From: Greg Kroah-Hartman Date: Tue, 18 Apr 2017 13:59:48 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v4.4.63~37 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a090c3b666c04504d44640ce1ecc67a8c8e2f58c;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: ftrace-fix-removing-of-second-function-probe.patch iscsi-target-drop-work-around-for-legacy-globalsan-initiator.patch iscsi-target-fix-tmr-reference-leak-during-session-shutdown.patch scsi-sd-fix-capacity-calculation-with-32-bit-sector_t.patch scsi-sr-sanity-check-returned-mode-data.patch xen-fbfront-fix-connecting-to-backend.patch --- diff --git a/queue-3.18/ftrace-fix-removing-of-second-function-probe.patch b/queue-3.18/ftrace-fix-removing-of-second-function-probe.patch new file mode 100644 index 00000000000..6568ee0566d --- /dev/null +++ b/queue-3.18/ftrace-fix-removing-of-second-function-probe.patch @@ -0,0 +1,174 @@ +From 82cc4fc2e70ec5baeff8f776f2773abc8b2cc0ae Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Fri, 14 Apr 2017 17:45:45 -0400 +Subject: ftrace: Fix removing of second function probe + +From: Steven Rostedt (VMware) + +commit 82cc4fc2e70ec5baeff8f776f2773abc8b2cc0ae upstream. + +When two function probes are added to set_ftrace_filter, and then one of +them is removed, the update to the function locations is not performed, and +the record keeping of the function states are corrupted, and causes an +ftrace_bug() to occur. + +This is easily reproducable by adding two probes, removing one, and then +adding it back again. + + # cd /sys/kernel/debug/tracing + # echo schedule:traceoff > set_ftrace_filter + # echo do_IRQ:traceoff > set_ftrace_filter + # echo \!do_IRQ:traceoff > /debug/tracing/set_ftrace_filter + # echo do_IRQ:traceoff > set_ftrace_filter + +Causes: + ------------[ cut here ]------------ + WARNING: CPU: 2 PID: 1098 at kernel/trace/ftrace.c:2369 ftrace_get_addr_curr+0x143/0x220 + Modules linked in: [...] + CPU: 2 PID: 1098 Comm: bash Not tainted 4.10.0-test+ #405 + Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v02.05 05/07/2012 + Call Trace: + dump_stack+0x68/0x9f + __warn+0x111/0x130 + ? trace_irq_work_interrupt+0xa0/0xa0 + warn_slowpath_null+0x1d/0x20 + ftrace_get_addr_curr+0x143/0x220 + ? __fentry__+0x10/0x10 + ftrace_replace_code+0xe3/0x4f0 + ? ftrace_int3_handler+0x90/0x90 + ? printk+0x99/0xb5 + ? 0xffffffff81000000 + ftrace_modify_all_code+0x97/0x110 + arch_ftrace_update_code+0x10/0x20 + ftrace_run_update_code+0x1c/0x60 + ftrace_run_modify_code.isra.48.constprop.62+0x8e/0xd0 + register_ftrace_function_probe+0x4b6/0x590 + ? ftrace_startup+0x310/0x310 + ? debug_lockdep_rcu_enabled.part.4+0x1a/0x30 + ? update_stack_state+0x88/0x110 + ? ftrace_regex_write.isra.43.part.44+0x1d3/0x320 + ? preempt_count_sub+0x18/0xd0 + ? mutex_lock_nested+0x104/0x800 + ? ftrace_regex_write.isra.43.part.44+0x1d3/0x320 + ? __unwind_start+0x1c0/0x1c0 + ? _mutex_lock_nest_lock+0x800/0x800 + ftrace_trace_probe_callback.isra.3+0xc0/0x130 + ? func_set_flag+0xe0/0xe0 + ? __lock_acquire+0x642/0x1790 + ? __might_fault+0x1e/0x20 + ? trace_get_user+0x398/0x470 + ? strcmp+0x35/0x60 + ftrace_trace_onoff_callback+0x48/0x70 + ftrace_regex_write.isra.43.part.44+0x251/0x320 + ? match_records+0x420/0x420 + ftrace_filter_write+0x2b/0x30 + __vfs_write+0xd7/0x330 + ? do_loop_readv_writev+0x120/0x120 + ? locks_remove_posix+0x90/0x2f0 + ? do_lock_file_wait+0x160/0x160 + ? __lock_is_held+0x93/0x100 + ? rcu_read_lock_sched_held+0x5c/0xb0 + ? preempt_count_sub+0x18/0xd0 + ? __sb_start_write+0x10a/0x230 + ? vfs_write+0x222/0x240 + vfs_write+0xef/0x240 + SyS_write+0xab/0x130 + ? SyS_read+0x130/0x130 + ? trace_hardirqs_on_caller+0x182/0x280 + ? trace_hardirqs_on_thunk+0x1a/0x1c + entry_SYSCALL_64_fastpath+0x18/0xad + RIP: 0033:0x7fe61c157c30 + RSP: 002b:00007ffe87890258 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 + RAX: ffffffffffffffda RBX: ffffffff8114a410 RCX: 00007fe61c157c30 + RDX: 0000000000000010 RSI: 000055814798f5e0 RDI: 0000000000000001 + RBP: ffff8800c9027f98 R08: 00007fe61c422740 R09: 00007fe61ca53700 + R10: 0000000000000073 R11: 0000000000000246 R12: 0000558147a36400 + R13: 00007ffe8788f160 R14: 0000000000000024 R15: 00007ffe8788f15c + ? trace_hardirqs_off_caller+0xc0/0x110 + ---[ end trace 99fa09b3d9869c2c ]--- + Bad trampoline accounting at: ffffffff81cc3b00 (do_IRQ+0x0/0x150) + +Fixes: 59df055f1991 ("ftrace: trace different functions with a different tracer") +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/ftrace.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -3408,23 +3408,24 @@ static void __enable_ftrace_function_pro + ftrace_probe_registered = 1; + } + +-static void __disable_ftrace_function_probe(void) ++static bool __disable_ftrace_function_probe(void) + { + int i; + + if (!ftrace_probe_registered) +- return; ++ return false; + + for (i = 0; i < FTRACE_FUNC_HASHSIZE; i++) { + struct hlist_head *hhd = &ftrace_func_hash[i]; + if (hhd->first) +- return; ++ return false; + } + + /* no more funcs left */ + ftrace_shutdown(&trace_probe_ops, 0); + + ftrace_probe_registered = 0; ++ return true; + } + + +@@ -3550,6 +3551,7 @@ static void + __unregister_ftrace_function_probe(char *glob, struct ftrace_probe_ops *ops, + void *data, int flags) + { ++ struct ftrace_ops_hash old_hash_ops; + struct ftrace_func_entry *rec_entry; + struct ftrace_func_probe *entry; + struct ftrace_func_probe *p; +@@ -3563,6 +3565,7 @@ __unregister_ftrace_function_probe(char + int i, len = 0; + char *search; + int ret; ++ bool disabled; + + if (glob && (strcmp(glob, "*") == 0 || !strlen(glob))) + glob = NULL; +@@ -3579,6 +3582,10 @@ __unregister_ftrace_function_probe(char + + mutex_lock(&trace_probe_ops.func_hash->regex_lock); + ++ old_hash_ops.filter_hash = old_hash; ++ /* Probes only have filters */ ++ old_hash_ops.notrace_hash = NULL; ++ + hash = alloc_and_copy_ftrace_hash(FTRACE_HASH_DEFAULT_BITS, *orig_hash); + if (!hash) + /* Hmm, should report this somehow */ +@@ -3616,12 +3623,17 @@ __unregister_ftrace_function_probe(char + } + } + mutex_lock(&ftrace_lock); +- __disable_ftrace_function_probe(); ++ disabled = __disable_ftrace_function_probe(); + /* + * Remove after the disable is called. Otherwise, if the last + * probe is removed, a null hash means *all enabled*. + */ + ret = ftrace_hash_move(&trace_probe_ops, 1, orig_hash, hash); ++ ++ /* still need to update the function call sites */ ++ if (ftrace_enabled && !disabled) ++ ftrace_run_modify_code(&trace_probe_ops, FTRACE_UPDATE_CALLS, ++ &old_hash_ops); + synchronize_sched(); + if (!ret) + free_ftrace_hash_rcu(old_hash); diff --git a/queue-3.18/iscsi-target-drop-work-around-for-legacy-globalsan-initiator.patch b/queue-3.18/iscsi-target-drop-work-around-for-legacy-globalsan-initiator.patch new file mode 100644 index 00000000000..95ac8f6db42 --- /dev/null +++ b/queue-3.18/iscsi-target-drop-work-around-for-legacy-globalsan-initiator.patch @@ -0,0 +1,83 @@ +From 1c99de981f30b3e7868b8d20ce5479fa1c0fea46 Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Sun, 2 Apr 2017 13:36:44 -0700 +Subject: iscsi-target: Drop work-around for legacy GlobalSAN initiator + +From: Nicholas Bellinger + +commit 1c99de981f30b3e7868b8d20ce5479fa1c0fea46 upstream. + +Once upon a time back in 2009, a work-around was added to support +the GlobalSAN iSCSI initiator v3.3 for MacOSX, which during login +did not propose nor respond to MaxBurstLength, FirstBurstLength, +DefaultTime2Wait and DefaultTime2Retain keys. + +The work-around in iscsi_check_proposer_for_optional_reply() +allowed the missing keys to be proposed, but did not require +waiting for a response before moving to full feature phase +operation. This allowed GlobalSAN v3.3 to work out-of-the +box, and for many years we didn't run into login interopt +issues with any other initiators.. + +Until recently, when Martin tried a QLogic 57840S iSCSI Offload +HBA on Windows 2016 which completed login, but subsequently +failed with: + + Got unknown iSCSI OpCode: 0x43 + +The issue was QLogic MSFT side did not propose DefaultTime2Wait + +DefaultTime2Retain, so LIO proposes them itself, and immediately +transitions to full feature phase because of the GlobalSAN hack. +However, the QLogic MSFT side still attempts to respond to +DefaultTime2Retain + DefaultTime2Wait, even though LIO has set +ISCSI_FLAG_LOGIN_NEXT_STAGE3 + ISCSI_FLAG_LOGIN_TRANSIT +in last login response. + +So while the QLogic MSFT side should have been proposing these +two keys to start, it was doing the correct thing per RFC-3720 +attempting to respond to proposed keys before transitioning to +full feature phase. + +All that said, recent versions of GlobalSAN iSCSI (v5.3.0.541) +does correctly propose the four keys during login, making the +original work-around moot. + +So in order to allow QLogic MSFT to run unmodified as-is, go +ahead and drop this long standing work-around. + +Reported-by: Martin Svec +Cc: Martin Svec +Cc: Himanshu Madhani +Cc: Arun Easi +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/iscsi/iscsi_target_parameters.c | 16 ---------------- + 1 file changed, 16 deletions(-) + +--- a/drivers/target/iscsi/iscsi_target_parameters.c ++++ b/drivers/target/iscsi/iscsi_target_parameters.c +@@ -804,22 +804,6 @@ static void iscsi_check_proposer_for_opt + if (!strcmp(param->name, MAXRECVDATASEGMENTLENGTH)) + SET_PSTATE_REPLY_OPTIONAL(param); + /* +- * The GlobalSAN iSCSI Initiator for MacOSX does +- * not respond to MaxBurstLength, FirstBurstLength, +- * DefaultTime2Wait or DefaultTime2Retain parameter keys. +- * So, we set them to 'reply optional' here, and assume the +- * the defaults from iscsi_parameters.h if the initiator +- * is not RFC compliant and the keys are not negotiated. +- */ +- if (!strcmp(param->name, MAXBURSTLENGTH)) +- SET_PSTATE_REPLY_OPTIONAL(param); +- if (!strcmp(param->name, FIRSTBURSTLENGTH)) +- SET_PSTATE_REPLY_OPTIONAL(param); +- if (!strcmp(param->name, DEFAULTTIME2WAIT)) +- SET_PSTATE_REPLY_OPTIONAL(param); +- if (!strcmp(param->name, DEFAULTTIME2RETAIN)) +- SET_PSTATE_REPLY_OPTIONAL(param); +- /* + * Required for gPXE iSCSI boot client + */ + if (!strcmp(param->name, MAXCONNECTIONS)) diff --git a/queue-3.18/iscsi-target-fix-tmr-reference-leak-during-session-shutdown.patch b/queue-3.18/iscsi-target-fix-tmr-reference-leak-during-session-shutdown.patch new file mode 100644 index 00000000000..96b0445bf09 --- /dev/null +++ b/queue-3.18/iscsi-target-fix-tmr-reference-leak-during-session-shutdown.patch @@ -0,0 +1,79 @@ +From efb2ea770bb3b0f40007530bc8b0c22f36e1c5eb Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Thu, 23 Mar 2017 17:19:24 -0700 +Subject: iscsi-target: Fix TMR reference leak during session shutdown + +From: Nicholas Bellinger + +commit efb2ea770bb3b0f40007530bc8b0c22f36e1c5eb upstream. + +This patch fixes a iscsi-target specific TMR reference leak +during session shutdown, that could occur when a TMR was +quiesced before the hand-off back to iscsi-target code +via transport_cmd_check_stop_to_fabric(). + +The reference leak happens because iscsit_free_cmd() was +incorrectly skipping the final target_put_sess_cmd() for +TMRs when transport_generic_free_cmd() returned zero because +the se_cmd->cmd_kref did not reach zero, due to the missing +se_cmd assignment in original code. + +The result was iscsi_cmd and it's associated se_cmd memory +would be freed once se_sess->sess_cmd_map where released, +but the associated se_tmr_req was leaked and remained part +of se_device->dev_tmr_list. + +This bug would manfiest itself as kernel paging request +OOPsen in core_tmr_lun_reset(), when a left-over se_tmr_req +attempted to dereference it's se_cmd pointer that had +already been released during normal session shutdown. + +To address this bug, go ahead and treat ISCSI_OP_SCSI_CMD +and ISCSI_OP_SCSI_TMFUNC the same when there is an extra +se_cmd->cmd_kref to drop in iscsit_free_cmd(), and use +op_scsi to signal __iscsit_free_cmd() when the former +needs to clear any further iscsi related I/O state. + +Reported-by: Rob Millner +Cc: Rob Millner +Reported-by: Chu Yuan Lin +Cc: Chu Yuan Lin +Tested-by: Chu Yuan Lin +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/iscsi/iscsi_target_util.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/drivers/target/iscsi/iscsi_target_util.c ++++ b/drivers/target/iscsi/iscsi_target_util.c +@@ -731,21 +731,23 @@ void iscsit_free_cmd(struct iscsi_cmd *c + { + struct se_cmd *se_cmd = NULL; + int rc; ++ bool op_scsi = false; + /* + * Determine if a struct se_cmd is associated with + * this struct iscsi_cmd. + */ + switch (cmd->iscsi_opcode) { + case ISCSI_OP_SCSI_CMD: +- se_cmd = &cmd->se_cmd; +- __iscsit_free_cmd(cmd, true, shutdown); ++ op_scsi = true; + /* + * Fallthrough + */ + case ISCSI_OP_SCSI_TMFUNC: +- rc = transport_generic_free_cmd(&cmd->se_cmd, shutdown); +- if (!rc && shutdown && se_cmd && se_cmd->se_sess) { +- __iscsit_free_cmd(cmd, true, shutdown); ++ se_cmd = &cmd->se_cmd; ++ __iscsit_free_cmd(cmd, op_scsi, shutdown); ++ rc = transport_generic_free_cmd(se_cmd, shutdown); ++ if (!rc && shutdown && se_cmd->se_sess) { ++ __iscsit_free_cmd(cmd, op_scsi, shutdown); + target_put_sess_cmd(se_cmd); + } + break; diff --git a/queue-3.18/scsi-sd-fix-capacity-calculation-with-32-bit-sector_t.patch b/queue-3.18/scsi-sd-fix-capacity-calculation-with-32-bit-sector_t.patch new file mode 100644 index 00000000000..ac1267a6cd4 --- /dev/null +++ b/queue-3.18/scsi-sd-fix-capacity-calculation-with-32-bit-sector_t.patch @@ -0,0 +1,70 @@ +From 7c856152cb92f8eee2df29ef325a1b1f43161aff Mon Sep 17 00:00:00 2001 +From: "Martin K. Petersen" +Date: Tue, 4 Apr 2017 10:42:30 -0400 +Subject: scsi: sd: Fix capacity calculation with 32-bit sector_t + +From: Martin K. Petersen + +commit 7c856152cb92f8eee2df29ef325a1b1f43161aff upstream. + +We previously made sure that the reported disk capacity was less than +0xffffffff blocks when the kernel was not compiled with large sector_t +support (CONFIG_LBDAF). However, this check assumed that the capacity +was reported in units of 512 bytes. + +Add a sanity check function to ensure that we only enable disks if the +entire reported capacity can be expressed in terms of sector_t. + +Reported-by: Steve Magnani +Cc: Bart Van Assche +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/sd.c | 20 ++++++++++++++++++-- + 1 file changed, 18 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -1979,6 +1979,22 @@ static void read_capacity_error(struct s + + #define READ_CAPACITY_RETRIES_ON_RESET 10 + ++/* ++ * Ensure that we don't overflow sector_t when CONFIG_LBDAF is not set ++ * and the reported logical block size is bigger than 512 bytes. Note ++ * that last_sector is a u64 and therefore logical_to_sectors() is not ++ * applicable. ++ */ ++static bool sd_addressable_capacity(u64 lba, unsigned int sector_size) ++{ ++ u64 last_sector = (lba + 1ULL) << (ilog2(sector_size) - 9); ++ ++ if (sizeof(sector_t) == 4 && last_sector > U32_MAX) ++ return false; ++ ++ return true; ++} ++ + static int read_capacity_16(struct scsi_disk *sdkp, struct scsi_device *sdp, + unsigned char *buffer) + { +@@ -2044,7 +2060,7 @@ static int read_capacity_16(struct scsi_ + return -ENODEV; + } + +- if ((sizeof(sdkp->capacity) == 4) && (lba >= 0xffffffffULL)) { ++ if (!sd_addressable_capacity(lba, sector_size)) { + sd_printk(KERN_ERR, sdkp, "Too big for this kernel. Use a " + "kernel compiled with support for large block " + "devices.\n"); +@@ -2130,7 +2146,7 @@ static int read_capacity_10(struct scsi_ + return sector_size; + } + +- if ((sizeof(sdkp->capacity) == 4) && (lba == 0xffffffff)) { ++ if (!sd_addressable_capacity(lba, sector_size)) { + sd_printk(KERN_ERR, sdkp, "Too big for this kernel. Use a " + "kernel compiled with support for large block " + "devices.\n"); diff --git a/queue-3.18/scsi-sr-sanity-check-returned-mode-data.patch b/queue-3.18/scsi-sr-sanity-check-returned-mode-data.patch new file mode 100644 index 00000000000..49b5aa7d0c0 --- /dev/null +++ b/queue-3.18/scsi-sr-sanity-check-returned-mode-data.patch @@ -0,0 +1,46 @@ +From a00a7862513089f17209b732f230922f1942e0b9 Mon Sep 17 00:00:00 2001 +From: "Martin K. Petersen" +Date: Fri, 17 Mar 2017 08:47:14 -0400 +Subject: scsi: sr: Sanity check returned mode data + +From: Martin K. Petersen + +commit a00a7862513089f17209b732f230922f1942e0b9 upstream. + +Kefeng Wang discovered that old versions of the QEMU CD driver would +return mangled mode data causing us to walk off the end of the buffer in +an attempt to parse it. Sanity check the returned mode sense data. + +Reported-by: Kefeng Wang +Tested-by: Kefeng Wang +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/sr.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/sr.c ++++ b/drivers/scsi/sr.c +@@ -839,6 +839,7 @@ static void get_capabilities(struct scsi + unsigned char *buffer; + struct scsi_mode_data data; + struct scsi_sense_hdr sshdr; ++ unsigned int ms_len = 128; + int rc, n; + + static const char *loadmech[] = +@@ -865,10 +866,11 @@ static void get_capabilities(struct scsi + scsi_test_unit_ready(cd->device, SR_TIMEOUT, MAX_RETRIES, &sshdr); + + /* ask for mode page 0x2a */ +- rc = scsi_mode_sense(cd->device, 0, 0x2a, buffer, 128, ++ rc = scsi_mode_sense(cd->device, 0, 0x2a, buffer, ms_len, + SR_TIMEOUT, 3, &data, NULL); + +- if (!scsi_status_is_good(rc)) { ++ if (!scsi_status_is_good(rc) || data.length > ms_len || ++ data.header_length + data.block_descriptor_length > data.length) { + /* failed, drive doesn't have capabilities mode page */ + cd->cdi.speed = 1; + cd->cdi.mask |= (CDC_CD_R | CDC_CD_RW | CDC_DVD_R | diff --git a/queue-3.18/series b/queue-3.18/series index 4b6390495b6..d3c14010f3e 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -4,3 +4,9 @@ input-xpad-add-support-for-razer-wildcat-gamepad.patch perf-x86-avoid-exposing-wrong-stale-data-in-intel_pmu_lbr_read_32.patch x86-vdso-plug-race-between-mapping-and-elf-header-setup.patch x86-vdso-ensure-vdso32_enabled-gets-set-to-valid-values-only.patch +iscsi-target-fix-tmr-reference-leak-during-session-shutdown.patch +iscsi-target-drop-work-around-for-legacy-globalsan-initiator.patch +scsi-sr-sanity-check-returned-mode-data.patch +scsi-sd-fix-capacity-calculation-with-32-bit-sector_t.patch +xen-fbfront-fix-connecting-to-backend.patch +ftrace-fix-removing-of-second-function-probe.patch diff --git a/queue-3.18/xen-fbfront-fix-connecting-to-backend.patch b/queue-3.18/xen-fbfront-fix-connecting-to-backend.patch new file mode 100644 index 00000000000..78e70c2ceaa --- /dev/null +++ b/queue-3.18/xen-fbfront-fix-connecting-to-backend.patch @@ -0,0 +1,44 @@ +From 9121b15b5628b38b4695282dc18c553440e0f79b Mon Sep 17 00:00:00 2001 +From: Juergen Gross +Date: Fri, 7 Apr 2017 17:28:23 +0200 +Subject: xen, fbfront: fix connecting to backend + +From: Juergen Gross + +commit 9121b15b5628b38b4695282dc18c553440e0f79b upstream. + +Connecting to the backend isn't working reliably in xen-fbfront: in +case XenbusStateInitWait of the backend has been missed the backend +transition to XenbusStateConnected will trigger the connected state +only without doing the actions required when the backend has +connected. + +Signed-off-by: Juergen Gross +Reviewed-by: Boris Ostrovsky +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/fbdev/xen-fbfront.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/video/fbdev/xen-fbfront.c ++++ b/drivers/video/fbdev/xen-fbfront.c +@@ -644,7 +644,6 @@ static void xenfb_backend_changed(struct + break; + + case XenbusStateInitWait: +-InitWait: + xenbus_switch_state(dev, XenbusStateConnected); + break; + +@@ -655,7 +654,8 @@ InitWait: + * get Connected twice here. + */ + if (dev->state != XenbusStateConnected) +- goto InitWait; /* no InitWait seen yet, fudge it */ ++ /* no InitWait seen yet, fudge it */ ++ xenbus_switch_state(dev, XenbusStateConnected); + + if (xenbus_scanf(XBT_NIL, info->xbdev->otherend, + "request-update", "%d", &val) < 0)