virtio_balloon: implement VIRTIO_BALLOON_F_DEVICE_INIT_REPORTED

Add VIRTIO_BALLOON_F_DEVICE_INIT_REPORTED (bit 6): when negotiated,
the device guarantees it initializes reported pages (zeros, or
poison_val if PAGE_POISON). The device signals success via the
used length of each reporting_vq element.

Gate host_zeroes_pages on both the feature bit and the actual
page content: when PAGE_POISON is negotiated with poison_val != 0,
the device fills with poison bytes, not zeros.

Clear the feature in validate() if REPORTING is not present or if running in a
confidential computing environment (untrusted host).

Renumber DEVICE_INIT_ON_INFLATE from bit 6 to bit 7 to make room.

See the virtio spec change:
https://github.com/oasis-tcs/virtio-spec/issues/244

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Assisted-by: Claude:claude-opus-4-6
Assisted-by: cursor-agent:GPT-5.4-xhigh

virtio_balloon: skip zeroing for host-zeroed reported pages

Check per-page used length returned by the device to determine
which reported pages were zeroed. If used_len matches the page
size, the device successfully initialized the page (e.g. via
MADV_DONTNEED), and we set the corresponding zeroed_bitmap bit.

This requires no feature negotiation: existing devices return
used_len=0 (the conservative "not zeroed" case), while updated
devices return the page size on successful discard.

host_zeroes_pages is set unconditionally so the page_reporting
drain path checks the bitmap and marks matching pages as PG_zeroed
in the buddy allocator.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Assisted-by: Claude:claude-opus-4-6