iscsi-target: Fix ERL=2 ASYNC_EVENT connection pointer bug

commit d444edc679e7713412f243b792b1f964e5cff1e1 upstream.

This patch fixes a long-standing bug in iscsit_build_conn_drop_async_message()
where during ERL=2 connection recovery, a bogus conn_p pointer could
end up being used to send the ISCSI_OP_ASYNC_EVENT + DROPPING_CONNECTION
notifying the initiator that cmd->logout_cid has failed.

The bug was manifesting itself as an OOPs in iscsit_allocate_cmd() with
a bogus conn_p pointer in iscsit_build_conn_drop_async_message().

Reported-by: Arshad Hussain <arshad.hussain@calsoftinc.com>
Reported-by: santosh kulkarni <santosh.kulkarni@calsoftinc.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

1 files changed, 3 insertions, 1 deletions

diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
index 5232ac7b0745..58c479d13b57 100644
--- a/drivers/target/iscsi/iscsi_target.c
+++ b/drivers/target/iscsi/iscsi_target.c
@@ -2454,6 +2454,7 @@ static void iscsit_build_conn_drop_async_message(struct iscsi_conn *conn)
 {
         struct iscsi_cmd *cmd;
         struct iscsi_conn *conn_p;
+        bool found = false;
 
         /*
          * Only send a Asynchronous Message on connections whos network
@@ -2462,11 +2463,12 @@ static void iscsit_build_conn_drop_async_message(struct iscsi_conn *conn)
         list_for_each_entry(conn_p, &conn->sess->sess_conn_list, conn_list) {
                 if (conn_p->conn_state == TARG_CONN_STATE_LOGGED_IN) {
                         iscsit_inc_conn_usage_count(conn_p);
+                        found = true;
                         break;
                 }
         }
 
-        if (!conn_p)
+        if (!found)
                 return;
 
         cmd = iscsit_allocate_cmd(conn_p, GFP_ATOMIC);