Index: sys/net80211/ieee80211_ddb.c
===================================================================
--- sys/net80211/ieee80211_ddb.c
+++ sys/net80211/ieee80211_ddb.c
@@ -233,9 +233,8 @@
 	db_printf("\tvap %p wdsvap %p ic %p table %p\n",
 		ni->ni_vap, ni->ni_wdsvap, ni->ni_ic, ni->ni_table);
 	db_printf("\tflags=%b\n", ni->ni_flags, IEEE80211_NODE_BITS);
-	db_printf("\tscangen %u authmode %u ath_flags 0x%x ath_defkeyix %u\n",
-		ni->ni_scangen, ni->ni_authmode,
-		ni->ni_ath_flags, ni->ni_ath_defkeyix);
+	db_printf("\tauthmode %u ath_flags 0x%x ath_defkeyix %u\n",
+		ni->ni_authmode, ni->ni_ath_flags, ni->ni_ath_defkeyix);
 	db_printf("\tassocid 0x%x txpower %u vlan %u\n",
 		ni->ni_associd, ni->ni_txpower, ni->ni_vlan);
 	db_printf("\tjointime %d (%lu secs) challenge %p\n",
@@ -688,8 +687,6 @@
 	db_printf("%s%s@%p:\n", tag, nt->nt_name, nt);
 	db_printf("%s nodelock %p", tag, &nt->nt_nodelock);
 	db_printf(" inact_init %d", nt->nt_inact_init);
-	db_printf(" scanlock %p", &nt->nt_scanlock);
-	db_printf(" scangen %u\n", nt->nt_scangen);
 	db_printf("%s keyixmax %d keyixmap %p\n",
 	    tag, nt->nt_keyixmax, nt->nt_keyixmap);
 	for (i = 0; i < nt->nt_keyixmax; i++) {
Index: sys/net80211/ieee80211_freebsd.h
===================================================================
--- sys/net80211/ieee80211_freebsd.h
+++ sys/net80211/ieee80211_freebsd.h
@@ -107,28 +107,6 @@
 	mtx_assert(IEEE80211_NODE_LOCK_OBJ(_nt), MA_OWNED)
 
 /*
- * Node table iteration locking definitions; this protects the
- * scan generation # used to iterate over the station table
- * while grabbing+releasing the node lock.
- */
-typedef struct {
-	char		name[16];		/* e.g. "ath0_scan_lock" */
-	struct mtx	mtx;
-} ieee80211_scan_lock_t;
-#define	IEEE80211_NODE_ITERATE_LOCK_INIT(_nt, _name) do {		\
-	ieee80211_scan_lock_t *sl = &(_nt)->nt_scanlock;		\
-	snprintf(sl->name, sizeof(sl->name), "%s_scan_lock", _name);	\
-	mtx_init(&sl->mtx, sl->name, NULL, MTX_DEF);			\
-} while (0)
-#define	IEEE80211_NODE_ITERATE_LOCK_OBJ(_nt)	(&(_nt)->nt_scanlock.mtx)
-#define	IEEE80211_NODE_ITERATE_LOCK_DESTROY(_nt) \
-	mtx_destroy(IEEE80211_NODE_ITERATE_LOCK_OBJ(_nt))
-#define	IEEE80211_NODE_ITERATE_LOCK(_nt) \
-	mtx_lock(IEEE80211_NODE_ITERATE_LOCK_OBJ(_nt))
-#define	IEEE80211_NODE_ITERATE_UNLOCK(_nt) \
-	mtx_unlock(IEEE80211_NODE_ITERATE_LOCK_OBJ(_nt))
-
-/*
  * Power-save queue definitions. 
  */
 typedef struct mtx ieee80211_psq_lock_t;
Index: sys/net80211/ieee80211_node.h
===================================================================
--- sys/net80211/ieee80211_node.h
+++ sys/net80211/ieee80211_node.h
@@ -115,7 +115,6 @@
 	TAILQ_ENTRY(ieee80211_node) ni_list;	/* list of all nodes */
 	LIST_ENTRY(ieee80211_node) ni_hash;	/* hash collision list */
 	u_int			ni_refcnt;	/* count of held references */
-	u_int			ni_scangen;	/* gen# for timeout scan */
 	u_int			ni_flags;
 #define	IEEE80211_NODE_AUTH	0x000001	/* authorized for data */
 #define	IEEE80211_NODE_QOS	0x000002	/* QoS enabled */
@@ -137,6 +136,7 @@
 #define	IEEE80211_NODE_ASSOCID	0x020000	/* xmit requires associd */
 #define	IEEE80211_NODE_AMSDU_RX	0x040000	/* AMSDU rx enabled */
 #define	IEEE80211_NODE_AMSDU_TX	0x080000	/* AMSDU tx enabled */
+#define	IEEE80211_NODE_SCANNED	0x100000	/* checked by timeout scan */
 	uint16_t		ni_associd;	/* association ID */
 	uint16_t		ni_vlan;	/* vlan tag */
 	uint16_t		ni_txpower;	/* current transmit power */
@@ -360,8 +360,6 @@
 	struct ieee80211_node	**nt_keyixmap;	/* key ix -> node map */
 	int			nt_keyixmax;	/* keyixmap size */
 	const char		*nt_name;	/* table name for debug msgs */
-	ieee80211_scan_lock_t	nt_scanlock;	/* on nt_scangen */
-	u_int			nt_scangen;	/* gen# for iterators */
 	int			nt_inact_init;	/* initial node inact setting */
 };
 
Index: sys/net80211/ieee80211_node.c
===================================================================
--- sys/net80211/ieee80211_node.c
+++ sys/net80211/ieee80211_node.c
@@ -1922,10 +1922,8 @@
 
 	nt->nt_ic = ic;
 	IEEE80211_NODE_LOCK_INIT(nt, ic->ic_name);
-	IEEE80211_NODE_ITERATE_LOCK_INIT(nt, ic->ic_name);
 	TAILQ_INIT(&nt->nt_node);
 	nt->nt_name = name;
-	nt->nt_scangen = 1;
 	nt->nt_inact_init = inact;
 	nt->nt_keyixmax = keyixmax;
 	if (nt->nt_keyixmax > 0) {
@@ -1994,7 +1992,6 @@
 		IEEE80211_FREE(nt->nt_keyixmap, M_80211_NODE);
 		nt->nt_keyixmap = NULL;
 	}
-	IEEE80211_NODE_ITERATE_LOCK_DESTROY(nt);
 	IEEE80211_NODE_LOCK_DESTROY(nt);
 }
 
@@ -2002,8 +1999,8 @@
  * Timeout inactive stations and do related housekeeping.
  * Note that we cannot hold the node lock while sending a
  * frame as this would lead to a LOR.  Instead we use a
- * generation number to mark nodes that we've scanned and
- * drop the lock and restart a scan if we have to time out
+ * flag to mark nodes that we've scanned and drop the lock
+ * and restart a scan if we have to time out
  * a node.  Since we are single-threaded by virtue of
  * controlling the inactivity timer we can be sure this will
  * process each node only once.
@@ -2014,16 +2011,14 @@
 	struct ieee80211_node_table *nt = &ic->ic_sta;
 	struct ieee80211vap *vap;
 	struct ieee80211_node *ni;
-	int gen = 0;
 
-	IEEE80211_NODE_ITERATE_LOCK(nt);
-	gen = ++nt->nt_scangen;
 restart:
 	IEEE80211_NODE_LOCK(nt);
 	TAILQ_FOREACH(ni, &nt->nt_node, ni_list) {
-		if (ni->ni_scangen == gen)	/* previously handled */
+		/* Check if this node was previously handled. */
+		if (ni->ni_flags & IEEE80211_NODE_SCANNED)
 			continue;
-		ni->ni_scangen = gen;
+		ni->ni_flags |= IEEE80211_NODE_SCANNED;
 		/*
 		 * Ignore entries for which have yet to receive an
 		 * authentication frame.  These are transient and
@@ -2144,9 +2139,11 @@
 			goto restart;
 		}
 	}
-	IEEE80211_NODE_UNLOCK(nt);
 
-	IEEE80211_NODE_ITERATE_UNLOCK(nt);
+	/* Remove temporary flag. */
+	TAILQ_FOREACH(ni, &nt->nt_node, ni_list)
+		ni->ni_flags &= ~IEEE80211_NODE_SCANNED;
+	IEEE80211_NODE_UNLOCK(nt);
 }
 
 /*
@@ -2247,23 +2244,12 @@
 ieee80211_iterate_nt(struct ieee80211_node_table *nt,
     struct ieee80211_node **ni_arr, uint16_t max_aid)
 {
-	u_int gen;
 	int i, j, ret;
 	struct ieee80211_node *ni;
 
-	IEEE80211_NODE_ITERATE_LOCK(nt);
 	IEEE80211_NODE_LOCK(nt);
 
-	gen = ++nt->nt_scangen;
 	i = ret = 0;
-
-	/*
-	 * We simply assume here that since the node
-	 * scan generation doesn't change (as
-	 * we are holding both the node table and
-	 * node table iteration locks), we can simply
-	 * assign it to the node here.
-	 */
 	TAILQ_FOREACH(ni, &nt->nt_node, ni_list) {
 		if (i >= max_aid) {
 			ret = E2BIG;
@@ -2272,7 +2258,6 @@
 			break;
 		}
 		ni_arr[i] = ieee80211_ref_node(ni);
-		ni_arr[i]->ni_scangen = gen;
 		i++;
 	}
 
@@ -2287,7 +2272,6 @@
 	 * ieee80211_free_node().
 	 */
 	IEEE80211_NODE_UNLOCK(nt);
-	IEEE80211_NODE_ITERATE_UNLOCK(nt);
 
 	/*
 	 * If ret is non-zero, we hit some kind of error.
@@ -2362,8 +2346,8 @@
 {
 	printf("0x%p: mac %s refcnt %d\n", ni,
 		ether_sprintf(ni->ni_macaddr), ieee80211_node_refcnt(ni));
-	printf("\tscangen %u authmode %u flags 0x%x\n",
-		ni->ni_scangen, ni->ni_authmode, ni->ni_flags);
+	printf("\tauthmode %u flags 0x%x\n",
+		ni->ni_authmode, ni->ni_flags);
 	printf("\tassocid 0x%x txpower %u vlan %u\n",
 		ni->ni_associd, ni->ni_txpower, ni->ni_vlan);
 	printf("\ttxseq %u rxseq %u fragno %u rxfragstamp %u\n",