Bluetooth: host: ensure ownership of conn on TX path

This is a bug-fix:

When upper layers want to send something, they add a `conn` object to a
list. They do so by adding a node on `struct conn` rather than the object
itself.

We forgot to increase the reference count of the connection object when
doing so. This means that there can be a scenario where the conn object is
destroyed and re-used while still being on the TX list/queue.

This is bad for obvious reasons.

This patch fixes that by:
- increasing the refcount when putting on the TX list
- decreasing the refcount *only* when popping off the TX list
- passing a new reference from `get_conn_ready` into `bt_conn_tx_processor`

Signed-off-by: Jonathan Rico <jonathan.rico@nordicsemi.no>