diff --git a/fs/aio.c b/fs/aio.c
index 28223f511931..0fed22ed9eb8 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -1762,9 +1762,8 @@ static void aio_poll_complete_work(struct work_struct *work)
 	} /* else, POLLFREE has freed the waitqueue, so we must complete */
 	list_del_init(&iocb->ki_list);
 	iocb->ki_res.res = mangle_poll(mask);
-	spin_unlock_irq(&ctx->ctx_lock);
-
 	iocb_put(iocb);
+	spin_unlock_irq(&ctx->ctx_lock);
 }
 
 /* assumes we are called with irqs disabled */
@@ -2198,7 +2197,6 @@ SYSCALL_DEFINE3(io_cancel, aio_context_t, ctx_id, struct iocb __user *, iocb,
 			break;
 		}
 	}
-	spin_unlock_irq(&ctx->ctx_lock);
 
 	/*
 	 * The result argument is no longer used - the io_event is always
@@ -2206,6 +2204,7 @@ SYSCALL_DEFINE3(io_cancel, aio_context_t, ctx_id, struct iocb __user *, iocb,
 	 */
 	if (ret == 0 && kiocb->rw.ki_flags & IOCB_AIO_RW)
 		aio_complete_rw(&kiocb->rw, -EINTR);
+	spin_unlock_irq(&ctx->ctx_lock);
 
 	percpu_ref_put(&ctx->users);