kernel - Possible fix to 'Bad link elm' panic in random callout

kernel - Possible fix to 'Bad link elm' panic in random callout

* Fix a rare race condition where the acquisition of p_token in the
  tsleep callout code can delay the setting of TDF_TIMEOUT, potentially
  causing it to skip the current tsleep entirely and trigger on a later
  tsleep.

  If this occurs the later callout is not terminated and tsleep() can return
  with it still active.  The callout is declared on the kernel stack, leading
  to the assertion and crash.

* During evaluation I noticed that the corrupted callout structure in
  Rumko's crash dump contained information that indicated it was part of
  a stack frame.  I think only tsleep() declares callout structures on the
  stack.

PR: 1977, 1835, 2037 (tracking using 2037)
Reported-by: Rumko, Francois Tigeot <ftigeot@wolfpond.org>