From: Maoyi Xie
To: Jan Hoeppner, Heiko Carstens, Vasily Gorbik, Alexander Gordeev
Cc: Christian Borntraeger, Sven Schnelle, linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org, Maoyi Xie
Subject: [PATCH] s390/tape: avoid past-the-end iterator in tape_assign_minor()
Date: Mon, 1 Jun 2026 12:08:18 +0800
Message-Id: <20260601040818.1285976-1-maoyixie.tju@gmail.com>
In-Reply-To: <20260519100026.1970224-1-maoyixie.tju@gmail.com>
References: <20260519100026.1970224-1-maoyixie.tju@gmail.com>

tape_assign_minor() walks tape_device_list to find the sorted insertion
point, then does list_add_tail(&device->node, &tmp->node). When the loop
runs to the end without break, tmp is past the end and &tmp->node aliases
the list head via container_of. list_add_tail then appends at the tail,
which is the intended result, but the iterator is dereferenced past the
end, which is undefined per the C standard.

Track the insertion point explicitly. insert_before starts at the list
head and is set to &tmp->node only when the loop breaks early. The
list_add_tail uses insert_before, so the behaviour is unchanged in every
case including an empty list.

Signed-off-by: Maoyi Xie
---
 drivers/s390/char/tape_core.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/s390/char/tape_core.c b/drivers/s390/char/tape_core.c index bd8e3deb1199..361184c05940 100644 --- a/drivers/s390/char/tape_core.c +++ b/drivers/s390/char/tape_core.c @@ -330,14 +330,17 @@ __tape_cancel_io(struct tape_device *device, struct t= ape_request *request) static int tape_assign_minor(struct tape_device *device) { + struct list_head *insert_before =3D &tape_device_list; struct tape_device *tmp; int minor; =20 minor =3D 0; write_lock(&tape_device_lock); list_for_each_entry(tmp, &tape_device_list, node) { - if (minor < tmp->first_minor) + if (minor < tmp->first_minor) { + insert_before =3D &tmp->node; break; + } minor +=3D TAPE_MINORS_PER_DEV; } if (minor >=3D 256) { @@ -345,7 +348,7 @@ tape_assign_minor(struct tape_device *device) return -ENODEV; } device->first_minor =3D minor; - list_add_tail(&device->node, &tmp->node); + list_add_tail(&device->node, insert_before); write_unlock(&tape_device_lock); return 0; } --=20 2.34.1
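Review bot: The `&tape_device_list` initialiser of insert_before, on the first added line of the first hunk, now carries the whole append-at-tail case (loop finishes without break, or the list is empty), but nothing in the code says so. A one-line comment on the declaration or above list_for_each_entry(), along the lines of "defaults to the list head so list_add_tail() appends when no entry has a larger first_minor", would keep a later cleanup from dropping the initialiser or going back to using tmp after the loop. The added branch itself looks right: insert_before is only taken from tmp inside the loop body, where tmp is a real entry, and the second hunk no longer touches tmp once the loop has ended.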