--- x/net/bluetooth/l2cap_core.c
+++ l/net/bluetooth/l2cap_core.c
@@ -7562,6 +7562,7 @@ static void l2cap_data_channel(struct l2
 			       struct sk_buff *skb)
 {
 	struct l2cap_chan *chan;
+	int a2mp = 0;
 
 	chan = l2cap_get_chan_by_scid(conn, cid);
 	if (!chan) {
@@ -7572,6 +7573,7 @@ static void l2cap_data_channel(struct l2
 				return;
 			}
 
+			a2mp = 1;
 			l2cap_chan_lock(chan);
 		} else {
 			BT_DBG("unknown cid 0x%4.4x", cid);
@@ -7631,6 +7633,8 @@ drop:
 
 done:
 	l2cap_chan_unlock(chan);
+	if (a2mp)
+		return;
 	l2cap_chan_put(chan);
 }