timeout: make to_kclock validation more rigorous
In kern_timeout.c, the to_kclock checks are not strict enough to catch
all plausible programmer mistakes. Tighten them up:
- timeout_set_flags: KASSERT that kclock is valid
- timeout_abs_ts: KASSERT that to_kclock is KCLOCK_UPTIME
We can also add to_kclock validation to softclock() and
db_show_timeout(), which may help to debug memory corruption:
- softclock: panic if to_kclock is not KCLOCK_NONE or KCLOCK_UPTIME
- db_show_timeout: print warning if to_kclock is invalid
Prompted by bluhm@ in response to a syzbot panic. Hopefully these
changes help to narrow down the root cause.
Link: https://syzkaller.appspot.com/bug?extid=49d3f7118413963f651a
Reported-by: syzbot+49d3f7118413963f651a@syzkaller.appspotmail.com
ok bluhm@
projects / openbsd / commit