--- x/net/bluetooth/hci_conn.c
+++ y/net/bluetooth/hci_conn.c
@@ -2819,16 +2819,13 @@ void hci_chan_del(struct hci_chan *chan)
 BT_DBG("%s hcon %p chan %p", hdev->name, conn, chan);
 list_del_rcu(&chan->list);
-
- synchronize_rcu();
-
 /* Prevent new hci_chan's to be created for this hci_conn */
 set_bit(HCI_CONN_DROP, &conn->flags);
 hci_conn_put(conn);
 skb_queue_purge(&chan->data_q);
- kfree(chan);
+ kfree_rcu(chan, rcu);
 }
 void hci_chan_list_flush(struct hci_conn *conn)
--- x/include/net/bluetooth/hci_core.h
+++ y/include/net/bluetooth/hci_core.h
@@ -797,7 +797,10 @@ struct hci_chan {
 struct list_head list;
 __u16 handle;
 struct hci_conn *conn;
- struct sk_buff_head data_q;
+ union {
+ struct sk_buff_head data_q;
+ struct rcu_head rcu;
+ };
 unsigned int sent;
 __u8 state;
 bool amp;
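Review bot: In hci_chan_del(), with `synchronize_rcu()` removed, `hci_conn_put(conn)` and `skb_queue_purge(&chan->data_q)` now run while an RCU reader that found `chan` before `list_del_rcu()` may still be using it. `kfree_rcu()` defers only the free, so the purge is no longer final: anything such a reader queues on `data_q` afterwards is never released, and `chan->conn` may be read after this function dropped its reference (whether the connection can go away that early is not visible here). If the blocking wait has to go, doing the purge in a `call_rcu()` callback keeps the channel intact for the whole grace period. That needs `rcu` to have storage of its own rather than sharing it with `data_q`. The start of hci_chan_del() is outside the hunk.

```c
/* RCU callback: runs once no reader that could still see chan remains. */
static void hci_chan_free_rcu(struct rcu_head *head)
{
	struct hci_chan *chan = container_of(head, struct hci_chan, rcu);

	skb_queue_purge(&chan->data_q);
	kfree(chan);
}

/* … unchanged: hci_chan_del() up to and including hci_conn_put(conn) … */
	call_rcu(&chan->rcu, hci_chan_free_rcu);
}
```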
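Review bot: In struct hci_chan, overlaying `rcu` on `data_q` means `kfree_rcu(chan, rcu)` overwrites the leading fields of the queue head as soon as the free is queued, while the object can still be reached by RCU readers until the grace period ends. Any reader that tests or walks `chan->data_q` in that window (the list users are not shown in this diff) would interpret the callback head's contents as sk_buff pointers. The union is only safe if nothing touches `data_q` after the free is queued, which is what the removed `synchronize_rcu()` used to guarantee. Keep `struct sk_buff_head data_q;` as it was and add `struct rcu_head rcu;` as a separate member. The rest of the struct is outside the hunk.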