From: Joerg Roedel <jroedel@suse.de>
Date: Wed, 4 Feb 2015 13:33:33 +0100
Subject: x86: irq: Check for valid irq descriptor in
 check_irq_vectors_for_cpu_disable
Git-commit: 153e8f6cf39c42dd9767eb49a27eacfb69738fb0
Patch-mainline: not yet
References: bnc#914726

When an interrupt is migrated away from a cpu it will stay
in its vector_irq array until smp_irq_move_cleanup_interrupt
succeeded. The cfg->move_in_progress flag is cleared already
when the IPI was sent.

When the interrupt is destroyed after migration its 'struct
irq_desc' is freed and the vector_irq arrays are cleaned up.
But since cfg->move_in_progress is already 0 the references
at cpus before the last migration will not be cleared. So
this would leave a reference to an already destroyed irq
alive.

When the cpu is taken down at this point, the
check_irq_vectors_for_cpu_disable function finds a valid irq
number in the vector_irq array, but gets NULL for its
descriptor and dereferences it, causing a kernel panic.

This has been observed on real systems at shutdown. Add a
check to check_irq_vectors_for_cpu_disable for a valid
'struct irq_desc' to prevent this issue.

Signed-off-by: Joerg Roedel <jroedel@suse.de>
---
 arch/x86/kernel/irq.c | 3 +++
 1 file changed, 3 insertions(+)

Index: linux-3.0-SLE11-SP3/arch/x86/kernel/irq.c
===================================================================
--- linux-3.0-SLE11-SP3.orig/arch/x86/kernel/irq.c
+++ linux-3.0-SLE11-SP3/arch/x86/kernel/irq.c
@@ -272,6 +272,9 @@ int check_irq_vectors_for_cpu_disable(vo
 		irq = __this_cpu_read(vector_irq[vector]);
 		if (irq >= 0) {
 			desc = irq_to_desc(irq);
+			if (!desc)
+				continue;
+
 			data = irq_desc_get_irq_data(desc);
 			cpumask_copy(&affinity_new, data->affinity);
 			cpu_clear(this_cpu, affinity_new);
