--- x/net/bluetooth/sco.c
+++ y/net/bluetooth/sco.c
@@ -203,6 +203,8 @@ static void sco_conn_del(struct hci_conn
 
 	/* Ensure no more work items will run before freeing conn. */
 	cancel_delayed_work_sync(&conn->timeout_work);
+	if (sk)
+		sock_put(sk);
 
 	hcon->sco_data = NULL;
 	kfree(conn);
@@ -215,6 +217,7 @@ static void __sco_chan_add(struct sco_co
 
 	sco_pi(sk)->conn = conn;
 	conn->sk = sk;
+	sock_hold(sk);
 
 	if (parent)
 		bt_accept_enqueue(parent, sk, true);