--- x/net/bluetooth/hci_core.c
+++ y/net/bluetooth/hci_core.c
@@ -2922,8 +2922,15 @@ int hci_recv_frame(struct hci_dev *hdev,
 /* Time stamp */
 __net_timestamp(skb);
+ rcu_read_lock();
+ if (hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE)) {
+ rcu_read_unlock();
+ kfree_skb(skb);
+ return -EINVAL;
+ }
 skb_queue_tail(&hdev->rx_q, skb);
 queue_work(hdev->workqueue, &hdev->rx_work);
+ rcu_read_unlock();
 return 0;
 }
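Review bot: The new read-side section around `skb_queue_tail()`/`queue_work()` only prevents rx_work from being queued onto a draining workqueue if the code that sets HCI_CMD_DRAIN_WORKQUEUE calls synchronize_rcu() before it starts the drain, and that writer is not visible in this hunk. Without that grace period a reader that tested the flag just before it was set can still reach `queue_work()` during the drain, so the pairing should be confirmed and written down above `rcu_read_lock()`, for example `/* Pairs with synchronize_rcu() after HCI_CMD_DRAIN_WORKQUEUE is set: no rx_work may be queued once the drain has started. */`. The frame is also dropped silently with `-EINVAL`, which callers presumably cannot tell apart from a malformed-packet rejection elsewhere in the function; a distinct errno or a debug message would help when triaging lost frames during reset. hci_recv_frame() begins outside the hunk, so its earlier error paths were not reviewed.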