Hi, Currently two checks in the free() function confirm the correctness of the freedsize argument. I think it is better to check that the provided freedsize falls into the same bucket that was recorded in the kmemusage struct: that covers both cases.
Index: sys/kern/kern_malloc.c
===================================================================
RCS file: /cvs/src/sys/kern/kern_malloc.c,v
retrieving revision 1.128
diff -u -p -r1.128 kern_malloc.c
--- sys/kern/kern_malloc.c 14 Mar 2015 03:38:50 -0000 1.128
+++ sys/kern/kern_malloc.c 9 Dec 2015 17:54:30 -0000
@@ -387,12 +387,10 @@ free(void *addr, int type, size_t freeds
 size = kup->ku_pagecnt << PAGE_SHIFT;
 s = splvm();
 #ifdef DIAGNOSTIC
- if (freedsize != 0 && freedsize > size)
- panic("free: size too large %zu > %ld (%p) type %s",
- freedsize, size, addr, memname[type]);
- if (freedsize != 0 && size > MINALLOCSIZE && freedsize < size / 2)
- panic("free: size too small %zu < %ld / 2 (%p) type %s",
- freedsize, size, addr, memname[type]);
+ if (freedsize != 0 && kup->ku_indx != BUCKETINDX(freedsize))
+ panic("free: size is wrong %zu (bucket %ld, should be %d) type %s",
+ freedsize, BUCKETINDX(freedsize),
+ kup->ku_indx, memname[type]);
 /*
 * Check for returns of data that do not point to the
 * begi
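Review bot: The new panic message drops the `(%p)` address that both replaced messages printed, and it keeps `%ld` for `BUCKETINDX(freedsize)` even though that macro (defined in sys/malloc.h, not shown here) appears to evaluate to a plain int rather than the `long size` the old format was written for, so the conversion no longer matches its argument. Without the address, a DIAGNOSTIC panic no longer identifies which allocation was misfreed, which is exactly the evidence this check exists to preserve. I would write the added panic as `panic("free: size is wrong %zu (bucket %d, should be %d) (%p) type %s",` / `freedsize, BUCKETINDX(freedsize),` / `kup->ku_indx, addr, memname[type]);`. free() continues past the end of the hunk, and the hunk's last context line is truncated in this copy.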