ANDROID: SPF: Fix swap faults racing with fast-mremap
pte_unmap_same() and pte_offset_map_lock() in do_swap_page() do not check that the original faulting pmd_t is still the same before attempting to take the ptl lock for the page table, nor do they check the mm_struct's sequence number. This is problematic if a concurrent fast-mremap happens where the pmd_t entry has been moved, as now the vmf->pmd is pointing to the wrong page table. This incorrect page table may not be allocated, which will cause the kernel to panic when attempting to take the ptl lock on it.

Reinstate the vma refcount trylock since this will prevent a concurrent mremap on the VMA on which the speculative fault is happening.

Note fast-mremap still needs to take the page table ptl lock (pte level) to avoid SPF races due to VMA splitting.

Bug: 398054290
Bug: 400153677
Change-Id: I447f6f1b57bf1e7dd677e3aec47721702c6e6b88
Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
(cherry picked from commit 5a07ad10)