--- c/include/net/bluetooth/l2cap.h 2024-06-17 18:33:27.096664300 +0800
+++ d/include/net/bluetooth/l2cap.h 2024-06-17 18:34:47.465834700 +0800
@@ -612,6 +612,7 @@ struct l2cap_chan {
 void *data;
 const struct l2cap_ops *ops;
 struct mutex lock;
+ unsigned int closed;
 };
 struct l2cap_ops {
--- c/net/bluetooth/l2cap_core.c 2024-06-17 18:32:21.249083200 +0800
+++ d/net/bluetooth/l2cap_core.c 2024-06-17 18:35:47.981139900 +0800
@@ -812,6 +812,7 @@ void l2cap_chan_close(struct l2cap_chan
 {
 struct l2cap_conn *conn = chan->conn;
+ chan->closed++;
 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
 switch (chan->state) {
--- c/net/bluetooth/l2cap_sock.c 2024-06-17 18:31:43.431535400 +0800
+++ d/net/bluetooth/l2cap_sock.c 2024-06-17 18:41:00.785238900 +0800
@@ -1482,10 +1482,17 @@ static struct l2cap_chan *l2cap_sock_new
 static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
 {
 struct sock *sk = chan->data;
- struct l2cap_pinfo *pi = l2cap_pi(sk);
+ struct l2cap_pinfo *pi;
 int err;
+ l2cap_chan_lock(chan);
+ if (chan->closed) {
+ l2cap_chan_unlock(chan);
+ return -ENOMEM;
+ }
 lock_sock(sk);
+ pi = l2cap_pi(sk);
+ l2cap_chan_unlock(chan);
 if (chan->mode == L2CAP_MODE_ERTM && !list_empty(&pi->rx_busy)) {
 err = -ENOMEM;
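Review bot: The new `closed` member of struct l2cap_chan carries no comment saying which lock protects it, and it is declared as a counter although the only reader in this patch, l2cap_sock_recv_cb(), tests it for non-zero. `bool closed;` with a comment such as `/* set by l2cap_chan_close(); read under chan->lock */` would state the intent, with the writer becoming `chan->closed = true;`. The struct definition starts outside the hunk, so zero-initialisation at allocation is assumed here and should be confirmed.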
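Review bot: `chan->closed++` in l2cap_chan_close() is written with no lock taken in the visible lines, while the reader added in l2cap_sock_recv_cb() checks the field under l2cap_chan_lock(); the check closes the race only if every caller of l2cap_chan_close() holds that same mutex. The callers are outside the hunk, so this cannot be confirmed from here; `lockdep_assert_held(&chan->lock);` ahead of the increment would make the assumption checkable at run time. The function body continues past the hunk.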
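Review bot: `struct sock *sk = chan->data;` is still evaluated in the initializer, before l2cap_chan_lock() and the `chan->closed` test, so the pointer later handed to lock_sock() is sampled outside the protection this hunk adds; declaring `struct sock *sk;` and assigning `sk = chan->data;` after the closed check keeps the load inside the critical section. The flag takes no reference on the socket, so it helps only if the socket cannot be released without l2cap_chan_close() having run first, which is not visible here. Returning `-ENOMEM` for a closed channel reuses the value this function already returns for the rx_busy case a few lines below; a distinct code such as `-ENXIO` would keep teardown apart from back-pressure. lock_sock() is now called with the channel mutex held, so the lock ordering, and whether the receive path already holds that mutex when it invokes the callback, should be checked against the callers. The function continues past the hunk.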