In the Linux kernel, the following vulnerability has been resolved: HID: appletb-kbd: run...

Description

In the Linux kernel, the following vulnerability has been resolved:

HID: appletb-kbd: run inactivity autodim from workqueues

The autodim code in hid-appletb-kbd takes backlight_device->ops_lock
via backlight_device_set_brightness() -> mutex_lock() from two
different atomic contexts:

  • appletb_inactivity_timer() is a struct timer_list callback, so it
    runs in softirq context. Every expiry triggers

    BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591
    Call Trace:
    <IRQ>
    __might_resched
    __mutex_lock
    backlight_device_set_brightness
    appletb_inactivity_timer
    call_timer_fn
    run_timer_softirq

  • reset_inactivity_timer() is called from appletb_kbd_hid_event() and
    appletb_kbd_inp_event(). On real USB hardware these run in
    softirq/IRQ context (URB completion and input-event dispatch).
    When the Touch Bar has already been dimmed or turned off, the
    reset path calls backlight_device_set_brightness() directly to
    restore brightness, producing the same warning.

Both call sites hit the same mutex_lock()-from-atomic bug. Fix them
together by moving the blocking work onto the system workqueue:

  • Convert the inactivity timer from struct timer_list to
    struct delayed_work; the callback (appletb_inactivity_work) now
    runs in process context where mutex_lock() is legal.
  • Add a dedicated struct work_struct restore_brightness_work and have
    reset_inactivity_timer() schedule it instead of calling
    backlight_device_set_brightness() directly.

Cancel both works synchronously during driver tear-down alongside the
existing backlight reference drop.

The semantics are unchanged (same delays, same state transitions on
dim, turn-off and user activity); only the execution context of the
sleeping call changes. The timer field and callback are renamed to
match their new type; reset_inactivity_timer() keeps its name because
it is invoked from input event paths that read naturally as "reset
the inactivity timer".

Basic information

Type
unreviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Source code
Not specified
Published (advisory)
2026-05-28 12:30:33 UTC
Updated
2026-06-10 18:32:45 UTC
NVD published
2026-05-28

EPSS Score

Score Percentile
0.01% 2.30%

CVSS Scores

Base score Version Severity Vector
5.5 3.1
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Click to expand
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.

Identifiers

References

cvelogic Threat Intelligence