--- x/net/bluetooth/l2cap_sock.c
+++ y/net/bluetooth/l2cap_sock.c
@@ -1227,14 +1227,17 @@ done:
 */
 static void l2cap_sock_kill(struct sock *sk)
 {
+ struct l2cap_chan *chan;
+
 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
 return;
 
 BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state));
 
+ chan = l2cap_pi(sk)->chan;
+ chan->data = NULL;
+ l2cap_chan_put(chan);
 /* Kill poor orphan */
-
- l2cap_chan_put(l2cap_pi(sk)->chan);
 sock_set_flag(sk, SOCK_DEAD);
 sock_put(sk);
 }
@@ -1627,6 +1630,8 @@ static void l2cap_sock_ready_cb(struct l
 struct sock *sk = chan->data;
 struct sock *parent;
 
+ if (!sk)
+ return;
 lock_sock(sk);
 
 parent = bt_sk(sk)->parent;
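Review bot: The new `chan->data = NULL;` store in l2cap_sock_kill() is a plain write with no lock visible in this hunk, so whether a callback on another CPU observes it before `sock_put(sk)` releases the socket depends on locking the hunk does not show. If callers are expected to hold the channel lock, state that above the store, for example `/* Caller holds the chan lock; callbacks must see NULL before sk is released. */`; otherwise use `WRITE_ONCE(chan->data, NULL);` with a matching `READ_ONCE()` on the reader side. Only l2cap_sock_ready_cb gains a NULL check in this patch, so any other callback in this file that dereferences `chan->data` should be audited for the same guard. The `/* Kill poor orphan */` comment now sits below the channel release it used to introduce and would read better above `chan = l2cap_pi(sk)->chan;`.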
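Review bot: The `if (!sk) return;` guard in l2cap_sock_ready_cb is a check-then-use, because `sk` is loaded once in the declaration and nothing in the hunk pins it before `lock_sock(sk)`. A concurrent l2cap_sock_kill() that clears `chan->data` and drops the last reference just after the check would still leave a stale pointer here. The guard is sufficient only if both paths are serialized by a lock held outside this hunk, which cannot be confirmed from the lines shown. It is worth recording that assumption in a comment such as `/* chan->data is cleared by l2cap_sock_kill() under <lock name>; NULL means the socket is gone */`, with the placeholder replaced by the actual lock. The function body continues past the end of the hunk.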