--- x/net/bluetooth/hci_core.c
+++ y/net/bluetooth/hci_core.c
@@ -2901,12 +2901,18 @@ int hci_recv_frame(struct hci_dev *hdev,
 {
 u8 dev_pkt_type;
- if (!hdev || (!test_bit(HCI_UP, &hdev->flags)
- && !test_bit(HCI_INIT, &hdev->flags))) {
+ if (!hdev || !test_bit(HCI_UP, &hdev->flags)) {
+out:
 kfree_skb(skb);
 return -ENXIO;
 }
+ hci_req_sync_lock(hdev);
+ if (!test_bit(HCI_UP, &hdev->flags)) {
+ hci_req_sync_unlock(hdev);
+ goto out;
+ }
+
 /* Check if the driver agree with packet type classification */
 dev_pkt_type = hci_dev_classify_pkt_type(hdev, skb);
 if (hci_skb_pkt_type(skb) != dev_pkt_type) {
@@ -2933,6 +2939,7 @@ int hci_recv_frame(struct hci_dev *hdev,
 break;
 default:
 kfree_skb(skb);
+ hci_req_sync_unlock(hdev);
 return -EINVAL;
 }
@@ -2944,6 +2951,7 @@ int hci_recv_frame(struct hci_dev *hdev,
 skb_queue_tail(&hdev->rx_q, skb);
 queue_work(hdev->workqueue, &hdev->rx_work);
+ hci_req_sync_unlock(hdev);
 return 0;
 }
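Review bot: The added `hci_req_sync_lock(hdev)` puts what appears to be a sleeping lock on the frame receive path, and hci_recv_frame is an entry point that transport drivers may call from completion or interrupt context; if any caller is atomic, this trades the close race for a sleep-in-atomic bug. The same hunk also drops the `HCI_INIT` test, so frames that arrive while the device is initialising and `HCI_UP` is not yet set would now be freed with -ENXIO, and if the init sequence holds the same request lock while it waits for controller events, the recheck under the lock would stall them as well. Consider keeping `!test_bit(HCI_INIT, &hdev->flags)` in both checks, and document the calling contract above the function, for example `/* May sleep: takes the request sync lock; must not be called from atomic context. */`. The function body continues outside this hunk, so the remaining paths could not be checked here.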
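Review bot: Every exit after the lock now carries its own `hci_req_sync_unlock(hdev)` (here in the `default:` branch and again before `return 0` in the last hunk), while the first hunk jumps backwards into the body of an `if` with `goto out`; a single forward exit label would be easier to audit for a missed unlock. For example, this branch could set `err = -EINVAL; goto unlock;` and the function could end with `unlock: hci_req_sync_unlock(hdev); return err;`. Any return path in the lines between the hunks, which are not visible here, would need the same treatment or it leaves the lock held.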