kernel - Possible fix to 'Bad link elm' panic in random callout

* Fix a rare race condition where the acquisition of p_token in the
  tsleep callout code can delay the setting of TDF_TIMEOUT, potentially
  causing it to skip the current tsleep entirely and trigger on a later
  tsleep.

  If this occurs the later callout is not terminated and tsleep() can return
  with it still active. The callout is declared on the kernel stack, leading
  to the assertion and crash.

* During evaluation I noticed that the corrupted callout structure in
  Rumko's crash dump contained information that indicated it was part of
  a stack frame. I think only tsleep() declares callout structures on the
  stack.

PR: 1977, 1835, 2037 (tracking using 2037)
Reported-by: Rumko, Francois Tigeot <ftigeot@wolfpond.org>
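
The failure mode described in the commit message, as an added single-threaded user-space model (not DragonFly kernel code and not the change this commit makes). Every name except tsleep and TDF_TIMEOUT is hypothetical, the static `frame_slot` stands in for the stack frame, and the `always_stop` branch is an assumed defensive variant for contrast.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* User-space model; all names except tsleep and TDF_TIMEOUT are hypothetical. */
struct callout { struct callout *next, **prevp; };
static struct callout *wheel;        /* list of pending callouts */
static bool tdf_timeout;             /* models the thread's TDF_TIMEOUT flag */
static struct callout frame_slot;    /* stands in for tsleep()'s stack frame */
static void arm(struct callout *c) {
    c->next = wheel; c->prevp = &wheel;
    if (wheel) wheel->prevp = &c->next;
    wheel = c;
}
static void stop(struct callout *c) {
    *c->prevp = c->next;
    if (c->next) c->next->prevp = c->prevp;
}
/* List-integrity check of the kind that reports a bad link element. */
static bool wheel_links_ok(void) {
    struct callout **pp = &wheel;
    for (struct callout *c = wheel; c; pp = &c->next, c = c->next)
        if (c->prevp != pp) return false;
    return true;
}
/* One sleep. stale_flag: a timeout from an earlier sleep sets the flag only now. */
static void model_tsleep(bool stale_flag, bool always_stop) {
    struct callout *c = &frame_slot;
    arm(c);
    if (stale_flag) tdf_timeout = true;
    if (tdf_timeout) {               /* sleeper assumes its own callout fired */
        tdf_timeout = false;
        if (always_stop) stop(c);    /* assumed defensive variant */
    } else {
        stop(c);                     /* normal wakeup cancels the timer */
    }
    memset(c, 0, sizeof *c);         /* frame is reused after return */
}
static bool run_scenario(bool always_stop) {
    wheel = NULL; tdf_timeout = false;
    model_tsleep(false, always_stop);   /* flag for this sleep is delayed */
    model_tsleep(true, always_stop);    /* stale flag lands on a later sleep */
    return wheel_links_ok();
}
int main(void) {
    printf("buggy ok=%d, always-stop ok=%d\n", run_scenario(false), run_scenario(true));
    return 0;
}
```

In the first scenario the pending list still points into the reused frame after the second sleep returns, so the link check fails; in the second the callout is unlinked before the frame is reused and the list stays consistent.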