--- x/net/bluetooth/sco.c
+++ y/net/bluetooth/sco.c
@@ -415,6 +415,8 @@ static void sco_sock_cleanup_listen(stru
 */
 static void sco_sock_kill(struct sock *sk)
 {
+ struct sco_conn *conn;
+
 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
 return;
@@ -423,6 +425,14 @@ static void sco_sock_kill(struct sock *s
 /* Kill poor orphan */
 bt_sock_unlink(&sco_sk_list, sk);
 sock_set_flag(sk, SOCK_DEAD);
+
+ conn = sco_pi(sk)->conn;
+ if (conn) {
+ sco_conn_lock(conn);
+ conn->sk = NULL;
+ sco_pi(sk)->conn = NULL;
+ sco_conn_unlock(conn);
+ }
 sock_put(sk);
 }
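Review bot: In the second hunk `conn = sco_pi(sk)->conn;` is loaded before `sco_conn_lock(conn)` is taken, and nothing visible here holds a reference on the connection or the socket lock, so if another teardown path can clear and free the same `sco_conn` concurrently, the lock call itself would touch freed memory and the dangling-pointer problem this detach appears meant to close would move from `sk` to `conn`. Whether that race is reachable depends on the callers of sco_sock_kill() and on how the connection is released, neither of which is in the hunk (the middle of the function also lies outside both hunks). State the precondition above the block, for example `/* conn must stay valid here: caller holds <lock or reference> */`, or pin the connection before locking it. It is also worth confirming that clearing only the two back-pointers, with no further release, does not leave a reference that was held through `conn` undropped.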