diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index a5ac160c592e..9a28b2f83e7c 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -76,6 +76,27 @@ struct sco_pinfo {
 #define SCO_CONN_TIMEOUT	(HZ * 40)
 #define SCO_DISCONN_TIMEOUT	(HZ * 2)
 
+static bool sco_conn_linked(struct sco_conn *conn)
+{
+	struct sock *sk;
+
+	if (!conn || !conn->sk)
+		return false;
+
+	read_lock(&sco_sk_list.lock);
+
+	sk_for_each(sk, &sco_sk_list.head) {
+		if (sk == conn->sk) {
+			read_unlock(&sco_sk_list.lock);
+			return true;
+		}
+	}
+
+	read_unlock(&sco_sk_list.lock);
+
+	return false;
+}
+
 static void sco_sock_timeout(struct work_struct *work)
 {
 	struct sco_conn *conn = container_of(work, struct sco_conn,
@@ -87,7 +108,7 @@ static void sco_sock_timeout(struct work_struct *work)
 		sco_conn_unlock(conn);
 		return;
 	}
-	sk = conn->sk;
+	sk = sco_conn_linked(conn) ? conn->sk : NULL;
 	if (sk)
 		sock_hold(sk);
 	sco_conn_unlock(conn);