DF-0306
UAF in add_bw_upcall: mfc pointer used after mroute_token released across blocking kmalloc
Summary
add_bw_upcall(:2285) captures mfc under token, releases token(:2301), kmalloc(M_INTWAIT blocks)(:2304), re-acquires token(:2319), writes through stale mfc(:2321-2322). Concurrent del_mfc(:1117) or MRT_DONE(:661) frees mfc during gap. Write to freed heap + dangling bm_mfc deref later. Root (mrouter socket) but kernel-scope.