In vmap::pagefault the assert assumed a PRIVATE vma would have a
vmnode with 1 ref.  In vmap::copy, however, the vmnode reference is
incremented, then the vma is replaced with one of type COW.  If a
thread is pagefaulting while another is forking there is a race.