qcacmn: Enhance allowed security modes for EHT via OEM cfg

Certain APs available to end users may allow EHT/MLO config
in non-WPA3 security modes (like WPA2). Current implementation
will not allow connection to such APs in EHT/MLO and instead
downgrades to 11ax mode.

OEMs may want to control this driver behavior via INI based
on the requirement. To allow connecting to such APs in EHT/MLO
a new INI is introduced as a bitmap. The default value of this
INI will not allow connection to any of those APs in EHT/MLO.

Change-Id: I3e657f3f4ba1f5efc9263cb90bcd1773233975ac
CRs-Fixed: 3693813

umac/cmn_services/crypto/inc/wlan_crypto_global_def.h

@@ -1,6 +1,6 @@
 /*
  * Copyright (c) 2017-2021 The Linux Foundation. All rights reserved.
- * Copyright (c) 2022-2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2022-2024 Qualcomm Innovation Center, Inc. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -311,6 +311,62 @@ enum fils_erp_cryptosuite {
 	HMAC_SHA256_256,
 };
 
+/*
+ * enum wlan_crypto_oem_eht_mlo_config - ENUM for different OEM configurable
+ * crypto params to allow EHT/MLO in WPA2/WPA3 security.
+ *
+ * @WLAN_HOST_CRYPTO_WPA2_ALLOW_NON_MLO_EHT: Allows connecting to WPA2 with PMF
+ * capability set to false in EHT only mode. If the AP is MLO, the connection
+ * will still be in EHT without MLO.
+ *
+ * @WLAN_HOST_CRYPTO_WPA2_ALLOW_MLO: Allows connecting to WPA2 with PMF
+ * capability set to false in MLO mode.
+ *    -If set along with WLAN_HOST_CRYPTO_WPA2_ALLOW_NON_MLO_EHT,
+ *     this mode supersedes.
+ *
+ * @WLAN_HOST_CRYPTO_WPA2_ALLOW_NON_MLO_EHT_MFPC_SET: Allows connecting to WPA2
+ * with PMF capability set to true in EHT only mode. If the AP is MLO,
+ * the connection will still be in EHT without MLO.
+ *
+ * @WLAN_HOST_CRYPTO_WPA2_ALLOW_MLO_MFPC_SET: Allows connecting to WPA2 with PMF
+ * capability set to true in MLO mode.
+ *    -If set along with WLAN_HOST_CRYPTO_WPA2_ALLOW_NON_MLO_EHT_MFPC_SET,
+ *     this mode supersedes.
+ *
+ * @WLAN_HOST_CRYPTO_WPA3_SAE_ALLOW_NON_MLO_EHT_HnP: Connect to non-MLO/MLO
+ * WPA3-SAE without support for H2E (or no RSNXE IE in beacon) in non-MLO EHT.
+ * This bit results in connecting to both H2E and HnP APs in EHT only mode.
+ *
+ * @WLAN_HOST_CRYPTO_WPA3_SAE_ALLOW_MLO_HnP: Connect to MLO WPA3-SAE without
+ * support for H2E (or no RSNXE IE in beacon) in MLO.
+ * This bit result in connecting to both H2E and HnP APs in MLO mode.
+ *    -If set along with WLAN_HOST_CRYPTO_WPA3_SAE_ALLOW_NON_MLO_EHT_HnP,
+ *     this mode supersedes.
+ */
+enum wlan_crypto_oem_eht_mlo_config {
+	WLAN_HOST_CRYPTO_WPA2_ALLOW_NON_MLO_EHT           = BIT(0),
+	WLAN_HOST_CRYPTO_WPA2_ALLOW_MLO                   = BIT(1),
+	WLAN_HOST_CRYPTO_WPA2_ALLOW_NON_MLO_EHT_MFPC_SET  = BIT(2),
+	WLAN_HOST_CRYPTO_WPA2_ALLOW_MLO_MFPC_SET          = BIT(3),
+	/* Bits 4-15 are reserved for future WPA2 security configs */
+
+	WLAN_HOST_CRYPTO_WPA3_SAE_ALLOW_NON_MLO_EHT_HnP   = BIT(16),
+	WLAN_HOST_CRYPTO_WPA3_SAE_ALLOW_MLO_HnP           = BIT(17),
+	/* Bits 18-31 are reserved for future WPA3 security configs */
+};
+
+#define WLAN_CRYPTO_WPA2_OEM_EHT_CFG_NO_PMF_ALLOWED(_cfg) \
+	((_cfg) & WLAN_HOST_CRYPTO_WPA2_ALLOW_NON_MLO_EHT || \
+	 (_cfg) & WLAN_HOST_CRYPTO_WPA2_ALLOW_MLO)
+
+#define WLAN_CRYPTO_WPA2_OEM_EHT_CFG_PMF_ALLOWED(_cfg) \
+	 ((_cfg) & WLAN_HOST_CRYPTO_WPA2_ALLOW_NON_MLO_EHT_MFPC_SET || \
+	  (_cfg) & WLAN_HOST_CRYPTO_WPA2_ALLOW_MLO_MFPC_SET)
+
+#define WLAN_CRYPTO_WPA3_SAE_OEM_EHT_CFG_IS_STRICT_H2E(_cfg) \
+	(((_cfg) & WLAN_HOST_CRYPTO_WPA3_SAE_ALLOW_NON_MLO_EHT_HnP || \
+	  (_cfg) & WLAN_HOST_CRYPTO_WPA3_SAE_ALLOW_MLO_HnP) == 0)
+
 /**
  * struct mobility_domain_params - structure containing
  *				   mobility domain info
@@ -671,6 +727,13 @@ struct wlan_lmac_if_crypto_rx_ops {
 	 QDF_HAS_PARAM(akm, WLAN_CRYPTO_KEY_MGMT_FT_PSK_SHA384) || \
 	 QDF_HAS_PARAM(akm, WLAN_CRYPTO_KEY_MGMT_PSK_SHA384))
 
+#define WLAN_CRYPTO_IS_WPA2(akm) \
+	(QDF_HAS_PARAM(akm, WLAN_CRYPTO_KEY_MGMT_PSK) || \
+	 QDF_HAS_PARAM(akm, WLAN_CRYPTO_KEY_MGMT_FT_PSK) || \
+	 QDF_HAS_PARAM(akm, WLAN_CRYPTO_KEY_MGMT_PSK_SHA256) || \
+	 QDF_HAS_PARAM(akm, WLAN_CRYPTO_KEY_MGMT_FT_PSK_SHA384) || \
+	 QDF_HAS_PARAM(akm, WLAN_CRYPTO_KEY_MGMT_PSK_SHA384))
+
 #define WLAN_CRYPTO_IS_WPA3(akm) \
 	(QDF_HAS_PARAM(akm, WLAN_CRYPTO_KEY_MGMT_SAE) || \
 	 QDF_HAS_PARAM(akm, WLAN_CRYPTO_KEY_MGMT_FT_SAE) || \

umac/mlme/connection_mgr/core/src/wlan_cm_bss_scoring.c

@@ -1447,24 +1447,24 @@ cm_get_band_score(uint32_t freq, struct scoring_cfg *score_config)
 #ifdef WLAN_FEATURE_11BE
 #ifdef WLAN_FEATURE_11BE_MLO_ADV_FEATURE
 #if defined (SAP_MULTI_LINK_EMULATION)
-bool wlan_cm_is_eht_allowed_for_current_security(
-			struct wlan_objmgr_psoc *psoc,
-			struct scan_cache_entry *scan_entry)
+bool wlan_cm_is_eht_allowed_for_current_security(struct wlan_objmgr_psoc *psoc,
+						 struct scan_cache_entry *entry,
+						 bool is_mlo_connect)
 {
 	return true;
 }
 #else
-bool wlan_cm_is_eht_allowed_for_current_security(
-			struct wlan_objmgr_psoc *psoc,
-			struct scan_cache_entry *scan_entry)
+bool wlan_cm_is_eht_allowed_for_current_security(struct wlan_objmgr_psoc *psoc,
+						 struct scan_cache_entry *entry,
+						 bool is_mlo_connect)
 {
-	const uint8_t *rsnxe, *rsnxe_caps;
-	uint8_t cap_len;
 	bool rf_test_mode = false;
 	QDF_STATUS status;
+	struct security_info *neg_sec_info;
+	uint32_t oem_eht_cfg = 0x0;
+	bool mlie_present;
 
-	status = wlan_mlme_is_rf_test_mode_enabled(psoc,
-						   &rf_test_mode);
+	status = wlan_mlme_is_rf_test_mode_enabled(psoc, &rf_test_mode);
 	if (!QDF_IS_STATUS_SUCCESS(status)) {
 		mlme_err("Get rf test mode failed");
 		return false;
@@ -1474,56 +1474,120 @@ bool wlan_cm_is_eht_allowed_for_current_security(
 		return true;
 	}
 
-	if (!scan_entry->ie_list.rsn) {
+	if (!entry->ie_list.rsn) {
 		mlme_debug(QDF_MAC_ADDR_FMT ": RSN IE not present",
-			   QDF_MAC_ADDR_REF(scan_entry->bssid.bytes));
+			   QDF_MAC_ADDR_REF(entry->bssid.bytes));
 		return false;
 	}
 
-	if (!(scan_entry->neg_sec_info.rsn_caps &
-	      WLAN_CRYPTO_RSN_CAP_MFP_ENABLED)) {
-		mlme_debug(QDF_MAC_ADDR_FMT " MFPC bit of RSN IE not present",
-			   QDF_MAC_ADDR_REF(scan_entry->bssid.bytes));
+	/* Get the OEM EHT configuration. */
+	status = wlan_mlme_get_oem_eht_mlo_config(psoc, &oem_eht_cfg);
+	if (QDF_IS_STATUS_ERROR(status)) {
+		mlme_rl_nofl_err("OEM EHT cfg get failed");
 		return false;
 	}
 
-	if (WLAN_CRYPTO_IS_AKM_ENTERPRISE(scan_entry->neg_sec_info.key_mgmt))
-		return true;
+	/* Check if the AP is ML capable or not */
+	mlie_present = entry->ie_list.multi_link_bv ? true : false;
 
-	/* Return from here if atleast one AKM in list is not WPA3 AKM */
-	if (!WLAN_CRYPTO_IS_WPA3(scan_entry->neg_sec_info.key_mgmt)) {
-		mlme_debug(QDF_MAC_ADDR_FMT ": AKM 0x%x not valid",
-			   QDF_MAC_ADDR_REF(scan_entry->bssid.bytes),
-			   scan_entry->neg_sec_info.key_mgmt);
-		return false;
-	}
+	neg_sec_info = &entry->neg_sec_info;
+	if (neg_sec_info->rsn_caps & WLAN_CRYPTO_RSN_CAP_MFP_ENABLED) {
+		/* For entreprise APs, only check if PMF is enabled or not */
+		if (WLAN_CRYPTO_IS_AKM_ENTERPRISE(neg_sec_info->key_mgmt))
+			return true;
 
-	/*
-	 * check AKM chosen for connection is SAE or not
-	 * if not connect with EHT enabled for all other AKMs
-	 */
-	if (!WLAN_CRYPTO_IS_AKM_SAE(scan_entry->neg_sec_info.key_mgmt))
-		return true;
+		/* For APs which are both WPA3 and WPA2, only check WPA3 as it
+		 * is the more secure AKM.
+		 */
+		if (WLAN_CRYPTO_IS_WPA3(neg_sec_info->key_mgmt)) {
+			if (!WLAN_CRYPTO_IS_AKM_SAE(neg_sec_info->key_mgmt))
+				return true;
+
+			/* If OEM enables APs with HnP to connect, don't check
+			 * whether RSNXE has H2E bit set or not. It will be
+			 * allowing both HnP and H2E APs.
+			 *
+			 * If the AP is ML capable, return:
+			 *    -True, if H2E is not required and not for ML assoc
+			 *    -True, if INI bit value for MLO assoc is set.
+			 *
+			 * If AP is not ML capable, return:
+			 *    -True, if INI bit value for allowing EHT only
+			 *     connection is set.
+			 */
+			if (mlie_present) {
+				if (!is_mlo_connect &&
+				    !WLAN_CRYPTO_WPA3_SAE_OEM_EHT_CFG_IS_STRICT_H2E(oem_eht_cfg)) {
+					return true;
+				} else if (is_mlo_connect &&
+					   (oem_eht_cfg & WLAN_HOST_CRYPTO_WPA3_SAE_ALLOW_MLO_HnP)) {
+					return true;
+				}
+			} else if (!is_mlo_connect &&
+				   (oem_eht_cfg & WLAN_HOST_CRYPTO_WPA3_SAE_ALLOW_NON_MLO_EHT_HnP)) {
+				return true;
+			}
 
-	rsnxe = util_scan_entry_rsnxe(scan_entry);
-	if (!rsnxe) {
-		mlme_debug(QDF_MAC_ADDR_FMT ":RSNXE not present, AKM 0x%x",
-			   QDF_MAC_ADDR_REF(scan_entry->bssid.bytes),
-					    scan_entry->neg_sec_info.key_mgmt);
-		return false;
-	}
-	rsnxe_caps = wlan_crypto_parse_rsnxe_ie(rsnxe, &cap_len);
-	if (!rsnxe_caps) {
-		mlme_debug("RSNXE caps not present");
+			/* If OEM wants strict H2E mandatory for EHT/MLO, then
+			 * allow only if candidate has H2E capability
+			 */
+			return util_scan_entry_sae_h2e_capable(entry);
+		} else if (WLAN_CRYPTO_IS_WPA2(neg_sec_info->key_mgmt) &&
+			   WLAN_CRYPTO_WPA2_OEM_EHT_CFG_PMF_ALLOWED(oem_eht_cfg)) {
+			/* Only checks whether PMF APs are allowed or not via
+			 * the INI cfg.
+			 * Even if no-PMF APs are allowed to connect, PMF APs
+			 * will not be allowed to connect if the bitmap is not
+			 * set for PMF APs.
+			 *
+			 * If the AP is ML capable, return:
+			 *     -True, if not for MLO connection
+			 *     -INI BIT value for allowing MLO assoc with PMF
+			 *      enabled APs.
+			 *
+			 * If the AP is not ML capable, return:
+			 *     -INI BIT value for allowing EHT only connection
+			 *      for PMF enabled APS.
+			 *
+			 */
+			if (mlie_present) {
+				if (!is_mlo_connect)
+					return true;
+				return (oem_eht_cfg & WLAN_HOST_CRYPTO_WPA2_ALLOW_MLO_MFPC_SET);
+			} else {
+				return (oem_eht_cfg & WLAN_HOST_CRYPTO_WPA2_ALLOW_NON_MLO_EHT_MFPC_SET);
+			}
+		} else {
+			return false;
+		}
+	} else if (!WLAN_CRYPTO_IS_WPA3(neg_sec_info->key_mgmt) &&
+		   WLAN_CRYPTO_IS_WPA2(neg_sec_info->key_mgmt) &&
+		   WLAN_CRYPTO_WPA2_OEM_EHT_CFG_NO_PMF_ALLOWED(oem_eht_cfg)) {
+		/*
+		 * Only checks whether no PMF APs are allowed or not via the INI
+		 * cfg.
+		 * All WPA3 configurations has to be PMF, so only allow
+		 * non-WPA3 WPA2 APs in this condition.
+		 *
+		 * If the AP is ML capable, return:
+		 *     -True, if not for MLO connection
+		 *     -INI BIT value for allowing MLO assoc with Non-PMF
+		 *      capable APs.
+		 *
+		 * If the AP is not ML capable, return:
+		 *     -INI BIT value for allowing EHT only connection
+		 *      for Non-PMF capable APs.
+		 */
+		if (mlie_present) {
+			if (!is_mlo_connect)
+				return true;
+			return (oem_eht_cfg & WLAN_HOST_CRYPTO_WPA2_ALLOW_MLO);
+		} else {
+			return (oem_eht_cfg & WLAN_HOST_CRYPTO_WPA2_ALLOW_NON_MLO_EHT);
+		}
+	} else {
 		return false;
 	}
-	/* check if H2E bit is enabled in RSNXE */
-	if (*rsnxe_caps & WLAN_CRYPTO_RSNX_CAP_SAE_H2E)
-		return true;
-
-	mlme_debug(QDF_MAC_ADDR_FMT ": RSNXE caps (0x%x) dont have H2E support",
-		   QDF_MAC_ADDR_REF(scan_entry->bssid.bytes), *rsnxe_caps);
-	return false;
 }
 #endif
 #endif
@@ -1540,7 +1604,7 @@ static int cm_calculate_eht_score(struct wlan_objmgr_psoc *psoc,
 	if (!phy_config->eht_cap || !entry->ie_list.ehtcap)
 		return 0;
 
-	if (!wlan_cm_is_eht_allowed_for_current_security(psoc, entry))
+	if (!wlan_cm_is_eht_allowed_for_current_security(psoc, entry, false))
 		return 0;
 
 	weight_config = &score_config->weight_config;
@@ -2269,7 +2333,7 @@ static int cm_calculate_ml_scores(struct wlan_objmgr_psoc *psoc,
 	weight_config = &score_config->weight_config;
 	if (IS_LINK_SCORE(ml_flag) || bss_mlo_type == SLO ||
 	    bss_mlo_type == MLSR ||
-	    !wlan_cm_is_eht_allowed_for_current_security(psoc, entry)) {
+	    !wlan_cm_is_eht_allowed_for_current_security(psoc, entry, false)) {
 		rssi_score =
 			cm_calculate_rssi_score(&score_config->rssi_score,
 						entry->rssi_raw,
@@ -3020,7 +3084,8 @@ static void cm_eliminate_common_candidate(qdf_list_t *candidate_list)
 	}
 }
 
-static void cm_validate_partner_links_rsn_cap(struct scan_cache_entry *entry,
+static void cm_validate_partner_links_rsn_cap(struct wlan_objmgr_psoc *psoc,
+					      struct scan_cache_entry *entry,
 					      qdf_list_t *scan_list)
 {
 	uint8_t idx;
@@ -3045,8 +3110,12 @@ static void cm_validate_partner_links_rsn_cap(struct scan_cache_entry *entry,
 		if (!partner_entry)
 			continue;
 
-		if (wlan_scan_entries_contain_cmn_akm(entry, partner_entry))
+		if (wlan_scan_entries_contain_cmn_akm(entry, partner_entry) &&
+		    wlan_cm_is_eht_allowed_for_current_security(psoc,
+								partner_entry,
+								true)) {
 			continue;
+		}
 
 		partner_info->is_valid_link = false;
 		mlme_debug(QDF_MAC_ADDR_FMT "link (%d) akm not matching",
@@ -3065,7 +3134,8 @@ static void cm_eliminate_common_candidate(qdf_list_t *candidate_list)
 }
 
 static inline void
-cm_validate_partner_links_rsn_cap(struct scan_cache_entry *entry,
+cm_validate_partner_links_rsn_cap(struct wlan_objmgr_psoc *psoc,
+				  struct scan_cache_entry *entry,
 				  qdf_list_t *scan_list)
 {
 }
@@ -3160,7 +3230,8 @@ void wlan_cm_calculate_bss_score(struct wlan_objmgr_pdev *pdev,
 		}
 
 		/* Check if the partner links RSN caps are matching. */
-		cm_validate_partner_links_rsn_cap(scan_entry->entry, scan_list);
+		cm_validate_partner_links_rsn_cap(psoc,
+						  scan_entry->entry, scan_list);
 		if (denylist_action == CM_DLM_NO_ACTION ||
 		    (are_all_candidate_denylisted && denylist_action ==
 		     CM_DLM_REMOVE)) {

umac/mlme/connection_mgr/core/src/wlan_cm_connect.c

@@ -528,34 +528,33 @@ static QDF_STATUS cm_update_vdev_mlme_macaddr(struct cnx_mgr *cm_ctx,
 {
 	struct qdf_mac_addr *mac;
 	bool eht_capab;
-	uint8_t vdev_id = wlan_vdev_get_id(cm_ctx->vdev);
+	struct wlan_objmgr_vdev *vdev = cm_ctx->vdev;
+	uint8_t vdev_id = wlan_vdev_get_id(vdev);
 
-	if (wlan_vdev_mlme_get_opmode(cm_ctx->vdev) != QDF_STA_MODE)
+	if (wlan_vdev_mlme_get_opmode(vdev) != QDF_STA_MODE)
 		return QDF_STATUS_SUCCESS;
 
-	wlan_psoc_mlme_get_11be_capab(wlan_vdev_get_psoc(cm_ctx->vdev),
-				      &eht_capab);
+	wlan_psoc_mlme_get_11be_capab(wlan_vdev_get_psoc(vdev), &eht_capab);
 	if (!eht_capab)
 		return QDF_STATUS_SUCCESS;
 
-	mac = (struct qdf_mac_addr *)wlan_vdev_mlme_get_mldaddr(cm_ctx->vdev);
+	mac = (struct qdf_mac_addr *)wlan_vdev_mlme_get_mldaddr(vdev);
 
 	if (req->cur_candidate->entry->ie_list.multi_link_bv &&
 	    !qdf_is_macaddr_zero(mac) &&
-	    wlan_cm_is_eht_allowed_for_current_security(
-					wlan_vdev_get_psoc(cm_ctx->vdev),
-					req->cur_candidate->entry)) {
-		wlan_vdev_obj_lock(cm_ctx->vdev);
+	    wlan_cm_is_eht_allowed_for_current_security(wlan_vdev_get_psoc(vdev),
+							req->cur_candidate->entry,
+							true)) {
+		wlan_vdev_obj_lock(vdev);
 		/* Use link address for ML connection */
-		wlan_vdev_mlme_set_macaddr(cm_ctx->vdev,
-					   cm_ctx->vdev->vdev_mlme.linkaddr);
-		wlan_vdev_obj_unlock(cm_ctx->vdev);
-		wlan_vdev_mlme_set_mlo_vdev(cm_ctx->vdev);
+		wlan_vdev_mlme_set_macaddr(vdev, vdev->vdev_mlme.linkaddr);
+		wlan_vdev_obj_unlock(vdev);
+		wlan_vdev_mlme_set_mlo_vdev(vdev);
 		mlme_debug(CM_PREFIX_FMT "setting ML link address " QDF_MAC_ADDR_FMT,
 			   CM_PREFIX_REF(vdev_id, req->cm_id),
 			   QDF_MAC_ADDR_REF(mac->bytes));
 	} else {
-		if (wlan_vdev_mlme_is_mlo_link_vdev(cm_ctx->vdev)) {
+		if (wlan_vdev_mlme_is_mlo_link_vdev(vdev)) {
 			mlme_debug(CM_PREFIX_FMT "MLIE is not present for partner" QDF_MAC_ADDR_FMT,
 				   CM_PREFIX_REF(vdev_id, req->cm_id),
 				   QDF_MAC_ADDR_REF(mac->bytes));
@@ -564,14 +563,14 @@ static QDF_STATUS cm_update_vdev_mlme_macaddr(struct cnx_mgr *cm_ctx,
 
 		/* Use net_dev address for non-ML connection */
 		if (!qdf_is_macaddr_zero(mac)) {
-			wlan_vdev_obj_lock(cm_ctx->vdev);
-			wlan_vdev_mlme_set_macaddr(cm_ctx->vdev, mac->bytes);
-			wlan_vdev_obj_unlock(cm_ctx->vdev);
+			wlan_vdev_obj_lock(vdev);
+			wlan_vdev_mlme_set_macaddr(vdev, mac->bytes);
+			wlan_vdev_obj_unlock(vdev);
 			mlme_debug(CM_PREFIX_FMT "setting non-ML address " QDF_MAC_ADDR_FMT,
 				   CM_PREFIX_REF(vdev_id, req->cm_id),
 				   QDF_MAC_ADDR_REF(mac->bytes));
 		}
-		wlan_vdev_mlme_clear_mlo_vdev(cm_ctx->vdev);
+		wlan_vdev_mlme_clear_mlo_vdev(vdev);
 	}
 
 	return QDF_STATUS_SUCCESS;
@@ -668,22 +667,22 @@ static void cm_create_bss_peer(struct cnx_mgr *cm_ctx,
 	struct qdf_mac_addr *mld_mac = NULL;
 	bool is_assoc_link = false;
 	bool eht_capab;
+	struct wlan_objmgr_vdev *vdev;
 
 	if (!cm_ctx) {
 		mlme_err("invalid cm_ctx");
 		return;
 	}
 
-	if (mlo_is_sta_bridge_vdev(cm_ctx->vdev) && req) {
+	vdev = cm_ctx->vdev;
+	if (mlo_is_sta_bridge_vdev(vdev) && req) {
 		/* Acquire lock as required by wlan_vdev_mlme_get_mldaddr() */
-		wlan_vdev_obj_lock(cm_ctx->vdev);
-		bssid = (struct qdf_mac_addr *)wlan_vdev_mlme_get_mldaddr(cm_ctx->vdev);
-		wlan_vdev_obj_unlock(cm_ctx->vdev);
-		mld_mac = mlo_get_sta_ctx_bss_mld_addr(cm_ctx->vdev);
-		status = mlme_cm_bss_peer_create_req(cm_ctx->vdev,
-						     bssid,
-						     mld_mac,
-						     is_assoc_link);
+		wlan_vdev_obj_lock(vdev);
+		bssid = (struct qdf_mac_addr *)wlan_vdev_mlme_get_mldaddr(vdev);
+		wlan_vdev_obj_unlock(vdev);
+		mld_mac = mlo_get_sta_ctx_bss_mld_addr(vdev);
+		status = mlme_cm_bss_peer_create_req(vdev, bssid,
+						     mld_mac, is_assoc_link);
 		goto peer_create_fail;
 	}
 
@@ -692,26 +691,25 @@ static void cm_create_bss_peer(struct cnx_mgr *cm_ctx,
 		return;
 	}
 
-	wlan_psoc_mlme_get_11be_capab(wlan_vdev_get_psoc(cm_ctx->vdev),
-				      &eht_capab);
-	if (eht_capab && wlan_vdev_mlme_is_mlo_vdev(cm_ctx->vdev) &&
-	    wlan_cm_is_eht_allowed_for_current_security(
-					wlan_vdev_get_psoc(cm_ctx->vdev),
-					req->cur_candidate->entry)) {
+	wlan_psoc_mlme_get_11be_capab(wlan_vdev_get_psoc(vdev), &eht_capab);
+	if (eht_capab && wlan_vdev_mlme_is_mlo_vdev(vdev) &&
+	    wlan_cm_is_eht_allowed_for_current_security(wlan_vdev_get_psoc(vdev),
+							req->cur_candidate->entry,
+							true)) {
 		cm_set_vdev_link_id(cm_ctx, req);
-		wlan_mlo_init_cu_bpcc(cm_ctx->vdev);
+		wlan_mlo_init_cu_bpcc(vdev);
 		mld_mac = cm_get_bss_peer_mld_addr(req);
-		mlo_set_sta_ctx_bss_mld_addr(cm_ctx->vdev, mld_mac);
+		mlo_set_sta_ctx_bss_mld_addr(vdev, mld_mac);
 		is_assoc_link = cm_bss_peer_is_assoc_peer(req);
 	}
 
 	bssid = &req->cur_candidate->entry->bssid;
-	status = mlme_cm_bss_peer_create_req(cm_ctx->vdev, bssid,
+	status = mlme_cm_bss_peer_create_req(vdev, bssid,
 					     mld_mac, is_assoc_link);
 peer_create_fail:
 	if (QDF_IS_STATUS_ERROR(status)) {
 		struct wlan_cm_connect_resp *resp;
-		uint8_t vdev_id = wlan_vdev_get_id(cm_ctx->vdev);
+		uint8_t vdev_id = wlan_vdev_get_id(vdev);
 
 		/* In case of failure try with next candidate */
 		mlme_err(CM_PREFIX_FMT "peer create request failed %d",

umac/mlme/connection_mgr/dispatcher/inc/wlan_cm_bss_score_param.h

@@ -345,25 +345,28 @@ void wlan_cm_calculate_bss_score(struct wlan_objmgr_pdev *pdev,
  * wlan_cm_is_eht_allowed_for_current_security() - checks the current security,
  * if eht allowed or not.
  * @psoc: psoc context
- * @scan_entry: pointer to scan cache entry
+ * @entry: pointer to scan cache entry
+ * @is_mlo_connect: Is for MLO connection, if false check for non-ML EHT only
  *
  * Return: true if eht allowed for current security
  **/
-bool wlan_cm_is_eht_allowed_for_current_security(
-			struct wlan_objmgr_psoc *psoc,
-			struct scan_cache_entry *scan_entry);
+bool wlan_cm_is_eht_allowed_for_current_security(struct wlan_objmgr_psoc *psoc,
+						 struct scan_cache_entry *entry,
+						 bool is_mlo_connect);
 #else
-static inline bool wlan_cm_is_eht_allowed_for_current_security(
-			struct wlan_objmgr_psoc *psoc,
-			struct scan_cache_entry *scan_entry)
+static inline bool
+wlan_cm_is_eht_allowed_for_current_security(struct wlan_objmgr_psoc *psoc,
+					    struct scan_cache_entry *entry,
+					    bool is_mlo_connect)
 {
 	return true;
 }
 #endif
 #else
-static inline bool wlan_cm_is_eht_allowed_for_current_security(
-			struct wlan_objmgr_psoc *psoc,
-			struct scan_cache_entry *scan_entry)
+static inline bool
+wlan_cm_is_eht_allowed_for_current_security(struct wlan_objmgr_psoc *psoc,
+					    struct scan_cache_entry *entry,
+					    bool is_mlo_connect)
 {
 	return false;
 }