Index: net80211/ieee80211_wireless.c
===================================================================
--- net80211/ieee80211_wireless.c	(revision 4020)
+++ net80211/ieee80211_wireless.c	(working copy)
@@ -1628,18 +1628,23 @@
 {
 	struct ieee80211vap *vap = netdev_priv(dev);
 	struct ieee80211com *ic = vap->iv_ic;
-	struct waplistreq req;		/* XXX off stack */
+	struct waplistreq *req = kmalloc(sizeof (struct waplistreq), GFP_KERNEL);
+	if (!req) {
+		return -ENOMEM;
+	}
 
-	req.vap = vap;
-	req.i = 0;
-	ieee80211_scan_iterate(ic, waplist_cb, &req);
+	req->vap = vap;
+	req->i = 0;
+	ieee80211_scan_iterate(ic, waplist_cb, req);
 
-	data->length = req.i;
-	memcpy(extra, &req.addr, req.i * sizeof(req.addr[0]));
+	data->length = req->i;
+	memcpy(extra, &req->addr, req->i * sizeof(req->addr[0]));
 	data->flags = 1;		/* signal quality present (sort of) */
-	memcpy(extra + req.i * sizeof(req.addr[0]), &req.qual,
-		req.i * sizeof(req.qual[0]));
+	memcpy(extra + req->i * sizeof(req->addr[0]), &req->qual,
+		req->i * sizeof(req->qual[0]));
 
+	kfree (req);
+
 	return 0;
 }
 
@@ -3930,11 +3935,11 @@
 	struct ieee80211vap *vap = netdev_priv(dev);
 	struct ieee80211com *ic = vap->iv_ic;
 	struct ieee80211req_chaninfo *chans;
-	u_int8_t reported[IEEE80211_CHAN_BYTES];	/* XXX stack usage? */
+	u_int8_t *reported = kzalloc(IEEE80211_CHAN_BYTES, GFP_KERNEL);
 	int i;
 
 	chans = kzalloc(sizeof(*chans), GFP_KERNEL);
-	if (!chans)
+	if (!reported || !chans)
 		return -ENOMEM;
 
 	memset(&reported, 0, sizeof(reported));
@@ -3967,6 +3972,7 @@
 		}
 	}
 	memcpy(extra, chans, sizeof(struct ieee80211req_chaninfo));
+	kfree(reported);
 	kfree(chans);
 	return 0;
 }
Index: net80211/ieee80211_skb.c
===================================================================
--- net80211/ieee80211_skb.c	(revision 4020)
+++ net80211/ieee80211_skb.c	(working copy)
@@ -105,7 +105,11 @@
 {
 	va_list args;
 	char skb_count[32] = { '\0' };
-	char expanded_message[1024] = { '\0' };
+	char *expanded_message = kmalloc(1024, GFP_KERNEL);
+	if (!expanded_message) {
+		return;
+	}
+
 	if (show_counter) {
 #ifdef IEEE80211_DEBUG_REFCNT
 		snprintf(skb_count, 
@@ -122,12 +126,13 @@
 
 	}
 	va_start(args, message);
-	vsnprintf(expanded_message, sizeof(expanded_message), message, args);
+	vsnprintf(expanded_message, 1024, message, args);
 	printk(KERN_DEBUG "%s: %s%s:%d %s\n",
 		((skb != NULL) ? DEV_NAME(skb->dev) : "none"),
 		skb_count, 
 		func, line,
 		expanded_message);
+	kfree(expanded_message);
 	va_end(args);
 }
 
Index: net80211/ieee80211_linux.c
===================================================================
--- net80211/ieee80211_linux.c	(revision 4020)
+++ net80211/ieee80211_linux.c	(working copy)
@@ -288,9 +288,11 @@
 	static const char *tag = "STA-TRAFFIC-STAT";
 	struct net_device *dev = vap->iv_dev;
 	union iwreq_data wreq;
-	char buf[1024];
-
-	snprintf(buf, sizeof(buf), "%s\nmac=" MAC_FMT "\nrx_packets=%u\nrx_bytes=%llu\n"
+	char *buf = kmalloc(1024, GFP_KERNEL);
+	if (!buf) {
+		return;
+	}
+	snprintf(buf, 1024, "%s\nmac=" MAC_FMT "\nrx_packets=%u\nrx_bytes=%llu\n"
 			"tx_packets=%u\ntx_bytes=%llu\n", tag,
 			MAC_ADDR(ni->ni_macaddr), ni->ni_stats.ns_rx_data,
 			(unsigned long long)ni->ni_stats.ns_rx_bytes,
@@ -299,6 +301,7 @@
 	memset(&wreq, 0, sizeof(wreq));
 	wreq.data.length = strlen(buf);
 	wireless_send_event(dev, IWEVCUSTOM, &wreq, buf);
+	kfree(buf);
 }
 
 void