module_unload: avoid potential use-after-free

module_unload: avoid potential use-after-free

Given three modules (A, B, C), where:

B depends on A
C depends on B
C depends on A

Module A can end up with this reverse dependency graph (as represented
in the modules' required_by lists):

A -> B -> C
A -> C

Given B is listed first in required_by, it will be unloaded;
recursively, C will be unloaded. However, unloading a module also
removes it from its dependencies' required_by lists, thus removing C
from A's required_by list. While the _SAFE variant of the list iteration
macro is designed to handle the current element being removed, it is not
able to handle an arbitrary number of following elements being removed
as well.

As unloading a module will always remove it from the required_by list,
we can instead keep unloading the first element of the list until the
list is empty.