In the past we've had bugs where lack of argument validation allowed a
user-controlled size to be passed to kmem_malloc() and friends.
Explicitly check before rounding up the allocation size to the page size.
This requires a bit of reorganization for kmem_alloc_san(), which wants
both the requested size and the true allocation size.