if btmrvl_tx_pkt() is called, and the branch
  if (skb_headroom(skb) < BTM_HEADER_LEN)
evaluates positive, a new skb is allocated via skb_realloc_headroom.

The original skb is stored in a tmp variable, before being free'd.
However on success, the new skb, is not free'd, nor is it
returned to the caller which will then double-free the original skb.

This issue exists from the original driver submission in
 commit: #132ff4e5

If this code path had been alive, it would have been noted from the
double-free causing a panic.

All skb's here should be allocated through bt_skb_alloc which
adds 8 bytes as headroom, which is plenty against the 4 bytes
pushed on by this driver.

This code path is dead, and buggy at the same time, so the cleanest
approach is to remove the affected branch.

Reported by coverity (CID 113422)
Signed-off-by: Kieran Bingham <kieranbingham@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>