--- x/net/bluetooth/af_bluetooth.c
+++ y/net/bluetooth/af_bluetooth.c
@@ -226,6 +226,7 @@ void bt_accept_enqueue(struct sock *pare
 list_add_tail(&bt_sk(sk)->accept_q, &bt_sk(parent)->accept_q);
 bt_sk(sk)->parent = parent;
+ sock_hold(parent);
 /* Copy credentials from parent since for incoming connections the
 * socket is allocated by the kernel.
@@ -258,6 +259,7 @@ void bt_accept_unlink(struct sock *sk)
 list_del_init(&bt_sk(sk)->accept_q);
 sk_acceptq_removed(bt_sk(sk)->parent);
+ sock_put(bt_sk(sk)->parent);
 bt_sk(sk)->parent = NULL;
 sock_put(sk);
 }
--- x/net/bluetooth/l2cap_sock.c
+++ y/net/bluetooth/l2cap_sock.c
@@ -1473,6 +1473,8 @@ static struct l2cap_chan *l2cap_sock_new
 {
 struct sock *sk, *parent = chan->data;
+ if (!parent)
+ return NULL;
 lock_sock(parent);
 /* Check for backlog size */
@@ -1674,6 +1676,8 @@ static void l2cap_sock_ready_cb(struct l
 struct sock *sk = chan->data;
 struct sock *parent;
+ if (!sk)
+ return;
 lock_sock(sk);
 parent = bt_sk(sk)->parent;
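Review bot: The `sock_hold(parent)` added to bt_accept_enqueue() in af_bluetooth.c has no comment saying what it pins or where it is released, so the pairing with the `sock_put()` in bt_accept_unlink() can only be found by reading both functions. I would add above it: `/* Pin parent while sk is on its accept queue; released in bt_accept_unlink(). */`. The reference keeps the parent's memory valid but says nothing about its state, so code that follows `bt_sk(sk)->parent` still has to cope with a parent that is already closing. The function begins and ends outside this hunk.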
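Review bot: In bt_accept_unlink() the new `sock_put(bt_sk(sk)->parent);` runs before `bt_sk(sk)->parent = NULL;`, so for a short window the child still publishes a pointer whose reference has already been dropped. Whether that put can ever be the last one cannot be decided from this hunk, but if it can, any reader not serialized with this function would see a dangling pointer. Clearing first is cheap: load `struct sock *parent = bt_sk(sk)->parent;`, call `sk_acceptq_removed(parent);`, then `bt_sk(sk)->parent = NULL;` followed by `sock_put(parent);`. The start of the function is outside the hunk.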
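Review bot: The `if (!parent) return NULL;` guard in l2cap_sock_new_connection_cb() tests a pointer loaded from `chan->data` with no lock or reference visible in the hunk, so it only covers the case where the field was already cleared; a socket freed between the load and `lock_sock(parent)` would still be used after free. The same applies to the `if (!sk) return;` guard added to l2cap_sock_ready_cb() in the last hunk. Unless the callers already serialize these callbacks against whatever clears `chan->data` (not shown here), the load should be followed by `sock_hold()` under that same lock, with a matching `sock_put()` after `release_sock()`. A short comment such as `/* chan->data is cleared once the socket is released */` would also tell the reader why NULL is possible. Both function bodies continue past their hunks.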