io_uring: fix race between timeout flush and removal

io_uring: fix race between timeout flush and removal

io_flush_timeouts() assumes the timeout isn't in progress of triggering
or being removed/canceled, so it unconditionally removes it from the
timeout list and attempts to cancel it.

Leave it on the list and let the normal timeout cancelation take care
of it.

While we're in there, fix two nonsensical cq_timeouts manipulations
which stem from when we didn't use an atomic_t for them. Setting them
to the read value + 1 can be done much cleaner with just an atomic_inc.

Cc: stable@vger.kernel.org # 5.5+
Signed-off-by: Jens Axboe <axboe@kernel.dk>