Comment 31 for bug 459961

I was getting this crash in UrbanTerror. It only happens WITHOUT KMS on (radeon.modeset=0). I made this change and it works for me:
diff -r mesa-7.7.0~git20091125+mesa-7-7-branch.7fac8ce7/src/mesa/drivers/dri/radeon/radeon_dma.c mesa-7.7.0~git20091125+mesa-7-7-branch.7fac8ce7-mine/src/mesa/drivers/dri/radeon/radeon_dma.c
351c351,352
< while ((dma_bo->bo = radeon_bo_unref(dma_bo->bo))) {}
---
> /* while ((dma_bo->bo = radeon_bo_unref(dma_bo->bo))) {} */
> radeon_bo_unref(dma_bo->bo);

This code is reused for all of the radeon drivers. If you are going to use reference counting, you can't artificially unref like that. If something else real has a pointer to that bo, it will crash (as we see) when you release the memory. It looked like to me that this line at the end of the file (in releaseRadeonArrays) caused the crash:
        radeon_bo_unref(radeon->tcl.aos[i].bo);
Apparently, it's bo pointer was the same as the one that was unrefed in the above code.

There also seems to be something wrong with the calloc() in bo_allocate(). I changed it to malloc and then memset. I don't remember if you need both of these changes or just the first.

I have attached my patch. One note, I change the variable "bo_legacy" in bo_allocate() to "bol" to make it easier for me. It should not be necessary.