Description: binder: fix UAF of alloc->vma in race with munmap()
References:
 https://android.googlesource.com/kernel/common/+/201d5f4a3ec1
 https://source.android.com/docs/security/bulletin/2023-01-01
 https://bugs.chromium.org/p/project-zero/issues/detail?id=2374
Notes:
 carnil> As noted in the commit: Note this patch is specific to stable
 carnil> branches 5.4 and 5.10. Since in newer kernel releases binder no
 carnil> longer caches a pointer to the vma. Instead, it has been
 carnil> refactored to use vma_lookup() which avoids the issue described
 carnil> here. This switch was introduced in commit a43cfc87caaf
 carnil> ("android: binder: stop saving a pointer to the VMA").
Bugs:
upstream: released (6.0-rc1) [a43cfc87caaf46710c8027a8c23b8a55f1078f19]
5.10-upstream-stable: released (5.10.154) [015ac18be7de25d17d6e5f1643cb3b60bfbe859e]
4.19-upstream-stable: N/A "Vulnerable code introduced later"
sid: released (5.19.6-1)
5.10-bullseye-security: released (5.10.158-1)
4.19-buster-security: N/A "Vulnerable code introduced later"