fix(security): Red Team bug fixes + deep analysis hardening

fix(security): Red Team bug fixes + deep analysis hardening

Red Team report fixes (8 bugs):
- pmm_free_page: add rc==0 double-free guard with BUG log
- uaccess: move global state to per-CPU via GS segment (SMP safety)
- elf.c: add overflow checks for p_vaddr+base_offset and vaddr+p_memsz
- ksem_wait: retry loop on waiter-array-full instead of silent discard
- kstack: add free-slot recycling stack (256 entries) to prevent leak
- schedule(): fix fallback dequeue from active (not expired) after swap
- buddy_of(): add bounds check, kfree handles NULL return
- e1000: add compiler memory barriers to MMIO read/write helpers

Deep analysis fixes (4 additional bugs):
- readdir: fix strcpy buffer overflow d_name[24] from name[128] in
  tmpfs, devfs, initrd (use strncpy + null termination)
- mq_send_impl: fix TOCTOU race — copy user data to kbuf before lock
- dlopen: add 32-bit overflow checks for p_vaddr+base and vaddr+p_memsz
- tmpfs/overlayfs: replace unbounded strcpy into vfs.name[128] and
  symlink_target[128] with strncpy

Regression fix:
- percpu: add self-pointer as first field of percpu_data so that
  percpu_get() returns a valid pointer (was returning cpu_index=0 as
  NULL pointer on BSP, causing triple fault)

Verified: make ARCH=x86 builds clean, cppcheck+sparse pass,
102/103 smoke tests PASS (1 pre-existing timeout).