1 files changed, 7 insertions, 25 deletions

diff --git a/fs/aio.c b/fs/aio.c
index d6b1551342b7..edfca5b75535 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -398,7 +398,7 @@ static struct kiocb fastcall *__aio_get_req(struct kioctx *ctx)
         if (unlikely(!req))
                 return NULL;
 
-        req->ki_flags = 1 << KIF_LOCKED;
+        req->ki_flags = 0;
         req->ki_users = 2;
         req->ki_key = 0;
         req->ki_ctx = ctx;
@@ -547,25 +547,6 @@ struct kioctx *lookup_ioctx(unsigned long ctx_id)
         return ioctx;
 }
 
-static int lock_kiocb_action(void *param)
-{
-        schedule();
-        return 0;
-}
-
-static inline void lock_kiocb(struct kiocb *iocb)
-{
-        wait_on_bit_lock(&iocb->ki_flags, KIF_LOCKED, lock_kiocb_action,
-                         TASK_UNINTERRUPTIBLE);
-}
-
-static inline void unlock_kiocb(struct kiocb *iocb)
-{
-        kiocbClearLocked(iocb);
-        smp_mb__after_clear_bit();
-        wake_up_bit(&iocb->ki_flags, KIF_LOCKED);
-}
-
 /*
  * use_mm
  *      Makes the calling kernel thread take on the specified
@@ -796,9 +777,7 @@ static int __aio_run_iocbs(struct kioctx *ctx)
                  * Hold an extra reference while retrying i/o.
                  */
                 iocb->ki_users++;       /* grab extra reference */
-                lock_kiocb(iocb);
                 aio_run_iocb(iocb);
-                unlock_kiocb(iocb);
                 if (__aio_put_req(ctx, iocb))  /* drop extra ref */
                         put_ioctx(ctx);
         }
@@ -1418,6 +1397,9 @@ static ssize_t aio_setup_iocb(struct kiocb *kiocb)
                 if (unlikely(!access_ok(VERIFY_WRITE, kiocb->ki_buf,
                         kiocb->ki_left)))
                         break;
+                ret = security_file_permission(file, MAY_READ);
+                if (unlikely(ret))
+                        break;
                 ret = -EINVAL;
                 if (file->f_op->aio_read)
                         kiocb->ki_retry = aio_pread;
@@ -1430,6 +1412,9 @@ static ssize_t aio_setup_iocb(struct kiocb *kiocb)
                 if (unlikely(!access_ok(VERIFY_READ, kiocb->ki_buf,
                         kiocb->ki_left)))
                         break;
+                ret = security_file_permission(file, MAY_WRITE);
+                if (unlikely(ret))
+                        break;
                 ret = -EINVAL;
                 if (file->f_op->aio_write)
                         kiocb->ki_retry = aio_pwrite;
@@ -1542,7 +1527,6 @@ int fastcall io_submit_one(struct kioctx *ctx, struct iocb __user *user_iocb,
 
         spin_lock_irq(&ctx->ctx_lock);
         aio_run_iocb(req);
-        unlock_kiocb(req);
         if (!list_empty(&ctx->run_list)) {
                 /* drain the run list */
                 while (__aio_run_iocbs(ctx))
@@ -1674,7 +1658,6 @@ asmlinkage long sys_io_cancel(aio_context_t ctx_id, struct iocb __user *iocb,
         if (NULL != cancel) {
                 struct io_event tmp;
                 pr_debug("calling cancel\n");
-                lock_kiocb(kiocb);
                 memset(&tmp, 0, sizeof(tmp));
                 tmp.obj = (u64)(unsigned long)kiocb->ki_obj.user;
                 tmp.data = kiocb->ki_user_data;
@@ -1686,7 +1669,6 @@ asmlinkage long sys_io_cancel(aio_context_t ctx_id, struct iocb __user *iocb,
                         if (copy_to_user(result, &tmp, sizeof(tmp)))
                                 ret = -EFAULT;
                 }
-                unlock_kiocb(kiocb);
         } else
                 ret = -EINVAL;