Open
Description
If an allocator obtains a capability to the part of the revocation bitmap corresponding to an mmapped arena using cheri_revoke_get_shadow and then the arena is unmapped, the bitmap capability is not revoked. The kernel should likely paint the appropriate bitmap either immediately upon the arena's transition to the quarantined state (or perhaps when the item is picked for revocation at the beginning of an epoch) so that the bitmap capabilities are cleared before the address range is reused.
It is not immediately obvious how the ability to trigger revocation of new allocations is useful to an attacker, but any source of UB is likely to be an attack surface.
Metadata