From f121baaa45677ab30295056dd2ca5d5355998cb1 Mon Sep 17 00:00:00 2001
From: Brian Somers
Date: Fri, 5 Jun 2009 09:16:52 +0000
Subject: [PATCH] If we're passed garbage in malloc_init(), panic() rather than expecting a KASSERT to handle it. People are likely to turn off INVARIANTS RSN and loading an old module can cause garbage-in here. I saw the issue with an older nvidia driver (x11/nvidia-driver) loading into a new kernel - a crash wasn't seen 'till sysctl_kern_malloc_stats(). I was lucky that mtp->ks_shortdesc was NULL and not something horrible. While I'm here, KASSERT that malloc_uninit() isn't passed something that's not in kmemstatistics.
MFC after: 3 weeks
---
 sys/kern/kern_malloc.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/sys/kern/kern_malloc.c b/sys/kern/kern_malloc.c
index e699a4e51e67..51045eed5afc 100644
--- a/sys/kern/kern_malloc.c
+++ b/sys/kern/kern_malloc.c
@@ -675,8 +675,8 @@ malloc_init(void *data)
 	KASSERT(cnt.v_page_count != 0, ("malloc_register before vm_init"));
 	mtp = data;
-	KASSERT(mtp->ks_magic == M_MAGIC,
-	    ("malloc_init: bad malloc type magic"));
+	if (mtp->ks_magic != M_MAGIC)
+		panic("malloc_init: bad malloc type magic");
 	mtip = uma_zalloc(mt_zone, M_WAITOK | M_ZERO);
 	mtp->ks_handle = mtip;
@@ -709,9 +709,13 @@ malloc_uninit(void *data)
 	if (mtp != kmemstatistics) {
 		for (temp = kmemstatistics; temp != NULL; temp = temp->ks_next) {
-			if (temp->ks_next == mtp)
+			if (temp->ks_next == mtp) {
 				temp->ks_next = mtp->ks_next;
+				break;
+			}
 		}
+		KASSERT(temp,
+		    ("malloc_uninit: type '%s' not found", mtp->ks_shortdesc));
 	} else
 		kmemstatistics = mtp->ks_next;
 	kmemcount--;
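Review bot: The new magic check in malloc_init() dereferences `mtp` before validating the pointer itself, so a NULL (or otherwise unmapped) `data` still dies on the `mtp->ks_magic` read with a generic page-fault trap instead of the explicit, self-describing panic this commit is adding. Since the stated goal is diagnosing garbage-in from stale modules with INVARIANTS off, it is worth guarding the pointer and naming it in the message: `if (mtp == NULL || mtp->ks_magic != M_MAGIC)` / `panic("malloc_init: bad malloc type magic (%p)", mtp);` — the pointer value is safe to print where `ks_shortdesc` is not, as the commit message itself notes. Printing `ks_magic` alongside would also help distinguish an old struct layout from a wild pointer, but that is an inference about the failure mode rather than something the hunk shows. The rest of malloc_init() lies outside the hunk.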
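Review bot: The unlinking path in malloc_uninit() is still silently wrong without INVARIANTS, which is inconsistent with the rationale this same commit gives for malloc_init(): when `mtp` is not in the list the loop leaves `temp == NULL`, the new `KASSERT(temp, ...)` compiles out, and execution falls through to `kmemcount--` (and whatever teardown follows the hunk) for a type that was never registered, corrupting the count at minimum. If the "people will turn off INVARIANTS" argument holds for init it holds here too; consider the same treatment, `if (temp == NULL) panic("malloc_uninit: type '%s' not found", mtp->ks_shortdesc);`, or at least an early return before the count is touched. Separately, the assertion message formats `mtp->ks_shortdesc` with `%s`, which the commit message itself says can be NULL or garbage for exactly the inputs this check is meant to catch; printing `%p` of `mtp` would be the safer diagnostic. malloc_uninit() continues past the end of the hunk, so the free of `mtp->ks_handle` that presumably follows is not visible here.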