CVE-2026-46213

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
28/05/2026
Last modified:
28/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

HID: appletb-kbd: fix UAF in inactivity-timer cleanup path

Commit 38224c472a03 ("HID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe") added timer_delete_sync(&kbd->inactivity_timer) to both the probe close_hw error path and appletb_kbd_remove(), but the way it was wired in left the inactivity timer reachable during driver tear-down via two distinct windows.

Window A -- put_device() before timer_delete_sync():

    put_device(&kbd->backlight_dev->dev);
    timer_delete_sync(&kbd->inactivity_timer);

The inactivity_timer softirq reads kbd->backlight_dev and calls backlight_device_set_brightness() -> mutex_lock(&ops_lock). If a concurrent hid_appletb_bl unbind drops the last devm reference between these two calls, the backlight_device is freed and the mutex_lock() touches freed memory.

Window B -- backlight cleanup before hid_hw_stop():

    if (kbd->backlight_dev) {
        timer_delete_sync(...);
        put_device(...);
    }
    hid_hw_close(hdev);
    hid_hw_stop(hdev);

Even after Window A is closed, hid_hw_close()/hid_hw_stop() still run afterwards, so a late ".event" callback from the HID core (USB URB completion on real Apple hardware) can arrive after timer_delete_sync() drained the softirq but before put_device() drops the reference. That callback reaches reset_inactivity_timer(), which calls mod_timer() and re-arms the timer. The freshly re-armed timer can then fire on the about-to-be-freed backlight_device.

Both windows produce the same KASAN slab-use-after-free:

    BUG: KASAN: slab-use-after-free in __mutex_lock+0x1aab/0x21c0
    Read of size 8 at addr ffff88803ee9a108 by task swapper/0/0
    Call Trace:
      __mutex_lock
      backlight_device_set_brightness
      appletb_inactivity_timer
      call_timer_fn
      run_timer_softirq
      handle_softirqs
    Allocated by task N:
      devm_backlight_device_register
      appletb_bl_probe
    Freed by task M:
      (concurrent hid_appletb_bl unbind path)

Close both windows at once by reworking the tear-down in appletb_kbd_remove() and in the probe close_hw error path so that

1) hid_hw_close()/hid_hw_stop() run before the backlight cleanup, guaranteeing no further .event callback can fire and re-arm the timer, and
2) inside the "if (kbd->backlight_dev)" block, timer_delete_sync() runs before put_device(), so the softirq is drained before the final reference is dropped.
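The following is an added user-space C model of the three tear-down orderings described above. It is not the kernel driver's code or the fix; the structs and helpers (backlight_dev, kbd, put_device, timer_delete_sync, mod_timer, late_hid_event, hid_hw_stop, run_timer_softirq) are constructed stand-ins for the kernel objects, and the interleavings with the concurrent hid_appletb_bl unbind and the late HID .event are scripted explicitly rather than raced. It shows why put_device() before timer_delete_sync() (Window A) and backlight cleanup before hid_hw_stop() (Window B) both let the inactivity timer run on a freed device, and why the reordered tear-down does not.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for backlight_device: a devm-style refcount and a
 * "freed" flag that models kfree() so a later access can be detected. */
struct backlight_dev {
    int  refcount;   /* one reference held by hid_appletb_bl, one by kbd */
    bool freed;
    int  brightness;
};

/* Constructed stand-in for the appletb-kbd driver state. */
struct kbd {
    struct backlight_dev *backlight_dev;
    bool timer_armed;  /* inactivity_timer pending in the timer softirq */
    bool hw_open;      /* cleared by hid_hw_stop(); no .event afterwards */
};

static int uaf_hits;   /* timer callbacks that touched a freed backlight_dev */

/* Drop one reference; the last one frees the device. */
static void put_device(struct backlight_dev *bl)
{
    if (--bl->refcount == 0)
        bl->freed = true;
}

/* What the softirq does when the inactivity timer fires: the real handler
 * calls backlight_device_set_brightness(), which locks through the device. */
static void appletb_inactivity_timer(struct kbd *kbd)
{
    kbd->timer_armed = false;
    if (kbd->backlight_dev->freed) {   /* KASAN would report here */
        uaf_hits++;
        return;
    }
    kbd->backlight_dev->brightness = 0;
}

static void run_timer_softirq(struct kbd *kbd)
{
    if (kbd->timer_armed)
        appletb_inactivity_timer(kbd);
}

static void timer_delete_sync(struct kbd *kbd) { kbd->timer_armed = false; }
static void mod_timer(struct kbd *kbd)         { kbd->timer_armed = true; }

/* HID core .event -> reset_inactivity_timer(): only while the hw is open. */
static void late_hid_event(struct kbd *kbd)
{
    if (kbd->hw_open)
        mod_timer(kbd);
}

static void hid_hw_stop(struct kbd *kbd) { kbd->hw_open = false; }

/* Fresh driver state: two holders of the backlight, timer armed, hw open. */
static void setup(struct kbd *kbd, struct backlight_dev *bl)
{
    bl->refcount = 2; bl->freed = false; bl->brightness = 1;
    kbd->backlight_dev = bl; kbd->timer_armed = true; kbd->hw_open = true;
    uaf_hits = 0;
}

/* Window A: put_device() runs before timer_delete_sync(). */
int remove_window_a(void)
{
    struct kbd kbd; struct backlight_dev bl;
    setup(&kbd, &bl);
    put_device(kbd.backlight_dev);   /* kbd drops its reference ...            */
    put_device(kbd.backlight_dev);   /* ... concurrent unbind drops the last one */
    run_timer_softirq(&kbd);         /* timer still armed: touches freed memory */
    timer_delete_sync(&kbd);         /* too late */
    hid_hw_stop(&kbd);
    return uaf_hits;
}

/* Window B: timer_delete_sync() before put_device(), but hid_hw_stop() last. */
int remove_window_b(void)
{
    struct kbd kbd; struct backlight_dev bl;
    setup(&kbd, &bl);
    timer_delete_sync(&kbd);         /* softirq drained ...                     */
    late_hid_event(&kbd);            /* ... hw still open: URB completion re-arms */
    put_device(kbd.backlight_dev);
    put_device(kbd.backlight_dev);   /* concurrent unbind frees the device */
    hid_hw_stop(&kbd);
    run_timer_softirq(&kbd);         /* re-armed timer fires on freed memory */
    return uaf_hits;
}

/* Fixed order: hid_hw_stop(), then timer_delete_sync(), then put_device(). */
int remove_fixed(void)
{
    struct kbd kbd; struct backlight_dev bl;
    setup(&kbd, &bl);
    hid_hw_stop(&kbd);               /* no further .event can arrive */
    late_hid_event(&kbd);            /* rejected: hw already closed */
    timer_delete_sync(&kbd);         /* drains whatever was armed */
    put_device(kbd.backlight_dev);
    put_device(kbd.backlight_dev);   /* unbind frees; nothing can reach it now */
    run_timer_softirq(&kbd);         /* nothing armed */
    return uaf_hits;
}

int main(void)
{
    printf("window A uaf=%d, window B uaf=%d, fixed uaf=%d\n",
           remove_window_a(), remove_window_b(), remove_fixed());
    return 0;
}
```

The model is deterministic: each function scripts the one interleaving the commit message describes, with the second put_device() standing in for the concurrent hid_appletb_bl unbind. The property the fix relies on is visible in remove_fixed(): once the hw is stopped, the only thing that can arm the timer is gone, so timer_delete_sync() leaves nothing behind that could run after the final reference drops.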

Impact