~hc/RK356X_SDK_RELEASE.git

..	..	@@ -279,10 +279,18 @@
279	279	drm_gem_object_release(obj);
280	280	return ret;
281	281	}
282		- drm_gem_object_put(obj);
283	282
284	283	rc->res_handle = qobj->hw_res_handle; /* similiar to a VM address */
285	284	rc->bo_handle = handle;
	285	+
	286	+ /*
	287	+ * The handle owns the reference now. But we must drop our
	288	+ * remaining reference after we no longer need to dereference
	289	+ * the obj. Otherwise userspace could guess the handle and
	290	+ * race closing it from another thread.
	291	+ */
	292	+ drm_gem_object_put(obj);
	293	+
286	294	return 0;
287	295	}
288	296