--- /dev/null
+--- a/net80211/ieee80211_proto.c
++++ b/net80211/ieee80211_proto.c
+@@ -1406,7 +1406,8 @@ __ieee80211_newstate(struct ieee80211vap
+ vap->iv_state = nstate; /* state transition */
+ del_timer(&vap->iv_mgtsend);
+ if ((vap->iv_opmode != IEEE80211_M_HOSTAP) &&
+- (ostate != IEEE80211_S_SCAN))
++ (ostate != IEEE80211_S_SCAN) &&
++ !(vap->iv_flags_ext & IEEE80211_FEXT_SCAN_PENDING))
+ ieee80211_cancel_scan(vap); /* background scan */
+ ni = vap->iv_bss; /* NB: no reference held */
+ switch (nstate) {
+@@ -1448,7 +1449,8 @@ __ieee80211_newstate(struct ieee80211vap
+ }
+ goto reset;
+ case IEEE80211_S_SCAN:
+- ieee80211_cancel_scan(vap);
++ if (!(vap->iv_flags_ext & IEEE80211_FEXT_SCAN_PENDING))
++ ieee80211_cancel_scan(vap);
+ goto reset;
+ reset:
+ ieee80211_reset_bss(vap);
+@@ -1985,7 +1987,9 @@ ieee80211_newstate(struct ieee80211vap *
+ }
+ }
+ }
+- } else if (dstate == IEEE80211_S_SCAN) {
++ } else if ((dstate == IEEE80211_S_SCAN) ||
++ (dstate == IEEE80211_S_AUTH) ||
++ (dstate == IEEE80211_S_ASSOC)) {
+ /* Force to scan pending... someone is scanning */
+ vap->iv_flags_ext |= IEEE80211_FEXT_SCAN_PENDING;
+ __ieee80211_newstate(vap, IEEE80211_S_INIT, arg);
+--- a/net80211/ieee80211_output.c
++++ b/net80211/ieee80211_output.c
+@@ -238,7 +238,9 @@ ieee80211_hardstart(struct sk_buff *skb,
+ }
+
+ /* Cancel any running BG scan */
+- if (!(ic->ic_flags_ext & IEEE80211_FEXT_BGSCAN_THR) && (vap->iv_state == IEEE80211_S_RUN))
++ if (!(ic->ic_flags_ext & IEEE80211_FEXT_BGSCAN_THR) &&
++ (vap->iv_state == IEEE80211_S_RUN) &&
++ (ic->ic_flags_ext & IEEE80211_FEXT_BGSCAN))
+ ieee80211_cancel_scan(vap);
+
+ /*
+--- a/net80211/ieee80211_wireless.c
++++ b/net80211/ieee80211_wireless.c
+@@ -2728,9 +2728,9 @@ ieee80211_ioctl_setparam(struct net_devi
+ return -EINVAL;
+ vap->iv_flags |= IEEE80211_F_BGSCAN;
+ } else {
+- /* XXX racey? */
++ if (ic->ic_flags_ext & IEEE80211_FEXT_BGSCAN)
++ ieee80211_cancel_scan(vap); /* anything current */
+ vap->iv_flags &= ~IEEE80211_F_BGSCAN;
+- ieee80211_cancel_scan(vap); /* anything current */
+ }
+ break;
+ case IEEE80211_PARAM_BGSCAN_IDLE: