dock: fix dereference after kfree()
authorDan Carpenter <error27@gmail.com>
Thu, 2 Apr 2009 05:29:56 +0000 (08:29 +0300)
committerLen Brown <len.brown@intel.com>
Fri, 3 Apr 2009 16:48:59 +0000 (12:48 -0400)
dock_remove() calls kfree() on dock_station so we should use
list_for_each_entry_safe() to avoid dereferencing freed memory.

Found by smatch (http://repo.or.cz/w/smatch.git/).  Compile tested.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Len Brown <len.brown@intel.com>
drivers/acpi/dock.c

index 35094f230b1e339d2d969ca27cb89816c7d3d9de..8f62fa01a9c76f910d1c88d4245f18eeab995708 100644 (file)
@@ -1146,9 +1146,10 @@ static int __init dock_init(void)
 static void __exit dock_exit(void)
 {
        struct dock_station *dock_station;
+       struct dock_station *tmp;
 
        unregister_acpi_bus_notifier(&dock_acpi_notifier);
-       list_for_each_entry(dock_station, &dock_stations, sibiling)
+       list_for_each_entry_safe(dock_station, tmp, &dock_stations, sibiling)
                dock_remove(dock_station);
 }