Multi-bss (aka vap) support for 802.11 devices.

Note this includes changes to all drivers and moves some device firmware
loading to use firmware(9) and a separate module (e.g. ral).  Also there
no longer are separate wlan_scan* modules; this functionality is now
bundled into the wlan module.

Supported by:	Hobnob and Marvell
Reviewed by:	many
Obtained from:	Atheros (some bits)

1 files changed, 776 insertions, 475 deletions

diff --git a/sys/net80211/ieee80211_proto.c b/sys/net80211/ieee80211_proto.c
index e67d40c..fe03b15 100644
--- a/sys/net80211/ieee80211_proto.c
+++ b/sys/net80211/ieee80211_proto.c
@@ -1,6 +1,6 @@
 /*-
  * Copyright (c) 2001 Atsushi Onoe
- * Copyright (c) 2002-2007 Sam Leffler, Errno Consulting
+ * Copyright (c) 2002-2008 Sam Leffler, Errno Consulting
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -32,25 +32,32 @@ __FBSDID("$FreeBSD$");
  */
 
 #include "opt_inet.h"
+#include "opt_wlan.h"
 
 #include <sys/param.h>
 #include <sys/kernel.h>
 #include <sys/systm.h>
+#include <sys/taskqueue.h>
 
 #include <sys/socket.h>
+#include <sys/sockio.h>
 
 #include <net/if.h>
 #include <net/if_media.h>
 #include <net/ethernet.h>		/* XXX for ether_sprintf */
 
 #include <net80211/ieee80211_var.h>
+#include <net80211/ieee80211_adhoc.h>
+#include <net80211/ieee80211_sta.h>
+#include <net80211/ieee80211_hostap.h>
+#include <net80211/ieee80211_wds.h>
+#include <net80211/ieee80211_monitor.h>
+#include <net80211/ieee80211_input.h>
 
 /* XXX tunables */
 #define	AGGRESSIVE_MODE_SWITCH_HYSTERESIS	3	/* pkts / 100ms */
 #define	HIGH_PRI_SWITCH_THRESH			10	/* pkts / 100ms */
 
-#define	IEEE80211_RATE2MBS(r)	(((r) & IEEE80211_RATE_VAL) / 2)
-
 const char *ieee80211_mgt_subtype_name[] = {
 	"assoc_req",	"assoc_resp",	"reassoc_req",	"reassoc_resp",
 	"probe_req",	"probe_resp",	"reserved#6",	"reserved#7",
@@ -66,11 +73,9 @@ const char *ieee80211_ctl_subtype_name[] = {
 const char *ieee80211_opmode_name[IEEE80211_OPMODE_MAX] = {
 	"IBSS",		/* IEEE80211_M_IBSS */
 	"STA",		/* IEEE80211_M_STA */
-	"#2",
+	"WDS",		/* IEEE80211_M_WDS */
 	"AHDEMO",	/* IEEE80211_M_AHDEMO */
-	"#4", "#5",
 	"HOSTAP",	/* IEEE80211_M_HOSTAP */
-	"#7",
 	"MONITOR"	/* IEEE80211_M_MONITOR */
 };
 const char *ieee80211_state_name[IEEE80211_S_MAX] = {
@@ -91,11 +96,19 @@ const char *ieee80211_wme_acnames[] = {
 	"WME_UPSD",
 };
 
-static int ieee80211_newstate(struct ieee80211com *, enum ieee80211_state, int);
+static void parent_updown(void *, int);
+static int ieee80211_new_state_locked(struct ieee80211vap *,
+	enum ieee80211_state, int);
 
-static void
-null_update_beacon(struct ieee80211com *ic, int item)
+static int
+null_raw_xmit(struct ieee80211_node *ni, struct mbuf *m,
+	const struct ieee80211_bpf_params *params)
 {
+	struct ifnet *ifp = ni->ni_ic->ic_ifp;
+
+	if_printf(ifp, "missing ic_raw_xmit callback, drop frame\n");
+	m_freem(m);
+	return ENETDOWN;
 }
 
 void
@@ -103,54 +116,131 @@ ieee80211_proto_attach(struct ieee80211com *ic)
 {
 	struct ifnet *ifp = ic->ic_ifp;
 
-	/* XXX room for crypto  */
-	ifp->if_hdrlen = sizeof(struct ieee80211_qosframe_addr4);
-
-	ic->ic_rtsthreshold = IEEE80211_RTS_DEFAULT;
-	ic->ic_fragthreshold = IEEE80211_FRAG_DEFAULT;
-	ic->ic_fixed_rate = IEEE80211_FIXED_RATE_NONE;
-	ic->ic_bmiss_max = IEEE80211_BMISS_MAX;
-	callout_init(&ic->ic_swbmiss, CALLOUT_MPSAFE);
-	callout_init(&ic->ic_mgtsend, CALLOUT_MPSAFE);
-	ic->ic_mcast_rate = IEEE80211_MCAST_RATE_DEFAULT;
+	/* override the 802.3 setting */
+	ifp->if_hdrlen = ic->ic_headroom
+		+ sizeof(struct ieee80211_qosframe_addr4)
+		+ IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN
+		+ IEEE80211_WEP_EXTIVLEN;
+	/* XXX no way to recalculate on ifdetach */
+	if (ALIGN(ifp->if_hdrlen) > max_linkhdr) {
+		/* XXX sanity check... */
+		max_linkhdr = ALIGN(ifp->if_hdrlen);
+		max_hdr = max_linkhdr + max_protohdr;
+		max_datalen = MHLEN - max_hdr;
+	}
 	ic->ic_protmode = IEEE80211_PROT_CTSONLY;
-	ic->ic_roaming = IEEE80211_ROAMING_AUTO;
+
+	TASK_INIT(&ic->ic_parent_task, 0, parent_updown, ifp);
 
 	ic->ic_wme.wme_hipri_switch_hysteresis =
 		AGGRESSIVE_MODE_SWITCH_HYSTERESIS;
 
-	mtx_init(&ic->ic_mgtq.ifq_mtx, ifp->if_xname, "mgmt send q", MTX_DEF);
-
-	/* protocol state change handler */
-	ic->ic_newstate = ieee80211_newstate;
-	ic->ic_update_beacon = null_update_beacon;
-
 	/* initialize management frame handlers */
-	ic->ic_recv_mgmt = ieee80211_recv_mgmt;
 	ic->ic_send_mgmt = ieee80211_send_mgmt;
-	ic->ic_raw_xmit = ieee80211_raw_xmit;
+	ic->ic_raw_xmit = null_raw_xmit;
+
+	ieee80211_adhoc_attach(ic);
+	ieee80211_sta_attach(ic);
+	ieee80211_wds_attach(ic);
+	ieee80211_hostap_attach(ic);
+	ieee80211_monitor_attach(ic);
 }
 
 void
 ieee80211_proto_detach(struct ieee80211com *ic)
 {
+	ieee80211_monitor_detach(ic);
+	ieee80211_hostap_detach(ic);
+	ieee80211_wds_detach(ic);
+	ieee80211_adhoc_detach(ic);
+	ieee80211_sta_detach(ic);
+}
+
+static void
+null_update_beacon(struct ieee80211vap *vap, int item)
+{
+}
+
+void
+ieee80211_proto_vattach(struct ieee80211vap *vap)
+{
+	struct ieee80211com *ic = vap->iv_ic;
+	struct ifnet *ifp = vap->iv_ifp;
+	int i;
+
+	/* override the 802.3 setting */
+	ifp->if_hdrlen = ic->ic_ifp->if_hdrlen;
+
+	vap->iv_rtsthreshold = IEEE80211_RTS_DEFAULT;
+	vap->iv_fragthreshold = IEEE80211_FRAG_DEFAULT;
+	vap->iv_bmiss_max = IEEE80211_BMISS_MAX;
+	callout_init(&vap->iv_swbmiss, CALLOUT_MPSAFE);
+	callout_init(&vap->iv_mgtsend, CALLOUT_MPSAFE);
+	/*
+	 * Install default tx rate handling: no fixed rate, lowest
+	 * supported rate for mgmt and multicast frames.  Default
+	 * max retry count.  These settings can be changed by the
+	 * driver and/or user applications.
+	 */
+	for (i = IEEE80211_MODE_11A; i < IEEE80211_MODE_11NA; i++) {
+		const struct ieee80211_rateset *rs = &ic->ic_sup_rates[i];
+
+		vap->iv_txparms[i].ucastrate = IEEE80211_FIXED_RATE_NONE;
+		/* NB: we default to min supported rate for channel */
+		vap->iv_txparms[i].mgmtrate =
+		    rs->rs_rates[0] & IEEE80211_RATE_VAL;
+		vap->iv_txparms[i].mcastrate = 
+		    rs->rs_rates[0] & IEEE80211_RATE_VAL;
+		vap->iv_txparms[i].maxretry = IEEE80211_TXMAX_DEFAULT;
+	}
+	for (; i < IEEE80211_MODE_MAX; i++) {
+		vap->iv_txparms[i].ucastrate = IEEE80211_FIXED_RATE_NONE;
+		/* NB: default to MCS 0 */
+		vap->iv_txparms[i].mgmtrate = 0 | 0x80;
+		vap->iv_txparms[i].mcastrate = 0 | 0x80;
+		vap->iv_txparms[i].maxretry = IEEE80211_TXMAX_DEFAULT;
+	}
+	vap->iv_roaming = IEEE80211_ROAMING_AUTO;
+
+	vap->iv_update_beacon = null_update_beacon;
+	vap->iv_deliver_data = ieee80211_deliver_data;
+
+	/* attach support for operating mode */
+	ic->ic_vattach[vap->iv_opmode](vap);
+}
 
+void
+ieee80211_proto_vdetach(struct ieee80211vap *vap)
+{
+#define	FREEAPPIE(ie) do { \
+	if (ie != NULL) \
+		FREE(ie, M_80211_NODE_IE); \
+} while (0)
+	/*
+	 * Detach operating mode module.
+	 */
+	if (vap->iv_opdetach != NULL)
+		vap->iv_opdetach(vap);
 	/*
 	 * This should not be needed as we detach when reseting
 	 * the state but be conservative here since the
 	 * authenticator may do things like spawn kernel threads.
 	 */
-	if (ic->ic_auth->ia_detach)
-		ic->ic_auth->ia_detach(ic);
-
-	ieee80211_drain_ifq(&ic->ic_mgtq);
-	mtx_destroy(&ic->ic_mgtq.ifq_mtx);
-
+	if (vap->iv_auth->ia_detach != NULL)
+		vap->iv_auth->ia_detach(vap);
 	/*
 	 * Detach any ACL'ator.
 	 */
-	if (ic->ic_acl != NULL)
-		ic->ic_acl->iac_detach(ic);
+	if (vap->iv_acl != NULL)
+		vap->iv_acl->iac_detach(vap);
+
+	FREEAPPIE(vap->iv_appie_beacon);
+	FREEAPPIE(vap->iv_appie_probereq);
+	FREEAPPIE(vap->iv_appie_proberesp);
+	FREEAPPIE(vap->iv_appie_assocreq);
+	FREEAPPIE(vap->iv_appie_assocresp);
+	FREEAPPIE(vap->iv_appie_wpa);
+#undef FREEAPPIE
 }
 
 /*
@@ -363,16 +453,53 @@ ieee80211_fix_rate(struct ieee80211_node *ni,
 	struct ieee80211_rateset *nrs, int flags)
 {
 #define	RV(v)	((v) & IEEE80211_RATE_VAL)
+	struct ieee80211vap *vap = ni->ni_vap;
 	struct ieee80211com *ic = ni->ni_ic;
 	int i, j, rix, error;
-	int okrate, badrate, fixedrate;
+	int okrate, badrate, fixedrate, ucastrate;
 	const struct ieee80211_rateset *srs;
 	uint8_t r;
 
 	error = 0;
 	okrate = badrate = 0;
+	ucastrate = vap->iv_txparms[ieee80211_chan2mode(ni->ni_chan)].ucastrate;
+	if (ucastrate != IEEE80211_FIXED_RATE_NONE) {
+		/*
+		 * Workaround awkwardness with fixed rate.  We are called
+		 * to check both the legacy rate set and the HT rate set
+		 * but we must apply any legacy fixed rate check only to the
+		 * legacy rate set and vice versa.  We cannot tell what type
+		 * of rate set we've been given (legacy or HT) but we can
+		 * distinguish the fixed rate type (MCS have 0x80 set).
+		 * So to deal with this the caller communicates whether to
+		 * check MCS or legacy rate using the flags and we use the
+		 * type of any fixed rate to avoid applying an MCS to a
+		 * legacy rate and vice versa.
+		 */
+		if (ucastrate & 0x80) {
+			if (flags & IEEE80211_F_DOFRATE)
+				flags &= ~IEEE80211_F_DOFRATE;
+		} else if ((ucastrate & 0x80) == 0) {
+			if (flags & IEEE80211_F_DOFMCS)
+				flags &= ~IEEE80211_F_DOFMCS;
+		}
+		/* NB: required to make MCS match below work */
+		ucastrate &= IEEE80211_RATE_VAL;
+	}
 	fixedrate = IEEE80211_FIXED_RATE_NONE;
-	srs = ieee80211_get_suprates(ic, ni->ni_chan);
+	/*
+	 * XXX we are called to process both MCS and legacy rates;
+	 * we must use the appropriate basic rate set or chaos will
+	 * ensue; for now callers that want MCS must supply
+	 * IEEE80211_F_DOBRS; at some point we'll need to split this
+	 * function so there are two variants, one for MCS and one
+	 * for legacy rates.
+	 */
+	if (flags & IEEE80211_F_DOBRS)
+		srs = (const struct ieee80211_rateset *)
+		    ieee80211_get_suphtrates(ic, ni->ni_chan);
+	else
+		srs = ieee80211_get_suprates(ic, ni->ni_chan);
 	for (i = 0; i < nrs->rs_nrates; ) {
 		if (flags & IEEE80211_F_DOSORT) {
 			/*
@@ -391,7 +518,7 @@ ieee80211_fix_rate(struct ieee80211_node *ni,
 		/*
 		 * Check for fixed rate.
 		 */
-		if (r == ic->ic_fixed_rate)
+		if (r == ucastrate)
 			fixedrate = r;
 		/*
 		 * Check against supported rates.
@@ -431,9 +558,13 @@ ieee80211_fix_rate(struct ieee80211_node *ni,
 		i++;
 	}
 	if (okrate == 0 || error != 0 ||
-	    ((flags & IEEE80211_F_DOFRATE) && fixedrate != ic->ic_fixed_rate))
+	    ((flags & (IEEE80211_F_DOFRATE|IEEE80211_F_DOFMCS)) &&
+	     fixedrate != ucastrate)) {
+		IEEE80211_NOTE(vap, IEEE80211_MSG_XRATE | IEEE80211_MSG_11N, ni,
+		    "%s: flags 0x%x okrate %d error %d fixedrate 0x%x "
+		    "ucastrate %x\n", __func__, fixedrate, ucastrate, flags);
 		return badrate | IEEE80211_RATE_BASIC;
-	else
+	} else
 		return RV(okrate);
 #undef RV
 }
@@ -491,7 +622,7 @@ ieee80211_set_shortslottime(struct ieee80211com *ic, int onoff)
  * NB: the rate set is assumed to be sorted.
  */
 int
-ieee80211_iserp_rateset(struct ieee80211com *ic, struct ieee80211_rateset *rs)
+ieee80211_iserp_rateset(const struct ieee80211_rateset *rs)
 {
 #define N(a)	(sizeof(a) / sizeof(a[0]))
 	static const int rates[] = { 2, 4, 11, 22, 12, 24, 48 };
@@ -516,14 +647,15 @@ ieee80211_iserp_rateset(struct ieee80211com *ic, struct ieee80211_rateset *rs)
 }
 
 /*
- * Mark the basic rates for the 11g rate table based on the
+ * Mark the basic rates for the rate table based on the
  * operating mode.  For real 11g we mark all the 11b rates
  * and 6, 12, and 24 OFDM.  For 11b compatibility we mark only
  * 11b rates.  There's also a pseudo 11a-mode used to mark only
  * the basic OFDM rates.
  */
-void
-ieee80211_set11gbasicrates(struct ieee80211_rateset *rs, enum ieee80211_phymode mode)
+static void
+setbasicrates(struct ieee80211_rateset *rs,
+    enum ieee80211_phymode mode, int add)
 {
 	static const struct ieee80211_rateset basic[IEEE80211_MODE_MAX] = {
 	    { .rs_nrates = 0 },		/* IEEE80211_MODE_AUTO */
@@ -531,16 +663,17 @@ ieee80211_set11gbasicrates(struct ieee80211_rateset *rs, enum ieee80211_phymode
 	    { 2, { 2, 4 } },		/* IEEE80211_MODE_11B */
 	    { 4, { 2, 4, 11, 22 } },	/* IEEE80211_MODE_11G (mixed b/g) */
 	    { .rs_nrates = 0 },		/* IEEE80211_MODE_FH */
-					/* IEEE80211_MODE_PUREG (not yet) */
-	    { 7, { 2, 4, 11, 22, 12, 24, 48 } },
+	    { 3, { 12, 24, 48 } },	/* IEEE80211_MODE_TURBO_A */
+	    { 4, { 2, 4, 11, 22 } },	/* IEEE80211_MODE_TURBO_G (mixed b/g) */
+	    { 3, { 12, 24, 48 } },	/* IEEE80211_MODE_STURBO_A */
 	    { 3, { 12, 24, 48 } },	/* IEEE80211_MODE_11NA */
-					/* IEEE80211_MODE_11NG (mixed b/g) */
-	    { 7, { 2, 4, 11, 22, 12, 24, 48 } },
+	    { 4, { 2, 4, 11, 22 } },	/* IEEE80211_MODE_11NG (mixed b/g) */
 	};
 	int i, j;
 
 	for (i = 0; i < rs->rs_nrates; i++) {
-		rs->rs_rates[i] &= IEEE80211_RATE_VAL;
+		if (!add)
+			rs->rs_rates[i] &= IEEE80211_RATE_VAL;
 		for (j = 0; j < basic[mode].rs_nrates; j++)
 			if (basic[mode].rs_rates[j] == rs->rs_rates[i]) {
 				rs->rs_rates[i] |= IEEE80211_RATE_BASIC;
@@ -550,14 +683,40 @@ ieee80211_set11gbasicrates(struct ieee80211_rateset *rs, enum ieee80211_phymode
 }
 
 /*
- * WME protocol support.  The following parameters come from the spec.
+ * Set the basic rates in a rate set.
+ */
+void
+ieee80211_setbasicrates(struct ieee80211_rateset *rs,
+    enum ieee80211_phymode mode)
+{
+	setbasicrates(rs, mode, 0);
+}
+
+/*
+ * Add basic rates to a rate set.
+ */
+void
+ieee80211_addbasicrates(struct ieee80211_rateset *rs,
+    enum ieee80211_phymode mode)
+{
+	setbasicrates(rs, mode, 1);
+}
+
+/*
+ * WME protocol support.
+ *
+ * The default 11a/b/g/n parameters come from the WiFi Alliance WMM
+ * System Interopability Test Plan (v1.4, Appendix F) and the 802.11n
+ * Draft 2.0 Test Plan (Appendix D).
+ *
+ * Static/Dynamic Turbo mode settings come from Atheros.
  */
 typedef struct phyParamType {
-	uint8_t aifsn;
-	uint8_t logcwmin;
-	uint8_t logcwmax;
-	uint16_t txopLimit;
-	uint8_t acm;
+	uint8_t		aifsn;
+	uint8_t		logcwmin;
+	uint8_t		logcwmax;
+	uint16_t	txopLimit;
+	uint8_t 	acm;
 } paramType;
 
 static const struct phyParamType phyParamForAC_BE[IEEE80211_MODE_MAX] = {
@@ -646,15 +805,18 @@ static const struct phyParamType bssPhyParamForAC_VO[IEEE80211_MODE_MAX] = {
 	{ 2, 2, 3,  47, 0 },	/* IEEE80211_MODE_11NG */
 };
 
-void
-ieee80211_wme_initparams(struct ieee80211com *ic)
+static void
+ieee80211_wme_initparams_locked(struct ieee80211vap *vap)
 {
+	struct ieee80211com *ic = vap->iv_ic;
 	struct ieee80211_wme_state *wme = &ic->ic_wme;
 	const paramType *pPhyParam, *pBssPhyParam;
 	struct wmeParams *wmep;
 	enum ieee80211_phymode mode;
 	int i;
 
+	IEEE80211_LOCK_ASSERT(ic);
+
 	if ((ic->ic_caps & IEEE80211_C_WME) == 0)
 		return;
 
@@ -704,7 +866,7 @@ ieee80211_wme_initparams(struct ieee80211com *ic)
 			wmep->wmep_txopLimit = pBssPhyParam->txopLimit;
 
 		}	
-		IEEE80211_DPRINTF(ic, IEEE80211_MSG_WME,
+		IEEE80211_DPRINTF(vap, IEEE80211_MSG_WME,
 			"%s: %s chan [acm %u aifsn %u log2(cwmin) %u "
 			"log2(cwmax) %u txpoLimit %u]\n", __func__
 			, ieee80211_wme_acnames[i]
@@ -721,7 +883,7 @@ ieee80211_wme_initparams(struct ieee80211com *ic)
 		wmep->wmep_logcwmin = pBssPhyParam->logcwmin;	
 		wmep->wmep_logcwmax = pBssPhyParam->logcwmax;		
 		wmep->wmep_txopLimit = pBssPhyParam->txopLimit;
-		IEEE80211_DPRINTF(ic, IEEE80211_MSG_WME,
+		IEEE80211_DPRINTF(vap, IEEE80211_MSG_WME,
 			"%s: %s  bss [acm %u aifsn %u log2(cwmin) %u "
 			"log2(cwmax) %u txpoLimit %u]\n", __func__
 			, ieee80211_wme_acnames[i]
@@ -733,7 +895,7 @@ ieee80211_wme_initparams(struct ieee80211com *ic)
 		);
 	}
 	/* NB: check ic_bss to avoid NULL deref on initial attach */
-	if (ic->ic_bss != NULL) {
+	if (vap->iv_bss != NULL) {
 		/*
 		 * Calculate agressive mode switching threshold based
 		 * on beacon interval.  This doesn't need locking since
@@ -741,16 +903,26 @@ ieee80211_wme_initparams(struct ieee80211com *ic)
 		 * which point we start sending beacon frames.
 		 */
 		wme->wme_hipri_switch_thresh =
-			(HIGH_PRI_SWITCH_THRESH * ic->ic_bss->ni_intval) / 100;
-		ieee80211_wme_updateparams(ic);
+			(HIGH_PRI_SWITCH_THRESH * vap->iv_bss->ni_intval) / 100;
+		ieee80211_wme_updateparams(vap);
 	}
 }
 
+void
+ieee80211_wme_initparams(struct ieee80211vap *vap)
+{
+	struct ieee80211com *ic = vap->iv_ic;
+
+	IEEE80211_LOCK(ic);
+	ieee80211_wme_initparams_locked(vap);
+	IEEE80211_UNLOCK(ic);
+}
+
 /*
  * Update WME parameters for ourself and the BSS.
  */
 void
-ieee80211_wme_updateparams_locked(struct ieee80211com *ic)
+ieee80211_wme_updateparams_locked(struct ieee80211vap *vap)
 {
 	static const paramType phyParam[IEEE80211_MODE_MAX] = {
 		{ 2, 4, 10, 64, 0 },	/* IEEE80211_MODE_AUTO */
@@ -764,6 +936,7 @@ ieee80211_wme_updateparams_locked(struct ieee80211com *ic)
 		{ 2, 4, 10, 64, 0 },	/* IEEE80211_MODE_11NA */ /*XXXcheck*/
 		{ 2, 4, 10, 64, 0 },	/* IEEE80211_MODE_11NG */ /*XXXcheck*/
 	};
+	struct ieee80211com *ic = vap->iv_ic;
 	struct ieee80211_wme_state *wme = &ic->ic_wme;
 	const struct wmeParams *wmep;
 	struct wmeParams *chanp, *bssp;
@@ -806,11 +979,11 @@ ieee80211_wme_updateparams_locked(struct ieee80211com *ic)
 	 * BE uses agressive params to optimize performance of
 	 * legacy/non-QoS traffic.
 	 */
-        if ((ic->ic_opmode == IEEE80211_M_HOSTAP &&
+        if ((vap->iv_opmode == IEEE80211_M_HOSTAP &&
 	     (wme->wme_flags & WME_F_AGGRMODE) != 0) ||
-	    (ic->ic_opmode == IEEE80211_M_STA &&
-	     (ic->ic_bss->ni_flags & IEEE80211_NODE_QOS) == 0) ||
-	    (ic->ic_flags & IEEE80211_F_WME) == 0) {
+	    (vap->iv_opmode == IEEE80211_M_STA &&
+	     (vap->iv_bss->ni_flags & IEEE80211_NODE_QOS) == 0) ||
+	    (vap->iv_flags & IEEE80211_F_WME) == 0) {
 		chanp = &wme->wme_chanParams.cap_wmeParams[WME_AC_BE];
 		bssp = &wme->wme_bssChanParams.cap_wmeParams[WME_AC_BE];
 
@@ -820,9 +993,9 @@ ieee80211_wme_updateparams_locked(struct ieee80211com *ic)
 		chanp->wmep_logcwmax = bssp->wmep_logcwmax =
 			phyParam[mode].logcwmax;
 		chanp->wmep_txopLimit = bssp->wmep_txopLimit =
-			(ic->ic_flags & IEEE80211_F_BURST) ?
+			(vap->iv_flags & IEEE80211_F_BURST) ?
 				phyParam[mode].txopLimit : 0;		
-		IEEE80211_DPRINTF(ic, IEEE80211_MSG_WME,
+		IEEE80211_DPRINTF(vap, IEEE80211_MSG_WME,
 			"%s: %s [acm %u aifsn %u log2(cwmin) %u "
 			"log2(cwmax) %u txpoLimit %u]\n", __func__
 			, ieee80211_wme_acnames[WME_AC_BE]
@@ -834,7 +1007,8 @@ ieee80211_wme_updateparams_locked(struct ieee80211com *ic)
 		);
 	}
 	
-	if (ic->ic_opmode == IEEE80211_M_HOSTAP &&
+	/* XXX multi-bss */
+	if (vap->iv_opmode == IEEE80211_M_HOSTAP &&
 	    ic->ic_sta_assoc < 2 && (wme->wme_flags & WME_F_AGGRMODE) != 0) {
         	static const uint8_t logCwMin[IEEE80211_MODE_MAX] = {
               		3,	/* IEEE80211_MODE_AUTO */
@@ -852,77 +1026,238 @@ ieee80211_wme_updateparams_locked(struct ieee80211com *ic)
 		bssp = &wme->wme_bssChanParams.cap_wmeParams[WME_AC_BE];
 
 		chanp->wmep_logcwmin = bssp->wmep_logcwmin = logCwMin[mode];
-		IEEE80211_DPRINTF(ic, IEEE80211_MSG_WME,
+		IEEE80211_DPRINTF(vap, IEEE80211_MSG_WME,
 			"%s: %s log2(cwmin) %u\n", __func__
 			, ieee80211_wme_acnames[WME_AC_BE]
 			, chanp->wmep_logcwmin
 		);
     	}	
-	if (ic->ic_opmode == IEEE80211_M_HOSTAP) {	/* XXX ibss? */
+	if (vap->iv_opmode == IEEE80211_M_HOSTAP) {	/* XXX ibss? */
 		/*
 		 * Arrange for a beacon update and bump the parameter
 		 * set number so associated stations load the new values.
 		 */
 		wme->wme_bssChanParams.cap_info =
 			(wme->wme_bssChanParams.cap_info+1) & WME_QOSINFO_COUNT;
-		ieee80211_beacon_notify(ic, IEEE80211_BEACON_WME);
+		ieee80211_beacon_notify(vap, IEEE80211_BEACON_WME);
 	}
 
 	wme->wme_update(ic);
 
-	IEEE80211_DPRINTF(ic, IEEE80211_MSG_WME,
+	IEEE80211_DPRINTF(vap, IEEE80211_MSG_WME,
 		"%s: WME params updated, cap_info 0x%x\n", __func__,
-		ic->ic_opmode == IEEE80211_M_STA ?
+		vap->iv_opmode == IEEE80211_M_STA ?
 			wme->wme_wmeChanParams.cap_info :
 			wme->wme_bssChanParams.cap_info);
 }
 
 void
-ieee80211_wme_updateparams(struct ieee80211com *ic)
+ieee80211_wme_updateparams(struct ieee80211vap *vap)
 {
+	struct ieee80211com *ic = vap->iv_ic;
 
 	if (ic->ic_caps & IEEE80211_C_WME) {
-		IEEE80211_BEACON_LOCK(ic);
-		ieee80211_wme_updateparams_locked(ic);
-		IEEE80211_BEACON_UNLOCK(ic);
+		IEEE80211_LOCK(ic);
+		ieee80211_wme_updateparams_locked(vap);
+		IEEE80211_UNLOCK(ic);
 	}
 }
 
+static void
+parent_updown(void *arg, int npending)
+{
+	struct ifnet *parent = arg;
+
+	parent->if_ioctl(parent, SIOCSIFFLAGS, NULL);
+}
+
 /*
- * Start a device.  If this is the first vap running on the
- * underlying device then we first bring it up.
+ * Start a vap running.  If this is the first vap to be
+ * set running on the underlying device then we
+ * automatically bring the device up.
  */
-int
-ieee80211_init(struct ieee80211com *ic, int forcescan)
+void
+ieee80211_start_locked(struct ieee80211vap *vap)
 {
+	struct ifnet *ifp = vap->iv_ifp;
+	struct ieee80211com *ic = vap->iv_ic;
+	struct ifnet *parent = ic->ic_ifp;
 
-	IEEE80211_DPRINTF(ic,
+	IEEE80211_LOCK_ASSERT(ic);
+
+	IEEE80211_DPRINTF(vap,
 		IEEE80211_MSG_STATE | IEEE80211_MSG_DEBUG,
-		"%s\n", "start running");
+		"start running, %d vaps running\n", ic->ic_nrunning);
 
+	if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0) {
+		/*
+		 * Mark us running.  Note that it's ok to do this first;
+		 * if we need to bring the parent device up we defer that
+		 * to avoid dropping the com lock.  We expect the device
+		 * to respond to being marked up by calling back into us
+		 * through ieee80211_start_all at which point we'll come
+		 * back in here and complete the work.
+		 */
+		ifp->if_drv_flags |= IFF_DRV_RUNNING;
+		/*
+		 * We are not running; if this we are the first vap
+		 * to be brought up auto-up the parent if necessary.
+		 */
+		if (ic->ic_nrunning++ == 0 &&
+		    (parent->if_drv_flags & IFF_DRV_RUNNING) == 0) {
+			IEEE80211_DPRINTF(vap,
+			    IEEE80211_MSG_STATE | IEEE80211_MSG_DEBUG,
+			    "%s: up parent %s\n", __func__, parent->if_xname);
+			parent->if_flags |= IFF_UP;
+			taskqueue_enqueue(taskqueue_thread, &ic->ic_parent_task);
+			return;
+		}
+	}
 	/*
-	 * Kick the 802.11 state machine as appropriate.
+	 * If the parent is up and running, then kick the
+	 * 802.11 state machine as appropriate.
 	 */
-	if (ic->ic_roaming != IEEE80211_ROAMING_MANUAL) {
-		if (ic->ic_opmode == IEEE80211_M_STA) {
-			ieee80211_new_state(ic, IEEE80211_S_SCAN, 0);
+	if ((parent->if_drv_flags & IFF_DRV_RUNNING) &&
+	    vap->iv_roaming != IEEE80211_ROAMING_MANUAL) {
+		if (vap->iv_opmode == IEEE80211_M_STA) {
+#if 0
+			/* XXX bypasses scan too easily; disable for now */
+			/*
+			 * Try to be intelligent about clocking the state
+			 * machine.  If we're currently in RUN state then
+			 * we should be able to apply any new state/parameters
+			 * simply by re-associating.  Otherwise we need to
+			 * re-scan to select an appropriate ap.
+			 */ 
+			if (vap->iv_state >= IEEE80211_S_RUN)
+				ieee80211_new_state_locked(vap,
+				    IEEE80211_S_ASSOC, 1);
+			else
+#endif
+				ieee80211_new_state_locked(vap,
+				    IEEE80211_S_SCAN, 0);
 		} else {
 			/*
-			 * For monitor+wds modes there's nothing to do but
-			 * start running.  Otherwise, if this is the first
+			 * For monitor+wds mode there's nothing to do but
+			 * start running.  Otherwise if this is the first
 			 * vap to be brought up, start a scan which may be
 			 * preempted if the station is locked to a particular
 			 * channel.
 			 */
-			if (ic->ic_opmode == IEEE80211_M_MONITOR ||
-			    ic->ic_opmode == IEEE80211_M_WDS) {
-				ic->ic_state = IEEE80211_S_INIT;	/* XXX*/
-				ieee80211_new_state(ic, IEEE80211_S_RUN, -1);
-			} else
-				ieee80211_new_state(ic, IEEE80211_S_SCAN, 0);
+			/* XXX needed? */
+			ieee80211_new_state_locked(vap, IEEE80211_S_INIT, 0);
+			if (vap->iv_opmode == IEEE80211_M_MONITOR ||
+			    vap->iv_opmode == IEEE80211_M_WDS)
+				ieee80211_new_state_locked(vap,
+				    IEEE80211_S_RUN, -1);
+			else
+				ieee80211_new_state_locked(vap,
+				    IEEE80211_S_SCAN, 0);
 		}
 	}
-	return 0;
+}
+
+/*
+ * Start a single vap.
+ */
+void
+ieee80211_init(void *arg)
+{
+	struct ieee80211vap *vap = arg;
+
+	/*
+	 * This routine is publicly accessible through the vap's
+	 * if_init method so guard against calls during detach.
+	 * ieee80211_vap_detach null's the backpointer before
+	 * tearing down state to signal any callback should be
+	 * rejected/ignored.
+	 */
+	if (vap != NULL) {
+		IEEE80211_DPRINTF(vap,
+		    IEEE80211_MSG_STATE | IEEE80211_MSG_DEBUG,
+		    "%s\n", __func__);
+
+		IEEE80211_LOCK(vap->iv_ic);
+		ieee80211_start_locked(vap);
+		IEEE80211_UNLOCK(vap->iv_ic);
+	}
+}
+
+/*
+ * Start all runnable vap's on a device.
+ */
+void
+ieee80211_start_all(struct ieee80211com *ic)
+{
+	struct ieee80211vap *vap;
+
+	IEEE80211_LOCK(ic);
+	TAILQ_FOREACH(vap, &ic->ic_vaps, iv_next) {
+		struct ifnet *ifp = vap->iv_ifp;
+		if (IFNET_IS_UP_RUNNING(ifp))	/* NB: avoid recursion */
+			ieee80211_start_locked(vap);
+	}
+	IEEE80211_UNLOCK(ic);
+}
+
+/*
+ * Stop a vap.  We force it down using the state machine
+ * then mark it's ifnet not running.  If this is the last
+ * vap running on the underlying device then we close it
+ * too to insure it will be properly initialized when the
+ * next vap is brought up.
+ */
+void
+ieee80211_stop_locked(struct ieee80211vap *vap)
+{
+	struct ieee80211com *ic = vap->iv_ic;
+	struct ifnet *ifp = vap->iv_ifp;
+	struct ifnet *parent = ic->ic_ifp;
+
+	IEEE80211_LOCK_ASSERT(ic);
+
+	IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE | IEEE80211_MSG_DEBUG,
+	    "stop running, %d vaps running\n", ic->ic_nrunning);
+
+	ieee80211_new_state_locked(vap, IEEE80211_S_INIT, -1);
+	if (ifp->if_drv_flags & IFF_DRV_RUNNING) {
+		ifp->if_drv_flags &= ~IFF_DRV_RUNNING;	/* mark us stopped */
+		if (--ic->ic_nrunning == 0 &&
+		    (parent->if_drv_flags & IFF_DRV_RUNNING)) {
+			IEEE80211_DPRINTF(vap,
+			    IEEE80211_MSG_STATE | IEEE80211_MSG_DEBUG,
+			    "down parent %s\n", parent->if_xname);
+			parent->if_flags &= ~IFF_UP;
+			taskqueue_enqueue(taskqueue_thread, &ic->ic_parent_task);
+		}
+	}
+}
+
+void
+ieee80211_stop(struct ieee80211vap *vap)
+{
+	struct ieee80211com *ic = vap->iv_ic;
+
+	IEEE80211_LOCK(ic);
+	ieee80211_stop_locked(vap);
+	IEEE80211_UNLOCK(ic);
+}
+
+/*
+ * Stop all vap's running on a device.
+ */
+void
+ieee80211_stop_all(struct ieee80211com *ic)
+{
+	struct ieee80211vap *vap;
+
+	IEEE80211_LOCK(ic);
+	TAILQ_FOREACH(vap, &ic->ic_vaps, iv_next) {
+		struct ifnet *ifp = vap->iv_ifp;
+		if (IFNET_IS_UP_RUNNING(ifp))	/* NB: avoid recursion */
+			ieee80211_stop_locked(vap);
+	}
+	IEEE80211_UNLOCK(ic);
 }
 
 /*
@@ -932,19 +1267,20 @@ ieee80211_init(struct ieee80211com *ic, int forcescan)
  * the driver to effect the change.
  */
 void
-ieee80211_dturbo_switch(struct ieee80211com *ic, int newflags)
+ieee80211_dturbo_switch(struct ieee80211vap *vap, int newflags)
 {
+	struct ieee80211com *ic = vap->iv_ic;
 	struct ieee80211_channel *chan;
 
 	chan = ieee80211_find_channel(ic, ic->ic_bsschan->ic_freq, newflags);
 	if (chan == NULL) {		/* XXX should not happen */
-		IEEE80211_DPRINTF(ic, IEEE80211_MSG_SUPERG,
+		IEEE80211_DPRINTF(vap, IEEE80211_MSG_SUPERG,
 		    "%s: no channel with freq %u flags 0x%x\n",
 		    __func__, ic->ic_bsschan->ic_freq, newflags);
 		return;
 	}
 
-	IEEE80211_DPRINTF(ic, IEEE80211_MSG_SUPERG,
+	IEEE80211_DPRINTF(vap, IEEE80211_MSG_SUPERG,
 	    "%s: %s -> %s (freq %u flags 0x%x)\n", __func__,
 	    ieee80211_phymode_name[ieee80211_chan2mode(ic->ic_bsschan)],
 	    ieee80211_phymode_name[ieee80211_chan2mode(chan)],
@@ -960,57 +1296,21 @@ ieee80211_dturbo_switch(struct ieee80211com *ic, int newflags)
 void
 ieee80211_beacon_miss(struct ieee80211com *ic)
 {
+	struct ieee80211vap *vap;
 
-	if (ic->ic_flags & IEEE80211_F_SCAN) {
-		/* XXX check ic_curchan != ic_bsschan? */
+	if (ic->ic_flags & IEEE80211_F_SCAN)
 		return;
-	}
-	IEEE80211_DPRINTF(ic, IEEE80211_MSG_STATE | IEEE80211_MSG_DEBUG,
-		"%s\n", "beacon miss");
-
-	/*
-	 * Our handling is only meaningful for stations that are
-	 * associated; any other conditions else will be handled
-	 * through different means (e.g. the tx timeout on mgt frames).
-	 */
-	if (ic->ic_opmode != IEEE80211_M_STA || ic->ic_state != IEEE80211_S_RUN)
-		return;
-
-	if (++ic->ic_bmiss_count < ic->ic_bmiss_max) {
+	/* XXX locking */
+	TAILQ_FOREACH(vap, &ic->ic_vaps, iv_next) {
 		/*
-		 * Send a directed probe req before falling back to a scan;
-		 * if we receive a response ic_bmiss_count will be reset.
-		 * Some cards mistakenly report beacon miss so this avoids
-		 * the expensive scan if the ap is still there.
+		 * We only pass events through for sta vap's in RUN state;
+		 * may be too restrictive but for now this saves all the
+		 * handlers duplicating these checks.
 		 */
-		ieee80211_send_probereq(ic->ic_bss, ic->ic_myaddr,
-			ic->ic_bss->ni_bssid, ic->ic_bss->ni_bssid,
-			ic->ic_bss->ni_essid, ic->ic_bss->ni_esslen,
-			ic->ic_opt_ie, ic->ic_opt_ie_len);
-		return;
-	}
-	ic->ic_bmiss_count = 0;
-	if (ic->ic_roaming == IEEE80211_ROAMING_AUTO) {
-		/*
-		 * If we receive a beacon miss interrupt when using
-		 * dynamic turbo, attempt to switch modes before
-		 * reassociating.
-		 */
-		if (IEEE80211_ATH_CAP(ic, ic->ic_bss, IEEE80211_NODE_TURBOP))
-			ieee80211_dturbo_switch(ic,
-			    ic->ic_bsschan->ic_flags ^ IEEE80211_CHAN_TURBO);
-		/*
-		 * Try to reassociate before scanning for a new ap.
-		 */
-		ieee80211_new_state(ic, IEEE80211_S_ASSOC, 1);
-	} else {
-		/*
-		 * Somebody else is controlling state changes (e.g.
-		 * a user-mode app) don't do anything that would
-		 * confuse them; just drop into scan mode so they'll
-		 * notified of the state change and given control.
-		 */
-		ieee80211_new_state(ic, IEEE80211_S_SCAN, 0);
+		if (vap->iv_opmode == IEEE80211_M_STA &&
+		    vap->iv_state == IEEE80211_S_RUN &&
+		    vap->iv_bmiss != NULL)
+			vap->iv_bmiss(vap);
 	}
 }
 
@@ -1019,377 +1319,378 @@ ieee80211_beacon_miss(struct ieee80211com *ic)
  * were received in the last period.  If not post a
  * beacon miss; otherwise reset the counter.
  */
-static void
+void
 ieee80211_swbmiss(void *arg)
 {
-	struct ieee80211com *ic = arg;
+	struct ieee80211vap *vap = arg;
 
-	if (ic->ic_swbmiss_count == 0) {
-		ieee80211_beacon_miss(ic);
-		if (ic->ic_bmiss_count == 0)	/* don't re-arm timer */
+	if (vap->iv_swbmiss_count == 0) {
+		if (vap->iv_bmiss != NULL)
+			vap->iv_bmiss(vap);
+		if (vap->iv_bmiss_count == 0)	/* don't re-arm timer */
 			return;
 	} else
-		ic->ic_swbmiss_count = 0;
-	callout_reset(&ic->ic_swbmiss, ic->ic_swbmiss_period,
-		ieee80211_swbmiss, ic);
+		vap->iv_swbmiss_count = 0;
+	callout_reset(&vap->iv_swbmiss, vap->iv_swbmiss_period,
+		ieee80211_swbmiss, vap);
+}
+
+/*
+ * Start an 802.11h channel switch.  We record the parameters,
+ * mark the operation pending, notify each vap through the
+ * beacon update mechanism so it can update the beacon frame
+ * contents, and then switch vap's to CSA state to block outbound
+ * traffic.  Devices that handle CSA directly can use the state
+ * switch to do the right thing so long as they call
+ * ieee80211_csa_completeswitch when it's time to complete the
+ * channel change.  Devices that depend on the net80211 layer can
+ * use ieee80211_beacon_update to handle the countdown and the
+ * channel switch.
+ */
+void
+ieee80211_csa_startswitch(struct ieee80211com *ic,
+	struct ieee80211_channel *c, int mode, int count)
+{
+	struct ieee80211vap *vap;
+
+	IEEE80211_LOCK_ASSERT(ic);
+
+	ic->ic_csa_newchan = c;
+	ic->ic_csa_count = count;
+	/* XXX record mode? */
+	ic->ic_flags |= IEEE80211_F_CSAPENDING;
+	TAILQ_FOREACH(vap, &ic->ic_vaps, iv_next) {
+		if (vap->iv_opmode == IEEE80211_M_HOSTAP ||
+		    vap->iv_opmode == IEEE80211_M_IBSS)
+			ieee80211_beacon_notify(vap, IEEE80211_BEACON_CSA);
+		/* switch to CSA state to block outbound traffic */
+		if (vap->iv_state == IEEE80211_S_RUN)
+			ieee80211_new_state_locked(vap, IEEE80211_S_CSA, 0);
+	}
+	ieee80211_notify_csa(ic, c, mode, count);
+}
+
+/*
+ * Complete an 802.11h channel switch started by ieee80211_csa_startswitch.
+ * We clear state and move all vap's in CSA state to RUN state
+ * so they can again transmit.
+ */
+void
+ieee80211_csa_completeswitch(struct ieee80211com *ic)
+{
+	struct ieee80211vap *vap;
+
+	IEEE80211_LOCK_ASSERT(ic);
+
+	KASSERT(ic->ic_flags & IEEE80211_F_CSAPENDING, ("csa not pending"));
+
+	ieee80211_setcurchan(ic, ic->ic_csa_newchan);
+	ic->ic_csa_newchan = NULL;
+	ic->ic_flags &= ~IEEE80211_F_CSAPENDING;
+
+	TAILQ_FOREACH(vap, &ic->ic_vaps, iv_next)
+		if (vap->iv_state == IEEE80211_S_CSA)
+			ieee80211_new_state_locked(vap, IEEE80211_S_RUN, 0);
+}
+
+/*
+ * Complete a DFS CAC started by ieee80211_dfs_cac_start.
+ * We clear state and move all vap's in CAC state to RUN state.
+ */
+void
+ieee80211_cac_completeswitch(struct ieee80211vap *vap0)
+{
+	struct ieee80211com *ic = vap0->iv_ic;
+	struct ieee80211vap *vap;
+
+	IEEE80211_LOCK(ic);
+	/*
+	 * Complete CAC state change for lead vap first; then
+	 * clock all the other vap's waiting.
+	 */
+	KASSERT(vap0->iv_state == IEEE80211_S_CAC,
+	    ("wrong state %d", vap0->iv_state));
+	ieee80211_new_state_locked(vap0, IEEE80211_S_RUN, 0);
+
+	TAILQ_FOREACH(vap, &ic->ic_vaps, iv_next)
+		if (vap->iv_state == IEEE80211_S_CAC)
+			ieee80211_new_state_locked(vap, IEEE80211_S_RUN, 0);
+	IEEE80211_UNLOCK(ic);
 }
 
+/*
+ * Force all vap's other than the specified vap to the INIT state
+ * and mark them as waiting for a scan to complete.  These vaps
+ * will be brought up when the scan completes and the scanning vap
+ * reaches RUN state by wakeupwaiting.
+ * XXX if we do this in threads we can use sleep/wakeup.
+ */
 static void
-sta_disassoc(void *arg, struct ieee80211_node *ni)
+markwaiting(struct ieee80211vap *vap0)
 {
-	struct ieee80211com *ic = arg;
+	struct ieee80211com *ic = vap0->iv_ic;
+	struct ieee80211vap *vap;
+
+	IEEE80211_LOCK_ASSERT(ic);
 
-	if (ni->ni_associd != 0) {
-		IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DISASSOC,
-			IEEE80211_REASON_ASSOC_LEAVE);
-		ieee80211_node_leave(ic, ni);
+	TAILQ_FOREACH(vap, &ic->ic_vaps, iv_next) {
+		if (vap == vap0)
+			continue;
+		if (vap->iv_state != IEEE80211_S_INIT) {
+			vap->iv_newstate(vap, IEEE80211_S_INIT, 0);
+			vap->iv_flags_ext |= IEEE80211_FEXT_SCANWAIT;
+		}
 	}
 }
 
+/*
+ * Wakeup all vap's waiting for a scan to complete.  This is the
+ * companion to markwaiting (above) and is used to coordinate
+ * multiple vaps scanning.
+ */
 static void
-sta_deauth(void *arg, struct ieee80211_node *ni)
+wakeupwaiting(struct ieee80211vap *vap0)
 {
-	struct ieee80211com *ic = arg;
+	struct ieee80211com *ic = vap0->iv_ic;
+	struct ieee80211vap *vap;
+
+	IEEE80211_LOCK_ASSERT(ic);
 
-	IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_DEAUTH,
-		IEEE80211_REASON_ASSOC_LEAVE);
+	TAILQ_FOREACH(vap, &ic->ic_vaps, iv_next) {
+		if (vap == vap0)
+			continue;
+		if (vap->iv_flags_ext & IEEE80211_FEXT_SCANWAIT) {
+			vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANWAIT;
+			/* NB: sta's cannot go INIT->RUN */
+			vap->iv_newstate(vap,
+			    vap->iv_opmode == IEEE80211_M_STA ?
+			        IEEE80211_S_SCAN : IEEE80211_S_RUN, 0);
+		}
+	}
 }
 
 /*
- * Handle deauth with reason.  We retry only for
- * the cases where we might succeed.  Otherwise
- * we downgrade the ap and scan.
+ * Handle post state change work common to all operating modes.
  */
 static void
-sta_authretry(struct ieee80211com *ic, struct ieee80211_node *ni, int reason)
+ieee80211_newstate_cb(struct ieee80211vap *vap, 
+	enum ieee80211_state nstate, int arg)
 {
-	switch (reason) {
-	case IEEE80211_STATUS_SUCCESS:
-	case IEEE80211_STATUS_TIMEOUT:
-	case IEEE80211_REASON_ASSOC_EXPIRE:
-	case IEEE80211_REASON_NOT_AUTHED:
-	case IEEE80211_REASON_NOT_ASSOCED:
-	case IEEE80211_REASON_ASSOC_LEAVE:
-	case IEEE80211_REASON_ASSOC_NOT_AUTHED:
-		IEEE80211_SEND_MGMT(ic, ni, IEEE80211_FC0_SUBTYPE_AUTH, 1);
-		break;
-	default:
-		ieee80211_scan_assoc_fail(ic, ic->ic_bss->ni_macaddr, reason);
-		if (ic->ic_roaming == IEEE80211_ROAMING_AUTO)
-			ieee80211_check_scan(ic,
-				IEEE80211_SCAN_ACTIVE,
-				IEEE80211_SCAN_FOREVER,
-				ic->ic_des_nssid, ic->ic_des_ssid);
-		break;
+	struct ieee80211com *ic = vap->iv_ic;
+
+	IEEE80211_LOCK_ASSERT(ic);
+
+	IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE,
+	    "%s: %s arg %d\n", __func__, ieee80211_state_name[nstate], arg);
+
+	if (nstate == IEEE80211_S_RUN) {
+		/*
+		 * OACTIVE may be set on the vap if the upper layer
+		 * tried to transmit (e.g. IPv6 NDP) before we reach
+		 * RUN state.  Clear it and restart xmit.
+		 *
+		 * Note this can also happen as a result of SLEEP->RUN
+		 * (i.e. coming out of power save mode).
+		 */
+		vap->iv_ifp->if_drv_flags &= ~IFF_DRV_OACTIVE;
+		if_start(vap->iv_ifp);
+
+		/* bring up any vaps waiting on us */
+		wakeupwaiting(vap);
+	} else if (nstate == IEEE80211_S_INIT) {
+		/*
+		 * Flush the scan cache if we did the last scan (XXX?)
+		 * and flush any frames on send queues from this vap.
+		 * Note the mgt q is used only for legacy drivers and
+		 * will go away shortly.
+		 */
+		ieee80211_scan_flush(vap);
+
+		/* XXX NB: cast for altq */
+		ieee80211_flush_ifq((struct ifqueue *)&ic->ic_ifp->if_snd, vap);
 	}
+	vap->iv_newstate_cb = NULL;
 }
 
+/*
+ * Public interface for initiating a state machine change.
+ * This routine single-threads the request and coordinates
+ * the scheduling of multiple vaps for the purpose of selecting
+ * an operating channel.  Specifically the following scenarios
+ * are handled:
+ * o only one vap can be selecting a channel so on transition to
+ *   SCAN state if another vap is already scanning then
+ *   mark the caller for later processing and return without
+ *   doing anything (XXX? expectations by caller of synchronous operation)
+ * o only one vap can be doing CAC of a channel so on transition to
+ *   CAC state if another vap is already scanning for radar then
+ *   mark the caller for later processing and return without
+ *   doing anything (XXX? expectations by caller of synchronous operation)
+ * o if another vap is already running when a request is made
+ *   to SCAN then an operating channel has been chosen; bypass
+ *   the scan and just join the channel
+ *
+ * Note that the state change call is done through the iv_newstate
+ * method pointer so any driver routine gets invoked.  The driver
+ * will normally call back into operating mode-specific
+ * ieee80211_newstate routines (below) unless it needs to completely
+ * bypass the state machine (e.g. because the firmware has it's
+ * own idea how things should work).  Bypassing the net80211 layer
+ * is usually a mistake and indicates lack of proper integration
+ * with the net80211 layer.
+ */
 static int
-ieee80211_newstate(struct ieee80211com *ic, enum ieee80211_state nstate, int arg)
+ieee80211_new_state_locked(struct ieee80211vap *vap,
+	enum ieee80211_state nstate, int arg)
 {
-	struct ifnet *ifp = ic->ic_ifp;
-	struct ieee80211_node *ni;
+	struct ieee80211com *ic = vap->iv_ic;
+	struct ieee80211vap *vp;
 	enum ieee80211_state ostate;
-
-	ostate = ic->ic_state;
-	IEEE80211_DPRINTF(ic, IEEE80211_MSG_STATE, "%s: %s -> %s\n", __func__,
-		ieee80211_state_name[ostate], ieee80211_state_name[nstate]);
-	ic->ic_state = nstate;			/* state transition */
-	callout_stop(&ic->ic_mgtsend);		/* XXX callout_drain */
-	if (ostate != IEEE80211_S_SCAN)
-		ieee80211_cancel_scan(ic);	/* background scan */
-	ni = ic->ic_bss;			/* NB: no reference held */
-	if (ic->ic_flags_ext & IEEE80211_FEXT_SWBMISS)
-		callout_stop(&ic->ic_swbmiss);
-	switch (nstate) {
-	case IEEE80211_S_INIT:
-		switch (ostate) {
-		case IEEE80211_S_INIT:
-			break;
-		case IEEE80211_S_RUN:
-			switch (ic->ic_opmode) {
-			case IEEE80211_M_STA:
-				IEEE80211_SEND_MGMT(ic, ni,
-				    IEEE80211_FC0_SUBTYPE_DISASSOC,
-				    IEEE80211_REASON_ASSOC_LEAVE);
-				ieee80211_sta_leave(ic, ni);
-				break;
-			case IEEE80211_M_HOSTAP:
-				ieee80211_iterate_nodes(&ic->ic_sta,
-					sta_disassoc, ic);
-				break;
-			default:
-				break;
-			}
-			break;
-		case IEEE80211_S_ASSOC:
-			switch (ic->ic_opmode) {
-			case IEEE80211_M_STA:
-				IEEE80211_SEND_MGMT(ic, ni,
-				    IEEE80211_FC0_SUBTYPE_DEAUTH,
-				    IEEE80211_REASON_AUTH_LEAVE);
-				break;
-			case IEEE80211_M_HOSTAP:
-				ieee80211_iterate_nodes(&ic->ic_sta,
-					sta_deauth, ic);
-				break;
-			default:
-				break;
-			}
-			break;
-		case IEEE80211_S_SCAN:
-			ieee80211_cancel_scan(ic);
-			break;
-		case IEEE80211_S_AUTH:
-			break;
-		default:
-			break;
+	int nrunning, nscanning, rc;
+
+	IEEE80211_LOCK_ASSERT(ic);
+
+	nrunning = nscanning = 0;
+	/* XXX can track this state instead of calculating */
+	TAILQ_FOREACH(vp, &ic->ic_vaps, iv_next) {
+		if (vp != vap) {
+			if (vp->iv_state >= IEEE80211_S_RUN)
+				nrunning++;
+			/* XXX doesn't handle bg scan */
+			/* NB: CAC+AUTH+ASSOC treated like SCAN */
+			else if (vp->iv_state > IEEE80211_S_INIT)
+				nscanning++;
 		}
-		if (ostate != IEEE80211_S_INIT) {
-			/* NB: optimize INIT -> INIT case */
-			ieee80211_drain_ifq(&ic->ic_mgtq);
-			ieee80211_reset_bss(ic);
-			ieee80211_scan_flush(ic);
-		}
-		if (ic->ic_auth->ia_detach != NULL)
-			ic->ic_auth->ia_detach(ic);
-		break;
+	}
+	ostate = vap->iv_state;
+	IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE,
+	    "%s: %s -> %s (nrunning %d nscanning %d)\n", __func__,
+	    ieee80211_state_name[ostate], ieee80211_state_name[nstate],
+	    nrunning, nscanning);
+	switch (nstate) {
 	case IEEE80211_S_SCAN:
-		switch (ostate) {
-		case IEEE80211_S_INIT:
-		createibss:
-			if ((ic->ic_opmode == IEEE80211_M_HOSTAP ||
-			     ic->ic_opmode == IEEE80211_M_IBSS ||
-			     ic->ic_opmode == IEEE80211_M_AHDEMO) &&
-			    ic->ic_des_chan != IEEE80211_CHAN_ANYC) {
-				/*
-				 * Already have a channel; bypass the
-				 * scan and startup immediately.  Because
-				 * of this explicitly sync the scanner state.
-				 */
-				ieee80211_scan_update(ic);
-				ieee80211_create_ibss(ic, ic->ic_des_chan);
-			} else {
-				ieee80211_check_scan(ic,
-					IEEE80211_SCAN_ACTIVE |
-					IEEE80211_SCAN_FLUSH,
-					IEEE80211_SCAN_FOREVER,
-					ic->ic_des_nssid, ic->ic_des_ssid);
-			}
-			break;
-		case IEEE80211_S_SCAN:
-		case IEEE80211_S_AUTH:
-		case IEEE80211_S_ASSOC:
+		if (ostate == IEEE80211_S_INIT) {
 			/*
-			 * These can happen either because of a timeout
-			 * on an assoc/auth response or because of a
-			 * change in state that requires a reset.  For
-			 * the former we're called with a non-zero arg
-			 * that is the cause for the failure; pass this
-			 * to the scan code so it can update state.
-			 * Otherwise trigger a new scan unless we're in
-			 * manual roaming mode in which case an application
-			 * must issue an explicit scan request.
+			 * INIT -> SCAN happens on initial bringup.
 			 */
-			if (arg != 0)
-				ieee80211_scan_assoc_fail(ic,
-					ic->ic_bss->ni_macaddr, arg);
-			if (ic->ic_roaming == IEEE80211_ROAMING_AUTO)
-				ieee80211_check_scan(ic,
-					IEEE80211_SCAN_ACTIVE,
-					IEEE80211_SCAN_FOREVER,
-					ic->ic_des_nssid, ic->ic_des_ssid);
-			break;
-		case IEEE80211_S_RUN:		/* beacon miss */
-			if (ic->ic_opmode == IEEE80211_M_STA) {
-				ieee80211_sta_leave(ic, ni);
-				ic->ic_flags &= ~IEEE80211_F_SIBSS;	/* XXX */
-				if (ic->ic_roaming == IEEE80211_ROAMING_AUTO)
-					ieee80211_check_scan(ic,
-						IEEE80211_SCAN_ACTIVE,
-						IEEE80211_SCAN_FOREVER,
-						ic->ic_des_nssid,
-						ic->ic_des_ssid);
-			} else {
-				ieee80211_iterate_nodes(&ic->ic_sta,
-					sta_disassoc, ic);
-				goto createibss;
-			}
-			break;
-		default:
-			break;
-		}
-		break;
-	case IEEE80211_S_AUTH:
-		KASSERT(ic->ic_opmode == IEEE80211_M_STA,
-			("switch to %s state when operating in mode %u",
-			 ieee80211_state_name[nstate], ic->ic_opmode));
-		switch (ostate) {
-		case IEEE80211_S_INIT:
-		case IEEE80211_S_SCAN:
-			IEEE80211_SEND_MGMT(ic, ni,
-			    IEEE80211_FC0_SUBTYPE_AUTH, 1);
-			break;
-		case IEEE80211_S_AUTH:
-		case IEEE80211_S_ASSOC:
-			switch (arg & 0xff) {
-			case IEEE80211_FC0_SUBTYPE_AUTH:
-				/* ??? */
-				IEEE80211_SEND_MGMT(ic, ni,
-				    IEEE80211_FC0_SUBTYPE_AUTH, 2);
-				break;
-			case IEEE80211_FC0_SUBTYPE_DEAUTH:
-				sta_authretry(ic, ni, arg>>8);
-				break;
-			}
-			break;
-		case IEEE80211_S_RUN:
-			switch (arg & 0xff) {
-			case IEEE80211_FC0_SUBTYPE_AUTH:
-				IEEE80211_SEND_MGMT(ic, ni,
-				    IEEE80211_FC0_SUBTYPE_AUTH, 2);
-				ic->ic_state = ostate;	/* stay RUN */
-				break;
-			case IEEE80211_FC0_SUBTYPE_DEAUTH:
-				ieee80211_sta_leave(ic, ni);
-				if (ic->ic_roaming == IEEE80211_ROAMING_AUTO) {
-					/* try to reauth */
-					IEEE80211_SEND_MGMT(ic, ni,
-					    IEEE80211_FC0_SUBTYPE_AUTH, 1);
-				}
-				break;
-			}
-			break;
-		default:
-			break;
-		}
-		break;
-	case IEEE80211_S_ASSOC:
-		KASSERT(ic->ic_opmode == IEEE80211_M_STA,
-			("switch to %s state when operating in mode %u",
-			 ieee80211_state_name[nstate], ic->ic_opmode));
-		switch (ostate) {
-		case IEEE80211_S_INIT:
-		case IEEE80211_S_SCAN:
-			IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY,
-				"%s: invalid transition\n", __func__);
-			break;
-		case IEEE80211_S_AUTH:
-		case IEEE80211_S_ASSOC:
-			IEEE80211_SEND_MGMT(ic, ni,
-			    IEEE80211_FC0_SUBTYPE_ASSOC_REQ, 0);
-			break;
-		case IEEE80211_S_RUN:
-			ieee80211_sta_leave(ic, ni);
-			if (ic->ic_roaming == IEEE80211_ROAMING_AUTO) {
-				IEEE80211_SEND_MGMT(ic, ni, arg ?
-				    IEEE80211_FC0_SUBTYPE_REASSOC_REQ :
-				    IEEE80211_FC0_SUBTYPE_ASSOC_REQ, 0);
-			}
-			break;
-		default:
-			break;
-		}
-		break;
-	case IEEE80211_S_RUN:
-		if (ic->ic_flags & IEEE80211_F_WPA) {
-			/* XXX validate prerequisites */
-		}
-		switch (ostate) {
-		case IEEE80211_S_INIT:
-			if (ic->ic_opmode == IEEE80211_M_MONITOR ||
-			    ic->ic_opmode == IEEE80211_M_WDS ||
-			    ic->ic_opmode == IEEE80211_M_HOSTAP) {
+			KASSERT(!(nscanning && nrunning),
+			    ("%d scanning and %d running", nscanning, nrunning));
+			if (nscanning) {
 				/*
-				 * Already have a channel; bypass the
-				 * scan and startup immediately.  Because
-				 * of this explicitly sync the scanner state.
+				 * Someone is scanning, defer our state
+				 * change until the work has completed.
 				 */
-				ieee80211_scan_update(ic);
-				ieee80211_create_ibss(ic,
-				    ieee80211_ht_adjust_channel(ic,
-					ic->ic_curchan, ic->ic_flags_ext));
-				break;
+				IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE,
+				    "%s: defer %s -> %s\n",
+				    __func__, ieee80211_state_name[ostate],
+				    ieee80211_state_name[nstate]);
+				vap->iv_flags_ext |= IEEE80211_FEXT_SCANWAIT;
+				rc = 0;
+				goto done;
 			}
-			/* fall thru... */
-		case IEEE80211_S_AUTH:
-			IEEE80211_DPRINTF(ic, IEEE80211_MSG_ANY,
-				"%s: invalid transition\n", __func__);
-			/* fall thru... */
-		case IEEE80211_S_RUN:
-			break;
-		case IEEE80211_S_SCAN:		/* adhoc/hostap mode */
-		case IEEE80211_S_ASSOC:		/* infra mode */
-			KASSERT(ni->ni_txrate < ni->ni_rates.rs_nrates,
-				("%s: bogus xmit rate %u setup\n", __func__,
-					ni->ni_txrate));
-#ifdef IEEE80211_DEBUG
-			if (ieee80211_msg_debug(ic)) {
-				if (ic->ic_opmode == IEEE80211_M_STA)
-					if_printf(ifp, "associated ");
+			if (nrunning) {
+				/*
+				 * Someone is operating; just join the channel
+				 * they have chosen.
+				 */
+				/* XXX kill arg? */
+				/* XXX check each opmode, adhoc? */
+				if (vap->iv_opmode == IEEE80211_M_STA)
+					nstate = IEEE80211_S_SCAN;
 				else
-					if_printf(ifp, "synchronized ");
-				printf("with %s ssid ",
-				    ether_sprintf(ni->ni_bssid));
-				ieee80211_print_essid(ic->ic_bss->ni_essid,
-				    ni->ni_esslen);
-				printf(" channel %d start %uMb\n",
-					ieee80211_chan2ieee(ic, ic->ic_curchan),
-					IEEE80211_RATE2MBS(ni->ni_rates.rs_rates[ni->ni_txrate]));
-			}
+					nstate = IEEE80211_S_RUN;
+#ifdef IEEE80211_DEBUG
+				if (nstate != IEEE80211_S_SCAN) {
+					IEEE80211_DPRINTF(vap,
+					    IEEE80211_MSG_STATE,
+					    "%s: override, now %s -> %s\n",
+					    __func__,
+					    ieee80211_state_name[ostate],
+					    ieee80211_state_name[nstate]);
+				}
 #endif
-			if (ic->ic_opmode == IEEE80211_M_STA) {
-				ieee80211_scan_assoc_success(ic,
-					ni->ni_macaddr);
-				ieee80211_notify_node_join(ic, ni, 
-					arg == IEEE80211_FC0_SUBTYPE_ASSOC_RESP);
 			}
-			if_start(ifp);		/* XXX not authorized yet */
-			break;
-		default:
-			break;
+		} else {
+			/*
+			 * SCAN was forced; e.g. on beacon miss.  Force
+			 * other running vap's to INIT state and mark
+			 * them as waiting for the scan to complete.  This
+			 * insures they don't interfere with our scanning.
+			 *
+			 * XXX not always right, assumes ap follows sta
+			 */
+			markwaiting(vap);
 		}
-		if (ostate != IEEE80211_S_RUN &&
-		    ic->ic_opmode == IEEE80211_M_STA &&
-		    (ic->ic_flags_ext & IEEE80211_FEXT_SWBMISS)) {
+		break;
+	case IEEE80211_S_RUN:
+		if (vap->iv_opmode == IEEE80211_M_WDS &&
+		    (vap->iv_flags_ext & IEEE80211_FEXT_WDSLEGACY) &&
+		    nscanning) {
 			/*
-			 * Start s/w beacon miss timer for devices w/o
-			 * hardware support.  We fudge a bit here since
-			 * we're doing this in software.
+			 * Legacy WDS with someone else scanning; don't
+			 * go online until that completes as we should
+			 * follow the other vap to the channel they choose.
 			 */
-			ic->ic_swbmiss_period = IEEE80211_TU_TO_TICKS(
-				2 * ic->ic_bmissthreshold * ni->ni_intval);
-			ic->ic_swbmiss_count = 0;
-			callout_reset(&ic->ic_swbmiss, ic->ic_swbmiss_period,
-				ieee80211_swbmiss, ic);
+			IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE,
+			     "%s: defer %s -> %s (legacy WDS)\n", __func__,
+			     ieee80211_state_name[ostate],
+			     ieee80211_state_name[nstate]);
+			vap->iv_flags_ext |= IEEE80211_FEXT_SCANWAIT;
+			rc = 0;
+			goto done;
 		}
-		/*
-		 * Start/stop the authenticator when operating as an
-		 * AP.  We delay until here to allow configuration to
-		 * happen out of order.
-		 */
-		if (ic->ic_opmode == IEEE80211_M_HOSTAP && /* XXX IBSS/AHDEMO */
-		    ic->ic_auth->ia_attach != NULL) {
-			/* XXX check failure */
-			ic->ic_auth->ia_attach(ic);
-		} else if (ic->ic_auth->ia_detach != NULL) {
-			ic->ic_auth->ia_detach(ic);
+		if (vap->iv_opmode == IEEE80211_M_HOSTAP &&
+		    IEEE80211_IS_CHAN_DFS(ic->ic_bsschan) &&
+		    (vap->iv_flags_ext & IEEE80211_FEXT_DFS) &&
+		    !IEEE80211_IS_CHAN_CACDONE(ic->ic_bsschan)) {
+			/*
+			 * This is a DFS channel, transition to CAC state
+			 * instead of RUN.  This allows us to initiate
+			 * Channel Availability Check (CAC) as specified
+			 * by 11h/DFS.
+			 */
+			nstate = IEEE80211_S_CAC;
+			IEEE80211_DPRINTF(vap, IEEE80211_MSG_STATE,
+			     "%s: override %s -> %s (DFS)\n", __func__,
+			     ieee80211_state_name[ostate],
+			     ieee80211_state_name[nstate]);
 		}
-		/*
-		 * When 802.1x is not in use mark the port authorized
-		 * at this point so traffic can flow.
-		 */
-		if (ni->ni_authmode != IEEE80211_AUTH_8021X)
-			ieee80211_node_authorize(ni);
-		/*
-		 * Enable inactivity processing.
-		 * XXX
-		 */
-		callout_reset(&ic->ic_inact, IEEE80211_INACT_WAIT*hz,
-			ieee80211_node_timeout, ic);
 		break;
+	case IEEE80211_S_INIT:
+		if (ostate == IEEE80211_S_INIT ) {
+			/* XXX don't believe this */
+			/* INIT -> INIT. nothing to do */
+			vap->iv_flags_ext &= ~IEEE80211_FEXT_SCANWAIT;
+		}
+		/* fall thru... */
 	default:
 		break;
 	}
-	return 0;
+	/* XXX on transition RUN->CAC do we need to set nstate = iv_state? */
+	if (ostate != nstate) {
+		/*
+		 * Arrange for work to happen after state change completes.
+		 * If this happens asynchronously the caller must arrange
+		 * for the com lock to be held.
+		 */
+		vap->iv_newstate_cb = ieee80211_newstate_cb;
+	}
+	rc = vap->iv_newstate(vap, nstate, arg);
+	if (rc == 0 && vap->iv_newstate_cb != NULL)
+		vap->iv_newstate_cb(vap, nstate, arg);
+done:
+	return rc;
+}
+
+int
+ieee80211_new_state(struct ieee80211vap *vap,
+	enum ieee80211_state nstate, int arg)
+{
+	struct ieee80211com *ic = vap->iv_ic;
+	int rc;
+
+	IEEE80211_LOCK(ic);
+	rc = ieee80211_new_state_locked(vap, nstate, arg);
+	IEEE80211_UNLOCK(ic);
+	return rc;
 }