--- y/net/bluetooth/rfcomm/sock.c
+++ x/net/bluetooth/rfcomm/sock.c
@@ -64,13 +64,17 @@ static void rfcomm_sk_data_ready(struct
 static void rfcomm_sk_state_change(struct rfcomm_dlc *d, int err)
 {
 struct sock *sk = d->owner, *parent;
+ bool locked = false;
 if (!sk)
 return;
 BT_DBG("dlc %p state %ld err %d", d, d->state, err);
- lock_sock(sk);
+ if (!sk->sk_shutdown) {
+ lock_sock(sk);
+ locked = true;
+ }
 if (err)
 sk->sk_err = err;
@@ -91,7 +95,8 @@ static void rfcomm_sk_state_change(struc
 sk->sk_state_change(sk);
 }
- release_sock(sk);
+ if (locked)
+ release_sock(sk);
 if (parent && sock_flag(sk, SOCK_ZAPPED)) {
 /* We have to drop DLC lock here, otherwise
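Review bot: Skipping `lock_sock(sk)` whenever `sk->sk_shutdown` is non-zero treats that flag as proof that the current caller already holds the socket lock, which nothing in the visible code establishes. `sk_shutdown` is read here without the lock and presumably stays set once the shutdown path has finished, so a later state change delivered from another context would run the writes that follow (`sk->sk_err = err` and the rest of the function body, which continues outside the first hunk) with no lock held at all; the matching `if (locked)` before `release_sock(sk)` in the second hunk inherits the same dependency. If the aim is to avoid re-acquiring a lock the shutdown caller already owns, it is safer to resolve that in the caller (drop the lock around the DLC close, or pass lock ownership down explicitly) than to infer it from socket state. If the check stays, it should at least read `if (!READ_ONCE(sk->sk_shutdown)) {` and carry a comment naming the caller that is assumed to hold the lock.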