kern/60166: assert failed: ts->tv_nsec >= NUM

["r772577952%gmail.com@localhost via gnats" <gnats-admin%NetBSD.org@localhost>]

>Number:         60166
>Category:       kern
>Synopsis:       assert failed: ts->tv_nsec >= NUM
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Apr 02 08:25:01 +0000 2026
>Originator:     Jiaming Zhang
>Release:        image: NetBSD-10.1; kernel: trunk branch, commit fcca2226d50a3222f4010b6ef59cb5a1f9aa319b
>Organization:
>Environment:
NetBSD  11.99.5 NetBSD 11.99.5 (CLOUD) #0: Wed Apr  1 18:34:06 CST 2026  root@ustb520lab-MS-7E07:/vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/arch/amd64/compile/obj/CLOUD amd64
>Description:
When fuzzing NetBSD kernel with syzkaller and our generated syscall descriptions, we encountered an issue: assert failed: ts->tv_nsec >= NUM. This issues is reproducible in a recent version of NetBSD kernel (commit fcca2226d50a3222f4010b6ef59cb5a1f9aa319b).

The kernel console output, kernel config, and reproducers are available at: https://drive.google.com/drive/folders/1s6_7-GqMJfUOiN5v_Exvfa9ulN4FpMoO?usp=sharing

The symbolized issue report is also shown below to help with analysis:

```
TITLE: assert failed: ts->tv_nsec >= NUM
CORRUPTED: false ()
SUPPRESSED: false
MAINTAINERS (TO): []
MAINTAINERS (CC): []

login: [ 146.3884042] panic: kernel diagnostic assertion "ts->tv_nsec >= 0" failed: file "/vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/kern/subr_time_arith.c", line 170 
[ 146.3884042] cpu0: Begin traceback...
[ 146.3884042] asan.module_ctor() at ffffffff81ebbd0e
[ 146.3984161] asan.module_ctor() at ffffffff8229fb3e
[ 146.4084100] asan.module_ctor() at ffffffff81ec7d48
[ 146.4084100] filt_timercompute() at netbsd:filt_timercompute+0x394 vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/kern/kern_event.c:1373
[ 146.4184063] filt_timerattach() at netbsd:filt_timerattach+0x13c vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/kern/kern_event.c:1446
[ 146.4284077] kqueue1() at netbsd:kqueue1+0x1a6e filter_attach vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/kern/kern_event.c:569 [inline]
[ 146.4284077] kqueue1() at netbsd:kqueue1+0x1a6e kqueue_register vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/kern/kern_event.c:2027 [inline]
[ 146.4284077] kqueue1() at netbsd:kqueue1+0x1a6e vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/kern/kern_event.c:1855
[ 146.4384107] asan.module_dtor() at ffffffff8162d647
[ 146.4484063] asan.module_dtor() at ffffffff81e1c909
[ 146.4484063] syscall() at netbsd:syscall+0x26d sy_call vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/sys/syscallvar.h:65 [inline]
[ 146.4484063] syscall() at netbsd:syscall+0x26d sy_invoke vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/sys/syscallvar.h:94 [inline]
[ 146.4484063] syscall() at netbsd:syscall+0x26d vol/workdir/cloud-netbsd-dev/netbsd/20260401-fcca2226/src/sys/arch/x86/x86/syscall.c:137
[ 146.4584032] --- syscall (number 435 via SYS_syscall) ---
[ 146.4584032] netbsd:syscall+0x26d:
[ 146.4584032] cpu0: End traceback...

[ 146.4584032] dumping to dev 168,1 (offset=29361126, size=524159):
[ 146.4584032] dump 607 606 605 WARNING: lwp 1073 (cron) flags 0x20020020: timecounter went backwards from (147 + 0x72debdf530ede164/2^64) sec to (146 + 0xa61268719a7f2804/2^64) sec in netbsd:sched_lendpri+0x12fc
[ 146.4584032] 604 603 602 601 600 599 598 597 596 595 594 593 592 591 590 589 588 587 586 585 584 583 582 581 580 579 578 577 576 575 574 573 572 571 570 569 
```
>How-To-Repeat:
The issues can be reproduced by running the C or syz reproducer on the kernel under a specified config.
>Fix: