DF-0169
sysref_get has no refcount overflow guard
Summary
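sysref_get (sysref2.h:68) increments the reference count with atomic_add_int(&refcnt,1) and never checks the result. After ~2^30 gets the count overflows INT_MAX and goes negative. The result is a KKASSERT panic in _sysref_put or, on kernels built without INVARIANTS, state corruption leading to a premature free and use-after-free. Infeasible in practice: each ref consumes kernel memory, so the system hits OOM first.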
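A userland C11 model of the unchecked increment next to a guarded variant, added here as an illustration and not taken from DragonFly's sysref code. struct ref_model, the model_* functions and the choice of INT_MAX as the refusal limit are assumptions.

```c
#include <limits.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for a reference-counted object; not the sysref struct. */
struct ref_model {
    atomic_int refcnt;
};

/* Unchecked get: same shape as the atomic_add_int(&refcnt,1) in the finding. */
static void model_get_unchecked(struct ref_model *r)
{
    /* C11 atomic arithmetic on signed types wraps silently, so INT_MAX + 1
     * becomes INT_MIN instead of being undefined behaviour. */
    atomic_fetch_add(&r->refcnt, 1);
}

/* Guarded get: refuse the reference once the count has reached the limit.
 * The caller must handle failure instead of assuming a reference was taken. */
static bool model_get_guarded(struct ref_model *r)
{
    int old = atomic_load(&r->refcnt);
    do {
        if (old == INT_MAX)
            return false;               /* would overflow: leave count as is */
    } while (!atomic_compare_exchange_weak(&r->refcnt, &old, old + 1));
    return true;
}

static int model_count(struct ref_model *r)
{
    return atomic_load(&r->refcnt);
}

int main(void)
{
    struct ref_model a, b;

    atomic_init(&a.refcnt, INT_MAX);    /* constructed starting state */
    model_get_unchecked(&a);
    printf("unchecked: %d\n", model_count(&a));

    atomic_init(&b.refcnt, INT_MAX);
    printf("guarded ok=%d count=%d\n", model_get_guarded(&b), model_count(&b));
    return 0;
}
```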