Hi John,

> I finally burned some time, studied the code, and created a
> working patch for bt3c_cs.c (patch attached). It adds a test
> in bt3c_release to check whether the DEV_CONFIG_PENDING bit of
> link->state is clear before a call to bt3c_close. If the
> DEV_CONFIG_PENDING bit is not clear, bt3c_open has failed,
> and never succeeded in a call to hci_register_dev and friends.
>
> When loading the firmware fails, the unpatched code ignores the
> failure of bt3c_open, goes ahead with bt3c_close, and invokes
> hci_unregister_dev and friends (despite the fact that
> hci_register_dev was never called), thus provoking a kernel panic
> with the NULL pointer dereference. (aiee!)

You are right. That is the problem. I fixed it in a different way. Please
try out the attached patch and report if it also works.

> I suspect the 2.6 kernel may have the same problem by casual
> inspection, but I have neither confirmed the existence of a problem
> through testing of the 2.6 kernel, nor carefully traced that code
> of Linux 2.6 for possible key differences.

No. The 2.6 kernel is not affected, because the hdev is a pointer in that
kernel series and we have the NULL pointer check in place.

Regards

Marcel
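The open/release asymmetry the two mails describe, modelled in user space as an added example (this is not code from the thread, from bt3c_cs.c or from the HCI core; every function and field name below is a hypothetical stand-in, and the "oops" counter replaces the NULL-pointer kernel panic so the program can run to completion). It contrasts the unguarded release path with the two guards discussed: checking the config-pending bit before calling close (John's approach) and checking the device pointer for NULL inside the close path (the 2.6-style check Marcel refers to).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Hypothetical user-space model of the driver lifecycle discussed in the
 * thread. All names are illustrative stand-ins for the real bt3c_cs.c and
 * HCI core API; nothing here is copied from the kernel.
 */

#define DEV_CONFIG_PENDING 0x1   /* set until configuration (open) completes */

struct hci_dev {
    int id;
};

struct bt3c_info {
    struct hci_dev *hdev;        /* NULL until a device has been registered */
    unsigned int state;
};

static int registry_count;       /* stand-in for the HCI core's device list */
static int oops_count;           /* stand-in for a NULL-dereference panic */

static int hci_register_dev(struct hci_dev *hdev)
{
    hdev->id = registry_count++;
    return 0;
}

/* A core without a NULL check would dereference hdev here; the model
 * records an "oops" instead of actually crashing the process. */
static void hci_unregister_dev(struct hci_dev *hdev)
{
    if (!hdev) {
        oops_count++;
        return;
    }
    registry_count--;
}

/* Model of open: a firmware load failure returns before anything is
 * registered, so info->hdev stays NULL. */
static int bt3c_open(struct bt3c_info *info, bool firmware_ok)
{
    struct hci_dev *hdev;

    if (!firmware_ok)
        return -1;
    hdev = calloc(1, sizeof(*hdev));
    if (!hdev)
        return -1;
    if (hci_register_dev(hdev) < 0) {
        free(hdev);
        return -1;
    }
    info->hdev = hdev;
    return 0;
}

/* Unguarded close: unregisters whatever the pointer holds, NULL included. */
static void bt3c_close(struct bt3c_info *info)
{
    hci_unregister_dev(info->hdev);
    free(info->hdev);
    info->hdev = NULL;
}

/* 2.6-style guard: a device that was never registered is not unregistered. */
static void bt3c_close_null_check(struct bt3c_info *info)
{
    if (!info->hdev)
        return;
    bt3c_close(info);
}

/* John's guard: only call close once configuration actually completed.
 * Other resources (I/O ports, IRQ) would still be released unconditionally. */
static void bt3c_release_pending_check(struct bt3c_info *info)
{
    if (!(info->state & DEV_CONFIG_PENDING))
        bt3c_close(info);
}

/* Configure the card: open, then release (as the failure path of the PCMCIA
 * config routine does, and as ejecting the card does). variant 0 is the
 * unpatched release, 1 the pending-bit check, 2 the NULL-pointer check.
 * Returns the number of simulated oopses. */
int run_scenario(bool firmware_ok, int variant)
{
    struct bt3c_info info = { .hdev = NULL, .state = DEV_CONFIG_PENDING };

    oops_count = 0;
    registry_count = 0;

    if (bt3c_open(&info, firmware_ok) == 0)
        info.state &= ~DEV_CONFIG_PENDING;

    switch (variant) {
    case 0:  bt3c_close(&info);                 break;
    case 1:  bt3c_release_pending_check(&info); break;
    default: bt3c_close_null_check(&info);      break;
    }
    return oops_count;
}

/* Devices still registered after the last scenario (should be 0). */
int registry_left(void)
{
    return registry_count;
}

int main(void)
{
    printf("firmware fails, unpatched release: %d oops\n", run_scenario(false, 0));
    printf("firmware fails, pending-bit check:  %d oops\n", run_scenario(false, 1));
    printf("firmware fails, NULL-pointer check: %d oops\n", run_scenario(false, 2));
    printf("firmware ok, unpatched release:     %d oops, %d left registered\n",
           run_scenario(true, 0), registry_left());
    return 0;
}
```

The point the model makes is that the unpatched path has exactly one bad case, a failed open followed by release; both guards remove it and neither changes the behaviour of the successful path, where open and close stay balanced.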