[PATCH] s390/tape: avoid past-the-end iterator in tape_assign_minor()
From: Maoyi Xie
Date: Mon Jun 01 2026 - 00:09:02 EST
tape_assign_minor() walks tape_device_list to find the sorted
insertion point, then does list_add_tail(&device->node, &tmp->node).
When the loop runs to the end without break, tmp is past the end and
&tmp->node aliases the list head via container_of. list_add_tail then
appends at the tail, which is the intended result, but the iterator is
dereferenced past the end, which is undefined per the C standard.
Track the insertion point explicitly. insert_before starts at the list
head and is set to &tmp->node only when the loop breaks early. The
list_add_tail uses insert_before, so the behaviour is unchanged in
every case including an empty list.
Signed-off-by: Maoyi Xie <maoyixie.tju@xxxxxxxxx>
---
drivers/s390/char/tape_core.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/s390/char/tape_core.c b/drivers/s390/char/tape_core.c
index bd8e3deb1199..361184c05940 100644
--- a/drivers/s390/char/tape_core.c
+++ b/drivers/s390/char/tape_core.c
@@ -330,14 +330,17 @@ __tape_cancel_io(struct tape_device *device, struct tape_request *request)
static int
tape_assign_minor(struct tape_device *device)
{
+ struct list_head *insert_before = &tape_device_list;
struct tape_device *tmp;
int minor;
minor = 0;
write_lock(&tape_device_lock);
list_for_each_entry(tmp, &tape_device_list, node) {
- if (minor < tmp->first_minor)
+ if (minor < tmp->first_minor) {
+ insert_before = &tmp->node;
break;
+ }
minor += TAPE_MINORS_PER_DEV;
}
if (minor >= 256) {
@@ -345,7 +348,7 @@ tape_assign_minor(struct tape_device *device)
return -ENODEV;
}
device->first_minor = minor;
- list_add_tail(&device->node, &tmp->node);
+ list_add_tail(&device->node, insert_before);
write_unlock(&tape_device_lock);
return 0;
}
--
2.34.1