--- x/net/bluetooth/hci_conn.c
+++ y/net/bluetooth/hci_conn.c
@@ -970,6 +970,9 @@ struct hci_conn *hci_conn_add(struct hci
 bt_dev_dbg(hdev, "dst %pMR handle 0x%4.4x", dst, handle);
+ if (HCI_CONN_HANDLE_UNSET(handle))
+ BUG_ON(!ida_alloc_range(&hdev->unset_handle_ida, handle, handle +1, GFP_ATOMIC));
+
 conn = kzalloc(sizeof(*conn), GFP_KERNEL);
 if (!conn)
 return NULL;
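Review bot: The added `BUG_ON(!ida_alloc_range(...))` does not catch allocation failure: `ida_alloc_range()` returns the allocated ID or a negative errno, so `!ret` is true only for ID 0, and errors such as `-ENOSPC` or `-ENOMEM` pass silently. The range `handle, handle +1` is also inclusive at both ends, so when `handle` is already taken the call can hand out `handle + 1` instead of failing. Even with the test corrected, a `BUG_ON` on a connection-setup path turns a recoverable condition into a kernel crash, and the ID is leaked when the following `kzalloc()` fails; returning NULL like the existing allocation-failure path, and freeing the ID on that path, would be safer. `GFP_ATOMIC` is presumably unnecessary given the `GFP_KERNEL` kzalloc on the next line. hci_conn_add() starts and ends outside this hunk, so whether later error paths and connection teardown release the ID cannot be checked here.

```c
	if (HCI_CONN_HANDLE_UNSET(handle)) {
		/* max is inclusive: reserve exactly this handle, fail if taken */
		int id = ida_alloc_range(&hdev->unset_handle_ida, handle, handle,
					 GFP_KERNEL);

		if (id < 0)
			return NULL;
	}

	conn = kzalloc(sizeof(*conn), GFP_KERNEL);
	if (!conn) {
		/* undo the reservation so the handle is not leaked */
		if (HCI_CONN_HANDLE_UNSET(handle))
			ida_free(&hdev->unset_handle_ida, handle);
		return NULL;
	}
```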