PT-2026-44325 · Linux · Linux
Published
2026-05-28
·
Updated
2026-05-28
·
CVE-2026-46202
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
HID: appletb-kbd: run inactivity autodim from workqueues
The autodim code in hid-appletb-kbd takes backlight device->ops lock
via backlight device set brightness() -> mutex lock() from two
different atomic contexts:
-
appletb inactivity timer() is a struct timer list callback, so it runs in softirq context. Every expiry triggersBUG: sleeping function called from invalid context at kernel/locking/mutex.c:591 Call Trace: might resched mutex lock backlight device set brightness appletb inactivity timer call timer fn run timer softirq
-
reset inactivity timer() is called from appletb kbd hid event() and appletb kbd inp event(). On real USB hardware these run in softirq/IRQ context (URB completion and input-event dispatch). When the Touch Bar has already been dimmed or turned off, the reset path calls backlight device set brightness() directly to restore brightness, producing the same warning.
Both call sites hit the same mutex lock()-from-atomic bug. Fix them
together by moving the blocking work onto the system workqueue:
- Convert the inactivity timer from struct timer list to struct delayed work; the callback (appletb inactivity work) now runs in process context where mutex lock() is legal.
- Add a dedicated struct work struct restore brightness work and have reset inactivity timer() schedule it instead of calling backlight device set brightness() directly.
Cancel both works synchronously during driver tear-down alongside the
existing backlight reference drop.
The semantics are unchanged (same delays, same state transitions on
dim, turn-off and user activity); only the execution context of the
sleeping call changes. The timer field and callback are renamed to
match their new type; reset inactivity timer() keeps its name because
it is invoked from input event paths that read naturally as "reset
the inactivity timer".
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Linux