vhpi: Fix use-after-free when removing callbacks

vhpi: Fix use-after-free when removing callbacks

Callbacks can generally be in a few states:

- Disabled or mature
- Actively executing
- Waiting to execute

For all callbacks except for AfterDelay, when the callback is waiting to
execute then clearing it will prevent further execution. However,
AfterDelay callbacks can be absent from the eventq_heap in the driverq
workqueue awaiting execution. Clearing these callbacks will not prevent
them from executing.

To work around this, make model_clear_timeout_cb return a boolean
indicating whether a callback was actually cleared. If no callback was
cleared and the callback is not currently executing, then the callback
is in a workqueue. In this case, just free the callback later.
Otherwise, we have actually removed a callback and we can be sure that
it will not execute, so free it now.

Fixes: d6e523a4 ("vhpi: Free callbacks in remove")