fget_mmap() extracts the max_prot flags corresponding to rights on the
descriptor. The issue is, those rights may change if another thread
closes the fd or something like that. This is caught using the sequence
counter, but not before it can trip assertions in the cap_rights code.
Instead, make a local copy of the rights, using seqc to ensure that the
copy is consistent, and use that to derive max_prot. This is what
fget_unlocked() does as well.
I quickly looked for other places where we might have a similar
problem and didn't find any, but will do a more careful audit before
committing. We hold the fildesc lock in most places that extract the
capability rights from an fd.