DF-0246
UAF: eventhandler dispatch traverses entry list without token while deregister frees entries
Summary
EVENTHANDLER_INVOKE(eventhandler.h:114-126) traverses el_entries WITHOUT evlist_token. EVENTHANDLER_FAST_INVOKE never touches token. eventhandler_deregister(subr_eventhandler.c:125-126) TAILQ_REMOVE+kfree under token. Dispatch on CPU A holds raw TAILQ_NEXT pointer, deregister+kfree on CPU B -> UAF. Module self-deregister during active invoke loop -> immediate UAF. No refcount/RCU grace period.