HID: appletb-kbd: run inactivity autodim from workqueues
Summary
| CVE | CVE-2026-46202 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-28 10:16:35 UTC |
| Updated | 2026-05-28 13:44:01 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: HID: appletb-kbd: run inactivity autodim from workqueues The autodim code in hid-appletb-kbd takes backlight_device->ops_lock via backlight_device_set_brightness() -> mutex_lock() from two different atomic contexts: * appletb_inactivity_timer() is a struct timer_list callback, so it runs in softirq context. Every expiry triggers BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591 Call Trace: <IRQ> __might_resched __mutex_lock backlight_device_set_brightness appletb_inactivity_timer call_timer_fn run_timer_softirq * reset_inactivity_timer() is called from appletb_kbd_hid_event() and appletb_kbd_inp_event(). On real USB hardware these run in softirq/IRQ context (URB completion and input-event dispatch). When the Touch Bar has already been dimmed or turned off, the reset path calls backlight_device_set_brightness() directly to restore brightness, producing the same warning. Both call sites hit the same mutex_lock()-from-atomic bug. Fix them together by moving the blocking work onto the system workqueue: * Convert the inactivity timer from struct timer_list to struct delayed_work; the callback (appletb_inactivity_work) now runs in process context where mutex_lock() is legal. * Add a dedicated struct work_struct restore_brightness_work and have reset_inactivity_timer() schedule it instead of calling backlight_device_set_brightness() directly. Cancel both works synchronously during driver tear-down alongside the existing backlight reference drop. The semantics are unchanged (same delays, same state transitions on dim, turn-off and user activity); only the execution context of the sleeping call changes. The timer field and callback are renamed to match their new type; reset_inactivity_timer() keeps its name because it is invoked from input event paths that read naturally as "reset the inactivity timer". |
Risk And Classification
EPSS: 0.000170000 probability, percentile 0.044590000 (date 2026-05-28)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 93a0fc48948107e0cc34e1de22c3cb363a8f2783 5c0830323689ef15224f0025276176988861b3b0 git | Not specified |
| CNA | Linux | Linux | affected 93a0fc48948107e0cc34e1de22c3cb363a8f2783 2473a334c292af257ef68e33bc7760f4a8251812 git | Not specified |
| CNA | Linux | Linux | affected 93a0fc48948107e0cc34e1de22c3cb363a8f2783 1654e53349d4e657b331de354313461f401f5063 git | Not specified |
| CNA | Linux | Linux | affected 6.15 | Not specified |
| CNA | Linux | Linux | unaffected 6.15 semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.32 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0.9 7.0.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.1-rc4 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/1654e53349d4e657b331de354313461f401f5063 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/2473a334c292af257ef68e33bc7760f4a8251812 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/5c0830323689ef15224f0025276176988861b3b0 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.