unionfs: fix NULL deref on closing an fd passed through SCM_RIGHTS

If the last reference to an open file is contained in an SCM_RIGHTS
message in a UNIX domain socket, and that message is discarded without
being read out by the receiver, VOP_CLOSE will ultimately be called
with ap->a_td == NULL.

Change unionfs_close() to check for this condition instead of blindly
passing the thread to unionfs_find_node_status() which will try to
dereference it. Also add relevant asserts on the node status lookup
paths.

PR: 289700
Reported by: asomers
Reviewed by: asomers, olce
Differential Revision: https://reviews.freebsd.org/D53079

(cherry picked from commit 880d180bb21c764aec6bd5bc8c0a6b07b8c2e199)