BACKPORT: blk-mq: clear stale request in tags->rq[] before freeing one request pool

refcount_inc_not_zero() in bt_tags_iter() still may read one freed request.

Fix the issue by the following approach:

1) hold a per-tags spinlock when reading ->rqs[tag] and calling refcount_inc_not_zero in bt_tags_iter()

2) clearing stale request referred via ->rqs[tag] before freeing request pool, the per-tags spinlock is held for clearing stale ->rq[tag]

So after we cleared stale requests, bt_tags_iter() won't observe freed request any more, also the clearing will wait for pending request reference.

The idea of clearing ->rqs[] is borrowed from John Garry's previous patch and one recent David's patch.

Tested-by: John Garry <john.garry@huawei.com>
Reviewed-by: David Jeffery <djeffery@redhat.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Ming Lei <ming.lei@redhat.com>

Bug: 197804811
Change-Id: If49478d7b05d3f5b0a26966ddf9ae764cf2fb6b0
[Upstream: cherry picked from commit bd63141d585bef14f4caf111f6d0e27fe2300ec6]
[Todd: refactored to avoid breaking KMI]
Signed-off-by: Pradeep P V K <pragalla@codeaurora.org>
Signed-off-by: Todd Kjos <tkjos@google.com>
Git-commit: bb96e7f45dc6ac1d6ec12190f1f286e3014fb068
Git-repo: https://android.googlesource.com/kernel/common/
Signed-off-by: Pradeep P V K <quic_pragalla@quicinc.com>
(cherry picked from commit 02c9fbde)
Change-Id: I58693eddf77156f574a80542f719bd132906f0cc
Signed-off-by: Surapusetty Naresh Babu <snareshb@qti.qualcomm.com>