Index: madwifi-ng-r2978-20071127/ath/if_ath.c
===================================================================
--- madwifi-ng-r2978-20071127.orig/ath/if_ath.c	2007-11-27 21:18:24.910671912 +0100
+++ madwifi-ng-r2978-20071127/ath/if_ath.c	2007-11-27 21:21:37.137626301 +0100
@@ -515,7 +515,6 @@
  */
 #define ATH_SET_VAP_BSSID_MASK(bssid_mask)				\
 	((bssid_mask)[0] &= ~(((ATH_BCBUF-1) << 2) | 0x02))
-#define ATH_GET_VAP_ID(bssid)                   ((bssid)[0] >> 2)
 #define ATH_SET_VAP_BSSID(bssid, id)					\
 		do {							\
 			if (id)						\
@@ -1203,7 +1202,11 @@
 	case IEEE80211_M_IBSS:
 		if ((sc->sc_nvaps != 0) && (ic->ic_opmode == IEEE80211_M_STA))
 			return NULL;
-		ic_opmode = opmode;
+		else if (sc->sc_nvaps == 0)
+			ic_opmode = opmode;
+		else
+			ic_opmode = IEEE80211_M_HOSTAP;
+		sc->sc_nibssvaps++;
 		break;
 	case IEEE80211_M_AHDEMO:
 	case IEEE80211_M_MONITOR:
@@ -1233,7 +1236,7 @@
 		return NULL;
 	}
 
-	if (sc->sc_nvaps >= ATH_BCBUF) {
+	if (sc->sc_nvaps + sc->sc_nibssvaps >= ATH_BCBUF) {
 		printk(KERN_WARNING "too many virtual APs (already got %d)\n", 
 				sc->sc_nvaps);
 		return NULL;
@@ -1288,6 +1291,7 @@
 		/* Use RadioTAP interface type for monitor mode. */
 		dev->type = ARPHRD_IEEE80211_RADIOTAP;
 
+	avp->av_bslot = -1;
 	if ((flags & IEEE80211_CLONE_BSSID) && sc->sc_hasbmask) {
 		struct ieee80211vap *v;
 		unsigned int id_mask, id;
@@ -1301,18 +1305,22 @@
 
 		/* do a full search to mark all the allocated VAPs */
 		id_mask = 0;
-		TAILQ_FOREACH(v, &ic->ic_vaps, iv_next)
-			id_mask |= (1 << ATH_GET_VAP_ID(v->iv_myaddr));
+		TAILQ_FOREACH(v, &ic->ic_vaps, iv_next) {
+			struct ath_vap *a = (struct ath_vap *) v->iv_dev->priv;
+			if (a->av_bslot >= 0)
+				id_mask |= (1 << a->av_bslot);
+		}
 
-		for (id = 1; id < ATH_BCBUF; id++) {
+		/* IBSS mode has local always set, so don't hand out beacon slot 0 to an IBSS vap */
+		for (id = (opmode == IEEE80211_M_IBSS ? 1 : 0); id < ATH_BCBUF; id++) {
 			/* get the first available slot */
 			if ((id_mask & (1 << id)) == 0) {
 				ATH_SET_VAP_BSSID(vap->iv_myaddr, id);
+				avp->av_bslot = id;
 				break;
 			}
 		}
 	}
-	avp->av_bslot = -1;
 	STAILQ_INIT(&avp->av_mcastq.axq_q);
 	ATH_TXQ_LOCK_INIT(&avp->av_mcastq);
 	if (opmode == IEEE80211_M_HOSTAP || opmode == IEEE80211_M_IBSS) {
@@ -1322,33 +1330,14 @@
 		 */
 		avp->av_bcbuf = STAILQ_FIRST(&sc->sc_bbuf);
 		STAILQ_REMOVE_HEAD(&sc->sc_bbuf, bf_list);
-		if (opmode == IEEE80211_M_HOSTAP || !sc->sc_hasveol) {
+		if ((opmode == IEEE80211_M_IBSS) || (opmode == IEEE80211_M_HOSTAP) || !sc->sc_hasveol) {
 			unsigned int slot;
-			/*
-			 * Assign the VAP to a beacon xmit slot.  As
-			 * above, this cannot fail to find one.
-			 */
-			avp->av_bslot = 0;
-			for (slot = 0; slot < ATH_BCBUF; slot++)
-				if (sc->sc_bslot[slot] == NULL) {
-					/*
-					 * XXX hack, space out slots to better
-					 * deal with misses
-					 */
-					if (slot + 1 < ATH_BCBUF &&
-					    sc->sc_bslot[slot+1] == NULL) {
-						avp->av_bslot = slot + 1;
-						break;
-					}
-					avp->av_bslot = slot;
-					/* NB: keep looking for a double slot */
-				}
 			KASSERT(sc->sc_bslot[avp->av_bslot] == NULL,
 				("beacon slot %u not empty?", avp->av_bslot));
 			sc->sc_bslot[avp->av_bslot] = vap;
 			sc->sc_nbcnvaps++;
 		}
-		if ((opmode == IEEE80211_M_HOSTAP) && (sc->sc_hastsfadd)) {
+		if ((sc->sc_opmode == IEEE80211_M_HOSTAP) && (sc->sc_hastsfadd)) {
 			/*
 			 * Multiple VAPs are to transmit beacons and we
 			 * have h/w support for TSF adjusting; enable use
@@ -1460,7 +1449,9 @@
 			sc->sc_stagbeacons = 0;
 	}
 
-	if (vap->iv_opmode == IEEE80211_M_STA) {
+	if (vap->iv_opmode == IEEE80211_M_IBSS) {
+		sc->sc_nibssvaps--;
+	} else if (vap->iv_opmode == IEEE80211_M_STA) {
 		sc->sc_nstavaps--;
 		sc->sc_nostabeacons = 0;
 	} else if (vap->iv_opmode == IEEE80211_M_MONITOR)
@@ -3816,7 +3807,7 @@
 	    sc->sc_opmode == HAL_M_IBSS ||	/* NB: AHDEMO too */
 	    (sc->sc_nostabeacons) || sc->sc_scanning)
 		rfilt |= HAL_RX_FILTER_BEACON;
-	if (sc->sc_nmonvaps > 0)
+	if ((sc->sc_nmonvaps > 0) || ((sc->sc_nvaps > 0) && (sc->sc_nibssvaps > 0)))
 		rfilt |= (HAL_RX_FILTER_CONTROL | HAL_RX_FILTER_BEACON |
 			  HAL_RX_FILTER_PROBEREQ | HAL_RX_FILTER_PROM);
 	return rfilt;
@@ -6284,12 +6275,20 @@
 			type = ieee80211_input(ni, skb, rs->rs_rssi, bf->bf_tsf);
 			ieee80211_unref_node(&ni);
 		} else {
+			const struct ieee80211_frame_min *wh = (const struct ieee80211_frame_min *) skb->data;
 			/*
 			 * No key index or no entry, do a lookup and
 			 * add the node to the mapping table if possible.
 			 */
-			ni = ieee80211_find_rxnode(ic,
-				(const struct ieee80211_frame_min *) skb->data);
+			if (((wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK) == IEEE80211_FC0_SUBTYPE_PROBE_REQ) &&
+					(sc->sc_nibssvaps > 0))
+				/* if this is a probe request, send it to all vaps
+				 * when looking up nodes, hostap will be preferred over ibss,
+				 * because ibss will catch all nodes */
+				ni = NULL;
+			else
+				ni = ieee80211_find_rxnode(ic, (const struct ieee80211_frame_min *) skb->data);
+
 			if (ni != NULL) {
 				struct ath_node *an = ATH_NODE(ni);
 				ieee80211_keyix_t keyix;
Index: madwifi-ng-r2978-20071127/ath/if_athvar.h
===================================================================
--- madwifi-ng-r2978-20071127.orig/ath/if_athvar.h	2007-11-27 21:18:08.257722921 +0100
+++ madwifi-ng-r2978-20071127/ath/if_athvar.h	2007-11-27 21:18:30.026963473 +0100
@@ -209,7 +209,7 @@
 #define	ATH_RXBUF	40		/* number of RX buffers */
 #define	ATH_TXBUF	200		/* number of TX buffers */
 
-#define	ATH_BCBUF	4		/* number of beacon buffers */
+#define	ATH_BCBUF	8		/* number of beacon buffers */
 
 /* free buffer threshold to restart net dev */
 #define	ATH_TXBUF_FREE_THRESHOLD  (ATH_TXBUF / 20)
@@ -667,6 +667,7 @@
 	u_int16_t sc_nvaps;			/* # of active virtual APs */
 	u_int8_t sc_nstavaps;			/* # of active station VAPs */
 	u_int8_t sc_nmonvaps;			/* # of monitor VAPs */
+	u_int8_t sc_nibssvaps;			/* # of active ibss vaps */
 	u_int8_t sc_nbcnvaps;			/* # of vaps sending beacons */
 	u_int sc_fftxqmin;			/* aggregation threshold */
 	HAL_INT sc_imask;			/* interrupt mask copy */
Index: madwifi-ng-r2978-20071127/net80211/ieee80211_beacon.c
===================================================================
--- madwifi-ng-r2978-20071127.orig/net80211/ieee80211_beacon.c	2007-11-27 21:18:08.265723374 +0100
+++ madwifi-ng-r2978-20071127/net80211/ieee80211_beacon.c	2007-11-27 21:18:30.034963929 +0100
@@ -111,7 +111,7 @@
 	bo->bo_tim = frm;
 
 	/* IBSS/TIM */
-	if (vap->iv_opmode == IEEE80211_M_IBSS) {
+	if (ic->ic_opmode == IEEE80211_M_IBSS) {
 		*frm++ = IEEE80211_ELEMID_IBSSPARMS;
 		*frm++ = 2;
 		*frm++ = 0; *frm++ = 0;		/* TODO: ATIM window */
Index: madwifi-ng-r2978-20071127/net80211/ieee80211_input.c
===================================================================
--- madwifi-ng-r2978-20071127.orig/net80211/ieee80211_input.c	2007-11-27 21:18:08.269723596 +0100
+++ madwifi-ng-r2978-20071127/net80211/ieee80211_input.c	2007-11-27 21:18:30.038964155 +0100
@@ -3069,7 +3069,13 @@
 			return;
 		}
 		if (ni == vap->iv_bss) {
-			if (vap->iv_opmode == IEEE80211_M_IBSS) {
+			/* this probe request may have been sent to all vaps
+			 * to give each a chance of creating a node for this.
+			 * important for hostap+ibss mode */
+			ni = ieee80211_find_rxnode(ic, (const struct ieee80211_frame_min *) skb->data);
+			if (ni) {
+				allocbs = 0;
+			} else if (vap->iv_opmode == IEEE80211_M_IBSS) {
 				/*
 				 * XXX Cannot tell if the sender is operating
 				 * in ibss mode.  But we need a new node to
@@ -3078,12 +3084,13 @@
 				 */
 				ni = ieee80211_fakeup_adhoc_node(vap,
 					wh->i_addr2);
+				allocbs = 1;
 			} else {
 				ni = ieee80211_dup_bss(vap, wh->i_addr2, 1);
+				allocbs = 1;
 			}
 			if (ni == NULL)
 				return;
-			allocbs = 1;
 		}
 
 		IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2,
Index: madwifi-ng-r2978-20071127/net80211/ieee80211_node.c
===================================================================
--- madwifi-ng-r2978-20071127.orig/net80211/ieee80211_node.c	2007-11-27 21:18:08.281724279 +0100
+++ madwifi-ng-r2978-20071127/net80211/ieee80211_node.c	2007-11-27 21:24:30.083481925 +0100
@@ -1326,13 +1326,26 @@
 	IEEE80211_NODE_TABLE_LOCK_ASSERT(nt);
 
 	hash = IEEE80211_NODE_HASH(macaddr);
+
+	/* look for non-ibss nodes first */
 	LIST_FOREACH(ni, &nt->nt_hash[hash], ni_hash) {
-		if (IEEE80211_ADDR_EQ(ni->ni_macaddr, macaddr)) {
+		if (IEEE80211_ADDR_EQ(ni->ni_macaddr, macaddr) && ni->ni_vap->iv_opmode != IEEE80211_M_IBSS) {
 #ifdef IEEE80211_DEBUG_REFCNT
 			ieee80211_ref_node_debug(ni, func, line);
 #else
 			ieee80211_ref_node(ni);
-#endif 
+#endif
+			return ni;
+		}
+	}
+
+	LIST_FOREACH(ni, &nt->nt_hash[hash], ni_hash) {
+		if (IEEE80211_ADDR_EQ(ni->ni_macaddr, macaddr) && ni->ni_vap->iv_opmode == IEEE80211_M_IBSS) {
+#ifdef IEEE80211_DEBUG_REFCNT
+			ieee80211_ref_node_debug(ni, func, line);
+#else
+			ieee80211_ref_node(ni);
+#endif
 			return ni;
 		}
 	}
@@ -1345,7 +1358,7 @@
 			return ieee80211_ref_node_debug(wds->wds_ni, func, line);
 #else
 			return ieee80211_ref_node(wds->wds_ni);
-#endif 
+#endif
 		}
 	}
 	return NULL;