binder: fix race between munmap() and direct reclaim

An munmap() on a binder device causes binder_vma_close() to be called
which clears the alloc->vma pointer.

If direct reclaim causes binder_alloc_free_page() to be called, there
is a race where alloc->vma is read into a local vma pointer and then
used later after the mm->mmap_sem is acquired. This can result in
calling zap_page_range() with an invalid vma which manifests as a
use-after-free in zap_page_range().

The fix is to check alloc->vma after acquiring the mmap_sem (which we
were acquiring anyway) and bail out of binder_alloc_free_page() if it
has changed to NULL.

Change-Id: I9ea0558a57635a747d7a48ed35991d39b860abf6
Signed-off-by: Todd Kjos <tkjos@google.com>

Change-Id: I6a52aa3f0bad46a27a236ae163b7f535e3040477