--- x/include/net/bluetooth/hci_core.h
+++ y/include/net/bluetooth/hci_core.h
@@ -1687,6 +1687,7 @@ static inline void hci_conn_drop(struct
 
 	if (atomic_dec_and_test(&conn->refcnt)) {
 		unsigned long timeo;
+		struct hci_dev *hdev;
 
 		switch (conn->type) {
 		case ACL_LINK:
@@ -1707,8 +1708,14 @@ static inline void hci_conn_drop(struct
 		}
 
 		cancel_delayed_work(&conn->disc_work);
-		queue_delayed_work(conn->hdev->workqueue,
-				   &conn->disc_work, timeo);
+		hdev = conn->hdev;
+		rcu_read_lock();
+		if (test_bit(HCI_RESET, &hdev->flags) ||
+		    hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
+			;
+		else
+			queue_delayed_work(hdev->workqueue, &conn->disc_work, timeo);
+		rcu_read_unlock();
 	}
 }
 
--- x/net/bluetooth/hci_sync.c
+++ y/net/bluetooth/hci_sync.c
@@ -5307,10 +5307,13 @@ int hci_dev_close_sync(struct hci_dev *h
 			cancel_delayed_work_sync(&adv_instance->rpa_expired_cb);
 	}
 
+	hci_dev_set_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE);
+	synchronize_rcu();
 	/* Avoid potential lockdep warnings from the *_flush() calls by
 	 * ensuring the workqueue is empty up front.
 	 */
 	drain_workqueue(hdev->workqueue);
+	hci_dev_clear_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE);
 
 	hci_dev_lock(hdev);