From: Sébastien Dugué <sebastien.dugue@bull.net>

Make sure we only accept valid sigev_notify values in aio_setup_sigevent(),
namely SIGEV_NONE, SIGEV_THREAD_ID or SIGEV_SIGNAL.

Signed-off-by: Sébastien Dugué <sebastien.dugue@bull.net>
Cc: Laurent Vivier <laurent.vivier@bull.net>
Cc: Bharata B Rao <bharata@in.ibm.com>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Suparna Bhattacharya <suparna@in.ibm.com>
Cc: Zach Brown <zach.brown@oracle.com>
Cc: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Badari Pulavarty <pbadari@us.ibm.com>
Cc: Benjamin LaHaise <bcrl@linux.intel.com>
Cc: Jean Pierre Dion <jean-pierre.dion@bull.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 fs/aio.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletion(-)

diff -puN fs/aio.c~aio-completion-signal-notification-fix fs/aio.c
--- a/fs/aio.c~aio-completion-signal-notification-fix
+++ a/fs/aio.c
@@ -938,7 +938,7 @@ static int aio_send_signal(struct aio_no
 	info->si_uid = 0;
 	info->si_value = notify->value;
 
-	if (notify->notify & SIGEV_THREAD_ID)
+	if (notify->notify == SIGEV_THREAD_ID)
 		ret = send_sigqueue(notify->signo, sigq, notify->target);
 	else
 		ret = send_group_sigqueue(notify->signo, sigq, notify->target);
@@ -958,6 +958,10 @@ static long aio_setup_sigevent(struct ai
 	if (event.sigev_notify == SIGEV_NONE)
 		return 0;
 
+	if (event.sigev_notify != SIGEV_SIGNAL &&
+	    event.sigev_notify != SIGEV_THREAD_ID)
+		return -EINVAL;
+
 	notify->notify = event.sigev_notify;
 	notify->signo = event.sigev_signo;
 	notify->value = event.sigev_value;
_