From c4968279218cf246323e38bbbd44ce2774871fde Mon Sep 17 00:00:00 2001
From: Thomas Hellstrom <thomas-at-tungstengraphics-dot-com>
Date: Tue, 3 Apr 2007 10:54:23 +0200
Subject: [PATCH] Fix user object reference when caller is not object creator.
 (Reported by Dave Airlie).

---
 linux-core/drm_object.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/linux-core/drm_object.c b/linux-core/drm_object.c
index 23412ed0..03906034 100644
--- a/linux-core/drm_object.c
+++ b/linux-core/drm_object.c
@@ -240,11 +240,17 @@ int drm_user_object_ref(drm_file_t * priv, uint32_t user_token,
 {
 	drm_device_t *dev = priv->head->dev;
 	drm_user_object_t *uo;
+	drm_hash_item_t *hash;
 	int ret;
 
 	mutex_lock(&dev->struct_mutex);
-	uo = drm_lookup_user_object(priv, user_token);
-	if (!uo || (uo->type != type)) {
+	ret = drm_ht_find_item(&dev->object_hash, user_token, &hash);
+	if (ret) {
+		DRM_ERROR("Could not find user object to reference.\n");
+		goto out_err;
+	}
+	uo = drm_hash_entry(hash, drm_user_object_t, hash);
+	if (uo->type != type) {
 		ret = -EINVAL;
 		goto out_err;
 	}
@@ -253,7 +259,6 @@ int drm_user_object_ref(drm_file_t * priv, uint32_t user_token,
 		goto out_err;
 	mutex_unlock(&dev->struct_mutex);
 	*object = uo;
-	DRM_ERROR("Referenced an object\n");
 	return 0;
       out_err:
 	mutex_unlock(&dev->struct_mutex);
@@ -281,7 +286,6 @@ int drm_user_object_unref(drm_file_t * priv, uint32_t user_token,
 	}
 	drm_remove_ref_object(priv, ro);
 	mutex_unlock(&dev->struct_mutex);
-	DRM_ERROR("Unreferenced an object\n");
 	return 0;
       out_err:
 	mutex_unlock(&dev->struct_mutex);
-- 
2.11.0