venus: fix unbound malloc leak in vn_ring_get_submits

Credits to Toshinari Morikawa, and this supersedes
https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/41904.

ring->free_submits can go unbound for heavy scenes that use 3 or more
shm pool allocs for CS storage. This change fixes to loop through the
free list for a cached entry, which is good enough in practice since
the most recently retired submit is cached at the list head.

Cc: mesa-stable
Reported-by: Toshinari Morikawa <morikawa.toshinari@jp.panasonic.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/41917>

src/virtio/vulkan/vn_ring.c

@@ -418,22 +418,18 @@ vn_ring_get_id(struct vn_ring *ring)
 static struct vn_ring_submit *
 vn_ring_get_submit(struct vn_ring *ring, uint32_t shmem_count)
 {
-   const uint32_t min_shmem_count = 2;
-   struct vn_ring_submit *submit;
-
-   /* TODO this could be simplified if we could omit shmem_count */
-   if (shmem_count <= min_shmem_count &&
-       !list_is_empty(&ring->free_submits)) {
-      submit =
-         list_first_entry(&ring->free_submits, struct vn_ring_submit, head);
-      list_del(&submit->head);
-   } else {
-      const size_t submit_size = offsetof(
-         struct vn_ring_submit, shmems[MAX2(shmem_count, min_shmem_count)]);
-      submit = malloc(submit_size);
+   list_for_each_entry_safe(struct vn_ring_submit, submit,
+                            &ring->free_submits, head) {
+      if (submit->shmem_count >= shmem_count) {
+         list_del(&submit->head);
+         return submit;
+      }
    }
 
-   return submit;
+   const uint32_t min_shmem_count = 2;
+   const size_t submit_size = offsetof(
+      struct vn_ring_submit, shmems[MAX2(shmem_count, min_shmem_count)]);
+   return malloc(submit_size);
 }
 
 static bool