--- x/include/net/bluetooth/hci_core.h
+++ y/include/net/bluetooth/hci_core.h
@@ -1687,6 +1687,7 @@ static inline void hci_conn_drop(struct
 
 	if (atomic_dec_and_test(&conn->refcnt)) {
 		unsigned long timeo;
+		struct hci_dev *hdev;
 
 		switch (conn->type) {
 		case ACL_LINK:
@@ -1707,8 +1708,14 @@ static inline void hci_conn_drop(struct
 		}
 
 		cancel_delayed_work(&conn->disc_work);
-		queue_delayed_work(conn->hdev->workqueue,
-				   &conn->disc_work, timeo);
+		hdev = conn->hdev;
+		rcu_read_lock();
+		if (test_bit(HCI_RESET, &hdev->flags) ||
+		    hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
+			;
+		else
+			queue_delayed_work(hdev->workqueue, &conn->disc_work, timeo);
+		rcu_read_unlock();
 	}
 }