--- wpasupplicant-0.7.3.orig/src/drivers/driver_wext.c
+++ wpasupplicant-0.7.3/src/drivers/driver_wext.c
@@ -733,6 +733,8 @@ void * wpa_driver_wext_init(void *ctx, c
 
 	drv->mlme_sock = -1;
 
+	drv->scans = 0;
+
 	if (wpa_driver_wext_finish_drv_init(drv) < 0)
 		goto err3;
 
@@ -916,10 +918,13 @@ int wpa_driver_wext_scan(void *priv, str
 static u8 * wpa_driver_wext_giwscan(struct wpa_driver_wext_data *drv,
 				    size_t *len)
 {
+	struct wpa_driver_scan_params params;
 	struct iwreq iwr;
 	u8 *res_buf;
 	size_t res_buf_len;
 
+	drv->scans++;
+
 	res_buf_len = IW_SCAN_MAX_DATA;
 	for (;;) {
 		res_buf = os_malloc(res_buf_len);
@@ -942,6 +947,15 @@ static u8 * wpa_driver_wext_giwscan(stru
 			wpa_printf(MSG_DEBUG, "Scan results did not fit - "
 				   "trying larger buffer (%lu bytes)",
 				   (unsigned long) res_buf_len);
+		} if (errno == EINVAL && drv->scans == 1) {
+			/*
+			 * Broadcom's wl driver is buggy and the first scan
+			 * after ifup always fail with EINVAL. Rerun the
+			 * scan to get scan results.
+			 */
+			os_memset(&params, 0, sizeof(params));
+			wpa_driver_wext_scan(drv, &params);
+			return NULL;
 		} else {
 			perror("ioctl[SIOCGIWSCAN]");
 			os_free(res_buf);
--- wpasupplicant-0.7.3.orig/src/drivers/driver_wext.h
+++ wpasupplicant-0.7.3/src/drivers/driver_wext.h
@@ -42,6 +42,7 @@ struct wpa_driver_wext_data {
 
 	char mlmedev[IFNAMSIZ + 1];
 
+	int scans;
 	int scan_complete_events;
 
 	int cfg80211; /* whether driver is using cfg80211 */