Clear Element.mRef immediately after deallocating it

DNSServiceRefDeallocate() and pointer dereferencing in request handler thread are protected by two separate lock/unlock pairs on mHeadMutex. If rescan() runs between these, it could dereference mRef, causing a heap-use-after-free bug.

Solution: set mRef to null immediately after freeing it.

Bug: 121327565
Test: build
Change-Id: I56ace2ad8a2da528afa375aefb1b9420547658a7
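The interleaving the commit message describes, replayed deterministically as an added C++ example (not the project's code). `Monitor`, `Element`, the integer `Ref` handle and `staleRefsSeenByRescan` are hypothetical stand-ins, and `mLive` models the allocator so that no freed memory is actually touched.

```cpp
#include <mutex>
#include <set>
#include <vector>

// Hypothetical model: Ref stands in for a DNSServiceRef handle, 0 stands in for null.
using Ref = int;
struct Element { int id; Ref mRef; };

class Monitor {
    std::mutex mHeadMutex;
    std::vector<Element> mElements;
    std::set<Ref> mLive;              // handles that have not been deallocated
    Ref mNext = 1;
    bool mClearAfterFree;             // true = behaviour with the fix applied
public:
    explicit Monitor(bool clearAfterFree) : mClearAfterFree(clearAfterFree) {}
    void add(int id) {
        std::lock_guard<std::mutex> lock(mHeadMutex);
        mLive.insert(mNext);
        mElements.push_back({id, mNext++});
    }
    // Handler, first lock/unlock pair: release the handle.
    void deallocate(int id) {
        std::lock_guard<std::mutex> lock(mHeadMutex);
        for (auto& e : mElements) {
            if (e.id != id) continue;
            mLive.erase(e.mRef);                 // models DNSServiceRefDeallocate()
            if (mClearAfterFree) e.mRef = 0;     // the fix: clear before unlocking
        }
    }
    // rescan(): counts entries whose handle it would use although it is already freed.
    int rescan() {
        std::lock_guard<std::mutex> lock(mHeadMutex);
        int stale = 0;
        for (const auto& e : mElements)
            if (e.mRef != 0 && mLive.count(e.mRef) == 0) ++stale;
        return stale;
    }
};

// rescan() scheduled in the gap after the handler's first critical section.
int staleRefsSeenByRescan(bool clearAfterFree) {
    Monitor m(clearAfterFree);
    m.add(1);
    m.add(2);
    m.deallocate(1);      // handler releases mHeadMutex after this call
    return m.rescan();    // runs before the handler's second critical section
}
```

Holding the lock during the free is not enough on its own: the stale value survives the unlock, so any other lock holder that tests `mRef` for null still sees it as usable.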