From 7b3386dba21f57907931b2e6f09f741633ea3349 Mon Sep 17 00:00:00 2001
From: Gordon Tetlow
Date: Tue, 1 Dec 2020 19:37:33 +0000
Subject: [PATCH] Fix race condition in callout CPU migration.

Approved by: so
Security: FreeBSD-EN-20:22.callout
---
 sys/kern/kern_timeout.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/kern/kern_timeout.c b/sys/kern/kern_timeout.c
index e7fadbf7be8..51696434a38 100644
--- a/sys/kern/kern_timeout.c
+++ b/sys/kern/kern_timeout.c
@@ -1271,7 +1271,7 @@ _callout_stop_safe(struct callout *c, int flags, callout_func_t *drain)
 * just wait for the current invocation to
 * finish.
 */
- while (cc_exec_curr(cc, direct) == c) {
+ if (cc_exec_curr(cc, direct) == c) {
 /*
 * Use direct calls to sleepqueue interface
 * instead of cv/msleep in order to avoid
@@ -1319,7 +1319,7 @@ _callout_stop_safe(struct callout *c, int flags, callout_func_t *drain)
 /* Reacquire locks previously released. */
 PICKUP_GIANT();
- CC_LOCK(cc);
+ goto again;
 }
 c->c_flags &= ~CALLOUT_ACTIVE;
 } else if (use_lock &&
--
2.45.0
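Review bot: With `while` changed to `if` on the `cc_exec_curr(cc, direct) == c` test, the wait no longer reads as a loop, and the comment above it ("just wait for the current invocation to finish") does not say how the condition gets re-tested. The retry now appears to come from the `goto again` added in the second hunk, so a line such as `/* Re-tested from "again": cc may be stale once we have slept. */` above the `if` would keep a later cleanup from restoring the `while` and reintroducing the race. The `again` label and the rest of `_callout_stop_safe` lie outside the hunk, so what is recomputed there should be confirmed against the full function.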
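Review bot: The comment `/* Reacquire locks previously released. */` no longer matches the code beneath it: only `PICKUP_GIANT()` runs here now, and the callout CPU lock is not held when `goto again` is taken. Presumably the code at `again` looks up the callout's current CPU and locks that one, which would be the point of the fix, but the label is outside the hunk and this cannot be checked from here. The comment should state the new contract, for example `/* Reacquire Giant; the callout CPU lock is retaken at "again" since c may have migrated. */`. It is also worth confirming that nothing between this jump and the label's lock acquisition reads `cc` or fields it protects.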