From 6e97df1d76cc24d46b329d06ff2d2f1cb07f8257 Mon Sep 17 00:00:00 2001
From: Emma Anholt
Date: Fri, 6 Jun 2025 12:39:29 +0200
Subject: [PATCH] u_trace: Fix payload refcounting in u_trace_clone_append().

If the clone_append was to a chunk of the same u_trace that gets process_chunk()ed after where we're cloning from, then the payloads would have been unreffed in the previous chunk's cleanup_chunk(). Fixes use-after-frees with turnip gmem rendering that resulted in corrupted payloads.

Fixes: 14e45cb21eaf ("util/u_trace: refcount payloads")
Part-of:
---
 src/util/perf/u_trace.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/util/perf/u_trace.c b/src/util/perf/u_trace.c
index 3cb1d90cfbc..17f3544d1d2 100644
--- a/src/util/perf/u_trace.c
+++ b/src/util/perf/u_trace.c
@@ -898,7 +898,7 @@ u_trace_clone_append(struct u_trace_iterator begin_it,
 to_copy * sizeof(struct u_trace_event));
 /* Take a refcount on payloads from from_chunk if needed. */
-if (begin_it.ut != into) {
+if (from_chunk != to_chunk) {
 struct u_trace_payload_buf **in_payload;
 u_vector_foreach (in_payload, &from_chunk->payloads) {
 struct u_trace_payload_buf **out_payload =
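Review bot: The comment above the changed condition, `/* Take a refcount on payloads from from_chunk if needed. */`, no longer explains what "needed" means now that the test is chunk identity rather than `begin_it.ut != into`; the lifetime reasoning from the commit message belongs next to the check so the next reader does not revert it to the trace-identity form. Suggest `/* Take a refcount on payloads from from_chunk: unless it is the destination chunk, it may be process_chunk()ed (and its payloads unreffed in cleanup_chunk()) before to_chunk is consumed, even within the same u_trace. */`. The loop below appears to take a reference on every payload buffer in from_chunk rather than only those the copied events point at, which is pre-existing and presumably a conservative choice; a one-line comment saying so would help, if that is intentional. The body of u_trace_clone_append starts before this hunk and continues past it.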