Index: sys/vm/vm_map.c
===================================================================
--- sys/vm/vm_map.c
+++ sys/vm/vm_map.c
@@ -1499,6 +1499,9 @@ vm_prot_t prot, vm_prot_t max, int cow)
 {
 vm_offset_t alignment, initial_addr, start;
+#ifdef INVARIANTS
+ vm_offset_t prev_start;
+#endif
 int result;
 KASSERT((cow & (MAP_STACK_GROWS_DOWN | MAP_STACK_GROWS_UP)) == 0 ||
@@ -1515,6 +1518,7 @@
 initial_addr = *addr;
 vm_map_lock(map);
 again:
+ result = KERN_SUCCESS;
 start = initial_addr;
 do {
 if (find_space != VMFS_NO_SPACE) {
@@ -1542,9 +1546,14 @@
 }
 break;
 }
-
+ if (*addr < start || *addr + length < *addr || *addr + length < length) {
+ vm_map_unlock(map);
+ return (KERN_NO_SPACE);
+ }
 start = *addr;
 }
+ MPASS(result == KERN_SUCCESS || prev_start < start);
 if ((cow & (MAP_STACK_GROWS_DOWN | MAP_STACK_GROWS_UP)) != 0) {
 result = vm_map_stack_locked(map, start, length, sgrowsiz,
 prot, max, cow);
@@ -1552,6 +1561,9 @@
 result = vm_map_insert(map, object, offset, start,
 start + length, prot, max, cow);
 }
+#ifdef INVARIANTS
+ prev_start = start;
+#endif
 } while (result == KERN_NO_SPACE && find_space != VMFS_NO_SPACE &&
 find_space != VMFS_ANY_SPACE);
 vm_map_unlock(map);
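Review bot: The `result = KERN_SUCCESS;` added after `again:` is what keeps the loop's later `MPASS(result == KERN_SUCCESS || prev_start < start)` from reading `prev_start` on the first pass, because `prev_start` is only assigned at the bottom of the loop body; nothing at this line says so, and a later reader could drop the reset as redundant and reintroduce the uninitialized read in INVARIANTS kernels. A comment would pin the coupling, e.g. `/* First pass: the MPASS() in the loop must not read prev_start. */`. The enclosing function's signature and return are outside this hunk.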
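Review bot: In the new overflow guard, `*addr + length < *addr` and `*addr + length < length` detect the same unsigned wrap (for unsigned a and b, a + b wraps exactly when a + b < a, which is also exactly when a + b < b), so one of the two terms is redundant; `if (*addr < start || *addr + length < *addr) {` says the same thing in one line. The guard only runs inside the `find_space != VMFS_NO_SPACE` branch, so a caller-supplied fixed address (the `start = initial_addr` path) still reaches `vm_map_stack_locked()` / `vm_map_insert()` with a possibly wrapped `start + length`; whether those calls reject it depends on their own range checks, which are not visible here — confirm, or apply the same test on that path. Returning immediately on wrap also skips the do/while retry that re-runs the search when an aligned placement fails with KERN_NO_SPACE; if that fallback is meant to cover a wrapped aligned candidate as well, the guard should set `result` and proceed to the loop condition instead of returning, which would need care with the `prev_start` bookkeeping. The enclosing function begins before and ends after this hunk.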