update madwifi to latest trunk (refcount and hal-0.9.30.13 got merged) and include a security fix that was merged in 0.9.3.1

SVN-Revision: 7309

package/madwifi/Makefile

@@ -10,13 +10,13 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=madwifi
-PKG_VERSION:=r2351-20070519
-PKG_BRANCH:=madwifi-hal-0.9.30.13
+PKG_VERSION:=r2362-20070522
+PKG_BRANCH:=madwifi-ng
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_BRANCH)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://snapshots.madwifi.org/$(PKG_BRANCH)
-PKG_MD5SUM:=215b6c66eb1a3c4bcd947f358ade823f
+PKG_MD5SUM:=7a7783ecf6596089afc4aeebdffb397b
 PKG_BUILD_DIR:=$(KERNEL_BUILD_DIR)/$(PKG_BRANCH)-$(PKG_VERSION)
 
 include $(INCLUDE_DIR)/package.mk

package/madwifi/patches/010-refcount_merge.patch

@@ -1,2208 +0,0 @@
-diff -ur madwifi.old/ath/if_ath.c madwifi.dev/ath/if_ath.c
---- madwifi.old/ath/if_ath.c	2007-05-18 13:19:16.000000000 +0200
-+++ madwifi.dev/ath/if_ath.c	2007-05-21 08:10:46.864754176 +0200
-@@ -158,8 +158,7 @@
- static int ath_desc_alloc(struct ath_softc *);
- static void ath_desc_free(struct ath_softc *);
- static void ath_desc_swap(struct ath_desc *);
--static struct ieee80211_node *ath_node_alloc(struct ieee80211_node_table *,
--	struct ieee80211vap *);
-+static struct ieee80211_node *ath_node_alloc(struct ieee80211vap *);
- static void ath_node_cleanup(struct ieee80211_node *);
- static void ath_node_free(struct ieee80211_node *);
- static u_int8_t ath_node_getrssi(const struct ieee80211_node *);
-@@ -2385,7 +2384,7 @@
- 		if (ath_tx_start(sc->sc_dev, ni, bf_ff, bf_ff->bf_skb, 0) == 0)
- 			continue;
- 	bad:
--		ieee80211_free_node(ni);
-+		ieee80211_unref_node(&ni);
- 		if (bf_ff->bf_skb != NULL) {
- 			dev_kfree_skb(bf_ff->bf_skb);
- 			bf_ff->bf_skb = NULL;
-@@ -2525,8 +2524,10 @@
- 			skb = bf->bf_skb;
- 			ATH_FF_MAGIC_PUT(skb);
- 
-+#if 0
- 			/* decrement extra node reference made when an_tx_ffbuf[] was set */
--			//ieee80211_free_node(ni); /* XXX where was it set ? */
-+			ieee80211_unref_node(&ni); /* XXX where was it set ? */
-+#endif
- 
- 			DPRINTF(sc, ATH_DEBUG_XMIT | ATH_DEBUG_FF,
- 				"%s: aggregating fast-frame\n", __func__);
-@@ -2585,7 +2586,7 @@
- 		ff_flushbad:
- 			DPRINTF(sc, ATH_DEBUG_XMIT | ATH_DEBUG_FF,
- 				"%s: ff stageq flush failure\n", __func__);
--			ieee80211_free_node(ni);
-+			ieee80211_unref_node(&ni);
- 			if (bf_ff->bf_skb) {
- 				dev_kfree_skb(bf_ff->bf_skb);
- 				bf_ff->bf_skb = NULL;
-@@ -2707,7 +2708,7 @@
- 			tbf->bf_node = NULL;
- 			
- 			if (ni != NULL) 
--				ieee80211_free_node(ni);
-+				ieee80211_unref_node(&ni);
- 
- 			STAILQ_INSERT_TAIL(&sc->sc_txbuf, tbf, bf_list);
- 		}
-@@ -2789,7 +2790,7 @@
- 	/* fall thru... */
- bad:
- 	if (ni != NULL)
--		ieee80211_free_node(ni);
-+		ieee80211_unref_node(&ni);
- 	if (bf != NULL) {
- 		bf->bf_skb = NULL;
- 		bf->bf_node = NULL;
-@@ -3178,7 +3179,7 @@
- 	 */
- 	ni = sc->sc_keyixmap[keyix];
- 	if (ni != NULL) {
--		ieee80211_free_node(ni);
-+		ieee80211_unref_node(&ni);
- 		sc->sc_keyixmap[keyix] = NULL;
- 	}
- 	/*
-@@ -3189,7 +3190,7 @@
- 		ath_hal_keyreset(ah, keyix + 32);	/* RX key */
- 		ni = sc->sc_keyixmap[keyix + 32];
- 		if (ni != NULL) {			/* as above... */
--			ieee80211_free_node(ni);
-+			ieee80211_unref_node(&ni);
- 			sc->sc_keyixmap[keyix + 32] = NULL;
- 		}
- 	}
-@@ -3202,7 +3203,7 @@
- 			ath_hal_keyreset(ah, keyix + rxkeyoff);
- 			ni = sc->sc_keyixmap[keyix + rxkeyoff];
- 			if (ni != NULL) {	/* as above... */
--				ieee80211_free_node(ni);
-+				ieee80211_unref_node(&ni);
- 				sc->sc_keyixmap[keyix + rxkeyoff] = NULL;
- 			}
- 		}
-@@ -3764,10 +3765,8 @@
- 		dev_kfree_skb(bf->bf_skb);
- 		bf->bf_skb = NULL;
- 	}
--	if (bf->bf_node != NULL) {
--		ieee80211_free_node(bf->bf_node);
--		bf->bf_node = NULL;
--	}
-+	if (bf->bf_node != NULL)
-+		ieee80211_unref_node(&bf->bf_node);
- 
- 	/*
- 	 * NB: the beacon data buffer must be 32-bit aligned;
-@@ -3808,7 +3807,7 @@
- 		DPRINTF(sc, ATH_DEBUG_BEACON,
- 			"%s: %s beacons, bslot %d intval %u tsfadjust(Kus) %llu\n",
- 			__func__, sc->sc_stagbeacons ? "stagger" : "burst",
--			avp->av_bslot, ni->ni_intval, (unsigned long long) tuadjust);
-+			avp->av_bslot, ni->ni_intval, (long long) tuadjust);
- 
- 		wh = (struct ieee80211_frame *) skb->data;
- 		memcpy(&wh[1], &tsfadjust, sizeof(tsfadjust));
-@@ -4128,7 +4127,7 @@
- 		vap = sc->sc_bslot[(slot + 1) % ATH_BCBUF];
- 		DPRINTF(sc, ATH_DEBUG_BEACON_PROC,
- 			"%s: slot %d [tsf %llu tsftu %u intval %u] vap %p\n",
--			__func__, slot, (unsigned long long) tsf, tsftu, ic->ic_lintval, vap);
-+			__func__, slot, (long long) tsf, tsftu, ic->ic_lintval, vap);
- 		bfaddr = 0;
- 		if (vap != NULL) {
- 			bf = ath_beacon_generate(sc, vap, needmark);
-@@ -4309,10 +4308,8 @@
- 		dev_kfree_skb(bf->bf_skb);
- 		bf->bf_skb = NULL;
- 	}
--	if (bf->bf_node != NULL) {
--		ieee80211_free_node(bf->bf_node);
--		bf->bf_node = NULL;
--	}
-+	if (bf->bf_node != NULL) 
-+		ieee80211_unref_node(&bf->bf_node);
- 	STAILQ_INSERT_TAIL(&sc->sc_bbuf, bf, bf_list);
- }
- 
-@@ -4331,10 +4328,8 @@
- 			dev_kfree_skb(bf->bf_skb);
- 			bf->bf_skb = NULL;
- 		}
--		if (bf->bf_node != NULL) {
--			ieee80211_free_node(bf->bf_node);
--			bf->bf_node = NULL;
--		}
-+		if (bf->bf_node != NULL)
-+			ieee80211_unref_node(&bf->bf_node);
- 	}
- }
- 
-@@ -4620,7 +4615,7 @@
- 			/*
- 			 * Reclaim node reference.
- 			 */
--			ieee80211_free_node(ni);
-+			ieee80211_unref_node(&ni);
- 		}
- 	}
- 
-@@ -4679,37 +4674,39 @@
- }
- 
- static struct ieee80211_node *
--ath_node_alloc(struct ieee80211_node_table *nt,struct ieee80211vap *vap)
-+ath_node_alloc(struct ieee80211vap *vap)
- {
--	struct ath_softc *sc = nt->nt_ic->ic_dev->priv;
-+	struct ath_softc *sc = vap->iv_ic->ic_dev->priv;
- 	const size_t space = sizeof(struct ath_node) + sc->sc_rc->arc_space;
- 	struct ath_node *an;
- 
- 	an = kmalloc(space, GFP_ATOMIC);
--	if (an == NULL)
--		return NULL;
--	memset(an, 0, space);
--	an->an_decomp_index = INVALID_DECOMP_INDEX;
--	an->an_avgrssi = ATH_RSSI_DUMMY_MARKER;
--	an->an_halstats.ns_avgbrssi = ATH_RSSI_DUMMY_MARKER;
--	an->an_halstats.ns_avgrssi = ATH_RSSI_DUMMY_MARKER;
--	an->an_halstats.ns_avgtxrssi = ATH_RSSI_DUMMY_MARKER;
--	/*
--	 * ath_rate_node_init needs a VAP pointer in node
--	 * to decide which mgt rate to use
--	 */
--	an->an_node.ni_vap = vap;
--	sc->sc_rc->ops->node_init(sc, an);
--
--	/* U-APSD init */
--	STAILQ_INIT(&an->an_uapsd_q);
--	an->an_uapsd_qdepth = 0;
--	STAILQ_INIT(&an->an_uapsd_overflowq);
--	an->an_uapsd_overflowqdepth = 0;
--	ATH_NODE_UAPSD_LOCK_INIT(an);
-+	if (an != NULL) {
-+		memset(an, 0, space);
-+		an->an_decomp_index = INVALID_DECOMP_INDEX;
-+		an->an_avgrssi = ATH_RSSI_DUMMY_MARKER;
-+		an->an_halstats.ns_avgbrssi = ATH_RSSI_DUMMY_MARKER;
-+		an->an_halstats.ns_avgrssi = ATH_RSSI_DUMMY_MARKER;
-+		an->an_halstats.ns_avgtxrssi = ATH_RSSI_DUMMY_MARKER;
-+		/*
-+		 * ath_rate_node_init needs a vap pointer in node
-+		 * to decide which mgt rate to use
-+		 */
-+		an->an_node.ni_vap = vap;
-+		sc->sc_rc->ops->node_init(sc, an);
- 
--	DPRINTF(sc, ATH_DEBUG_NODE, "%s: an %p\n", __func__, an);
--	return &an->an_node;
-+		/* U-APSD init */
-+		STAILQ_INIT(&an->an_uapsd_q);
-+		an->an_uapsd_qdepth = 0;
-+		STAILQ_INIT(&an->an_uapsd_overflowq);
-+		an->an_uapsd_overflowqdepth = 0;
-+		ATH_NODE_UAPSD_LOCK_INIT(an);
-+		
-+		DPRINTF(sc, ATH_DEBUG_NODE, "%s: an %p\n", __func__, an);
-+		return &an->an_node;
-+	} else {
-+		return NULL;
-+	}
- }
- 
- static void
-@@ -4719,6 +4716,7 @@
- 	struct ath_softc *sc = ni->ni_ic->ic_dev->priv;
- 	struct ath_node *an = ATH_NODE(ni);
- 	struct ath_buf *bf;
-+	struct ieee80211_cb *cb = NULL;
- 	
- 	/*
- 	 * U-APSD cleanup
-@@ -4733,15 +4731,18 @@
- 	while (an->an_uapsd_qdepth) {
- 		bf = STAILQ_FIRST(&an->an_uapsd_q);
- 		STAILQ_REMOVE_HEAD(&an->an_uapsd_q, bf_list);
--		bf->bf_desc->ds_link = 0;
- 
-+		cb = (struct ieee80211_cb *) bf->bf_skb->cb;
-+		ieee80211_unref_node(&cb->ni);
- 		dev_kfree_skb_any(bf->bf_skb);
-+
-+		bf->bf_desc->ds_link = 0;
- 		bf->bf_skb = NULL;
- 		bf->bf_node = NULL;
-+
- 		ATH_TXBUF_LOCK_IRQ(sc);
- 		STAILQ_INSERT_TAIL(&sc->sc_txbuf, bf, bf_list);
- 		ATH_TXBUF_UNLOCK_IRQ(sc);
--		ieee80211_free_node(ni);
- 
- 		an->an_uapsd_qdepth--;
- 	}
-@@ -4749,19 +4750,25 @@
- 	while (an->an_uapsd_overflowqdepth) {
- 		bf = STAILQ_FIRST(&an->an_uapsd_overflowq);
- 		STAILQ_REMOVE_HEAD(&an->an_uapsd_overflowq, bf_list);
--		bf->bf_desc->ds_link = 0;
- 
-+		cb = (struct ieee80211_cb *) bf->bf_skb->cb;
-+		ieee80211_unref_node(&cb->ni);
- 		dev_kfree_skb_any(bf->bf_skb);
-+
- 		bf->bf_skb = NULL;
- 		bf->bf_node = NULL;
-+		bf->bf_desc->ds_link = 0;
-+		
- 		ATH_TXBUF_LOCK_IRQ(sc);
- 		STAILQ_INSERT_TAIL(&sc->sc_txbuf, bf, bf_list);
- 		ATH_TXBUF_UNLOCK_IRQ(sc);
--		ieee80211_free_node(ni);
- 
- 		an->an_uapsd_overflowqdepth--;
- 	}
- 
-+	/* Clean up node-specific rate things - this currently appears to always be a no-op */
-+	sc->sc_rc->ops->node_cleanup(sc, ATH_NODE(ni));
-+
- 	ATH_NODE_UAPSD_LOCK_IRQ(an);
- 	sc->sc_node_cleanup(ni);
- 	ATH_NODE_UAPSD_UNLOCK_IRQ(an);
-@@ -4772,7 +4779,6 @@
- {
- 	struct ath_softc *sc = ni->ni_ic->ic_dev->priv;
- 
--	sc->sc_rc->ops->node_cleanup(sc, ATH_NODE(ni));
- 	sc->sc_node_free(ni);
- #ifdef ATH_SUPERG_XR
- 	ath_grppoll_period_update(sc);
-@@ -5660,7 +5666,7 @@
- 			an = ATH_NODE(ieee80211_ref_node(ni));
- 			ATH_RSSI_LPF(an->an_avgrssi, rs->rs_rssi);
- 			type = ieee80211_input(ni, skb, rs->rs_rssi, rs->rs_tstamp);
--			ieee80211_free_node(ni);
-+			ieee80211_unref_node(&ni);
- 		} else {
- 			/*
- 			 * No key index or no entry, do a lookup and
-@@ -5682,7 +5688,7 @@
- 				if (keyix != IEEE80211_KEYIX_NONE &&
- 				    sc->sc_keyixmap[keyix] == NULL)
- 					sc->sc_keyixmap[keyix] = ieee80211_ref_node(ni);
--				ieee80211_free_node(ni); 
-+				ieee80211_unref_node(&ni); 
- 			} else
- 				type = ieee80211_input_all(ic, skb,
- 					rs->rs_rssi, rs->rs_tstamp);
-@@ -6478,8 +6484,7 @@
- 		STAILQ_REMOVE_HEAD(&an->an_uapsd_q, bf_list);
- 		dev_kfree_skb(lastbuf->bf_skb);
- 		lastbuf->bf_skb = NULL;
--		ieee80211_free_node(lastbuf->bf_node);
--		lastbuf->bf_node = NULL;
-+		ieee80211_unref_node(&lastbuf->bf_node);
- 		ATH_TXBUF_LOCK_IRQ(sc);
- 		STAILQ_INSERT_TAIL(&sc->sc_txbuf, lastbuf, bf_list);
- 		ATH_TXBUF_UNLOCK_IRQ(sc);
-@@ -7229,7 +7234,7 @@
- 			 *     this is a DEAUTH message that was sent and the
- 			 *     node was timed out due to inactivity.
- 			 */
--			 ieee80211_free_node(ni); 
-+			 ieee80211_unref_node(&ni); 
- 		}
- 
- 		bus_unmap_single(sc->sc_bdev, bf->bf_skbaddr, 
-@@ -7474,7 +7479,7 @@
- 		}
- #endif /* ATH_SUPERG_FF */
- 		if (bf->bf_node)
--			ieee80211_free_node(bf->bf_node);
-+			ieee80211_unref_node(&bf->bf_node);
- 
- 		bf->bf_skb = NULL;
- 		bf->bf_node = NULL;
-diff -ur madwifi.old/net80211/ieee80211_input.c madwifi.dev/net80211/ieee80211_input.c
---- madwifi.old/net80211/ieee80211_input.c	2007-05-18 13:19:16.000000000 +0200
-+++ madwifi.dev/net80211/ieee80211_input.c	2007-05-21 08:10:46.865754024 +0200
-@@ -489,7 +489,7 @@
- 					nt = &ic->ic_sta;
- 					ni_wds = ieee80211_find_wds_node(nt, wh->i_addr3);
- 					if (ni_wds) {
--						ieee80211_free_node(ni_wds); /* Decr ref count */
-+						ieee80211_unref_node(&ni_wds); /* Decr ref count */
- 						IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
- 							wh, NULL, "%s",
- 							"multicast echo originated from node behind me");
-@@ -543,10 +543,12 @@
- 			 * the node table for the packet source address (addr4).
- 			 * If not, add one.
- 			 */
-+			/* XXX: Useless node mgmt API; make better */
- 			if (dir == IEEE80211_FC1_DIR_DSTODS) {
- 				struct ieee80211_node_table *nt;
- 				struct ieee80211_frame_addr4 *wh4;
- 				struct ieee80211_node *ni_wds;
-+
- 				if (!(vap->iv_flags_ext & IEEE80211_FEXT_WDS)) {
- 					IEEE80211_DISCARD(vap, IEEE80211_MSG_INPUT,
- 						wh, "data", "%s", "4 addr not allowed");
-@@ -569,7 +571,7 @@
- 				if (ni_wds == NULL)
- 					ieee80211_add_wds_addr(nt, ni, wh4->i_addr4, 0);
- 				else
--					ieee80211_free_node(ni_wds); /* Decr ref count */
-+					ieee80211_unref_node(&ni_wds); /* Decr. ref count */
- 			}
- 			
- 			/*
-@@ -936,7 +938,7 @@
- 		}
- 		ni = ieee80211_ref_node(vap->iv_bss);
- 		type = ieee80211_input(ni, skb1, rssi, rstamp);
--		ieee80211_free_node(ni);
-+		ieee80211_unref_node(&ni);
- 	}
- 	if (skb != NULL)		/* no vaps, reclaim skb */
- 		dev_kfree_skb(skb);
-@@ -986,22 +988,14 @@
- 	}
- 
- 	/*
--	 * Use this lock to make sure ni->ni_rxfrag is
--	 * not freed by the timer process while we use it.
--	 * XXX bogus
--	 */
--	IEEE80211_NODE_LOCK_IRQ(ni->ni_table);
--
--	/*
- 	 * Update the time stamp.  As a side effect, it
- 	 * also makes sure that the timer will not change
- 	 * ni->ni_rxfrag for at least 1 second, or in
- 	 * other words, for the remaining of this function.
-+	 * XXX HUGE HORRIFIC HACK
- 	 */
- 	ni->ni_rxfragstamp = jiffies;
- 
--	IEEE80211_NODE_UNLOCK_IRQ(ni->ni_table);
--
- 	/*
- 	 * Validate that fragment is in order and
- 	 * related to the previous ones.
-@@ -1130,7 +1124,7 @@
- 					skb = NULL;
- 				}
- 				/* XXX statistic? */
--				ieee80211_free_node(ni1);
-+				ieee80211_unref_node(&ni1);
- 			}
- 		}
- 		if (skb1 != NULL) {
-@@ -1265,6 +1259,7 @@
- 	int rssi, u_int32_t rstamp, u_int16_t seq, u_int16_t status)
- {
- 	struct ieee80211vap *vap = ni->ni_vap;
-+	unsigned int tmpnode = 0;
- 
- 	if (ni->ni_authmode == IEEE80211_AUTH_SHARED) {
- 		IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_AUTH,
-@@ -1272,22 +1267,21 @@
- 			"bad sta auth mode %u", ni->ni_authmode);
- 		vap->iv_stats.is_rx_bad_auth++;	/* XXX maybe a unique error? */
- 		if (vap->iv_opmode == IEEE80211_M_HOSTAP) {
--			/* XXX hack to workaround calling convention */
--
--			/* XXX To send the frame to the requesting STA, we have to
--			 * create a node for the station that we're going to reject.
--			 * The node will be freed automatically */
- 			if (ni == vap->iv_bss) {
--				ni = ieee80211_dup_bss(vap, wh->i_addr2);
-+				ni = ieee80211_dup_bss(vap, wh->i_addr2, 0);
- 				if (ni == NULL)
- 					return;
- 
- 				IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE, 
- 				"%s: %p<%s> refcnt %d\n", __func__, ni, ether_sprintf(ni->ni_macaddr), 
- 				ieee80211_node_refcnt(ni));
-+				tmpnode = 1;
- 			}
- 			IEEE80211_SEND_MGMT(ni,	IEEE80211_FC0_SUBTYPE_AUTH,
- 				(seq + 1) | (IEEE80211_STATUS_ALG << 16));
-+			
-+			if (tmpnode)
-+				ieee80211_unref_node(&ni);
- 			return;
- 		}
- 	}
-@@ -1315,23 +1309,16 @@
- 		}
- 		/* always accept open authentication requests */
- 		if (ni == vap->iv_bss) {
--			ni = ieee80211_dup_bss(vap, wh->i_addr2); 
-+			ni = ieee80211_dup_bss(vap, wh->i_addr2, 0); 
- 			if (ni == NULL)
- 				return;
- 
- 			IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE, 
- 			"%s: %p<%s> refcnt %d\n", __func__, ni, ether_sprintf(ni->ni_macaddr), 
- 			ieee80211_node_refcnt(ni));
--
--		} else if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
--			(void) ieee80211_ref_node(ni);
--		/*
--		 * Mark the node as referenced to reflect that it's
--		 * reference count has been bumped to ensure it remains
--		 * after the transaction completes.
--		 */
--		ni->ni_flags |= IEEE80211_NODE_AREF;
--
-+			tmpnode = 1;
-+		}
-+		
- 		IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
- 		IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
- 			ni, "station authenticated (%s)", "open");
-@@ -1341,6 +1328,8 @@
- 		 */
- 		if (ni->ni_authmode != IEEE80211_AUTH_8021X)
- 			ieee80211_node_authorize(ni);
-+		if (tmpnode)
-+			ieee80211_unref_node(&ni);
- 		break;
- 
- 	case IEEE80211_M_STA:
-@@ -1379,7 +1368,7 @@
- 	int istmp;
- 
- 	if (ni == vap->iv_bss) {
--		ni = ieee80211_tmp_node(vap, mac);
-+		ni = ieee80211_dup_bss(vap, mac, 1);
- 		if (ni == NULL) {
- 			/* XXX msg */
- 			return;
-@@ -1389,7 +1378,7 @@
- 		istmp = 0;
- 	IEEE80211_SEND_MGMT(ni, subtype, arg);
- 	if (istmp)
--		ieee80211_free_node(ni);
-+		ieee80211_unref_node(&ni);
- }
- 
- static int
-@@ -1505,7 +1494,7 @@
- 		switch (seq) {
- 		case IEEE80211_AUTH_SHARED_REQUEST:
- 			if (ni == vap->iv_bss) {
--				ni = ieee80211_dup_bss(vap, wh->i_addr2);
-+				ni = ieee80211_dup_bss(vap, wh->i_addr2, 0);
- 				if (ni == NULL) {
- 					/* NB: no way to return an error */
- 					return;
-@@ -1516,17 +1505,8 @@
- 				ieee80211_node_refcnt(ni));
- 
- 				allocbs = 1;
--			} else {
--				if ((ni->ni_flags & IEEE80211_NODE_AREF) == 0)
--					(void) ieee80211_ref_node(ni);
--				allocbs = 0;
- 			}
--			/*
--			 * Mark the node as referenced to reflect that it's
--			 * reference count has been bumped to ensure it remains
--			 * after the transaction completes.
--			 */
--			ni->ni_flags |= IEEE80211_NODE_AREF;
-+
- 			ni->ni_rssi = rssi;
- 			ni->ni_rstamp = rstamp;
- 			ni->ni_last_rx = jiffies;
-@@ -1620,14 +1600,13 @@
- 	}
- 	return;
- bad:
--	/*
--	 * Send an error response; but only when operating as an AP.
--	 */
-+	/* Send an error response; but only when operating as an AP. */
- 	if (vap->iv_opmode == IEEE80211_M_HOSTAP) {
- 		/* XXX hack to workaround calling convention */
- 		ieee80211_send_error(ni, wh->i_addr2, 
- 			IEEE80211_FC0_SUBTYPE_AUTH,
- 			(seq + 1) | (estatus<<16));
-+		ieee80211_node_leave(ni);
- 	} else if (vap->iv_opmode == IEEE80211_M_STA) {
- 		/*
- 		 * Kick the state machine.  This short-circuits
-@@ -2600,7 +2579,7 @@
- 	u_int8_t *frm, *efrm;
- 	u_int8_t *ssid, *rates, *xrates, *wpa, *rsn, *wme, *ath;
- 	u_int8_t rate;
--	int reassoc, resp, allocbs;
-+	int reassoc, resp, allocbs = 0;
- 	u_int8_t qosinfo;
- 
- 	wh = (struct ieee80211_frame *) skb->data;
-@@ -3008,13 +2987,13 @@
- 				ni = ieee80211_fakeup_adhoc_node(vap,
- 					wh->i_addr2);
- 			} else {
--				ni = ieee80211_tmp_node(vap, wh->i_addr2);
-+				ni = ieee80211_dup_bss(vap, wh->i_addr2, 1);
- 			}
- 			if (ni == NULL)
- 				return;
- 			allocbs = 1;
--		} else
--			allocbs = 0;
-+		}
-+
- 		IEEE80211_NOTE_MAC(vap, IEEE80211_MSG_INPUT, wh->i_addr2,
- 			"%s", "recv probe req");
- 		ni->ni_rssi = rssi;
-@@ -3037,7 +3016,7 @@
- 			 * Temporary node created just to send a
- 			 * response, reclaim immediately
- 			 */
--			ieee80211_free_node(ni);
-+			ieee80211_unref_node(&ni);
- 		} else if (ath != NULL)
- 			ieee80211_saveath(ni, ath);
- 		break;
-@@ -3067,6 +3046,9 @@
- 					ni = vap->iv_xrvap->iv_bss;
- 				else {
- 					ieee80211_node_leave(ni);
-+					/* This would be a stupid place to add a node to the table
-+					 * XR stuff needs work anyway
-+					 */
- 					ieee80211_node_reset(ni, vap->iv_xrvap);
- 				}
- 				vap = vap->iv_xrvap;
-diff -ur madwifi.old/net80211/ieee80211_linux.c madwifi.dev/net80211/ieee80211_linux.c
---- madwifi.old/net80211/ieee80211_linux.c	2007-05-18 13:19:16.000000000 +0200
-+++ madwifi.dev/net80211/ieee80211_linux.c	2007-05-21 08:10:46.866753872 +0200
-@@ -358,7 +358,7 @@
-         struct ieee80211_node *ni;
-         struct ieee80211_node_table *nt = (struct ieee80211_node_table *) &vap->iv_ic->ic_sta;
- 
--        //IEEE80211_NODE_LOCK(nt);                                                                               
-+        /* IEEE80211_NODE_LOCK(nt); */
-         TAILQ_FOREACH(ni, &nt->nt_node, ni_list) {
-                 /* Assume each node needs 500 bytes */
-                 if (buf + space < p + 500)
-@@ -376,7 +376,7 @@
- 
- 		}
-         }
--        //IEEE80211_NODE_UNLOCK(nt);                                                                             
-+        /* IEEE80211_NODE_UNLOCK(nt); */
-         return (p - buf);
- }
- 
-diff -ur madwifi.old/net80211/ieee80211_linux.h madwifi.dev/net80211/ieee80211_linux.h
---- madwifi.old/net80211/ieee80211_linux.h	2007-05-04 15:45:58.000000000 +0200
-+++ madwifi.dev/net80211/ieee80211_linux.h	2007-05-21 08:10:46.867753720 +0200
-@@ -63,6 +63,12 @@
- 
- #define	IEEE80211_RESCHEDULE	schedule
- 
-+/* Locking */
-+/* NB: beware, spin_is_locked() is not usefully defined for !(DEBUG || SMP)
-+ * because spinlocks do not exist in this configuration. Instead IRQs 
-+ * or pre-emption are simply disabled, as this is all that is needed.
-+ */
-+
- /*
-  * Beacon handler locking definitions.
-  * Beacon locking 
-@@ -85,14 +91,14 @@
- #define IEEE80211_LOCK(_ic)	spin_lock(&(_ic)->ic_comlock)
- #define IEEE80211_UNLOCK(_ic)	spin_unlock(&(_ic)->ic_comlock)
- 
--/* NB: beware, spin_is_locked() is unusable for !SMP */
--#if defined(CONFIG_SMP)
-+#if (defined(CONFIG_SMP) || defined(CONFIG_DEBUG_SPINLOCK)) && defined(spin_is_locked)
- #define	IEEE80211_LOCK_ASSERT(_ic) \
- 	KASSERT(spin_is_locked(&(_ic)->ic_comlock),("ieee80211com not locked!"))
- #else
- #define	IEEE80211_LOCK_ASSERT(_ic)
- #endif
- 
-+
- #define IEEE80211_VAPS_LOCK_INIT(_ic, _name)		\
- 	spin_lock_init(&(_ic)->ic_vapslock)
- #define IEEE80211_VAPS_LOCK_DESTROY(_ic)
-@@ -108,11 +114,10 @@
- } while (0)
- #define IEEE80211_VAPS_UNLOCK_IRQ_EARLY(_ic)	spin_unlock_irqrestore(&(_ic)->ic_vapslock, _vaps_lockflags)
- 
--
--/* NB: beware, spin_is_locked() is unusable for !SMP */
--#if defined(CONFIG_SMP)
-+#if (defined(CONFIG_SMP) || defined(CONFIG_DEBUG_SPINLOCK)) && defined(spin_is_locked)
- #define IEEE80211_VAPS_LOCK_ASSERT(_ic) \
--	KASSERT(spin_is_locked(&(_ic)->ic_vapslock),("ieee80211com_vaps not locked!"))
-+	KASSERT(spin_is_locked(&(_ic)->ic_vapslock), \
-+		("ieee80211com_vaps not locked!"))
- #else
- #define IEEE80211_VAPS_LOCK_ASSERT(_ic)
- #endif
-@@ -121,29 +126,63 @@
- /*
-  * Node locking definitions.
-  */
-+#if 0
-+
- typedef spinlock_t ieee80211_node_lock_t;
--#define	IEEE80211_NODE_LOCK_INIT(_nt, _name)	spin_lock_init(&(_nt)->nt_nodelock)
--#define	IEEE80211_NODE_LOCK_DESTROY(_nt)
--#define	IEEE80211_NODE_LOCK(_nt)	spin_lock(&(_nt)->nt_nodelock)
--#define	IEEE80211_NODE_UNLOCK(_nt)	spin_unlock(&(_nt)->nt_nodelock)
--#define	IEEE80211_NODE_LOCK_BH(_nt)	spin_lock_bh(&(_nt)->nt_nodelock)
--#define	IEEE80211_NODE_UNLOCK_BH(_nt)	spin_unlock_bh(&(_nt)->nt_nodelock)
--#define	IEEE80211_NODE_LOCK_IRQ(_nt)	do {	\
-+#define	IEEE80211_NODE_LOCK_INIT(_ni, _name)	spin_lock_init(&(_ni)->ni_nodelock)
-+#define	IEEE80211_NODE_LOCK_DESTROY(_ni)
-+#if 0	/* We should always be contesting in the same contexts */
-+#define	IEEE80211_NODE_LOCK(_ni)	spin_lock(&(_ni)->ni_nodelock)
-+#define	IEEE80211_NODE_UNLOCK(_ni)	spin_unlock(&(_ni)->ni_nodelock)
-+#define	IEEE80211_NODE_LOCK_BH(_ni)	spin_lock_bh(&(_ni)->ni_nodelock)
-+#define	IEEE80211_NODE_UNLOCK_BH(_ni)	spin_unlock_bh(&(_ni)->ni_nodelock)
-+#endif
-+#define	IEEE80211_NODE_LOCK_IRQ(_ni)	do {	\
-+	unsigned long __node_lockflags;		\
-+	spin_lock_irqsave(&(_ni)->ni_nodelock, __node_lockflags);
-+#define	IEEE80211_NODE_UNLOCK_IRQ(_ni)		\
-+	spin_unlock_irqrestore(&(_ni)->ni_nodelock, __node_lockflags); \
-+} while(0)
-+#define	IEEE80211_NODE_UNLOCK_IRQ_EARLY(_ni)		\
-+	spin_unlock_irqrestore(&(_ni)->ni_nodelock, __node_lockflags);
-+
-+#if (defined(CONFIG_SMP) || defined(CONFIG_DEBUG_SPINLOCK)) && defined(spin_is_locked)
-+#define	IEEE80211_NODE_LOCK_ASSERT(_nt) \
-+	KASSERT(spin_is_locked(&(_ni)->ni_nodelock), \
-+		("802.11 node not locked!"))
-+#else
-+#define	IEEE80211_NODE_LOCK_ASSERT(_ni)
-+#endif
-+
-+#endif /* node lock */
-+
-+/*
-+ * Node table locking definitions.
-+ */
-+typedef spinlock_t ieee80211_node_table_lock_t;
-+#define	IEEE80211_NODE_TABLE_LOCK_INIT(_nt, _name)	spin_lock_init(&(_nt)->nt_nodelock)
-+#define	IEEE80211_NODE_TABLE_LOCK_DESTROY(_nt)
-+#if 0	/* We should always be contesting in the same contexts */
-+#define	IEEE80211_NODE_TABLE_LOCK(_nt)	spin_lock(&(_nt)->nt_nodelock)
-+#define	IEEE80211_NODE_TABLE_UNLOCK(_nt)	spin_unlock(&(_nt)->nt_nodelock)
-+#define	IEEE80211_NODE_TABLE_LOCK_BH(_nt)	spin_lock_bh(&(_nt)->nt_nodelock)
-+#define	IEEE80211_NODE_TABLE_UNLOCK_BH(_nt)	spin_unlock_bh(&(_nt)->nt_nodelock)
-+#endif
-+#define	IEEE80211_NODE_TABLE_LOCK_IRQ(_nt)	do {	\
- 	unsigned long __node_lockflags;		\
- 	spin_lock_irqsave(&(_nt)->nt_nodelock, __node_lockflags);
--#define	IEEE80211_NODE_UNLOCK_IRQ(_nt)		\
-+#define	IEEE80211_NODE_TABLE_UNLOCK_IRQ(_nt)		\
- 	spin_unlock_irqrestore(&(_nt)->nt_nodelock, __node_lockflags); \
- } while(0)
--#define	IEEE80211_NODE_UNLOCK_IRQ_EARLY(_nt)		\
-+#define	IEEE80211_NODE_TABLE_UNLOCK_IRQ_EARLY(_nt)		\
- 	spin_unlock_irqrestore(&(_nt)->nt_nodelock, __node_lockflags);
- 
--/* NB: beware, *_is_locked() are bogusly defined for UP+!PREEMPT */
--#if (defined(CONFIG_SMP) || defined(CONFIG_PREEMPT)) && defined(spinlock_is_locked)
--#define	IEEE80211_NODE_LOCK_ASSERT(_nt) \
--	KASSERT(spinlock_is_locked(&(_nt)->nt_nodelock), \
-+#if (defined(CONFIG_SMP) || defined(CONFIG_DEBUG_SPINLOCK)) && defined(spin_is_locked)
-+#define	IEEE80211_NODE_TABLE_LOCK_ASSERT(_nt) \
-+	KASSERT(spin_is_locked(&(_nt)->nt_nodelock), \
- 		("802.11 node table not locked!"))
- #else
--#define	IEEE80211_NODE_LOCK_ASSERT(_nt)
-+#define	IEEE80211_NODE_TABLE_LOCK_ASSERT(_nt)
- #endif
- 
- /*
-@@ -163,8 +202,7 @@
- #define	IEEE80211_SCAN_UNLOCK_IRQ_EARLY(_nt)		\
- 	spin_unlock_irqrestore(&(_nt)->nt_scanlock, __scan_lockflags);
- 
--/* NB: beware, spin_is_locked() is unusable for !SMP */
--#if defined(CONFIG_SMP)
-+#if (defined(CONFIG_SMP) || defined(CONFIG_DEBUG_SPINLOCK)) && defined(spin_is_locked)
- #define	IEEE80211_SCAN_LOCK_ASSERT(_nt) \
- 	KASSERT(spin_is_locked(&(_nt)->nt_scanlock), ("scangen not locked!"))
- #else
-@@ -182,8 +220,7 @@
- #define	ACL_LOCK_BH(_as)		spin_lock_bh(&(_as)->as_lock)
- #define	ACL_UNLOCK_BH(_as)		spin_unlock_bh(&(_as)->as_lock)
- 
--/* NB: beware, spin_is_locked() is unusable for !SMP */
--#if defined(CONFIG_SMP)
-+#if (defined(CONFIG_SMP) || defined(CONFIG_DEBUG_SPINLOCK)) && defined(spin_is_locked)
- #define	ACL_LOCK_ASSERT(_as) \
- 	KASSERT(spin_is_locked(&(_as)->as_lock), ("ACL not locked!"))
- #else
-@@ -299,6 +336,7 @@
-  *				is the last reference, otherwise 0
-  * ieee80211_node_refcnt	reference count for printing (only)
-  */
-+typedef atomic_t ieee80211_node_ref_count_t; 
- #define ieee80211_node_initref(_ni)	atomic_set(&(_ni)->ni_refcnt, 1)
- #define ieee80211_node_incref(_ni)	atomic_inc(&(_ni)->ni_refcnt)
- #define	ieee80211_node_decref(_ni)	atomic_dec(&(_ni)->ni_refcnt)
-@@ -379,8 +417,8 @@
- /* msecs_to_jiffies appeared in 2.6.7 and 2.4.29 */
- #include <linux/delay.h>
- #if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) && \
--      LINUX_VERSION_CODE < KERNEL_VERSION(2,6,7)) || \
--     LINUX_VERSION_CODE < KERNEL_VERSION(2,4,29)
-+     LINUX_VERSION_CODE < KERNEL_VERSION(2,6,7)) || \
-+    LINUX_VERSION_CODE < KERNEL_VERSION(2,4,29)
- 
- /* The following definitions and inline functions are
-  * copied from the kernel src, include/linux/jiffies.h */
-diff -ur madwifi.old/net80211/ieee80211_node.c madwifi.dev/net80211/ieee80211_node.c
---- madwifi.old/net80211/ieee80211_node.c	2007-05-18 13:19:16.000000000 +0200
-+++ madwifi.dev/net80211/ieee80211_node.c	2007-05-21 08:10:46.868753568 +0200
-@@ -65,16 +65,17 @@
- #define	IEEE80211_AID_ISSET(_vap, _b) \
- 	((_vap)->iv_aid_bitmap[IEEE80211_AID(_b) / 32] & (1 << (IEEE80211_AID(_b) % 32)))
- 
-+static struct ieee80211_node *ieee80211_alloc_node(struct ieee80211vap *, const u_int8_t *);
-+
- static int ieee80211_sta_join1(struct ieee80211_node *);
- 
--static struct ieee80211_node *node_alloc(struct ieee80211_node_table *,
--	struct ieee80211vap *);
-+static struct ieee80211_node *node_alloc(struct ieee80211vap *);
- static void node_cleanup(struct ieee80211_node *);
- static void node_free(struct ieee80211_node *);
- static u_int8_t node_getrssi(const struct ieee80211_node *);
- 
--static void _ieee80211_free_node(struct ieee80211_node *);
--static void node_reclaim(struct ieee80211_node_table *, struct ieee80211_node*);
-+static void _node_table_leave(struct ieee80211_node_table *, struct ieee80211_node *);
-+static void _node_table_join(struct ieee80211_node_table *, struct ieee80211_node *);
- 
- static void ieee80211_node_timeout(unsigned long);
- 
-@@ -194,8 +195,7 @@
- 
- 	ieee80211_node_table_reset(&ic->ic_sta, vap);
- 	if (vap->iv_bss != NULL) {
--		ieee80211_free_node(vap->iv_bss);
--		vap->iv_bss = NULL;
-+		ieee80211_unref_node(&vap->iv_bss);
- 	}
- 	if (vap->iv_aid_bitmap != NULL) {
- 		FREE(vap->iv_aid_bitmap, M_DEVBUF);
-@@ -250,6 +250,7 @@
- 	nbss->ni_txpower = obss->ni_txpower;
- 	nbss->ni_vlan = obss->ni_vlan;
- 	nbss->ni_rsn = obss->ni_rsn;
-+	nbss->ni_rates = obss->ni_rates;
- 	/* XXX statistics? */
- }
- 
-@@ -263,17 +264,17 @@
- 		"%s: creating ibss on channel %u\n", __func__,
- 		ieee80211_chan2ieee(ic, chan));
- 
--	/* Check to see if we already have a node for this mac */
-+	/* Check to see if we already have a node for this mac 
-+	 * NB: we gain a node reference here
-+	 */
- 	ni = ieee80211_find_node(&ic->ic_sta, vap->iv_myaddr);
- 	if (ni == NULL) {
--		ni = ieee80211_alloc_node(&ic->ic_sta, vap, vap->iv_myaddr);
-+		ni = ieee80211_alloc_node_table(vap, vap->iv_myaddr);
- 		if (ni == NULL) {
- 			/* XXX recovery? */
- 			return;
- 		}
- 	}
--	else
--		ieee80211_free_node(ni);
- 
- 	IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE, "%s: %p<%s> refcnt %d\n",
- 		__func__, vap->iv_bss, ether_sprintf(vap->iv_bss->ni_macaddr),
-@@ -339,7 +340,7 @@
- 	else if (IEEE80211_IS_CHAN_QUARTER(chan))
- 		ni->ni_rates = ic->ic_sup_quarter_rates;
- 
--	(void) ieee80211_sta_join1(ieee80211_ref_node(ni));
-+	(void) ieee80211_sta_join1(PASS_NODE(ni));
- }
- EXPORT_SYMBOL(ieee80211_create_ibss);
- 
-@@ -363,9 +364,10 @@
- 	/* XXX multi-bss wrong */
- 	ieee80211_reset_erp(ic, ic->ic_curmode);
- 
--	ni = ieee80211_alloc_node(&ic->ic_sta, vap, vap->iv_myaddr);
-+	ni = ieee80211_alloc_node_table(vap, vap->iv_myaddr);
- 	KASSERT(ni != NULL, ("unable to setup inital BSS node"));
- 	obss = vap->iv_bss;
-+	/* New reference for caller */
- 	vap->iv_bss = ieee80211_ref_node(ni);
- 
- 	IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE, "%s: new bss %p<%s> refcnt %d\n",
-@@ -375,7 +377,8 @@
- 	if (obss != NULL) {
- 		copy_bss(ni, obss);
- 		ni->ni_intval = ic->ic_lintval;
--		ieee80211_free_node(obss);
-+		/* Caller's reference */
-+		ieee80211_unref_node(&obss);
- 	}
- }
- 
-@@ -581,7 +584,7 @@
- 		vap->iv_state == IEEE80211_S_RUN && ssid_equal(obss, selbs));
- 	vap->iv_bss = selbs;
- 	if (obss != NULL)
--		ieee80211_free_node(obss);
-+		ieee80211_unref_node(&obss);
- 	ic->ic_bsschan = selbs->ni_chan;
- 	ic->ic_curchan = ic->ic_bsschan;
- 	ic->ic_curmode = ieee80211_chan2mode(ic->ic_curchan);
-@@ -638,21 +641,20 @@
- 
- 	ni = ieee80211_find_node(&ic->ic_sta, se->se_macaddr);
- 	if (ni == NULL) {
--		ni = ieee80211_alloc_node(&ic->ic_sta, vap, se->se_macaddr);
-+		ni = ieee80211_alloc_node_table(vap, se->se_macaddr);
- 		if (ni == NULL) {
- 			IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE, 
- 			"%s: Unable to allocate node for BSS: %s\n", __func__, 
- 			ether_sprintf(ni->ni_macaddr));
- 			return 0;
- 		}
--	} else
--		ieee80211_free_node(ni);
-+	}
- 
- 	/*
- 	 * Expand scan state into node's format.
- 	 * XXX may not need all this stuff
- 	 */
--	ni->ni_authmode = vap->iv_bss->ni_authmode;		/* inherit authmode from iv_bss */
-+	ni->ni_authmode = vap->iv_bss->ni_authmode;	/* inherit authmode from iv_bss */
- 	/* inherit the WPA setup as well (structure copy!) */
- 	ni->ni_rsn = vap->iv_bss->ni_rsn; 
- 	IEEE80211_ADDR_COPY(ni->ni_bssid, se->se_bssid);
-@@ -686,9 +688,9 @@
- 
- 	IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE, 
- 	"%s: %p<%s> refcnt %d\n", __func__, ni, ether_sprintf(ni->ni_macaddr), 
--	ieee80211_node_refcnt(ni)+1);
-+	ieee80211_node_refcnt(ni));
- 
--	return ieee80211_sta_join1(ieee80211_ref_node(ni));
-+	return ieee80211_sta_join1(PASS_NODE(ni));
- }
- EXPORT_SYMBOL(ieee80211_sta_join);
- 
-@@ -700,15 +702,13 @@
- ieee80211_sta_leave(struct ieee80211_node *ni)
- {
- 	struct ieee80211vap *vap = ni->ni_vap;
--	struct ieee80211com *ic = vap->iv_ic;
- 
- 	/* WDS/Repeater: Stop software beacon timer for STA */
- 	if (vap->iv_opmode == IEEE80211_M_STA &&
- 	    vap->iv_flags_ext & IEEE80211_FEXT_SWBMISS) {
- 		del_timer(&vap->iv_swbmiss);
- 	}
--
--	ic->ic_node_cleanup(ni);
-+	
- 	ieee80211_notify_node_leave(ni);
- }
- 
-@@ -717,11 +717,11 @@
-  */
- 
- static void
--ieee80211_node_table_init(struct ieee80211com *ic,
--	struct ieee80211_node_table *nt,	const char *name, int inact)
-+ieee80211_node_table_init(struct ieee80211com *ic, struct ieee80211_node_table *nt,
-+		const char *name, int inact)
- {
- 	nt->nt_ic = ic;
--	IEEE80211_NODE_LOCK_INIT(nt, ic->ic_dev->name);
-+	IEEE80211_NODE_TABLE_LOCK_INIT(nt, ic->ic_dev->name);
- 	IEEE80211_SCAN_LOCK_INIT(nt, ic->ic_dev->name);
- 	TAILQ_INIT(&nt->nt_node);
- 	nt->nt_name = name;
-@@ -733,11 +733,31 @@
- 	mod_timer(&nt->nt_wds_aging_timer, jiffies + HZ * WDS_AGING_TIMER_VAL);
- }
- 
-+static __inline void _node_table_join(struct ieee80211_node_table *nt, struct ieee80211_node *ni) {
-+	IEEE80211_NODE_TABLE_LOCK_ASSERT(nt);
-+
-+	ni->ni_table = nt;
-+	TAILQ_INSERT_TAIL(&nt->nt_node, ieee80211_ref_node(ni), ni_list);
-+	LIST_INSERT_HEAD(&nt->nt_hash[IEEE80211_NODE_HASH(ni->ni_macaddr)], ni, ni_hash);
-+}
-+
-+static __inline void _node_table_leave(struct ieee80211_node_table *nt, struct ieee80211_node *ni) {
-+	struct ieee80211_node *hni;
-+	IEEE80211_NODE_TABLE_LOCK_ASSERT(nt);
-+	
-+	TAILQ_REMOVE(&nt->nt_node, ni, ni_list);
-+	LIST_FOREACH(hni, &nt->nt_hash[IEEE80211_NODE_HASH(ni->ni_macaddr)], ni_hash) {
-+		LIST_REMOVE(ni, ni_hash);
-+	}
-+	ni->ni_table = NULL;
-+	_ieee80211_unref_node(ni);
-+}
-+
- /* This is overridden by ath_node_alloc in ath/if_ath.c, and so
-- * should never get called
-+ * should never get called.
-  */
- static struct ieee80211_node *
--node_alloc(struct ieee80211_node_table *nt, struct ieee80211vap *vap)
-+node_alloc(struct ieee80211vap *vap)
- {
- 	struct ieee80211_node *ni;
- 
-@@ -776,13 +796,6 @@
- 			IEEE80211_UNLOCK_IRQ(ni->ni_ic);
- 		}
- 	}
--	/*
--	 * Clear AREF flag that marks the authorization refcnt bump
--	 * has happened.  This is probably not needed as the node
--	 * should always be removed from the table so not found but
--	 * do it just in case.
--	 */
--	ni->ni_flags &= ~IEEE80211_NODE_AREF;
- 
- 	/*
- 	 * Drain power save queue and, if needed, clear TIM.
-@@ -791,10 +804,7 @@
- 		vap->iv_set_tim(ni, 0);
- 
- 	ni->ni_associd = 0;
--	if (ni->ni_challenge != NULL) {
--		FREE(ni->ni_challenge, M_DEVBUF);
--		ni->ni_challenge = NULL;
--	}
-+	
- 	/*
- 	 * Preserve SSID, WPA, and WME ie's so the bss node is
- 	 * reusable during a re-auth/re-assoc state transition.
-@@ -819,9 +829,16 @@
- static void
- node_free(struct ieee80211_node *ni)
- {
-+#if 0
-+	/* We should 'cleanup' and then free'ing should be done automatically on decref */
- 	struct ieee80211com *ic = ni->ni_ic;
- 
- 	ic->ic_node_cleanup(ni);
-+#endif 
-+	KASSERT(ieee80211_node_refcnt(ni) == 0, ("node being free whilst still referenced"));
-+
-+	if (ni->ni_challenge != NULL) 
-+		FREE(ni->ni_challenge, M_DEVBUF);
- 	if (ni->ni_wpa_ie != NULL)
- 		FREE(ni->ni_wpa_ie, M_DEVBUF);
- 	if (ni->ni_rsn_ie != NULL)
-@@ -831,6 +848,7 @@
- 	if (ni->ni_ath_ie != NULL)
- 		FREE(ni->ni_ath_ie, M_DEVBUF);
- 	IEEE80211_NODE_SAVEQ_DESTROY(ni);
-+	
- 	FREE(ni, M_80211_NODE);
- }
- 
-@@ -847,55 +865,70 @@
-  * This interface is not intended for general use, it is
-  * used by the routines below to create entries with a
-  * specific purpose.
-+ * Dont assume a BSS?
-  */
- struct ieee80211_node *
--ieee80211_alloc_node(struct ieee80211_node_table *nt,
--	struct ieee80211vap *vap, const u_int8_t *macaddr)
-+ieee80211_alloc_node_table(struct ieee80211vap *vap, 
-+	const u_int8_t *macaddr)
- {
--	struct ieee80211com *ic = nt->nt_ic;
-+	struct ieee80211com *ic = vap->iv_ic;
-+	struct ieee80211_node_table *nt = &ic->ic_sta;
- 	struct ieee80211_node *ni;
--	int hash;
- 
--	ni = ic->ic_node_alloc(nt, vap);
--	if (ni == NULL) {
--		/* XXX msg */
--		vap->iv_stats.is_rx_nodealloc++;
--		return NULL;
--	}
-+	ni = ieee80211_alloc_node(vap, macaddr);
-+	if (ni != NULL) {
-+		ni->ni_inact = ni->ni_inact_reload = nt->nt_inact_init;
- 
--	IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE,
--		"%s: %p<%s> in %s table, refcnt %d\n", __func__, ni,
--		ether_sprintf(macaddr), nt->nt_name,
--		ieee80211_node_refcnt(ni)+1);
-+		WME_UAPSD_NODE_TRIGSEQINIT(ni);
-+		IEEE80211_NODE_SAVEQ_INIT(ni, "unknown");
- 
--	IEEE80211_ADDR_COPY(ni->ni_macaddr, macaddr);
--	hash = IEEE80211_NODE_HASH(macaddr);
--	ieee80211_node_initref(ni);		/* mark referenced */
--	ni->ni_chan = IEEE80211_CHAN_ANYC;
--	ni->ni_authmode = IEEE80211_AUTH_OPEN;
--	ni->ni_txpower = ic->ic_txpowlimit;	/* max power */
--	ieee80211_crypto_resetkey(vap, &ni->ni_ucastkey, IEEE80211_KEYIX_NONE);
--	ni->ni_inact_reload = nt->nt_inact_init;
--	ni->ni_inact = ni->ni_inact_reload;
--	ni->ni_ath_defkeyindex = IEEE80211_INVAL_DEFKEY;
--	ni->ni_rxkeyoff = 0;
--	IEEE80211_NODE_SAVEQ_INIT(ni, "unknown");
-+		IEEE80211_NODE_TABLE_LOCK_IRQ(nt);
-+		_node_table_join(nt, ni);
-+		IEEE80211_NODE_TABLE_UNLOCK_IRQ(nt);
-+	}
- 
--	IEEE80211_NODE_LOCK_IRQ(nt);
--	ni->ni_vap = vap;
--	ni->ni_ic = ic;
--	ni->ni_table = nt;
--	TAILQ_INSERT_TAIL(&nt->nt_node, ni, ni_list);
--	LIST_INSERT_HEAD(&nt->nt_hash[hash], ni, ni_hash);
--	ni->ni_rxfrag = NULL;
--	ni->ni_challenge = NULL;
--	IEEE80211_NODE_UNLOCK_IRQ(nt);
-+	return ni;
-+}
-+EXPORT_SYMBOL(ieee80211_alloc_node_table);
-+
-+/* Allocate a node structure and initialise specialised structures
-+ * This function does not add the node to the node table, thus this
-+ * node will not be found using ieee80211_find_*node.
-+ * This is useful when sending one off errors or request denials.
-+ */
-+static struct ieee80211_node *
-+ieee80211_alloc_node(struct ieee80211vap *vap, const u_int8_t *macaddr)
-+{
-+	struct ieee80211com *ic = vap->iv_ic;
-+	struct ieee80211_node *ni;
-+	
-+	/* This always allocates zeroed memoery */
-+	ni = ic->ic_node_alloc(vap);
-+	if (ni != NULL) {
-+		IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE, 
-+		"%s: %p<%s> refcnt %d\n", __func__, ni, ether_sprintf(macaddr), 
-+		ieee80211_node_refcnt(ni)+1);
- 
--	WME_UAPSD_NODE_TRIGSEQINIT(ni);
-+		ieee80211_node_initref(ni);		/* mark referenced */
-+		
-+		IEEE80211_ADDR_COPY(ni->ni_macaddr, macaddr);
-+		
-+		ni->ni_chan = IEEE80211_CHAN_ANYC;
-+		ni->ni_authmode = IEEE80211_AUTH_OPEN;
-+		ni->ni_txpower = ic->ic_txpowlimit;
-+		
-+		ieee80211_crypto_resetkey(vap, &ni->ni_ucastkey,
-+			IEEE80211_KEYIX_NONE);
-+		ni->ni_ath_defkeyindex = IEEE80211_INVAL_DEFKEY;
- 
-+		ni->ni_vap = vap;
-+		ni->ni_ic = ic;
-+	} else {
-+		/* XXX msg */
-+		vap->iv_stats.is_rx_nodealloc++;
-+	}
- 	return ni;
- }
--EXPORT_SYMBOL(ieee80211_alloc_node);
- 
- /* Add wds address to the node table */
- int
-@@ -917,11 +950,11 @@
- 		wds->wds_agingcount = WDS_AGING_COUNT;
- 	hash = IEEE80211_NODE_HASH(macaddr);
- 	IEEE80211_ADDR_COPY(wds->wds_macaddr, macaddr);
--	ieee80211_ref_node(ni);		/* Reference node */
--	wds->wds_ni = ni;
--	IEEE80211_NODE_LOCK_IRQ(nt);
-+	
-+	IEEE80211_NODE_TABLE_LOCK_IRQ(nt);
-+	wds->wds_ni = ieee80211_ref_node(ni);
- 	LIST_INSERT_HEAD(&nt->nt_wds_hash[hash], wds, wds_hash);
--	IEEE80211_NODE_UNLOCK_IRQ(nt);
-+	IEEE80211_NODE_TABLE_UNLOCK_IRQ(nt);
- 	return 0;
- }
- EXPORT_SYMBOL(ieee80211_add_wds_addr);
-@@ -934,22 +967,19 @@
- 	struct ieee80211_wds_addr *wds, *twds;
- 
- 	hash = IEEE80211_NODE_HASH(macaddr);
--	IEEE80211_NODE_LOCK_IRQ(nt);
-+	IEEE80211_NODE_TABLE_LOCK_IRQ(nt);
- 	LIST_FOREACH_SAFE(wds, &nt->nt_wds_hash[hash], wds_hash, twds) {
- 		if (IEEE80211_ADDR_EQ(wds->wds_macaddr, macaddr)) {
--			if (ieee80211_node_dectestref(wds->wds_ni)) {
--				_ieee80211_free_node(wds->wds_ni);
--				LIST_REMOVE(wds, wds_hash);
--				FREE(wds, M_80211_WDS);
--				break;
--			}
-+			LIST_REMOVE(wds, wds_hash);
-+			ieee80211_unref_node(&wds->wds_ni);
-+			FREE(wds, M_80211_WDS);
-+			break;
- 		}
- 	}
--	IEEE80211_NODE_UNLOCK_IRQ(nt);
-+	IEEE80211_NODE_TABLE_UNLOCK_IRQ(nt);
- }
- EXPORT_SYMBOL(ieee80211_remove_wds_addr);
- 
--
- /* Remove node references from wds table */
- void
- ieee80211_del_wds_node(struct ieee80211_node_table *nt, struct ieee80211_node *ni)
-@@ -957,19 +987,17 @@
- 	int hash;
- 	struct ieee80211_wds_addr *wds, *twds;
- 
--	IEEE80211_NODE_LOCK_IRQ(nt);
-+	IEEE80211_NODE_TABLE_LOCK_IRQ(nt);
- 	for (hash = 0; hash < IEEE80211_NODE_HASHSIZE; hash++) {
- 		LIST_FOREACH_SAFE(wds, &nt->nt_wds_hash[hash], wds_hash, twds) {
- 			if (wds->wds_ni == ni) {
--				if (ieee80211_node_dectestref(ni)) {
--					_ieee80211_free_node(ni);
--					LIST_REMOVE(wds, wds_hash);
--					FREE(wds, M_80211_WDS);
--				}
-+				LIST_REMOVE(wds, wds_hash);
-+				ieee80211_unref_node(&wds->wds_ni);
-+				FREE(wds, M_80211_WDS);
- 			}
- 		}
- 	}
--	IEEE80211_NODE_UNLOCK_IRQ(nt);
-+	IEEE80211_NODE_TABLE_UNLOCK_IRQ(nt);
- }
- EXPORT_SYMBOL(ieee80211_del_wds_node);
- 
-@@ -980,88 +1008,46 @@
- 	int hash;
- 	struct ieee80211_wds_addr *wds, *twds;
- 
--	IEEE80211_NODE_LOCK_IRQ(nt);
-+	IEEE80211_NODE_TABLE_LOCK_IRQ(nt);
- 	for (hash = 0; hash < IEEE80211_NODE_HASHSIZE; hash++) {
- 		LIST_FOREACH_SAFE(wds, &nt->nt_wds_hash[hash], wds_hash, twds) {
- 			if (wds->wds_agingcount != WDS_AGING_STATIC) {
- 				if (!wds->wds_agingcount) {
--					if (ieee80211_node_dectestref(wds->wds_ni)) {
--						_ieee80211_free_node(wds->wds_ni);  
--						LIST_REMOVE(wds, wds_hash);
--						FREE(wds, M_80211_WDS);
--					}
-+					LIST_REMOVE(wds, wds_hash);
-+					ieee80211_unref_node(&wds->wds_ni);  
-+					FREE(wds, M_80211_WDS);
- 				} else
- 					wds->wds_agingcount--;
- 			}
- 		}
- 	}
--	IEEE80211_NODE_UNLOCK_IRQ(nt);
-+	IEEE80211_NODE_TABLE_UNLOCK_IRQ(nt);
- 	mod_timer(&nt->nt_wds_aging_timer, jiffies + HZ * WDS_AGING_TIMER_VAL);
- }
- 
- 
- /*
-- * Craft a temporary node suitable for sending a management frame
-- * to the specified station.  We craft only as much state as we
-- * need to do the work since the node will be immediately reclaimed
-- * once the send completes.
-- */
--struct ieee80211_node *
--ieee80211_tmp_node(struct ieee80211vap *vap, const u_int8_t *macaddr)
--{
--	struct ieee80211com *ic = vap->iv_ic;
--	struct ieee80211_node *ni;
--
--	ni = ic->ic_node_alloc(&ic->ic_sta,vap);
--	if (ni != NULL) {
--		IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE, 
--		"%s: %p<%s> refcnt %d\n", __func__, ni, ether_sprintf(macaddr), 
--		ieee80211_node_refcnt(ni)+1);
--
--		IEEE80211_ADDR_COPY(ni->ni_macaddr, macaddr);
--		IEEE80211_ADDR_COPY(ni->ni_bssid, vap->iv_bss->ni_bssid);
--		ieee80211_node_initref(ni);		/* mark referenced */
--		ni->ni_txpower = vap->iv_bss->ni_txpower;
--		ni->ni_vap = vap;
--		/* NB: required by ieee80211_fix_rate */
--		ieee80211_node_set_chan(ic, ni);
--		ieee80211_crypto_resetkey(vap, &ni->ni_ucastkey,
--			IEEE80211_KEYIX_NONE);
--		/* XXX optimize away */
--		IEEE80211_NODE_SAVEQ_INIT(ni, "unknown");
--
--		ni->ni_table = NULL;		/* NB: pedantic */
--		ni->ni_ic = ic;
--		ni->ni_rxfrag = NULL;
--		ni->ni_challenge = NULL;
--	} else {
--		/* XXX msg */
--		vap->iv_stats.is_rx_nodealloc++;
--	}
--	return ni;
--}
--
--/*
-  * Add the specified station to the station table.
-  */
- struct ieee80211_node *
--ieee80211_dup_bss(struct ieee80211vap *vap, const u_int8_t *macaddr)
-+ieee80211_dup_bss(struct ieee80211vap *vap, const u_int8_t *macaddr, 
-+		unsigned char tmp)
- {
--	struct ieee80211com *ic = vap->iv_ic;
- 	struct ieee80211_node *ni;
-+	
-+	/* FIXME: Hack */
-+	if (tmp)
-+		ni = ieee80211_alloc_node(vap, macaddr);
-+	else
-+		ni = ieee80211_alloc_node_table(vap, macaddr);
- 
--	ni = ieee80211_alloc_node(&ic->ic_sta, vap, macaddr);
- 	if (ni != NULL) {
--		/*
--		 * Inherit from iv_bss.
--		 */
--		ni->ni_authmode = vap->iv_bss->ni_authmode;
--		ni->ni_txpower = vap->iv_bss->ni_txpower;
--		ni->ni_vlan = vap->iv_bss->ni_vlan;	/* XXX?? */
-+		copy_bss(ni, vap->iv_bss);
- 		IEEE80211_ADDR_COPY(ni->ni_bssid, vap->iv_bss->ni_bssid);
--		ieee80211_node_set_chan(ic, ni);
--		ni->ni_rsn = vap->iv_bss->ni_rsn;
--		ni->ni_rxfrag = NULL;
-+		/* Do this only for nodes that already have a BSS. Otherwise
-+		 * ic_bsschan is not set and we get a KASSERT failure.
-+		 * Required by ieee80211_fix_rate */
-+		ieee80211_node_set_chan(vap->iv_ic, ni);
- 	}
- 	return ni;
- }
-@@ -1069,19 +1055,16 @@
- static struct ieee80211_node *
- _ieee80211_find_wds_node(struct ieee80211_node_table *nt, const u_int8_t *macaddr)
- {
--	struct ieee80211_node *ni;
- 	struct ieee80211_wds_addr *wds;
- 	int hash;
--	IEEE80211_NODE_LOCK_ASSERT(nt);
-+	IEEE80211_NODE_TABLE_LOCK_ASSERT(nt);
- 
- 	hash = IEEE80211_NODE_HASH(macaddr);
- 	LIST_FOREACH(wds, &nt->nt_wds_hash[hash], wds_hash) {
- 		if (IEEE80211_ADDR_EQ(wds->wds_macaddr, macaddr)) {
--			ni = wds->wds_ni;
- 			if (wds->wds_agingcount != WDS_AGING_STATIC)
- 				wds->wds_agingcount = WDS_AGING_COUNT; /* reset the aging count */
--			ieee80211_ref_node(ni);
--			return ni;
-+			return ieee80211_ref_node(wds->wds_ni);
- 		}
- 	}
- 	return NULL;
-@@ -1099,7 +1082,7 @@
- 	int hash;
- 	struct ieee80211_wds_addr *wds;
- 
--	IEEE80211_NODE_LOCK_ASSERT(nt);
-+	IEEE80211_NODE_TABLE_LOCK_ASSERT(nt);
- 
- 	hash = IEEE80211_NODE_HASH(macaddr);
- 	LIST_FOREACH(ni, &nt->nt_hash[hash], ni_hash) {
-@@ -1120,9 +1103,7 @@
- 	   nodes. */
- 	LIST_FOREACH(wds, &nt->nt_wds_hash[hash], wds_hash) {
- 		if (IEEE80211_ADDR_EQ(wds->wds_macaddr, macaddr)) {
--			ni = wds->wds_ni;
--			ieee80211_ref_node(ni);
--			return ni;
-+			return ieee80211_ref_node(wds->wds_ni);
- 		}
- 	}
- 	return NULL;
-@@ -1137,9 +1118,9 @@
- {
- 	struct ieee80211_node *ni;
- 
--	IEEE80211_NODE_LOCK_IRQ(nt);
-+	IEEE80211_NODE_TABLE_LOCK_IRQ(nt);
- 	ni = _ieee80211_find_wds_node(nt, macaddr);
--	IEEE80211_NODE_UNLOCK_IRQ(nt);
-+	IEEE80211_NODE_TABLE_UNLOCK_IRQ(nt);
- 	return ni;
- }
- EXPORT_SYMBOL(ieee80211_find_wds_node);
-@@ -1154,9 +1135,9 @@
- {
- 	struct ieee80211_node *ni;
- 
--	IEEE80211_NODE_LOCK_IRQ(nt);
-+	IEEE80211_NODE_TABLE_LOCK_IRQ(nt);
- 	ni = _ieee80211_find_node(nt, macaddr);
--	IEEE80211_NODE_UNLOCK_IRQ(nt);
-+	IEEE80211_NODE_TABLE_UNLOCK_IRQ(nt);
- 	return ni;
- }
- #ifdef IEEE80211_DEBUG_REFCNT
-@@ -1179,7 +1160,7 @@
- {
- 	struct ieee80211_node *ni;
- 
--	ni = ieee80211_dup_bss(vap, macaddr);
-+	ni = ieee80211_dup_bss(vap, macaddr, 0);
- 	if (ni != NULL) {
- 		/* XXX no rate negotiation; just dup */
- 		ni->ni_rates = vap->iv_bss->ni_rates;
-@@ -1202,14 +1183,13 @@
-  * driver has an opportunity to setup it's private state.
-  */
- struct ieee80211_node *
--ieee80211_add_neighbor(struct ieee80211vap *vap,	const struct ieee80211_frame *wh,
-+ieee80211_add_neighbor(struct ieee80211vap *vap, const struct ieee80211_frame *wh,
- 	const struct ieee80211_scanparams *sp)
- {
- 	struct ieee80211com *ic = vap->iv_ic;
- 	struct ieee80211_node *ni;
- 
--	ni = ieee80211_dup_bss(vap, wh->i_addr2);	/* XXX alloc_node? */
--	/* TODO: not really putting itself in a table */
-+	ni = ieee80211_dup_bss(vap, wh->i_addr2, 1);
- 	if (ni != NULL) {
- 		ni->ni_esslen = sp->ssid[1];
- 		memcpy(ni->ni_essid, sp->ssid + 2, sp->ssid[1]);
-@@ -1284,12 +1264,12 @@
- 	/* XXX check ic_bss first in station mode */
- 	/* XXX 4-address frames? */
- 	nt = &ic->ic_sta;
--	IEEE80211_NODE_LOCK_IRQ(nt);
-+	IEEE80211_NODE_TABLE_LOCK_IRQ(nt);
- 	if (IS_CTL(wh) && !IS_PSPOLL(wh) /*&& !IS_RTS(ah)*/)
- 		ni = _ieee80211_find_node(nt, wh->i_addr1);
- 	else
- 		ni = _ieee80211_find_node(nt, wh->i_addr2);
--	IEEE80211_NODE_UNLOCK_IRQ(nt);
-+	IEEE80211_NODE_TABLE_UNLOCK_IRQ(nt);
- 
- 	return ni;
- #undef IS_PSPOLL
-@@ -1326,9 +1306,9 @@
- 
- 	/* XXX can't hold lock across dup_bss due to recursive locking */
- 	nt = &vap->iv_ic->ic_sta;
--	IEEE80211_NODE_LOCK_IRQ(nt);
-+	IEEE80211_NODE_TABLE_LOCK_IRQ(nt);
- 	ni = _ieee80211_find_node(nt, mac);
--	IEEE80211_NODE_UNLOCK_IRQ(nt);
-+	IEEE80211_NODE_TABLE_UNLOCK_IRQ(nt);
- 
- 	if (ni == NULL) {
- 		if (vap->iv_opmode == IEEE80211_M_IBSS ||
-@@ -1355,11 +1335,9 @@
- EXPORT_SYMBOL(ieee80211_find_txnode);
- #endif
- 
--/* Caller must lock the IEEE80211_NODE_LOCK
-- *
-- * Context: hwIRQ, softIRQ and process context
-+/* Context: hwIRQ, softIRQ and process context
-  */
--static void
-+void
- _ieee80211_free_node(struct ieee80211_node *ni)
- {
- 	struct ieee80211vap *vap = ni->ni_vap;
-@@ -1373,117 +1351,36 @@
- 
- 	if (vap->iv_aid_bitmap != NULL)
- 		IEEE80211_AID_CLR(vap, ni->ni_associd);
--	if (nt != NULL) {
--		TAILQ_REMOVE(&nt->nt_node, ni, ni_list);
--		LIST_REMOVE(ni, ni_hash);
--	}
-+
- 	vap->iv_ic->ic_node_free(ni);
- }
-+EXPORT_SYMBOL(_ieee80211_free_node);
- 
--void
--#ifdef IEEE80211_DEBUG_REFCNT
--ieee80211_free_node_debug(struct ieee80211_node *ni, const char *func, int line)
--#else
--ieee80211_free_node(struct ieee80211_node *ni)
--#endif
-+static void _reset_node(void *arg, struct ieee80211_node *ni)
- {
--	struct ieee80211_node_table *nt = ni->ni_table;
--	struct ieee80211com *ic = ni->ni_ic;
-+	if (ni->ni_associd != 0) {
-+		struct ieee80211vap *vap = ni->ni_vap;
- 
--#ifdef IEEE80211_DEBUG_REFCNT
--	IEEE80211_DPRINTF(ni->ni_vap, IEEE80211_MSG_NODE,
--		"%s (%s:%u) %p<%s> refcnt %d\n", __func__, func, line, ni,
--		 ether_sprintf(ni->ni_macaddr), ieee80211_node_refcnt(ni) - 1);
--#endif
--	/*
--	 * XXX: may need to lock out the following race. we dectestref
--	 *      and determine it's time to free the node. between the if()
--	 *      and lock, we take an rx intr to receive a frame from this
--	 *      node. the rx path (tasklet or intr) bumps this node's
--	 *      refcnt and xmits a response frame. eventually that response
--	 *      will get reaped, and the reaping code will attempt to use
--	 *      the node. the code below will delete the node prior
--	 *      to the reap and we could get a crash.
--	 *
--	 *      as a stopgap before delving deeper, lock intrs to
--	 *      prevent this case.
--	 */
--	IEEE80211_LOCK_IRQ(ic);
--	if (ieee80211_node_dectestref(ni)) {
--		/*
--		 * Beware; if the node is marked gone then it's already
--		 * been removed from the table and we cannot assume the
--		 * table still exists.  Regardless, there's no need to lock
--		 * the table.
--		 */
--		if (ni->ni_table != NULL) {
--			IEEE80211_NODE_LOCK(nt);
--			_ieee80211_free_node(ni);
--			IEEE80211_NODE_UNLOCK(nt);
--		} else
--			_ieee80211_free_node(ni);
-+		if (vap->iv_auth->ia_node_leave != NULL)
-+			vap->iv_auth->ia_node_leave(ni);
-+		if (vap->iv_aid_bitmap != NULL)
-+			IEEE80211_AID_CLR(vap, ni->ni_associd);
- 	}
--	IEEE80211_UNLOCK_IRQ(ic);
--}
--#ifdef IEEE80211_DEBUG_REFCNT
--EXPORT_SYMBOL(ieee80211_free_node_debug);
--#else
--EXPORT_SYMBOL(ieee80211_free_node);
--#endif
--
--/*
-- * Reclaim a node.  If this is the last reference count then
-- * do the normal free work.  Otherwise remove it from the node
-- * table and mark it gone by clearing the back-reference.
-- */
--static void
--node_reclaim(struct ieee80211_node_table *nt, struct ieee80211_node *ni)
--{
- 
--	IEEE80211_DPRINTF(ni->ni_vap, IEEE80211_MSG_NODE,
--		"%s: remove %p<%s> from %s table, refcnt %d\n",
--		__func__, ni, ether_sprintf(ni->ni_macaddr),
--		nt->nt_name, ieee80211_node_refcnt(ni)-1);
--	if (!ieee80211_node_dectestref(ni)) {
--		/*
--		 * Other references are present, just remove the
--		 * node from the table so it cannot be found.  When
--		 * the references are dropped storage will be
--		 * reclaimed.  This normally only happens for ic_bss.
--		 */
--		TAILQ_REMOVE(&nt->nt_node, ni, ni_list);
--		LIST_REMOVE(ni, ni_hash);
--		ni->ni_table = NULL;		/* clear reference */
--	} else
--		_ieee80211_free_node(ni);
-+	ieee80211_node_leave(ni);
- }
- 
- static void
- ieee80211_node_table_reset(struct ieee80211_node_table *nt,
--	struct ieee80211vap *match)
-+	struct ieee80211vap *vap)
- {
--	struct ieee80211_node *ni, *next;
--
--	IEEE80211_NODE_LOCK_IRQ(nt);
--	TAILQ_FOREACH_SAFE(ni, &nt->nt_node, ni_list, next) {
--		if (match != NULL && ni->ni_vap != match)
--			continue;
--		if (ni->ni_associd != 0) {
--			struct ieee80211vap *vap = ni->ni_vap;
--
--			if (vap->iv_auth->ia_node_leave != NULL)
--				vap->iv_auth->ia_node_leave(ni);
--			if (vap->iv_aid_bitmap != NULL)
--				IEEE80211_AID_CLR(vap, ni->ni_associd);
--		}
--		node_reclaim(nt, ni);
--	}
--	IEEE80211_NODE_UNLOCK_IRQ(nt);
-+	ieee80211_iterate_dev_nodes(vap->iv_dev, nt, _reset_node, NULL);
- }
- 
- static void
- ieee80211_node_table_cleanup(struct ieee80211_node_table *nt)
- {
-+	struct ieee80211com *ic = nt->nt_ic;
- 	struct ieee80211_node *ni, *next;
- 
- 	TAILQ_FOREACH_SAFE(ni, &nt->nt_node, ni_list, next) {
-@@ -1495,11 +1392,11 @@
- 			if (vap->iv_aid_bitmap != NULL)
- 				IEEE80211_AID_CLR(vap, ni->ni_associd);
- 		}
--		node_reclaim(nt, ni);
-+		ic->ic_node_cleanup(ni);
- 	}
- 	del_timer(&nt->nt_wds_aging_timer);
- 	IEEE80211_SCAN_LOCK_DESTROY(nt);
--	IEEE80211_NODE_LOCK_DESTROY(nt);
-+	IEEE80211_NODE_TABLE_LOCK_DESTROY(nt);
- }
- 
- /*
-@@ -1527,19 +1424,22 @@
- 	IEEE80211_SCAN_LOCK_IRQ(nt); 
- 	gen = ++nt->nt_scangen;
- restart:
--	IEEE80211_NODE_LOCK_IRQ(nt);
-+	IEEE80211_NODE_TABLE_LOCK_IRQ(nt);
- 	TAILQ_FOREACH(ni, &nt->nt_node, ni_list) {
- 		if (ni->ni_scangen == gen)	/* previously handled */
- 			continue;
-+		/* Temporary entries should no longer be in the node table */
- 		/*
- 		 * Ignore entries for which have yet to receive an
- 		 * authentication frame.  These are transient and
- 		 * will be reclaimed when the last reference to them
- 		 * goes away (when frame xmits complete).
- 		 */
--		if (ic->ic_opmode == IEEE80211_M_HOSTAP &&
--		    (ni->ni_flags & IEEE80211_NODE_AREF) == 0)
--			continue;
-+		/*
-+		 *if (ic->ic_opmode == IEEE80211_M_HOSTAP &&
-+		 *   (ni->ni_flags & IEEE80211_NODE_AREF) == 0)
-+		 *	continue;
-+		 */
- 		ni->ni_scangen = gen;
- 		/*
- 		 * Free fragment if not needed anymore
-@@ -1591,7 +1491,7 @@
- 				 * ref for us as needed.
- 				 */
- 				ieee80211_ref_node(ni);
--				IEEE80211_NODE_UNLOCK_IRQ_EARLY(nt);
-+				IEEE80211_NODE_TABLE_UNLOCK_IRQ_EARLY(nt);
- 				ieee80211_send_nulldata(ni);
- 				/* XXX stat? */
- 				goto restart;
-@@ -1614,18 +1514,18 @@
- 			 */
- 			ni->ni_vap->iv_stats.is_node_timeout++;
- 			ieee80211_ref_node(ni);
--			IEEE80211_NODE_UNLOCK_IRQ_EARLY(nt);
-+			IEEE80211_NODE_TABLE_UNLOCK_IRQ_EARLY(nt);
- 			if (ni->ni_associd != 0) {
- 				IEEE80211_SEND_MGMT(ni,
- 					IEEE80211_FC0_SUBTYPE_DEAUTH,
- 					IEEE80211_REASON_AUTH_EXPIRE);
- 			}
- 			ieee80211_node_leave(ni);
--			ieee80211_free_node(ni);
-+			ieee80211_unref_node(&ni);
- 			goto restart;
- 		}
- 	}
--	IEEE80211_NODE_UNLOCK_IRQ(nt);
-+	IEEE80211_NODE_TABLE_UNLOCK_IRQ(nt);
- 
- 	IEEE80211_SCAN_UNLOCK_IRQ(nt);
- }
-@@ -1660,21 +1560,23 @@
- 
- 	IEEE80211_SCAN_LOCK_IRQ(nt);
- 	gen = ++nt->nt_scangen;
-+	
- restart:
--	IEEE80211_NODE_LOCK(nt);
-+	IEEE80211_NODE_TABLE_LOCK_IRQ(nt);
- 	TAILQ_FOREACH(ni, &nt->nt_node, ni_list) {
- 		if (dev != NULL && ni->ni_vap->iv_dev != dev) 
- 			continue;  /* skip node not for this vap */
- 		if (ni->ni_scangen != gen) {
- 			ni->ni_scangen = gen;
- 			(void) ieee80211_ref_node(ni);
--			IEEE80211_NODE_UNLOCK(nt);
-+			IEEE80211_NODE_TABLE_UNLOCK_IRQ_EARLY(nt);
- 			(*f)(arg, ni);
--			ieee80211_free_node(ni);
-+			
-+			ieee80211_unref_node(&ni);
- 			goto restart;
- 		}
- 	}
--	IEEE80211_NODE_UNLOCK(nt);
-+	IEEE80211_NODE_TABLE_UNLOCK_IRQ(nt);
- 
- 	IEEE80211_SCAN_UNLOCK_IRQ(nt);
- }
-@@ -1948,9 +1850,20 @@
- 		"station with aid %d leaves (refcnt %u)",
- 		IEEE80211_NODE_AID(ni), ieee80211_node_refcnt(ni));
- 
-+	/* From this point onwards we can no longer find the node,
-+	 * so no more references are generated
-+	 */
-+	ieee80211_remove_wds_addr(nt, ni->ni_macaddr);
-+	ieee80211_del_wds_node(nt, ni);
-+	IEEE80211_NODE_TABLE_LOCK_IRQ(nt);
-+	_node_table_leave(nt, ni);
-+	IEEE80211_NODE_TABLE_UNLOCK_IRQ(nt);
-+
- 	/*
- 	 * If node wasn't previously associated all
- 	 * we need to do is reclaim the reference.
-+	 * This also goes for nodes that are auth'ed but
-+	 * not associated.
- 	 */
- 	/* XXX ibss mode bypasses 11g and notification */
- 	if (ni->ni_associd == 0)
-@@ -1968,9 +1881,11 @@
- 	IEEE80211_LOCK_IRQ(ic);
- 	if (vap->iv_aid_bitmap != NULL)
- 		IEEE80211_AID_CLR(vap, ni->ni_associd);
-+
- 	ni->ni_associd = 0;
- 	vap->iv_sta_assoc--;
- 	ic->ic_sta_assoc--;
-+
- #ifdef ATH_SUPERG_XR
- 	if (ni->ni_vap->iv_flags & IEEE80211_F_XR)
- 		ic->ic_xr_sta_assoc--;
-@@ -1981,6 +1896,7 @@
- 	if (IEEE80211_IS_CHAN_ANYG(ic->ic_bsschan))
- 		ieee80211_node_leave_11g(ni);
- 	IEEE80211_UNLOCK_IRQ(ic);
-+
- 	/*
- 	 * Cleanup station state.  In particular clear various
- 	 * state that might otherwise be reused if the node
-@@ -1990,19 +1906,10 @@
- 	ieee80211_sta_leave(ni);
- done:
- 	/*
--	 * Remove the node from any table it's recorded in and
--	 * drop the caller's reference.  Removal from the table
--	 * is important to ensure the node is not reprocessed
--	 * for inactivity.
--	 */
--	if (nt != NULL) {
--		IEEE80211_NODE_LOCK_IRQ(nt);
--		node_reclaim(nt, ni);
--		IEEE80211_NODE_UNLOCK_IRQ(nt);
--		ieee80211_remove_wds_addr(nt,ni->ni_macaddr);
--		ieee80211_del_wds_node(nt,ni);
--	} else
--		ieee80211_free_node(ni);
-+	 * Run a cleanup and then drop the caller's reference
-+	 */
-+	ic->ic_node_cleanup(ni);
-+	ieee80211_unref_node(&ni);
- }
- EXPORT_SYMBOL(ieee80211_node_leave);
- 
-@@ -2062,25 +1969,8 @@
- void
- ieee80211_node_reset(struct ieee80211_node *ni, struct ieee80211vap *vap)
- {
--	if (ni != NULL) {
--		struct ieee80211_node_table *nt = ni->ni_table;
--		if (!nt)
--			nt = &vap->iv_ic->ic_sta;
--		IEEE80211_ADDR_COPY(ni->ni_bssid, vap->iv_bss->ni_bssid);
--		ni->ni_prev_vap = ni->ni_vap;
--		ni->ni_vap = vap;
--		ni->ni_ic = vap->iv_ic;
--		/* 
--		 * if node not found in the node table
--		 * add it to the node table .
--		 */
--		if(nt && ieee80211_find_node(nt, ni->ni_macaddr) != ni) {
--			int hash = IEEE80211_NODE_HASH(ni->ni_macaddr);
--			IEEE80211_NODE_LOCK_IRQ(nt);
--			TAILQ_INSERT_TAIL(&nt->nt_node, ni, ni_list);
--			LIST_INSERT_HEAD(&nt->nt_hash[hash], ni, ni_hash);
--			ni->ni_table = nt;
--			IEEE80211_NODE_UNLOCK_IRQ(nt);
--		}
--	}
-+	IEEE80211_ADDR_COPY(ni->ni_bssid, vap->iv_bss->ni_bssid);
-+	ni->ni_prev_vap = ni->ni_vap;
-+	ni->ni_vap = vap;
-+	ni->ni_ic = vap->iv_ic;
- }
-diff -ur madwifi.old/net80211/ieee80211_node.h madwifi.dev/net80211/ieee80211_node.h
---- madwifi.old/net80211/ieee80211_node.h	2007-03-06 11:59:28.000000000 +0100
-+++ madwifi.dev/net80211/ieee80211_node.h	2007-05-21 08:10:46.869753416 +0200
-@@ -52,14 +52,14 @@
-  * authorized.  The latter timeout is shorter to more aggressively
-  * reclaim nodes that leave part way through the 802.1x exchange.
-  */
--#define	IEEE80211_INACT_WAIT	15		/* inactivity interval (secs) */
-+#define	IEEE80211_INACT_WAIT	15				/* inactivity interval (secs) */
- #define	IEEE80211_INACT_INIT	(30/IEEE80211_INACT_WAIT)	/* initial */
- #define	IEEE80211_INACT_AUTH	(180/IEEE80211_INACT_WAIT)	/* associated but not authorized */
- #define	IEEE80211_INACT_RUN	(300/IEEE80211_INACT_WAIT)	/* authorized */
- #define	IEEE80211_INACT_PROBE	(30/IEEE80211_INACT_WAIT)	/* probe */
- #define	IEEE80211_INACT_SCAN	(300/IEEE80211_INACT_WAIT)	/* scanned */
- 
--#define	IEEE80211_TRANS_WAIT 	5		/* mgt frame tx timer (secs) */
-+#define	IEEE80211_TRANS_WAIT 	5				/* mgt frame tx timer (secs) */
- 
- #define	IEEE80211_NODE_HASHSIZE	32
- /* simple hash is enough for variation of macaddr */
-@@ -94,7 +94,8 @@
- 	struct ieee80211_node_table *ni_table;
- 	TAILQ_ENTRY(ieee80211_node) ni_list;
- 	LIST_ENTRY(ieee80211_node) ni_hash;
--	atomic_t ni_refcnt;
-+	// ieee80211_node_lock_t ni_nodelock;	/* on node - notably for ref counting */
-+	ieee80211_node_ref_count_t ni_refcnt;
- 	u_int ni_scangen;			/* gen# for timeout scan */
- 	u_int8_t ni_authmode;			/* authentication algorithm */
- 	u_int16_t ni_flags;			/* special-purpose state */
-@@ -121,13 +122,13 @@
- 	u_int16_t ni_associd;			/* assoc response */
- 	u_int16_t ni_txpower;			/* current transmit power (in 0.5 dBm) */
- 	u_int16_t ni_vlan;			/* vlan tag */
--	u_int32_t *ni_challenge;			/* shared-key challenge */
-+	u_int32_t *ni_challenge;		/* shared-key challenge */
- 	u_int8_t *ni_wpa_ie;			/* captured WPA ie */
- 	u_int8_t *ni_rsn_ie;			/* captured RSN ie */
- 	u_int8_t *ni_wme_ie;			/* captured WME ie */
- 	u_int8_t *ni_ath_ie;			/* captured Atheros ie */
--	u_int16_t ni_txseqs[17];			/* tx seq per-tid */
--	u_int16_t ni_rxseqs[17];			/* rx seq previous per-tid*/
-+	u_int16_t ni_txseqs[17];		/* tx seq per-tid */
-+	u_int16_t ni_rxseqs[17];		/* rx seq previous per-tid*/
- 	u_int32_t ni_rxfragstamp;		/* time stamp of last rx frag */
- 	struct sk_buff *ni_rxfrag;		/* rx frag reassembly */
- 	struct ieee80211_rsnparms ni_rsn;	/* RSN/WPA parameters */
-@@ -156,7 +157,7 @@
- 	struct ieee80211_channel *ni_chan;
- 	u_int16_t ni_fhdwell;			/* FH only */
- 	u_int8_t ni_fhindex;			/* FH only */
--	u_int8_t ni_erp;				/* ERP from beacon/probe resp */
-+	u_int8_t ni_erp;			/* ERP from beacon/probe resp */
- 	u_int16_t ni_timoff;			/* byte offset to TIM ie */
- 
- 	/* others */
-@@ -168,7 +169,7 @@
- 	struct ieee80211vap *ni_prev_vap;  	/* previously associated vap */
- 	u_int8_t ni_uapsd;			/* U-APSD per-node flags matching WMM STA Qos Info field */
- 	u_int8_t ni_uapsd_maxsp; 		/* maxsp from flags above */
--	u_int16_t ni_uapsd_trigseq[WME_NUM_AC]; 	/* trigger suppression on retry */
-+	u_int16_t ni_uapsd_trigseq[WME_NUM_AC];	/* trigger suppression on retry */
- 	__le16 ni_pschangeseq;
- };
- MALLOC_DECLARE(M_80211_NODE);
-@@ -186,20 +187,6 @@
- #define WME_UAPSD_NODE_INVALIDSEQ	0xffff
- #define WME_UAPSD_NODE_TRIGSEQINIT(_ni)	(memset(&(_ni)->ni_uapsd_trigseq[0], 0xff, sizeof((_ni)->ni_uapsd_trigseq)))
- 
--static __inline struct ieee80211_node *
--ieee80211_ref_node(struct ieee80211_node *ni)
--{
--	ieee80211_node_incref(ni);
--	return ni;
--}
--
--static __inline void
--ieee80211_unref_node(struct ieee80211_node **ni)
--{
--	ieee80211_node_decref(*ni);
--	*ni = NULL;			/* guard against use */
--}
--
- void ieee80211_node_attach(struct ieee80211com *);
- void ieee80211_node_detach(struct ieee80211com *);
- void ieee80211_node_vattach(struct ieee80211vap *);
-@@ -242,43 +229,39 @@
-  * is a second table for associated stations or neighbors.
-  */
- struct ieee80211_node_table {
-+	const char *nt_name;			/* for debugging */
- 	struct ieee80211com *nt_ic;		/* back reference */
--	ieee80211_node_lock_t nt_nodelock;	/* on node table */
-+	ieee80211_node_table_lock_t nt_nodelock;	/* on node table */
- 	TAILQ_HEAD(, ieee80211_node) nt_node;	/* information of all nodes */
- 	ATH_LIST_HEAD(, ieee80211_node) nt_hash[IEEE80211_NODE_HASHSIZE];
- 	ATH_LIST_HEAD(, ieee80211_wds_addr) nt_wds_hash[IEEE80211_NODE_HASHSIZE];
--	const char *nt_name;			/* for debugging */
- 	ieee80211_scan_lock_t nt_scanlock;	/* on nt_scangen */
- 	u_int nt_scangen;			/* gen# for timeout scan */
- 	int nt_inact_init;			/* initial node inact setting */
- 	struct timer_list nt_wds_aging_timer;	/* timer to age out wds entries */
- };
- 
--struct ieee80211_node *ieee80211_alloc_node(struct ieee80211_node_table *,
--	struct ieee80211vap *, const u_int8_t *);
--struct ieee80211_node *ieee80211_tmp_node(struct ieee80211vap *,
--	const u_int8_t *);
--struct ieee80211_node *ieee80211_dup_bss(struct ieee80211vap *,
-+struct ieee80211_node *ieee80211_alloc_node_table(struct ieee80211vap *,
- 	const u_int8_t *);
-+struct ieee80211_node *ieee80211_dup_bss(struct ieee80211vap *, 
-+	const u_int8_t *, unsigned char);
- void ieee80211_node_reset(struct ieee80211_node *, struct ieee80211vap *);
- #ifdef IEEE80211_DEBUG_REFCNT
--void ieee80211_free_node_debug(struct ieee80211_node *, const char *, int);
- struct ieee80211_node *ieee80211_find_node_debug(struct ieee80211_node_table *,
- 	const u_int8_t *, const char *, int);
- struct ieee80211_node *ieee80211_find_rxnode_debug(struct ieee80211com *,
- 	const struct ieee80211_frame_min *, const char *, int);
- struct ieee80211_node *ieee80211_find_txnode_debug(struct ieee80211vap *,
- 	const u_int8_t *, const char *, int);
--#define	ieee80211_free_node(ni) \
--	ieee80211_free_node_debug(ni, __func__, __LINE__)
--#define	ieee80211_find_node(nt, mac) \
--	ieee80211_find_node_debug(nt, mac, __func__, __LINE__)
--#define	ieee80211_find_rxnode(nt, wh) \
--	ieee80211_find_rxnode_debug(nt, wh, __func__, __LINE__)
--#define	ieee80211_find_txnode(nt, mac) \
--	ieee80211_find_txnode_debug(nt, mac, __func__, __LINE__)
-+#define	ieee80211_unref_node(_ni) \
-+	ieee80211_unref_node_debug(_ni, __func__, __LINE__)
-+#define	ieee80211_find_node(_nt, _mac) \
-+	ieee80211_find_node_debug(_nt, _mac, __func__, __LINE__)
-+#define	ieee80211_find_rxnode(_nt, _wh) \
-+	ieee80211_find_rxnode_debug(_nt, _wh, __func__, __LINE__)
-+#define	ieee80211_find_txnode(_nt, _mac) \
-+	ieee80211_find_txnode_debug(_nt, _mac, __func__, __LINE__)
- #else
--void ieee80211_free_node(struct ieee80211_node *);
- 
- struct ieee80211_node *ieee80211_find_node(struct ieee80211_node_table *,
- 	const u_int8_t *);
-@@ -287,6 +270,53 @@
- struct ieee80211_node *ieee80211_find_txnode(struct ieee80211vap *,
- 	const u_int8_t *);
- #endif
-+
-+void _ieee80211_free_node(struct ieee80211_node *);
-+
-+static __inline struct ieee80211_node *
-+ieee80211_ref_node(struct ieee80211_node *ni)
-+{
-+	ieee80211_node_incref(ni);
-+	return ni;
-+}
-+
-+static __inline struct ieee80211_node *
-+_ieee80211_pass_node(struct ieee80211_node **pni) {
-+	struct ieee80211_node *tmp = *pni;
-+	*pni = NULL;
-+	return (tmp);
-+}
-+
-+#define PASS_NODE(_ni) \
-+	_ieee80211_pass_node(&_ni)
-+
-+static __inline int
-+_ieee80211_unref_node(struct ieee80211_node *ni) {
-+	if (ieee80211_node_dectestref(ni)) {
-+		_ieee80211_free_node(ni);
-+		return 1;
-+	} else {
-+		return 0;
-+	}
-+}
-+
-+static __inline void
-+#ifdef IEEE80211_DEBUG_REFCNT
-+ieee80211_unref_node_debug(struct ieee80211_node **pni, const char *func, int line)
-+#else
-+ieee80211_unref_node(struct ieee80211_node **pni)
-+#endif
-+{	
-+	struct ieee80211_node *ni = *pni;
-+#ifdef IEEE80211_DEBUG_REFCNT
-+	IEEE80211_DPRINTF(ni->ni_vap, IEEE80211_MSG_NODE,
-+		"%s (%s:%u) %p<%s> refcnt %d\n", __func__, func, line, ni,
-+		 ether_sprintf(ni->ni_macaddr), ieee80211_node_refcnt(ni) - 1);
-+#endif
-+	_ieee80211_unref_node(ni); 
-+	*pni = NULL;			/* guard against use */
-+}
-+
- int ieee80211_add_wds_addr(struct ieee80211_node_table *, struct ieee80211_node *,
- 	const u_int8_t *, u_int8_t);
- void ieee80211_remove_wds_addr(struct ieee80211_node_table *, const u_int8_t *);
-diff -ur madwifi.old/net80211/ieee80211_output.c madwifi.dev/net80211/ieee80211_output.c
---- madwifi.old/net80211/ieee80211_output.c	2007-05-18 13:19:16.000000000 +0200
-+++ madwifi.dev/net80211/ieee80211_output.c	2007-05-21 08:10:46.870753264 +0200
-@@ -254,7 +254,7 @@
- 		goto bad;
- 	}
- 	
--	cb->ni = ni;
-+	cb->ni = ieee80211_ref_node(ni);
- 	
- 	/* power-save checks */
- 	if (WME_UAPSD_AC_CAN_TRIGGER(skb->priority, ni)) {
-@@ -293,13 +293,14 @@
- 	}
- #endif
- 	ieee80211_parent_queue_xmit(skb);
-+	ieee80211_unref_node(&ni);
- 	return 0;
- 
- bad:
- 	if (skb != NULL)
- 		dev_kfree_skb(skb);
- 	if (ni != NULL)
--		ieee80211_free_node(ni);
-+		ieee80211_unref_node(&ni);
- 	return 0;
- }
- 
-@@ -453,7 +454,7 @@
- 	if (skb == NULL) {
- 		/* XXX debug msg */
- 		vap->iv_stats.is_tx_nobuf++;
--		ieee80211_free_node(ni);
-+		ieee80211_unref_node(&ni);
- 		return -ENOMEM;
- 	}
- 	cb = (struct ieee80211_cb *)skb->cb;
-@@ -507,16 +508,14 @@
- 	u_int8_t *frm;
- 	int tid;
- 
--	ieee80211_ref_node(ni);
- 	skb = ieee80211_getmgtframe(&frm, 2);
- 	if (skb == NULL) {
- 		/* XXX debug msg */
- 		vap->iv_stats.is_tx_nobuf++;
--		ieee80211_free_node(ni);
- 		return -ENOMEM;
- 	}
- 	cb = (struct ieee80211_cb *)skb->cb;
--	cb->ni = ni;
-+	cb->ni = ieee80211_ref_node(ni);
- 
- 	skb->priority = ac;
- 	qwh = (struct ieee80211_qosframe *)skb_push(skb, sizeof(struct ieee80211_qosframe));
-@@ -865,7 +864,7 @@
- 				nt = &ic->ic_sta;
- 				ni_wds = ieee80211_find_wds_node(nt, eh.ether_shost);
- 				if (ni_wds)
--					ieee80211_free_node(ni_wds); /* Decr ref count */
-+					ieee80211_unref_node(&ni_wds); /* Decr ref count */
- 				else
- 					ieee80211_add_wds_addr(nt, ni, eh.ether_shost, 0);
- 			}
-@@ -1719,7 +1718,6 @@
- 		__func__, __LINE__,
- 		ni, ether_sprintf(ni->ni_macaddr),
- 		ieee80211_node_refcnt(ni) + 1);
--	ieee80211_ref_node(ni);
- 
- 	/*
- 	 * prreq frame format
-@@ -1735,7 +1733,6 @@
- 	       vap->app_ie[IEEE80211_APPIE_FRAME_PROBE_REQ].length);
- 	if (skb == NULL) {
- 		vap->iv_stats.is_tx_nobuf++;
--		ieee80211_free_node(ni);
- 		return -ENOMEM;
- 	}
- 
-@@ -1758,7 +1755,7 @@
- 	skb_trim(skb, frm - skb->data);
- 
- 	cb = (struct ieee80211_cb *)skb->cb;
--	cb->ni = ni;
-+	cb->ni = ieee80211_ref_node(ni);
- 
- 	wh = (struct ieee80211_frame *)
- 		skb_push(skb, sizeof(struct ieee80211_frame));
-@@ -2234,7 +2231,7 @@
- 		mod_timer(&vap->iv_mgtsend, jiffies + timer * HZ);
- 	return 0;
- bad:
--	ieee80211_free_node(ni);
-+	ieee80211_unref_node(&ni);
- 	return ret;
- #undef senderr
- }
-diff -ur madwifi.old/net80211/ieee80211_power.c madwifi.dev/net80211/ieee80211_power.c
---- madwifi.old/net80211/ieee80211_power.c	2007-05-18 13:19:16.000000000 +0200
-+++ madwifi.dev/net80211/ieee80211_power.c	2007-05-21 08:10:46.870753264 +0200
-@@ -109,13 +109,15 @@
- int
- ieee80211_node_saveq_drain(struct ieee80211_node *ni)
- {
-+	struct ieee80211_cb *cb = NULL;
- 	struct sk_buff *skb;
- 	int qlen;
- 
- 	IEEE80211_NODE_SAVEQ_LOCK(ni);
- 	qlen = skb_queue_len(&ni->ni_savedq);
- 	while ((skb = __skb_dequeue(&ni->ni_savedq)) != NULL) {
--		ieee80211_free_node(ni);
-+		cb = (struct ieee80211_cb *) skb->cb;
-+		ieee80211_unref_node(&cb->ni);
- 		dev_kfree_skb_any(skb);
- 	}
- 	IEEE80211_NODE_SAVEQ_UNLOCK(ni);
-diff -ur madwifi.old/net80211/ieee80211_proto.c madwifi.dev/net80211/ieee80211_proto.c
---- madwifi.old/net80211/ieee80211_proto.c	2006-12-08 18:20:08.000000000 +0100
-+++ madwifi.dev/net80211/ieee80211_proto.c	2007-05-21 08:10:46.871753112 +0200
-@@ -1456,7 +1456,7 @@
- 				 */				
- 				if (vap->iv_opmode == IEEE80211_M_WDS) {
- 					struct ieee80211_node *wds_ni;
--					wds_ni = ieee80211_alloc_node(&ic->ic_sta, vap, vap->wds_mac);
-+					wds_ni = ieee80211_alloc_node_table(vap, vap->wds_mac);
- 					if (wds_ni != NULL) {
- 						if (ieee80211_add_wds_addr(&ic->ic_sta, wds_ni, vap->wds_mac, 1) == 0) {
- 							ieee80211_node_authorize(wds_ni);
-diff -ur madwifi.old/net80211/ieee80211_var.h madwifi.dev/net80211/ieee80211_var.h
---- madwifi.old/net80211/ieee80211_var.h	2007-05-18 13:19:16.000000000 +0200
-+++ madwifi.dev/net80211/ieee80211_var.h	2007-05-21 08:12:01.499407984 +0200
-@@ -44,6 +44,8 @@
- 
- #include <sys/queue.h>
- 
-+struct ieee80211vap;
-+
- #include <net80211/_ieee80211.h>
- #include <net80211/ieee80211.h>
- #include <net80211/ieee80211_crypto.h>
-@@ -115,7 +117,6 @@
-  * the underlying device and the net80211 layer is exposed here;
-  * e.g. device-specific callbacks.
-  */
--struct ieee80211vap;
- 
- struct ieee80211com {
- 	struct net_device *ic_dev;		/* associated device */
-@@ -236,8 +237,7 @@
- 	/* new station association callback/notification */
- 	void (*ic_newassoc)(struct ieee80211_node *, int);
- 	/* node state management */
--	struct ieee80211_node *(*ic_node_alloc)(struct ieee80211_node_table *,
--		struct ieee80211vap *);
-+	struct ieee80211_node *(*ic_node_alloc)(struct ieee80211vap *);
- 	void (*ic_node_free)(struct ieee80211_node *);
- 	void (*ic_node_cleanup)(struct ieee80211_node *);
- 	u_int8_t (*ic_node_getrssi)(const struct ieee80211_node *);
-diff -ur madwifi.old/net80211/ieee80211_wireless.c madwifi.dev/net80211/ieee80211_wireless.c
---- madwifi.old/net80211/ieee80211_wireless.c	2007-05-18 13:19:16.000000000 +0200
-+++ madwifi.dev/net80211/ieee80211_wireless.c	2007-05-21 08:10:46.874752656 +0200
-@@ -3186,7 +3186,7 @@
- 		error = -ENXIO;
- 	ieee80211_key_update_end(vap);
- 	if (ni != NULL)
--		ieee80211_free_node(ni);
-+		ieee80211_unref_node(&ni);
- #ifdef ATH_SUPERG_XR
- 	/* set the same params on the xr vap device if exists */
- 	if (vap->iv_xrvap && !(vap->iv_flags & IEEE80211_F_XR))
-@@ -3246,7 +3246,7 @@
- 		memset(ik.ik_keydata, 0, sizeof(ik.ik_keydata));
- 	}
- 	if (ni != NULL)
--		ieee80211_free_node(ni);
-+		ieee80211_unref_node(&ni);
- 	return (copy_to_user(iwr->u.data.pointer, &ik, sizeof(ik)) ? -EFAULT : 0);
- }
- 
-@@ -3271,7 +3271,7 @@
- 			return -ENOENT; /* No such entity is a more appropriate error */
- 		/* XXX error return */
- 		ieee80211_crypto_delkey(vap, &ni->ni_ucastkey, ni);
--		ieee80211_free_node(ni);
-+		ieee80211_unref_node(&ni);
- 	} else {
- 		if (kix >= IEEE80211_WEP_NKID)
- 			return -EINVAL;
-@@ -3382,7 +3382,7 @@
- 					return -EINVAL;
- 				if (dev == ni->ni_vap->iv_dev)
- 					domlme(mlme, ni);
--				ieee80211_free_node(ni);
-+				ieee80211_unref_node(&ni);
- 			} else
- 				ieee80211_iterate_dev_nodes(dev, &ic->ic_sta, domlme, mlme);
- 			break;
-@@ -3401,7 +3401,7 @@
- 			ieee80211_node_authorize(ni);
- 		else
- 			ieee80211_node_unauthorize(ni);
--		ieee80211_free_node(ni);
-+		ieee80211_unref_node(&ni);
- 		break;
- 	case IEEE80211_MLME_CLEAR_STATS:
- 		if (vap->iv_opmode != IEEE80211_M_HOSTAP)
-@@ -3412,7 +3412,7 @@
- 		
- 		/* clear statistics */
- 		memset(&ni->ni_stats, 0, sizeof(struct ieee80211_nodestats));
--		ieee80211_free_node(ni);
-+		ieee80211_unref_node(&ni);
- 		break;
- 	default:
- 		return -EINVAL;
-@@ -3785,7 +3785,7 @@
- 			ielen = sizeof(wpaie.rsn_ie);
- 		memcpy(wpaie.rsn_ie, ni->ni_rsn_ie, ielen);
- 	}
--	ieee80211_free_node(ni);
-+	ieee80211_unref_node(&ni);
- 	return (copy_to_user(iwr->u.data.pointer, &wpaie, sizeof(wpaie)) ?
- 		-EFAULT : 0);
- }
-@@ -3813,7 +3813,7 @@
- 	/* NB: copy out only the statistics */
- 	error = copy_to_user(iwr->u.data.pointer + off, &ni->ni_stats,
- 		iwr->u.data.length - off);
--	ieee80211_free_node(ni);
-+	ieee80211_unref_node(&ni);
- 	return (error ? -EFAULT : 0);
- }
- 

package/madwifi/patches/119-secfix_PR_1335.patch

@@ -0,0 +1,49 @@
+diff -ur madwifi.old/net80211/ieee80211_input.c madwifi.dev/net80211/ieee80211_input.c
+--- madwifi.old/net80211/ieee80211_input.c	2007-05-21 17:53:39.000000000 +0200
++++ madwifi.dev/net80211/ieee80211_input.c	2007-05-23 16:50:21.097957392 +0200
+@@ -695,13 +695,31 @@
+ 
+ 			/* NB: assumes linear (i.e., non-fragmented) skb */
+ 
++			/* check length > header */
++			if (skb->len < sizeof(struct ether_header) + LLC_SNAPFRAMELEN
++			    + roundup(sizeof(struct athl2p_tunnel_hdr) - 2, 4) + 2) {
++				IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
++					ni->ni_macaddr, "data", "%s", "decap error");
++					vap->iv_stats.is_rx_decap++;
++				IEEE80211_NODE_STAT(ni, rx_decap);
++				goto err;
++			}
++
+ 			/* get to the tunneled headers */
+ 			ath_hdr = (struct athl2p_tunnel_hdr *)
+ 				skb_pull(skb, sizeof(struct ether_header) + LLC_SNAPFRAMELEN);
+- 			/* ignore invalid frames */
+-			if(ath_hdr == NULL)
++			eh_tmp = (struct ether_header *)
++				skb_pull(skb, roundup(sizeof(struct athl2p_tunnel_hdr) - 2, 4) + 2);
++			/* sanity check for malformed 802.3 length */
++			frame_len = ntohs(eh_tmp->ether_type);
++			if (skb->len < roundup(sizeof(struct ether_header) + frame_len, 4)) {
++				IEEE80211_DISCARD_MAC(vap, IEEE80211_MSG_INPUT,
++					ni->ni_macaddr, "data", "%s", "decap error");
++					vap->iv_stats.is_rx_decap++;
++				IEEE80211_NODE_STAT(ni, rx_decap);
+ 				goto err;
+-			
++			}
++
+ 			/* only implementing FF now. drop all others. */
+ 			if (ath_hdr->proto != ATH_L2TUNNEL_PROTO_FF) {
+ 				IEEE80211_DISCARD_MAC(vap,
+@@ -714,10 +732,6 @@
+ 			}
+ 			vap->iv_stats.is_rx_ffcnt++;
+ 			
+-			/* move past the tunneled header, with alignment */
+-			skb_pull(skb, roundup(sizeof(struct athl2p_tunnel_hdr) - 2, 4) + 2);
+-			eh_tmp = (struct ether_header *)skb->data;
+-			
+ 			/* ether_type must be length as FF frames are always LLC/SNAP encap'd */
+ 			frame_len = ntohs(eh_tmp->ether_type);
+ 

package/madwifi/patches/200-no_debug.patch

@@ -1,6 +1,6 @@
-diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcount-r2313-20070505.dev/ath/if_ath.c
---- madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c	2007-05-13 18:17:56.449987336 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/ath/if_ath.c	2007-05-13 18:17:56.457986120 +0200
+diff -ur madwifi.old/ath/if_ath.c madwifi.dev/ath/if_ath.c
+--- madwifi.old/ath/if_ath.c	2007-05-23 16:46:50.748935304 +0200
++++ madwifi.dev/ath/if_ath.c	2007-05-23 16:47:03.275031048 +0200
 @@ -75,7 +75,7 @@
  #include <net80211/if_llc.h>
  #endif
@@ -10,7 +10,7 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  
  #include "net80211/if_athproto.h"
  #include "if_athvar.h"
-@@ -359,7 +359,7 @@
+@@ -356,7 +356,7 @@
  		ath_keyprint(sc, __func__, ix, hk, mac);	\
  } while (0)
  #else /* defined(AR_DEBUG) */
@@ -19,9 +19,9 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath/if_ath.c madwifi-ng-refcoun
  #define	DPRINTF(sc, _m, _fmt, ...)
  #define	KEYPRINTF(sc, k, ix, mac)
  #endif /* defined(AR_DEBUG) */
-diff -urN madwifi-ng-refcount-r2313-20070505.old/ath_rate/amrr/amrr.c madwifi-ng-refcount-r2313-20070505.dev/ath_rate/amrr/amrr.c
---- madwifi-ng-refcount-r2313-20070505.old/ath_rate/amrr/amrr.c	2007-04-09 23:08:06.000000000 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/ath_rate/amrr/amrr.c	2007-05-13 18:17:56.457986120 +0200
+diff -ur madwifi.old/ath_rate/amrr/amrr.c madwifi.dev/ath_rate/amrr/amrr.c
+--- madwifi.old/ath_rate/amrr/amrr.c	2007-05-21 19:33:26.000000000 +0200
++++ madwifi.dev/ath_rate/amrr/amrr.c	2007-05-23 16:47:03.276030896 +0200
 @@ -69,7 +69,7 @@
  
  #include "amrr.h"
@@ -31,9 +31,9 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath_rate/amrr/amrr.c madwifi-ng
  #ifdef AMRR_DEBUG
  #define	DPRINTF(sc, _fmt, ...) do {					\
  	if (sc->sc_debug & 0x10)					\
-diff -urN madwifi-ng-refcount-r2313-20070505.old/ath_rate/minstrel/minstrel.c madwifi-ng-refcount-r2313-20070505.dev/ath_rate/minstrel/minstrel.c
---- madwifi-ng-refcount-r2313-20070505.old/ath_rate/minstrel/minstrel.c	2007-05-13 18:17:55.605115776 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/ath_rate/minstrel/minstrel.c	2007-05-13 18:17:56.458985968 +0200
+diff -ur madwifi.old/ath_rate/minstrel/minstrel.c madwifi.dev/ath_rate/minstrel/minstrel.c
+--- madwifi.old/ath_rate/minstrel/minstrel.c	2007-05-23 16:46:50.731937888 +0200
++++ madwifi.dev/ath_rate/minstrel/minstrel.c	2007-05-23 16:47:03.276030896 +0200
 @@ -116,7 +116,7 @@
  
  #include "minstrel.h"
@@ -43,9 +43,9 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath_rate/minstrel/minstrel.c ma
  #ifdef MINSTREL_DEBUG
  enum {
  	ATH_DEBUG_RATE		= 0x00000010	/* rate control */
-diff -urN madwifi-ng-refcount-r2313-20070505.old/ath_rate/onoe/onoe.c madwifi-ng-refcount-r2313-20070505.dev/ath_rate/onoe/onoe.c
---- madwifi-ng-refcount-r2313-20070505.old/ath_rate/onoe/onoe.c	2007-04-09 23:08:06.000000000 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/ath_rate/onoe/onoe.c	2007-05-13 18:17:56.458985968 +0200
+diff -ur madwifi.old/ath_rate/onoe/onoe.c madwifi.dev/ath_rate/onoe/onoe.c
+--- madwifi.old/ath_rate/onoe/onoe.c	2007-05-21 19:33:26.000000000 +0200
++++ madwifi.dev/ath_rate/onoe/onoe.c	2007-05-23 16:47:03.312025424 +0200
 @@ -65,7 +65,7 @@
  
  #include "onoe.h"
@@ -55,9 +55,9 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath_rate/onoe/onoe.c madwifi-ng
  #ifdef ONOE_DEBUG
  enum {
  	ATH_DEBUG_RATE	= 0x00000010,	/* rate control */
-diff -urN madwifi-ng-refcount-r2313-20070505.old/ath_rate/sample/sample.c madwifi-ng-refcount-r2313-20070505.dev/ath_rate/sample/sample.c
---- madwifi-ng-refcount-r2313-20070505.old/ath_rate/sample/sample.c	2007-04-09 23:08:06.000000000 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/ath_rate/sample/sample.c	2007-05-13 18:17:56.459985816 +0200
+diff -ur madwifi.old/ath_rate/sample/sample.c madwifi.dev/ath_rate/sample/sample.c
+--- madwifi.old/ath_rate/sample/sample.c	2007-05-21 19:33:26.000000000 +0200
++++ madwifi.dev/ath_rate/sample/sample.c	2007-05-23 16:47:03.346020256 +0200
 @@ -67,7 +67,7 @@
  
  #include "sample.h"
@@ -66,10 +66,10 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/ath_rate/sample/sample.c madwif
 +#undef	SAMPLE_DEBUG
  #ifdef SAMPLE_DEBUG
  enum {
- 	ATH_DEBUG_RATE		= 0x00000010	/* rate control */
-diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_proto.c madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_proto.c
---- madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_proto.c	2007-02-01 21:49:37.000000000 +0100
-+++ madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_proto.c	2007-05-13 18:17:56.460985664 +0200
+ 	ATH_DEBUG_NODE		= 0x00080000,	/* node management */
+diff -ur madwifi.old/net80211/ieee80211_proto.c madwifi.dev/net80211/ieee80211_proto.c
+--- madwifi.old/net80211/ieee80211_proto.c	2007-05-21 17:53:39.000000000 +0200
++++ madwifi.dev/net80211/ieee80211_proto.c	2007-05-23 16:47:03.347020104 +0200
 @@ -312,6 +312,7 @@
  }
  EXPORT_SYMBOL(ieee80211_print_essid);
@@ -86,9 +86,9 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_proto.c madw
  
  int
  ieee80211_fix_rate(struct ieee80211_node *ni, int flags)
-diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_proto.h madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_proto.h
---- madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_proto.h	2007-01-30 05:01:29.000000000 +0100
-+++ madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_proto.h	2007-05-13 18:17:56.460985664 +0200
+diff -ur madwifi.old/net80211/ieee80211_proto.h madwifi.dev/net80211/ieee80211_proto.h
+--- madwifi.old/net80211/ieee80211_proto.h	2007-01-30 05:01:29.000000000 +0100
++++ madwifi.dev/net80211/ieee80211_proto.h	2007-05-23 16:47:03.347020104 +0200
 @@ -247,7 +247,11 @@
  #endif
  int ieee80211_new_state(struct ieee80211vap *, enum ieee80211_state, int);
@@ -101,21 +101,23 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_proto.h madw
  struct sk_buff *ieee80211_getcfframe(struct ieee80211vap *, int);
  
  /*
-diff -urN madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_var.h madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_var.h
---- madwifi-ng-refcount-r2313-20070505.old/net80211/ieee80211_var.h	2007-05-13 18:17:56.107039472 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/net80211/ieee80211_var.h	2007-05-13 18:17:56.461985512 +0200
-@@ -37,7 +37,7 @@
- /*
-  * Definitions for IEEE 802.11 drivers.
-  */
+diff -ur madwifi.old/net80211/ieee80211_var.h madwifi.dev/net80211/ieee80211_var.h
+--- madwifi.old/net80211/ieee80211_var.h	2007-05-21 19:33:26.000000000 +0200
++++ madwifi.dev/net80211/ieee80211_var.h	2007-05-23 16:47:19.427575488 +0200
+@@ -35,8 +35,8 @@
+ #ifndef _NET80211_IEEE80211_VAR_H_
+ #define _NET80211_IEEE80211_VAR_H_
+ 
 -#define	IEEE80211_DEBUG
+-#define	IEEE80211_DEBUG_REFCNT			/* Node reference count debugging */
 +#undef	IEEE80211_DEBUG
- #undef	IEEE80211_DEBUG_REFCNT			/* node refcnt stuff */
++#undef	IEEE80211_DEBUG_REFCNT			/* Node reference count debugging */
  
+ /* Definitions for IEEE 802.11 drivers. */
  #include <net80211/ieee80211_linux.h>
-diff -urN madwifi-ng-refcount-r2313-20070505.old/tools/do_multi.c madwifi-ng-refcount-r2313-20070505.dev/tools/do_multi.c
---- madwifi-ng-refcount-r2313-20070505.old/tools/do_multi.c	2007-05-13 18:17:55.192178552 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/tools/do_multi.c	2007-05-13 18:17:56.461985512 +0200
+diff -ur madwifi.old/tools/do_multi.c madwifi.dev/tools/do_multi.c
+--- madwifi.old/tools/do_multi.c	2007-05-23 16:46:50.718939864 +0200
++++ madwifi.dev/tools/do_multi.c	2007-05-23 16:47:03.349019800 +0200
 @@ -9,16 +9,20 @@
  
      progname = basename(argv[0]);
@@ -137,9 +139,9 @@ diff -urN madwifi-ng-refcount-r2313-20070505.old/tools/do_multi.c madwifi-ng-ref
      if(strcmp(progname, "athkey") == 0)
  	ret =  athkey_init(argc, argv);
      if(strcmp(progname, "athstats") == 0)
-diff -urN madwifi-ng-refcount-r2313-20070505.old/tools/Makefile madwifi-ng-refcount-r2313-20070505.dev/tools/Makefile
---- madwifi-ng-refcount-r2313-20070505.old/tools/Makefile	2007-05-13 18:17:55.192178552 +0200
-+++ madwifi-ng-refcount-r2313-20070505.dev/tools/Makefile	2007-05-13 18:17:56.461985512 +0200
+diff -ur madwifi.old/tools/Makefile madwifi.dev/tools/Makefile
+--- madwifi.old/tools/Makefile	2007-05-23 16:46:50.719939712 +0200
++++ madwifi.dev/tools/Makefile	2007-05-23 16:47:03.349019800 +0200
 @@ -52,7 +52,7 @@
  	
  ifdef DOMULTI