--- l/net/bluetooth/l2cap_core.c
+++ c/net/bluetooth/l2cap_core.c
@@ -1747,6 +1747,8 @@ static void l2cap_unregister_all_users(s
 	}
 }
 
+static DEFINE_MUTEX(l2cap_conn_del_mutex);
+
 static void l2cap_conn_del(struct hci_conn *hcon, int err)
 {
 	struct l2cap_conn *conn = hcon->l2cap_data;
@@ -1797,8 +1799,10 @@ static void l2cap_conn_del(struct hci_co
 	if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
 		cancel_delayed_work_sync(&conn->info_timer);
 
+	mutex_lock(&l2cap_conn_del_mutex);
 	hcon->l2cap_data = NULL;
 	conn->hchan = NULL;
+	mutex_unlock(&l2cap_conn_del_mutex);
 	l2cap_conn_put(conn);
 }
 
@@ -7480,11 +7484,21 @@ void l2cap_recv_acldata(struct hci_conn
 	struct l2cap_conn *conn = hcon->l2cap_data;
 	int len;
 
-	if (!conn)
+	if (!conn) {
 		conn = l2cap_conn_add(hcon);
-
-	if (!conn)
-		goto drop;
+		if (!conn)
+			goto drop;
+		l2cap_conn_get(conn);
+	} else {
+		mutex_lock(&l2cap_conn_del_mutex);
+		conn = hcon->l2cap_data;
+		if (conn)
+			if (!kref_get_unless_zero(&conn->ref))
+				conn = NULL;
+		mutex_unlock(&l2cap_conn_del_mutex);
+		if (!conn)
+			goto drop;
+	}
 
 	BT_DBG("conn %p len %u flags 0x%x", conn, skb->len, flags);
 
@@ -7512,6 +7526,7 @@ void l2cap_recv_acldata(struct hci_conn
 		if (len == skb->len) {
 			/* Complete frame received */
 			l2cap_recv_frame(conn, skb);
+			l2cap_conn_put(conn);
 			return;
 		}
 
@@ -7576,6 +7591,8 @@ void l2cap_recv_acldata(struct hci_conn
 
 drop:
 	kfree_skb(skb);
+	if (conn)
+		l2cap_conn_put(conn);
 }
 
 static struct hci_cb l2cap_cb = {