DF-0131
fp_mmap size arithmetic can wrap past SSIZE_MAX after signedness check
Summary
fp_mmap rejects (ssize_t)size<0(:409) but size+=pageoff(:416)+round_page(:417) can push past SSIZE_MAX. No wrap re-check (unlike sys_msync:474). Contained by vm_mmap downstream validation. Phantom success if wraps to 0.