[syzbot] Monthly media report (Mar 2026)

[syzbot] Monthly media report (Mar 2026)

[syzbot]

Hello media maintainers/developers,

This is a 31-day syzbot report for the media subsystem.
All related reports/information can be found at:
https://syzkaller.appspot.com/upstream/s/media

During the period, 8 new issues were detected and 1 were fixed.
In total, 32 issues are still open and 103 have already been fixed.

Some of the still happening issues:

Ref  Crashes Repro Title
<1>  2684    Yes   KASAN: slab-use-after-free Read in dvb_device_open
                   https://syzkaller.appspot.com/bug?extid=1eb177ecc3943b883f0a
<2>  451     Yes   KASAN: slab-use-after-free Read in em28xx_release_resources
                   https://syzkaller.appspot.com/bug?extid=16062f26c6480975e5ed
<3>  340     Yes   KMSAN: uninit-value in dvbdmx_release_ts_feed
                   https://syzkaller.appspot.com/bug?extid=01d4620886bee3db0e74
<4>  137     No    KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer (4)
                   https://syzkaller.appspot.com/bug?extid=dac8f5eaa46837e97b89
<5>  124     Yes   general protection fault in dvb_usbv2_generic_write
                   https://syzkaller.appspot.com/bug?extid=f9f5333782a854509322
<6>  120     No    KASAN: slab-use-after-free Write in as102_release (2)
                   https://syzkaller.appspot.com/bug?extid=47321e8fd5a4c84088db
<7>  111     Yes   general protection fault in vidtv_psi_desc_assign
                   https://syzkaller.appspot.com/bug?extid=1f5bcc7c919ec578777a
<8>  34      No    general protection fault in vidtv_psi_ts_psi_write_into
                   https://syzkaller.appspot.com/bug?extid=814c351d094f4f1a1b86
<9>  11      Yes   BUG: corrupted list in az6007_i2c_xfer
                   https://syzkaller.appspot.com/bug?extid=0192952caa411a3be209
<10> 4       Yes   KASAN: slab-use-after-free Read in v4l2_release (2)
                   https://syzkaller.appspot.com/bug?extid=a658d41cf8564471775e

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

To disable reminders for individual bugs, reply with the following command:
#syz set <Ref> no-reminders

To change bug's subsystems, reply with:
#syz set <Ref> subsystems: new-subsystem

You may send multiple commands in a single email message.

Re: [syzbot] Monthly media report (Mar 2026)

[Nicolas Dufresne]

[-- Attachment #1: Type: text/plain, Size: 3251 bytes --]

Hi,

Le mardi 03 mars 2026 à 00:07 -0800, syzbot a écrit :
> Hello media maintainers/developers,
> 
> This is a 31-day syzbot report for the media subsystem.
> All related reports/information can be found at:
> https://syzkaller.appspot.com/upstream/s/media
> 
> During the period, 8 new issues were detected and 1 were fixed.
> In total, 32 issues are still open and 103 have already been fixed.
> 
> Some of the still happening issues:
> 
> Ref  Crashes Repro Title
> <1>  2684    Yes   KASAN: slab-use-after-free Read in dvb_device_open
>                    https://syzkaller.appspot.com/bug?extid=1eb177ecc3943b883f0a
> <2>  451     Yes   KASAN: slab-use-after-free Read in em28xx_release_resources
>                    https://syzkaller.appspot.com/bug?extid=16062f26c6480975e5ed
> <3>  340     Yes   KMSAN: uninit-value in dvbdmx_release_ts_feed
>                    https://syzkaller.appspot.com/bug?extid=01d4620886bee3db0e74
> <4>  137     No    KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer (4)
>                    https://syzkaller.appspot.com/bug?extid=dac8f5eaa46837e97b89

I'm quite new to this initiative, but I work with a few other initiative in
other project. What is the process for relevant maintainer to gain access to the
reproducing code ? Specifically this issue has been looked at by Hans, but he
never figured out what the robot found and could reproduce.

With ZDI and other initiative, we have private back channel, and they provide C
code so we can go straight into fixing and validating.

cheers,
Nicolas

> <5>  124     Yes   general protection fault in dvb_usbv2_generic_write
>                    https://syzkaller.appspot.com/bug?extid=f9f5333782a854509322
> <6>  120     No    KASAN: slab-use-after-free Write in as102_release (2)
>                    https://syzkaller.appspot.com/bug?extid=47321e8fd5a4c84088db
> <7>  111     Yes   general protection fault in vidtv_psi_desc_assign
>                    https://syzkaller.appspot.com/bug?extid=1f5bcc7c919ec578777a
> <8>  34      No    general protection fault in vidtv_psi_ts_psi_write_into
>                    https://syzkaller.appspot.com/bug?extid=814c351d094f4f1a1b86
> <9>  11      Yes   BUG: corrupted list in az6007_i2c_xfer
>                    https://syzkaller.appspot.com/bug?extid=0192952caa411a3be209
> <10> 4       Yes   KASAN: slab-use-after-free Read in v4l2_release (2)
>                    https://syzkaller.appspot.com/bug?extid=a658d41cf8564471775e
> 
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
> 
> To disable reminders for individual bugs, reply with the following command:
> #syz set <Ref> no-reminders
> 
> To change bug's subsystems, reply with:
> #syz set <Ref> subsystems: new-subsystem
> 
> You may send multiple commands in a single email message.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

Re: [syzbot] Monthly media report (Mar 2026)

[Pimyn Girgis]

On Fri, Mar 6, 2026 at 5:17 PM Nicolas Dufresne <nicolas@ndufresne.ca> wrote:
>
> Hi,
Hi Nicolas!
>
> Le mardi 03 mars 2026 à 00:07 -0800, syzbot a écrit :
> > Hello media maintainers/developers,
> >
> > This is a 31-day syzbot report for the media subsystem.
> > All related reports/information can be found at:
> > https://syzkaller.appspot.com/upstream/s/media
> >
> > During the period, 8 new issues were detected and 1 were fixed.
> > In total, 32 issues are still open and 103 have already been fixed.
> >
> > Some of the still happening issues:
> >
> > Ref  Crashes Repro Title
> > <1>  2684    Yes   KASAN: slab-use-after-free Read in dvb_device_open
> >                    https://syzkaller.appspot.com/bug?extid=1eb177ecc3943b883f0a
> > <2>  451     Yes   KASAN: slab-use-after-free Read in em28xx_release_resources
> >                    https://syzkaller.appspot.com/bug?extid=16062f26c6480975e5ed
> > <3>  340     Yes   KMSAN: uninit-value in dvbdmx_release_ts_feed
> >                    https://syzkaller.appspot.com/bug?extid=01d4620886bee3db0e74
> > <4>  137     No    KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer (4)
> >                    https://syzkaller.appspot.com/bug?extid=dac8f5eaa46837e97b89
>
> I'm quite new to this initiative, but I work with a few other initiative in
> other project. What is the process for relevant maintainer to gain access to the
> reproducing code ? Specifically this issue has been looked at by Hans, but he
> never figured out what the robot found and could reproduce.
Unfortunately, not all issues are easily reproducible. This specific
issue seems to be one of those.
In other cases, the reproducers are available in one or two forms:
1. Syz reproducers (written in Syzkaller DSL)
2. C reproducers
A Syz reproducer is a prerequisite for a C reproducer, so you will
never only find a C reproducer.

The bug right above it:
https://syzkaller.appspot.com/bug?extid=01d4620886bee3db0e74 seems to
have reproducers.
If you scroll down on the bug page, you can see the `Crashes` table,
which contains all the relevant information.
Please see here for instructions on how to reproduce bugs using the
assets: https://github.com/google/syzkaller/blob/master/docs/syzbot_assets.md
Here if you don't want to use the assets:
https://github.com/google/syzkaller/blob/master/docs/reproducing_crashes.md
And here for information about Syzkaller DSL
https://github.com/google/syzkaller/blob/master/docs/program_syntax.md

Please let us know if you have any more questions :)


>
> With ZDI and other initiative, we have private back channel, and they provide C
> code so we can go straight into fixing and validating.
>
> cheers,
> Nicolas
>
> > <5>  124     Yes   general protection fault in dvb_usbv2_generic_write
> >                    https://syzkaller.appspot.com/bug?extid=f9f5333782a854509322
> > <6>  120     No    KASAN: slab-use-after-free Write in as102_release (2)
> >                    https://syzkaller.appspot.com/bug?extid=47321e8fd5a4c84088db
> > <7>  111     Yes   general protection fault in vidtv_psi_desc_assign
> >                    https://syzkaller.appspot.com/bug?extid=1f5bcc7c919ec578777a
> > <8>  34      No    general protection fault in vidtv_psi_ts_psi_write_into
> >                    https://syzkaller.appspot.com/bug?extid=814c351d094f4f1a1b86
> > <9>  11      Yes   BUG: corrupted list in az6007_i2c_xfer
> >                    https://syzkaller.appspot.com/bug?extid=0192952caa411a3be209
> > <10> 4       Yes   KASAN: slab-use-after-free Read in v4l2_release (2)
> >                    https://syzkaller.appspot.com/bug?extid=a658d41cf8564471775e
> >
> > ---
> > This report is generated by a bot. It may contain errors.
> > See https://goo.gl/tpsmEJ for more information about syzbot.
> > syzbot engineers can be reached at syzkaller@googlegroups.com.
> >
> > To disable reminders for individual bugs, reply with the following command:
> > #syz set <Ref> no-reminders
> >
> > To change bug's subsystems, reply with:
> > #syz set <Ref> subsystems: new-subsystem
> >
> > You may send multiple commands in a single email message.
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/syzkaller-bugs/76fe124bc112126324d7ed05188518cef7223609.camel%40ndufresne.ca.