diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c
index 8ab26dec5f6e..839dffab6ead 100644
--- a/drivers/bluetooth/hci_vhci.c
+++ b/drivers/bluetooth/hci_vhci.c
@@ -155,11 +155,11 @@ static inline ssize_t vhci_get_user(struct vhci_data *data,
 struct iov_iter *from)
 {
 size_t len = iov_iter_count(from);
- struct sk_buff *skb;
+ struct sk_buff *skb = NULL;
 __u8 pkt_type, opcode;
 int ret;
- if (len < 2 || len > HCI_MAX_FRAME_SIZE)
+ if (len < 4 || len > HCI_MAX_FRAME_SIZE)
 return -EINVAL;
 skb = bt_skb_alloc(len, GFP_KERNEL);
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 9832f8445d43..8c57aeafb588 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -1756,9 +1756,10 @@ void hci_chan_list_flush(struct hci_conn *conn)
 static struct hci_chan *__hci_chan_lookup_handle(struct hci_conn *hcon,
 __u16 handle)
 {
- struct hci_chan *hchan;
+ struct hci_chan *hchan = NULL;
+ struct hci_chan *n;
- list_for_each_entry(hchan, &hcon->chan_list, list) {
+ list_for_each_entry(hchan, n, &hcon->chan_list, list) {
 if (hchan->handle == handle)
 return hchan;
 }
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 4b7fc430793c..429221ec38f6 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -4962,9 +4962,9 @@ static void hci_phy_link_complete_evt(struct hci_dev *hdev,
 static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
 {
 struct hci_ev_logical_link_complete *ev = (void *) skb->data;
- struct hci_conn *hcon;
- struct hci_chan *hchan;
- struct amp_mgr *mgr;
+ struct hci_conn *hcon = NULL;
+ struct hci_chan *hchan = NULL;
+ struct amp_mgr *mgr = NULL;
 BT_DBG("%s log_handle 0x%4.4x phy_handle 0x%2.2x status 0x%2.2x",
 hdev->name, le16_to_cpu(ev->handle), ev->phy_handle,
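Review bot: The new lower bound `len < 4` in vhci_get_user (drivers/bluetooth/hci_vhci.c) is an unexplained magic number and may reject frames that the rest of the function would accept. The only header locals visible are the one-byte `pkt_type` and `opcode`, so a two-byte frame looks like a legitimate input under the old `len < 2` check; the body continues outside the hunk, so confirm this against the per-type parsing below. If the goal is to guarantee a complete header, it is safer to check the remaining length per packet type after `pkt_type` has been read, with a comment stating which header the bound covers. The added `skb = NULL` initialiser is dead, because `skb` is assigned by `bt_skb_alloc()` before any visible use.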
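Review bot: In __hci_chan_lookup_handle (net/bluetooth/hci_conn.c) the new call `list_for_each_entry(hchan, n, &hcon->chan_list, list)` passes four arguments to a macro that takes three (pos, head, member), so it should not compile. The four-argument form is `list_for_each_entry_safe(hchan, n, &hcon->chan_list, list)`, but the loop body shown only compares and returns and never removes an entry, so restoring the three-argument call and dropping `n` is the simpler fix. The _safe variant only tolerates removal by the loop itself; it does not protect against another context freeing entries, which needs the list's own locking or RCU rules. The `= NULL` on `hchan` has no effect on the iteration, since the macro assigns the cursor before the first test.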
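Review bot: In hci_loglink_complete_evt (net/bluetooth/hci_event.c), `ev` is taken straight from `skb->data`, and `ev->handle` and `ev->phy_handle` are read in the BT_DBG call with no length check visible in between; NULL-initialising `hcon`, `hchan` and `mgr` does not cover that. Unless the caller already guarantees `skb->len >= sizeof(*ev)` (not visible here), a short event from the controller would be read past the end of the buffer. A guard such as `if (skb->len < sizeof(*ev)) return;` before the first use of `ev` would close it. The function body continues outside the hunk, so whether the three initialisers are needed at all depends on paths not shown.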