CVE-2025-38229

Source
https://cve.org/CVERecord?id=CVE-2025-38229
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38229.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38229
Published
2025-07-04T13:37:43.321Z
Modified
2026-03-20T12:42:45.478776Z
Summary
media: cxusb: no longer judge rbuf when the write fails
Details

In the Linux kernel, the following vulnerability has been resolved:

media: cxusb: no longer judge rbuf when the write fails

syzbot reported an uninit-value in cxusb_i2c_xfer. [1]

Only when the write operation of usb_bulk_msg() in dvb_usb_generic_rw() succeeds and rlen is greater than 0, the read operation of usb_bulk_msg() will be executed to read rlen bytes of data from the dvb device into the rbuf.

In this case, although rlen is 1, the write operation failed which resulted in the dvb read operation not being executed, and ultimately variable i was not initialized.

[1]
BUG: KMSAN: uninit-value in cxusb_gpio_tuner drivers/media/usb/dvb-usb/cxusb.c:124 [inline]
BUG: KMSAN: uninit-value in cxusb_i2c_xfer+0x153a/0x1a60 drivers/media/usb/dvb-usb/cxusb.c:196
 cxusb_gpio_tuner drivers/media/usb/dvb-usb/cxusb.c:124 [inline]
 cxusb_i2c_xfer+0x153a/0x1a60 drivers/media/usb/dvb-usb/cxusb.c:196
 __i2c_transfer+0xe25/0x3150 drivers/i2c/i2c-core-base.c:-1
 i2c_transfer+0x317/0x4a0 drivers/i2c/i2c-core-base.c:2315
 i2c_transfer_buffer_flags+0x125/0x1e0 drivers/i2c/i2c-core-base.c:2343
 i2c_master_send include/linux/i2c.h:109 [inline]
 i2cdev_write+0x210/0x280 drivers/i2c/i2c-dev.c:183
 do_loop_readv_writev fs/read_write.c:848 [inline]
 vfs_writev+0x963/0x14e0 fs/read_write.c:1057
 do_writev+0x247/0x5c0 fs/read_write.c:1101
 __do_sys_writev fs/read_write.c:1169 [inline]
 __se_sys_writev fs/read_write.c:1166 [inline]
 __x64_sys_writev+0x98/0xe0 fs/read_write.c:1166
 x64_sys_call+0x2229/0x3c80 arch/x86/include/generated/asm/syscalls_64.h:21
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x1e0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
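
The failure mode described above, as an added userspace model (not the kernel source and not the upstream patch): a caller that ignores the transfer's return value bases its verdict on whatever the one-byte read buffer already held. The names `model_generic_rw`, `gpio_write_unchecked`, `gpio_write_checked` and the `stale` parameter, which stands in for the uninitialised stack byte so the result is reproducible, are assumptions made for this example.

```c
/* Userspace model of the pattern described above; not kernel code. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum verdict { GPIO_OK, GPIO_NAK, GPIO_IO_ERROR };

/* Hypothetical helper modelling the write-then-read transfer: rbuf is
 * filled only when the write succeeded and rlen > 0. */
static int model_generic_rw(int write_fails, unsigned char *rbuf, int rlen)
{
    if (write_fails)
        return -EIO;            /* read phase skipped, rbuf untouched */
    if (rbuf && rlen > 0)
        memset(rbuf, 0x01, (size_t)rlen);   /* constructed device reply */
    return 0;
}

/* Unchecked caller: 'stale' stands in for whatever the uninitialised
 * stack byte happened to hold, so the outcome is reproducible here. */
static enum verdict gpio_write_unchecked(int write_fails, unsigned char stale)
{
    unsigned char i = stale;
    model_generic_rw(write_fails, &i, 1);   /* return value ignored */
    return i == 0x01 ? GPIO_OK : GPIO_NAK;  /* judges rbuf regardless */
}

/* Checked caller: rbuf is inspected only after a successful transfer. */
static enum verdict gpio_write_checked(int write_fails, unsigned char stale)
{
    unsigned char i = stale;
    int ret = model_generic_rw(write_fails, &i, 1);
    if (ret < 0)
        return GPIO_IO_ERROR;
    return i == 0x01 ? GPIO_OK : GPIO_NAK;
}

int main(void)
{
    printf("unchecked, stale=0x01: %d\n", gpio_write_unchecked(1, 0x01));
    printf("unchecked, stale=0x00: %d\n", gpio_write_unchecked(1, 0x00));
    printf("checked,   stale=0x01: %d\n", gpio_write_checked(1, 0x01));
    return 0;
}
```

With a failed write, the unchecked caller reports success or failure purely from the stale byte, while the checked caller reports the I/O error without reading the buffer.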

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38229.json",
    "cna_assigner": "Linux"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
22c6d93a73105fddd58796d7cb10f5f90ee2a338
Fixed
77829a5f5a74026b888b0529628475b29750cef4
Fixed
390b864e3281802109dfe56e508396683e125653
Fixed
41807a5f67420464ac8ee7741504f6b5decb3b7c
Fixed
84eca597baa346f09b30accdaeca10ced3eeba2d
Fixed
04354c529c8246a38ae28f713fd6bfdc028113bc
Fixed
9bff888c92f5c25effbb876d22a793c2388c1ccc
Fixed
8b35b50b7e98d8e9a0a27257c8424448afae10de
Fixed
73fb3b92da84637e3817580fa205d48065924e15

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38229.json"