authorMichael Anthony Knyszek <mknyszek@google.com>2020-04-22 21:36:11 +0000
committerMichael Knyszek <mknyszek@google.com>2020-04-27 21:37:31 +0000
commit287d1ec96c1271de532c6b1160cd9cbbe717ee34 (patch)
tree63c19da7e5e16975f951b27de9f06f9df7762c11 /src/runtime/mpagecache.go
parent9a3f22be7a3a28bd8f33a86925e2b05f2314ead2 (diff)
runtime: ensure allocToCache updates searchAddr in a valid way
Currently allocToCache assumes it can move the search address past the block it allocated the cache from, which violates the property that searchAddr should always point to mapped memory (i.e. memory represented by pageAlloc.inUse). This bug was already fixed once for pageAlloc.alloc in the Go 1.14 release via CL 216697, but that change failed to take into account allocToCache. Fixes #38605. Change-Id: Id08180aa10d19dc0f9f551a1d9e327a295560dff Reviewed-on: https://go-review.googlesource.com/c/go/+/229577 Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: David Chase <drchase@google.com>
Diffstat (limited to 'src/runtime/mpagecache.go')
-rw-r--r--src/runtime/mpagecache.go13
1 files changed, 9 insertions, 4 deletions
diff --git a/src/runtime/mpagecache.go b/src/runtime/mpagecache.go
index 5b679d357d..fae54d7cdd 100644
--- a/src/runtime/mpagecache.go
+++ b/src/runtime/mpagecache.go
@@ -148,9 +148,14 @@ func (s *pageAlloc) allocToCache() pageCache {
// Update as an allocation, but note that it's not contiguous.
s.update(c.base, pageCachePages, false, true)
- // We're always searching for the first free page, and we always know the
- // up to pageCache size bits will be allocated, so we can always move the
- // searchAddr past the cache.
- s.searchAddr = c.base + pageSize*pageCachePages
+ // Set the search address to the last page represented by the cache.
+ // Since all of the pages in this block are going to the cache, and we
+ // searched for the first free page, we can confidently start at the
+ // next page.
+ //
+ // However, s.searchAddr is not allowed to point into unmapped heap memory
+ // unless it is maxSearchAddr, so make it the last page as opposed to
+ // the page after.
+ s.searchAddr = c.base + pageSize*(pageCachePages-1)
return c
}
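Review bot: The new comment above `s.searchAddr = c.base + pageSize*(pageCachePages-1)` is hard to follow, because its first paragraph says the search can start at the next page and its second paragraph then explains why the code does not do that. It also never states why the last page of the block is itself guaranteed to be mapped, which is the fact the fix depends on. I would open the comment with the invariant and the reason, for example `// searchAddr must point into mapped memory (or be maxSearchAddr); the block's last page is mapped, the page after it may not be.`, presumably true because the whole block comes from the chunk the cache was taken from. The commit message says the same invariant was already repaired once in pageAlloc.alloc, so it may be worth documenting it at the searchAddr field rather than at each write site. allocToCache begins outside this hunk, so the earlier writes to searchAddr in the function are not visible here.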