tmem: properly drop lock on error path in do_tmem_get()

Also remove a bogus assertion.

This is part of XSA-15 / CVE-2012-3497.

Reported-by: Tim Deegan <tim@xxxxxxx>
Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
Acked-by: Dan Magenheimer <dan.magenheimer@xxxxxxxxxx>

--- a/xen/common/tmem.c
+++ b/xen/common/tmem.c
@@ -1790,7 +1790,6 @@ static NOINLINE int do_tmem_get(pool_t *
             list_del(&pgp->us.client_eph_pages);
             list_add_tail(&pgp->us.client_eph_pages,&client->ephemeral_page_list);
             tmem_spin_unlock(&eph_lists_spinlock);
-            ASSERT(obj != NULL);
             obj->last_client = tmh_get_cli_id_from_current();
         }
     }
@@ -1807,6 +1806,8 @@ static NOINLINE int do_tmem_get(pool_t *
     return 1;
 
 bad_copy:
+    obj->no_evict = 0;
+    tmem_spin_unlock(&obj->obj_spinlock);
     failed_copies++;
     return rc;
 }