DF-0434
bpf_filter_read (knote f_event) reads bd_* state and re-arms callout without bpf_token: race
Summary
bpf_filter_read (:1206-1227) is the knote f_event handler and is invoked by kqueue WITHOUT bpf_token held. It reads bd_hlen, bd_immediate, bd_state, bd_slen and bd_rtout (:1213-1219), programs callout_reset (:1220-1223) and then writes bd_state = BPF_WAITING. Every other path that touches this state does so under bpf_token. It therefore races bpfioctl (:721-723, which sets BPF_IDLE and stops the callout under the token) and catchpacket/bpf_wakeup, giving torn reads of the bd_* state and a callout armed on a descriptor that has just been quiesced. Consequence: a possible missed or extra wakeup. A UAF is theoretical only: it would require the callout to dereference d after bpfclose, but the fd layer detaches knotes first.
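The following is an added userland model of the race, not code from the kernel this finding is about: the struct, the field names it borrows from the finding, the quiesce() stand-in for the bpfioctl path and the token bookkeeping are all hypothetical. It shows two things a reviewer would want: a lock assertion (in the spirit of a kernel's MUTEX_ASSERT_LOCKED) that counts every bd_* access made without the token, which flags the unsynchronised f_event path and passes the serialized one, and a deterministic replay of the interleaving, where a quiesce slipping between the state read and the callout_reset leaves the callout armed on a descriptor that was just stopped.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the descriptor fields named in the finding; this is
 * not the kernel's struct bpf_d. token_held stands in for holding bpf_token
 * (single-threaded model, so a flag rather than a real mutex suffices). */
enum { BPF_IDLE = 0, BPF_WAITING = 1 };

struct bpf_d_model {
	int token_held;          /* 1 while the modelled bpf_token is held */
	int bd_state;
	int bd_hlen;             /* bytes in the hold buffer */
	int bd_slen;             /* bytes in the store buffer */
	int bd_immediate;
	int bd_rtout;            /* read timeout; 0 = none */
	int callout_armed;       /* 1 while the modelled read-timeout callout is pending */
	int unlocked_accesses;   /* bd_* accesses made without the token (lock-assertion counter) */
};

static void token_enter(struct bpf_d_model *d) { d->token_held = 1; }
static void token_leave(struct bpf_d_model *d) { d->token_held = 0; }

/* Lock assertion: every bd_* access goes through here, so an unsynchronised
 * caller is counted instead of silently tolerated. */
static void assert_token(struct bpf_d_model *d)
{
	if (!d->token_held)
		d->unlocked_accesses++;
}

static void model_init(struct bpf_d_model *d, int rtout)
{
	memset(d, 0, sizeof(*d));
	d->bd_rtout = rtout;
}

/* Stand-in for the bpfioctl path (:721-723): under the token, mark the
 * descriptor idle and stop any pending callout. */
static void quiesce(struct bpf_d_model *d)
{
	token_enter(d);
	d->bd_state = BPF_IDLE;
	d->callout_armed = 0;
	token_leave(d);
}

struct snapshot { int hlen, slen, immediate, rtout, state; };

/* Read half of f_event: snapshot the bd_* fields it consults. */
static struct snapshot read_state(struct bpf_d_model *d)
{
	struct snapshot s;
	assert_token(d);
	s.hlen = d->bd_hlen; s.slen = d->bd_slen; s.immediate = d->bd_immediate;
	s.rtout = d->bd_rtout; s.state = d->bd_state;
	return s;
}

/* Arm half of f_event: readable now returns 1; otherwise, with a read timeout
 * configured and the descriptor idle, arm the callout and go to BPF_WAITING. */
static int arm_from_snapshot(struct bpf_d_model *d, const struct snapshot *s)
{
	assert_token(d);
	if (s->hlen != 0 || (s->immediate && s->slen != 0))
		return 1;
	if (s->rtout != 0 && s->state == BPF_IDLE) {
		d->callout_armed = 1;
		d->bd_state = BPF_WAITING;
	}
	return 0;
}

/* The path as the finding describes it: both halves run without the token, so
 * `interleave` (a concurrent bpfioctl, here quiesce) can run between them and
 * the arm is then driven by a stale snapshot. Returns the unlocked-access count. */
static int unlocked_filter_read(struct bpf_d_model *d, void (*interleave)(struct bpf_d_model *))
{
	struct snapshot s;
	d->unlocked_accesses = 0;
	s = read_state(d);
	if (interleave)
		interleave(d);
	(void)arm_from_snapshot(d, &s);
	return d->unlocked_accesses;
}

/* Serialized version: snapshot, decision and re-arm all under the token, so a
 * concurrent quiesce runs entirely before or entirely after, never in between. */
static int locked_filter_read(struct bpf_d_model *d)
{
	struct snapshot s;
	d->unlocked_accesses = 0;
	token_enter(d);
	s = read_state(d);
	(void)arm_from_snapshot(d, &s);
	token_leave(d);
	return d->unlocked_accesses;
}

int main(void)
{
	struct bpf_d_model d;
	model_init(&d, 10);
	printf("unlocked path: %d unlocked bd_* accesses, callout armed after stop = %d\n",
	       unlocked_filter_read(&d, quiesce), d.callout_armed);
	model_init(&d, 10);
	printf("serialized path: %d unlocked bd_* accesses\n", locked_filter_read(&d));
	return 0;
}
```

The counter is the cheap, always-on check: any bd_* access outside the token shows up as a non-zero count, which is exactly what a lock assertion in the kernel would trip on for the f_event path. The replay shows the consequence the finding names: after quiesce() has stopped the callout, the stale snapshot still reports BPF_IDLE with a timeout configured, so the unlocked path re-arms the callout on the quiesced descriptor.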