io_uring: fix race between timeout flush and removal

stable inclusion
from stable-v5.10.110
commit 2827328e646d0c2d3db1bfcad4b5f5016ce0d643
category: bugfix
bugzilla: 186670, https://gitee.com/src-openeuler/kernel/issues/I54H78
CVE: CVE-2022-29582

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.19.y&id=2827328e646d0c2d3db1bfcad4b5f5016ce0d643



--------------------------------

commit e677edbc upstream.

io_flush_timeouts() assumes the timeout isn't in progress of triggering
or being removed/canceled, so it unconditionally removes it from the
timeout list and attempts to cancel it.

Leave it on the list and let the normal timeout cancelation take care
of it.

Cc: stable@vger.kernel.org # 5.5+
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Conflicts:
	fs/io_uring.c

Signed-off-by: Guo Xuenan <guoxuenan@huawei.com>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>