Well, one possible fix is to rip the ioctl() and unlocked_ioctl() operations out of file_operations completely, turning them into a mandatory lookup into a (per-driver? per-filesystem?) map from ioctl request to (read_required, write_required, function to call to implement this operation).
Upside: makes it impossible to define a new ioctl() request without specifying whether it is a read or write op. Downside: this is... unlikely to be a nondisruptive change, and it's only really for the benefit of LSMs (since the read/write permission bits on devices supporting ioctl() are not used to validate this sort of thing, though they should be, but that would probably break too much of userspace). Which is probably why nobody's done it already.