--- x/net/bluetooth/rfcomm/core.c
+++ y/net/bluetooth/rfcomm/core.c
@@ -490,8 +490,8 @@ static int __rfcomm_dlc_close(struct rfc
 	rfcomm_dlc_lock(d);
 	d->state = BT_CLOSED;
-	d->state_change(d, err);
 	rfcomm_dlc_unlock(d);
+	d->state_change(d, err);
 	skb_queue_purge(&d->tx_queue);
 	rfcomm_dlc_unlink(d);
--- x/net/bluetooth/rfcomm/tty.c
+++ y/net/bluetooth/rfcomm/tty.c
@@ -394,6 +394,7 @@ static int __rfcomm_create_dev(struct so
 	struct rfcomm_dlc *dlc;
 	int id;
+	lockdep_assert_held(&sk->sk_lock);
 	if (copy_from_user(&req, arg, sizeof(req)))
 		return -EFAULT;
@@ -410,8 +411,10 @@ static int __rfcomm_create_dev(struct so
 		dlc = rfcomm_pi(sk)->dlc;
 		rfcomm_dlc_hold(dlc);
 	} else {
+		release_sock(sk);
 		/* Validate the channel is unused */
 		dlc = rfcomm_dlc_exists(&req.src, &req.dst, req.channel);
+		lock_sock(sk);
 		if (IS_ERR(dlc))
 			return PTR_ERR(dlc);
 		if (dlc)
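Review bot: The moved `d->state_change(d, err)` call in __rfcomm_dlc_close now runs after rfcomm_dlc_unlock(d), but nothing at the call site records why the callback must not run under the dlc lock, so a later cleanup could easily move it back. Presumably the callback takes another lock that must not nest inside the dlc lock; a one-line comment such as `/* Run the state_change callback without the dlc lock held: it may take locks that must not nest inside it. */` above the call would pin the ordering. Note also that d->state is still set to BT_CLOSED under the lock, so the callback observes the final state regardless of the reordering. __rfcomm_dlc_close continues outside the hunk.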
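Review bot: The new `lockdep_assert_held(&sk->sk_lock);` in __rfcomm_create_dev asserts on the raw socket_lock_t, whereas the networking core's own helper for this contract is `sock_owned_by_me(sk);`, which also covers the non-lockdep ownership check; consider using it for consistency with the rest of the socket code. This is a style point only, the assertion itself is a welcome addition given the later lock drop. __rfcomm_create_dev starts before this hunk.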
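Review bot: The `release_sock(sk);` / `lock_sock(sk);` pair around rfcomm_dlc_exists() drops the socket lock in the middle of __rfcomm_create_dev, so any socket state the function validated before this point (earlier in the function, outside the hunk) may have changed by the time the lock is re-taken, and the code after `lock_sock(sk)` does not re-check it. Whether that matters depends on the checks above the hunk, which I cannot see; at minimum the reason for the drop should be stated so the window is intentional rather than accidental, e.g. `/* Drop sk_lock: rfcomm_dlc_exists() takes a lock that must not nest under it; req is a local copy so its fields remain valid. */`. If the socket's state is relied on after this point, re-validate it after `lock_sock(sk)` before continuing. The function continues outside the hunk.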