--- x/net/bluetooth/sco.c
+++ y/net/bluetooth/sco.c
@@ -1287,16 +1287,19 @@ static void sco_conn_ready(struct sco_co
 			return;
 		}
 
+		sock_hold(parent);
+		sco_conn_unlock(conn);
 		lock_sock(parent);
 
 		sk = sco_sock_alloc(sock_net(parent), NULL,
 				    BTPROTO_SCO, GFP_ATOMIC, 0);
 		if (!sk) {
 			release_sock(parent);
-			sco_conn_unlock(conn);
+			sock_put(parent);
 			return;
 		}
 
+		sco_conn_lock(conn);
 		sco_sock_init(sk, parent);
 
 		bacpy(&sco_pi(sk)->src, &conn->hcon->src);
@@ -1313,9 +1316,9 @@ static void sco_conn_ready(struct sco_co
 		/* Wake up parent */
 		parent->sk_data_ready(parent);
 
-		release_sock(parent);
-
 		sco_conn_unlock(conn);
+		release_sock(parent);
+		sock_put(parent);
 	}
 }