From 7f93038dad7c0432a86a23fe87a94c8f3c6d0856 Mon Sep 17 00:00:00 2001
From: nbd <nbd@3c298f89-4303-0410-b956-a3cf2f4a3e73>
Date: Mon, 21 May 2007 06:25:34 +0000
Subject: madwifi: switch to latest madwifi-hal-0.9.30.13 snapshot as reference
 merge in refcount branch as well and clean up openwrt patches (a few fixes
 got merged upstream)

git-svn-id: svn://svn.openwrt.org/openwrt/trunk@7300 3c298f89-4303-0410-b956-a3cf2f4a3e73
---
 package/madwifi/Makefile                           |   11 +-
 package/madwifi/patches/010-refcount_merge.patch   | 2208 ++++++++++++++++++++
 package/madwifi/patches/101-fix_typo.patch         |   12 -
 package/madwifi/patches/106-minstrel_crash.patch   |   13 -
 package/madwifi/patches/111-wds_fix_PR_914.patch   |   31 -
 package/madwifi/patches/112-keycache_PR_962.patch  |   34 +-
 .../madwifi/patches/114-fix_ff_corruption.patch    |   21 -
 package/madwifi/patches/115-PR_1270_fix.patch      |  104 -
 .../madwifi/patches/116-adhoc_beacon_PR_1033.patch |   24 +-
 package/madwifi/patches/117-node_rates.patch       |   11 -
 .../madwifi/patches/118-txstop_workaround.patch    |   22 +-
 package/madwifi/patches/200-no_debug.patch         |   20 +-
 package/madwifi/patches/300-napi_polling.patch     |  190 +-
 package/madwifi/patches/308-mlme_fix.patch         |   12 -
 package/madwifi/patches/309-micfail_detect.patch   |   77 +-
 15 files changed, 2391 insertions(+), 399 deletions(-)
 create mode 100644 package/madwifi/patches/010-refcount_merge.patch
 delete mode 100644 package/madwifi/patches/101-fix_typo.patch
 delete mode 100644 package/madwifi/patches/106-minstrel_crash.patch
 delete mode 100644 package/madwifi/patches/111-wds_fix_PR_914.patch
 delete mode 100644 package/madwifi/patches/114-fix_ff_corruption.patch
 delete mode 100644 package/madwifi/patches/115-PR_1270_fix.patch
 delete mode 100644 package/madwifi/patches/117-node_rates.patch
 delete mode 100644 package/madwifi/patches/308-mlme_fix.patch

diff --git a/package/madwifi/Makefile b/package/madwifi/Makefile
index 6b85d3d65..9867a2e05 100644
--- a/package/madwifi/Makefile
+++ b/package/madwifi/Makefile
@@ -10,13 +10,14 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=madwifi
-PKG_VERSION:=r2313-20070505
+PKG_VERSION:=r2351-20070519
+PKG_BRANCH:=madwifi-hal-0.9.30.13
 PKG_RELEASE:=1
 
-PKG_SOURCE:=madwifi-ng-refcount-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=http://snapshots.madwifi.org/madwifi-ng-refcount
-PKG_MD5SUM:=01ee9dfb1f174be6e009f9697f7267b8
-PKG_BUILD_DIR:=$(KERNEL_BUILD_DIR)/madwifi-ng-refcount-r2313-20070505
+PKG_SOURCE:=$(PKG_BRANCH)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=http://snapshots.madwifi.org/$(PKG_BRANCH)
+PKG_MD5SUM:=215b6c66eb1a3c4bcd947f358ade823f
+PKG_BUILD_DIR:=$(KERNEL_BUILD_DIR)/$(PKG_BRANCH)-$(PKG_VERSION)
 
 include $(INCLUDE_DIR)/package.mk
 
diff --git a/package/madwifi/patches/010-refcount_merge.patch b/package/madwifi/patches/010-refcount_merge.patch
new file mode 100644
index 000000000..a6c335958
--- /dev/null
+++ b/package/madwifi/patches/010-refcount_merge.patch
@@ -0,0 +1,2208 @@
+diff -ur madwifi.old/ath/if_ath.c madwifi.dev/ath/if_ath.c
+--- madwifi.old/ath/if_ath.c	2007-05-18 13:19:16.000000000 +0200
++++ madwifi.dev/ath/if_ath.c	2007-05-21 08:10:46.864754176 +0200
+@@ -158,8 +158,7 @@
+ static int ath_desc_alloc(struct ath_softc *);
+ static void ath_desc_free(struct ath_softc *);
+ static void ath_desc_swap(struct ath_desc *);
+-static struct ieee80211_node *ath_node_alloc(struct ieee80211_node_table *,
+-	struct ieee80211vap *);
++static struct ieee80211_node *ath_node_alloc(struct ieee80211vap *);
+ static void ath_node_cleanup(struct ieee80211_node *);
+ static void ath_node_free(struct ieee80211_node *);
+ static u_int8_t ath_node_getrssi(const struct ieee80211_node *);
+@@ -2385,7 +2384,7 @@
+ 		if (ath_tx_start(sc->sc_dev, ni, bf_ff, bf_ff->bf_skb, 0) == 0)
+ 			continue;
+ 	bad:
+-		ieee80211_free_node(ni);
++		ieee80211_unref_node(&ni);
+ 		if (bf_ff->bf_skb != NULL) {
+ 			dev_kfree_skb(bf_ff->bf_skb);
+ 			bf_ff->bf_skb = NULL;
+@@ -2525,8 +2524,10 @@
+ 			skb = bf->bf_skb;
+ 			ATH_FF_MAGIC_PUT(skb);
+ 
++#if 0
+ 			/* decrement extra node reference made when an_tx_ffbuf[] was set */
+-			//ieee80211_free_node(ni); /* XXX where was it set ? */
++			ieee80211_unref_node(&ni); /* XXX where was it set ? */
++#endif
+ 
+ 			DPRINTF(sc, ATH_DEBUG_XMIT | ATH_DEBUG_FF,
+ 				"%s: aggregating fast-frame\n", __func__);
+@@ -2585,7 +2586,7 @@
+ 		ff_flushbad:
+ 			DPRINTF(sc, ATH_DEBUG_XMIT | ATH_DEBUG_FF,
+ 				"%s: ff stageq flush failure\n", __func__);
+-			ieee80211_free_node(ni);
++			ieee80211_unref_node(&ni);
+ 			if (bf_ff->bf_skb) {
+ 				dev_kfree_skb(bf_ff->bf_skb);
+ 				bf_ff->bf_skb = NULL;
+@@ -2707,7 +2708,7 @@
+ 			tbf->bf_node = NULL;
+ 			
+ 			if (ni != NULL) 
+-				ieee80211_free_node(ni);
++				ieee80211_unref_node(&ni);
+ 
+ 			STAILQ_INSERT_TAIL(&sc->sc_txbuf, tbf, bf_list);
+ 		}
+@@ -2789,7 +2790,7 @@
+ 	/* fall thru... */
+ bad:
+ 	if (ni != NULL)
+-		ieee80211_free_node(ni);
++		ieee80211_unref_node(&ni);
+ 	if (bf != NULL) {
+ 		bf->bf_skb = NULL;
+ 		bf->bf_node = NULL;
+@@ -3178,7 +3179,7 @@
+ 	 */
+ 	ni = sc->sc_keyixmap[keyix];
+ 	if (ni != NULL) {
+-		ieee80211_free_node(ni);
++		ieee80211_unref_node(&ni);
+ 		sc->sc_keyixmap[keyix] = NULL;
+ 	}
+ 	/*
+@@ -3189,7 +3190,7 @@
+ 		ath_hal_keyreset(ah, keyix + 32);	/* RX key */
+ 		ni = sc->sc_keyixmap[keyix + 32];
+ 		if (ni != NULL) {			/* as above... */
+-			ieee80211_free_node(ni);
++			ieee80211_unref_node(&ni);
+ 			sc->sc_keyixmap[keyix + 32] = NULL;
+ 		}
+ 	}
+@@ -3202,7 +3203,7 @@
+ 			ath_hal_keyreset(ah, keyix + rxkeyoff);
+ 			ni = sc->sc_keyixmap[keyix + rxkeyoff];
+ 			if (ni != NULL) {	/* as above... */
+-				ieee80211_free_node(ni);
++				ieee80211_unref_node(&ni);
+ 				sc->sc_keyixmap[keyix + rxkeyoff] = NULL;
+ 			}
+ 		}
+@@ -3764,10 +3765,8 @@
+ 		dev_kfree_skb(bf->bf_skb);
+ 		bf->bf_skb = NULL;
+ 	}
+-	if (bf->bf_node != NULL) {
+-		ieee80211_free_node(bf->bf_node);
+-		bf->bf_node = NULL;
+-	}
++	if (bf->bf_node != NULL)
++		ieee80211_unref_node(&bf->bf_node);
+ 
+ 	/*
+ 	 * NB: the beacon data buffer must be 32-bit aligned;
+@@ -3808,7 +3807,7 @@
+ 		DPRINTF(sc, ATH_DEBUG_BEACON,
+ 			"%s: %s beacons, bslot %d intval %u tsfadjust(Kus) %llu\n",
+ 			__func__, sc->sc_stagbeacons ? "stagger" : "burst",
+-			avp->av_bslot, ni->ni_intval, (unsigned long long) tuadjust);
++			avp->av_bslot, ni->ni_intval, (long long) tuadjust);
+ 
+ 		wh = (struct ieee80211_frame *) skb->data;
+ 		memcpy(&wh[1], &tsfadjust, sizeof(tsfadjust));
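Review bot: The cast on the last DPRINTF argument was changed from `(unsigned long long) tuadjust` to `(long long) tuadjust` while the format string still uses `%llu`, so the argument type no longer matches the conversion specifier. The next hunk makes the same change for `tsf` against `tsf %llu`. Keep the casts unsigned, `avp->av_bslot, ni->ni_intval, (unsigned long long) tuadjust);`, or change the specifier to `%lld` if a signed value is really intended. Both call sites sit in functions that begin and end outside their hunks.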
+@@ -4128,7 +4127,7 @@
+ 		vap = sc->sc_bslot[(slot + 1) % ATH_BCBUF];
+ 		DPRINTF(sc, ATH_DEBUG_BEACON_PROC,
+ 			"%s: slot %d [tsf %llu tsftu %u intval %u] vap %p\n",
+-			__func__, slot, (unsigned long long) tsf, tsftu, ic->ic_lintval, vap);
++			__func__, slot, (long long) tsf, tsftu, ic->ic_lintval, vap);
+ 		bfaddr = 0;
+ 		if (vap != NULL) {
+ 			bf = ath_beacon_generate(sc, vap, needmark);
+@@ -4309,10 +4308,8 @@
+ 		dev_kfree_skb(bf->bf_skb);
+ 		bf->bf_skb = NULL;
+ 	}
+-	if (bf->bf_node != NULL) {
+-		ieee80211_free_node(bf->bf_node);
+-		bf->bf_node = NULL;
+-	}
++	if (bf->bf_node != NULL) 
++		ieee80211_unref_node(&bf->bf_node);
+ 	STAILQ_INSERT_TAIL(&sc->sc_bbuf, bf, bf_list);
+ }
+ 
+@@ -4331,10 +4328,8 @@
+ 			dev_kfree_skb(bf->bf_skb);
+ 			bf->bf_skb = NULL;
+ 		}
+-		if (bf->bf_node != NULL) {
+-			ieee80211_free_node(bf->bf_node);
+-			bf->bf_node = NULL;
+-		}
++		if (bf->bf_node != NULL)
++			ieee80211_unref_node(&bf->bf_node);
+ 	}
+ }
+ 
+@@ -4620,7 +4615,7 @@
+ 			/*
+ 			 * Reclaim node reference.
+ 			 */
+-			ieee80211_free_node(ni);
++			ieee80211_unref_node(&ni);
+ 		}
+ 	}
+ 
+@@ -4679,37 +4674,39 @@
+ }
+ 
+ static struct ieee80211_node *
+-ath_node_alloc(struct ieee80211_node_table *nt,struct ieee80211vap *vap)
++ath_node_alloc(struct ieee80211vap *vap)
+ {
+-	struct ath_softc *sc = nt->nt_ic->ic_dev->priv;
++	struct ath_softc *sc = vap->iv_ic->ic_dev->priv;
+ 	const size_t space = sizeof(struct ath_node) + sc->sc_rc->arc_space;
+ 	struct ath_node *an;
+ 
+ 	an = kmalloc(space, GFP_ATOMIC);
+-	if (an == NULL)
+-		return NULL;
+-	memset(an, 0, space);
+-	an->an_decomp_index = INVALID_DECOMP_INDEX;
+-	an->an_avgrssi = ATH_RSSI_DUMMY_MARKER;
+-	an->an_halstats.ns_avgbrssi = ATH_RSSI_DUMMY_MARKER;
+-	an->an_halstats.ns_avgrssi = ATH_RSSI_DUMMY_MARKER;
+-	an->an_halstats.ns_avgtxrssi = ATH_RSSI_DUMMY_MARKER;
+-	/*
+-	 * ath_rate_node_init needs a VAP pointer in node
+-	 * to decide which mgt rate to use
+-	 */
+-	an->an_node.ni_vap = vap;
+-	sc->sc_rc->ops->node_init(sc, an);
+-
+-	/* U-APSD init */
+-	STAILQ_INIT(&an->an_uapsd_q);
+-	an->an_uapsd_qdepth = 0;
+-	STAILQ_INIT(&an->an_uapsd_overflowq);
+-	an->an_uapsd_overflowqdepth = 0;
+-	ATH_NODE_UAPSD_LOCK_INIT(an);
++	if (an != NULL) {
++		memset(an, 0, space);
++		an->an_decomp_index = INVALID_DECOMP_INDEX;
++		an->an_avgrssi = ATH_RSSI_DUMMY_MARKER;
++		an->an_halstats.ns_avgbrssi = ATH_RSSI_DUMMY_MARKER;
++		an->an_halstats.ns_avgrssi = ATH_RSSI_DUMMY_MARKER;
++		an->an_halstats.ns_avgtxrssi = ATH_RSSI_DUMMY_MARKER;
++		/*
++		 * ath_rate_node_init needs a vap pointer in node
++		 * to decide which mgt rate to use
++		 */
++		an->an_node.ni_vap = vap;
++		sc->sc_rc->ops->node_init(sc, an);
+ 
+-	DPRINTF(sc, ATH_DEBUG_NODE, "%s: an %p\n", __func__, an);
+-	return &an->an_node;
++		/* U-APSD init */
++		STAILQ_INIT(&an->an_uapsd_q);
++		an->an_uapsd_qdepth = 0;
++		STAILQ_INIT(&an->an_uapsd_overflowq);
++		an->an_uapsd_overflowqdepth = 0;
++		ATH_NODE_UAPSD_LOCK_INIT(an);
++		
++		DPRINTF(sc, ATH_DEBUG_NODE, "%s: an %p\n", __func__, an);
++		return &an->an_node;
++	} else {
++		return NULL;
++	}
+ }
+ 
+ static void
+@@ -4719,6 +4716,7 @@
+ 	struct ath_softc *sc = ni->ni_ic->ic_dev->priv;
+ 	struct ath_node *an = ATH_NODE(ni);
+ 	struct ath_buf *bf;
++	struct ieee80211_cb *cb = NULL;
+ 	
+ 	/*
+ 	 * U-APSD cleanup
+@@ -4733,15 +4731,18 @@
+ 	while (an->an_uapsd_qdepth) {
+ 		bf = STAILQ_FIRST(&an->an_uapsd_q);
+ 		STAILQ_REMOVE_HEAD(&an->an_uapsd_q, bf_list);
+-		bf->bf_desc->ds_link = 0;
+ 
++		cb = (struct ieee80211_cb *) bf->bf_skb->cb;
++		ieee80211_unref_node(&cb->ni);
+ 		dev_kfree_skb_any(bf->bf_skb);
++
++		bf->bf_desc->ds_link = 0;
+ 		bf->bf_skb = NULL;
+ 		bf->bf_node = NULL;
++
+ 		ATH_TXBUF_LOCK_IRQ(sc);
+ 		STAILQ_INSERT_TAIL(&sc->sc_txbuf, bf, bf_list);
+ 		ATH_TXBUF_UNLOCK_IRQ(sc);
+-		ieee80211_free_node(ni);
+ 
+ 		an->an_uapsd_qdepth--;
+ 	}
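Review bot: The added `cb = (struct ieee80211_cb *) bf->bf_skb->cb;` followed by `ieee80211_unref_node(&cb->ni);` dereferences `bf->bf_skb` and hands over `cb->ni` without checking either, inside a loop that trusts `an_uapsd_qdepth` rather than the queue itself. The old code released the node being cleaned up; the new code releases whatever the skb control block holds, and nothing visible here shows that `cb->ni` is always set for queued U-APSD frames or that `ieee80211_unref_node` tolerates a NULL node. Wrapping the skb lines in `if (bf->bf_skb != NULL) { ... }` and adding a comment such as `/* drop the reference taken when the frame was queued */` would make the ownership explicit. The overflow-queue loop in the next hunk has the same pattern, and there `bf->bf_desc->ds_link = 0;` is placed differently from this loop for no stated reason. The function starts and ends outside this hunk.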
+@@ -4749,19 +4750,25 @@
+ 	while (an->an_uapsd_overflowqdepth) {
+ 		bf = STAILQ_FIRST(&an->an_uapsd_overflowq);
+ 		STAILQ_REMOVE_HEAD(&an->an_uapsd_overflowq, bf_list);
+-		bf->bf_desc->ds_link = 0;
+ 
++		cb = (struct ieee80211_cb *) bf->bf_skb->cb;
++		ieee80211_unref_node(&cb->ni);
+ 		dev_kfree_skb_any(bf->bf_skb);
++
+ 		bf->bf_skb = NULL;
+ 		bf->bf_node = NULL;
++		bf->bf_desc->ds_link = 0;
++		
+ 		ATH_TXBUF_LOCK_IRQ(sc);
+ 		STAILQ_INSERT_TAIL(&sc->sc_txbuf, bf, bf_list);
+ 		ATH_TXBUF_UNLOCK_IRQ(sc);
+-		ieee80211_free_node(ni);
+ 
+ 		an->an_uapsd_overflowqdepth--;
+ 	}
+ 
++	/* Clean up node-specific rate things - this currently appears to always be a no-op */
++	sc->sc_rc->ops->node_cleanup(sc, ATH_NODE(ni));
++
+ 	ATH_NODE_UAPSD_LOCK_IRQ(an);
+ 	sc->sc_node_cleanup(ni);
+ 	ATH_NODE_UAPSD_UNLOCK_IRQ(an);
+@@ -4772,7 +4779,6 @@
+ {
+ 	struct ath_softc *sc = ni->ni_ic->ic_dev->priv;
+ 
+-	sc->sc_rc->ops->node_cleanup(sc, ATH_NODE(ni));
+ 	sc->sc_node_free(ni);
+ #ifdef ATH_SUPERG_XR
+ 	ath_grppoll_period_update(sc);
+@@ -5660,7 +5666,7 @@
+ 			an = ATH_NODE(ieee80211_ref_node(ni));
+ 			ATH_RSSI_LPF(an->an_avgrssi, rs->rs_rssi);
+ 			type = ieee80211_input(ni, skb, rs->rs_rssi, rs->rs_tstamp);
+-			ieee80211_free_node(ni);
++			ieee80211_unref_node(&ni);
+ 		} else {
+ 			/*
+ 			 * No key index or no entry, do a lookup and
+@@ -5682,7 +5688,7 @@
+ 				if (keyix != IEEE80211_KEYIX_NONE &&
+ 				    sc->sc_keyixmap[keyix] == NULL)
+ 					sc->sc_keyixmap[keyix] = ieee80211_ref_node(ni);
+-				ieee80211_free_node(ni); 
++				ieee80211_unref_node(&ni); 
+ 			} else
+ 				type = ieee80211_input_all(ic, skb,
+ 					rs->rs_rssi, rs->rs_tstamp);
+@@ -6478,8 +6484,7 @@
+ 		STAILQ_REMOVE_HEAD(&an->an_uapsd_q, bf_list);
+ 		dev_kfree_skb(lastbuf->bf_skb);
+ 		lastbuf->bf_skb = NULL;
+-		ieee80211_free_node(lastbuf->bf_node);
+-		lastbuf->bf_node = NULL;
++		ieee80211_unref_node(&lastbuf->bf_node);
+ 		ATH_TXBUF_LOCK_IRQ(sc);
+ 		STAILQ_INSERT_TAIL(&sc->sc_txbuf, lastbuf, bf_list);
+ 		ATH_TXBUF_UNLOCK_IRQ(sc);
+@@ -7229,7 +7234,7 @@
+ 			 *     this is a DEAUTH message that was sent and the
+ 			 *     node was timed out due to inactivity.
+ 			 */
+-			 ieee80211_free_node(ni); 
++			 ieee80211_unref_node(&ni); 
+ 		}
+ 
+ 		bus_unmap_single(sc->sc_bdev, bf->bf_skbaddr, 
+@@ -7474,7 +7479,7 @@
+ 		}
+ #endif /* ATH_SUPERG_FF */
+ 		if (bf->bf_node)
+-			ieee80211_free_node(bf->bf_node);
++			ieee80211_unref_node(&bf->bf_node);
+ 
+ 		bf->bf_skb = NULL;
+ 		bf->bf_node = NULL;
+diff -ur madwifi.old/net80211/ieee80211_input.c madwifi.dev/net80211/ieee80211_input.c
+--- madwifi.old/net80211/ieee80211_input.c	2007-05-18 13:19:16.000000000 +0200
++++ madwifi.dev/net80211/ieee80211_input.c	2007-05-21 08:10:46.865754024 +0200
+@@ -489,7 +489,7 @@
+ 					nt = &ic->ic_sta;
+ 					ni_wds = ieee80211_find_wds_node(nt, wh->i_addr3);
+ 					if (ni_wds) {
+-						ieee80211_free_node(ni_wds); /* Decr ref count */
++						ieee80211_unref_node(&ni_wds); /* Decr ref count */
+ 						IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
+ 							wh, NULL, "%s",
+ 							"multicast echo originated from node behind me");
+@@ -543,10 +543,12 @@
+ 			 * the node table for the packet source address (addr4).
+ 			 * If not, add one.
+ 			 */
++			/* XXX: Useless node mgmt API; make better */
+ 			if (dir == IEEE80211_FC1_DIR_DSTODS) {
+ 				struct ieee80211_node_table *nt;
+ 				struct ieee80211_frame_addr4 *wh4;
+ 				struct ieee80211_node *ni_wds;
++
+ 				if (!(vap->iv_flags_ext & IEEE80211_FEXT_WDS)) {
+ 					IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
+ 						wh, "data", "%s", "4 addr not allowed");
+@@ -569,7 +571,7 @@
+ 				if (ni_wds == NULL)
+ 					ieee80211_add_wds_addr(nt, ni, wh4->i_addr4, 0);
+ 				else
+-					ieee80211_free_node(ni_wds); /* Decr ref count */
++					ieee80211_unref_node(&ni_wds); /* Decr. ref count */
+ 			}
+ 			
+ 			/*
+@@ -936,7 +938,7 @@
+ 		}
+ 		ni = ieee80211_ref_node(vap->iv_bss);
+ 		type = ieee80211_input(ni, skb1, rssi, rstamp);
+-		ieee80211_free_node(ni);
++		ieee80211_unref_node(&ni);
+ 	}
+ 	if (skb != NULL)		/* no vaps, reclaim skb */
+ 		dev_kfree_skb(skb);
+@@ -986,22 +988,14 @@
+ 	}
+ 
+ 	/*
+-	 * Use this lock to make sure ni->ni_rxfrag is
+-	 * not freed by the timer process while we use it.
+-	 * XXX bogus
+-	 */
+-	IEEE80211_NODE_LOCK_IRQ(ni->ni_table);
+-
+-	/*
+ 	 * Update the time stamp.  As a side effect, it
+ 	 * also makes sure that the timer will not change
+ 	 * ni->ni_rxfrag for at least 1 second, or in
+ 	 * other words, for the remaining of this function.
++	 * XXX HUGE HORRIFIC HACK
+ 	 */
+ 	ni->ni_rxfragstamp = jiffies;
+ 
+-	IEEE80211_NODE_UNLOCK_IRQ(ni->ni_table);
+-
+ 	/*
+ 	 * Validate that fragment is in order and
+ 	 * related to the previous ones.
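Review bot: With `IEEE80211_NODE_LOCK_IRQ`/`IEEE80211_NODE_UNLOCK_IRQ` removed, the only thing keeping the timer away from `ni->ni_rxfrag` while this function uses it is the unlocked store `ni->ni_rxfragstamp = jiffies;` and the one-second assumption in the comment, which the patch itself labels `XXX HUGE HORRIFIC HACK`. This is the reassembly path for received fragments, so a lost race would presumably leave the function working on a fragment buffer the timer has already released; nothing in the hunk orders the store against a timer that has already sampled the old stamp. Either keep a lock around the stamp update and the `ni_rxfrag` accesses, or state the invariant precisely in the comment, e.g. `/* relies on the timeout only reaping ni_rxfrag older than 1s; not safe against a timer already running on another CPU */`. The function continues outside this hunk.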
+@@ -1130,7 +1124,7 @@
+ 					skb = NULL;
+ 				}
+ 				/* XXX statistic? */
+-				ieee80211_free_node(ni1);
++				ieee80211_unref_node(&ni1);
+ 			}
+ 		}
+ 		if (skb1 != NULL) {
+@@ -1265,6 +1259,7 @@
+ 	int rssi, u_int32_t rstamp, u_int16_t seq, u_int16_t status)
+ {
+ 	struct ieee80211vap *vap = ni->ni_vap;
++	unsigned int tmpnode = 0;
+ 
+ 	if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
+ 		IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
+@@ -1272,22 +1267,21 @@
+ 			"bad sta auth mode %u", ni->ni_authmode);
+ 		vap->iv_stats.is_rx_bad_auth++;	/* XXX maybe a unique error? */
+ 		if (vap->iv_opmode == IEEE80211_M_HOSTAP) {
+-			/* XXX hack to workaround calling convention */
+-
+-			/* XXX To send the frame to the requesting STA, we have to
+-			 * create a node for the station that we're going to reject.
+-			 * The node will be freed automatically */
+ 			if (ni == vap->iv_bss) {
+-				ni = ieee80211_dup_bss(vap, wh->i_addr2);
++				ni = ieee80211_dup_bss(vap, wh->i_addr2, 0);
+ 				if (ni == NULL)
+ 					return;
+ 
+ 				IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE, 
+ 				"%s: %p<%s> refcnt %d\n", __func__, ni, ether_sprintf(ni->ni_macaddr), 
+ 				ieee80211_node_refcnt(ni));
++				tmpnode = 1;
+ 			}
+ 			IEEE80211_SEND_MGMT(ni,	IEEE80211_FC0_SUBTYPE_AUTH,
+ 				(seq + 1) | (IEEE80211_STATUS_ALG << 16));
++			
++			if (tmpnode)
++				ieee80211_unref_node(&ni);
+ 			return;
+ 		}
+ 	}
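Review bot: The name `tmpnode` suggests a throw-away node, but `ieee80211_dup_bss(vap, wh->i_addr2, 0)` is called with 0, whereas the `ieee80211_send_error` hunk further down passes 1 exactly where it replaces `ieee80211_tmp_node`. If 1 selects a node that is not entered in the station table (the definition is not visible here), this reject path still creates a table entry for a station whose authentication is being refused, and the single `ieee80211_unref_node(&ni);` drops only the caller's reference, so the entry would persist until it times out. The removed comment that explained the node's lifetime is not replaced either. Consider `ni = ieee80211_dup_bss(vap, wh->i_addr2, 1);` on this path, or add a comment saying why a rejected station must be in the table. The function starts and ends outside this hunk.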
+@@ -1315,23 +1309,16 @@
+ 		}
+ 		/* always accept open authentication requests */
+ 		if (ni == vap->iv_bss) {
+-			ni = ieee80211_dup_bss(vap, wh->i_addr2); 
++			ni = ieee80211_dup_bss(vap, wh->i_addr2, 0); 
+ 			if (ni == NULL)
+ 				return;
+ 
+ 			IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE, 
+ 			"%s: %p<%s> refcnt %d\n", __func__, ni, ether_sprintf(ni->ni_macaddr), 
+ 			ieee80211_node_refcnt(ni));
+-
+-		} else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
+-			(void) ieee80211_ref_node(ni);
+-		/*
+-		 * Mark the node as referenced to reflect that it's
+-		 * reference count has been bumped to ensure it remains
+-		 * after the transaction completes.
+-		 */
+-		ni->ni_flags |= IEEE80211_NODE_AREF;
+-
++			tmpnode = 1;
++		}
++		
+ 		IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
+ 		IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
+ 			ni, "station authenticated (%s)", "open");
+@@ -1341,6 +1328,8 @@
+ 		 */
+ 		if (ni->ni_authmode != IEEE80211_AUTH_8021X)
+ 			ieee80211_node_authorize(ni);
++		if (tmpnode)
++			ieee80211_unref_node(&ni);
+ 		break;
+ 
+ 	case IEEE80211_M_STA:
+@@ -1379,7 +1368,7 @@
+ 	int istmp;
+ 
+ 	if (ni == vap->iv_bss) {
+-		ni = ieee80211_tmp_node(vap, mac);
++		ni = ieee80211_dup_bss(vap, mac, 1);
+ 		if (ni == NULL) {
+ 			/* XXX msg */
+ 			return;
+@@ -1389,7 +1378,7 @@
+ 		istmp = 0;
+ 	IEEE80211_SEND_MGMT(ni, subtype, arg);
+ 	if (istmp)
+-		ieee80211_free_node(ni);
++		ieee80211_unref_node(&ni);
+ }
+ 
+ static int
+@@ -1505,7 +1494,7 @@
+ 		switch (seq) {
+ 		case IEEE80211_AUTH_SHARED_REQUEST:
+ 			if (ni == vap->iv_bss) {
+-				ni = ieee80211_dup_bss(vap, wh->i_addr2);
++				ni = ieee80211_dup_bss(vap, wh->i_addr2, 0);
+ 				if (ni == NULL) {
+ 					/* NB: no way to return an error */
+ 					return;
+@@ -1516,17 +1505,8 @@
+ 				ieee80211_node_refcnt(ni));
+ 
+ 				allocbs = 1;
+-			} else {
+-				if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
+-					(void) ieee80211_ref_node(ni);
+-				allocbs = 0;
+ 			}
+-			/*
+-			 * Mark the node as referenced to reflect that it's
+-			 * reference count has been bumped to ensure it remains
+-			 * after the transaction completes.
+-			 */
+-			ni->ni_flags |= IEEE80211_NODE_AREF;
++
+ 			ni->ni_rssi = rssi;
+ 			ni->ni_rstamp = rstamp;
+ 			ni->ni_last_rx = jiffies;
+@@ -1620,14 +1600,13 @@
+ 	}
+ 	return;
+ bad:
+-	/*
+-	 * Send an error response; but only when operating as an AP.
+-	 */
++	/* Send an error response; but only when operating as an AP. */
+ 	if (vap->iv_opmode == IEEE80211_M_HOSTAP) {
+ 		/* XXX hack to workaround calling convention */
+ 		ieee80211_send_error(ni, wh->i_addr2, 
+ 			IEEE80211_FC0_SUBTYPE_AUTH,
+ 			(seq + 1) | (estatus<<16));
++		ieee80211_node_leave(ni);
+ 	} else if (vap->iv_opmode == IEEE80211_M_STA) {
+ 		/*
+ 		 * Kick the state machine.  This short-circuits
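Review bot: The added `ieee80211_node_leave(ni);` runs for every failure that reaches `bad:` in HOSTAP mode, and that can include paths where `ni` is still `vap->iv_bss`. `ieee80211_send_error` in this same file tests `ni == vap->iv_bss` for exactly that case, and the `XXX hack to workaround calling convention` comment above the call points at it. Running node_leave on the BSS node in response to a rejected authentication frame is unlikely to be intended, so guard the call: `if (ni != vap->iv_bss) ieee80211_node_leave(ni);`. The `bad:` label sits near the end of a function whose body is mostly outside this hunk, so which paths jump here with the BSS node should be confirmed there.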
+@@ -2600,7 +2579,7 @@
+ 	u_int8_t *frm, *efrm;
+ 	u_int8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath;
+ 	u_int8_t rate;
+-	int reassoc, resp, allocbs;
++	int reassoc, resp, allocbs = 0;
+ 	u_int8_t qosinfo;
+ 
+ 	wh = (struct ieee80211_frame *) skb->data;
+@@ -3008,13 +2987,13 @@
+ 				ni = ieee80211_fakeup_adhoc_node(vap,
+ 					wh->i_addr2);
+ 			} else {
+-				ni = ieee80211_tmp_node(vap, wh->i_addr2);
++				ni = ieee80211_dup_bss(vap, wh->i_addr2, 1);
+ 			}
+ 			if (ni == NULL)
+ 				return;
+ 			allocbs = 1;
+-		} else
+-			allocbs = 0;
++		}
++
+ 		IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2,
+ 			"%s", "recv probe req");
+ 		ni->ni_rssi = rssi;
+@@ -3037,7 +3016,7 @@
+ 			 * Temporary node created just to send a
+ 			 * response, reclaim immediately
+ 			 */
+-			ieee80211_free_node(ni);
++			ieee80211_unref_node(&ni);
+ 		} else if (ath != NULL)
+ 			ieee80211_saveath(ni, ath);
+ 		break;
+@@ -3067,6 +3046,9 @@
+ 					ni = vap->iv_xrvap->iv_bss;
+ 				else {
+ 					ieee80211_node_leave(ni);
++					/* This would be a stupid place to add a node to the table
++					 * XR stuff needs work anyway
++					 */
+ 					ieee80211_node_reset(ni, vap->iv_xrvap);
+ 				}
+ 				vap = vap->iv_xrvap;
+diff -ur madwifi.old/net80211/ieee80211_linux.c madwifi.dev/net80211/ieee80211_linux.c
+--- madwifi.old/net80211/ieee80211_linux.c	2007-05-18 13:19:16.000000000 +0200
++++ madwifi.dev/net80211/ieee80211_linux.c	2007-05-21 08:10:46.866753872 +0200
+@@ -358,7 +358,7 @@
+         struct ieee80211_node *ni;
+         struct ieee80211_node_table *nt = (struct ieee80211_node_table *) &vap->iv_ic->ic_sta;
+ 
+-        //IEEE80211_NODE_LOCK(nt);                                                                               
++        /* IEEE80211_NODE_LOCK(nt); */
+         TAILQ_FOREACH(ni, &nt->nt_node, ni_list) {
+                 /* Assume each node needs 500 bytes */
+                 if (buf + space < p + 500)
+@@ -376,7 +376,7 @@
+ 
+ 		}
+         }
+-        //IEEE80211_NODE_UNLOCK(nt);                                                                             
++        /* IEEE80211_NODE_UNLOCK(nt); */
+         return (p - buf);
+ }
+ 
+diff -ur madwifi.old/net80211/ieee80211_linux.h madwifi.dev/net80211/ieee80211_linux.h
+--- madwifi.old/net80211/ieee80211_linux.h	2007-05-04 15:45:58.000000000 +0200
++++ madwifi.dev/net80211/ieee80211_linux.h	2007-05-21 08:10:46.867753720 +0200
+@@ -63,6 +63,12 @@
+ 
+ #define	IEEE80211_RESCHEDULE	schedule
+ 
++/* Locking */
++/* NB: beware, spin_is_locked() is not usefully defined for !(DEBUG || SMP)
++ * because spinlocks do not exist in this configuration. Instead IRQs 
++ * or pre-emption are simply disabled, as this is all that is needed.
++ */
++
+ /*
+  * Beacon handler locking definitions.
+  * Beacon locking 
+@@ -85,14 +91,14 @@
+ #define IEEE80211_LOCK(_ic)	spin_lock(&(_ic)->ic_comlock)
+ #define IEEE80211_UNLOCK(_ic)	spin_unlock(&(_ic)->ic_comlock)
+ 
+-/* NB: beware, spin_is_locked() is unusable for !SMP */
+-#if defined(CONFIG_SMP)
++#if (defined(CONFIG_SMP) || defined(CONFIG_DEBUG_SPINLOCK)) && defined(spin_is_locked)
+ #define	IEEE80211_LOCK_ASSERT(_ic) \
+ 	KASSERT(spin_is_locked(&(_ic)->ic_comlock),("ieee80211com not locked!"))
+ #else
+ #define	IEEE80211_LOCK_ASSERT(_ic)
+ #endif
+ 
++
+ #define IEEE80211_VAPS_LOCK_INIT(_ic, _name)		\
+ 	spin_lock_init(&(_ic)->ic_vapslock)
+ #define IEEE80211_VAPS_LOCK_DESTROY(_ic)
+@@ -108,11 +114,10 @@
+ } while (0)
+ #define IEEE80211_VAPS_UNLOCK_IRQ_EARLY(_ic)	spin_unlock_irqrestore(&(_ic)->ic_vapslock, _vaps_lockflags)
+ 
+-
+-/* NB: beware, spin_is_locked() is unusable for !SMP */
+-#if defined(CONFIG_SMP)
++#if (defined(CONFIG_SMP) || defined(CONFIG_DEBUG_SPINLOCK)) && defined(spin_is_locked)
+ #define IEEE80211_VAPS_LOCK_ASSERT(_ic) \
+-	KASSERT(spin_is_locked(&(_ic)->ic_vapslock),("ieee80211com_vaps not locked!"))
++	KASSERT(spin_is_locked(&(_ic)->ic_vapslock), \
++		("ieee80211com_vaps not locked!"))
+ #else
+ #define IEEE80211_VAPS_LOCK_ASSERT(_ic)
+ #endif
+@@ -121,29 +126,63 @@
+ /*
+  * Node locking definitions.
+  */
++#if 0
++
+ typedef spinlock_t ieee80211_node_lock_t;
+-#define	IEEE80211_NODE_LOCK_INIT(_nt, _name)	spin_lock_init(&(_nt)->nt_nodelock)
+-#define	IEEE80211_NODE_LOCK_DESTROY(_nt)
+-#define	IEEE80211_NODE_LOCK(_nt)	spin_lock(&(_nt)->nt_nodelock)
+-#define	IEEE80211_NODE_UNLOCK(_nt)	spin_unlock(&(_nt)->nt_nodelock)
+-#define	IEEE80211_NODE_LOCK_BH(_nt)	spin_lock_bh(&(_nt)->nt_nodelock)
+-#define	IEEE80211_NODE_UNLOCK_BH(_nt)	spin_unlock_bh(&(_nt)->nt_nodelock)
+-#define	IEEE80211_NODE_LOCK_IRQ(_nt)	do {	\
++#define	IEEE80211_NODE_LOCK_INIT(_ni, _name)	spin_lock_init(&(_ni)->ni_nodelock)
++#define	IEEE80211_NODE_LOCK_DESTROY(_ni)
++#if 0	/* We should always be contesting in the same contexts */
++#define	IEEE80211_NODE_LOCK(_ni)	spin_lock(&(_ni)->ni_nodelock)
++#define	IEEE80211_NODE_UNLOCK(_ni)	spin_unlock(&(_ni)->ni_nodelock)
++#define	IEEE80211_NODE_LOCK_BH(_ni)	spin_lock_bh(&(_ni)->ni_nodelock)
++#define	IEEE80211_NODE_UNLOCK_BH(_ni)	spin_unlock_bh(&(_ni)->ni_nodelock)
++#endif
++#define	IEEE80211_NODE_LOCK_IRQ(_ni)	do {	\
++	unsigned long __node_lockflags;		\
++	spin_lock_irqsave(&(_ni)->ni_nodelock, __node_lockflags);
++#define	IEEE80211_NODE_UNLOCK_IRQ(_ni)		\
++	spin_unlock_irqrestore(&(_ni)->ni_nodelock, __node_lockflags); \
++} while(0)
++#define	IEEE80211_NODE_UNLOCK_IRQ_EARLY(_ni)		\
++	spin_unlock_irqrestore(&(_ni)->ni_nodelock, __node_lockflags);
++
++#if (defined(CONFIG_SMP) || defined(CONFIG_DEBUG_SPINLOCK)) && defined(spin_is_locked)
++#define	IEEE80211_NODE_LOCK_ASSERT(_nt) \
++	KASSERT(spin_is_locked(&(_ni)->ni_nodelock), \
++		("802.11 node not locked!"))
++#else
++#define	IEEE80211_NODE_LOCK_ASSERT(_ni)
++#endif
++
++#endif /* node lock */
++
++/*
++ * Node table locking definitions.
++ */
++typedef spinlock_t ieee80211_node_table_lock_t;
++#define	IEEE80211_NODE_TABLE_LOCK_INIT(_nt, _name)	spin_lock_init(&(_nt)->nt_nodelock)
++#define	IEEE80211_NODE_TABLE_LOCK_DESTROY(_nt)
++#if 0	/* We should always be contesting in the same contexts */
++#define	IEEE80211_NODE_TABLE_LOCK(_nt)	spin_lock(&(_nt)->nt_nodelock)
++#define	IEEE80211_NODE_TABLE_UNLOCK(_nt)	spin_unlock(&(_nt)->nt_nodelock)
++#define	IEEE80211_NODE_TABLE_LOCK_BH(_nt)	spin_lock_bh(&(_nt)->nt_nodelock)
++#define	IEEE80211_NODE_TABLE_UNLOCK_BH(_nt)	spin_unlock_bh(&(_nt)->nt_nodelock)
++#endif
++#define	IEEE80211_NODE_TABLE_LOCK_IRQ(_nt)	do {	\
+ 	unsigned long __node_lockflags;		\
+ 	spin_lock_irqsave(&(_nt)->nt_nodelock, __node_lockflags);
+-#define	IEEE80211_NODE_UNLOCK_IRQ(_nt)		\
++#define	IEEE80211_NODE_TABLE_UNLOCK_IRQ(_nt)		\
+ 	spin_unlock_irqrestore(&(_nt)->nt_nodelock, __node_lockflags); \
+ } while(0)
+-#define	IEEE80211_NODE_UNLOCK_IRQ_EARLY(_nt)		\
++#define	IEEE80211_NODE_TABLE_UNLOCK_IRQ_EARLY(_nt)		\
+ 	spin_unlock_irqrestore(&(_nt)->nt_nodelock, __node_lockflags);
+ 
+-/* NB: beware, *_is_locked() are bogusly defined for UP+!PREEMPT */
+-#if (defined(CONFIG_SMP) || defined(CONFIG_PREEMPT)) && defined(spinlock_is_locked)
+-#define	IEEE80211_NODE_LOCK_ASSERT(_nt) \
+-	KASSERT(spinlock_is_locked(&(_nt)->nt_nodelock), \
++#if (defined(CONFIG_SMP) || defined(CONFIG_DEBUG_SPINLOCK)) && defined(spin_is_locked)
++#define	IEEE80211_NODE_TABLE_LOCK_ASSERT(_nt) \
++	KASSERT(spin_is_locked(&(_nt)->nt_nodelock), \
+ 		("802.11 node table not locked!"))
+ #else
+-#define	IEEE80211_NODE_LOCK_ASSERT(_nt)
++#define	IEEE80211_NODE_TABLE_LOCK_ASSERT(_nt)
+ #endif
+ 
+ /*
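Review bot: In the new per-node block, `IEEE80211_NODE_LOCK_ASSERT(_nt)` takes `_nt` but its body uses `(_ni)->ni_nodelock`, so it will not compile once the surrounding `#if 0` is lifted; the definition should read `#define IEEE80211_NODE_LOCK_ASSERT(_ni) \`. Separately, every lock assertion in this header is now gated on `defined(spin_is_locked)`, which holds only where the kernel provides `spin_is_locked` as a macro. Where it is a function the assertions silently compile to nothing, which deserves a sentence in the new `/* Locking */` comment so nobody relies on them as a safety net.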
+@@ -163,8 +202,7 @@
+ #define	IEEE80211_SCAN_UNLOCK_IRQ_EARLY(_nt)		\
+ 	spin_unlock_irqrestore(&(_nt)->nt_scanlock, __scan_lockflags);
+ 
+-/* NB: beware, spin_is_locked() is unusable for !SMP */
+-#if defined(CONFIG_SMP)
++#if (defined(CONFIG_SMP) || defined(CONFIG_DEBUG_SPINLOCK)) && defined(spin_is_locked)
+ #define	IEEE80211_SCAN_LOCK_ASSERT(_nt) \
+ 	KASSERT(spin_is_locked(&(_nt)->nt_scanlock), ("scangen not locked!"))
+ #else
+@@ -182,8 +220,7 @@
+ #define	ACL_LOCK_BH(_as)		spin_lock_bh(&(_as)->as_lock)
+ #define	ACL_UNLOCK_BH(_as)		spin_unlock_bh(&(_as)->as_lock)
+ 
+-/* NB: beware, spin_is_locked() is unusable for !SMP */
+-#if defined(CONFIG_SMP)
++#if (defined(CONFIG_SMP) || defined(CONFIG_DEBUG_SPINLOCK)) && defined(spin_is_locked)
+ #define	ACL_LOCK_ASSERT(_as) \
+ 	KASSERT(spin_is_locked(&(_as)->as_lock), ("ACL not locked!"))
+ #else
+@@ -299,6 +336,7 @@
+  *				is the last reference, otherwise 0
+  * ieee80211_node_refcnt	reference count for printing (only)
+  */
++typedef atomic_t ieee80211_node_ref_count_t; 
+ #define ieee80211_node_initref(_ni)	atomic_set(&(_ni)->ni_refcnt, 1)
+ #define ieee80211_node_incref(_ni)	atomic_inc(&(_ni)->ni_refcnt)
+ #define	ieee80211_node_decref(_ni)	atomic_dec(&(_ni)->ni_refcnt)
+@@ -379,8 +417,8 @@
+ /* msecs_to_jiffies appeared in 2.6.7 and 2.4.29 */
+ #include <linux/delay.h>
+ #if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) && \
+-      LINUX_VERSION_CODE < KERNEL_VERSION(2,6,7)) || \
+-     LINUX_VERSION_CODE < KERNEL_VERSION(2,4,29)
++     LINUX_VERSION_CODE < KERNEL_VERSION(2,6,7)) || \
++    LINUX_VERSION_CODE < KERNEL_VERSION(2,4,29)
+ 
+ /* The following definitions and inline functions are
+  * copied from the kernel src, include/linux/jiffies.h */
+diff -ur madwifi.old/net80211/ieee80211_node.c madwifi.dev/net80211/ieee80211_node.c
+--- madwifi.old/net80211/ieee80211_node.c	2007-05-18 13:19:16.000000000 +0200
++++ madwifi.dev/net80211/ieee80211_node.c	2007-05-21 08:10:46.868753568 +0200
+@@ -65,16 +65,17 @@
+ #define	IEEE80211_AID_ISSET(_vap, _b) \
+ 	((_vap)->iv_aid_bitmap[IEEE80211_AID(_b) / 32] & (1 << (IEEE80211_AID(_b) % 32)))
+ 
++static struct ieee80211_node *ieee80211_alloc_node(struct ieee80211vap *, const u_int8_t *);
++
+ static int ieee80211_sta_join1(struct ieee80211_node *);
+ 
+-static struct ieee80211_node *node_alloc(struct ieee80211_node_table *,
+-	struct ieee80211vap *);
++static struct ieee80211_node *node_alloc(struct ieee80211vap *);
+ static void node_cleanup(struct ieee80211_node *);
+ static void node_free(struct ieee80211_node *);
+ static u_int8_t node_getrssi(const struct ieee80211_node *);
+ 
+-static void _ieee80211_free_node(struct ieee80211_node *);
+-static void node_reclaim(struct ieee80211_node_table *, struct ieee80211_node*);
++static void _node_table_leave(struct ieee80211_node_table *, struct ieee80211_node *);
++static void _node_table_join(struct ieee80211_node_table *, struct ieee80211_node *);
+ 
+ static void ieee80211_node_timeout(unsigned long);
+ 
+@@ -194,8 +195,7 @@
+ 
+ 	ieee80211_node_table_reset(&ic->ic_sta, vap);
+ 	if (vap->iv_bss != NULL) {
+-		ieee80211_free_node(vap->iv_bss);
+-		vap->iv_bss = NULL;
++		ieee80211_unref_node(&vap->iv_bss);
+ 	}
+ 	if (vap->iv_aid_bitmap != NULL) {
+ 		FREE(vap->iv_aid_bitmap, M_DEVBUF);
+@@ -250,6 +250,7 @@
+ 	nbss->ni_txpower = obss->ni_txpower;
+ 	nbss->ni_vlan = obss->ni_vlan;
+ 	nbss->ni_rsn = obss->ni_rsn;
++	nbss->ni_rates = obss->ni_rates;
+ 	/* XXX statistics? */
+ }
+ 
+@@ -263,17 +264,17 @@
+ 		"%s: creating ibss on channel %u\n", __func__,
+ 		ieee80211_chan2ieee(ic, chan));
+ 
+-	/* Check to see if we already have a node for this mac */
++	/* Check to see if we already have a node for this mac 
++	 * NB: we gain a node reference here
++	 */
+ 	ni = ieee80211_find_node(&ic->ic_sta, vap->iv_myaddr);
+ 	if (ni == NULL) {
+-		ni = ieee80211_alloc_node(&ic->ic_sta, vap, vap->iv_myaddr);
++		ni = ieee80211_alloc_node_table(vap, vap->iv_myaddr);
+ 		if (ni == NULL) {
+ 			/* XXX recovery? */
+ 			return;
+ 		}
+ 	}
+-	else
+-		ieee80211_free_node(ni);
+ 
+ 	IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE, "%s: %p<%s> refcnt %d\n",
+ 		__func__, vap->iv_bss, ether_sprintf(vap->iv_bss->ni_macaddr),
+@@ -339,7 +340,7 @@
+ 	else if (IEEE80211_IS_CHAN_QUARTER(chan))
+ 		ni->ni_rates = ic->ic_sup_quarter_rates;
+ 
+-	(void) ieee80211_sta_join1(ieee80211_ref_node(ni));
++	(void) ieee80211_sta_join1(PASS_NODE(ni));
+ }
+ EXPORT_SYMBOL(ieee80211_create_ibss);
+ 
+@@ -363,9 +364,10 @@
+ 	/* XXX multi-bss wrong */
+ 	ieee80211_reset_erp(ic, ic->ic_curmode);
+ 
+-	ni = ieee80211_alloc_node(&ic->ic_sta, vap, vap->iv_myaddr);
++	ni = ieee80211_alloc_node_table(vap, vap->iv_myaddr);
+ 	KASSERT(ni != NULL, ("unable to setup inital BSS node"));
+ 	obss = vap->iv_bss;
++	/* New reference for caller */
+ 	vap->iv_bss = ieee80211_ref_node(ni);
+ 
+ 	IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE, "%s: new bss %p<%s> refcnt %d\n",
+@@ -375,7 +377,8 @@
+ 	if (obss != NULL) {
+ 		copy_bss(ni, obss);
+ 		ni->ni_intval = ic->ic_lintval;
+-		ieee80211_free_node(obss);
++		/* Caller's reference */
++		ieee80211_unref_node(&obss);
+ 	}
+ }
+ 
+@@ -581,7 +584,7 @@
+ 		vap->iv_state == IEEE80211_S_RUN && ssid_equal(obss, selbs));
+ 	vap->iv_bss = selbs;
+ 	if (obss != NULL)
+-		ieee80211_free_node(obss);
++		ieee80211_unref_node(&obss);
+ 	ic->ic_bsschan = selbs->ni_chan;
+ 	ic->ic_curchan = ic->ic_bsschan;
+ 	ic->ic_curmode = ieee80211_chan2mode(ic->ic_curchan);
+@@ -638,21 +641,20 @@
+ 
+ 	ni = ieee80211_find_node(&ic->ic_sta, se->se_macaddr);
+ 	if (ni == NULL) {
+-		ni = ieee80211_alloc_node(&ic->ic_sta, vap, se->se_macaddr);
++		ni = ieee80211_alloc_node_table(vap, se->se_macaddr);
+ 		if (ni == NULL) {
+ 			IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE, 
+ 			"%s: Unable to allocate node for BSS: %s\n", __func__, 
+ 			ether_sprintf(ni->ni_macaddr));
+ 			return 0;
+ 		}
+-	} else
+-		ieee80211_free_node(ni);
++	}
+ 
+ 	/*
+ 	 * Expand scan state into node's format.
+ 	 * XXX may not need all this stuff
+ 	 */
+-	ni->ni_authmode = vap->iv_bss->ni_authmode;		/* inherit authmode from iv_bss */
++	ni->ni_authmode = vap->iv_bss->ni_authmode;	/* inherit authmode from iv_bss */
+ 	/* inherit the WPA setup as well (structure copy!) */
+ 	ni->ni_rsn = vap->iv_bss->ni_rsn; 
+ 	IEEE80211_ADDR_COPY(ni->ni_bssid, se->se_bssid);
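Review bot: In the `ni == NULL` branch that follows `ieee80211_alloc_node_table()`, the debug message still formats `ether_sprintf(ni->ni_macaddr)`, which dereferences the pointer just found to be NULL. Allocation failure is the path reached under memory pressure, so whenever the debug macro is compiled in, a recoverable error becomes a kernel oops. Print the address from the scan entry instead: `ether_sprintf(se->se_macaddr)`. The enclosing ieee80211_sta_join() starts before this hunk and continues after it.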
+@@ -686,9 +688,9 @@
+ 
+ 	IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE, 
+ 	"%s: %p<%s> refcnt %d\n", __func__, ni, ether_sprintf(ni->ni_macaddr), 
+-	ieee80211_node_refcnt(ni)+1);
++	ieee80211_node_refcnt(ni));
+ 
+-	return ieee80211_sta_join1(ieee80211_ref_node(ni));
++	return ieee80211_sta_join1(PASS_NODE(ni));
+ }
+ EXPORT_SYMBOL(ieee80211_sta_join);
+ 
+@@ -700,15 +702,13 @@
+ ieee80211_sta_leave(struct ieee80211_node *ni)
+ {
+ 	struct ieee80211vap *vap = ni->ni_vap;
+-	struct ieee80211com *ic = vap->iv_ic;
+ 
+ 	/* WDS/Repeater: Stop software beacon timer for STA */
+ 	if (vap->iv_opmode == IEEE80211_M_STA &&
+ 	    vap->iv_flags_ext & IEEE80211_FEXT_SWBMISS) {
+ 		del_timer(&vap->iv_swbmiss);
+ 	}
+-
+-	ic->ic_node_cleanup(ni);
++	
+ 	ieee80211_notify_node_leave(ni);
+ }
+ 
+@@ -717,11 +717,11 @@
+  */
+ 
+ static void
+-ieee80211_node_table_init(struct ieee80211com *ic,
+-	struct ieee80211_node_table *nt,	const char *name, int inact)
++ieee80211_node_table_init(struct ieee80211com *ic, struct ieee80211_node_table *nt,
++		const char *name, int inact)
+ {
+ 	nt->nt_ic = ic;
+-	IEEE80211_NODE_LOCK_INIT(nt, ic->ic_dev->name);
++	IEEE80211_NODE_TABLE_LOCK_INIT(nt, ic->ic_dev->name);
+ 	IEEE80211_SCAN_LOCK_INIT(nt, ic->ic_dev->name);
+ 	TAILQ_INIT(&nt->nt_node);
+ 	nt->nt_name = name;
+@@ -733,11 +733,31 @@
+ 	mod_timer(&nt->nt_wds_aging_timer, jiffies + HZ * WDS_AGING_TIMER_VAL);
+ }
+ 
++static __inline void _node_table_join(struct ieee80211_node_table *nt, struct ieee80211_node *ni) {
++	IEEE80211_NODE_TABLE_LOCK_ASSERT(nt);
++
++	ni->ni_table = nt;
++	TAILQ_INSERT_TAIL(&nt->nt_node, ieee80211_ref_node(ni), ni_list);
++	LIST_INSERT_HEAD(&nt->nt_hash[IEEE80211_NODE_HASH(ni->ni_macaddr)], ni, ni_hash);
++}
++
++static __inline void _node_table_leave(struct ieee80211_node_table *nt, struct ieee80211_node *ni) {
++	struct ieee80211_node *hni;
++	IEEE80211_NODE_TABLE_LOCK_ASSERT(nt);
++	
++	TAILQ_REMOVE(&nt->nt_node, ni, ni_list);
++	LIST_FOREACH(hni, &nt->nt_hash[IEEE80211_NODE_HASH(ni->ni_macaddr)], ni_hash) {
++		LIST_REMOVE(ni, ni_hash);
++	}
++	ni->ni_table = NULL;
++	_ieee80211_unref_node(ni);
++}
++
+ /* This is overridden by ath_node_alloc in ath/if_ath.c, and so
+- * should never get called
++ * should never get called.
+  */
+ static struct ieee80211_node *
+-node_alloc(struct ieee80211_node_table *nt, struct ieee80211vap *vap)
++node_alloc(struct ieee80211vap *vap)
+ {
+ 	struct ieee80211_node *ni;
+ 
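Review bot: `_node_table_leave()` runs `LIST_REMOVE(ni, ni_hash)` once per element of the hash bucket instead of once for `ni`, because the `LIST_FOREACH` body never looks at `hni` and it unlinks from the list it is walking. Neither that loop nor the `TAILQ_REMOVE` checks that `ni` is actually linked into `nt`, so a second call for the same node would unlink it again and drop a table reference that is no longer held. I would replace the loop with a membership guard and a single unlink: `if (ni->ni_table != nt) return;` followed by `LIST_REMOVE(ni, ni_hash);`. Both helpers would also benefit from a comment such as `/* The table owns one reference per linked node; caller holds the table lock. */`.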
+@@ -776,13 +796,6 @@
+ 			IEEE80211_UNLOCK_IRQ(ni->ni_ic);
+ 		}
+ 	}
+-	/*
+-	 * Clear AREF flag that marks the authorization refcnt bump
+-	 * has happened.  This is probably not needed as the node
+-	 * should always be removed from the table so not found but
+-	 * do it just in case.
+-	 */
+-	ni->ni_flags &= ~IEEE80211_NODE_AREF;
+ 
+ 	/*
+ 	 * Drain power save queue and, if needed, clear TIM.
+@@ -791,10 +804,7 @@
+ 		vap->iv_set_tim(ni, 0);
+ 
+ 	ni->ni_associd = 0;
+-	if (ni->ni_challenge != NULL) {
+-		FREE(ni->ni_challenge, M_DEVBUF);
+-		ni->ni_challenge = NULL;
+-	}
++	
+ 	/*
+ 	 * Preserve SSID, WPA, and WME ie's so the bss node is
+ 	 * reusable during a re-auth/re-assoc state transition.
+@@ -819,9 +829,16 @@
+ static void
+ node_free(struct ieee80211_node *ni)
+ {
++#if 0
++	/* We should 'cleanup' and then free'ing should be done automatically on decref */
+ 	struct ieee80211com *ic = ni->ni_ic;
+ 
+ 	ic->ic_node_cleanup(ni);
++#endif 
++	KASSERT(ieee80211_node_refcnt(ni) == 0, ("node being free whilst still referenced"));
++
++	if (ni->ni_challenge != NULL) 
++		FREE(ni->ni_challenge, M_DEVBUF);
+ 	if (ni->ni_wpa_ie != NULL)
+ 		FREE(ni->ni_wpa_ie, M_DEVBUF);
+ 	if (ni->ni_rsn_ie != NULL)
+@@ -831,6 +848,7 @@
+ 	if (ni->ni_ath_ie != NULL)
+ 		FREE(ni->ni_ath_ie, M_DEVBUF);
+ 	IEEE80211_NODE_SAVEQ_DESTROY(ni);
++	
+ 	FREE(ni, M_80211_NODE);
+ }
+ 
+@@ -847,55 +865,70 @@
+  * This interface is not intended for general use, it is
+  * used by the routines below to create entries with a
+  * specific purpose.
++ * Dont assume a BSS?
+  */
+ struct ieee80211_node *
+-ieee80211_alloc_node(struct ieee80211_node_table *nt,
+-	struct ieee80211vap *vap, const u_int8_t *macaddr)
++ieee80211_alloc_node_table(struct ieee80211vap *vap, 
++	const u_int8_t *macaddr)
+ {
+-	struct ieee80211com *ic = nt->nt_ic;
++	struct ieee80211com *ic = vap->iv_ic;
++	struct ieee80211_node_table *nt = &ic->ic_sta;
+ 	struct ieee80211_node *ni;
+-	int hash;
+ 
+-	ni = ic->ic_node_alloc(nt, vap);
+-	if (ni == NULL) {
+-		/* XXX msg */
+-		vap->iv_stats.is_rx_nodealloc++;
+-		return NULL;
+-	}
++	ni = ieee80211_alloc_node(vap, macaddr);
++	if (ni != NULL) {
++		ni->ni_inact = ni->ni_inact_reload = nt->nt_inact_init;
+ 
+-	IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE,
+-		"%s: %p<%s> in %s table, refcnt %d\n", __func__, ni,
+-		ether_sprintf(macaddr), nt->nt_name,
+-		ieee80211_node_refcnt(ni)+1);
++		WME_UAPSD_NODE_TRIGSEQINIT(ni);
++		IEEE80211_NODE_SAVEQ_INIT(ni, "unknown");
+ 
+-	IEEE80211_ADDR_COPY(ni->ni_macaddr, macaddr);
+-	hash = IEEE80211_NODE_HASH(macaddr);
+-	ieee80211_node_initref(ni);		/* mark referenced */
+-	ni->ni_chan = IEEE80211_CHAN_ANYC;
+-	ni->ni_authmode = IEEE80211_AUTH_OPEN;
+-	ni->ni_txpower = ic->ic_txpowlimit;	/* max power */
+-	ieee80211_crypto_resetkey(vap, &ni->ni_ucastkey, IEEE80211_KEYIX_NONE);
+-	ni->ni_inact_reload = nt->nt_inact_init;
+-	ni->ni_inact = ni->ni_inact_reload;
+-	ni->ni_ath_defkeyindex = IEEE80211_INVAL_DEFKEY;
+-	ni->ni_rxkeyoff = 0;
+-	IEEE80211_NODE_SAVEQ_INIT(ni, "unknown");
++		IEEE80211_NODE_TABLE_LOCK_IRQ(nt);
++		_node_table_join(nt, ni);
++		IEEE80211_NODE_TABLE_UNLOCK_IRQ(nt);
++	}
+ 
+-	IEEE80211_NODE_LOCK_IRQ(nt);
+-	ni->ni_vap = vap;
+-	ni->ni_ic = ic;
+-	ni->ni_table = nt;
+-	TAILQ_INSERT_TAIL(&nt->nt_node, ni, ni_list);
+-	LIST_INSERT_HEAD(&nt->nt_hash[hash], ni, ni_hash);
+-	ni->ni_rxfrag = NULL;
+-	ni->ni_challenge = NULL;
+-	IEEE80211_NODE_UNLOCK_IRQ(nt);
++	return ni;
++}
++EXPORT_SYMBOL(ieee80211_alloc_node_table);
++
++/* Allocate a node structure and initialise specialised structures
++ * This function does not add the node to the node table, thus this
++ * node will not be found using ieee80211_find_*node.
++ * This is useful when sending one off errors or request denials.
++ */
++static struct ieee80211_node *
++ieee80211_alloc_node(struct ieee80211vap *vap, const u_int8_t *macaddr)
++{
++	struct ieee80211com *ic = vap->iv_ic;
++	struct ieee80211_node *ni;
++	
++	/* This always allocates zeroed memoery */
++	ni = ic->ic_node_alloc(vap);
++	if (ni != NULL) {
++		IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE, 
++		"%s: %p<%s> refcnt %d\n", __func__, ni, ether_sprintf(macaddr), 
++		ieee80211_node_refcnt(ni)+1);
+ 
+-	WME_UAPSD_NODE_TRIGSEQINIT(ni);
++		ieee80211_node_initref(ni);		/* mark referenced */
++		
++		IEEE80211_ADDR_COPY(ni->ni_macaddr, macaddr);
++		
++		ni->ni_chan = IEEE80211_CHAN_ANYC;
++		ni->ni_authmode = IEEE80211_AUTH_OPEN;
++		ni->ni_txpower = ic->ic_txpowlimit;
++		
++		ieee80211_crypto_resetkey(vap, &ni->ni_ucastkey,
++			IEEE80211_KEYIX_NONE);
++		ni->ni_ath_defkeyindex = IEEE80211_INVAL_DEFKEY;
+ 
++		ni->ni_vap = vap;
++		ni->ni_ic = ic;
++	} else {
++		/* XXX msg */
++		vap->iv_stats.is_rx_nodealloc++;
++	}
+ 	return ni;
+ }
+-EXPORT_SYMBOL(ieee80211_alloc_node);
+ 
+ /* Add wds address to the node table */
+ int
+@@ -917,11 +950,11 @@
+ 		wds->wds_agingcount = WDS_AGING_COUNT;
+ 	hash = IEEE80211_NODE_HASH(macaddr);
+ 	IEEE80211_ADDR_COPY(wds->wds_macaddr, macaddr);
+-	ieee80211_ref_node(ni);		/* Reference node */
+-	wds->wds_ni = ni;
+-	IEEE80211_NODE_LOCK_IRQ(nt);
++	
++	IEEE80211_NODE_TABLE_LOCK_IRQ(nt);
++	wds->wds_ni = ieee80211_ref_node(ni);
+ 	LIST_INSERT_HEAD(&nt->nt_wds_hash[hash], wds, wds_hash);
+-	IEEE80211_NODE_UNLOCK_IRQ(nt);
++	IEEE80211_NODE_TABLE_UNLOCK_IRQ(nt);
+ 	return 0;
+ }
+ EXPORT_SYMBOL(ieee80211_add_wds_addr);
+@@ -934,22 +967,19 @@
+ 	struct ieee80211_wds_addr *wds, *twds;
+ 
+ 	hash = IEEE80211_NODE_HASH(macaddr);
+-	IEEE80211_NODE_LOCK_IRQ(nt);
++	IEEE80211_NODE_TABLE_LOCK_IRQ(nt);
+ 	LIST_FOREACH_SAFE(wds, &nt->nt_wds_hash[hash], wds_hash, twds) {
+ 		if (IEEE80211_ADDR_EQ(wds->wds_macaddr, macaddr)) {
+-			if (ieee80211_node_dectestref(wds->wds_ni)) {
+-				_ieee80211_free_node(wds->wds_ni);
+-				LIST_REMOVE(wds, wds_hash);
+-				FREE(wds, M_80211_WDS);
+-				break;
+-			}
++			LIST_REMOVE(wds, wds_hash);
++			ieee80211_unref_node(&wds->wds_ni);
++			FREE(wds, M_80211_WDS);
++			break;
+ 		}
+ 	}
+-	IEEE80211_NODE_UNLOCK_IRQ(nt);
++	IEEE80211_NODE_TABLE_UNLOCK_IRQ(nt);
+ }
+ EXPORT_SYMBOL(ieee80211_remove_wds_addr);
+ 
+-
+ /* Remove node references from wds table */
+ void
+ ieee80211_del_wds_node(struct ieee80211_node_table *nt, struct ieee80211_node *ni)
+@@ -957,19 +987,17 @@
+ 	int hash;
+ 	struct ieee80211_wds_addr *wds, *twds;
+ 
+-	IEEE80211_NODE_LOCK_IRQ(nt);
++	IEEE80211_NODE_TABLE_LOCK_IRQ(nt);
+ 	for (hash = 0; hash < IEEE80211_NODE_HASHSIZE; hash++) {
+ 		LIST_FOREACH_SAFE(wds, &nt->nt_wds_hash[hash], wds_hash, twds) {
+ 			if (wds->wds_ni == ni) {
+-				if (ieee80211_node_dectestref(ni)) {
+-					_ieee80211_free_node(ni);
+-					LIST_REMOVE(wds, wds_hash);
+-					FREE(wds, M_80211_WDS);
+-				}
++				LIST_REMOVE(wds, wds_hash);
++				ieee80211_unref_node(&wds->wds_ni);
++				FREE(wds, M_80211_WDS);
+ 			}
+ 		}
+ 	}
+-	IEEE80211_NODE_UNLOCK_IRQ(nt);
++	IEEE80211_NODE_TABLE_UNLOCK_IRQ(nt);
+ }
+ EXPORT_SYMBOL(ieee80211_del_wds_node);
+ 
+@@ -980,88 +1008,46 @@
+ 	int hash;
+ 	struct ieee80211_wds_addr *wds, *twds;
+ 
+-	IEEE80211_NODE_LOCK_IRQ(nt);
++	IEEE80211_NODE_TABLE_LOCK_IRQ(nt);
+ 	for (hash = 0; hash < IEEE80211_NODE_HASHSIZE; hash++) {
+ 		LIST_FOREACH_SAFE(wds, &nt->nt_wds_hash[hash], wds_hash, twds) {
+ 			if (wds->wds_agingcount != WDS_AGING_STATIC) {
+ 				if (!wds->wds_agingcount) {
+-					if (ieee80211_node_dectestref(wds->wds_ni)) {
+-						_ieee80211_free_node(wds->wds_ni);  
+-						LIST_REMOVE(wds, wds_hash);
+-						FREE(wds, M_80211_WDS);
+-					}
++					LIST_REMOVE(wds, wds_hash);
++					ieee80211_unref_node(&wds->wds_ni);  
++					FREE(wds, M_80211_WDS);
+ 				} else
+ 					wds->wds_agingcount--;
+ 			}
+ 		}
+ 	}
+-	IEEE80211_NODE_UNLOCK_IRQ(nt);
++	IEEE80211_NODE_TABLE_UNLOCK_IRQ(nt);
+ 	mod_timer(&nt->nt_wds_aging_timer, jiffies + HZ * WDS_AGING_TIMER_VAL);
+ }
+ 
+ 
+ /*
+- * Craft a temporary node suitable for sending a management frame
+- * to the specified station.  We craft only as much state as we
+- * need to do the work since the node will be immediately reclaimed
+- * once the send completes.
+- */
+-struct ieee80211_node *
+-ieee80211_tmp_node(struct ieee80211vap *vap, const u_int8_t *macaddr)
+-{
+-	struct ieee80211com *ic = vap->iv_ic;
+-	struct ieee80211_node *ni;
+-
+-	ni = ic->ic_node_alloc(&ic->ic_sta,vap);
+-	if (ni != NULL) {
+-		IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE, 
+-		"%s: %p<%s> refcnt %d\n", __func__, ni, ether_sprintf(macaddr), 
+-		ieee80211_node_refcnt(ni)+1);
+-
+-		IEEE80211_ADDR_COPY(ni->ni_macaddr, macaddr);
+-		IEEE80211_ADDR_COPY(ni->ni_bssid, vap->iv_bss->ni_bssid);
+-		ieee80211_node_initref(ni);		/* mark referenced */
+-		ni->ni_txpower = vap->iv_bss->ni_txpower;
+-		ni->ni_vap = vap;
+-		/* NB: required by ieee80211_fix_rate */
+-		ieee80211_node_set_chan(ic, ni);
+-		ieee80211_crypto_resetkey(vap, &ni->ni_ucastkey,
+-			IEEE80211_KEYIX_NONE);
+-		/* XXX optimize away */
+-		IEEE80211_NODE_SAVEQ_INIT(ni, "unknown");
+-
+-		ni->ni_table = NULL;		/* NB: pedantic */
+-		ni->ni_ic = ic;
+-		ni->ni_rxfrag = NULL;
+-		ni->ni_challenge = NULL;
+-	} else {
+-		/* XXX msg */
+-		vap->iv_stats.is_rx_nodealloc++;
+-	}
+-	return ni;
+-}
+-
+-/*
+  * Add the specified station to the station table.
+  */
+ struct ieee80211_node *
+-ieee80211_dup_bss(struct ieee80211vap *vap, const u_int8_t *macaddr)
++ieee80211_dup_bss(struct ieee80211vap *vap, const u_int8_t *macaddr, 
++		unsigned char tmp)
+ {
+-	struct ieee80211com *ic = vap->iv_ic;
+ 	struct ieee80211_node *ni;
++	
++	/* FIXME: Hack */
++	if (tmp)
++		ni = ieee80211_alloc_node(vap, macaddr);
++	else
++		ni = ieee80211_alloc_node_table(vap, macaddr);
+ 
+-	ni = ieee80211_alloc_node(&ic->ic_sta, vap, macaddr);
+ 	if (ni != NULL) {
+-		/*
+-		 * Inherit from iv_bss.
+-		 */
+-		ni->ni_authmode = vap->iv_bss->ni_authmode;
+-		ni->ni_txpower = vap->iv_bss->ni_txpower;
+-		ni->ni_vlan = vap->iv_bss->ni_vlan;	/* XXX?? */
++		copy_bss(ni, vap->iv_bss);
+ 		IEEE80211_ADDR_COPY(ni->ni_bssid, vap->iv_bss->ni_bssid);
+-		ieee80211_node_set_chan(ic, ni);
+-		ni->ni_rsn = vap->iv_bss->ni_rsn;
+-		ni->ni_rxfrag = NULL;
++		/* Do this only for nodes that already have a BSS. Otherwise
++		 * ic_bsschan is not set and we get a KASSERT failure.
++		 * Required by ieee80211_fix_rate */
++		ieee80211_node_set_chan(vap->iv_ic, ni);
+ 	}
+ 	return ni;
+ }
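Review bot: The comment added in `ieee80211_dup_bss()` says the channel is set "only for nodes that already have a BSS", yet `ieee80211_node_set_chan(vap->iv_ic, ni)` is called unconditionally and `copy_bss(ni, vap->iv_bss)` above it dereferences `vap->iv_bss` without a check. Either add the condition the comment describes or reword the comment so that it does not promise a guard that is absent. The new `tmp` parameter is marked only `/* FIXME: Hack */`; a line such as `/* tmp != 0: the node is not entered in the station table, so the caller holds the only reference */` would tell callers what they own. This hunk begins inside the WDS aging routine, whose start is outside it.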
+@@ -1069,19 +1055,16 @@
+ static struct ieee80211_node *
+ _ieee80211_find_wds_node(struct ieee80211_node_table *nt, const u_int8_t *macaddr)
+ {
+-	struct ieee80211_node *ni;
+ 	struct ieee80211_wds_addr *wds;
+ 	int hash;
+-	IEEE80211_NODE_LOCK_ASSERT(nt);
++	IEEE80211_NODE_TABLE_LOCK_ASSERT(nt);
+ 
+ 	hash = IEEE80211_NODE_HASH(macaddr);
+ 	LIST_FOREACH(wds, &nt->nt_wds_hash[hash], wds_hash) {
+ 		if (IEEE80211_ADDR_EQ(wds->wds_macaddr, macaddr)) {
+-			ni = wds->wds_ni;
+ 			if (wds->wds_agingcount != WDS_AGING_STATIC)
+ 				wds->wds_agingcount = WDS_AGING_COUNT; /* reset the aging count */
+-			ieee80211_ref_node(ni);
+-			return ni;
++			return ieee80211_ref_node(wds->wds_ni);
+ 		}
+ 	}
+ 	return NULL;
+@@ -1099,7 +1082,7 @@
+ 	int hash;
+ 	struct ieee80211_wds_addr *wds;
+ 
+-	IEEE80211_NODE_LOCK_ASSERT(nt);
++	IEEE80211_NODE_TABLE_LOCK_ASSERT(nt);
+ 
+ 	hash = IEEE80211_NODE_HASH(macaddr);
+ 	LIST_FOREACH(ni, &nt->nt_hash[hash], ni_hash) {
+@@ -1120,9 +1103,7 @@
+ 	   nodes. */
+ 	LIST_FOREACH(wds, &nt->nt_wds_hash[hash], wds_hash) {
+ 		if (IEEE80211_ADDR_EQ(wds->wds_macaddr, macaddr)) {
+-			ni = wds->wds_ni;
+-			ieee80211_ref_node(ni);
+-			return ni;
++			return ieee80211_ref_node(wds->wds_ni);
+ 		}
+ 	}
+ 	return NULL;
+@@ -1137,9 +1118,9 @@
+ {
+ 	struct ieee80211_node *ni;
+ 
+-	IEEE80211_NODE_LOCK_IRQ(nt);
++	IEEE80211_NODE_TABLE_LOCK_IRQ(nt);
+ 	ni = _ieee80211_find_wds_node(nt, macaddr);
+-	IEEE80211_NODE_UNLOCK_IRQ(nt);
++	IEEE80211_NODE_TABLE_UNLOCK_IRQ(nt);
+ 	return ni;
+ }
+ EXPORT_SYMBOL(ieee80211_find_wds_node);
+@@ -1154,9 +1135,9 @@
+ {
+ 	struct ieee80211_node *ni;
+ 
+-	IEEE80211_NODE_LOCK_IRQ(nt);
++	IEEE80211_NODE_TABLE_LOCK_IRQ(nt);
+ 	ni = _ieee80211_find_node(nt, macaddr);
+-	IEEE80211_NODE_UNLOCK_IRQ(nt);
++	IEEE80211_NODE_TABLE_UNLOCK_IRQ(nt);
+ 	return ni;
+ }
+ #ifdef IEEE80211_DEBUG_REFCNT
+@@ -1179,7 +1160,7 @@
+ {
+ 	struct ieee80211_node *ni;
+ 
+-	ni = ieee80211_dup_bss(vap, macaddr);
++	ni = ieee80211_dup_bss(vap, macaddr, 0);
+ 	if (ni != NULL) {
+ 		/* XXX no rate negotiation; just dup */
+ 		ni->ni_rates = vap->iv_bss->ni_rates;
+@@ -1202,14 +1183,13 @@
+  * driver has an opportunity to setup it's private state.
+  */
+ struct ieee80211_node *
+-ieee80211_add_neighbor(struct ieee80211vap *vap,	const struct ieee80211_frame *wh,
++ieee80211_add_neighbor(struct ieee80211vap *vap, const struct ieee80211_frame *wh,
+ 	const struct ieee80211_scanparams *sp)
+ {
+ 	struct ieee80211com *ic = vap->iv_ic;
+ 	struct ieee80211_node *ni;
+ 
+-	ni = ieee80211_dup_bss(vap, wh->i_addr2);	/* XXX alloc_node? */
+-	/* TODO: not really putting itself in a table */
++	ni = ieee80211_dup_bss(vap, wh->i_addr2, 1);
+ 	if (ni != NULL) {
+ 		ni->ni_esslen = sp->ssid[1];
+ 		memcpy(ni->ni_essid, sp->ssid + 2, sp->ssid[1]);
+@@ -1284,12 +1264,12 @@
+ 	/* XXX check ic_bss first in station mode */
+ 	/* XXX 4-address frames? */
+ 	nt = &ic->ic_sta;
+-	IEEE80211_NODE_LOCK_IRQ(nt);
++	IEEE80211_NODE_TABLE_LOCK_IRQ(nt);
+ 	if (IS_CTL(wh) && !IS_PSPOLL(wh) /*&& !IS_RTS(ah)*/)
+ 		ni = _ieee80211_find_node(nt, wh->i_addr1);
+ 	else
+ 		ni = _ieee80211_find_node(nt, wh->i_addr2);
+-	IEEE80211_NODE_UNLOCK_IRQ(nt);
++	IEEE80211_NODE_TABLE_UNLOCK_IRQ(nt);
+ 
+ 	return ni;
+ #undef IS_PSPOLL
+@@ -1326,9 +1306,9 @@
+ 
+ 	/* XXX can't hold lock across dup_bss due to recursive locking */
+ 	nt = &vap->iv_ic->ic_sta;
+-	IEEE80211_NODE_LOCK_IRQ(nt);
++	IEEE80211_NODE_TABLE_LOCK_IRQ(nt);
+ 	ni = _ieee80211_find_node(nt, mac);
+-	IEEE80211_NODE_UNLOCK_IRQ(nt);
++	IEEE80211_NODE_TABLE_UNLOCK_IRQ(nt);
+ 
+ 	if (ni == NULL) {
+ 		if (vap->iv_opmode == IEEE80211_M_IBSS ||
+@@ -1355,11 +1335,9 @@
+ EXPORT_SYMBOL(ieee80211_find_txnode);
+ #endif
+ 
+-/* Caller must lock the IEEE80211_NODE_LOCK
+- *
+- * Context: hwIRQ, softIRQ and process context
++/* Context: hwIRQ, softIRQ and process context
+  */
+-static void
++void
+ _ieee80211_free_node(struct ieee80211_node *ni)
+ {
+ 	struct ieee80211vap *vap = ni->ni_vap;
+@@ -1373,117 +1351,36 @@
+ 
+ 	if (vap->iv_aid_bitmap != NULL)
+ 		IEEE80211_AID_CLR(vap, ni->ni_associd);
+-	if (nt != NULL) {
+-		TAILQ_REMOVE(&nt->nt_node, ni, ni_list);
+-		LIST_REMOVE(ni, ni_hash);
+-	}
++
+ 	vap->iv_ic->ic_node_free(ni);
+ }
++EXPORT_SYMBOL(_ieee80211_free_node);
+ 
+-void
+-#ifdef IEEE80211_DEBUG_REFCNT
+-ieee80211_free_node_debug(struct ieee80211_node *ni, const char *func, int line)
+-#else
+-ieee80211_free_node(struct ieee80211_node *ni)
+-#endif
++static void _reset_node(void *arg, struct ieee80211_node *ni)
+ {
+-	struct ieee80211_node_table *nt = ni->ni_table;
+-	struct ieee80211com *ic = ni->ni_ic;
++	if (ni->ni_associd != 0) {
++		struct ieee80211vap *vap = ni->ni_vap;
+ 
+-#ifdef IEEE80211_DEBUG_REFCNT
+-	IEEE80211_DPRINTF(ni->ni_vap, IEEE80211_MSG_NODE,
+-		"%s (%s:%u) %p<%s> refcnt %d\n", __func__, func, line, ni,
+-		 ether_sprintf(ni->ni_macaddr), ieee80211_node_refcnt(ni) - 1);
+-#endif
+-	/*
+-	 * XXX: may need to lock out the following race. we dectestref
+-	 *      and determine it's time to free the node. between the if()
+-	 *      and lock, we take an rx intr to receive a frame from this
+-	 *      node. the rx path (tasklet or intr) bumps this node's
+-	 *      refcnt and xmits a response frame. eventually that response
+-	 *      will get reaped, and the reaping code will attempt to use
+-	 *      the node. the code below will delete the node prior
+-	 *      to the reap and we could get a crash.
+-	 *
+-	 *      as a stopgap before delving deeper, lock intrs to
+-	 *      prevent this case.
+-	 */
+-	IEEE80211_LOCK_IRQ(ic);
+-	if (ieee80211_node_dectestref(ni)) {
+-		/*
+-		 * Beware; if the node is marked gone then it's already
+-		 * been removed from the table and we cannot assume the
+-		 * table still exists.  Regardless, there's no need to lock
+-		 * the table.
+-		 */
+-		if (ni->ni_table != NULL) {
+-			IEEE80211_NODE_LOCK(nt);
+-			_ieee80211_free_node(ni);
+-			IEEE80211_NODE_UNLOCK(nt);
+-		} else
+-			_ieee80211_free_node(ni);
++		if (vap->iv_auth->ia_node_leave != NULL)
++			vap->iv_auth->ia_node_leave(ni);
++		if (vap->iv_aid_bitmap != NULL)
++			IEEE80211_AID_CLR(vap, ni->ni_associd);
+ 	}
+-	IEEE80211_UNLOCK_IRQ(ic);
+-}
+-#ifdef IEEE80211_DEBUG_REFCNT
+-EXPORT_SYMBOL(ieee80211_free_node_debug);
+-#else
+-EXPORT_SYMBOL(ieee80211_free_node);
+-#endif
+-
+-/*
+- * Reclaim a node.  If this is the last reference count then
+- * do the normal free work.  Otherwise remove it from the node
+- * table and mark it gone by clearing the back-reference.
+- */
+-static void
+-node_reclaim(struct ieee80211_node_table *nt, struct ieee80211_node *ni)
+-{
+ 
+-	IEEE80211_DPRINTF(ni->ni_vap, IEEE80211_MSG_NODE,
+-		"%s: remove %p<%s> from %s table, refcnt %d\n",
+-		__func__, ni, ether_sprintf(ni->ni_macaddr),
+-		nt->nt_name, ieee80211_node_refcnt(ni)-1);
+-	if (!ieee80211_node_dectestref(ni)) {
+-		/*
+-		 * Other references are present, just remove the
+-		 * node from the table so it cannot be found.  When
+-		 * the references are dropped storage will be
+-		 * reclaimed.  This normally only happens for ic_bss.
+-		 */
+-		TAILQ_REMOVE(&nt->nt_node, ni, ni_list);
+-		LIST_REMOVE(ni, ni_hash);
+-		ni->ni_table = NULL;		/* clear reference */
+-	} else
+-		_ieee80211_free_node(ni);
++	ieee80211_node_leave(ni);
+ }
+ 
+ static void
+ ieee80211_node_table_reset(struct ieee80211_node_table *nt,
+-	struct ieee80211vap *match)
++	struct ieee80211vap *vap)
+ {
+-	struct ieee80211_node *ni, *next;
+-
+-	IEEE80211_NODE_LOCK_IRQ(nt);
+-	TAILQ_FOREACH_SAFE(ni, &nt->nt_node, ni_list, next) {
+-		if (match != NULL && ni->ni_vap != match)
+-			continue;
+-		if (ni->ni_associd != 0) {
+-			struct ieee80211vap *vap = ni->ni_vap;
+-
+-			if (vap->iv_auth->ia_node_leave != NULL)
+-				vap->iv_auth->ia_node_leave(ni);
+-			if (vap->iv_aid_bitmap != NULL)
+-				IEEE80211_AID_CLR(vap, ni->ni_associd);
+-		}
+-		node_reclaim(nt, ni);
+-	}
+-	IEEE80211_NODE_UNLOCK_IRQ(nt);
++	ieee80211_iterate_dev_nodes(vap->iv_dev, nt, _reset_node, NULL);
+ }
+ 
+ static void
+ ieee80211_node_table_cleanup(struct ieee80211_node_table *nt)
+ {
++	struct ieee80211com *ic = nt->nt_ic;
+ 	struct ieee80211_node *ni, *next;
+ 
+ 	TAILQ_FOREACH_SAFE(ni, &nt->nt_node, ni_list, next) {
+@@ -1495,11 +1392,11 @@
+ 			if (vap->iv_aid_bitmap != NULL)
+ 				IEEE80211_AID_CLR(vap, ni->ni_associd);
+ 		}
+-		node_reclaim(nt, ni);
++		ic->ic_node_cleanup(ni);
+ 	}
+ 	del_timer(&nt->nt_wds_aging_timer);
+ 	IEEE80211_SCAN_LOCK_DESTROY(nt);
+-	IEEE80211_NODE_LOCK_DESTROY(nt);
++	IEEE80211_NODE_TABLE_LOCK_DESTROY(nt);
+ }
+ 
+ /*
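Review bot: `ieee80211_node_table_cleanup()` now calls `ic->ic_node_cleanup(ni)` where it used to call `node_reclaim(nt, ni)`, so nothing in this loop unlinks the node from `nt_node`/`nt_hash` or releases the reference that `_node_table_join()` took for the table. If any node is still linked at teardown, it appears to be leaked with `ni_table` pointing at a table whose lock has just been destroyed; this hunk does not show whether the table is always empty here. Consider unlinking each node with `_node_table_leave(nt, ni)` under the table lock, or add a comment stating that callers must empty the table first. The loop header and the `ic` declaration are in the preceding hunk.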
+@@ -1527,19 +1424,22 @@
+ 	IEEE80211_SCAN_LOCK_IRQ(nt); 
+ 	gen = ++nt->nt_scangen;
+ restart:
+-	IEEE80211_NODE_LOCK_IRQ(nt);
++	IEEE80211_NODE_TABLE_LOCK_IRQ(nt);
+ 	TAILQ_FOREACH(ni, &nt->nt_node, ni_list) {
+ 		if (ni->ni_scangen == gen)	/* previously handled */
+ 			continue;
++		/* Temporary entries should no longer be in the node table */
+ 		/*
+ 		 * Ignore entries for which have yet to receive an
+ 		 * authentication frame.  These are transient and
+ 		 * will be reclaimed when the last reference to them
+ 		 * goes away (when frame xmits complete).
+ 		 */
+-		if (ic->ic_opmode == IEEE80211_M_HOSTAP &&
+-		    (ni->ni_flags & IEEE80211_NODE_AREF) == 0)
+-			continue;
++		/*
++		 *if (ic->ic_opmode == IEEE80211_M_HOSTAP &&
++		 *   (ni->ni_flags & IEEE80211_NODE_AREF) == 0)
++		 *	continue;
++		 */
+ 		ni->ni_scangen = gen;
+ 		/*
+ 		 * Free fragment if not needed anymore
+@@ -1591,7 +1491,7 @@
+ 				 * ref for us as needed.
+ 				 */
+ 				ieee80211_ref_node(ni);
+-				IEEE80211_NODE_UNLOCK_IRQ_EARLY(nt);
++				IEEE80211_NODE_TABLE_UNLOCK_IRQ_EARLY(nt);
+ 				ieee80211_send_nulldata(ni);
+ 				/* XXX stat? */
+ 				goto restart;
+@@ -1614,18 +1514,18 @@
+ 			 */
+ 			ni->ni_vap->iv_stats.is_node_timeout++;
+ 			ieee80211_ref_node(ni);
+-			IEEE80211_NODE_UNLOCK_IRQ_EARLY(nt);
++			IEEE80211_NODE_TABLE_UNLOCK_IRQ_EARLY(nt);
+ 			if (ni->ni_associd != 0) {
+ 				IEEE80211_SEND_MGMT(ni,
+ 					IEEE80211_FC0_SUBTYPE_DEAUTH,
+ 					IEEE80211_REASON_AUTH_EXPIRE);
+ 			}
+ 			ieee80211_node_leave(ni);
+-			ieee80211_free_node(ni);
++			ieee80211_unref_node(&ni);
+ 			goto restart;
+ 		}
+ 	}
+-	IEEE80211_NODE_UNLOCK_IRQ(nt);
++	IEEE80211_NODE_TABLE_UNLOCK_IRQ(nt);
+ 
+ 	IEEE80211_SCAN_UNLOCK_IRQ(nt);
+ }
+@@ -1660,21 +1560,23 @@
+ 
+ 	IEEE80211_SCAN_LOCK_IRQ(nt);
+ 	gen = ++nt->nt_scangen;
++	
+ restart:
+-	IEEE80211_NODE_LOCK(nt);
++	IEEE80211_NODE_TABLE_LOCK_IRQ(nt);
+ 	TAILQ_FOREACH(ni, &nt->nt_node, ni_list) {
+ 		if (dev != NULL && ni->ni_vap->iv_dev != dev) 
+ 			continue;  /* skip node not for this vap */
+ 		if (ni->ni_scangen != gen) {
+ 			ni->ni_scangen = gen;
+ 			(void) ieee80211_ref_node(ni);
+-			IEEE80211_NODE_UNLOCK(nt);
++			IEEE80211_NODE_TABLE_UNLOCK_IRQ_EARLY(nt);
+ 			(*f)(arg, ni);
+-			ieee80211_free_node(ni);
++			
++			ieee80211_unref_node(&ni);
+ 			goto restart;
+ 		}
+ 	}
+-	IEEE80211_NODE_UNLOCK(nt);
++	IEEE80211_NODE_TABLE_UNLOCK_IRQ(nt);
+ 
+ 	IEEE80211_SCAN_UNLOCK_IRQ(nt);
+ }
+@@ -1948,9 +1850,20 @@
+ 		"station with aid %d leaves (refcnt %u)",
+ 		IEEE80211_NODE_AID(ni), ieee80211_node_refcnt(ni));
+ 
++	/* From this point onwards we can no longer find the node,
++	 * so no more references are generated
++	 */
++	ieee80211_remove_wds_addr(nt, ni->ni_macaddr);
++	ieee80211_del_wds_node(nt, ni);
++	IEEE80211_NODE_TABLE_LOCK_IRQ(nt);
++	_node_table_leave(nt, ni);
++	IEEE80211_NODE_TABLE_UNLOCK_IRQ(nt);
++
+ 	/*
+ 	 * If node wasn't previously associated all
+ 	 * we need to do is reclaim the reference.
++	 * This also goes for nodes that are auth'ed but
++	 * not associated.
+ 	 */
+ 	/* XXX ibss mode bypasses 11g and notification */
+ 	if (ni->ni_associd == 0)
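Review bot: The table removal added at the top of `ieee80211_node_leave()` uses `nt` unconditionally, whereas the code this commit removes from the `done:` label guarded the same work with `if (nt != NULL)`. Nodes created through `ieee80211_alloc_node()` alone, for example by `ieee80211_dup_bss(vap, mac, 1)`, are never joined to a table. If `nt` is taken from `ni->ni_table` (its assignment is outside this hunk), the lock macro and `_node_table_leave()` would dereference NULL for such a node. I would keep the guard, wrapping the two WDS calls and the locked `_node_table_leave(nt, ni);` in `if (nt != NULL) { ... }`.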
+@@ -1968,9 +1881,11 @@
+ 	IEEE80211_LOCK_IRQ(ic);
+ 	if (vap->iv_aid_bitmap != NULL)
+ 		IEEE80211_AID_CLR(vap, ni->ni_associd);
++
+ 	ni->ni_associd = 0;
+ 	vap->iv_sta_assoc--;
+ 	ic->ic_sta_assoc--;
++
+ #ifdef ATH_SUPERG_XR
+ 	if (ni->ni_vap->iv_flags & IEEE80211_F_XR)
+ 		ic->ic_xr_sta_assoc--;
+@@ -1981,6 +1896,7 @@
+ 	if (IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan))
+ 		ieee80211_node_leave_11g(ni);
+ 	IEEE80211_UNLOCK_IRQ(ic);
++
+ 	/*
+ 	 * Cleanup station state.  In particular clear various
+ 	 * state that might otherwise be reused if the node
+@@ -1990,19 +1906,10 @@
+ 	ieee80211_sta_leave(ni);
+ done:
+ 	/*
+-	 * Remove the node from any table it's recorded in and
+-	 * drop the caller's reference.  Removal from the table
+-	 * is important to ensure the node is not reprocessed
+-	 * for inactivity.
+-	 */
+-	if (nt != NULL) {
+-		IEEE80211_NODE_LOCK_IRQ(nt);
+-		node_reclaim(nt, ni);
+-		IEEE80211_NODE_UNLOCK_IRQ(nt);
+-		ieee80211_remove_wds_addr(nt,ni->ni_macaddr);
+-		ieee80211_del_wds_node(nt,ni);
+-	} else
+-		ieee80211_free_node(ni);
++	 * Run a cleanup and then drop the caller's reference
++	 */
++	ic->ic_node_cleanup(ni);
++	ieee80211_unref_node(&ni);
+ }
+ EXPORT_SYMBOL(ieee80211_node_leave);
+ 
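Review bot: With the `ieee80211_unref_node(&ni)` added at `done:`, `ieee80211_node_leave()` releases two references per call, the table's via `_node_table_leave()` and the caller's, where the removed code released one through `node_reclaim()`. The inactivity scan takes a single reference, calls `ieee80211_node_leave(ni)` and then does its own `ieee80211_unref_node(&ni)`, and `_reset_node()` is driven by the iterator in the same shape. Unless some other holder keeps the node alive, that final unref would operate on memory that has already been freed. Please confirm the count for both callers and state the contract on the function, e.g. `/* Consumes one caller reference in addition to the table's reference. */`; if callers are meant to keep their own reference, the unref here should be dropped.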
+@@ -2062,25 +1969,8 @@
+ void
+ ieee80211_node_reset(struct ieee80211_node *ni, struct ieee80211vap *vap)
+ {
+-	if (ni != NULL) {
+-		struct ieee80211_node_table *nt = ni->ni_table;
+-		if (!nt)
+-			nt = &vap->iv_ic->ic_sta;
+-		IEEE80211_ADDR_COPY(ni->ni_bssid, vap->iv_bss->ni_bssid);
+-		ni->ni_prev_vap = ni->ni_vap;
+-		ni->ni_vap = vap;
+-		ni->ni_ic = vap->iv_ic;
+-		/* 
+-		 * if node not found in the node table
+-		 * add it to the node table .
+-		 */
+-		if(nt && ieee80211_find_node(nt, ni->ni_macaddr) != ni) {
+-			int hash = IEEE80211_NODE_HASH(ni->ni_macaddr);
+-			IEEE80211_NODE_LOCK_IRQ(nt);
+-			TAILQ_INSERT_TAIL(&nt->nt_node, ni, ni_list);
+-			LIST_INSERT_HEAD(&nt->nt_hash[hash], ni, ni_hash);
+-			ni->ni_table = nt;
+-			IEEE80211_NODE_UNLOCK_IRQ(nt);
+-		}
+-	}
++	IEEE80211_ADDR_COPY(ni->ni_bssid, vap->iv_bss->ni_bssid);
++	ni->ni_prev_vap = ni->ni_vap;
++	ni->ni_vap = vap;
++	ni->ni_ic = vap->iv_ic;
+ }
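Review bot: `ieee80211_node_reset()` loses its `if (ni != NULL)` guard and now dereferences `ni` in its first statement. The callers are outside this section, so it is unclear whether any of them can still pass NULL. If NULL is now forbidden, make that explicit with `KASSERT(ni != NULL, ("node_reset called with NULL node"));`, otherwise keep an early `if (ni == NULL) return;`. The function also no longer re-inserts the node into the station table, which its header comment should mention so callers do not rely on the old behaviour.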
+diff -ur madwifi.old/net80211/ieee80211_node.h madwifi.dev/net80211/ieee80211_node.h
+--- madwifi.old/net80211/ieee80211_node.h	2007-03-06 11:59:28.000000000 +0100
++++ madwifi.dev/net80211/ieee80211_node.h	2007-05-21 08:10:46.869753416 +0200
+@@ -52,14 +52,14 @@
+  * authorized.  The latter timeout is shorter to more aggressively
+  * reclaim nodes that leave part way through the 802.1x exchange.
+  */
+-#define	IEEE80211_INACT_WAIT	15		/* inactivity interval (secs) */
++#define	IEEE80211_INACT_WAIT	15				/* inactivity interval (secs) */
+ #define	IEEE80211_INACT_INIT	(30/IEEE80211_INACT_WAIT)	/* initial */
+ #define	IEEE80211_INACT_AUTH	(180/IEEE80211_INACT_WAIT)	/* associated but not authorized */
+ #define	IEEE80211_INACT_RUN	(300/IEEE80211_INACT_WAIT)	/* authorized */
+ #define	IEEE80211_INACT_PROBE	(30/IEEE80211_INACT_WAIT)	/* probe */
+ #define	IEEE80211_INACT_SCAN	(300/IEEE80211_INACT_WAIT)	/* scanned */
+ 
+-#define	IEEE80211_TRANS_WAIT 	5		/* mgt frame tx timer (secs) */
++#define	IEEE80211_TRANS_WAIT 	5				/* mgt frame tx timer (secs) */
+ 
+ #define	IEEE80211_NODE_HASHSIZE	32
+ /* simple hash is enough for variation of macaddr */
+@@ -94,7 +94,8 @@
+ 	struct ieee80211_node_table *ni_table;
+ 	TAILQ_ENTRY(ieee80211_node) ni_list;
+ 	LIST_ENTRY(ieee80211_node) ni_hash;
+-	atomic_t ni_refcnt;
++	// ieee80211_node_lock_t ni_nodelock;	/* on node - notably for ref counting */
++	ieee80211_node_ref_count_t ni_refcnt;
+ 	u_int ni_scangen;			/* gen# for timeout scan */
+ 	u_int8_t ni_authmode;			/* authentication algorithm */
+ 	u_int16_t ni_flags;			/* special-purpose state */
+@@ -121,13 +122,13 @@
+ 	u_int16_t ni_associd;			/* assoc response */
+ 	u_int16_t ni_txpower;			/* current transmit power (in 0.5 dBm) */
+ 	u_int16_t ni_vlan;			/* vlan tag */
+-	u_int32_t *ni_challenge;			/* shared-key challenge */
++	u_int32_t *ni_challenge;		/* shared-key challenge */
+ 	u_int8_t *ni_wpa_ie;			/* captured WPA ie */
+ 	u_int8_t *ni_rsn_ie;			/* captured RSN ie */
+ 	u_int8_t *ni_wme_ie;			/* captured WME ie */
+ 	u_int8_t *ni_ath_ie;			/* captured Atheros ie */
+-	u_int16_t ni_txseqs[17];			/* tx seq per-tid */
+-	u_int16_t ni_rxseqs[17];			/* rx seq previous per-tid*/
++	u_int16_t ni_txseqs[17];		/* tx seq per-tid */
++	u_int16_t ni_rxseqs[17];		/* rx seq previous per-tid*/
+ 	u_int32_t ni_rxfragstamp;		/* time stamp of last rx frag */
+ 	struct sk_buff *ni_rxfrag;		/* rx frag reassembly */
+ 	struct ieee80211_rsnparms ni_rsn;	/* RSN/WPA parameters */
+@@ -156,7 +157,7 @@
+ 	struct ieee80211_channel *ni_chan;
+ 	u_int16_t ni_fhdwell;			/* FH only */
+ 	u_int8_t ni_fhindex;			/* FH only */
+-	u_int8_t ni_erp;				/* ERP from beacon/probe resp */
++	u_int8_t ni_erp;			/* ERP from beacon/probe resp */
+ 	u_int16_t ni_timoff;			/* byte offset to TIM ie */
+ 
+ 	/* others */
+@@ -168,7 +169,7 @@
+ 	struct ieee80211vap *ni_prev_vap;  	/* previously associated vap */
+ 	u_int8_t ni_uapsd;			/* U-APSD per-node flags matching WMM STA Qos Info field */
+ 	u_int8_t ni_uapsd_maxsp; 		/* maxsp from flags above */
+-	u_int16_t ni_uapsd_trigseq[WME_NUM_AC]; 	/* trigger suppression on retry */
++	u_int16_t ni_uapsd_trigseq[WME_NUM_AC];	/* trigger suppression on retry */
+ 	__le16 ni_pschangeseq;
+ };
+ MALLOC_DECLARE(M_80211_NODE);
+@@ -186,20 +187,6 @@
+ #define WME_UAPSD_NODE_INVALIDSEQ	0xffff
+ #define WME_UAPSD_NODE_TRIGSEQINIT(_ni)	(memset(&(_ni)->ni_uapsd_trigseq[0], 0xff, sizeof((_ni)->ni_uapsd_trigseq)))
+ 
+-static __inline struct ieee80211_node *
+-ieee80211_ref_node(struct ieee80211_node *ni)
+-{
+-	ieee80211_node_incref(ni);
+-	return ni;
+-}
+-
+-static __inline void
+-ieee80211_unref_node(struct ieee80211_node **ni)
+-{
+-	ieee80211_node_decref(*ni);
+-	*ni = NULL;			/* guard against use */
+-}
+-
+ void ieee80211_node_attach(struct ieee80211com *);
+ void ieee80211_node_detach(struct ieee80211com *);
+ void ieee80211_node_vattach(struct ieee80211vap *);
+@@ -242,43 +229,39 @@
+  * is a second table for associated stations or neighbors.
+  */
+ struct ieee80211_node_table {
++	const char *nt_name;			/* for debugging */
+ 	struct ieee80211com *nt_ic;		/* back reference */
+-	ieee80211_node_lock_t nt_nodelock;	/* on node table */
++	ieee80211_node_table_lock_t nt_nodelock;	/* on node table */
+ 	TAILQ_HEAD(, ieee80211_node) nt_node;	/* information of all nodes */
+ 	ATH_LIST_HEAD(, ieee80211_node) nt_hash[IEEE80211_NODE_HASHSIZE];
+ 	ATH_LIST_HEAD(, ieee80211_wds_addr) nt_wds_hash[IEEE80211_NODE_HASHSIZE];
+-	const char *nt_name;			/* for debugging */
+ 	ieee80211_scan_lock_t nt_scanlock;	/* on nt_scangen */
+ 	u_int nt_scangen;			/* gen# for timeout scan */
+ 	int nt_inact_init;			/* initial node inact setting */
+ 	struct timer_list nt_wds_aging_timer;	/* timer to age out wds entries */
+ };
+ 
+-struct ieee80211_node *ieee80211_alloc_node(struct ieee80211_node_table *,
+-	struct ieee80211vap *, const u_int8_t *);
+-struct ieee80211_node *ieee80211_tmp_node(struct ieee80211vap *,
+-	const u_int8_t *);
+-struct ieee80211_node *ieee80211_dup_bss(struct ieee80211vap *,
++struct ieee80211_node *ieee80211_alloc_node_table(struct ieee80211vap *,
+ 	const u_int8_t *);
++struct ieee80211_node *ieee80211_dup_bss(struct ieee80211vap *, 
++	const u_int8_t *, unsigned char);
+ void ieee80211_node_reset(struct ieee80211_node *, struct ieee80211vap *);
+ #ifdef IEEE80211_DEBUG_REFCNT
+-void ieee80211_free_node_debug(struct ieee80211_node *, const char *, int);
+ struct ieee80211_node *ieee80211_find_node_debug(struct ieee80211_node_table *,
+ 	const u_int8_t *, const char *, int);
+ struct ieee80211_node *ieee80211_find_rxnode_debug(struct ieee80211com *,
+ 	const struct ieee80211_frame_min *, const char *, int);
+ struct ieee80211_node *ieee80211_find_txnode_debug(struct ieee80211vap *,
+ 	const u_int8_t *, const char *, int);
+-#define	ieee80211_free_node(ni) \
+-	ieee80211_free_node_debug(ni, __func__, __LINE__)
+-#define	ieee80211_find_node(nt, mac) \
+-	ieee80211_find_node_debug(nt, mac, __func__, __LINE__)
+-#define	ieee80211_find_rxnode(nt, wh) \
+-	ieee80211_find_rxnode_debug(nt, wh, __func__, __LINE__)
+-#define	ieee80211_find_txnode(nt, mac) \
+-	ieee80211_find_txnode_debug(nt, mac, __func__, __LINE__)
++#define	ieee80211_unref_node(_ni) \
++	ieee80211_unref_node_debug(_ni, __func__, __LINE__)
++#define	ieee80211_find_node(_nt, _mac) \
++	ieee80211_find_node_debug(_nt, _mac, __func__, __LINE__)
++#define	ieee80211_find_rxnode(_nt, _wh) \
++	ieee80211_find_rxnode_debug(_nt, _wh, __func__, __LINE__)
++#define	ieee80211_find_txnode(_nt, _mac) \
++	ieee80211_find_txnode_debug(_nt, _mac, __func__, __LINE__)
+ #else
+-void ieee80211_free_node(struct ieee80211_node *);
+ 
+ struct ieee80211_node *ieee80211_find_node(struct ieee80211_node_table *,
+ 	const u_int8_t *);
+@@ -287,6 +270,53 @@
+ struct ieee80211_node *ieee80211_find_txnode(struct ieee80211vap *,
+ 	const u_int8_t *);
+ #endif
++
++void _ieee80211_free_node(struct ieee80211_node *);
++
++static __inline struct ieee80211_node *
++ieee80211_ref_node(struct ieee80211_node *ni)
++{
++	ieee80211_node_incref(ni);
++	return ni;
++}
++
++static __inline struct ieee80211_node *
++_ieee80211_pass_node(struct ieee80211_node **pni) {
++	struct ieee80211_node *tmp = *pni;
++	*pni = NULL;
++	return (tmp);
++}
++
++#define PASS_NODE(_ni) \
++	_ieee80211_pass_node(&_ni)
++
++static __inline int
++_ieee80211_unref_node(struct ieee80211_node *ni) {
++	if (ieee80211_node_dectestref(ni)) {
++		_ieee80211_free_node(ni);
++		return 1;
++	} else {
++		return 0;
++	}
++}
++
++static __inline void
++#ifdef IEEE80211_DEBUG_REFCNT
++ieee80211_unref_node_debug(struct ieee80211_node **pni, const char *func, int line)
++#else
++ieee80211_unref_node(struct ieee80211_node **pni)
++#endif
++{	
++	struct ieee80211_node *ni = *pni;
++#ifdef IEEE80211_DEBUG_REFCNT
++	IEEE80211_DPRINTF(ni->ni_vap, IEEE80211_MSG_NODE,
++		"%s (%s:%u) %p<%s> refcnt %d\n", __func__, func, line, ni,
++		 ether_sprintf(ni->ni_macaddr), ieee80211_node_refcnt(ni) - 1);
++#endif
++	_ieee80211_unref_node(ni); 
++	*pni = NULL;			/* guard against use */
++}
++
+ int ieee80211_add_wds_addr(struct ieee80211_node_table *, struct ieee80211_node *,
+ 	const u_int8_t *, u_int8_t);
+ void ieee80211_remove_wds_addr(struct ieee80211_node_table *, const u_int8_t *);
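Review bot: `PASS_NODE` and `_ieee80211_unref_node` are added without a word on the ownership contract, and the macro body `_ieee80211_pass_node(&_ni)` takes the address of an unparenthesised argument. For reference-counting helpers the contract is what a caller needs to avoid a double release or a use after the last reference is gone. I would add a comment above `_ieee80211_pass_node` such as `/* Hand the caller's reference to a new owner; *pni is cleared so it cannot be used or released again. */`, and one above `_ieee80211_unref_node` such as `/* Drop one reference; returns 1 if it was the last and _ieee80211_free_node() was called, else 0. */`. The macro should read `_ieee80211_pass_node(&(_ni))`. `ieee80211_unref_node` also dereferences `*pni` unconditionally (and `ni->ni_vap` in the debug build), so its comment should state that `*pni` must be non-NULL.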
+diff -ur madwifi.old/net80211/ieee80211_output.c madwifi.dev/net80211/ieee80211_output.c
+--- madwifi.old/net80211/ieee80211_output.c	2007-05-18 13:19:16.000000000 +0200
++++ madwifi.dev/net80211/ieee80211_output.c	2007-05-21 08:10:46.870753264 +0200
+@@ -254,7 +254,7 @@
+ 		goto bad;
+ 	}
+ 	
+-	cb->ni = ni;
++	cb->ni = ieee80211_ref_node(ni);
+ 	
+ 	/* power-save checks */
+ 	if (WME_UAPSD_AC_CAN_TRIGGER(skb->priority, ni)) {
+@@ -293,13 +293,14 @@
+ 	}
+ #endif
+ 	ieee80211_parent_queue_xmit(skb);
++	ieee80211_unref_node(&ni);
+ 	return 0;
+ 
+ bad:
+ 	if (skb != NULL)
+ 		dev_kfree_skb(skb);
+ 	if (ni != NULL)
+-		ieee80211_free_node(ni);
++		ieee80211_unref_node(&ni);
+ 	return 0;
+ }
+ 
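Review bot: The `bad:` path releases only the local `ni`, while the hunk at -254 now stores a second reference in `cb->ni`, and `dev_kfree_skb(skb)` is not shown to release it. The ieee80211_power.c change in this same patch drops `cb->ni` by hand before freeing a queued skb, which suggests that freeing the skb alone leaves that reference held. If any `goto bad` lies between the `cb->ni = ieee80211_ref_node(ni);` assignment and `ieee80211_parent_queue_xmit(skb)` (that code is outside both hunks), the node's count would never reach zero and the entry would stay allocated. I would either confirm that no such jump exists and say so in a comment at `bad:`, or release the skb's reference there before `dev_kfree_skb(skb)`.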
+@@ -453,7 +454,7 @@
+ 	if (skb == NULL) {
+ 		/* XXX debug msg */
+ 		vap->iv_stats.is_tx_nobuf++;
+-		ieee80211_free_node(ni);
++		ieee80211_unref_node(&ni);
+ 		return -ENOMEM;
+ 	}
+ 	cb = (struct ieee80211_cb *)skb->cb;
+@@ -507,16 +508,14 @@
+ 	u_int8_t *frm;
+ 	int tid;
+ 
+-	ieee80211_ref_node(ni);
+ 	skb = ieee80211_getmgtframe(&frm, 2);
+ 	if (skb == NULL) {
+ 		/* XXX debug msg */
+ 		vap->iv_stats.is_tx_nobuf++;
+-		ieee80211_free_node(ni);
+ 		return -ENOMEM;
+ 	}
+ 	cb = (struct ieee80211_cb *)skb->cb;
+-	cb->ni = ni;
++	cb->ni = ieee80211_ref_node(ni);
+ 
+ 	skb->priority = ac;
+ 	qwh = (struct ieee80211_qosframe *)skb_push(skb, sizeof(struct ieee80211_qosframe));
+@@ -865,7 +864,7 @@
+ 				nt = &ic->ic_sta;
+ 				ni_wds = ieee80211_find_wds_node(nt, eh.ether_shost);
+ 				if (ni_wds)
+-					ieee80211_free_node(ni_wds); /* Decr ref count */
++					ieee80211_unref_node(&ni_wds); /* Decr ref count */
+ 				else
+ 					ieee80211_add_wds_addr(nt, ni, eh.ether_shost, 0);
+ 			}
+@@ -1719,7 +1718,6 @@
+ 		__func__, __LINE__,
+ 		ni, ether_sprintf(ni->ni_macaddr),
+ 		ieee80211_node_refcnt(ni) + 1);
+-	ieee80211_ref_node(ni);
+ 
+ 	/*
+ 	 * prreq frame format
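Review bot: The debug message kept as context here still prints `ieee80211_node_refcnt(ni) + 1`, but the `ieee80211_ref_node(ni)` it announced is removed by this hunk and the reference is now taken later, at `cb->ni = ieee80211_ref_node(ni);` (hunk at -1758). As written, the trace reports a count the node does not have at that point, and reports it even when the allocation below fails and no reference is ever taken. I would move the message down next to the `cb->ni` assignment, or print `ieee80211_node_refcnt(ni)` without the `+ 1`. The start of the statement is outside the hunk.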
+@@ -1735,7 +1733,6 @@
+ 	       vap->app_ie[IEEE80211_APPIE_FRAME_PROBE_REQ].length);
+ 	if (skb == NULL) {
+ 		vap->iv_stats.is_tx_nobuf++;
+-		ieee80211_free_node(ni);
+ 		return -ENOMEM;
+ 	}
+ 
+@@ -1758,7 +1755,7 @@
+ 	skb_trim(skb, frm - skb->data);
+ 
+ 	cb = (struct ieee80211_cb *)skb->cb;
+-	cb->ni = ni;
++	cb->ni = ieee80211_ref_node(ni);
+ 
+ 	wh = (struct ieee80211_frame *)
+ 		skb_push(skb, sizeof(struct ieee80211_frame));
+@@ -2234,7 +2231,7 @@
+ 		mod_timer(&vap->iv_mgtsend, jiffies + timer * HZ);
+ 	return 0;
+ bad:
+-	ieee80211_free_node(ni);
++	ieee80211_unref_node(&ni);
+ 	return ret;
+ #undef senderr
+ }
+diff -ur madwifi.old/net80211/ieee80211_power.c madwifi.dev/net80211/ieee80211_power.c
+--- madwifi.old/net80211/ieee80211_power.c	2007-05-18 13:19:16.000000000 +0200
++++ madwifi.dev/net80211/ieee80211_power.c	2007-05-21 08:10:46.870753264 +0200
+@@ -109,13 +109,15 @@
+ int
+ ieee80211_node_saveq_drain(struct ieee80211_node *ni)
+ {
++	struct ieee80211_cb *cb = NULL;
+ 	struct sk_buff *skb;
+ 	int qlen;
+ 
+ 	IEEE80211_NODE_SAVEQ_LOCK(ni);
+ 	qlen = skb_queue_len(&ni->ni_savedq);
+ 	while ((skb = __skb_dequeue(&ni->ni_savedq)) != NULL) {
+-		ieee80211_free_node(ni);
++		cb = (struct ieee80211_cb *) skb->cb;
++		ieee80211_unref_node(&cb->ni);
+ 		dev_kfree_skb_any(skb);
+ 	}
+ 	IEEE80211_NODE_SAVEQ_UNLOCK(ni);
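Review bot: The drain loop now calls `ieee80211_unref_node(&cb->ni)` for every dequeued skb with no check that `cb->ni` is set, and the inline helper added to ieee80211_node.h passes `*pni` straight to `ieee80211_node_dectestref`. The old code released `ni` itself, so this change quietly adds the assumption that every frame on `ni_savedq` carries a non-NULL `cb->ni`; a frame queued without one would reach that helper as NULL while the save-queue lock is held. Either guard it with `if (cb->ni != NULL)` before `ieee80211_unref_node(&cb->ni);`, or add a comment next to the cast stating that enqueue always sets `cb->ni`. `cb` also needs neither function scope nor the `= NULL` initialiser; it can be declared inside the loop. The function's tail is outside the hunk.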
+diff -ur madwifi.old/net80211/ieee80211_proto.c madwifi.dev/net80211/ieee80211_proto.c
+--- madwifi.old/net80211/ieee80211_proto.c	2006-12-08 18:20:08.000000000 +0100
++++ madwifi.dev/net80211/ieee80211_proto.c	2007-05-21 08:10:46.871753112 +0200
+@@ -1456,7 +1456,7 @@
+ 				 */				
+ 				if (vap->iv_opmode == IEEE80211_M_WDS) {
+ 					struct ieee80211_node *wds_ni;
+-					wds_ni = ieee80211_alloc_node(&ic->ic_sta, vap, vap->wds_mac);
++					wds_ni = ieee80211_alloc_node_table(vap, vap->wds_mac);
+ 					if (wds_ni != NULL) {
+ 						if (ieee80211_add_wds_addr(&ic->ic_sta, wds_ni, vap->wds_mac, 1) == 0) {
+ 							ieee80211_node_authorize(wds_ni);
+diff -ur madwifi.old/net80211/ieee80211_var.h madwifi.dev/net80211/ieee80211_var.h
+--- madwifi.old/net80211/ieee80211_var.h	2007-05-18 13:19:16.000000000 +0200
++++ madwifi.dev/net80211/ieee80211_var.h	2007-05-21 08:12:01.499407984 +0200
+@@ -44,6 +44,8 @@
+ 
+ #include <sys/queue.h>
+ 
++struct ieee80211vap;
++
+ #include <net80211/_ieee80211.h>
+ #include <net80211/ieee80211.h>
+ #include <net80211/ieee80211_crypto.h>
+@@ -115,7 +117,6 @@
+  * the underlying device and the net80211 layer is exposed here;
+  * e.g. device-specific callbacks.
+  */
+-struct ieee80211vap;
+ 
+ struct ieee80211com {
+ 	struct net_device *ic_dev;		/* associated device */
+@@ -236,8 +237,7 @@
+ 	/* new station association callback/notification */
+ 	void (*ic_newassoc)(struct ieee80211_node *, int);
+ 	/* node state management */
+-	struct ieee80211_node *(*ic_node_alloc)(struct ieee80211_node_table *,
+-		struct ieee80211vap *);
++	struct ieee80211_node *(*ic_node_alloc)(struct ieee80211vap *);
+ 	void (*ic_node_free)(struct ieee80211_node *);
+ 	void (*ic_node_cleanup)(struct ieee80211_node *);
+ 	u_int8_t (*ic_node_getrssi)(const struct ieee80211_node *);
+diff -ur madwifi.old/net80211/ieee80211_wireless.c madwifi.dev/net80211/ieee80211_wireless.c
+--- madwifi.old/net80211/ieee80211_wireless.c	2007-05-18 13:19:16.000000000 +0200
++++ madwifi.dev/net80211/ieee80211_wireless.c	2007-05-21 08:10:46.874752656 +0200
+@@ -3186,7 +3186,7 @@
+ 		error = -ENXIO;
+ 	ieee80211_key_update_end(vap);
+ 	if (ni != NULL)
+-		ieee80211_free_node(ni);
++		ieee80211_unref_node(&ni);
+ #ifdef ATH_SUPERG_XR
+ 	/* set the same params on the xr vap device if exists */
+ 	if (vap->iv_xrvap && !(vap->iv_flags & IEEE80211_F_XR))
+@@ -3246,7 +3246,7 @@
+ 		memset(ik.ik_keydata, 0, sizeof(ik.ik_keydata));
+ 	}
+ 	if (ni != NULL)
+-		ieee80211_free_node(ni);
++		ieee80211_unref_node(&ni);
+ 	return (copy_to_user(iwr->u.data.pointer, &ik, sizeof(ik)) ? -EFAULT : 0);
+ }
+ 
+@@ -3271,7 +3271,7 @@
+ 			return -ENOENT; /* No such entity is a more appropriate error */
+ 		/* XXX error return */
+ 		ieee80211_crypto_delkey(vap, &ni->ni_ucastkey, ni);
+-		ieee80211_free_node(ni);
++		ieee80211_unref_node(&ni);
+ 	} else {
+ 		if (kix >= IEEE80211_WEP_NKID)
+ 			return -EINVAL;
+@@ -3382,7 +3382,7 @@
+ 					return -EINVAL;
+ 				if (dev == ni->ni_vap->iv_dev)
+ 					domlme(mlme, ni);
+-				ieee80211_free_node(ni);
++				ieee80211_unref_node(&ni);
+ 			} else
+ 				ieee80211_iterate_dev_nodes(dev, &ic->ic_sta, domlme, mlme);
+ 			break;
+@@ -3401,7 +3401,7 @@
+ 			ieee80211_node_authorize(ni);
+ 		else
+ 			ieee80211_node_unauthorize(ni);
+-		ieee80211_free_node(ni);
++		ieee80211_unref_node(&ni);
+ 		break;
+ 	case IEEE80211_MLME_CLEAR_STATS:
+ 		if (vap->iv_opmode != IEEE80211_M_HOSTAP)
+@@ -3412,7 +3412,7 @@
+ 		
+ 		/* clear statistics */
+ 		memset(&ni->ni_stats, 0, sizeof(struct ieee80211_nodestats));
+-		ieee80211_free_node(ni);
++		ieee80211_unref_node(&ni);
+ 		break;
+ 	default:
+ 		return -EINVAL;
+@@ -3785,7 +3785,7 @@
+ 			ielen = sizeof(wpaie.rsn_ie);
+ 		memcpy(wpaie.rsn_ie, ni->ni_rsn_ie, ielen);
+ 	}
+-	ieee80211_free_node(ni);
++	ieee80211_unref_node(&ni);
+ 	return (copy_to_user(iwr->u.data.pointer, &wpaie, sizeof(wpaie)) ?
+ 		-EFAULT : 0);
+ }
+@@ -3813,7 +3813,7 @@
+ 	/* NB: copy out only the statistics */
+ 	error = copy_to_user(iwr->u.data.pointer + off, &ni->ni_stats,
+ 		iwr->u.data.length - off);
+-	ieee80211_free_node(ni);
++	ieee80211_unref_node(&ni);
+ 	return (error ? -EFAULT : 0);
+ }
+ 
diff --git a/package/madwifi/patches/101-fix_typo.patch b/package/madwifi/patches/101-fix_typo.patch
deleted file mode 100644
index acad71ebe..000000000
--- a/package/madwifi/patches/101-fix_typo.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -urN madwifi-ng-refcount-r2313-20070505.old/ath_hal/ah_os.h madwifi-ng-refcount-r2313-20070505.dev/ath_hal/ah_os.h
---- madwifi-ng-refcount-r2313-20070505.old/ath_hal/ah_os.h	2007-05-04 02:10:06.000000000 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/ath_hal/ah_os.h	2007-05-13 18:17:55.040201656 +0200
-@@ -149,7 +149,7 @@
- 	(0x4000 <= (_reg) && (_reg) < 0x5000) ?			\
- 	 writel((_val), (_ah)->ah_sh + (_reg)) :		\
- 	 ({__raw_writel((_val), (_ah)->ah_sh + (_reg)); 	\
--	   mb(); });
-+	   mb(); }); \
- } while (0)
- #define _OS_REG_READ(_ah, _reg)					\
- 	((0x4000 <= (_reg) && (_reg) < 0x5000) ?		\
diff --git a/package/madwifi/patches/106-minstrel_crash.patch b/package/madwifi/patches/106-minstrel_crash.patch
deleted file mode 100644
index b6dfae2b9..000000000
--- a/package/madwifi/patches/106-minstrel_crash.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff -urN madwifi-ng-refcount-r2313-20070505.old/ath_rate/minstrel/minstrel.c madwifi-ng-refcount-r2313-20070505.dev/ath_rate/minstrel/minstrel.c
---- madwifi-ng-refcount-r2313-20070505.old/ath_rate/minstrel/minstrel.c	2007-04-25 22:29:55.000000000 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/ath_rate/minstrel/minstrel.c	2007-05-13 18:17:55.533126720 +0200
-@@ -543,6 +543,9 @@
-         unsigned int i, column_index;
-         int newIndex;
-         u_int8_t random_bytes[12];
-+		
-+		if (num_sample_rates < 0)
-+			return;
- 
-         for(column_index = 0; column_index < MINSTREL_COLUMNS; column_index++) {
-                 for (i = 0; i <= IEEE80211_RATE_MAXSIZE; i++)
diff --git a/package/madwifi/patches/111-wds_fix_PR_914.patch b/package/madwifi/patches/111-wds_fix_PR_914.patch
deleted file mode 100644
index 282b38576..000000000
--- a/package/madwifi/patches/111-wds_fix_PR_914.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_node.c madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_node.c
---- madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_node.c	2007-05-04 23:09:29.000000000 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_node.c	2007-05-13 18:17:55.697101792 +0200
-@@ -981,11 +981,11 @@
- ieee80211_del_wds_node(struct ieee80211_node_table *nt, struct ieee80211_node *ni)
- {
- 	int hash;
--	struct ieee80211_wds_addr *wds;
-+	struct ieee80211_wds_addr *wds, *next;
- 
- 	IEEE80211_NODE_TABLE_LOCK_IRQ(nt);
- 	for (hash = 0; hash < IEEE80211_NODE_HASHSIZE; hash++) {
--		LIST_FOREACH(wds, &nt->nt_wds_hash[hash], wds_hash) {
-+		LIST_FOREACH_SAFE(wds, &nt->nt_wds_hash[hash], wds_hash, next) {
- 			if (wds->wds_ni == ni) {
- 				LIST_REMOVE(wds, wds_hash);
- 				ieee80211_unref_node(&wds->wds_ni);
-@@ -1002,11 +1002,11 @@
- {
- 	struct ieee80211_node_table *nt = (struct ieee80211_node_table *)data;
- 	int hash;
--	struct ieee80211_wds_addr *wds;
-+	struct ieee80211_wds_addr *wds, *next;
- 
- 	IEEE80211_NODE_TABLE_LOCK_IRQ(nt);
- 	for (hash = 0; hash < IEEE80211_NODE_HASHSIZE; hash++) {
--		LIST_FOREACH(wds, &nt->nt_wds_hash[hash], wds_hash) {
-+		LIST_FOREACH_SAFE(wds, &nt->nt_wds_hash[hash], wds_hash, next) {
- 			if (wds->wds_agingcount != WDS_AGING_STATIC) {
- 				if (!wds->wds_agingcount) {
- 					LIST_REMOVE(wds, wds_hash);
diff --git a/package/madwifi/patches/112-keycache_PR_962.patch b/package/madwifi/patches/112-keycache_PR_962.patch
index e8ca188ef..c923a3dba 100644
--- a/package/madwifi/patches/112-keycache_PR_962.patch
+++ b/package/madwifi/patches/112-keycache_PR_962.patch
@@ -1,20 +1,20 @@
-diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcount-r2313-20070505.dev/ath/if_ath.c
---- madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c	2007-05-13 18:17:55.691102704 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/ath/if_ath.c	2007-05-13 18:17:55.783088720 +0200
-@@ -5704,7 +5704,8 @@
+diff -ur madwifi.old/ath/if_ath.c madwifi.dev/ath/if_ath.c
+--- madwifi.old/ath/if_ath.c	2007-05-21 07:33:42.392925296 +0200
++++ madwifi.dev/ath/if_ath.c	2007-05-21 07:35:51.933232176 +0200
+@@ -5660,7 +5660,8 @@
  		 * frame; it'll be dropped where it's not wanted.
  		 */
- 		if (ds->ds_rxstat.rs_keyix != HAL_RXKEYIX_INVALID &&
--		    (ni = sc->sc_keyixmap[ds->ds_rxstat.rs_keyix]) != NULL) {
-+		    (ni = sc->sc_keyixmap[ds->ds_rxstat.rs_keyix]) != NULL &&
-+		    ieee80211_check_rxnode(ni, (const struct ieee80211_frame_min *) skb->data)) {
+ 		if (rs->rs_keyix != HAL_RXKEYIX_INVALID &&
+-		    (ni = sc->sc_keyixmap[rs->rs_keyix]) != NULL) {
++		    ((ni = sc->sc_keyixmap[rs->rs_keyix]) != NULL) &&
++			ieee80211_check_rxnode(ni, (const struct ieee80211_frame_min *) skb->data)) {
  			struct ath_node *an;
  			/*
  			 * Fast path: node is present in the key map;
-diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_node.c madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_node.c
---- madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_node.c	2007-05-13 18:17:55.773090240 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_node.c	2007-05-13 18:17:55.784088568 +0200
-@@ -1268,8 +1268,6 @@
+diff -ur madwifi.old/net80211/ieee80211_node.c madwifi.dev/net80211/ieee80211_node.c
+--- madwifi.old/net80211/ieee80211_node.c	2007-05-21 07:33:42.371928488 +0200
++++ madwifi.dev/net80211/ieee80211_node.c	2007-05-21 07:34:13.689167544 +0200
+@@ -1272,8 +1272,6 @@
  	IEEE80211_NODE_TABLE_UNLOCK_IRQ(nt);
  
  	return ni;
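Review bot: In the refreshed if_ath.c condition, the added `ieee80211_check_rxnode(...)` line is indented with three tabs, which puts it at the same depth as `struct ath_node *an;` in the body below, and the assignment gained a redundant outer pair of parentheses. This check decides whether a frame may take the key-map fast path, so it should read unmistakably as part of the `if`. I would keep the continuation style of the first line, two tabs plus four spaces: `(ni = sc->sc_keyixmap[rs->rs_keyix]) != NULL &&` followed by `ieee80211_check_rxnode(ni, (const struct ieee80211_frame_min *)skb->data)) {`. `ieee80211_check_rxnode` itself is defined in a part of the patch this hunk does not show.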
@@ -23,7 +23,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_node.c madwi
  }
  #ifdef IEEE80211_DEBUG_REFCNT
  EXPORT_SYMBOL(ieee80211_find_rxnode_debug);
-@@ -1277,6 +1275,20 @@
+@@ -1281,6 +1279,20 @@
  EXPORT_SYMBOL(ieee80211_find_rxnode);
  #endif
  
@@ -44,10 +44,10 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_node.c madwi
  /*
   * Return a reference to the appropriate node for sending
   * a data frame.  This handles node discovery in adhoc networks.
-diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_node.h madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_node.h
---- madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_node.h	2007-04-04 04:39:58.000000000 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_node.h	2007-05-13 18:17:55.784088568 +0200
-@@ -318,6 +318,8 @@
+diff -ur madwifi.old/net80211/ieee80211_node.h madwifi.dev/net80211/ieee80211_node.h
+--- madwifi.old/net80211/ieee80211_node.h	2007-05-21 07:33:42.372928336 +0200
++++ madwifi.dev/net80211/ieee80211_node.h	2007-05-21 07:34:13.689167544 +0200
+@@ -317,6 +317,8 @@
  	*pni = NULL;			/* guard against use */
  }
  
diff --git a/package/madwifi/patches/114-fix_ff_corruption.patch b/package/madwifi/patches/114-fix_ff_corruption.patch
deleted file mode 100644
index 9d47648d1..000000000
--- a/package/madwifi/patches/114-fix_ff_corruption.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_output.c madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_output.c
---- madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_output.c	2007-04-25 22:29:55.000000000 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_output.c	2007-05-13 18:17:55.947063792 +0200
-@@ -942,7 +942,7 @@
- 		llc->llc_snap.org_code[0] = 0;
- 		llc->llc_snap.org_code[1] = 0;
- 		llc->llc_snap.org_code[2] = 0;
--		llc->llc_snap.ether_type = eh.ether_type;
-+		llc->llc_snap.ether_type = eh2.ether_type;
- 
- 		eh_inter = (struct ether_header *) skb_push(skb2, sizeof(struct ether_header));
- 		if (eh_inter == NULL) {
-@@ -952,7 +952,7 @@
- 			return NULL;
- 		}
- 
--		memcpy(eh_inter, &eh2, sizeof(struct ether_header) - sizeof eh.ether_type);
-+		memcpy(eh_inter, &eh2, sizeof(struct ether_header) - sizeof eh2.ether_type);
- 		eh_inter->ether_type = htons(payload);
- 
- 		/* variable length pad */
diff --git a/package/madwifi/patches/115-PR_1270_fix.patch b/package/madwifi/patches/115-PR_1270_fix.patch
deleted file mode 100644
index f175da899..000000000
--- a/package/madwifi/patches/115-PR_1270_fix.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_input.c madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_input.c
---- madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_input.c	2007-05-04 02:10:06.000000000 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_input.c	2007-05-13 18:17:56.027051632 +0200
-@@ -2854,7 +2854,7 @@
- 				IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3);
- 				memcpy(ni->ni_tstamp.data, scan.tstamp,
- 					sizeof(ni->ni_tstamp));
--				ni->ni_intval = scan.bintval;
-+				ni->ni_intval = IEEE80211_BINTVAL_SANITISE(scan.bintval);
- 				ni->ni_capinfo = scan.capinfo;
- 				ni->ni_chan = ic->ic_curchan;
- 				ni->ni_fhdwell = scan.fhdwell;
-@@ -3279,7 +3279,7 @@
- 		ni->ni_rssi = rssi;
- 		ni->ni_rstamp = rstamp;
- 		ni->ni_last_rx = jiffies;
--		ni->ni_intval = bintval;
-+		ni->ni_intval = IEEE80211_BINTVAL_SANITISE(bintval);
- 		ni->ni_capinfo = capinfo;
- 		ni->ni_chan = ic->ic_curchan;
- 		ni->ni_fhdwell = vap->iv_bss->ni_fhdwell;
-diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_node.c madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_node.c
---- madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_node.c	2007-05-13 18:17:55.862076712 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_node.c	2007-05-13 18:17:56.028051480 +0200
-@@ -658,7 +658,7 @@
- 	memcpy(ni->ni_essid, se->se_ssid + 2, ni->ni_esslen);
- 	ni->ni_rstamp = se->se_rstamp;
- 	ni->ni_tstamp.tsf = se->se_tstamp.tsf;
--	ni->ni_intval = se->se_intval;
-+	ni->ni_intval = IEEE80211_BINTVAL_SANITISE(se->se_intval);
- 	ni->ni_capinfo = se->se_capinfo;
- 	ni->ni_chan = se->se_chan;
- 	ni->ni_timoff = se->se_timoff;
-@@ -1191,7 +1191,7 @@
- 		memcpy(ni->ni_essid, sp->ssid + 2, sp->ssid[1]);
- 		IEEE80211_ADDR_COPY(ni->ni_bssid, wh->i_addr3);
- 		memcpy(ni->ni_tstamp.data, sp->tstamp, sizeof(ni->ni_tstamp));
--		ni->ni_intval = sp->bintval;
-+		ni->ni_intval = IEEE80211_BINTVAL_SANITISE(sp->bintval);
- 		ni->ni_capinfo = sp->capinfo;
- 		ni->ni_chan = ic->ic_curchan;
- 		ni->ni_fhdwell = sp->fhdwell;
-diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_scan.h madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_scan.h
---- madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_scan.h	2007-04-04 04:39:58.000000000 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_scan.h	2007-05-13 18:17:56.029051328 +0200
-@@ -131,7 +131,7 @@
- 	u_int8_t bchan;
- 	u_int8_t fhindex;
- 	u_int8_t erp;
--	u_int8_t bintval;
-+	u_int16_t bintval;
- 	u_int8_t timoff;
- 	u_int8_t *tim;
- 	u_int8_t *tstamp;
-diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_var.h madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_var.h
---- madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_var.h	2007-04-25 22:29:55.000000000 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_var.h	2007-05-13 18:17:56.029051328 +0200
-@@ -61,6 +61,12 @@
- #define	IEEE80211_BINTVAL_MAX	500		/* max beacon interval (TU's) */
- #define	IEEE80211_BINTVAL_MIN	25		/* min beacon interval (TU's) */
- #define	IEEE80211_BINTVAL_DEFAULT 100		/* default beacon interval (TU's) */
-+#define IEEE80211_BINTVAL_VALID(_bi) \
-+	((IEEE80211_BINTVAL_MIN <= (_bi)) && \
-+	 ((_bi) <= IEEE80211_BINTVAL_MAX))
-+#define IEEE80211_BINTVAL_SANITISE(_bi) \
-+	(IEEE80211_BINTVAL_VALID(_bi) ? \
-+	 (_bi) : IEEE80211_BINTVAL_DEFAULT)
- 
- #define	IEEE80211_BGSCAN_INTVAL_MIN	15	/* min bg scan intvl (secs) */
- #define	IEEE80211_BGSCAN_INTVAL_DEFAULT	(5*60)	/* default bg scan intvl */
-diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_wireless.c madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_wireless.c
---- madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_wireless.c	2007-05-04 02:10:06.000000000 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_wireless.c	2007-05-13 18:17:56.031051024 +0200
-@@ -1271,12 +1271,16 @@
- 		case IW_POWER_UNICAST_R:
- 		case IW_POWER_ALL_R:
- 		case IW_POWER_ON:
--			ic->ic_flags |= IEEE80211_F_PMGTON;
--			
-+			if (wrq->flags & IW_POWER_PERIOD) {
-+				if (IEEE80211_BINTVAL_VALID(wrq->value))
-+					ic->ic_lintval = IEEE80211_MS_TO_TU(wrq->value);
-+				else
-+					return -EINVAL;
-+			}
- 			if (wrq->flags & IW_POWER_TIMEOUT)
- 				ic->ic_holdover = IEEE80211_MS_TO_TU(wrq->value);
--			if (wrq->flags & IW_POWER_PERIOD)
--				ic->ic_lintval = IEEE80211_MS_TO_TU(wrq->value);
-+			
-+			ic->ic_flags |= IEEE80211_F_PMGTON;
- 			break;
- 		default:
- 			return -EINVAL;
-@@ -2364,8 +2368,7 @@
- 		if (vap->iv_opmode != IEEE80211_M_HOSTAP &&
- 		    vap->iv_opmode != IEEE80211_M_IBSS)
- 			return -EINVAL;
--		if (IEEE80211_BINTVAL_MIN <= value &&
--		    value <= IEEE80211_BINTVAL_MAX) {
-+		if (IEEE80211_BINTVAL_VALID(value)) {
- 			ic->ic_lintval = value;		/* XXX multi-bss */
- 			retv = ENETRESET;		/* requires restart */
- 		} else
diff --git a/package/madwifi/patches/116-adhoc_beacon_PR_1033.patch b/package/madwifi/patches/116-adhoc_beacon_PR_1033.patch
index 92a147c1b..76bd8de54 100644
--- a/package/madwifi/patches/116-adhoc_beacon_PR_1033.patch
+++ b/package/madwifi/patches/116-adhoc_beacon_PR_1033.patch
@@ -1,7 +1,7 @@
-diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcount-r2313-20070505.dev/ath/if_ath.c
---- madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c	2007-05-13 18:17:55.862076712 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/ath/if_ath.c	2007-05-13 18:17:56.119037648 +0200
-@@ -4411,16 +4411,31 @@
+diff -ur madwifi.old/ath/if_ath.c madwifi.dev/ath/if_ath.c
+--- madwifi.old/ath/if_ath.c	2007-05-21 07:33:42.392925296 +0200
++++ madwifi.dev/ath/if_ath.c	2007-05-21 07:39:50.536958896 +0200
+@@ -4359,16 +4359,31 @@
  	struct ieee80211com *ic = &sc->sc_ic;
  	struct ath_hal *ah = sc->sc_ah;
  	struct ieee80211_node *ni;
@@ -37,7 +37,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  	/* XXX conditionalize multi-bss support? */
  	if (ic->ic_opmode == IEEE80211_M_HOSTAP) {
  		/*
-@@ -4434,20 +4449,61 @@
+@@ -4382,20 +4397,61 @@
  		if (sc->sc_stagbeacons)
  			intval /= ATH_BCBUF;	/* for staggered beacons */
  		if ((sc->sc_nostabeacons) &&
@@ -108,7 +108,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  		int dtimperiod, dtimcount;
  		int cfpperiod, cfpcount;
  
-@@ -4463,13 +4519,13 @@
+@@ -4411,13 +4467,13 @@
  			dtimcount = 0;		/* XXX? */
  		cfpperiod = 1;			/* NB: no PCF support yet */
  		cfpcount = 0;
@@ -125,7 +125,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  		do {
  			nexttbtt += intval;
  			if (--dtimcount < 0) {
-@@ -4477,7 +4533,7 @@
+@@ -4425,7 +4481,7 @@
  				if (--cfpcount < 0)
  					cfpcount = cfpperiod - 1;
  			}
@@ -134,16 +134,16 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  #undef FUDGE
  		memset(&bs, 0, sizeof(bs));
  		bs.bs_intval = intval;
-@@ -4529,7 +4585,7 @@
+@@ -4477,7 +4533,7 @@
  		DPRINTF(sc, ATH_DEBUG_BEACON, 
  			"%s: tsf %llu tsf:tu %u intval %u nexttbtt %u dtim %u nextdtim %u bmiss %u sleep %u cfp:period %u maxdur %u next %u timoffset %u\n",
  			__func__,
--			(long long) tsf, tsftu,
-+			(long long) hw_tsf, hw_tsftu,
+-			(unsigned long long) tsf, tsftu,
++			(unsigned long long) hw_tsf, hw_tsftu,
  			bs.bs_intval,
  			bs.bs_nexttbtt,
  			bs.bs_dtimperiod,
-@@ -4548,7 +4604,7 @@
+@@ -4496,7 +4552,7 @@
  		ath_hal_intrset(ah, sc->sc_imask);
  	} else {
  		ath_hal_intrset(ah, 0);
@@ -152,7 +152,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  			intval |= HAL_BEACON_RESET_TSF;
  		if (ic->ic_opmode == IEEE80211_M_IBSS) {
  			/*
-@@ -4585,8 +4641,40 @@
+@@ -4533,8 +4589,40 @@
  		if (ic->ic_opmode == IEEE80211_M_IBSS && sc->sc_hasveol)
  			ath_beacon_start_adhoc(sc, vap);
  	}
diff --git a/package/madwifi/patches/117-node_rates.patch b/package/madwifi/patches/117-node_rates.patch
deleted file mode 100644
index 1f2bede8e..000000000
--- a/package/madwifi/patches/117-node_rates.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_node.c madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_node.c
---- madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_node.c	2007-05-13 18:17:56.107039472 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_node.c	2007-05-13 18:17:56.202025032 +0200
-@@ -919,6 +919,7 @@
- 
- 		ni->ni_vap = vap;
- 		ni->ni_ic = ic;
-+		ni->ni_rates = ic->ic_sup_rates[ieee80211_chan2mode(ic->ic_curchan)];
- 	} else {
- 		/* XXX msg */
- 		vap->iv_stats.is_rx_nodealloc++;
diff --git a/package/madwifi/patches/118-txstop_workaround.patch b/package/madwifi/patches/118-txstop_workaround.patch
index 8cab1a439..8719a6d8b 100644
--- a/package/madwifi/patches/118-txstop_workaround.patch
+++ b/package/madwifi/patches/118-txstop_workaround.patch
@@ -1,7 +1,7 @@
 diff -ur madwifi.old/ath/if_ath.c madwifi.dev/ath/if_ath.c
---- madwifi.old/ath/if_ath.c	2007-05-21 05:40:18.320301560 +0200
-+++ madwifi.dev/ath/if_ath.c	2007-05-21 05:49:40.132893064 +0200
-@@ -2264,6 +2264,17 @@
+--- madwifi.old/ath/if_ath.c	2007-05-21 07:45:03.185429104 +0200
++++ madwifi.dev/ath/if_ath.c	2007-05-21 07:45:55.867420224 +0200
+@@ -2206,6 +2206,17 @@
  		txq->axq_link = &lastds->ds_link;
  		ath_hal_txstart(ah, txq->axq_qnum);
  		sc->sc_dev->trans_start = jiffies;
@@ -19,18 +19,18 @@ diff -ur madwifi.old/ath/if_ath.c madwifi.dev/ath/if_ath.c
  	}
  	ATH_TXQ_UNLOCK(txq);
  
-@@ -7299,6 +7310,7 @@
+@@ -7246,6 +7257,7 @@
+ 			__func__, ds);
  #else
  		ds = bf->bf_desc;		/* NB: last descriptor */
- #endif
 +		sc->sc_tx_start = 0;
- 		status = ath_hal_txprocdesc(ah, ds);
- #ifdef AR_DEBUG
- 		if (sc->sc_debug & ATH_DEBUG_XMIT_DESC)
+ #endif
+ 		ts = &bf->bf_dsstatus.ds_txstat;
+ 		status = ath_hal_txprocdesc(ah, ds, ts);
 diff -ur madwifi.old/ath/if_athvar.h madwifi.dev/ath/if_athvar.h
---- madwifi.old/ath/if_athvar.h	2007-05-04 23:09:29.000000000 +0200
-+++ madwifi.dev/ath/if_athvar.h	2007-05-21 05:40:32.958076280 +0200
-@@ -689,6 +689,14 @@
+--- madwifi.old/ath/if_athvar.h	2007-05-18 13:19:16.000000000 +0200
++++ madwifi.dev/ath/if_athvar.h	2007-05-21 07:45:37.720179024 +0200
+@@ -684,6 +684,14 @@
  #endif
  	u_int sc_slottimeconf;			/* manual override for slottime */
  	int16_t sc_channoise; 			/* Measured noise of current channel (dBm) */
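Review bot: In the refreshed if_ath.c part of this hunk, `sc->sc_tx_start = 0;` has moved from after the `#endif` to inside the `#else` arm, directly under `ds = bf->bf_desc;`. In the previous revision of the patch it ran for both arms; now a build that takes the `#if` arm (its condition is outside the hunk) never clears `sc_tx_start` in this path. The code that sets and tests the field is in a part of the patch not shown, but if it treats a non-zero value as a transmit still pending, those builds would see a stall that is not there. I would put the line back after the `#endif`, immediately before `ts = &bf->bf_dsstatus.ds_txstat;`.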
diff --git a/package/madwifi/patches/200-no_debug.patch b/package/madwifi/patches/200-no_debug.patch
index 9daeb90e9..d7b5ae417 100644
--- a/package/madwifi/patches/200-no_debug.patch
+++ b/package/madwifi/patches/200-no_debug.patch
@@ -34,12 +34,12 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath_rate/amrr/amrr.c madwifi-ng
 diff -urN madwifi-ng-refcount-r2313-20070505.old/ath_rate/minstrel/minstrel.c madwifi-ng-refcount-r2313-20070505.dev/ath_rate/minstrel/minstrel.c
 --- madwifi-ng-refcount-r2313-20070505.old/ath_rate/minstrel/minstrel.c	2007-05-13 18:17:55.605115776 +0200
 +++ madwifi-ng-refcount-r2313-20070505.dev/ath_rate/minstrel/minstrel.c	2007-05-13 18:17:56.458985968 +0200
-@@ -117,7 +117,7 @@
+@@ -116,7 +116,7 @@
+ 
  #include "minstrel.h"
  
- /* XXX: Use standard debug functions */
--#define	MINSTREL_DEBUG 10
-+#undef	MINSTREL_DEBUG
+-#define	MINSTREL_DEBUG 
++#undef	MINSTREL_DEBUG 
  #ifdef MINSTREL_DEBUG
  enum {
  	ATH_DEBUG_RATE		= 0x00000010	/* rate control */
@@ -104,16 +104,14 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_proto.h madw
 diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_var.h madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_var.h
 --- madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_var.h	2007-05-13 18:17:56.107039472 +0200
 +++ madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_var.h	2007-05-13 18:17:56.461985512 +0200
-@@ -35,8 +35,8 @@
- #ifndef _NET80211_IEEE80211_VAR_H_
- #define _NET80211_IEEE80211_VAR_H_
- 
+@@ -37,7 +37,7 @@
+ /*
+  * Definitions for IEEE 802.11 drivers.
+  */
 -#define	IEEE80211_DEBUG
--#define	IEEE80211_DEBUG_REFCNT			/* Node reference count debugging */
 +#undef	IEEE80211_DEBUG
-+#undef	IEEE80211_DEBUG_REFCNT			/* Node reference count debugging */
+ #undef	IEEE80211_DEBUG_REFCNT			/* node refcnt stuff */
  
- /* Definitions for IEEE 802.11 drivers. */
  #include <net80211/ieee80211_linux.h>
 diff -urN madwifi-ng-refcount-r2313-20070505.old/tools/do_multi.c madwifi-ng-refcount-r2313-20070505.dev/tools/do_multi.c
 --- madwifi-ng-refcount-r2313-20070505.old/tools/do_multi.c	2007-05-13 18:17:55.192178552 +0200
diff --git a/package/madwifi/patches/300-napi_polling.patch b/package/madwifi/patches/300-napi_polling.patch
index 0f3efe833..5a547938b 100644
--- a/package/madwifi/patches/300-napi_polling.patch
+++ b/package/madwifi/patches/300-napi_polling.patch
@@ -1,7 +1,7 @@
-diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcount-r2313-20070505.dev/ath/if_ath.c
---- madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c	2007-05-13 18:17:56.576968032 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/ath/if_ath.c	2007-05-13 18:17:56.594965296 +0200
-@@ -170,7 +170,7 @@
+diff -ur madwifi.old/ath/if_ath.c madwifi.dev/ath/if_ath.c
+--- madwifi.old/ath/if_ath.c	2007-05-21 07:49:54.571131744 +0200
++++ madwifi.dev/ath/if_ath.c	2007-05-21 07:51:40.208072488 +0200
+@@ -167,7 +167,7 @@
  	int, u_int32_t);
  static void ath_setdefantenna(struct ath_softc *, u_int);
  static struct ath_txq *ath_txq_setup(struct ath_softc *, int, int);
@@ -10,7 +10,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  static int ath_hardstart(struct sk_buff *, struct net_device *);
  static int ath_mgtstart(struct ieee80211com *, struct sk_buff *);
  #ifdef ATH_SUPERG_COMP
-@@ -420,7 +420,6 @@
+@@ -417,7 +417,6 @@
  	ATH_TXBUF_LOCK_INIT(sc);
  	ATH_RXBUF_LOCK_INIT(sc);
  
@@ -18,7 +18,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  	ATH_INIT_TQUEUE(&sc->sc_txtq,	  ath_tx_tasklet,	dev);
  	ATH_INIT_TQUEUE(&sc->sc_bmisstq,  ath_bmiss_tasklet,	dev);
  	ATH_INIT_TQUEUE(&sc->sc_bstucktq, ath_bstuck_tasklet,	dev);
-@@ -674,6 +673,8 @@
+@@ -665,6 +664,8 @@
  	dev->set_mac_address = ath_set_mac_address;
   	dev->change_mtu = ath_change_mtu;
  	dev->tx_queue_len = ATH_TXBUF - 1;		/* 1 for mgmt frame */
@@ -27,7 +27,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  #ifdef USE_HEADERLEN_RESV
  	dev->hard_header_len += sizeof(struct ieee80211_qosframe) +
  				sizeof(struct llc) +
-@@ -1645,6 +1646,7 @@
+@@ -1635,6 +1636,7 @@
  	 */
  	ath_hal_getisr(ah, &status);		/* NB: clears ISR too */
  	DPRINTF(sc, ATH_DEBUG_INTR, "%s: status 0x%x\n", __func__, status);
@@ -35,7 +35,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  	status &= sc->sc_imask;			/* discard unasked for bits */
  	if (status & HAL_INT_FATAL) {
  		sc->sc_stats.ast_hardware++;
-@@ -1684,7 +1686,12 @@
+@@ -1674,7 +1676,12 @@
  			 * might take too long to fire */
  			ath_hal_process_noisefloor(ah);
  			sc->sc_channoise = ath_hal_get_channel_noise(ah, &(sc->sc_curchan));
@@ -49,7 +49,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  		}
  		if (status & HAL_INT_TX) {
  #ifdef ATH_SUPERG_DYNTURBO
-@@ -1710,6 +1717,11 @@
+@@ -1700,6 +1707,11 @@
  				}
  			} 
  #endif
@@ -59,9 +59,9 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
 +			sc->sc_imask &= ~HAL_INT_TX;
 +
  			ATH_SCHEDULE_TQUEUE(&sc->sc_txtq, &needmark);
- 			sc->sc_tx_start = 0;
  		}
-@@ -2221,12 +2233,13 @@
+ 		if (status & HAL_INT_BMISS) {
+@@ -2162,12 +2174,13 @@
  	 * Insert the frame on the outbound list and
  	 * pass it on to the hardware.
  	 */
@@ -76,7 +76,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  		ath_hal_intrset(ah, sc->sc_imask & ~HAL_INT_SWBA);
  		ATH_TXQ_INSERT_TAIL(txq, bf, bf_list);
  		DPRINTF(sc, ATH_DEBUG_TX_PROC, "%s: txq depth = %d\n", __func__, txq->axq_depth);
-@@ -2242,6 +2255,7 @@
+@@ -2183,6 +2196,7 @@
  				ito64(bf->bf_daddr), bf->bf_desc);
  		}
  		txq->axq_link = &lastds->ds_link;
@@ -84,8 +84,8 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  		ath_hal_intrset(ah, sc->sc_imask);
  	} else {
  		ATH_TXQ_INSERT_TAIL(txq, bf, bf_list);
-@@ -2275,7 +2289,7 @@
- 			sc->sc_tx_start = jiffies;
+@@ -2218,7 +2232,7 @@
+ 			}
  		}
  	}
 -	ATH_TXQ_UNLOCK(txq);
@@ -93,7 +93,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  
  	sc->sc_devstats.tx_packets++;
  	sc->sc_devstats.tx_bytes += framelen;
-@@ -2426,8 +2440,14 @@
+@@ -2369,8 +2383,14 @@
  	unsigned int pktlen;
  	int framecnt;
  
@@ -109,7 +109,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  
  		bf_ff = TAILQ_LAST(&txq->axq_stageq, axq_headtype);
  		if ((!bf_ff) || ath_ff_flushdonetest(txq, bf_ff)) {
-@@ -2441,7 +2461,7 @@
+@@ -2384,7 +2404,7 @@
  		ATH_NODE(ni)->an_tx_ffbuf[bf_ff->bf_skb->priority] = NULL;
  		TAILQ_REMOVE(&txq->axq_stageq, bf_ff, bf_stagelist);
  
@@ -118,7 +118,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  
  		/* encap and xmit */
  		bf_ff->bf_skb = ieee80211_encap(ni, bf_ff->bf_skb, &framecnt);
-@@ -2462,15 +2482,16 @@
+@@ -2405,15 +2425,16 @@
  		}
  		bf_ff->bf_node = NULL;
  
@@ -138,7 +138,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  	bf = STAILQ_FIRST(&sc->sc_txbuf);				\
  	if (bf != NULL) {						\
  		STAILQ_REMOVE_HEAD(&sc->sc_txbuf, bf_list);		\
-@@ -2485,10 +2506,21 @@
+@@ -2428,11 +2449,23 @@
  		sc->sc_devstopped = 1;					\
  		ATH_SCHEDULE_TQUEUE(&sc->sc_txtq, NULL); 		\
  	}								\
@@ -159,17 +159,11 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  			"%s: discard, no xmit buf\n", __func__);	\
 +	    ATH_TXQ_UNLOCK_BH(txq);					\
  		sc->sc_stats.ast_tx_nobuf++;				\
- 		goto hardstart_fail;					\
- 	}
-@@ -2490,6 +2490,7 @@
- 		DPRINTF(sc,ATH_DEBUG_XMIT,				\
- 			"%s: discard, no xmit buf\n", __func__);	\
- 		sc->sc_stats.ast_tx_nobuf++;				\
 +		goto hardstart_fail;					\
  	}
  
  /*
-@@ -2552,6 +2584,7 @@
+@@ -2494,6 +2527,7 @@
  	if (M_FLAG_GET(skb, M_UAPSD)) {
  		/* bypass FF handling */
  		ATH_HARDSTART_GET_TX_BUF_WITH_LOCK;
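Review bot: The added macro line `ATH_TXQ_UNLOCK_BH(txq);` is indented with a tab followed by four spaces, while the surrounding lines of the same macro body use two tabs, so the block no longer reads uniformly and the trailing backslash only lines up at one tab width. Re-indent it with two tabs like `sc->sc_stats.ast_tx_nobuf++;` below it. Since this failure path now both releases the txq lock and jumps to `hardstart_fail`, a one-line comment on the macro such as `/* failure path: drops txq lock, then bails out */` would tell callers that they must hold that lock when using it. The macro definition starts outside the hunk, so that precondition cannot be checked from here.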
@@ -177,7 +171,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  		if (bf == NULL)
  			goto hardstart_fail;
  		goto ff_bypass;
-@@ -2573,7 +2606,7 @@
+@@ -2515,7 +2549,7 @@
  	/* NB: use this lock to protect an->an_ff_txbuf in athff_can_aggregate()
  	 *     call too.
  	 */
@@ -186,7 +180,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  	if (athff_can_aggregate(sc, eh, an, skb, vap->iv_fragthreshold, &ff_flush)) {
  
  		if (an->an_tx_ffbuf[skb->priority]) { /* i.e., frame on the staging queue */
-@@ -2583,7 +2616,7 @@
+@@ -2525,7 +2559,7 @@
  			TAILQ_REMOVE(&txq->axq_stageq, bf, bf_stagelist);
  			an->an_tx_ffbuf[skb->priority] = NULL;
  
@@ -195,7 +189,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  
  			/*
  			 * chain skbs and add FF magic
-@@ -2610,6 +2643,7 @@
+@@ -2552,6 +2586,7 @@
  			 *     to give the buffer back.
  			 */
  			ATH_HARDSTART_GET_TX_BUF_WITH_LOCK;
@@ -203,7 +197,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  			if (bf == NULL) {
  				ATH_TXQ_UNLOCK(txq);
  				goto hardstart_fail;
-@@ -2624,7 +2658,7 @@
+@@ -2566,7 +2601,7 @@
  
  			TAILQ_INSERT_HEAD(&txq->axq_stageq, bf, bf_stagelist);
  
@@ -212,7 +206,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  
  			return 0;
  		}
-@@ -2635,7 +2669,7 @@
+@@ -2577,7 +2612,7 @@
  			TAILQ_REMOVE(&txq->axq_stageq, bf_ff, bf_stagelist);
  			an->an_tx_ffbuf[skb->priority] = NULL;
  
@@ -221,7 +215,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  
  			/* encap and xmit */
  			bf_ff->bf_skb = ieee80211_encap(ni, bf_ff->bf_skb, &framecnt);
-@@ -2665,9 +2699,9 @@
+@@ -2607,9 +2642,9 @@
  			}
  			bf_ff->bf_node = NULL;
  
@@ -233,7 +227,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  			goto ff_flushdone;
  		}
  		/*
-@@ -2676,14 +2677,13 @@
+@@ -2619,14 +2654,13 @@
  		else if (an->an_tx_ffbuf[skb->priority]) {
  			DPRINTF(sc, ATH_DEBUG_XMIT | ATH_DEBUG_FF,
  				"%s: Out-Of-Order fast-frame\n", __func__);
@@ -251,7 +245,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  	}
  
  ff_bypass:
-@@ -2691,6 +2725,7 @@
+@@ -2634,6 +2668,7 @@
  #else /* ATH_SUPERG_FF */
  
  	ATH_HARDSTART_GET_TX_BUF_WITH_LOCK;
@@ -259,7 +253,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  
  #endif /* ATH_SUPERG_FF */
  
-@@ -2712,7 +2747,7 @@
+@@ -2655,7 +2690,7 @@
  		 *  Allocate 1 ath_buf for each frame given 1 was 
  		 *  already alloc'd
  		 */
@@ -268,7 +262,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  		for (bfcnt = 1; bfcnt < framecnt; ++bfcnt) {
  			if ((tbf = STAILQ_FIRST(&sc->sc_txbuf)) != NULL) {
  				STAILQ_REMOVE_HEAD(&sc->sc_txbuf, bf_list);
-@@ -2733,11 +2768,11 @@
+@@ -2676,11 +2711,11 @@
  					STAILQ_INSERT_TAIL(&sc->sc_txbuf, tbf, bf_list);
  				}
  			}
@@ -282,7 +276,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  
  		while ((bf = STAILQ_FIRST(&bf_head)) != NULL && skb != NULL) {
  			unsigned int nextfraglen = 0;
-@@ -2773,7 +2808,7 @@
+@@ -2716,7 +2751,7 @@
  
  hardstart_fail:
  	if (!STAILQ_EMPTY(&bf_head)) {
@@ -291,7 +285,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  		STAILQ_FOREACH_SAFE(tbf, &bf_head, bf_list, tempbf) {
  			tbf->bf_skb = NULL;
  			tbf->bf_node = NULL;
-@@ -2783,7 +2818,7 @@
+@@ -2726,7 +2761,7 @@
  
  			STAILQ_INSERT_TAIL(&sc->sc_txbuf, tbf, bf_list);
  		}
@@ -300,7 +294,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  	}
  
  	/* free sk_buffs */
-@@ -2826,7 +2861,7 @@
+@@ -2769,7 +2804,7 @@
  	/*
  	 * Grab a TX buffer and associated resources.
  	 */
@@ -309,7 +303,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  	bf = STAILQ_FIRST(&sc->sc_txbuf);
  	if (bf != NULL)
  		STAILQ_REMOVE_HEAD(&sc->sc_txbuf, bf_list);
-@@ -2837,7 +2872,7 @@
+@@ -2780,7 +2815,7 @@
  		sc->sc_devstopped=1;
  		ATH_SCHEDULE_TQUEUE(&sc->sc_txtq, NULL);
  	}
@@ -318,7 +312,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  	if (bf == NULL) {
  		printk("ath_mgtstart: discard, no xmit buf\n");
  		sc->sc_stats.ast_tx_nobufmgt++;
-@@ -2866,9 +2901,9 @@
+@@ -2809,9 +2844,9 @@
  		bf->bf_skb = NULL;
  		bf->bf_node = NULL;
  
@@ -330,7 +324,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  	}
  	dev_kfree_skb_any(skb);
  	skb = NULL;
-@@ -3336,10 +3371,10 @@
+@@ -3279,10 +3314,10 @@
  	 *
  	 * XXX Using in_softirq is not right since we might
  	 * be called from other soft irq contexts than
@@ -343,7 +337,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  	netif_stop_queue(dev);
  }
  
-@@ -3352,7 +3387,7 @@
+@@ -3295,7 +3330,7 @@
  	DPRINTF(sc, ATH_DEBUG_KEYCACHE, "%s:\n", __func__);
  	netif_start_queue(dev);
  	if (!in_softirq())		/* NB: see above */
@@ -352,7 +346,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  }
  
  /*
-@@ -4912,9 +4947,9 @@
+@@ -4861,9 +4896,9 @@
  		bf->bf_node = NULL;
  		bf->bf_desc->ds_link = 0;
  		
@@ -364,7 +358,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  
  		an->an_uapsd_overflowqdepth--;
  	}
-@@ -5585,13 +5620,12 @@
+@@ -5542,13 +5577,12 @@
  	sc->sc_rxotherant = 0;
  }
  
@@ -380,7 +374,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  	struct ath_buf *bf;
  	struct ath_softc *sc = dev->priv;
  	struct ieee80211com *ic = &sc->sc_ic;
-@@ -5602,11 +5636,15 @@
+@@ -5560,11 +5594,15 @@
  	unsigned int len;
  	int type;
  	u_int phyerr;
@@ -396,7 +390,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  	do {
  		bf = STAILQ_FIRST(&sc->sc_rxbuf);
  		if (bf == NULL) {		/* XXX ??? can this happen */
-@@ -5630,6 +5668,13 @@
+@@ -5588,6 +5626,13 @@
  			/* NB: never process the self-linked entry at the end */
  			break;
  		}
@@ -410,15 +404,15 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  		skb = bf->bf_skb;
  		if (skb == NULL) {		/* XXX ??? can this happen */
  			printk("%s: no skbuff (%s)\n", dev->name, __func__);
-@@ -5668,6 +5668,7 @@
+@@ -5626,6 +5671,7 @@
  				sc->sc_stats.ast_rx_phyerr++;
- 				phyerr = ds->ds_rxstat.rs_phyerr & 0x1f;
+ 				phyerr = rs->rs_phyerr & 0x1f;
  				sc->sc_stats.ast_rx_phy[phyerr]++;
 +				goto rx_next;
  			}
- 			if (ds->ds_rxstat.rs_status & HAL_RXERR_DECRYPT) {
+ 			if (rs->rs_status & HAL_RXERR_DECRYPT) {
  				/*
-@@ -5878,6 +5923,25 @@
+@@ -5829,9 +5875,29 @@
  		STAILQ_INSERT_TAIL(&sc->sc_rxbuf, bf, bf_list);
  		ATH_RXBUF_UNLOCK_IRQ(sc);
  	} while (ath_rxbuf_init(sc, bf) == 0);
@@ -444,15 +438,11 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  	
  	/* rx signal state monitoring */
  	ath_hal_rxmonitor(ah, &sc->sc_halstats, &sc->sc_curchan);
-@@ -5885,6 +5949,7 @@
- 		sc->sc_rtasksched = 1;
- 		schedule_work(&sc->sc_radartask);
- 	}
 +	return early_stop;
  #undef PA2DESC
  }
  
-@@ -6160,22 +6225,22 @@
+@@ -6107,22 +6173,22 @@
  				}
  			}
  
@@ -479,7 +469,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  
  			bf->bf_skbaddr = bus_map_single(sc->sc_bdev,
  				skb->data, skb->len, BUS_DMA_TODEVICE);
-@@ -6641,9 +6706,9 @@
+@@ -6588,9 +6654,9 @@
  		dev_kfree_skb(lastbuf->bf_skb);
  		lastbuf->bf_skb = NULL;
  		ieee80211_unref_node(&lastbuf->bf_node);
@@ -491,7 +481,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  		
  		/*
  		 *  move oldest from overflow to delivery
-@@ -7462,9 +7527,6 @@
+@@ -7411,9 +7477,6 @@
  			if (sc->sc_reapcount > ATH_TXBUF_FREE_THRESHOLD) {
  				if (!sc->sc_dfswait)
  					netif_start_queue(sc->sc_dev);
@@ -501,7 +491,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  				sc->sc_reapcount = 0;
  				sc->sc_devstopped = 0;
  			} else
-@@ -7499,11 +7561,22 @@
+@@ -7448,11 +7511,22 @@
  	struct net_device *dev = (struct net_device *)data;
  	struct ath_softc *sc = dev->priv;
  
@@ -524,7 +514,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  	netif_wake_queue(dev);
  
  	if (sc->sc_softled)
-@@ -7520,6 +7593,7 @@
+@@ -7469,6 +7543,7 @@
  	struct net_device *dev = (struct net_device *)data;
  	struct ath_softc *sc = dev->priv;
  
@@ -532,7 +522,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  	/*
  	 * Process each active queue.
  	 */
-@@ -7540,6 +7614,16 @@
+@@ -7489,6 +7564,16 @@
  	if (sc->sc_uapsdq && txqactive(sc->sc_ah, sc->sc_uapsdq->axq_qnum))
  		ath_tx_processq(sc, sc->sc_uapsdq);
  
@@ -549,7 +539,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  	netif_wake_queue(dev);
  
  	if (sc->sc_softled)
-@@ -7557,6 +7641,7 @@
+@@ -7506,6 +7591,7 @@
  	unsigned int i;
  
  	/* Process each active queue. */
@@ -557,7 +547,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  	for (i = 0; i < HAL_NUM_TX_QUEUES; i++)
  		if (ATH_TXQ_SETUP(sc, i) && txqactive(sc->sc_ah, i))
  			ath_tx_processq(sc, &sc->sc_txq[i]);
-@@ -7565,6 +7650,16 @@
+@@ -7514,6 +7600,16 @@
  		ath_tx_processq(sc, sc->sc_xrtxq);
  #endif
  
@@ -574,7 +564,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  	netif_wake_queue(dev);
  
  	if (sc->sc_softled)
-@@ -7662,6 +7663,7 @@
+@@ -7612,6 +7708,7 @@
  ath_draintxq(struct ath_softc *sc)
  {
  	struct ath_hal *ah = sc->sc_ah;
@@ -582,7 +572,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  	unsigned int i;
  
  	/* XXX return value */
-@@ -9221,9 +9316,9 @@
+@@ -9144,9 +9241,9 @@
  	dev->mtu = mtu;
  	if ((dev->flags & IFF_RUNNING) && !sc->sc_invalid) {
  		/* NB: the rx buffers may need to be reallocated */
@@ -594,10 +584,10 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  	}
  	ATH_UNLOCK(sc);
  
-diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_athvar.h madwifi-ng-refcount-r2313-20070505.dev/ath/if_athvar.h
---- madwifi-ng-refcount-r2313-20070505.old/ath/if_athvar.h	2007-05-13 18:17:56.363000560 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/ath/if_athvar.h	2007-05-13 18:17:56.595965144 +0200
-@@ -47,6 +47,10 @@
+diff -ur madwifi.old/ath/if_athvar.h madwifi.dev/ath/if_athvar.h
+--- madwifi.old/ath/if_athvar.h	2007-05-21 07:49:54.563132960 +0200
++++ madwifi.dev/ath/if_athvar.h	2007-05-21 07:50:22.814838048 +0200
+@@ -48,6 +48,10 @@
  #include "if_athioctl.h"
  #include "net80211/ieee80211.h"		/* XXX for WME_NUM_AC */
  
@@ -608,7 +598,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_athvar.h madwifi-ng-refc
  /*
   * Deduce if tasklets are available.  If not then
   * fall back to using the immediate work queue.
-@@ -477,8 +481,12 @@
+@@ -478,8 +482,12 @@
  #define	ATH_TXQ_LOCK_DESTROY(_tq)	
  #define	ATH_TXQ_LOCK(_tq)		spin_lock(&(_tq)->axq_lock)
  #define	ATH_TXQ_UNLOCK(_tq)		spin_unlock(&(_tq)->axq_lock)
@@ -623,7 +613,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_athvar.h madwifi-ng-refc
  #define ATH_TXQ_LOCK_IRQ(_tq)		do {	\
  	unsigned long __axq_lockflags;		\
  	spin_lock_irqsave(&(_tq)->axq_lock, __axq_lockflags);
-@@ -627,7 +635,6 @@
+@@ -623,7 +631,6 @@
  	struct ath_buf *sc_rxbufcur;		/* current rx buffer */
  	u_int32_t *sc_rxlink;			/* link ptr in last RX desc */
  	spinlock_t sc_rxbuflock; 
@@ -631,7 +621,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_athvar.h madwifi-ng-refc
  	struct ATH_TQ_STRUCT sc_rxorntq;	/* rxorn intr tasklet */
  	u_int8_t sc_defant;			/* current default antenna */
  	u_int8_t sc_rxotherant;			/* rx's on non-default antenna*/
-@@ -640,6 +647,7 @@
+@@ -636,6 +643,7 @@
  	u_int sc_txintrperiod;			/* tx interrupt batching */
  	struct ath_txq sc_txq[HAL_NUM_TX_QUEUES];
  	struct ath_txq *sc_ac2q[WME_NUM_AC];	/* WME AC -> h/w qnum */ 
@@ -639,7 +629,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_athvar.h madwifi-ng-refc
  	struct ATH_TQ_STRUCT sc_txtq;		/* tx intr tasklet */
  	u_int8_t sc_grppoll_str[GRPPOLL_RATE_STR_LEN];  
  	struct ath_descdma sc_bdma;		/* beacon descriptors */
-@@ -706,8 +714,12 @@
+@@ -701,8 +709,12 @@
  #define	ATH_TXBUF_LOCK_DESTROY(_sc)
  #define	ATH_TXBUF_LOCK(_sc)		spin_lock(&(_sc)->sc_txbuflock)
  #define	ATH_TXBUF_UNLOCK(_sc)		spin_unlock(&(_sc)->sc_txbuflock)
@@ -654,7 +644,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_athvar.h madwifi-ng-refc
  #define	ATH_TXBUF_LOCK_IRQ(_sc)		do {	\
  	unsigned long __txbuflockflags;		\
  	spin_lock_irqsave(&(_sc)->sc_txbuflock, __txbuflockflags);
-@@ -725,8 +737,12 @@
+@@ -720,8 +732,12 @@
  #define	ATH_RXBUF_LOCK_DESTROY(_sc)
  #define	ATH_RXBUF_LOCK(_sc)		spin_lock(&(_sc)->sc_rxbuflock)
  #define	ATH_RXBUF_UNLOCK(_sc)		spin_unlock(&(_sc)->sc_rxbuflock)
@@ -669,7 +659,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_athvar.h madwifi-ng-refc
  #define	ATH_RXBUF_LOCK_IRQ(_sc)		do {	\
  	unsigned long __rxbuflockflags;		\
  	spin_lock_irqsave(&(_sc)->sc_rxbuflock, __rxbuflockflags);
-@@ -736,6 +752,8 @@
+@@ -731,6 +747,8 @@
  #define	ATH_RXBUF_UNLOCK_IRQ_EARLY(_sc)		\
  	spin_unlock_irqrestore(&(_sc)->sc_rxbuflock, __rxbuflockflags);
  
@@ -678,9 +668,9 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_athvar.h madwifi-ng-refc
  
  /* Protects the device from concurrent accesses */
  #define	ATH_LOCK_INIT(_sc)		init_MUTEX(&(_sc)->sc_lock)
-diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_beacon.c madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_beacon.c
---- madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_beacon.c	2007-01-30 05:01:29.000000000 +0100
-+++ madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_beacon.c	2007-05-13 18:17:56.596964992 +0200
+diff -ur madwifi.old/net80211/ieee80211_beacon.c madwifi.dev/net80211/ieee80211_beacon.c
+--- madwifi.old/net80211/ieee80211_beacon.c	2007-01-31 11:41:05.000000000 +0100
++++ madwifi.dev/net80211/ieee80211_beacon.c	2007-05-21 07:50:22.815837896 +0200
 @@ -286,7 +286,7 @@
  	int len_changed = 0;
  	u_int16_t capinfo;
@@ -699,10 +689,10 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_beacon.c mad
  
  	return len_changed;
  }
-diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_input.c madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_input.c
---- madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_input.c	2007-05-13 18:17:56.106039624 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_input.c	2007-05-13 18:17:56.597964840 +0200
-@@ -1148,8 +1148,9 @@
+diff -ur madwifi.old/net80211/ieee80211_input.c madwifi.dev/net80211/ieee80211_input.c
+--- madwifi.old/net80211/ieee80211_input.c	2007-05-21 07:49:54.527138432 +0200
++++ madwifi.dev/net80211/ieee80211_input.c	2007-05-21 07:50:22.816837744 +0200
+@@ -1155,8 +1155,9 @@
  		if (ni->ni_vlan != 0 && vap->iv_vlgrp != NULL) {
  			/* attach vlan tag */
  			vlan_hwaccel_receive_skb(skb, vap->iv_vlgrp, ni->ni_vlan);
@@ -714,7 +704,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_input.c madw
  		dev->last_rx = jiffies;
  	}
  }
-@@ -3623,9 +3624,9 @@
+@@ -3657,9 +3658,9 @@
  	}
  
  	/* Okay, take the first queued packet and put it out... */
@@ -726,9 +716,9 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_input.c madw
  	if (skb == NULL) {
  		IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_POWER, wh->i_addr2,
  			"%s", "recv ps-poll, but queue empty");
-diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_linux.h madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_linux.h
---- madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_linux.h	2007-05-04 02:10:06.000000000 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_linux.h	2007-05-13 18:17:56.598964688 +0200
+diff -ur madwifi.old/net80211/ieee80211_linux.h madwifi.dev/net80211/ieee80211_linux.h
+--- madwifi.old/net80211/ieee80211_linux.h	2007-05-21 07:49:54.528138280 +0200
++++ madwifi.dev/net80211/ieee80211_linux.h	2007-05-21 07:50:22.817837592 +0200
 @@ -31,6 +31,10 @@
  
  #include <linux/wireless.h>
@@ -829,10 +819,10 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_linux.h madw
  
  #if (defined(CONFIG_SMP) || defined(CONFIG_DEBUG_SPINLOCK)) && defined(spin_is_locked)
  #define	ACL_LOCK_ASSERT(_as) \
-diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_node.c madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_node.c
---- madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_node.c	2007-05-13 18:17:56.273014240 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_node.c	2007-05-13 18:17:56.599964536 +0200
-@@ -1567,7 +1567,7 @@
+diff -ur madwifi.old/net80211/ieee80211_node.c madwifi.dev/net80211/ieee80211_node.c
+--- madwifi.old/net80211/ieee80211_node.c	2007-05-21 07:49:54.555134176 +0200
++++ madwifi.dev/net80211/ieee80211_node.c	2007-05-21 07:50:22.818837440 +0200
+@@ -1570,7 +1570,7 @@
  	struct ieee80211_node *ni;
  	u_int gen;
  
@@ -841,7 +831,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_node.c madwi
  	gen = ++nt->nt_scangen;
  	
  restart:
-@@ -1587,7 +1587,7 @@
+@@ -1590,7 +1590,7 @@
  	}
  	IEEE80211_NODE_TABLE_UNLOCK_IRQ(nt);
  
@@ -850,9 +840,9 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_node.c madwi
  }
  EXPORT_SYMBOL(ieee80211_iterate_dev_nodes);
  
-diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_power.c madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_power.c
---- madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_power.c	2007-04-25 22:29:55.000000000 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_power.c	2007-05-13 18:17:56.599964536 +0200
+diff -ur madwifi.old/net80211/ieee80211_power.c madwifi.dev/net80211/ieee80211_power.c
+--- madwifi.old/net80211/ieee80211_power.c	2007-05-21 07:49:54.532137672 +0200
++++ madwifi.dev/net80211/ieee80211_power.c	2007-05-21 07:50:22.818837440 +0200
 @@ -147,7 +147,7 @@
  #endif
  		struct sk_buff *skb;
@@ -901,7 +891,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_power.c madw
  		if (skb == NULL)
  			break;
  		/* 
-@@ -363,9 +363,9 @@
+@@ -361,9 +361,9 @@
  			for (;;) {
  				struct sk_buff *skb;
  
@@ -913,9 +903,9 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_power.c madw
  				if (skb == NULL)
  					break;
  				ieee80211_parent_queue_xmit(skb);
-diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_proto.c madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_proto.c
---- madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_proto.c	2007-05-13 18:17:56.578967728 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_proto.c	2007-05-13 18:17:56.600964384 +0200
+diff -ur madwifi.old/net80211/ieee80211_proto.c madwifi.dev/net80211/ieee80211_proto.c
+--- madwifi.old/net80211/ieee80211_proto.c	2007-05-21 07:49:54.574131288 +0200
++++ madwifi.dev/net80211/ieee80211_proto.c	2007-05-21 07:50:22.819837288 +0200
 @@ -635,9 +635,9 @@
  {
  	struct ieee80211com *ic = vap->iv_ic;
@@ -940,9 +930,9 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_proto.c madw
  	}
  }
  
-diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_scan_sta.c madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_scan_sta.c
---- madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_scan_sta.c	2007-02-01 21:49:37.000000000 +0100
-+++ madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_scan_sta.c	2007-05-13 18:17:56.601964232 +0200
+diff -ur madwifi.old/net80211/ieee80211_scan_sta.c madwifi.dev/net80211/ieee80211_scan_sta.c
+--- madwifi.old/net80211/ieee80211_scan_sta.c	2006-09-20 10:45:13.000000000 +0200
++++ madwifi.dev/net80211/ieee80211_scan_sta.c	2007-05-21 07:50:22.819837288 +0200
 @@ -163,9 +163,11 @@
  {
  	struct sta_table *st = ss->ss_priv;
diff --git a/package/madwifi/patches/308-mlme_fix.patch b/package/madwifi/patches/308-mlme_fix.patch
deleted file mode 100644
index 57776bb59..000000000
--- a/package/madwifi/patches/308-mlme_fix.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_wireless.c madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_wireless.c
---- madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_wireless.c	2007-05-13 18:17:56.109039168 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_wireless.c	2007-05-13 18:17:56.795934744 +0200
-@@ -3359,7 +3359,7 @@
- 				if (ieee80211_sta_join(vap, lookup.se))
- 					while (!vap->iv_nsdone)
- 						IEEE80211_RESCHEDULE();
--				if (vap->iv_nsparams.result)
-+				if (!vap->iv_nsparams.result)
- 					return 0;
- 			}
- 		}
diff --git a/package/madwifi/patches/309-micfail_detect.patch b/package/madwifi/patches/309-micfail_detect.patch
index 2ab07bbed..6eed79384 100644
--- a/package/madwifi/patches/309-micfail_detect.patch
+++ b/package/madwifi/patches/309-micfail_detect.patch
@@ -1,7 +1,7 @@
-diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcount-r2313-20070505.dev/ath/if_ath.c
---- madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c	2007-05-13 18:17:56.785936264 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/ath/if_ath.c	2007-05-13 18:17:56.878922128 +0200
-@@ -5640,6 +5640,7 @@
+diff -ur madwifi.old/ath/if_ath.c madwifi.dev/ath/if_ath.c
+--- madwifi.old/ath/if_ath.c	2007-05-21 07:53:37.247279824 +0200
++++ madwifi.dev/ath/if_ath.c	2007-05-21 07:55:23.290158856 +0200
+@@ -5598,6 +5598,7 @@
  	u_int phyerr;
  	int processed = 0, early_stop = 0;
  	int rx_limit = dev->quota;
@@ -9,16 +9,16 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  
  	/* Let the 802.11 layer know about the new noise floor */
  	ic->ic_channoise = sc->sc_channoise;
-@@ -5734,32 +5735,16 @@
+@@ -5692,31 +5693,16 @@
  			}
- 			if (ds->ds_rxstat.rs_status & HAL_RXERR_MIC) {
+ 			if (rs->rs_status & HAL_RXERR_MIC) {
  				sc->sc_stats.ast_rx_badmic++;
 -				/*
 -				 * Do minimal work required to hand off
 -				 * the 802.11 header for notification.
 -				 */
 -				/* XXX frag's and QoS frames */
--				len = ds->ds_rxstat.rs_datalen;
+-				len = rs->rs_datalen;
 -				if (len >= sizeof (struct ieee80211_frame)) {
 -					bus_dma_sync_single(sc->sc_bdev,
 -					    bf->bf_skbaddr, len,
@@ -28,8 +28,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
 -					ieee80211_notify_michael_failure(ic,
 -					    (struct ieee80211_frame *) skb->data,
 -					    sc->sc_splitmic ?
--					        ds->ds_rxstat.rs_keyix - 32 :
--					        ds->ds_rxstat.rs_keyix
+-					        rs->rs_keyix - 32 : rs->rs_keyix
 -					);
 -#endif
 -				}
@@ -40,15 +39,15 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  			 * are operating in monitor mode.
  			 */
 -			if(sc->sc_nmonvaps == 0) goto rx_next;
-+			if ((ds->ds_rxstat.rs_status & ~HAL_RXERR_MIC) &&
-+				((ds->ds_rxstat.rs_status &~ HAL_RXERR_DECRYPT) ||
++			if ((rs->rs_status & ~HAL_RXERR_MIC) &&
++				((rs->rs_status &~ HAL_RXERR_DECRYPT) ||
 +			     (sc->sc_ic.ic_opmode != IEEE80211_M_MONITOR)))
 +					goto rx_next;
  		}
  rx_accept:
  		/*
-@@ -5843,6 +5828,20 @@
- 				   ds->ds_rxstat.rs_rssi);
+@@ -5800,6 +5786,20 @@
+ 				   rs->rs_rssi);
  		}
  
 +		/* MIC failure. Drop the packet in any case */
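Review bot: The refreshed drop test `if ((rs->rs_status & ~HAL_RXERR_MIC) && ((rs->rs_status &~ HAL_RXERR_DECRYPT) || (sc->sc_ic.ic_opmode != IEEE80211_M_MONITOR)))` carries no comment on which error frames it lets through to `rx_accept`, yet it decides whether a Michael MIC failure reaches the later "MIC failure. Drop the packet in any case" block. As written, a frame whose only error bit is `HAL_RXERR_MIC` passes, a decrypt-only error passes only in monitor mode, and every other error frame goes to `rx_next`. I would put `/* pass MIC-only errors so the failure is reported and the frame dropped below; pass decrypt-only errors in monitor mode; drop the rest */` above it and write `& ~` consistently in both clauses. The test it replaces used `sc->sc_nmonvaps == 0`, so confirm that `ic_opmode != IEEE80211_M_MONITOR` gives the same result when a monitor VAP coexists with another VAP. The enclosing function and the body of the later MIC block are outside the hunk.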
@@ -68,9 +67,9 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  		/*
  		 * Locate the node for sender, track state, and then
  		 * pass the (referenced) node up to the 802.11 layer
-diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_crypto_ccmp.c madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_crypto_ccmp.c
---- madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_crypto_ccmp.c	2007-04-13 07:53:25.000000000 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_crypto_ccmp.c	2007-05-13 18:17:56.879921976 +0200
+diff -ur madwifi.old/net80211/ieee80211_crypto_ccmp.c madwifi.dev/net80211/ieee80211_crypto_ccmp.c
+--- madwifi.old/net80211/ieee80211_crypto_ccmp.c	2007-05-18 13:19:16.000000000 +0200
++++ madwifi.dev/net80211/ieee80211_crypto_ccmp.c	2007-05-21 07:54:24.892036720 +0200
 @@ -78,7 +78,7 @@
  static int ccmp_encap(struct ieee80211_key *, struct sk_buff *, u_int8_t);
  static int ccmp_decap(struct ieee80211_key *, struct sk_buff *, int);
@@ -89,9 +88,9 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_crypto_ccmp.
  {
  	return 1;
  }
-diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_crypto.h madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_crypto.h
---- madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_crypto.h	2007-04-25 22:29:55.000000000 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_crypto.h	2007-05-13 18:17:56.880921824 +0200
+diff -ur madwifi.old/net80211/ieee80211_crypto.h madwifi.dev/net80211/ieee80211_crypto.h
+--- madwifi.old/net80211/ieee80211_crypto.h	2007-05-04 15:45:58.000000000 +0200
++++ madwifi.dev/net80211/ieee80211_crypto.h	2007-05-21 07:54:24.893036568 +0200
 @@ -145,7 +145,7 @@
  	int (*ic_encap)(struct ieee80211_key *, struct sk_buff *, u_int8_t);
  	int (*ic_decap)(struct ieee80211_key *, struct sk_buff *, int);
@@ -114,9 +113,9 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_crypto.h mad
  }
  
  /*
-diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_crypto_none.c madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_crypto_none.c
---- madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_crypto_none.c	2006-09-20 10:45:13.000000000 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_crypto_none.c	2007-05-13 18:17:56.880921824 +0200
+diff -ur madwifi.old/net80211/ieee80211_crypto_none.c madwifi.dev/net80211/ieee80211_crypto_none.c
+--- madwifi.old/net80211/ieee80211_crypto_none.c	2006-09-20 10:45:13.000000000 +0200
++++ madwifi.dev/net80211/ieee80211_crypto_none.c	2007-05-21 07:54:24.893036568 +0200
 @@ -52,7 +52,7 @@
  static int none_encap(struct ieee80211_key *, struct sk_buff *, u_int8_t);
  static int none_decap(struct ieee80211_key *, struct sk_buff *, int);
@@ -135,9 +134,9 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_crypto_none.
  {
  	struct ieee80211vap *vap = k->wk_private;
  
-diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_crypto_tkip.c madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_crypto_tkip.c
---- madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_crypto_tkip.c	2007-01-30 04:51:52.000000000 +0100
-+++ madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_crypto_tkip.c	2007-05-13 18:17:56.880921824 +0200
+diff -ur madwifi.old/net80211/ieee80211_crypto_tkip.c madwifi.dev/net80211/ieee80211_crypto_tkip.c
+--- madwifi.old/net80211/ieee80211_crypto_tkip.c	2007-05-18 13:19:16.000000000 +0200
++++ madwifi.dev/net80211/ieee80211_crypto_tkip.c	2007-05-21 07:54:24.893036568 +0200
 @@ -57,7 +57,7 @@
  static int tkip_encap(struct ieee80211_key *, struct sk_buff *, u_int8_t);
  static int tkip_enmic(struct ieee80211_key *, struct sk_buff *, int);
@@ -165,9 +164,9 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_crypto_tkip.
  		struct ieee80211vap *vap = ctx->tc_vap;
  		u8 mic[IEEE80211_WEP_MICLEN];
  		u8 mic0[IEEE80211_WEP_MICLEN];
-diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_crypto_wep.c madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_crypto_wep.c
---- madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_crypto_wep.c	2006-09-20 10:45:13.000000000 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_crypto_wep.c	2007-05-13 18:17:56.881921672 +0200
+diff -ur madwifi.old/net80211/ieee80211_crypto_wep.c madwifi.dev/net80211/ieee80211_crypto_wep.c
+--- madwifi.old/net80211/ieee80211_crypto_wep.c	2006-09-20 10:45:13.000000000 +0200
++++ madwifi.dev/net80211/ieee80211_crypto_wep.c	2007-05-21 07:54:24.894036416 +0200
 @@ -54,7 +54,7 @@
  static int wep_encap(struct ieee80211_key *, struct sk_buff *, u_int8_t);
  static int wep_decap(struct ieee80211_key *, struct sk_buff *, int);
@@ -186,9 +185,9 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_crypto_wep.c
  {
  	return 1;
  }
-diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_input.c madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_input.c
---- madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_input.c	2007-05-13 18:17:56.786936112 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_input.c	2007-05-13 18:17:56.883921368 +0200
+diff -ur madwifi.old/net80211/ieee80211_input.c madwifi.dev/net80211/ieee80211_input.c
+--- madwifi.old/net80211/ieee80211_input.c	2007-05-21 07:53:37.249279520 +0200
++++ madwifi.dev/net80211/ieee80211_input.c	2007-05-21 07:54:24.895036264 +0200
 @@ -654,7 +654,7 @@
  		 * Next strip any MSDU crypto bits.
  		 */
@@ -198,7 +197,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_input.c madw
  			IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
  				ni->ni_macaddr, "data", "%s", "demic error");
  			IEEE80211_NODE_STAT(ni, rx_demicfail);
-@@ -3734,6 +3734,47 @@
+@@ -3778,6 +3778,47 @@
  }
  #endif
  
@@ -246,10 +245,10 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_input.c madw
  #ifdef IEEE80211_DEBUG
  /*
   * Debugging support.
-diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_linux.c madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_linux.c
---- madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_linux.c	2007-04-25 22:29:55.000000000 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_linux.c	2007-05-13 18:17:56.883921368 +0200
-@@ -309,8 +309,8 @@
+diff -ur madwifi.old/net80211/ieee80211_linux.c madwifi.dev/net80211/ieee80211_linux.c
+--- madwifi.old/net80211/ieee80211_linux.c	2007-05-21 07:49:54.528138280 +0200
++++ madwifi.dev/net80211/ieee80211_linux.c	2007-05-21 07:54:24.896036112 +0200
+@@ -311,8 +311,8 @@
  
  	/* TODO: needed parameters: count, keyid, key type, src address, TSC */
  	snprintf(buf, sizeof(buf), "%s(keyid=%d %scast addr=%s)", tag,
@@ -260,9 +259,9 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_linux.c madw
  	memset(&wrqu, 0, sizeof(wrqu));
  	wrqu.data.length = strlen(buf);
  	wireless_send_event(dev, IWEVCUSTOM, &wrqu, buf);
-diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_proto.h madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_proto.h
---- madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_proto.h	2007-05-13 18:17:56.579967576 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_proto.h	2007-05-13 18:17:56.884921216 +0200
+diff -ur madwifi.old/net80211/ieee80211_proto.h madwifi.dev/net80211/ieee80211_proto.h
+--- madwifi.old/net80211/ieee80211_proto.h	2007-05-21 07:49:54.574131288 +0200
++++ madwifi.dev/net80211/ieee80211_proto.h	2007-05-21 07:54:24.896036112 +0200
 @@ -91,6 +91,7 @@
  void ieee80211_set11gbasicrates(struct ieee80211_rateset *, enum ieee80211_phymode);
  enum ieee80211_phymode ieee80211_get11gbasicrates(struct ieee80211_rateset *);
-- 