DF-0511
UAF/stale-socket race in deferred upcall ng_ksocket_incoming2: queued so pointer may be freed by shutdown
Summary
ng_ksocket_incoming (:985-998) reads NG_NODE_PRIVATE(node) without holding a node reference. ng_ksocket_incoming2 (:1012) takes so = arg1, a raw socket pointer queued via ng_send_fn1 (:999). The KASSERT(so == priv->so) check (:1023) is debug-only. If ng_ksocket_shutdown runs between queueing and execution, it calls soclose (:932), which frees the socket, and sets priv->so = NULL (:933); so = arg1 is then dangling, and every dereference (so_error, so_state, soreceive) is a use-after-free. Shutdown clears the upcall (:929-931), but the already-queued work item still carries the raw so pointer. Fix: soreference before ng_send_fn1, sorele in ng_ksocket_incoming2.
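A userspace C model of the fix, added here as an illustration and not taken from ng_ksocket or FreeBSD: the queued work item holds its own socket reference, so the release done by shutdown cannot free the socket before the deferred handler has run. All struct and function names are hypothetical; the runtime so == priv->so check standing in for the KASSERT, and priv outliving the work item, are assumptions of the model.

```c
#include <stddef.h>

/* Userspace model; every name here is hypothetical, not FreeBSD code. */
struct sock_model { int refs; int freed; int so_error; };
struct priv_model { struct sock_model *so; };
struct work_item  { struct priv_model *priv; struct sock_model *so; };

static void so_ref(struct sock_model *so) { so->refs++; }
/* Last release "frees"; the model only sets a flag so the state stays visible. */
static void so_rele(struct sock_model *so) { if (--so->refs == 0) so->freed = 1; }

/* Upcall side: pin the socket before its raw pointer goes onto the queue. */
static struct work_item queue_incoming(struct priv_model *priv) {
    struct work_item w = { priv, priv->so };
    so_ref(w.so);
    return w;
}

/* Shutdown side: clear priv->so and drop the node's own reference. */
static void node_shutdown(struct priv_model *priv) {
    struct sock_model *so = priv->so;
    priv->so = NULL;
    so_rele(so);
}

/* Deferred side: -1 if the node was shut down meanwhile, else so_error.
 * The queued reference is released on every path (assumed runtime check). */
static int deferred_incoming(struct work_item *w) {
    int rc = -1;
    if (w->priv->so == w->so)
        rc = w->so->so_error;
    so_rele(w->so);
    return rc;
}

/* Queue, then shutdown, then deferred exec: returns 1 when the socket was
 * still alive at exec time and was freed only after the handler released it. */
static int race_socket_alive_at_exec(void) {
    struct sock_model so = { 1, 0, 0 };
    struct priv_model priv = { &so };
    struct work_item w = queue_incoming(&priv);
    node_shutdown(&priv);
    int alive = !so.freed;
    int rc = deferred_incoming(&w);
    return alive && rc == -1 && so.freed && so.refs == 0;
}

int main(void) { return race_socket_alive_at_exec() ? 0 : 1; }
```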