err = nl80211_calculate_ap_params(params);
        if (err)
 -              goto out_unlock;
 +              goto out;
  
 -              goto out_unlock;
+       err = nl80211_validate_ap_phy_operation(params);
+       if (err)
++              goto out;
+ 
        if (info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS])
                params->flags = nla_get_u32(
                        info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]);
                                u32 hysteresis)
  {
        struct cfg80211_registered_device *rdev = info->user_ptr[0];
+       struct cfg80211_cqm_config *cqm_config = NULL, *old;
        struct net_device *dev = info->user_ptr[1];
        struct wireless_dev *wdev = dev->ieee80211_ptr;
 -      int i, err;
        s32 prev = S32_MIN;
-       int i;
++      int i, err;
  
        /* Check all values negative and sorted */
        for (i = 0; i < n_thresholds; i++) {
        if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
                n_thresholds = 0;
  
-       if (n_thresholds) {
-               struct cfg80211_cqm_config *cqm_config;
 -      wdev_lock(wdev);
 -      old = rcu_dereference_protected(wdev->cqm_config,
 -                                      lockdep_is_held(&wdev->mtx));
++      old = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
  
+       if (n_thresholds) {
                cqm_config = kzalloc(struct_size(cqm_config, rssi_thresholds,
                                                 n_thresholds),
                                     GFP_KERNEL);
                       flex_array_size(cqm_config, rssi_thresholds,
                                       n_thresholds));
  
-               wdev->cqm_config = cqm_config;
+               rcu_assign_pointer(wdev->cqm_config, cqm_config);
+       } else {
+               RCU_INIT_POINTER(wdev->cqm_config, NULL);
+       }
+ 
+       err = cfg80211_cqm_rssi_update(rdev, dev, cqm_config);
+       if (err) {
+               rcu_assign_pointer(wdev->cqm_config, old);
+               kfree_rcu(cqm_config, rcu_head);
+       } else {
+               kfree_rcu(old, rcu_head);
        }
 -unlock:
 -      wdev_unlock(wdev);
  
-       return cfg80211_cqm_rssi_update(rdev, dev);
+       return err;
  }
  
  static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
                    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
                return;
  
-       if (wdev->cqm_config) {
-               wdev->cqm_config->last_rssi_event_value = rssi_level;
+       rcu_read_lock();
+       cqm_config = rcu_dereference(wdev->cqm_config);
+       if (cqm_config) {
+               cqm_config->last_rssi_event_value = rssi_level;
+               cqm_config->last_rssi_event_type = rssi_event;
+               wiphy_work_queue(wdev->wiphy, &wdev->cqm_rssi_work);
+       }
+       rcu_read_unlock();
+ }
+ EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
  
-               cfg80211_cqm_rssi_update(rdev, dev);
+ void cfg80211_cqm_rssi_notify_work(struct wiphy *wiphy, struct wiphy_work *work)
+ {
+       struct wireless_dev *wdev = container_of(work, struct wireless_dev,
+                                                cqm_rssi_work);
+       struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
+       enum nl80211_cqm_rssi_threshold_event rssi_event;
+       struct cfg80211_cqm_config *cqm_config;
+       struct sk_buff *msg;
+       s32 rssi_level;
  
-               if (rssi_level == 0)
-                       rssi_level = wdev->cqm_config->last_rssi_event_value;
-       }
 -      wdev_lock(wdev);
 -      cqm_config = rcu_dereference_protected(wdev->cqm_config,
 -                                             lockdep_is_held(&wdev->mtx));
++      cqm_config = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
+       if (!wdev->cqm_config)
 -              goto unlock;
++              return;
+ 
+       cfg80211_cqm_rssi_update(rdev, wdev->netdev, cqm_config);
+ 
+       rssi_level = cqm_config->last_rssi_event_value;
+       rssi_event = cqm_config->last_rssi_event_type;
  
-       msg = cfg80211_prepare_cqm(dev, NULL, gfp);
+       msg = cfg80211_prepare_cqm(wdev->netdev, NULL, GFP_KERNEL);
        if (!msg)
 -              goto unlock;
 +              return;
  
        if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
                        rssi_event))
                                      rssi_level))
                goto nla_put_failure;
  
-       cfg80211_send_cqm(msg, gfp);
+       cfg80211_send_cqm(msg, GFP_KERNEL);
  
 -      goto unlock;
 +      return;
  
   nla_put_failure:
        nlmsg_free(msg);
 - unlock:
 -      wdev_unlock(wdev);
  }
- EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
  
  void cfg80211_cqm_txe_notify(struct net_device *dev,
                             const u8 *peer, u32 num_packets,