dock: fix dereference after kfree()

upstream commit: f240729832dff3785104d950dad2d3ced4387f6d

dock_remove() calls kfree() on dock_station so we should use
list_for_each_entry_safe() to avoid dereferencing freed memory.

Found by smatch (http://repo.or.cz/w/smatch.git/).  Compile tested.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/drivers/acpi/dock.c b/drivers/acpi/dock.c
index afd5db3c75622a79be5a4e87255315ddfd31dfbf..349d69bfa022c7a503b85130b89df971e0286884 100644 (file)
--- a/drivers/acpi/dock.c
+++ b/drivers/acpi/dock.c
@@ -1146,9 +1146,10 @@ static int __init dock_init(void)
 static void __exit dock_exit(void)
 {
        struct dock_station *dock_station;
+       struct dock_station *tmp;
 
        unregister_acpi_bus_notifier(&dock_acpi_notifier);
-       list_for_each_entry(dock_station, &dock_stations, sibiling)
+       list_for_each_entry_safe(dock_station, tmp, &dock_stations, sibiling)
                dock_remove(dock_station);
 }