CVE-2026-46202

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> HID: appletb-kbd: run inactivity autodim from workqueues<br /> <br /> The autodim code in hid-appletb-kbd takes backlight_device-&gt;ops_lock<br /> via backlight_device_set_brightness() -&gt; mutex_lock() from two<br /> different atomic contexts:<br /> <br /> * appletb_inactivity_timer() is a struct timer_list callback, so it<br /> runs in softirq context. Every expiry triggers<br /> <br /> BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591<br /> Call Trace:<br /> <br /> __might_resched<br /> __mutex_lock<br /> backlight_device_set_brightness<br /> appletb_inactivity_timer<br /> call_timer_fn<br /> run_timer_softirq<br /> <br /> * reset_inactivity_timer() is called from appletb_kbd_hid_event() and<br /> appletb_kbd_inp_event(). On real USB hardware these run in<br /> softirq/IRQ context (URB completion and input-event dispatch).<br /> When the Touch Bar has already been dimmed or turned off, the<br /> reset path calls backlight_device_set_brightness() directly to<br /> restore brightness, producing the same warning.<br /> <br /> Both call sites hit the same mutex_lock()-from-atomic bug. Fix them<br /> together by moving the blocking work onto the system workqueue:<br /> <br /> * Convert the inactivity timer from struct timer_list to<br /> struct delayed_work; the callback (appletb_inactivity_work) now<br /> runs in process context where mutex_lock() is legal.<br /> * Add a dedicated struct work_struct restore_brightness_work and have<br /> reset_inactivity_timer() schedule it instead of calling<br /> backlight_device_set_brightness() directly.<br /> <br /> Cancel both works synchronously during driver tear-down alongside the<br /> existing backlight reference drop.<br /> <br /> The semantics are unchanged (same delays, same state transitions on<br /> dim, turn-off and user activity); only the execution context of the<br /> sleeping call changes. The timer field and callback are renamed to<br /> match their new type; reset_inactivity_timer() keeps its name because<br /> it is invoked from input event paths that read naturally as "reset<br /> the inactivity timer".