
posixshm: Fix range locking in shm_write()

Description

posixshm: Fix range locking in shm_write()

There is a somewhat strange case where when writing to a POSIX shm
object, the object is not allowed to grow, and the I/O offset+length
overflows. In that case we simply truncate the I/O to the object size.
Later we write-lock the range [offset, objsize). However, we were not
checking whether offset > objsize, in which case we're writing zero
bytes but locking an invalid range.

Modify the range locking in shm_write() to take this possibility into
account. While here, rename a variable to make its purpose a bit more
clear, and add an assertion against negative offsets (which is supposed
to be enforced by the caller of fo_write for I/O to files that aren't
character devices).

Reported by: syzkaller
Reviewed by: kevans, kib
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D49673
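As an added illustration, not code from the commit or from the FreeBSD tree: a constructed C model of the write-range computation described above, with the pre-fix behaviour (the range [offset, objsize) is locked even when offset lies past the end) beside the fixed behaviour (an offset at or beyond the end writes nothing and locks nothing). The struct and function names are assumptions made for this example.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model of the plan shm_write() builds before locking; not kernel code. */
struct wr_plan {
	int64_t lock_start;   /* first byte to write-lock */
	int64_t lock_end;     /* one past the last byte to lock */
	size_t  nbytes;       /* bytes actually written after truncation */
	bool    needs_lock;   /* whether any range lock is taken at all */
};

/* Before the fix: truncate to the object size, then always lock [offset, objsize). */
static struct wr_plan
plan_write_before(int64_t offset, size_t len, int64_t objsize, bool may_grow)
{
	struct wr_plan p = { offset, offset + (int64_t)len, len, true };

	if (!may_grow && offset + (int64_t)len > objsize) {
		/* With offset > objsize this difference is negative and wraps as size_t. */
		p.nbytes = (size_t)(objsize - offset);
		p.lock_end = objsize;   /* now below lock_start: an inverted range */
	}
	return p;
}

/* After the fix: check whether the offset is already at or past the end. */
static struct wr_plan
plan_write_after(int64_t offset, size_t len, int64_t objsize, bool may_grow)
{
	struct wr_plan p = { offset, offset + (int64_t)len, len, true };

	/* Negative offsets are the caller's responsibility (the fo_write contract). */
	assert(offset >= 0);
	if (!may_grow && offset + (int64_t)len > objsize) {
		if (offset >= objsize) {
			p.nbytes = 0;           /* zero bytes to write... */
			p.needs_lock = false;   /* ...so no range to lock */
			p.lock_end = p.lock_start;
		} else {
			p.nbytes = (size_t)(objsize - offset);
			p.lock_end = objsize;
		}
	}
	return p;
}

/* A lock request is sane only if it is skipped or covers a non-inverted range. */
static bool range_is_valid(const struct wr_plan *p)
{
	return !p->needs_lock || p->lock_start <= p->lock_end;
}
```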

Details

Provenance
markj authored on Sun, Apr 6, 10:51 PM
Reviewer
kevans
Differential Revision
D49673: posixshm: Fix range locking in shm_write()
Parents
rGda05ca9ab655: vm_object: Make a comment more clear
Branches
Unknown
Tags
Unknown