kern_dup(): Call filecaps_free_prep() in a write section.

filecaps_free_prep() bzeros the capabilities structure and we need to be
careful to synchronize with unlocked readers, which expect a consistent
rights structure.

Reviewed by:	kib, mjg
Reported by:	syzbot+5f30b507f91ddedded21@syzkaller.appspotmail.com
MFC after:	2 weeks
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D24120

sys/kern/kern_descrip.c

@@ -968,7 +968,6 @@ kern_dup(struct thread *td, u_int mode, int flags, int old, int new)
 	newfde = &fdp->fd_ofiles[new];
 	delfp = newfde->fde_file;
 
-	oioctls = filecaps_free_prep(&newfde->fde_caps);
 	nioctls = filecaps_copy_prep(&oldfde->fde_caps);
 
 	/*
@@ -977,6 +976,7 @@ kern_dup(struct thread *td, u_int mode, int flags, int old, int new)
 #ifdef CAPABILITIES
 	seqc_write_begin(&newfde->fde_seqc);
 #endif
+	oioctls = filecaps_free_prep(&newfde->fde_caps);
 	memcpy(newfde, oldfde, fde_change_size);
 	filecaps_copy_finish(&oldfde->fde_caps, &newfde->fde_caps,
 	    nioctls);