CVE-2025-38378
Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 25/07/2025
Last modified: 19/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

HID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe

In probe appletb_kbd_probe() a "struct appletb_kbd *kbd" is allocated
via devm_kzalloc() to store touch bar keyboard related data.
Later on if backlight_device_get_by_name() finds a backlight device
with name "appletb_backlight" a timer (kbd->inactivity_timer) is set up
with appletb_inactivity_timer() and the timer is armed to run after
appletb_tb_dim_timeout (60) seconds.

A use-after-free is triggered when failure occurs after the timer is
armed. This ultimately means probe failure occurs and as a result the
"struct appletb_kbd *kbd" which is device managed memory is freed.
After 60 seconds the timer will have expired and __run_timers will
attempt to access the timer (kbd->inactivity_timer) however the kbd
structure has been freed causing a use-after-free.

[ 71.636938] ==================================================================
[ 71.637915] BUG: KASAN: slab-use-after-free in __run_timers+0x7ad/0x890
[ 71.637915] Write of size 8 at addr ffff8881178c5958 by task swapper/1/0
[ 71.637915]
[ 71.637915] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.16.0-rc2-00318-g739a6c93cc75-dirty #12 PREEMPT(voluntary)
[ 71.637915] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 71.637915] Call Trace:
[ 71.637915]
[ 71.637915] dump_stack_lvl+0x53/0x70
[ 71.637915] print_report+0xce/0x670
[ 71.637915] ? __run_timers+0x7ad/0x890
[ 71.637915] kasan_report+0xce/0x100
[ 71.637915] ? __run_timers+0x7ad/0x890
[ 71.637915] __run_timers+0x7ad/0x890
[ 71.637915] ? __pfx___run_timers+0x10/0x10
[ 71.637915] ? update_process_times+0xfc/0x190
[ 71.637915] ? __pfx_update_process_times+0x10/0x10
[ 71.637915] ? _raw_spin_lock_irq+0x80/0xe0
[ 71.637915] ? _raw_spin_lock_irq+0x80/0xe0
[ 71.637915] ? __pfx__raw_spin_lock_irq+0x10/0x10
[ 71.637915] run_timer_softirq+0x141/0x240
[ 71.637915] ? __pfx_run_timer_softirq+0x10/0x10
[ 71.637915] ? __pfx___hrtimer_run_queues+0x10/0x10
[ 71.637915] ? kvm_clock_get_cycles+0x18/0x30
[ 71.637915] ? ktime_get+0x60/0x140
[ 71.637915] handle_softirqs+0x1b8/0x5c0
[ 71.637915] ? __pfx_handle_softirqs+0x10/0x10
[ 71.637915] irq_exit_rcu+0xaf/0xe0
[ 71.637915] sysvec_apic_timer_interrupt+0x6c/0x80
[ 71.637915]
[ 71.637915]
[ 71.637915] Allocated by task 39:
[ 71.637915] kasan_save_stack+0x33/0x60
[ 71.637915] kasan_save_track+0x14/0x30
[ 71.637915] __kasan_kmalloc+0x8f/0xa0
[ 71.637915] __kmalloc_node_track_caller_noprof+0x195/0x420
[ 71.637915] devm_kmalloc+0x74/0x1e0
[ 71.637915] appletb_kbd_probe+0x37/0x3c0
[ 71.637915] hid_device_probe+0x2d1/0x680
[ 71.637915] really_probe+0x1c3/0x690
[ 71.637915] __driver_probe_device+0x247/0x300
[ 71.637915] driver_probe_device+0x49/0x210
[...]
[ 71.637915]
[ 71.637915] Freed by task 39:
[ 71.637915] kasan_save_stack+0x33/0x60
[ 71.637915] kasan_save_track+0x14/0x30
[ 71.637915] kasan_save_free_info+0x3b/0x60
[ 71.637915] __kasan_slab_free+0x37/0x50
[ 71.637915] kfree+0xcf/0x360
[ 71.637915] devres_release_group+0x1f8/0x3c0
[ 71.637915] hid_device_probe+0x315/0x680
[ 71.637915] really_probe+0x1c3/0x690
[ 71.637915] __driver_probe_device+0x247/0x300
[ 71.637915] driver_probe_device+0x49/0x210
[...]

The root cause of the issue is that the timer is not disarmed
on failure paths, leading to it remaining active and accessing
freed memory. To fix this, call timer_delete_sync() to deactivate
the timer.

Another small issue is that timer_delete_sync is called
unconditionally in appletb_kbd_remove(); fix this by checking
for a valid kbd->backlight_dev before calling timer_delete_sync.
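The ordering the commit message describes, modelled in userspace as an added example (this is not the driver's code; timer_setup, mod_timer, timer_delete_sync, probe and driver_remove are stand-ins that mirror the kernel flow, and the one-slot "timer wheel" stands in for what __run_timers would later fire):

```c
/* Added userspace model of the probe-failure ordering described above; not
 * kernel code. timer_setup/mod_timer/timer_delete_sync, probe and remove are
 * stand-ins mirroring the driver's flow, with a one-slot "timer wheel". */
#include <stdbool.h>
#include <stdlib.h>

struct timer { bool armed; };
struct kbd { struct timer inactivity_timer; void *backlight_dev; };
static struct timer *pending_timer;  /* what __run_timers would later fire */
static void timer_setup(struct timer *t) { t->armed = false; }
static void mod_timer(struct timer *t) { t->armed = true; pending_timer = t; }
static void timer_delete_sync(struct timer *t)
{ t->armed = false; if (pending_timer == t) pending_timer = NULL; }
/* Probe: devm-allocate kbd, bind a backlight if found and arm the timer, then
 * hit an error. fixed=false returns with the timer still armed, as the
 * original driver did; fixed=true disarms it first. The devres release that
 * frees kbd when probe fails is modelled by free(). */
static int probe(bool fixed, bool backlight_found, bool fail, struct kbd **out)
{
    struct kbd *kbd = calloc(1, sizeof *kbd);      /* devm_kzalloc() */
    kbd->backlight_dev = backlight_found ? (void *)kbd : NULL;
    if (kbd->backlight_dev) {
        timer_setup(&kbd->inactivity_timer);
        mod_timer(&kbd->inactivity_timer);         /* 60 s in the driver */
    }
    if (fail) {
        if (fixed && kbd->backlight_dev)
            timer_delete_sync(&kbd->inactivity_timer);
        free(kbd);                                 /* devres_release_group() */
        *out = NULL;
        return -1;
    }
    *out = kbd;
    return 0;
}
/* Remove path with the second fix: only disarm when a backlight was bound. */
static void driver_remove(struct kbd *kbd)
{
    if (kbd->backlight_dev) timer_delete_sync(&kbd->inactivity_timer);
    free(kbd);
}
/* True when the timer wheel still points into kbd memory already freed. */
static bool dangling_timer_after_failed_probe(bool fixed)
{
    struct kbd *kbd;
    pending_timer = NULL;
    probe(fixed, true, true, &kbd);
    return pending_timer != NULL;
}
```

With fixed=false the model leaves a timer slot pointing at freed memory, which is the state KASAN reports above once the 60 second timer fires; with fixed=true the slot is cleared before the devres release runs.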
Impact
Base Score 3.x: 7.80
Severity 3.x: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.15 (including) | 6.15.6 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.16:rc4:*:*:*:*:*:* | | |