diff --git a/net/bluetooth/hci_request.c b/net/bluetooth/hci_request.c
index efea25eb56ce..6f3e2e6cd2f4 100644
--- a/net/bluetooth/hci_request.c
+++ b/net/bluetooth/hci_request.c
@@ -106,8 +106,10 @@ void hci_req_sync_complete(struct hci_dev *hdev, u8 result, u16 opcode,
 		hdev->req_result = result;
 		hdev->req_status = HCI_REQ_DONE;
 		if (skb) {
-			kfree_skb(hdev->req_skb);
+			struct sk_buff	*old_skb;
+			old_skb = hdev->req_skb;
 			hdev->req_skb = skb_get(skb);
+			kfree_skb(old_skb);
 		}
 		wake_up_interruptible(&hdev->req_wait_q);
 	}
@@ -120,6 +122,7 @@ int __hci_req_sync(struct hci_dev *hdev, int (*func)(struct hci_request *req,
 {
 	struct hci_request req;
 	int err = 0;
+	struct sk_buff	*req_skb;
 
 	bt_dev_dbg(hdev, "start");
 
@@ -181,8 +184,9 @@ int __hci_req_sync(struct hci_dev *hdev, int (*func)(struct hci_request *req,
 		break;
 	}
 
-	kfree_skb(hdev->req_skb);
+	req_skb = hdev->req_skb;
 	hdev->req_skb = NULL;
+	kfree_skb(req_skb);
 	hdev->req_status = hdev->req_result = 0;
 
 	bt_dev_dbg(hdev, "end: err %d", err);