--- x/net/bluetooth/l2cap_core.c
+++ y/net/bluetooth/l2cap_core.c
@@ -1792,13 +1792,10 @@ static void l2cap_conn_del(struct hci_co
 	mutex_unlock(&conn->chan_lock);
-	hci_chan_del(conn->hchan);
-
 	if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
 		cancel_delayed_work_sync(&conn->info_timer);
 	hcon->l2cap_data = NULL;
-	conn->hchan = NULL;
 	l2cap_conn_put(conn);
 }
@@ -1806,6 +1803,7 @@ static void l2cap_conn_free(struct kref
 {
 	struct l2cap_conn *conn = container_of(ref, struct l2cap_conn, ref);
+	hci_chan_del(conn->hchan);
 	hci_conn_put(conn->hcon);
 	kfree(conn);
 }
@@ -7486,6 +7484,14 @@ void l2cap_recv_acldata(struct hci_conn
 	if (!conn)
 		goto drop;
+	hci_dev_lock(hcon->hdev);
+	if (conn != hcon->l2cap_data)
+		conn = NULL;
+	else
+		l2cap_conn_get(conn);
+	hci_dev_unlock(hcon->hdev);
+	if (!conn)
+		goto drop;
 	BT_DBG("conn %p len %u flags 0x%x", conn, skb->len, flags);
 	switch (flags) {
@@ -7512,6 +7518,7 @@ void l2cap_recv_acldata(struct hci_conn
 	if (len == skb->len) {
 		/* Complete frame received */
 		l2cap_recv_frame(conn, skb);
+		l2cap_conn_put(conn);
 		return;
 	}
@@ -7576,6 +7583,8 @@ void l2cap_recv_acldata(struct hci_conn
 drop:
 	kfree_skb(skb);
+	if (conn)
+		l2cap_conn_put(conn);
 }
 static struct hci_cb l2cap_cb = {
--- x/net/bluetooth/hci_core.c
+++ y/net/bluetooth/hci_core.c
@@ -3782,6 +3782,8 @@ static void hci_acldata_packet(struct hc
 	hci_dev_lock(hdev);
 	conn = hci_conn_hash_lookup_handle(hdev, handle);
+	if (conn)
+		hci_conn_get(conn);
 	hci_dev_unlock(hdev);
 	if (conn) {
@@ -3789,6 +3791,7 @@ static void hci_acldata_packet(struct hc
 		/* Send to upper protocol */
 		l2cap_recv_acldata(conn, skb, flags);
+		hci_conn_put(conn);
 		return;
 	} else {
 		bt_dev_err(hdev, "ACL packet for unknown connection handle %d",
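Review bot: Dropping `conn->hchan = NULL` from l2cap_conn_del() leaves conn->hchan pointing at a still-allocated channel on a conn whose `hcon->l2cap_data` has already been cleared, so any code elsewhere in the file that tested conn->hchan for NULL to detect a torn-down connection now sees a live channel; whether such a test exists is not visible in this hunk and should be confirmed before merging. The move of hci_chan_del() into l2cap_conn_free() (next hunk) also deserves a why-comment, because it ties the channel's lifetime to the last conn reference and places it ahead of hci_conn_put(), which presumably keeps hcon valid while the channel is released; I would add above it: `/* hchan is released with the last conn ref, not in l2cap_conn_del(), so a receive path still holding a ref never touches a freed channel; keep this before hci_conn_put(). */`. The body of l2cap_conn_del() starts outside the hunk.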
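Review bot: The re-check `if (conn != hcon->l2cap_data)` under hci_dev_lock() only closes the race with l2cap_conn_del() if the `hcon->l2cap_data = NULL` store in that function (first hunk) happens with hci_dev_lock() held; no such lock appears in the l2cap_conn_del hunk, so this relies on its callers holding it, which is worth stating where the assumption is made. I would add above the new block: `/* conn was read without a lock; re-validate against hcon->l2cap_data under hci_dev_lock(), which the teardown path is expected to hold when clearing it, and take a ref so conn outlives this call. */`. The l2cap_conn_add() path just above this hunk presumably publishes the new conn in hcon->l2cap_data, otherwise a freshly created conn would be rejected and dropped here — worth confirming. Keeping a blank line between the new `goto drop;` and `BT_DBG(...)` would preserve the original layout. The function's start is outside the hunk.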
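Review bot: This `l2cap_conn_put(conn)` balances the reference taken in the validation block for the one `return` visible here, and the `if (conn) l2cap_conn_put(conn);` added at the `drop:` label (last hunk of this file) covers the `goto drop` paths and the `break` fall-through; any other early `return` between these two hunks, which I cannot see, would leak the reference. If the rest of the function has such a return, routing it through a single exit label rather than a per-site put is less fragile. At the `drop:` label a short comment would help the next reader, since the label is reached both before and after the reference is taken: `/* conn is NULL here unless l2cap_conn_get() above succeeded */`. Both hunks lie inside l2cap_recv_acldata(), whose body extends beyond them.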
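Review bot: The `hci_conn_get(conn)` taken under hci_dev_lock() and the matching `hci_conn_put(conn)` after l2cap_recv_acldata() (next hunk) are unexplained in the code, and the reason matters for future callers: once hci_dev_unlock() runs, the hash lookup result can be deleted concurrently, so the reference is what keeps `conn` and its l2cap_data pointer usable across the unlocked call into L2CAP. I would add above the new get: `/* Pin conn across the unlocked call into l2cap below; it may be removed from the hash as soon as hdev is unlocked. */`. Note that hci_conn_put() may now free the hci_conn from this receive path if the disconnect raced; that should be fine in the rx work context this function appears to run in, but it is worth a sentence in the commit message. hci_acldata_packet() begins outside the hunk.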