In the Linux kernel, the following vulnerability has been resolved:
scsi: ufs: core: Fix shift issue in ufshcd_clear_cmd()
When task_tag >= 32 (in MCQ mode) and sizeof(unsigned int) == 4, 1U << task_tag will be out of bounds for a u32 mask. Fix this up to prevent SHIFT_ISSUE (bitwise shifts that are out of bounds for their data type).
[name:debug_monitors&]Unexpected kernel BRK exception at EL1
[name:traps&]Internal error: BRK handler: 00000000f2005514 [#1] PREEMPT SMP
[name:mediatek_cpufreq_hw&]cpufreq stop DVFS log done
[name:mrdump&]Kernel Offset: 0x1ba5800000 from 0xffffffc008000000
[name:mrdump&]PHYS_OFFSET: 0x80000000
[name:mrdump&]pstate: 22400005 (nzCv daif +PAN -UAO)
[name:mrdump&]pc : [0xffffffdbaf52bb2c] ufshcd_clear_cmd+0x280/0x288
[name:mrdump&]lr : [0xffffffdbaf52a774] ufshcd_wait_for_dev_cmd+0x3e4/0x82c
[name:mrdump&]sp : ffffffc0081471b0
<snip>
Workqueue: ufs_eh_wq_0 ufshcd_err_handler
Call trace:
 dump_backtrace+0xf8/0x144
 show_stack+0x18/0x24
 dump_stack_lvl+0x78/0x9c
 dump_stack+0x18/0x44
 mrdump_common_die+0x254/0x480 [mrdump]
 ipanic_die+0x20/0x30 [mrdump]
 notify_die+0x15c/0x204
 die+0x10c/0x5f8
 arm64_notify_die+0x74/0x13c
 do_debug_exception+0x164/0x26c
 el1_dbg+0x64/0x80
 el1h_64_sync_handler+0x3c/0x90
 el1h_64_sync+0x68/0x6c
 ufshcd_clear_cmd+0x280/0x288
 ufshcd_wait_for_dev_cmd+0x3e4/0x82c
 ufshcd_exec_dev_cmd+0x5bc/0x9ac
 ufshcd_verify_dev_init+0x84/0x1c8
 ufshcd_probe_hba+0x724/0x1ce0
 ufshcd_host_reset_and_restore+0x260/0x574
 ufshcd_reset_and_restore+0x138/0xbd0
 ufshcd_err_handler+0x1218/0x2f28
 process_one_work+0x5fc/0x1140
 worker_thread+0x7d8/0xe20
 kthread+0x25c/0x468
 ret_from_fork+0x10/0x20
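
The shift problem described above, as an added user-space illustration that is not the kernel's code or its patch: a one-bit u32 mask is built only on the path where the tag is known to fit, and an out-of-range tag is rejected instead of shifted. The names tag_to_mask, clear_cmd, clear_result and the pending bitmap are hypothetical.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Number of bits in the u32 mask the description refers to. */
#define MASK_BITS (sizeof(uint32_t) * CHAR_BIT)

enum clear_result { CLEARED_VIA_QUEUE, CLEARED_VIA_MASK, REJECTED };

/* Build a one-bit mask, refusing any tag that has no bit in a u32.
 * Shifting by >= the operand width is undefined behaviour in C. */
static bool tag_to_mask(uint32_t task_tag, uint32_t *mask)
{
    if (task_tag >= MASK_BITS)
        return false;
    *mask = UINT32_C(1) << task_tag;
    return true;
}

/* Hypothetical clear routine: 'pending' models a 32-slot bitmap that
 * only the non-MCQ path uses. */
static enum clear_result clear_cmd(bool mcq_mode, uint32_t task_tag,
                                   uint32_t *pending)
{
    uint32_t mask;

    if (mcq_mode)               /* tags may be >= 32: no mask is built */
        return CLEARED_VIA_QUEUE;
    if (!tag_to_mask(task_tag, &mask))
        return REJECTED;        /* out-of-range tag on the bitmap path */
    *pending &= ~mask;
    return CLEARED_VIA_MASK;
}

int main(void)
{
    uint32_t pending = 0xFu;    /* constructed sample: slots 0-3 busy */

    printf("%d\n", clear_cmd(true, 40, &pending));
    printf("%d 0x%x\n", clear_cmd(false, 3, &pending), (unsigned)pending);
    printf("%d\n", clear_cmd(false, 32, &pending));
    return 0;
}
```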