--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -190,15 +190,14 @@ static void sco_conn_del(struct hci_conn
 sco_conn_unlock(conn);
 if (sk) {
- sock_hold(sk);
 lock_sock(sk);
 sco_sock_clear_timer(sk);
 sco_chan_del(sk, err);
 release_sock(sk);
- sock_put(sk);
 /* Ensure no more work items will run before freeing conn. */
 cancel_delayed_work_sync(&conn->timeout_work);
+ sock_put(sk);
 }
 hcon->sco_data = NULL;
@@ -212,6 +211,8 @@ static void __sco_chan_add(struct sco_co
 sco_pi(sk)->conn = conn;
 conn->sk = sk;
+ /* make timeout_work safe; will be put in sco_conn_del() */
+ sock_hold(sk);
 INIT_DELAYED_WORK(&conn->timeout_work, sco_sock_timeout);
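Review bot: The reference taken by the new `sock_hold(sk)` in `__sco_chan_add()` is released only inside this `if (sk)` branch of `sco_conn_del()`, so the pairing holds only if `conn->sk` is still set whenever `sco_conn_del()` runs. If any other caller of `sco_chan_del()` (not visible in this diff) detaches the socket first, `sk` would be NULL here, the reference would leak, and `cancel_delayed_work_sync()` would be skipped as well; that should be confirmed against the rest of the file. With the local hold removed, the lifetime of `sk` between `sco_conn_unlock(conn)` and `lock_sock(sk)` also rests entirely on that long-lived reference. The pairing should at least be documented at the put site, for example `sock_put(sk); /* drops the reference taken in __sco_chan_add() */`. The body of `sco_conn_del()` starts and ends outside the hunk.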