if (TAILQ_NEXT(vap, iv_next) != NULL) {
                        skb1 = skb_copy(skb, GFP_ATOMIC);
                        if (skb1 == NULL) {
-@@ -950,8 +957,10 @@ ieee80211_input_all(struct ieee80211com 
+@@ -950,8 +957,12 @@ ieee80211_input_all(struct ieee80211com 
                        skb1 = skb;
                        skb = NULL;
                }
 -              type = ieee80211_input(vap, NULL, skb1, rssi, rtsf);
 +              type = ieee80211_input(vap, ni, skb1, rssi, rtsf);
++              if (ni)
++                      ieee80211_unref_node(&ni);
        }
 +
 +out:
        if (skb != NULL)                /* no vaps, reclaim skb */
                ieee80211_dev_kfree_skb(&skb);
        return type;
-@@ -1146,11 +1155,9 @@ ieee80211_deliver_data(struct ieee80211_
+@@ -1146,11 +1157,9 @@ ieee80211_deliver_data(struct ieee80211_
                         * sending it will not work; just let it be
                         * delivered normally.
                         */
                                        !ni1->ni_subif &&
                                    ni1 != vap->iv_bss) {
  
+@@ -3519,6 +3528,7 @@ ieee80211_recv_mgmt(struct ieee80211vap 
+                                (vap->iv_opmode == IEEE80211_M_WDS)) &&
+                               (scan.capinfo & IEEE80211_CAPINFO_ESS))) {
+                       struct ieee80211vap *avp = NULL;
++                      int do_unref = 0;
+                       int found = 0;
+ 
+                       IEEE80211_LOCK_IRQ(vap->iv_ic);
+@@ -3550,10 +3560,12 @@ ieee80211_recv_mgmt(struct ieee80211vap 
+                                       ni->ni_associd |= 0xc000;
+                                       avp->iv_wdsnode = ieee80211_ref_node(ni);
+                                       IEEE80211_UNLOCK_IRQ(ic);
+-                              } else if (vap->iv_opmode == IEEE80211_M_IBSS) {
++                              } else if ((vap->iv_opmode == IEEE80211_M_IBSS) &&
++                                         IEEE80211_ADDR_EQ(wh->i_addr3, vap->iv_bssid)) {
+                                       /* Create a new entry in the neighbor table. */
+                                       ni = ieee80211_add_neighbor(vap, wh, &scan);
+                               }
++                              do_unref = 1;
+                       } else {
+                               /*
+                                * Copy data from beacon to neighbor table.
+@@ -3592,6 +3604,8 @@ ieee80211_recv_mgmt(struct ieee80211vap 
+                               ni->ni_rssi = rssi;
+                               ni->ni_rtsf = rtsf;
+                               ni->ni_last_rx = jiffies;
++                              if (do_unref)
++                                      ieee80211_unref_node(&ni);
+                       }
+               }
+               break;
 --- a/ath/if_ath.c
 +++ b/ath/if_ath.c
 @@ -6589,9 +6589,8 @@ ath_recv_mgmt(struct ieee80211vap * vap,
                        ATH_RSSI_LPF(ATH_NODE(ni)->an_avgrssi, rs->rs_rssi);
                        type = ieee80211_input(ni->ni_vap, ni, skb, rs->rs_rssi, bf->bf_tsf);
                        ieee80211_unref_node(&ni);
-@@ -6981,24 +6998,35 @@ drop_micfail:
+@@ -6981,24 +6998,39 @@ drop_micfail:
                         * No key index or no entry, do a lookup and
                         * add the node to the mapping table if possible.
                         */
 -                              (const struct ieee80211_frame_min *)skb->data);
 +
 +lookup_slowpath:
-+                      vap = ieee80211_find_rxvap(ic, wh->i_addr1);
++                      if (IEEE80211_IS_MULTICAST(wh->i_addr1))
++                              vap = NULL;
++                      else
++                              vap = ieee80211_find_rxvap(ic, wh->i_addr1);
++
 +                      if (vap)
 +                              ni = ieee80211_find_rxnode(ic, vap, wh);
 +                      else
 
 --- a/net80211/ieee80211_input.c
 +++ b/net80211/ieee80211_input.c
-@@ -3611,6 +3611,8 @@ ieee80211_recv_mgmt(struct ieee80211vap 
+@@ -3618,6 +3618,8 @@ ieee80211_recv_mgmt(struct ieee80211vap 
                        vap->iv_stats.is_rx_mgtdiscard++;
                        return;
                }
 
 --- a/ath/if_ath.c
 +++ b/ath/if_ath.c
-@@ -13530,7 +13530,7 @@ cleanup_ath_buf(struct ath_softc *sc, st
+@@ -13534,7 +13534,7 @@ cleanup_ath_buf(struct ath_softc *sc, st
                                bus_unmap_single(
                                        sc->sc_bdev,
                                        bf->bf_skbaddrff[i], 
 
  
                skb = bf->bf_skb;
                if (skb == NULL) {
-@@ -7070,8 +7072,8 @@ rx_next:
+@@ -7074,8 +7076,8 @@ rx_next:
                if (sc->sc_isr & HAL_INT_RX) {
                        u_int64_t hw_tsf = ath_hal_gettsf64(ah);
                        sc->sc_isr &= ~HAL_INT_RX;
                local_irq_restore(flags);
 --- a/net80211/ieee80211_input.c
 +++ b/net80211/ieee80211_input.c
-@@ -1203,6 +1203,7 @@ ieee80211_deliver_data(struct ieee80211_
+@@ -1205,6 +1205,7 @@ ieee80211_deliver_data(struct ieee80211_
                }
        }
  
 
        /*
         * Check if the MAC has multi-rate retry support.
         * We do this by trying to setup a fake extended
-@@ -7564,7 +7572,7 @@ ath_txq_setup(struct ath_softc *sc, int 
+@@ -7568,7 +7576,7 @@ ath_txq_setup(struct ath_softc *sc, int 
        if (qtype == HAL_TX_QUEUE_UAPSD)
                qi.tqi_qflags = HAL_TXQ_TXDESCINT_ENABLE;
        else
 
                ieee80211_stop(vap->iv_dev);
 --- a/net80211/ieee80211_input.c
 +++ b/net80211/ieee80211_input.c
-@@ -2772,6 +2772,7 @@ static void
+@@ -2774,6 +2774,7 @@ static void
  ieee80211_doth_switch_channel(struct ieee80211vap *vap)
  {
        struct ieee80211com *ic = vap->iv_ic;
  
        IEEE80211_DPRINTF(vap, IEEE80211_MSG_DOTH,
                          "%s: Channel switch to %3d (%4d MHz) NOW!\n",
-@@ -2794,6 +2795,9 @@ ieee80211_doth_switch_channel(struct iee
+@@ -2796,6 +2797,9 @@ ieee80211_doth_switch_channel(struct iee
  
        ic->ic_curchan = ic->ic_bsschan = vap->iv_csa_chan;
        ic->ic_set_channel(ic);
 
        hdrlen = ieee80211_anyhdrsize(wh);
        pktlen = skb->len + IEEE80211_CRC_LEN;
  
-@@ -8390,7 +8389,7 @@ ath_tx_start(struct net_device *dev, str
+@@ -8394,7 +8393,7 @@ ath_tx_start(struct net_device *dev, str
                            pktlen,                     /* packet length */
                            hdrlen,                     /* header length */
                            atype,                      /* Atheros packet type */
                            txrate, try0,               /* series 0 rate/tries */
                            keyix,                      /* key cache index */
                            antenna,                    /* antenna mode */
-@@ -10383,59 +10382,16 @@ ath_get_clamped_maxtxpower(struct ath_so
+@@ -10387,59 +10386,16 @@ ath_get_clamped_maxtxpower(struct ath_so
  
  /* XXX: this function needs some locking to avoid being called 
   * twice/interrupted */
 
                        type = ieee80211_input(ni->ni_vap, ni, skb, rs->rs_rssi, bf->bf_tsf);
                        ieee80211_unref_node(&ni);
                } else {
-@@ -7020,15 +7026,22 @@ drop_micfail:
+@@ -7024,15 +7030,21 @@ lookup_slowpath:
+                       else
+                               vap = ieee80211_find_rxvap(ic, wh->i_addr1);
  
- lookup_slowpath:
-                       vap = ieee80211_find_rxvap(ic, wh->i_addr1);
 -                      if (vap)
 +                      if (vap) {
 +                              ath_wprobe_report_rx(vap, rs, skb);
 +                              TAILQ_FOREACH(vap, &ic->ic_vaps, iv_next) {
 +                                      ath_wprobe_report_rx(vap, rs, skb);
 +                              }
-+                              vap = NULL;
                                ni = NULL;
 +                      }
  
                                type = ieee80211_input(vap, ni, skb, rs->rs_rssi, bf->bf_tsf);
                                /*
                                 * If the station has a key cache slot assigned
-@@ -8608,6 +8621,7 @@ ath_tx_processq(struct ath_softc *sc, st
+@@ -8612,6 +8624,7 @@ ath_tx_processq(struct ath_softc *sc, st
                                sc->sc_stats.ast_tx_rssi = ts->ts_rssi;
                                ATH_RSSI_LPF(an->an_halstats.ns_avgtxrssi,
                                        ts->ts_rssi);
                                if (bf->bf_skb->priority == WME_AC_VO ||
                                    bf->bf_skb->priority == WME_AC_VI)
                                        ni->ni_ic->ic_wme.wme_hipri_traffic++;
-@@ -10107,6 +10121,7 @@ ath_newassoc(struct ieee80211_node *ni, 
+@@ -10111,6 +10124,7 @@ ath_newassoc(struct ieee80211_node *ni, 
        struct ath_softc *sc = ic->ic_dev->priv;
  
        sc->sc_rc->ops->newassoc(sc, ATH_NODE(ni), isnew);
 
 --- a/ath/if_ath.c
 +++ b/ath/if_ath.c
-@@ -13496,7 +13496,7 @@ cleanup_ath_buf(struct ath_softc *sc, st
+@@ -13499,7 +13499,7 @@ cleanup_ath_buf(struct ath_softc *sc, st
        if (bf == NULL) 
                return bf;
  
                bus_unmap_single(
                        sc->sc_bdev,
                        bf->bf_skbaddr, 
-@@ -13504,8 +13504,6 @@ cleanup_ath_buf(struct ath_softc *sc, st
+@@ -13507,8 +13507,6 @@ cleanup_ath_buf(struct ath_softc *sc, st
                                sc->sc_rxbufsize : bf->bf_skb->len),
                        direction);
                bf->bf_skbaddr = 0;
 
        if (sc->sc_defant != antenna)
                sc->sc_stats.ast_ant_defswitch++;
        sc->sc_defant = antenna;
-@@ -11157,7 +11130,7 @@ ATH_SYSCTL_DECL(ath_sysctl_halparam, ctl
+@@ -11160,7 +11133,7 @@ ATH_SYSCTL_DECL(ath_sysctl_halparam, ctl
                                        break;
                                }
                                sc->sc_diversity = val;
 
  
        if (bfaddr != 0) {
                /*
-@@ -7799,12 +7815,14 @@ ath_get_ivlen(struct ieee80211_key *k)
+@@ -7802,12 +7818,14 @@ ath_get_ivlen(struct ieee80211_key *k)
   * Get transmit rate index using rate in Kbps
   */
  static __inline int
                        ndx = i;
                        break;
                }
-@@ -8097,7 +8115,7 @@ ath_tx_start(struct net_device *dev, str
+@@ -8100,7 +8118,7 @@ ath_tx_start(struct net_device *dev, str
                atype = HAL_PKT_TYPE_NORMAL;            /* default */
  
                if (ismcast) {
                        txrate = rt->info[rix].rateCode;
                        if (shortPreamble)
                                txrate |= rt->info[rix].shortPreamble;
-@@ -9064,7 +9082,7 @@ ath_chan_change(struct ath_softc *sc, st
+@@ -9067,7 +9085,7 @@ ath_chan_change(struct ath_softc *sc, st
        struct net_device *dev = sc->sc_dev;
        enum ieee80211_phymode mode;
  
  
        ath_rate_setup(dev, mode);
        ath_setcurmode(sc, mode);
-@@ -10121,8 +10139,7 @@ ath_newassoc(struct ieee80211_node *ni, 
+@@ -10124,8 +10142,7 @@ ath_newassoc(struct ieee80211_node *ni, 
  }
  
  static int
  {
        struct ath_softc *sc = dev->priv;
        struct ieee80211com *ic = &sc->sc_ic;
-@@ -10136,17 +10153,31 @@ ath_getchannels(struct net_device *dev, 
+@@ -10139,17 +10156,31 @@ ath_getchannels(struct net_device *dev, 
                EPRINTF(sc, "Insufficient memory for channel table!\n");
                return -ENOMEM;
        }
        /*
         * Convert HAL channels to ieee80211 ones.
         */
-@@ -10392,7 +10423,7 @@ ath_xr_rate_setup(struct net_device *dev
+@@ -10395,7 +10426,7 @@ ath_xr_rate_setup(struct net_device *dev
        struct ieee80211com *ic = &sc->sc_ic;
        const HAL_RATE_TABLE *rt;
        struct ieee80211_rateset *rs;
        sc->sc_xr_rates = ath_hal_getratetable(ah, HAL_MODE_XR);
        rt = sc->sc_xr_rates;
        if (rt == NULL)
-@@ -10405,57 +10436,16 @@ ath_xr_rate_setup(struct net_device *dev
+@@ -10408,57 +10439,16 @@ ath_xr_rate_setup(struct net_device *dev
        } else
                maxrates = rt->rateCount;
        rs = &ic->ic_sup_xr_rates;
  static int
  ath_rate_setup(struct net_device *dev, u_int mode)
  {
-@@ -10464,7 +10454,7 @@ ath_rate_setup(struct net_device *dev, u
+@@ -10467,7 +10457,7 @@ ath_rate_setup(struct net_device *dev, u
        struct ieee80211com *ic = &sc->sc_ic;
        const HAL_RATE_TABLE *rt;
        struct ieee80211_rateset *rs;
  
        switch (mode) {
        case IEEE80211_MODE_11A:
-@@ -10482,6 +10472,12 @@ ath_rate_setup(struct net_device *dev, u
+@@ -10485,6 +10475,12 @@ ath_rate_setup(struct net_device *dev, u
        case IEEE80211_MODE_TURBO_G:
                sc->sc_rates[mode] = ath_hal_getratetable(ah, HAL_MODE_108G);
                break;
        default:
                DPRINTF(sc, ATH_DEBUG_ANY, "Invalid mode %u\n", mode);
                return 0;
-@@ -10496,10 +10492,16 @@ ath_rate_setup(struct net_device *dev, u
+@@ -10499,10 +10495,16 @@ ath_rate_setup(struct net_device *dev, u
                maxrates = IEEE80211_RATE_MAXSIZE;
        } else
                maxrates = rt->rateCount;
        return 1;
  }
  
-@@ -10528,13 +10530,18 @@ ath_setcurmode(struct ath_softc *sc, enu
+@@ -10531,13 +10533,18 @@ ath_setcurmode(struct ath_softc *sc, enu
                {   0, 500, 130 },
        };
        const HAL_RATE_TABLE *rt;
        memset(sc->sc_hwmap, 0, sizeof(sc->sc_hwmap));
        for (i = 0; i < 32; i++) {
                u_int8_t ix = rt->rateCodeToIndex[i];
-@@ -10544,7 +10551,7 @@ ath_setcurmode(struct ath_softc *sc, enu
+@@ -10547,7 +10554,7 @@ ath_setcurmode(struct ath_softc *sc, enu
                        continue;
                }
                sc->sc_hwmap[i].ieeerate =
                if (rt->info[ix].shortPreamble ||
                    rt->info[ix].phy == IEEE80211_T_OFDM)
                        sc->sc_hwmap[i].flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
-@@ -10945,9 +10952,106 @@ enum {
+@@ -10948,9 +10955,106 @@ enum {
        ATH_MAXVAPS             = 26,
        ATH_INTMIT                      = 27,
        ATH_NOISE_IMMUNITY      = 28,
  static int
  ath_sysctl_set_intmit(struct ath_softc *sc, long ctl, u_int val)
  {
-@@ -11026,6 +11130,7 @@ static int
+@@ -11029,6 +11133,7 @@ static int
  ATH_SYSCTL_DECL(ath_sysctl_halparam, ctl, write, filp, buffer, lenp, ppos)
  {
        struct ath_softc *sc = ctl->extra1;
        struct ath_hal *ah = sc->sc_ah;
        u_int val;
        u_int tab_3_val[3];
-@@ -11049,25 +11154,34 @@ ATH_SYSCTL_DECL(ath_sysctl_halparam, ctl
+@@ -11052,25 +11157,34 @@ ATH_SYSCTL_DECL(ath_sysctl_halparam, ctl
                                lenp, ppos);
                if (ret == 0) {
                        switch ((long)ctl->extra2) {
                                break;
                        case ATH_SOFTLED:
                                if (val != sc->sc_softled) {
-@@ -11220,6 +11334,9 @@ ATH_SYSCTL_DECL(ath_sysctl_halparam, ctl
+@@ -11223,6 +11337,9 @@ ATH_SYSCTL_DECL(ath_sysctl_halparam, ctl
                }
        } else {
                switch ((long)ctl->extra2) {
                case ATH_SLOTTIME:
                        val = ath_hal_getslottime(ah);
                        break;
-@@ -11238,6 +11355,9 @@ ATH_SYSCTL_DECL(ath_sysctl_halparam, ctl
+@@ -11241,6 +11358,9 @@ ATH_SYSCTL_DECL(ath_sysctl_halparam, ctl
                case ATH_COUNTRYCODE:
                        ath_hal_getcountrycode(ah, &val);
                        break;
                case ATH_MAXVAPS:
                        val = ath_maxvaps;
                        break;
-@@ -11351,11 +11471,17 @@ static const ctl_table ath_sysctl_templa
+@@ -11354,11 +11474,17 @@ static const ctl_table ath_sysctl_templa
        },
        { .ctl_name     = CTL_AUTO,
          .procname     = "countrycode",
          .procname     = "maxvaps",
          .mode         = 0444,
          .proc_handler = ath_sysctl_halparam,
-@@ -11363,7 +11489,7 @@ static const ctl_table ath_sysctl_templa
+@@ -11366,7 +11492,7 @@ static const ctl_table ath_sysctl_templa
        },
        { .ctl_name     = CTL_AUTO,
          .procname     = "regdomain",
          .proc_handler = ath_sysctl_halparam,
          .extra2       = (void *)ATH_REGDOMAIN,
        },
-@@ -11426,6 +11552,12 @@ static const ctl_table ath_sysctl_templa
+@@ -11429,6 +11555,12 @@ static const ctl_table ath_sysctl_templa
          .extra2       = (void *)ATH_ACKRATE,
        },
        { .ctl_name     = CTL_AUTO,
          .procname     = "rp",
          .mode         = 0200,
          .proc_handler = ath_sysctl_halparam,
-@@ -11666,13 +11798,6 @@ static ctl_table ath_static_sysctls[] = 
+@@ -11669,13 +11801,6 @@ static ctl_table ath_static_sysctls[] = 
        },
  #endif
        { .ctl_name     = CTL_AUTO,
          .procname     = "maxvaps",
          .mode         = 0444,
          .data         = &ath_maxvaps,
-@@ -11680,13 +11805,6 @@ static ctl_table ath_static_sysctls[] = 
+@@ -11683,13 +11808,6 @@ static ctl_table ath_static_sysctls[] = 
          .proc_handler = proc_dointvec
        },
        { .ctl_name     = CTL_AUTO,
 
  
        if (bfaddr != 0) {
                /*
-@@ -9430,7 +9468,8 @@ ath_set_coverageclass(struct ieee80211co
+@@ -9433,7 +9471,8 @@ ath_set_coverageclass(struct ieee80211co
  {
        struct ath_softc *sc = ic->ic_dev->priv;
  
  
        return;
  }
-@@ -10953,6 +10992,7 @@ enum {
+@@ -10956,6 +10995,7 @@ enum {
        ATH_OFDM_WEAK_DET       = 29,
        ATH_CHANBW              = 30,
        ATH_OUTDOOR             = 31,
  };
  
  /*
-@@ -11165,21 +11205,31 @@ ATH_SYSCTL_DECL(ath_sysctl_halparam, ctl
+@@ -11168,21 +11208,31 @@ ATH_SYSCTL_DECL(ath_sysctl_halparam, ctl
                                        sc->sc_slottimeconf = val;
                                else
                                        sc->sc_slottimeconf = 0;
                                break;
                        case ATH_SOFTLED:
                                if (val != sc->sc_softled) {
-@@ -11335,6 +11385,9 @@ ATH_SYSCTL_DECL(ath_sysctl_halparam, ctl
+@@ -11338,6 +11388,9 @@ ATH_SYSCTL_DECL(ath_sysctl_halparam, ctl
                case ATH_CHANBW:
                        val = sc->sc_chanbw ?: 20;
                        break;
                case ATH_SLOTTIME:
                        val = ath_hal_getslottime(ah);
                        break;
-@@ -11456,6 +11509,12 @@ static const ctl_table ath_sysctl_templa
+@@ -11459,6 +11512,12 @@ static const ctl_table ath_sysctl_templa
          .extra2       = (void *)ATH_CTSTIMEOUT,
        },
        { .ctl_name     = CTL_AUTO,
 
  struct ath_ratectrl {
 --- a/ath/if_ath.c
 +++ b/ath/if_ath.c
-@@ -8635,6 +8635,8 @@ ath_tx_processq(struct ath_softc *sc, st
+@@ -8638,6 +8638,8 @@ ath_tx_processq(struct ath_softc *sc, st
  
                ni = bf->bf_node;
                if (ni != NULL) {
                        an = ATH_NODE(ni);
                        if (ts->ts_status == 0) {
                                u_int8_t txant = ts->ts_antenna;
-@@ -8687,15 +8689,43 @@ ath_tx_processq(struct ath_softc *sc, st
+@@ -8690,15 +8692,43 @@ ath_tx_processq(struct ath_softc *sc, st
                        lr = ts->ts_longretry;
                        sc->sc_stats.ast_tx_shortretry += sr;
                        sc->sc_stats.ast_tx_longretry += lr;
 
        int rx_limit = min(dev->quota, *budget);
  #endif
        struct ath_buf *bf;
-@@ -7302,7 +7302,7 @@ static void ath_grppoll_start(struct iee
+@@ -7305,7 +7305,7 @@ static void ath_grppoll_start(struct iee
        struct sk_buff *skb = NULL;
        struct ath_buf *bf, *head = NULL;
        struct ieee80211com *ic = vap->iv_ic;
        struct ath_hal *ah = sc->sc_ah;
        u_int8_t rate;
        unsigned int ctsrate = 0, ctsduration = 0;
-@@ -7520,7 +7520,7 @@ static void ath_grppoll_start(struct iee
+@@ -7523,7 +7523,7 @@ static void ath_grppoll_start(struct iee
  static void ath_grppoll_stop(struct ieee80211vap *vap)
  {
        struct ieee80211com *ic = vap->iv_ic;
        struct ath_hal *ah = sc->sc_ah;
        struct ath_txq *txq = &sc->sc_grpplq;
        struct ath_buf *bf;
-@@ -7732,7 +7732,7 @@ ath_txq_update(struct ath_softc *sc, str
+@@ -7735,7 +7735,7 @@ ath_txq_update(struct ath_softc *sc, str
  static int
  ath_wme_update(struct ieee80211com *ic)
  {
  
        if (sc->sc_uapsdq)
                ath_txq_update(sc, sc->sc_uapsdq, WME_AC_VO);
-@@ -7751,7 +7751,7 @@ ath_uapsd_flush(struct ieee80211_node *n
+@@ -7754,7 +7754,7 @@ ath_uapsd_flush(struct ieee80211_node *n
  {
        struct ath_node *an = ATH_NODE(ni);
        struct ath_buf *bf;
        struct ath_txq *txq;
  
        ATH_NODE_UAPSD_LOCK_IRQ(an);
-@@ -7942,7 +7942,7 @@ ath_tx_start(struct net_device *dev, str
+@@ -7945,7 +7945,7 @@ ath_tx_start(struct net_device *dev, str
                struct ath_buf *bf, struct sk_buff *skb, int nextfraglen)
  {
  #define       MIN(a,b)        ((a) < (b) ? (a) : (b))
        struct ieee80211com *ic = ni->ni_ic;
        struct ieee80211vap *vap = ni->ni_vap;
        struct ath_hal *ah = sc->sc_ah;
-@@ -8851,7 +8851,7 @@ static void
+@@ -8854,7 +8854,7 @@ static void
  ath_tx_tasklet_q0(TQUEUE_ARG data)
  {
        struct net_device *dev = (struct net_device *)data;
        unsigned long flags;
  
  process_tx_again:
-@@ -8882,7 +8882,7 @@ static void
+@@ -8885,7 +8885,7 @@ static void
  ath_tx_tasklet_q0123(TQUEUE_ARG data)
  {
        struct net_device *dev = (struct net_device *)data;
        unsigned long flags;
  
  process_tx_again:
-@@ -8927,7 +8927,7 @@ static void
+@@ -8930,7 +8930,7 @@ static void
  ath_tx_tasklet(TQUEUE_ARG data)
  {
        struct net_device *dev = (struct net_device *)data;
        unsigned int i;
        unsigned long flags;
  
-@@ -8955,7 +8955,7 @@ process_tx_again:
+@@ -8958,7 +8958,7 @@ process_tx_again:
  static void
  ath_tx_timeout(struct net_device *dev)
  {
  
        if (ath_chan_unavail(sc))
                return;
-@@ -9363,7 +9363,7 @@ static void
+@@ -9366,7 +9366,7 @@ static void
  ath_calibrate(unsigned long arg)
  {
        struct net_device *dev = (struct net_device *)arg;
        struct ath_hal *ah = sc->sc_ah;
        struct ieee80211com *ic = &sc->sc_ic;
        /* u_int32_t nchans; */
-@@ -9438,7 +9438,7 @@ static void
+@@ -9441,7 +9441,7 @@ static void
  ath_scan_start(struct ieee80211com *ic)
  {
        struct net_device *dev = ic->ic_dev;
        struct ath_hal *ah = sc->sc_ah;
        u_int32_t rfilt;
  
-@@ -9458,7 +9458,7 @@ static void
+@@ -9461,7 +9461,7 @@ static void
  ath_scan_end(struct ieee80211com *ic)
  {
        struct net_device *dev = ic->ic_dev;
        struct ath_hal *ah = sc->sc_ah;
        u_int32_t rfilt;
  
-@@ -9476,7 +9476,7 @@ static void
+@@ -9479,7 +9479,7 @@ static void
  ath_set_channel(struct ieee80211com *ic)
  {
        struct net_device *dev = ic->ic_dev;
  
        (void) ath_chan_set(sc, ic->ic_curchan);
        ic->ic_channoise = ath_hal_get_channel_noise(sc->sc_ah, &(sc->sc_curchan));
-@@ -9493,7 +9493,7 @@ ath_set_channel(struct ieee80211com *ic)
+@@ -9496,7 +9496,7 @@ ath_set_channel(struct ieee80211com *ic)
  static void
  ath_set_coverageclass(struct ieee80211com *ic)
  {
  
        sc->sc_coverage = ic->ic_coverageclass * 3;
        ath_set_timing(sc);
-@@ -9504,7 +9504,7 @@ ath_set_coverageclass(struct ieee80211co
+@@ -9507,7 +9507,7 @@ ath_set_coverageclass(struct ieee80211co
  static u_int
  ath_mhz2ieee(struct ieee80211com *ic, u_int freq, u_int flags)
  {
  
        return (ath_hal_mhz2ieee(sc->sc_ah, freq, flags));
  }
-@@ -9519,7 +9519,7 @@ ath_newstate(struct ieee80211vap *vap, e
+@@ -9522,7 +9522,7 @@ ath_newstate(struct ieee80211vap *vap, e
        struct ath_vap *avp = ATH_VAP(vap);
        struct ieee80211com *ic = vap->iv_ic;
        struct net_device *dev = ic->ic_dev;
        struct ath_hal *ah = sc->sc_ah;
        struct ieee80211_node *ni, *wds_ni;
        unsigned int i;
-@@ -9959,7 +9959,7 @@ ath_setup_comp(struct ieee80211_node *ni
+@@ -9962,7 +9962,7 @@ ath_setup_comp(struct ieee80211_node *ni
  {
  #define       IEEE80211_KEY_XR        (IEEE80211_KEY_XMIT | IEEE80211_KEY_RECV)
        struct ieee80211vap *vap = ni->ni_vap;
        struct ath_node *an = ATH_NODE(ni);
        ieee80211_keyix_t keyix;
  
-@@ -10013,7 +10013,7 @@ static void
+@@ -10016,7 +10016,7 @@ static void
  ath_setup_stationkey(struct ieee80211_node *ni)
  {
        struct ieee80211vap *vap = ni->ni_vap;
        ieee80211_keyix_t keyix;
  
        keyix = ath_key_alloc(vap, &ni->ni_ucastkey);
-@@ -10174,7 +10174,7 @@ ath_newassoc(struct ieee80211_node *ni, 
+@@ -10177,7 +10177,7 @@ ath_newassoc(struct ieee80211_node *ni, 
  {
        struct ieee80211com *ic = ni->ni_ic;
        struct ieee80211vap *vap = ni->ni_vap;
  
        sc->sc_rc->ops->newassoc(sc, ATH_NODE(ni), isnew);
        ath_wprobe_node_join(ni->ni_vap, ni);
-@@ -10205,7 +10205,7 @@ ath_newassoc(struct ieee80211_node *ni, 
+@@ -10208,7 +10208,7 @@ ath_newassoc(struct ieee80211_node *ni, 
  static int
  ath_getchannels(struct net_device *dev)
  {
        struct ieee80211com *ic = &sc->sc_ic;
        struct ath_hal *ah = sc->sc_ah;
        HAL_CHANNEL *chans;
-@@ -10482,7 +10482,7 @@ ath_update_txpow(struct ath_softc *sc)
+@@ -10485,7 +10485,7 @@ ath_update_txpow(struct ath_softc *sc)
  static int
  ath_xr_rate_setup(struct net_device *dev)
  {
        struct ath_hal *ah = sc->sc_ah;
        struct ieee80211com *ic = &sc->sc_ic;
        const HAL_RATE_TABLE *rt;
-@@ -10513,7 +10513,7 @@ ath_xr_rate_setup(struct net_device *dev
+@@ -10516,7 +10516,7 @@ ath_xr_rate_setup(struct net_device *dev
  static int
  ath_rate_setup(struct net_device *dev, u_int mode)
  {
        struct ath_hal *ah = sc->sc_ah;
        struct ieee80211com *ic = &sc->sc_ic;
        const HAL_RATE_TABLE *rt;
-@@ -10760,7 +10760,7 @@ ath_printtxbuf(const struct ath_buf *bf,
+@@ -10763,7 +10763,7 @@ ath_printtxbuf(const struct ath_buf *bf,
  {
        const struct ath_tx_status *ts = &bf->bf_dsstatus.ds_txstat;
        const struct ath_desc *ds = bf->bf_desc;
        u_int8_t status = done ? ts->ts_status : 0;
  
        DPRINTF(sc, ATH_DEBUG_ANY, 
-@@ -10787,7 +10787,7 @@ ath_printtxbuf(const struct ath_buf *bf,
+@@ -10790,7 +10790,7 @@ ath_printtxbuf(const struct ath_buf *bf,
  static struct net_device_stats *
  ath_getstats(struct net_device *dev)
  {
        struct net_device_stats *stats = &sc->sc_devstats;
  
        /* update according to private statistics */
-@@ -10810,7 +10810,7 @@ ath_getstats(struct net_device *dev)
+@@ -10813,7 +10813,7 @@ ath_getstats(struct net_device *dev)
  static int
  ath_set_mac_address(struct net_device *dev, void *addr)
  {
        struct ieee80211com *ic = &sc->sc_ic;
        struct ath_hal *ah = sc->sc_ah;
        struct sockaddr *mac = addr;
-@@ -10839,7 +10839,7 @@ ath_set_mac_address(struct net_device *d
+@@ -10842,7 +10842,7 @@ ath_set_mac_address(struct net_device *d
  static int
  ath_change_mtu(struct net_device *dev, int mtu)
  {
        int error = 0;
  
        if (!(ATH_MIN_MTU < mtu && mtu <= ATH_MAX_MTU)) {
-@@ -10926,7 +10926,7 @@ bad:
+@@ -10929,7 +10929,7 @@ bad:
  static int
  ath_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
  {
        struct ieee80211com *ic = &sc->sc_ic;
        int error;
  
-@@ -11807,7 +11807,7 @@ static void
+@@ -11810,7 +11810,7 @@ static void
  ath_announce(struct net_device *dev)
  {
  #define       HAL_MODE_DUALBAND       (HAL_MODE_11A|HAL_MODE_11B)
        struct ath_hal *ah = sc->sc_ah;
        u_int modes, cc;
        static const int MLEN = 1024;
-@@ -11994,7 +11994,7 @@ static void
+@@ -11997,7 +11997,7 @@ static void
  txcont_configure_radio(struct ieee80211com *ic)
  {
        struct net_device           *dev = ic->ic_dev;
        struct ath_hal              *ah = sc->sc_ah;
        struct ieee80211_wme_state  *wme = &ic->ic_wme;
        struct ieee80211vap         *vap = TAILQ_FIRST(&ic->ic_vaps);
-@@ -12268,7 +12268,7 @@ static void
+@@ -12271,7 +12271,7 @@ static void
  txcont_queue_packet(struct ieee80211com *ic, struct ath_txq* txq)
  {
        struct net_device *dev             = ic->ic_dev;
        struct ath_hal *ah                 = sc->sc_ah;
        struct ath_buf *bf                 = NULL;
        struct sk_buff *skb                = NULL;
-@@ -12401,7 +12401,7 @@ static void
+@@ -12404,7 +12404,7 @@ static void
  txcont_on(struct ieee80211com *ic)
  {
        struct net_device *dev = ic->ic_dev;
  
        if (IFF_RUNNING != (ic->ic_dev->flags & IFF_RUNNING)) {
                EPRINTF(sc, "Cannot enable txcont when"
-@@ -12422,7 +12422,7 @@ static void
+@@ -12425,7 +12425,7 @@ static void
  txcont_off(struct ieee80211com *ic)
  {
        struct net_device *dev = ic->ic_dev;
  
        if (TAILQ_FIRST(&ic->ic_vaps)->iv_opmode != IEEE80211_M_WDS)
                sc->sc_beacons = 1;
-@@ -12436,7 +12436,7 @@ static int
+@@ -12439,7 +12439,7 @@ static int
  ath_get_dfs_testmode(struct ieee80211com *ic)
  {
        struct net_device *dev = ic->ic_dev;
        return sc->sc_dfs_testmode;
  }
  
-@@ -12463,7 +12463,7 @@ static void
+@@ -12466,7 +12466,7 @@ static void
  ath_set_dfs_testmode(struct ieee80211com *ic, int value)
  {
        struct net_device *dev = ic->ic_dev;
        sc->sc_dfs_testmode = !!value;
  }
  
-@@ -12473,7 +12473,7 @@ static int
+@@ -12476,7 +12476,7 @@ static int
  ath_get_txcont(struct ieee80211com *ic)
  {
        struct net_device *dev = ic->ic_dev;
        return sc->sc_txcont;
  }
  
-@@ -12491,7 +12491,7 @@ static void
+@@ -12494,7 +12494,7 @@ static void
  ath_set_txcont_power(struct ieee80211com *ic, unsigned int txpower)
  {
        struct net_device *dev = ic->ic_dev;
        int new_txcont_power = txpower > IEEE80211_TXPOWER_MAX ? 
                IEEE80211_TXPOWER_MAX : txpower;
        if (sc->sc_txcont_power != new_txcont_power) {
-@@ -12509,7 +12509,7 @@ static int
+@@ -12512,7 +12512,7 @@ static int
  ath_get_txcont_power(struct ieee80211com *ic)
  {
        struct net_device *dev = ic->ic_dev;
        /* VERY conservative default */
        return sc->sc_txcont_power ? sc->sc_txcont_power : 0;
  }
-@@ -12519,7 +12519,7 @@ ath_get_txcont_power(struct ieee80211com
+@@ -12522,7 +12522,7 @@ ath_get_txcont_power(struct ieee80211com
  ath_set_txcont_rate(struct ieee80211com *ic, unsigned int new_rate)
  {
        struct net_device *dev = ic->ic_dev;
        if (sc->sc_txcont_rate != new_rate) {
                /*  NOTE: This value is sanity checked and dropped down to 
                 *  closest rate in txcont_on. */
-@@ -12536,7 +12536,7 @@ ath_set_txcont_rate(struct ieee80211com 
+@@ -12539,7 +12539,7 @@ ath_set_txcont_rate(struct ieee80211com 
  ath_get_txcont_rate(struct ieee80211com *ic)
  {
        struct net_device *dev = ic->ic_dev;
        return sc->sc_txcont_rate ? sc->sc_txcont_rate : 0;
  }
  
-@@ -12546,7 +12546,7 @@ static void
+@@ -12549,7 +12549,7 @@ static void
  ath_set_dfs_cac_time(struct ieee80211com *ic, unsigned int time_s)
  {
        struct net_device *dev = ic->ic_dev;
        sc->sc_dfs_cac_period = time_s;
  }
  
-@@ -12556,7 +12556,7 @@ static unsigned int
+@@ -12559,7 +12559,7 @@ static unsigned int
  ath_get_dfs_cac_time(struct ieee80211com *ic)
  {
        struct net_device *dev = ic->ic_dev;
        return sc->sc_dfs_cac_period;
  }
  
-@@ -12576,7 +12576,7 @@ static void
+@@ -12579,7 +12579,7 @@ static void
  ath_set_dfs_excl_period(struct ieee80211com *ic, unsigned int time_s)
  {
        struct net_device *dev = ic->ic_dev;
        sc->sc_dfs_excl_period = time_s;
  }
  
-@@ -12585,7 +12585,7 @@ static unsigned int
+@@ -12588,7 +12588,7 @@ static unsigned int
  ath_get_dfs_excl_period(struct ieee80211com *ic)
  {
        struct net_device *dev = ic->ic_dev;
        return sc->sc_dfs_excl_period;
  }
  
-@@ -12597,7 +12597,7 @@ static unsigned int
+@@ -12600,7 +12600,7 @@ static unsigned int
  ath_test_radar(struct ieee80211com *ic)
  {
        struct net_device *dev = ic->ic_dev;
        if ((ic->ic_flags & IEEE80211_F_DOTH) && (sc->sc_curchan.privFlags & CHANNEL_DFS))
                ath_radar_detected(sc, "ath_test_radar from user space");
        else
-@@ -12613,7 +12613,7 @@ static unsigned int
+@@ -12616,7 +12616,7 @@ static unsigned int
  ath_dump_hal_map(struct ieee80211com *ic)
  {
        struct net_device *dev = ic->ic_dev;
        ath_hal_dump_map(sc->sc_ah);
        return 0;
  }
-@@ -12721,7 +12721,7 @@ ath_rcv_dev_event(struct notifier_block 
+@@ -12724,7 +12724,7 @@ ath_rcv_dev_event(struct notifier_block 
        void *ptr)
  {
        struct net_device *dev = (struct net_device *)ptr;
  
        if (!dev || !sc || dev->open != &ath_init)
                return 0;
-@@ -13456,7 +13456,7 @@ static unsigned int
+@@ -13459,7 +13459,7 @@ static unsigned int
  ath_read_register(struct ieee80211com *ic, unsigned int address, 
                unsigned int* value)
  {
        if (address >= MAX_REGISTER_ADDRESS) {
                IPRINTF(sc, "Illegal Atheros register access "
                                "attempted: 0x%04x >= 0x%04x\n",
-@@ -13486,7 +13486,7 @@ static unsigned int
+@@ -13489,7 +13489,7 @@ static unsigned int
  ath_write_register(struct ieee80211com *ic, unsigned int address, 
                unsigned int value)
  {
        if (address >= MAX_REGISTER_ADDRESS) {
                IPRINTF(sc, "Illegal Atheros register access "
                                "attempted: 0x%04x >= 0x%04x\n",
-@@ -13514,7 +13514,7 @@ static void
+@@ -13517,7 +13517,7 @@ static void
  ath_registers_dump(struct ieee80211com *ic)
  {
        struct net_device *dev = ic->ic_dev;
        ath_ar5212_registers_dump(sc);
  }
  #endif /* #ifdef ATH_REVERSE_ENGINEERING */
-@@ -13526,7 +13526,7 @@ static void
+@@ -13529,7 +13529,7 @@ static void
  ath_registers_mark(struct ieee80211com *ic)
  {
        struct net_device *dev = ic->ic_dev;
        ath_ar5212_registers_mark(sc);
  }
  #endif /* #ifdef ATH_REVERSE_ENGINEERING */
-@@ -13538,7 +13538,7 @@ static void
+@@ -13541,7 +13541,7 @@ static void
  ath_registers_dump_delta(struct ieee80211com *ic)
  {
        struct net_device *dev = ic->ic_dev;
 
                                __netif_rx_schedule(dev, &sc->sc_napi);
  #else
                                __netif_rx_schedule(dev);
-@@ -7132,7 +7136,9 @@ rx_next:
+@@ -7135,7 +7139,9 @@ rx_next:
                local_irq_restore(flags);
        }
  
 
        unregister_netdev(dev);
        return 0;
  }
-@@ -12729,8 +12746,13 @@ ath_rcv_dev_event(struct notifier_block 
+@@ -12732,8 +12749,13 @@ ath_rcv_dev_event(struct notifier_block 
        struct net_device *dev = (struct net_device *)ptr;
        struct ath_softc *sc = (struct ath_softc *)netdev_priv(dev);
  
  #endif
 --- a/net80211/ieee80211_input.c
 +++ b/net80211/ieee80211_input.c
-@@ -1185,7 +1185,11 @@ ieee80211_deliver_data(struct ieee80211_
+@@ -1187,7 +1187,11 @@ ieee80211_deliver_data(struct ieee80211_
                        skb1->protocol = __constant_htons(ETH_P_802_2);
                        /* XXX insert vlan tag before queue it? */
                        ni_tmp = SKB_CB(skb1)->ni; /* remember node so we can free it */
 
 --- a/ath/if_ath.c
 +++ b/ath/if_ath.c
-@@ -11018,38 +11018,38 @@ enum {
+@@ -11021,38 +11021,38 @@ enum {
   * mirrored in /proc/sys.
   */
  enum {
 
 --- a/ath/if_ath.c
 +++ b/ath/if_ath.c
-@@ -10473,11 +10473,11 @@ set_node_txpower(void *arg, struct ieee8
+@@ -10476,11 +10476,11 @@ set_node_txpower(void *arg, struct ieee8
   * XXX: this function needs some locking to avoid being called 
   * twice/interrupted. Returns the value actually stored. */
  static u_int32_t
        return ath_get_clamped_maxtxpower(sc);
  }
  
-@@ -11028,6 +11028,7 @@ enum {
+@@ -11031,6 +11031,7 @@ enum {
        ATH_DEBUG,
        ATH_TXANTENNA,
        ATH_RXANTENNA,
        ATH_DIVERSITY,
        ATH_TXINTRPERIOD,
        ATH_FFTXQMIN,
-@@ -11308,6 +11309,9 @@ ATH_SYSCTL_DECL(ath_sysctl_halparam, ctl
+@@ -11311,6 +11312,9 @@ ATH_SYSCTL_DECL(ath_sysctl_halparam, ctl
                                ath_debug_global = (val &  ATH_DEBUG_GLOBAL);
  #endif
                                break;
                        case ATH_TXANTENNA:
                                /*
                                 * antenna can be:
-@@ -11475,6 +11479,9 @@ ATH_SYSCTL_DECL(ath_sysctl_halparam, ctl
+@@ -11478,6 +11482,9 @@ ATH_SYSCTL_DECL(ath_sysctl_halparam, ctl
                case ATH_DEBUG:
                        val = sc->sc_debug | ath_debug_global;
                        break;
                case ATH_TXANTENNA:
                        val = sc->sc_txantenna;
                        break;
-@@ -11616,6 +11623,12 @@ static const ctl_table ath_sysctl_templa
+@@ -11619,6 +11626,12 @@ static const ctl_table ath_sysctl_templa
        },
  #endif
        { .ctl_name     = CTL_AUTO,
 
                        if (dir != IEEE80211_FC1_DIR_NODS) {
                                IEEE80211_DISCARD(vap, IEEE80211_MSG_ANY,
                                        wh, "data", "invalid dir 0x%x", dir);
-@@ -3552,6 +3557,11 @@ ieee80211_recv_mgmt(struct ieee80211vap 
+@@ -3555,6 +3560,11 @@ ieee80211_recv_mgmt(struct ieee80211vap 
                        } else if (vap->iv_opmode == IEEE80211_M_WDS) {
                                found = 1;
                                ni = ni_or_null = vap->iv_wdsnode;
                        }
                        IEEE80211_UNLOCK_IRQ(vap->iv_ic);
  
-@@ -3676,19 +3686,8 @@ ieee80211_recv_mgmt(struct ieee80211vap 
+@@ -3683,19 +3693,8 @@ ieee80211_recv_mgmt(struct ieee80211vap 
                        vap->iv_stats.is_rx_ssidmismatch++; /*XXX*/
                        return;
                }
                        allocbs = 1;
 --- a/net80211/ieee80211_node.c
 +++ b/net80211/ieee80211_node.c
-@@ -601,6 +601,7 @@ ieee80211_ibss_merge(struct ieee80211_no
+@@ -601,6 +601,8 @@ ieee80211_ibss_merge(struct ieee80211_no
                ic->ic_flags & IEEE80211_F_SHPREAMBLE ? "short" : "long",
                ic->ic_flags & IEEE80211_F_SHSLOT ? "short" : "long",
                ic->ic_flags & IEEE80211_F_USEPROT ? ", protection" : "");
-+      ieee80211_node_table_reset(&vap->iv_ic->ic_sta, vap);
++      if (!IEEE80211_ADDR_EQ(ni->ni_bssid, vap->iv_bssid))
++              ieee80211_node_table_reset(&vap->iv_ic->ic_sta, vap);
        return ieee80211_sta_join1(ieee80211_ref_node(ni));
  }
  EXPORT_SYMBOL(ieee80211_ibss_merge);
+@@ -1378,9 +1380,7 @@ ieee80211_add_neighbor(struct ieee80211v
+               if (sp->ath != NULL)
+                       ieee80211_saveath(ni, sp->ath);
+ 
+-              /* NB: must be after ni_chan is setup */
+-              ieee80211_setup_rates(ni, sp->rates, sp->xrates, IEEE80211_F_DOSORT);
+-
++              ni->ni_rates = vap->iv_bss->ni_rates;
+               if (ic->ic_newassoc != NULL)
+                       ic->ic_newassoc(ni, 1);
+               /* XXX not right for 802.1x/WPA */
 
 --- a/net80211/ieee80211_node.c
 +++ b/net80211/ieee80211_node.c
-@@ -1591,10 +1591,6 @@ found:
+@@ -1590,10 +1590,6 @@ found:
                                ieee80211_ref_node(ni);
  #endif
                        }
 
 +#endif
 --- a/ath/if_ath.c
 +++ b/ath/if_ath.c
-@@ -13777,3 +13777,5 @@ cleanup_ath_buf(struct ath_softc *sc, st
+@@ -13780,3 +13780,5 @@ cleanup_ath_buf(struct ath_softc *sc, st
        return bf;
  }