Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition

jira VULN-3967
jira VULN-68015
cve CVE-2023-1989
cve CVE-2023-53145
commit-author Zheng Wang <zyytlz.wz@163.com>
commit 73f7b17

In btsdio_probe, the data->work is bound with btsdio_work. It will be
started in btsdio_send_frame.

If the btsdio_remove runs with a unfinished work, there may be a race
condition that hdev is freed but used in btsdio_work. Fix it by
canceling the work before do cleanup in btsdio_remove.

	Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
	Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
(cherry picked from commit 73f7b17)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>

Author: pvts-mat

drivers/bluetooth/btsdio.c

@@ -370,6 +370,7 @@ static void btsdio_remove(struct sdio_func *func)
 	if (!data)
 		return;
 
+	cancel_work_sync(&data->work);
 	hdev = data->hdev;
 
 	sdio_set_drvdata(func, NULL);