key-disable-commands.patch
new file mode 100644
index 0000000000..78b70d7902
--- /dev/null
+++ b/package/kernel/mt76/patches/110-wifi-mt76-ignore-key-disable-commands.patch
@@ -0,0 +1,326 @@
+From: Felix Fietkau <nbd at nbd.name>
+Date: Wed, 22 Mar 2023 10:17:49 +0100
+Subject: [PATCH] wifi: mt76: ignore key disable commands
+
+This helps avoid cleartext leakage of already queued or powersave buffered
+packets, when a reassoc triggers the key deletion.
+
+Cc: stable at vger.kernel.org
+Signed-off-by: Felix Fietkau <nbd at nbd.name>
+---
+
+--- a/mt7603/main.c
++++ b/mt7603/main.c
+@@ -512,15 +512,15 @@ mt7603_set_key(struct ieee80211_hw *hw,
+ 	    !(key->flags & IEEE80211_KEY_FLAG_PAIRWISE))
+ 		return -EOPNOTSUPP;
+ 
+-	if (cmd == SET_KEY) {
+-		key->hw_key_idx = wcid->idx;
+-		wcid->hw_key_idx = idx;
+-	} else {
++	if (cmd != SET_KEY) {
+ 		if (idx == wcid->hw_key_idx)
+ 			wcid->hw_key_idx = -1;
+ 
+-		key = NULL;
++		return 0;
+ 	}
++
++	key->hw_key_idx = wcid->idx;
++	wcid->hw_key_idx = idx;
+ 	mt76_wcid_key_setup(&dev->mt76, wcid, key);
+ 
+ 	return mt7603_wtbl_set_key(dev, wcid->idx, key);
+--- a/mt7615/mac.c
++++ b/mt7615/mac.c
+@@ -1193,8 +1193,7 @@ EXPORT_SYMBOL_GPL(mt7615_mac_enable_rtsc
+ static int
+ mt7615_mac_wtbl_update_key(struct mt7615_dev *dev, struct mt76_wcid *wcid,
+ 			   struct ieee80211_key_conf *key,
+-			   enum mt76_cipher_type cipher, u16 cipher_mask,
+-			   enum set_key_cmd cmd)
++			   enum mt76_cipher_type cipher, u16 cipher_mask)
+ {
+ 	u32 addr = mt7615_mac_wtbl_addr(dev, wcid->idx) + 30 * 4;
+ 	u8 data[32] = {};
+@@ -1203,27 +1202,18 @@ mt7615_mac_wtbl_update_key(struct mt7615
+ 		return -EINVAL;
+ 
+ 	mt76_rr_copy(dev, addr, data, sizeof(data));
+-	if (cmd == SET_KEY) {
+-		if (cipher == MT_CIPHER_TKIP) {
+-			/* Rx/Tx MIC keys are swapped */
+-			memcpy(data, key->key, 16);
+-			memcpy(data + 16, key->key + 24, 8);
+-			memcpy(data + 24, key->key + 16, 8);
+-		} else {
+-			if (cipher_mask == BIT(cipher))
+-				memcpy(data, key->key, key->keylen);
+-			else if (cipher != MT_CIPHER_BIP_CMAC_128)
+-				memcpy(data, key->key, 16);
+-			if (cipher == MT_CIPHER_BIP_CMAC_128)
+-				memcpy(data + 16, key->key, 16);
+-		}
++	if (cipher == MT_CIPHER_TKIP) {
++		/* Rx/Tx MIC keys are swapped */
++		memcpy(data, key->key, 16);
++		memcpy(data + 16, key->key + 24, 8);
++		memcpy(data + 24, key->key + 16, 8);
+ 	} else {
++		if (cipher_mask == BIT(cipher))
++			memcpy(data, key->key, key->keylen);
++		else if (cipher != MT_CIPHER_BIP_CMAC_128)
++			memcpy(data, key->key, 16);
+ 		if (cipher == MT_CIPHER_BIP_CMAC_128)
+-			memset(data + 16, 0, 16);
+-		else if (cipher_mask)
+-			memset(data, 0, 16);
+-		if (!cipher_mask)
+-			memset(data, 0, sizeof(data));
++			memcpy(data + 16, key->key, 16);
+ 	}
+ 
+ 	mt76_wr_copy(dev, addr, data, sizeof(data));
+@@ -1234,7 +1224,7 @@ mt7615_mac_wtbl_update_key(struct mt7615
+ static int
+ mt7615_mac_wtbl_update_pk(struct mt7615_dev *dev, struct mt76_wcid *wcid,
+ 			  enum mt76_cipher_type cipher, u16 cipher_mask,
+-			  int keyidx, enum set_key_cmd cmd)
++			  int keyidx)
+ {
+ 	u32 addr = mt7615_mac_wtbl_addr(dev, wcid->idx), w0, w1;
+ 
+@@ -1253,9 +1243,7 @@ mt7615_mac_wtbl_update_pk(struct mt7615_
+ 	else
+ 		w0 &= ~MT_WTBL_W0_RX_IK_VALID;
+ 
+-	if (cmd == SET_KEY &&
+-	    (cipher != MT_CIPHER_BIP_CMAC_128 ||
+-	     cipher_mask == BIT(cipher))) {
++	if (cipher != MT_CIPHER_BIP_CMAC_128 || cipher_mask == BIT(cipher)) {
+ 		w0 &= ~MT_WTBL_W0_KEY_IDX;
+ 		w0 |= FIELD_PREP(MT_WTBL_W0_KEY_IDX, keyidx);
+ 	}
+@@ -1272,19 +1260,10 @@ mt7615_mac_wtbl_update_pk(struct mt7615_
+ 
+ static void
+ mt7615_mac_wtbl_update_cipher(struct mt7615_dev *dev, struct mt76_wcid *wcid,
+-			      enum mt76_cipher_type cipher, u16 cipher_mask,
+-			      enum set_key_cmd cmd)
++			      enum mt76_cipher_type cipher, u16 cipher_mask)
+ {
+ 	u32 addr = mt7615_mac_wtbl_addr(dev, wcid->idx);
+ 
+-	if (!cipher_mask) {
+-		mt76_clear(dev, addr + 2 * 4, MT_WTBL_W2_KEY_TYPE);
+-		return;
+-	}
+-
+-	if (cmd != SET_KEY)
+-		return;
+-
+ 	if (cipher == MT_CIPHER_BIP_CMAC_128 &&
+ 	    cipher_mask & ~BIT(MT_CIPHER_BIP_CMAC_128))
+ 		return;
+@@ -1295,8 +1274,7 @@ mt7615_mac_wtbl_update_cipher(struct mt7
+ 
+ int __mt7615_mac_wtbl_set_key(struct mt7615_dev *dev,
+ 			      struct mt76_wcid *wcid,
+-			      struct ieee80211_key_conf *key,
+-			      enum set_key_cmd cmd)
++			      struct ieee80211_key_conf *key)
+ {
+ 	enum mt76_cipher_type cipher;
+ 	u16 cipher_mask = wcid->cipher;
+@@ -1306,19 +1284,14 @@ int __mt7615_mac_wtbl_set_key(struct mt7
+ 	if (cipher == MT_CIPHER_NONE)
+ 		return -EOPNOTSUPP;
+ 
+-	if (cmd == SET_KEY)
+-		cipher_mask |= BIT(cipher);
+-	else
+-		cipher_mask &= ~BIT(cipher);
+-
+-	mt7615_mac_wtbl_update_cipher(dev, wcid, cipher, cipher_mask, cmd);
+-	err = mt7615_mac_wtbl_update_key(dev, wcid, key, cipher, cipher_mask,
+-					 cmd);
++	cipher_mask |= BIT(cipher);
++	mt7615_mac_wtbl_update_cipher(dev, wcid, cipher, cipher_mask);
++	err = mt7615_mac_wtbl_update_key(dev, wcid, key, cipher, cipher_mask);
+ 	if (err < 0)
+ 		return err;
+ 
+ 	err = mt7615_mac_wtbl_update_pk(dev, wcid, cipher, cipher_mask,
+-					key->keyidx, cmd);
++					key->keyidx);
+ 	if (err < 0)
+ 		return err;
+ 
+@@ -1329,13 +1302,12 @@ int __mt7615_mac_wtbl_set_key(struct mt7
+ 
+ int mt7615_mac_wtbl_set_key(struct mt7615_dev *dev,
+ 			    struct mt76_wcid *wcid,
+-			    struct ieee80211_key_conf *key,
+-			    enum set_key_cmd cmd)
++			    struct ieee80211_key_conf *key)
+ {
+ 	int err;
+ 
+ 	spin_lock_bh(&dev->mt76.lock);
+-	err = __mt7615_mac_wtbl_set_key(dev, wcid, key, cmd);
++	err = __mt7615_mac_wtbl_set_key(dev, wcid, key);
+ 	spin_unlock_bh(&dev->mt76.lock);
+ 
+ 	return err;
+--- a/mt7615/main.c
++++ b/mt7615/main.c
+@@ -391,18 +391,17 @@ static int mt7615_set_key(struct ieee802
+ 
+ 	if (cmd == SET_KEY)
+ 		*wcid_keyidx = idx;
+-	else if (idx == *wcid_keyidx)
+-		*wcid_keyidx = -1;
+-	else
++	else {
++		if (idx == *wcid_keyidx)
++			*wcid_keyidx = -1;
+ 		goto out;
++	}
+ 
+-	mt76_wcid_key_setup(&dev->mt76, wcid,
+-			    cmd == SET_KEY ? key : NULL);
+-
++	mt76_wcid_key_setup(&dev->mt76, wcid, key);
+ 	if (mt76_is_mmio(&dev->mt76))
+-		err = mt7615_mac_wtbl_set_key(dev, wcid, key, cmd);
++		err = mt7615_mac_wtbl_set_key(dev, wcid, key);
+ 	else
+-		err = __mt7615_mac_wtbl_set_key(dev, wcid, key, cmd);
++		err = __mt7615_mac_wtbl_set_key(dev, wcid, key);
+ 
+ out:
+ 	mt7615_mutex_release(dev);
+--- a/mt7615/mt7615.h
++++ b/mt7615/mt7615.h
+@@ -491,11 +491,9 @@ int mt7615_mac_write_txwi(struct mt7615_
+ void mt7615_mac_set_timing(struct mt7615_phy *phy);
+ int __mt7615_mac_wtbl_set_key(struct mt7615_dev *dev,
+ 			      struct mt76_wcid *wcid,
+-			      struct ieee80211_key_conf *key,
+-			      enum set_key_cmd cmd);
++			      struct ieee80211_key_conf *key);
+ int mt7615_mac_wtbl_set_key(struct mt7615_dev *dev, struct mt76_wcid *wcid,
+-			    struct ieee80211_key_conf *key,
+-			    enum set_key_cmd cmd);
++			    struct ieee80211_key_conf *key);
+ void mt7615_mac_reset_work(struct work_struct *work);
+ u32 mt7615_mac_get_sta_tid_sn(struct mt7615_dev *dev, int wcid, u8 tid);
+ 
+--- a/mt76x02_util.c
++++ b/mt76x02_util.c
+@@ -454,20 +454,20 @@ int mt76x02_set_key(struct ieee80211_hw
+ 	msta = sta ? (struct mt76x02_sta *)sta->drv_priv : NULL;
+ 	wcid = msta ? &msta->wcid : &mvif->group_wcid;
+ 
+-	if (cmd == SET_KEY) {
+-		key->hw_key_idx = wcid->idx;
+-		wcid->hw_key_idx = idx;
+-		if (key->flags & IEEE80211_KEY_FLAG_RX_MGMT) {
+-			key->flags |= IEEE80211_KEY_FLAG_SW_MGMT_TX;
+-			wcid->sw_iv = true;
+-		}
+-	} else {
++	if (cmd != SET_KEY) {
+ 		if (idx == wcid->hw_key_idx) {
+ 			wcid->hw_key_idx = -1;
+ 			wcid->sw_iv = false;
+ 		}
+ 
+-		key = NULL;
++		return 0;
++	}
++
++	key->hw_key_idx = wcid->idx;
++	wcid->hw_key_idx = idx;
++	if (key->flags & IEEE80211_KEY_FLAG_RX_MGMT) {
++		key->flags |= IEEE80211_KEY_FLAG_SW_MGMT_TX;
++		wcid->sw_iv = true;
+ 	}
+ 	mt76_wcid_key_setup(&dev->mt76, wcid, key);
+ 
+--- a/mt7915/main.c
++++ b/mt7915/main.c
+@@ -410,16 +410,15 @@ static int mt7915_set_key(struct ieee802
+ 		mt7915_mcu_add_bss_info(phy, vif, true);
+ 	}
+ 
+-	if (cmd == SET_KEY)
++	if (cmd == SET_KEY) {
+ 		*wcid_keyidx = idx;
+-	else if (idx == *wcid_keyidx)
+-		*wcid_keyidx = -1;
+-	else
++	} else {
++		if (idx == *wcid_keyidx)
++			*wcid_keyidx = -1;
+ 		goto out;
++	}
+ 
+-	mt76_wcid_key_setup(&dev->mt76, wcid,
+-			    cmd == SET_KEY ? key : NULL);
+-
++	mt76_wcid_key_setup(&dev->mt76, wcid, key);
+ 	err = mt76_connac_mcu_add_key(&dev->mt76, vif, &msta->bip,
+ 				      key, MCU_EXT_CMD(STA_REC_UPDATE),
+ 				      &msta->wcid, cmd);
+--- a/mt7921/main.c
++++ b/mt7921/main.c
+@@ -569,16 +569,15 @@ static int mt7921_set_key(struct ieee802
+ 
+ 	mt7921_mutex_acquire(dev);
+ 
+-	if (cmd == SET_KEY)
++	if (cmd == SET_KEY) {
+ 		*wcid_keyidx = idx;
+-	else if (idx == *wcid_keyidx)
+-		*wcid_keyidx = -1;
+-	else
++	} else {
++		if (idx == *wcid_keyidx)
++			*wcid_keyidx = -1;
+ 		goto out;
++	}
+ 
+-	mt76_wcid_key_setup(&dev->mt76, wcid,
+-			    cmd == SET_KEY ? key : NULL);
+-
++	mt76_wcid_key_setup(&dev->mt76, wcid, key);
+ 	err = mt76_connac_mcu_add_key(&dev->mt76, vif, &msta->bip,
+ 				      key, MCU_UNI_CMD(STA_REC_UPDATE),
+ 				      &msta->wcid, cmd);
+--- a/mt7996/main.c
++++ b/mt7996/main.c
+@@ -351,16 +351,15 @@ static int mt7996_set_key(struct ieee802
+ 		mt7996_mcu_add_bss_info(phy, vif, true);
+ 	}
+ 
+-	if (cmd == SET_KEY)
++	if (cmd == SET_KEY) {
+ 		*wcid_keyidx = idx;
+-	else if (idx == *wcid_keyidx)
+-		*wcid_keyidx = -1;
+-	else
++	} else {
++		if (idx == *wcid_keyidx)
++			*wcid_keyidx = -1;
+ 		goto out;
++	}
+ 
+-	mt76_wcid_key_setup(&dev->mt76, wcid,
+-			    cmd == SET_KEY ? key : NULL);
+-
++	mt76_wcid_key_setup(&dev->mt76, wcid, key);
+ 	err = mt7996_mcu_add_key(&dev->mt76, vif, &msta->bip,
+ 				 key, MCU_WMWA_UNI_CMD(STA_REC_UPDATE),
+ 				 &msta->wcid, cmd);




More information about the lede-commits mailing list