Hold the mutex throughout BoundedPageAllocator::ReleasePages

Previously, an allocation from a separate thread could grab the
just-released region and make it accessible before the regions
permissions are changed to kNoAccess at the end of ReleasePages.

Bug: v8:12414
Change-Id: I98c8f8e3df76d4a44c357ddab107cfeff20049b8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3293083Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77997}

src/base/bounded-page-allocator.cc

@@ -142,6 +142,9 @@ bool BoundedPageAllocator::ReleasePages(void* raw_address, size_t size,
   DCHECK_LT(new_size, size);
   DCHECK(IsAligned(size - new_size, commit_page_size_));
 
+  // This must be held until the page permissions are updated.
+  MutexGuard guard(&mutex_);
+
   // Check if we freed any allocatable pages by this release.
   size_t allocated_size = RoundUp(size, allocate_page_size_);
   size_t new_allocated_size = RoundUp(new_size, allocate_page_size_);
@@ -150,13 +153,11 @@ bool BoundedPageAllocator::ReleasePages(void* raw_address, size_t size,
   {
     // There must be an allocated region at given |address| of a size not
     // smaller than |size|.
-    MutexGuard guard(&mutex_);
     DCHECK_EQ(allocated_size, region_allocator_.CheckRegion(address));
   }
 #endif
 
   if (new_allocated_size < allocated_size) {
-    MutexGuard guard(&mutex_);
     region_allocator_.TrimRegion(address, new_allocated_size);
   }