aio: Fix a race in sys_aio_cancel()

sys_aio_cancel() loops over pending jobs for the process, cancelling
some of them. To cancel a job with a cancel callback, it must drop the
job list mutex. It uses flags, KAIOCB_CANCELLING and KAIOCB_CANCELLED,
to make sure that a job isn't double-cancelled. However, when iterating
over the list it uses TAILQ_FOREACH_SAFE and thus assumes that the next
job isn't going to be removed while the lock is dropped. Of course,
this assumption is false.

We could simply start search from the beginning after cancelling a job,
but that might be quite expensive. Instead, introduce the notion of a
marker job, used to keep track of one's position in the queue. Use it
in sys_aio_cancel() to resume iteration after a job is cancelled.

Reported by: syzkaller
Reviewed by: kib, jhb
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D51626