tape_assign_minor() walks tape_device_list to find the sorted
insertion point, then does list_add_tail(&device->node, &tmp->node).
When the loop runs to the end without break, tmp is past the end and
&tmp->node aliases the list head via container_of. list_add_tail then
appends at the tail, which is the intended result, but the iterator is
dereferenced past the end, which is undefined per the C standard.

Track the insertion point explicitly. insert_before starts at the list
head and is set to &tmp->node only when the loop breaks early. The
list_add_tail uses insert_before, so the behaviour is unchanged in
every case including an empty list.

Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com>
---
 drivers/s390/char/tape_core.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/s390/char/tape_core.c b/drivers/s390/char/tape_core.c
index bd8e3deb1199..361184c05940 100644
--- a/drivers/s390/char/tape_core.c
+++ b/drivers/s390/char/tape_core.c
@@ -330,14 +330,17 @@ __tape_cancel_io(struct tape_device *device, struct tape_request *request)
 static int
 tape_assign_minor(struct tape_device *device)
 {
+	struct list_head *insert_before = &tape_device_list;
 	struct tape_device *tmp;
 	int minor;
 
 	minor = 0;
 	write_lock(&tape_device_lock);
 	list_for_each_entry(tmp, &tape_device_list, node) {
-		if (minor < tmp->first_minor)
+		if (minor < tmp->first_minor) {
+			insert_before = &tmp->node;
 			break;
+		}
 		minor += TAPE_MINORS_PER_DEV;
 	}
 	if (minor >= 256) {
@@ -345,7 +348,7 @@ tape_assign_minor(struct tape_device *device)
 		return -ENODEV;
 	}
 	device->first_minor = minor;
-	list_add_tail(&device->node, &tmp->node);
+	list_add_tail(&device->node, insert_before);
 	write_unlock(&tape_device_lock);
 	return 0;
 }
-- 
2.34.1