virtio_pci: fix array index mismatch in vp_del_vqs

The Issue: During the teardown of the virtio_balloon module (e.g., via rmmod virtio_balloon), a kernel NULL pointer dereference occurs. The crash cascades into an unchecked list_del() and triggers the following kernel panic:
[12261.808190] Call trace:
[12261.808471]  __list_del_entry_valid_or_report+0x18/0xe0
[12261.809064]  vp_del_vqs+0x12c/0x270
[12261.809462]  remove_common+0x80/0x98 [virtio_balloon]
[12261.810034]  virtballoon_remove+0xfc/0x158 [virtio_balloon]
[12261.810663]  virtio_dev_remove+0x68/0xf8
[12261.811108]  device_release_driver_internal+0x17c/0x278
[12261.811701]  driver_detach+0xd4/0x138
[12261.812117]  bus_remove_driver+0x90/0xd0
[12261.812562]  driver_unregister+0x40/0x70
[12261.813006]  unregister_virtio_driver+0x20/0x38
[12261.813518]  cleanup_module+0x20/0x7a8 [virtio_balloon]
[12261.814109]  __arm64_sys_delete_module+0x278/0x3d0
[12261.814654]  invoke_syscall+0x5c/0x120
[12261.815086]  el0_svc_common+0x90/0xf8
[12261.815506]  do_el0_svc+0x2c/0x48
[12261.815883]  el0_svc+0x3c/0xa8
[12261.816235]  el0t_64_sync_handler+0x8c/0x108
[12261.816724]  el0t_64_sync+0x198/0x1a0
[12261.817141] Code: d503233f a9bf7bfd 910003fd aa0003e1 (f9400003)
[12261.817874] SMP: stopping secondary CPUs
[12261.818614] Starting crashdump kernel...
[12261.819053] Bye!

The Root Cause: In vp_find_vqs_msix() and vp_find_vqs_intx(), the PCI device's virtqueue info array vp_dev->vqs is erroneously populated using the virtqueue configuration array index i. However, during teardown, vp_del_vqs() looks up the info structure using vq->index, which corresponds to queue_idx (incremented only when a queue is instantiated).
When a virtio device conditionally skips a queue, i and queue_idx diverge. The debug log proves what the issue is during instantiation and later removal:

[    2.334426] DEBUG: Created intx virtqueue 'inflate' (queue_idx: 0, Config index i: 0, info ptr: ffff935fc1dbbee0)
[    2.347020] DEBUG: Created intx virtqueue 'deflate' (queue_idx: 1, Config index i: 1, info ptr: ffff935fc1dbb7a0)
[    2.361307] DEBUG: Created intx virtqueue 'stats' (queue_idx: 2, Config index i: 2, info ptr: ffff935fc1dbbdc0)
[    2.372745] DEBUG: Created intx virtqueue 'reporting_vq' (queue_idx: 3, Config index i: 4, info ptr: ffff935fc1dbb860)
[  435.481126] DEBUG: Removing virtqueue 'inflate' (index: 0, info ptr: ffff935fc1dbbee0)
[  435.504159] DEBUG: Removing virtqueue 'deflate' (index: 1, info ptr: ffff935fc1dbb7a0)
[  435.525601] DEBUG: Removing virtqueue 'stats' (index: 2, info ptr: ffff935fc1dbbdc0)
[  435.546626] DEBUG: Removing virtqueue 'reporting_vq' (index: 3, info ptr: ffff935fc1dbb860)

The reporting queue gets an index i=4, but a queue_idx=3. During teardown, vp_del_vqs() checks vp_dev->vqs[3], hitting an uninstantiated NULL slot.

The Fix: This change fixes the divergence of queue_idx and i by explicitly using &vp_dev->vqs[vq_idx] instead of the configuration index. This guarantees vp_dev->vqs is always populated using the queue's successfully instantiated index, preventing offsetting and the resulting NULL pointer dereference.

Fixes: fd27ef6b44be ("virtio_pci: add admin vq wrapper and some helpers")
Bug: b/477623032
TEST=tested rmmod virtio_balloon with FS kernel on an E4 VM
RELEASE_NOTE=Fixes a kernel panic in virtio_pci teardown when virtqueues are conditionally skipped.

Change-Id: I0d5ea76630af7a6778350294477112009cd64189
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/141563
Reviewed-by: Chetan Sharma <qoogle@google.com>
Reviewed-by: Miri Amarilio <mirilio@google.com>
Reviewed-by: Kevin Berry <kpberry@google.com>
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
1 file changed
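The index divergence described in the commit message, reproduced as an added, self-contained C model. This is example code, not the kernel's virtio_pci code or part of this change: `struct vq`, `struct vq_info`, `struct pci_dev`, `find_vqs()`, `del_vqs()` and `run_model()` are hypothetical stand-ins for `struct virtqueue`, `struct virtio_pci_vq_info`, `struct virtio_pci_device`, `vp_find_vqs_intx()` and `vp_del_vqs()`. The constructed `balloon_names[]` layout skips config slot 3 so that the last queue has config index 4 but queue index 3, the same divergence the debug log shows. Instead of dereferencing the NULL slot, the model counts how many teardown lookups would land on one, so the buggy and fixed indexing can be compared directly.

```c
/* Added example (not the kernel's code): model of the vqs[] index
 * mismatch fixed by this change. All names here are hypothetical
 * stand-ins for the virtio_pci structures and helpers. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_VQS 8

/* Stand-in for struct virtqueue: only the field the bug depends on. */
struct vq {
    unsigned int index;   /* == queue_idx, the instantiated queue number */
    const char *name;
};

/* Stand-in for struct virtio_pci_vq_info. */
struct vq_info {
    struct vq *vq;
};

/* Stand-in for struct virtio_pci_device: vqs[] holds info pointers. */
struct pci_dev {
    struct vq_info *vqs[MAX_VQS];
    struct vq *created[MAX_VQS];
    unsigned int nvqs;
};

/* Model of vp_find_vqs_intx(): walk the config array, skip NULL names,
 * and record the info of each instantiated queue. use_config_index
 * selects the buggy (vqs[i]) or fixed (vqs[queue_idx]) store. */
static int find_vqs(struct pci_dev *dev, const char *const names[],
                    unsigned int nvqs, int use_config_index)
{
    unsigned int i, queue_idx = 0;

    memset(dev, 0, sizeof(*dev));
    for (i = 0; i < nvqs; i++) {
        struct vq *vq;
        struct vq_info *info;

        if (!names[i])
            continue;  /* device conditionally skips this queue */

        vq = calloc(1, sizeof(*vq));
        info = calloc(1, sizeof(*info));
        if (!vq || !info) {
            free(vq);
            free(info);
            return -1;
        }
        vq->index = queue_idx;   /* queues are numbered by queue_idx */
        vq->name = names[i];
        info->vq = vq;
        dev->vqs[use_config_index ? i : queue_idx] = info;
        dev->created[queue_idx] = vq;
        queue_idx++;
    }
    dev->nvqs = queue_idx;
    return 0;
}

/* Model of vp_del_vqs(): look each queue's info up by vq->index and
 * count slots that are NULL, i.e. the dereferences that oops in the
 * real kernel. Frees everything afterwards so the model is leak-free. */
static unsigned int del_vqs(struct pci_dev *dev)
{
    unsigned int i, null_slots = 0;

    for (i = 0; i < dev->nvqs; i++) {
        struct vq *vq = dev->created[i];
        struct vq_info *info = dev->vqs[vq->index];

        if (!info) {
            printf("vqs[%u] for '%s' is NULL -> would oops\n",
                   vq->index, vq->name);
            null_slots++;
        }
    }
    for (i = 0; i < MAX_VQS; i++) {
        free(dev->vqs[i]);
        dev->vqs[i] = NULL;
    }
    for (i = 0; i < dev->nvqs; i++)
        free(dev->created[i]);
    return null_slots;
}

/* Constructed balloon-like layout: config slot 3 is skipped, so
 * 'reporting_vq' is config index 4 but queue_idx 3, as in the log. */
static const char *const balloon_names[] = {
    "inflate", "deflate", "stats", NULL, "reporting_vq",
};
#define BALLOON_NVQS (sizeof(balloon_names) / sizeof(balloon_names[0]))

/* Returns the number of NULL info lookups during teardown. */
unsigned int run_model(int use_config_index)
{
    struct pci_dev dev;

    if (find_vqs(&dev, balloon_names, BALLOON_NVQS, use_config_index) < 0)
        return (unsigned int)-1;
    return del_vqs(&dev);
}

int main(void)
{
    printf("buggy (vqs[i]):         %u NULL lookups\n", run_model(1));
    printf("fixed (vqs[queue_idx]): %u NULL lookups\n", run_model(0));
    return 0;
}
```

Run with `use_config_index` set, the model stores the reporting queue's info at slot 4 and leaves slot 3 empty, so teardown finds one NULL slot; with the fixed indexing every lookup by `vq->index` hits the slot it was stored in.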