disallow clock_settime too far in the future to avoid panic

clock_ts_to_ct has a KASSERT that the converted year fits into four
digits. By default (sysctl debug.allow_insane_settime is 0) the kernel
disallows a time too far in the future, using a value of 9999 366-day
years. However, clock_settime is epoch-relative and the assertion will
fail with a tv_sec corresponding to some 8030 years.

Avoid trying to be too clever, and just use a limit of 8000 365-day
years past the epoch.

Submitted by: Heqing Yan <scottieyan@gmail.com>
Reported by: Syzkaller (https://github.com/google/syzkaller)
MFC after: 1 week
Sponsored by: The FreeBSD Foundation