--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -1506,13 +1506,6 @@ static void handle_assoc_cb(struct hosta
 	int new_assoc = 1;
 	struct ieee80211_ht_capabilities ht_cap;
 
-	if (!ok) {
-		hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
-			       HOSTAPD_LEVEL_DEBUG,
-			       "did not acknowledge association response");
-		return;
-	}
-
 	if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_resp) :
 				      sizeof(mgmt->u.assoc_resp))) {
 		printf("handle_assoc_cb(reassoc=%d) - too short payload "
@@ -1520,11 +1513,6 @@ static void handle_assoc_cb(struct hosta
 		return;
 	}
 
-	if (reassoc)
-		status = le_to_host16(mgmt->u.reassoc_resp.status_code);
-	else
-		status = le_to_host16(mgmt->u.assoc_resp.status_code);
-
 	sta = ap_get_sta(hapd, mgmt->da);
 	if (!sta) {
 		printf("handle_assoc_cb: STA " MACSTR " not found\n",
@@ -1532,6 +1520,19 @@ static void handle_assoc_cb(struct hosta
 		return;
 	}
 
+	if (!ok) {
+		hostapd_logger(hapd, mgmt->da, HOSTAPD_MODULE_IEEE80211,
+			       HOSTAPD_LEVEL_DEBUG,
+			       "did not acknowledge association response");
+		sta->flags &= ~WLAN_STA_ASSOC_REQ_OK;
+		return;
+	}
+
+	if (reassoc)
+		status = le_to_host16(mgmt->u.reassoc_resp.status_code);
+	else
+		status = le_to_host16(mgmt->u.assoc_resp.status_code);
+
 	if (status != WLAN_STATUS_SUCCESS)
 		goto fail;
 
@@ -1830,6 +1831,9 @@ void ieee802_11_rx_from_unknown(struct h
 
 	sta = ap_get_sta(hapd, src);
 	if (sta && (sta->flags & WLAN_STA_ASSOC)) {
+		if (!hapd->conf->wds_sta)
+			return;
+
 		if (wds && !(sta->flags & WLAN_STA_WDS)) {
 			wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for "
 				   "STA " MACSTR " (aid %u)",
--- a/src/drivers/driver_nl80211.c
+++ b/src/drivers/driver_nl80211.c
@@ -2661,10 +2661,10 @@ static int wpa_driver_nl80211_capa(struc
 	drv->data_tx_status = info.data_tx_status;
 
 	/*
-	 * If poll command is supported mac80211 is new enough to
-	 * have everything we need to not need monitor interfaces.
+	 * If poll command and tx status are supported, mac80211 is new enough
+	 * to have everything we need to not need monitor interfaces.
 	 */
-	drv->use_monitor = !info.poll_command_supported;
+	drv->use_monitor = !info.poll_command_supported || !info.data_tx_status;
 
 	if (drv->device_ap_sme && drv->use_monitor) {
 		/*
@@ -6392,8 +6392,8 @@ static int wpa_driver_nl80211_hapd_send_
 	pos = (u8 *) (hdr + 1);
 
 	if (qos) {
-		/* add an empty QoS header if needed */
-		pos[0] = 0;
+		/* Set highest priority in QoS header */
+		pos[0] = 7;
 		pos[1] = 0;
 		pos += 2;
 	}
@@ -7698,6 +7698,10 @@ static int i802_set_wds_sta(void *priv, 
 		}
 		return i802_set_sta_vlan(priv, addr, name, 0);
 	} else {
+		if (bridge_ifname)
+			linux_br_del_if(drv->global->ioctl_sock, bridge_ifname,
+					name);
+
 		i802_set_sta_vlan(priv, addr, bss->ifname, 0);
 		return wpa_driver_nl80211_if_remove(priv, WPA_IF_AP_VLAN,
 						    name);
@@ -8065,7 +8069,12 @@ static int wpa_driver_nl80211_if_remove(
 	if (ifindex <= 0)
 		return -1;
 
+	nl80211_remove_iface(drv, ifindex);
+
 #ifdef HOSTAPD
+	if (type != WPA_IF_AP_BSS)
+		return 0;
+
 	if (bss->added_if_into_bridge) {
 		if (linux_br_del_if(drv->global->ioctl_sock, bss->brname,
 				    bss->ifname) < 0)
@@ -8079,13 +8088,6 @@ static int wpa_driver_nl80211_if_remove(
 				   "bridge %s: %s",
 				   bss->brname, strerror(errno));
 	}
-#endif /* HOSTAPD */
-
-	nl80211_remove_iface(drv, ifindex);
-
-#ifdef HOSTAPD
-	if (type != WPA_IF_AP_BSS)
-		return 0;
 
 	if (bss != &drv->first_bss) {
 		struct i802_bss *tbss;
--- a/src/ap/drv_callbacks.c
+++ b/src/ap/drv_callbacks.c
@@ -672,12 +672,15 @@ static void hostapd_event_eapol_rx(struc
 				   const u8 *data, size_t data_len)
 {
 	struct hostapd_iface *iface = hapd->iface;
+	struct sta_info *sta;
 	size_t j;
 
 	for (j = 0; j < iface->num_bss; j++) {
-		if (ap_get_sta(iface->bss[j], src)) {
-			hapd = iface->bss[j];
-			break;
+		if ((sta = ap_get_sta(iface->bss[j], src))) {
+			if (sta->flags & WLAN_STA_ASSOC) {
+				hapd = iface->bss[j];
+				break;
+			}
 		}
 	}
 
--- a/src/eap_peer/eap.c
+++ b/src/eap_peer/eap.c
@@ -348,6 +348,7 @@ SM_STATE(EAP, METHOD)
 {
 	struct wpabuf *eapReqData;
 	struct eap_method_ret ret;
+	int min_len = 1;
 
 	SM_ENTRY(EAP, METHOD);
 	if (sm->m == NULL) {
@@ -356,7 +357,9 @@ SM_STATE(EAP, METHOD)
 	}
 
 	eapReqData = eapol_get_eapReqData(sm);
-	if (!eap_hdr_len_valid(eapReqData, 1))
+	if (sm->m->vendor == EAP_VENDOR_IETF && sm->m->method == EAP_TYPE_LEAP)
+		min_len = 0; /* LEAP uses EAP-Success without payload */
+	if (!eap_hdr_len_valid(eapReqData, min_len))
 		return;
 
 	/*