Bluetooth: fix use-after-free in hci_conn_del with ISO connections

If hci_conn_del gets called on a LE connection linked to a CIS
connection, subsequent hci_conn_del on the CIS connection results to
use-after-free [1] as cis->link still points to the deleted connection.

This occurs e.g. if hci_cmd_sync_queue fails in hci_le_create_cis.

Fix it by doing the same what is done with the SCO+ACL linked
connections.

[1]:
BUG: KASAN: use-after-free in hci_conn_del+0xa4/0x3e0
Write of size 8 at addr ffff8880013d2668 by task iso-tester/29

CPU: 0 PID: 29 Comm: iso-tester Not tainted 6.2.0-rc7-00024-g0e21956501c0-dirty torvalds#203
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.1-2.fc37 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x19/0x27
 print_report+0x160/0x484
 ? __virt_addr_valid+0xd4/0x150
 ? hci_conn_del+0xa4/0x3e0
 kasan_report+0xc7/0xf0
 ? hci_conn_del+0xa4/0x3e0
 hci_conn_del+0xa4/0x3e0
 hci_conn_hash_flush+0xea/0x130
 hci_dev_close_sync+0x34f/0x930
 hci_unregister_dev+0x104/0x2a0
 vhci_release+0x4c/0x90
 __fput+0x102/0x410
 task_work_run+0xfe/0x180
 ? __pfx_task_work_run+0x10/0x10
 exit_to_user_mode_prepare+0xfd/0x100
 syscall_exit_to_user_mode+0x1c/0x50
 do_syscall_64+0x4e/0x90
 entry_SYSCALL_64_after_hwframe+0x70/0xda
RIP: 0033:0x7f9880de0944

net/bluetooth/hci_conn.c

@@ -1074,8 +1074,16 @@ int hci_conn_del(struct hci_conn *conn)
 		/* Unacked frames */
 		hdev->acl_cnt += conn->sent;
 	} else if (conn->type == LE_LINK) {
+		struct hci_conn *iso = conn->link;
+
 		cancel_delayed_work(&conn->le_conn_timeout);
 
+		if (iso) {
+			iso->link = NULL;
+			if (iso->handle == HCI_CONN_HANDLE_UNSET)
+				hci_conn_del(iso);
+		}
+
 		if (hdev->le_pkts)
 			hdev->le_cnt += conn->sent;
 		else