kevent: Fix races between timer detach and kqtimer_proc_continue()

• When detaching a knote, we need to double check the enqueued flag after acquiring the process lock, as kqtimer_proc_continue() may have toggled it.
• kqtimer_proc_continue() could in principle reschedule a stopped callout after filt_timerdetach() drains the callout. So, we need to re-check.

Reported by: syzbot+4a4cebb3ec07892cb040@syzkaller.appspotmail.com
Reported by: syzbot+a9c04bc76078a3b7dd8d@syzkaller.appspotmail.com
Reviewed by: kib
Sponsored by: The FreeBSD Foundation

(cherry picked from commit c511383de7a0325a80b9c5d2b8678b438db146dc)