--- x/net/bluetooth/sco.c
+++ y/net/bluetooth/sco.c
@@ -155,6 +155,7 @@ static struct sco_conn *sco_conn_add(str
 * Must be called on the locked socket. */
 static void sco_chan_del(struct sock *sk, int err)
 {
+ struct hci_conn *hcon;
 struct sco_conn *conn;
 conn = sco_pi(sk)->conn;
@@ -165,10 +166,12 @@ static void sco_chan_del(struct sock *sk
 sco_conn_lock(conn);
 conn->sk = NULL;
 sco_pi(sk)->conn = NULL;
+ hcon = conn->hcon;
+ conn->hcon = NULL;
 sco_conn_unlock(conn);
- if (conn->hcon)
- hci_conn_drop(conn->hcon);
+ if (hcon)
+ hci_conn_drop(hcon);
 }
 sk->sk_state = BT_CLOSED;
--- x/net/bluetooth/hci_conn.c
+++ y/net/bluetooth/hci_conn.c
@@ -618,16 +618,6 @@ static void hci_conn_timeout(struct work
 WARN_ON(refcnt < 0);
- /* FIXME: It was observed that in pairing failed scenario, refcnt
- * drops below 0. Probably this is because l2cap_conn_del calls
- * l2cap_chan_del for each channel, and inside l2cap_chan_del conn is
- * dropped. After that loop hci_chan_del is called which also drops
- * conn. For now make sure that ACL is alive if refcnt is higher then 0,
- * otherwise drop it.
- */
- if (refcnt > 0)
- return;
 hci_abort_conn(conn, hci_proto_disconn_ind(conn));
 }
@@ -1019,7 +1009,7 @@ struct hci_conn *hci_conn_add(struct hci
 INIT_DELAYED_WORK(&conn->idle_work, hci_conn_idle);
 INIT_DELAYED_WORK(&conn->le_conn_timeout, le_conn_timeout);
- atomic_set(&conn->refcnt, 0);
+ atomic_set(&conn->refcnt, 1);
 hci_dev_hold(hdev);
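Review bot: Clearing `conn->hcon` under the conn lock in the second sco.c hunk means every other reader of `conn->hcon` in sco.c (none of them is inside this hunk) must now tolerate a NULL pointer, and the diff does not show those readers being adjusted; they should be audited before this lands. The motivation — snapshotting the pointer under the lock so a second entry into sco_chan_del() cannot drop the same hci_conn twice — is not stated anywhere in the new code, and a comment above `hcon = conn->hcon;` such as `/* take hcon under the lock and clear it so only one path drops it */` would record it, assuming that is the intent. The rest of sco_chan_del() and its callers lie outside the hunk.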
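Review bot: Dropping the `if (refcnt > 0) return;` guard makes hci_conn_timeout() call hci_abort_conn() unconditionally while `WARN_ON(refcnt < 0);` is kept, so the function no longer re-checks the refcount it read above the hunk. In this tree hci_conn_hold() presumably relies on cancel_delayed_work() to stop disc_work, and cancel_delayed_work() does not wait for a work item that is already executing, so a hold that races with this function can now be followed by an abort of a connection that is in use; the removed check was the (racy) protection against exactly that. If the new refcount model makes such a race impossible, that reasoning should replace the deleted FIXME, e.g. `/* disc_work is only queued once refcnt reaches 0; a later hci_conn_hold() cancels it */`; otherwise the guard should stay, or the hold path should use cancel_delayed_work_sync(). The start of hci_conn_timeout(), where refcnt is read, lies above the hunk.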
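Review bot: Starting `conn->refcnt` at 1 gives hci_conn_add() an owned reference that something must later release, and neither this hunk nor the rest of the diff shows the matching hci_conn_drop(). Existing callers that call hci_conn_hold() right after hci_conn_add() (outside this diff) would then never bring refcnt to 0, so disc_work is never queued and the connection is never torn down — a leak rather than the premature drop the old FIXME described. The line should name the owner of the initial reference, e.g. `/* caller owns the initial reference; dropping it schedules the disconnect */`, and the balancing drop should land in the same series. hci_conn_add()'s body continues on both sides of the hunk.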