ANDROID: userfaultfd: Fix use-after-free in userfaultfd_using_sigbus()
In ee9964b3 ("ANDROID: userfaultfd: allow SPF for UFFD_FEATURE_SIGBUS on private+anon"), we allowed userfaultfd registered VMAs using SIGBUS to be handled with SPF. But during page-fault handling, when the VMA is copied, the userfaultfd_ctx pointer is also copied. However, another thread may call userfaultfd_release() and thereby cause deallocation of the same userfaultfd_ctx. Eventually, the first thread may access the dangling pointer in userfaultfd_using_sigbus().

It is insufficient to do the access under rcu read-lock as the context may have been deallocated before entering the critical section. Checking mmap_seq in the critical section ensures we are not looking at a dangling pointer to userfaultfd_ctx. This is because mmap_seq is updated on mmap_write_lock()/unlock(), and therefore userfaultfd_release() running simultaneously on another thread and thereby unlinking the vma will update mmap_seq.

Change-Id: I9c3ba0f1352e49f0ea387b92c18b5f1b5dcad7f1
Signed-off-by: Lokesh Gidra <lokeshgidra@google.com>
Bug: 349936398
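The race and the mmap_seq check described in the commit message, as an added userspace model in C. This is not code from the commit or from the kernel: the type and function names (uffd_ctx, vma, mm, mmap_write_lock, userfaultfd_release, spf_begin, using_sigbus_*) mirror the kernel's for readability but are all defined here, freeing the ctx is modelled as poisoning it so the stale read is observable without undefined behaviour, and the two threads are interleaved by hand in run_scenario().

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model of the race fixed by the commit above. Every name below
 * is defined in this file; nothing here is kernel code or a kernel API. */

#define UFFD_FEATURE_SIGBUS 1u
#define FREED_POISON        0xdeadbeefu  /* whatever reuses the freed slot */

struct uffd_ctx {                /* models userfaultfd_ctx */
    unsigned features;
    bool freed;
};

struct vma {                     /* models vm_area_struct, one field only */
    struct uffd_ctx *ctx;        /* models vma->vm_userfaultfd_ctx.ctx */
};

struct mm {                      /* models mm_struct */
    atomic_uint mmap_seq;        /* bumped on mmap_write_lock()/unlock() */
    struct vma vma;
};

static void mmap_write_lock(struct mm *mm)   { atomic_fetch_add(&mm->mmap_seq, 1); }
static void mmap_write_unlock(struct mm *mm) { atomic_fetch_add(&mm->mmap_seq, 1); }

/* Models userfaultfd_release(): unlink the ctx from the VMA under the mmap
 * write lock, then drop the ctx (modelled as poisoning instead of free()). */
static void userfaultfd_release(struct mm *mm)
{
    mmap_write_lock(mm);
    struct uffd_ctx *ctx = mm->vma.ctx;
    mm->vma.ctx = NULL;
    mmap_write_unlock(mm);
    ctx->freed = true;
    ctx->features = FREED_POISON;
}

/* Speculative fault state: the seq seen at fault start plus a by-value copy
 * of the VMA, which carries the ctx pointer along with it. */
struct spf {
    unsigned seq;
    struct vma vma_copy;
};

/* Returns false if a write is in progress (odd seq); the caller then takes
 * the locked path instead of speculating. */
static bool spf_begin(struct mm *mm, struct spf *s)
{
    s->seq = atomic_load(&mm->mmap_seq);
    if (s->seq & 1)
        return false;
    s->vma_copy = mm->vma;
    return true;
}

/* Pre-fix: trust the copied pointer. 1 = ctx has SIGBUS, 0 = no ctx or no
 * SIGBUS. If the ctx was released in between, this reads freed memory. */
static int using_sigbus_unchecked(const struct spf *s)
{
    const struct uffd_ctx *ctx = s->vma_copy.ctx;
    if (!ctx)
        return 0;
    return (ctx->features & UFFD_FEATURE_SIGBUS) ? 1 : 0;
}

/* Post-fix: re-read mmap_seq before touching the ctx. A changed seq means an
 * mmap_write_lock()/unlock() pair ran since the copy was taken, which is what
 * a concurrent userfaultfd_release() does, so the pointer may dangle; return
 * -1 to abandon speculation and retry under the lock. (The kernel brackets
 * this in rcu_read_lock(); as the message says, that alone does not help
 * when the ctx was already gone before the critical section began.) */
static int using_sigbus_checked(struct mm *mm, const struct spf *s)
{
    if (atomic_load(&mm->mmap_seq) != s->seq)
        return -1;
    const struct uffd_ctx *ctx = s->vma_copy.ctx;
    if (!ctx)
        return 0;
    return (ctx->features & UFFD_FEATURE_SIGBUS) ? 1 : 0;
}

/* Thread A starts a speculative fault and copies the VMA; optionally thread B
 * runs userfaultfd_release() before A looks at the ctx. Returns A's verdict. */
static int run_scenario(bool release_in_between, bool checked)
{
    struct uffd_ctx ctx = { .features = UFFD_FEATURE_SIGBUS, .freed = false };
    struct mm mm = { .vma = { .ctx = &ctx } };
    struct spf s;

    atomic_init(&mm.mmap_seq, 0);
    if (!spf_begin(&mm, &s))
        return -1;
    if (release_in_between)
        userfaultfd_release(&mm);      /* B wins the race */
    return checked ? using_sigbus_checked(&mm, &s)
                   : using_sigbus_unchecked(&s);
}

int main(void)
{
    printf("no race, unchecked: %d\n", run_scenario(false, false));  /* 1 */
    printf("no race, checked:   %d\n", run_scenario(false, true));   /* 1 */
    printf("race,    unchecked: %d (garbage from a freed ctx)\n",
           run_scenario(true, false));                                /* 1 */
    printf("race,    checked:   %d (retry under mmap lock)\n",
           run_scenario(true, true));                                 /* -1 */
    return 0;
}
```

The unchecked path in the raced scenario still answers "1" only because the poison value happens to have its low bit set; it is reading freed memory and could return anything, which is the use-after-free the commit describes. The checked path does not look at the ctx at all once the sequence has moved.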