NetBSD-Bugs archive


kern/60160: assert failed: it->it_time.it_value.tv_sec >= NUM



>Number:         60160
>Category:       kern
>Synopsis:       assert failed: it->it_time.it_value.tv_sec >= NUM
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Apr 02 08:10:00 +0000 2026
>Originator:     Jiaming Zhang
>Release:        image: NetBSD-10.1; kernel: trunk branch, commit fcca2226d50a3222f4010b6ef59cb5a1f9aa319b
>Organization:
>Environment:
NetBSD  11.99.5 NetBSD 11.99.5 (CLOUD) #0: Wed Apr  1 18:34:06 CST 2026  root@ustb520lab-MS-7E07:/vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/arch/amd64/compile/obj/CLOUD amd64
>Description:
When fuzzing the NetBSD kernel with syzkaller and our generated syscall descriptions, we encountered an issue: assert failed: it->it_time.it_value.tv_sec >= NUM. This issue is reproducible in a recent version of the NetBSD kernel (commit fcca2226d50a3222f4010b6ef59cb5a1f9aa319b).

The kernel console output, kernel config, and reproducers are available at: https://drive.google.com/drive/folders/1Mp2auLj17ajwYab1KNCbWwqLr0MS8_YZ?usp=sharing

The symbolized issue report is also shown below to help with analysis:

```
TITLE: assert failed: it->it_time.it_value.tv_sec >= NUM
CORRUPTED: false ()
SUPPRESSED: false
MAINTAINERS (TO): []
MAINTAINERS (CC): []

login: [  24.3857012] panic: kernel diagnostic assertion "it->it_time.it_value.tv_sec >= 0" failed: file "/vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/kern/kern_time.c", line 921 
[  24.3857012] cpu1: Begin traceback...
[  24.3956906] asan.module_ctor() at ffffffff81ebbd0e
[  24.4056888] asan.module_ctor() at ffffffff8229fb3e
[  24.4056888] itimer_callout() at netbsd:itimer_callout+0xed2 vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/kern/kern_time.c:-1
[  24.4156880] asan.module_ctor() at ffffffff81f0fc17
[  24.4256864] asan.module_ctor() at ffffffff81f0fe41
[  24.4356872] asan.module_dtor() at ffffffff81e1c909
[  24.4456896] syscall() at netbsd:syscall+0x26d sy_call vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/sys/syscallvar.h:65 [inline]
[  24.4456896] syscall() at netbsd:syscall+0x26d sy_invoke vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/sys/syscallvar.h:94 [inline]
[  24.4456896] syscall() at netbsd:syscall+0x26d vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/arch/x86/x86/syscall.c:137
[  24.4456896] --- syscall (number 178 via SYS_syscall) ---
[  24.4456896] netbsd:syscall+0x26d:
[  24.4456896] cpu1: End traceback...

[  24.4456896] dumping to dev 168,1 (offset=29361126, size=524159):
[  24.4456896] dump 607 606 605 604 603 602 601 600 599 598 597 596 595 594 593 592 591 590 589 588 587 586 585 584 583 582 581 580 579 578 577 576 575 574 573 572 571 570 569 568 567 566 565 564 563 562 561 560 559 558 557 556 555 554 553 552 551 550 549 548 547 546 545 544 543 542 541 540 539 538 537 536 535 534 533 532 531 530 529 528 527 526 525 524 523 522 521 520 519 518 517 516 515 514 513 512 511 510 509 508 507 506 505 504 503 502 501 500 499 498 497 496 495 494 493 492 491 490 489 488 487 486 485 484 483 482 481 480 479 478 477 476 475 474 473 472 471 470 469 468 467 466 465 464 463 462 461 460 459 458 457 456 455 454 453 452 451 450 449 448 447 446 445 444 443 442 441 440 439 438 437 436 435 434 433 432 431 430 429 428 427 426 425 424 423 422 421 420 419 418 417 416 415 414 413 412 411 410 409 408 
```
>How-To-Repeat:
The issue can be reproduced by running the syz reproducer on the kernel under a specified config.
>Fix:



