CVE-2022-49376: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-49376 affects the Linux kernel's SCSI subsystem, specifically in the sd (SCSI disk) driver. The vulnerability was discovered when sd_probe() encounters an early error before sdkp->device is initialized, leading to a NULL pointer dereference in sd_is_zoned() when called inside sd_zbc_release_disk() function (Kernel Git).

The vulnerability occurs in the error handling path of sd_probe() function in the SCSI disk driver. When an error occurs before sdkp->device initialization, the code calls sd_zbc_release_disk(), which internally calls sd_is_zoned() with an uninitialized pointer, resulting in a NULL pointer dereference. This issue was introduced by commit 89d947561077 which implemented support for ZBC devices (Kernel Git).

The vulnerability can lead to a kernel crash when the system attempts to probe a SCSI disk device and encounters specific error conditions, potentially causing a denial of service condition (NVD).

The issue has been fixed by removing the call to sd_zbc_release_disk() in the sd_probe() error path. This fix is safe and does not result in zone information memory leakage, as zone information for a zoned disk is only allocated when sd_revalidate_disk() is called, at which point sdkp->disk_dev is fully set (Kernel Git).