--- zzzz-none-000/linux-5.4.213/drivers/net/wireless/ath/wil6210/txrx.c	2022-09-15 10:04:56.000000000 +0000
+++ miami-7690-761/linux-5.4.213/drivers/net/wireless/ath/wil6210/txrx.c	2024-05-29 11:19:56.000000000 +0000
@@ -1,6 +1,6 @@
 /*
  * Copyright (c) 2012-2017 Qualcomm Atheros, Inc.
- * Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2018-2021, The Linux Foundation. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -935,7 +935,9 @@
 			dev_kfree_skb(skb);
 			goto stats;
 		}
-	} else if (wdev->iftype == NL80211_IFTYPE_AP && !vif->ap_isolate) {
+	} else if (wdev->iftype == NL80211_IFTYPE_AP && !vif->ap_isolate &&
+		   /* pass EAPOL packets to local net stack only */
+		   (wil_skb_get_protocol(skb) != htons(ETH_P_PAE))) {
 		if (mcast) {
 			/* send multicast frames both to higher layers in
 			 * local net stack and back to the wireless medium
@@ -1003,6 +1005,7 @@
 {
 	int cid, security;
 	struct wil6210_priv *wil = ndev_to_wil(ndev);
+	struct wil6210_vif *vif = ndev_to_vif(ndev);
 	struct wil_net_stats *stats;
 
 	wil->txrx_ops.get_netif_rx_params(skb, &cid, &security);
@@ -1011,6 +1014,18 @@
 
 	skb_orphan(skb);
 
+	/* pass only EAPOL packets as plaintext */
+	if (vif->privacy && !security &&
+	    wil_skb_get_protocol(skb) != htons(ETH_P_PAE)) {
+		wil_dbg_txrx(wil,
+			     "Rx drop plaintext frame with %d bytes in secure network\n",
+			     skb->len);
+		dev_kfree_skb(skb);
+		ndev->stats.rx_dropped++;
+		stats->rx_dropped++;
+		return;
+	}
+
 	if (security && (wil->txrx_ops.rx_crypto_check(wil, skb) != 0)) {
 		wil_dbg_txrx(wil, "Rx drop %d bytes\n", skb->len);
 		dev_kfree_skb(skb);