From 67eeec4810ead3224dc653eccc665c21e34e7c8e Mon Sep 17 00:00:00 2001
From: Gordon Tetlow <gordon@FreeBSD.org>
Date: Tue, 1 Dec 2020 19:37:33 +0000
Subject: [PATCH] Fix race condition in callout CPU migration.

Approved by:	so
Security:	FreeBSD-EN-20:22.callout
---
 sys/kern/kern_timeout.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/kern/kern_timeout.c b/sys/kern/kern_timeout.c
index 81b4a14ecf0..d08e202442a 100644
--- a/sys/kern/kern_timeout.c
+++ b/sys/kern/kern_timeout.c
@@ -1270,7 +1270,7 @@ _callout_stop_safe(struct callout *c, int flags, void (*drain)(void *))
 			 * just wait for the current invocation to
 			 * finish.
 			 */
-			while (cc_exec_curr(cc, direct) == c) {
+			if (cc_exec_curr(cc, direct) == c) {
 				/*
 				 * Use direct calls to sleepqueue interface
 				 * instead of cv/msleep in order to avoid
@@ -1318,7 +1318,7 @@ _callout_stop_safe(struct callout *c, int flags, void (*drain)(void *))
 
 				/* Reacquire locks previously released. */
 				PICKUP_GIANT();
-				CC_LOCK(cc);
+				goto again;
 			}
 			c->c_flags &= ~CALLOUT_ACTIVE;
 		} else if (use_lock &&
-- 
2.45.0