From: Kevin Lourenco <klourencodev@gmail.com>

The computation of the loop end pointer can underflow when size is
smaller than the alignment offset:

    (size - (start_phys_aligned - start_phys))

If size < offset, the unsigned subtraction wraps to ~0, causing a
massive loop iteration that writes far beyond the intended region,
leading to memory corruption during early boot.

While unlikely in practice (memblock regions are typically KB/MB), cost is negligible
(one comparison), but it prevents catastrophic memory corruption in
edge cases.

Signed-off-by: Kevin Lourenco <klourencodev@gmail.com>
---
 mm/memtest.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/mm/memtest.c b/mm/memtest.c
index c2c609c39119..d86c41f1c189 100644
--- a/mm/memtest.c
+++ b/mm/memtest.c
@@ -41,12 +41,17 @@ static void __init memtest(u64 pattern, phys_addr_t start_phys, phys_addr_t size
 {
 	u64 *p, *start, *end;
 	phys_addr_t start_bad, last_bad;
-	phys_addr_t start_phys_aligned;
+	phys_addr_t start_phys_aligned, offset;
 	const size_t incr = sizeof(pattern);
 
 	start_phys_aligned = ALIGN(start_phys, incr);
 	start = __va(start_phys_aligned);
-	end = start + (size - (start_phys_aligned - start_phys)) / incr;
+	
+	offset = start_phys_aligned - start_phys;
+	if (size < offset)
+		return;
+
+	end = start + (size - offset) / incr;
 	start_bad = 0;
 	last_bad = 0;
 
-- 
2.47.3