ipc: fix double sem unlock in semctl error path

Fix another ipc locking buglet introduced by the scalability patches:
when semctl_down() was changed to delay the semaphore locking, one error
path for security_sem_semctl() went through the semaphore unlock logic
even though the semaphore had never been locked.

Introduced by commit 16df3674efe3 ("ipc,sem: do not hold ipc lock more
than necessary")

Acked-by: Davidlohr Bueso <davidlohr.bueso@hp.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/ipc/sem.c b/ipc/sem.c
index 8f5aa34f8d30d4495a84fdcfeef83f3f9ed9fa5c..1f8f01a542de2ba52c83b71b8d550ee0eeec81fb 100644 (file)
--- a/ipc/sem.c
+++ b/ipc/sem.c
@@ -1280,7 +1280,7 @@ static int semctl_down(struct ipc_namespace *ns, int semid,
        err = security_sem_semctl(sma, cmd);
        if (err) {
                rcu_read_unlock();
-               goto out_unlock;
+               goto out_up;
        }
 
        switch(cmd){