Bluetooth: Correctly take hci_dev->dev refcount

The hci_dev->dev device structure has an internal refcount. This
refcount is used to protect the whole hci_dev object. However, we
currently do not use it.  Therefore, if someone calls hci_free_dev() we
currently immediately destroy the hci_dev object because we never took
the device refcount.

This even happens if the hci_dev->refcnt is not 0. In fact, the
hci_dev->refcnt is totally useless in its current state. Therefore, we
simply remove hci_dev->refcnt and instead use hci_dev->dev refcnt.

This fixes all the symptoms and also correctly integrates the device
structure into our bluetooth bus system.
Signed-off-by: David Herrmann <dh.herrmann@googlemail.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>

include/net/bluetooth/hci_core.h

@@ -129,7 +129,6 @@ struct adv_entry {
 struct hci_dev {
 	struct list_head list;
 	struct mutex	lock;
-	atomic_t	refcnt;
 
 	char		name[8];
 	unsigned long	flags;
@@ -592,7 +591,7 @@ static inline void hci_conn_put(struct hci_conn *conn)
 /* ----- HCI Devices ----- */
 static inline void __hci_dev_put(struct hci_dev *d)
 {
-	atomic_dec(&d->refcnt);
+	put_device(&d->dev);
 }
 
 /*
@@ -603,7 +602,7 @@ static inline void __hci_dev_put(struct hci_dev *d)
 
 static inline struct hci_dev *__hci_dev_hold(struct hci_dev *d)
 {
-	atomic_inc(&d->refcnt);
+	get_device(&d->dev);
 	return d;
 }
 

net/bluetooth/hci_core.c

@@ -1571,7 +1571,6 @@ int hci_register_dev(struct hci_dev *hdev)
 	hdev->id = id;
 	list_add_tail(&hdev->list, head);
 
-	atomic_set(&hdev->refcnt, 1);
 	mutex_init(&hdev->lock);
 
 	hdev->flags = 0;
@@ -1655,6 +1654,7 @@ int hci_register_dev(struct hci_dev *hdev)
 	schedule_work(&hdev->power_on);
 
 	hci_notify(hdev, HCI_DEV_REG);
+	__hci_dev_hold(hdev);
 
 	return id;