From: Joerg Roedel <jroedel@suse.de>
Date: Wed, 4 Feb 2015 13:33:33 +0100
Subject: x86: irq: Check for valid irq descriptor in
 check_irq_vectors_for_cpu_disable
Patch-mainline: not yet
References: bnc#914726

When an interrupt is migrated away from a cpu it will stay
in its vector_irq array until smp_irq_move_cleanup_interrupt
succeeded. The cfg->move_in_progress flag is cleared already
when the IPI was sent.

When the interrupt is destroyed after migration its 'struct
irq_desc' is freed and the vector_irq arrays are cleaned up.
But since cfg->move_in_progress is already 0 the references
at cpus before the last migration will not be cleared. So
this would leave a reference to an already destroyed irq
alive.

When the cpu is taken down at this point, the
check_irq_vectors_for_cpu_disable function finds a valid irq
number in the vector_irq array, but gets NULL for its
descriptor and dereferences it, causing a kernel panic.

This has been observed on real systems at shutdown. Add a
check to check_irq_vectors_for_cpu_disable for a valid
'struct irq_desc' to prevent this issue.

Signed-off-by: Joerg Roedel <jroedel@suse.de>
Automatically created from "patches.fixes/x86-irq-check-for-valid-irq-descriptor-in-check_irq_vectors_for_cpu_disable" by xen-port-patches.py

--- sle11sp4.orig/arch/x86/kernel/irq-xen.c	2014-09-19 11:13:24.000000000 +0200
+++ sle11sp4/arch/x86/kernel/irq-xen.c	2015-02-18 15:07:25.000000000 +0100
@@ -273,6 +273,9 @@ int check_irq_vectors_for_cpu_disable(vo
 		irq = __this_cpu_read(vector_irq[vector]);
 		if (irq >= 0) {
 			desc = irq_to_desc(irq);
+			if (!desc)
+				continue;
+
 			data = irq_desc_get_irq_data(desc);
 			cpumask_copy(&affinity_new, data->affinity);
 			cpu_clear(this_cpu, affinity_new);
