diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index b94d202bf3745cbb5135f294560c1eb4095ecd1e..be71082d9eafa7ab4f293a66f6754747a1b7aeb7 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -718,6 +718,13 @@ static void iso_sock_kill(struct sock *sk)
 
 	BT_DBG("sk %p state %d", sk, sk->sk_state);
 
+	/* Sock is dead, so set conn->sk to NULL to avoid possible UAF */
+	if (iso_pi(sk)->conn) {
+		iso_conn_lock(iso_pi(sk)->conn);
+		iso_pi(sk)->conn->sk = NULL;
+		iso_conn_unlock(iso_pi(sk)->conn);
+	}
+
 	/* Kill poor orphan */
 	bt_sock_unlink(&iso_sk_list, sk);
 	sock_set_flag(sk, SOCK_DEAD);