From ebefd3cc650b28f23b23869f92d78b8ac45bdbf9 Mon Sep 17 00:00:00 2001
From: Justin M. Forbes <jforbes@redhat.com>
Date: Nov 15 2012 17:06:52 +0000
Subject: Fix panic in  panic in smp_irq_move_cleanup_interrupt


---

diff --git a/kernel.spec b/kernel.spec
index 243ac06..f2ad7d6 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -773,6 +773,8 @@ Patch22110: usb-audio-fix-crash-at-re-preparing-the-PCM-stream.patch
 Patch22111: USB-EHCI-urb-hcpriv-should-not-be-NULL.patch
 Patch22112: USB-report-submission-of-active-URBs.patch
 
+Patch22113: smp_irq_move_cleanup_interrupt.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1495,6 +1497,8 @@ ApplyPatch usb-audio-fix-crash-at-re-preparing-the-PCM-stream.patch
 ApplyPatch USB-EHCI-urb-hcpriv-should-not-be-NULL.patch
 ApplyPatch USB-report-submission-of-active-URBs.patch
 
+ApplyPatch smp_irq_move_cleanup_interrupt.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2358,6 +2362,9 @@ fi
 #    '-'      |  |
 #              '-'
 %changelog
+* Thu Nov 15 2012 Justin M. Forbes <jforbes@redhat.com>
+- Fix panic in  panic in smp_irq_move_cleanup_interrupt
+
 * Mon Nov 12 2012 Justin M. Forbes <jforbes@redhat.com>
 - fix list_del corruption warning on USB audio with twinkle (rhbz 871078)
 
diff --git a/smp_irq_move_cleanup_interrupt.patch b/smp_irq_move_cleanup_interrupt.patch
new file mode 100644
index 0000000..c9b385a
--- /dev/null
+++ b/smp_irq_move_cleanup_interrupt.patch
@@ -0,0 +1,50 @@
+commit 94777fc51b3ad85ff9f705ddf7cdd0eb3bbad5a6
+Author: Dimitri Sivanich <sivanich@sgi.com>
+Date:   Tue Oct 16 07:50:21 2012 -0500
+
+    x86/irq/ioapic: Check for valid irq_cfg pointer in smp_irq_move_cleanup_interrupt
+    
+    Posting this patch to fix an issue concerning sparse irq's that
+    I raised a while back.  There was discussion about adding
+    refcounting to sparse irqs (to fix other potential race
+    conditions), but that does not appear to have been addressed
+    yet.  This covers the only issue of this type that I've
+    encountered in this area.
+    
+    A NULL pointer dereference can occur in
+    smp_irq_move_cleanup_interrupt() if we haven't yet setup the
+    irq_cfg pointer in the irq_desc.irq_data.chip_data.
+    
+    In create_irq_nr() there is a window where we have set
+    vector_irq in __assign_irq_vector(), but not yet called
+    irq_set_chip_data() to set the irq_cfg pointer.
+    
+    Should an IRQ_MOVE_CLEANUP_VECTOR hit the cpu in question during
+    this time, smp_irq_move_cleanup_interrupt() will attempt to
+    process the aforementioned irq, but panic when accessing
+    irq_cfg.
+    
+    Only continue processing the irq if irq_cfg is non-NULL.
+    
+    Signed-off-by: Dimitri Sivanich <sivanich@sgi.com>
+    Cc: Suresh Siddha <suresh.b.siddha@intel.com>
+    Cc: Joerg Roedel <joerg.roedel@amd.com>
+    Cc: Yinghai Lu <yinghai@kernel.org>
+    Cc: Alexander Gordeev <agordeev@redhat.com>
+    Link: http://lkml.kernel.org/r/20121016125021.GA22935@sgi.com
+    Signed-off-by: Ingo Molnar <mingo@kernel.org>
+
+diff --git a/arch/x86/kernel/apic/io_apic.c b/arch/x86/kernel/apic/io_apic.c
+index c265593..1817fa9 100644
+--- a/arch/x86/kernel/apic/io_apic.c
++++ b/arch/x86/kernel/apic/io_apic.c
+@@ -2257,6 +2257,9 @@ asmlinkage void smp_irq_move_cleanup_interrupt(void)
+ 			continue;
+
+ 		cfg = irq_cfg(irq);
++		if (!cfg)
++			continue;
++
+ 		raw_spin_lock(&desc->lock);
+
+ 		/*