--- x/net/bluetooth/l2cap_core.c
+++ y/net/bluetooth/l2cap_core.c
@@ -432,6 +432,13 @@ static void l2cap_chan_timeout(struct wo
 chan_timer.work);
 struct l2cap_conn *conn = chan->conn;
 int reason;
+ struct hci_dev *hdev = conn->hcon->hdev;
+
+ hci_dev_lock(hdev);
+ if (conn->hcon->state == BT_CLOSED) {
+ hci_dev_unlock(hdev);
+ return;
+ }
 BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
@@ -457,6 +464,7 @@ static void l2cap_chan_timeout(struct wo
 l2cap_chan_put(chan);
 mutex_unlock(&conn->chan_lock);
+ hci_dev_unlock(hdev);
 }
 struct l2cap_chan *l2cap_chan_create(void)
@@ -1800,11 +1808,18 @@ static void l2cap_info_timeout(struct wo
 {
 struct l2cap_conn *conn = container_of(work, struct l2cap_conn, info_timer.work);
+ struct hci_dev *hdev = conn->hcon->hdev;
+ hci_dev_lock(hdev);
+ if (conn->hcon->state == BT_CLOSED) {
+ hci_dev_unlock(hdev);
+ return;
+ }
 conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
 conn->info_ident = 0;
 l2cap_conn_start(conn);
+ hci_dev_unlock(hdev);
 }
 /*
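Review bot: The early `return` in the new `BT_CLOSED` branch of `l2cap_chan_timeout` skips the `l2cap_chan_put(chan)` that the normal exit path performs (visible at the end of the same function in the second hunk), so the channel reference would leak whenever the timer fires on a closed link. The branch should drop it first: `hci_dev_unlock(hdev); l2cap_chan_put(chan); return;`. Separately, `conn->hcon->hdev` is loaded before any lock is taken and with no NULL check on `conn` visible in this hunk, so if `conn` or `hcon` can already be freed when the work runs, the state check comes too late to prevent a use-after-free. The same unlocked load appears in `l2cap_info_timeout` in the third hunk. The function starts before and ends after this hunk, so an earlier guard may exist that is not shown here.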
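Review bot: Taking `hci_dev_lock(hdev)` inside `l2cap_info_timeout` can deadlock if any teardown path cancels `info_timer` synchronously while already holding the same lock. The canceller would wait for this handler while the handler waits for the lock. No such caller is visible in this diff, so the connection-teardown code should be checked for a `cancel_delayed_work_sync(&conn->info_timer)` made under the hdev lock before this lands. If this locking is kept, a comment above the lock call would record the constraint, for example `/* takes hdev->lock: callers must not cancel info_timer synchronously while holding it */`.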