GHSA-W4G4-GF2V-88RM
Vulnerability from github – Published: 2026-05-28 12:30 – Updated: 2026-05-28 12:30
In the Linux kernel, the following vulnerability has been resolved:
HID: appletb-kbd: run inactivity autodim from workqueues
The autodim code in hid-appletb-kbd takes backlight_device->ops_lock via backlight_device_set_brightness() -> mutex_lock() from two different atomic contexts:
- appletb_inactivity_timer() is a struct timer_list callback, so it runs in softirq context. Every expiry triggers
      BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591
      Call Trace:
       <IRQ>
       __might_resched
       __mutex_lock
       backlight_device_set_brightness
       appletb_inactivity_timer
       call_timer_fn
       run_timer_softirq
- reset_inactivity_timer() is called from appletb_kbd_hid_event() and appletb_kbd_inp_event(). On real USB hardware these run in softirq/IRQ context (URB completion and input-event dispatch). When the Touch Bar has already been dimmed or turned off, the reset path calls backlight_device_set_brightness() directly to restore brightness, producing the same warning.
Both call sites hit the same mutex_lock()-from-atomic bug. Fix them together by moving the blocking work onto the system workqueue:
- Convert the inactivity timer from struct timer_list to struct delayed_work; the callback (appletb_inactivity_work) now runs in process context where mutex_lock() is legal.
- Add a dedicated struct work_struct restore_brightness_work and have reset_inactivity_timer() schedule it instead of calling backlight_device_set_brightness() directly.
Cancel both works synchronously during driver tear-down alongside the existing backlight reference drop.
The semantics are unchanged (same delays, same state transitions on dim, turn-off and user activity); only the execution context of the sleeping call changes. The timer field and callback are renamed to match their new type; reset_inactivity_timer() keeps its name because it is invoked from input event paths that read naturally as "reset the inactivity timer".
{
"affected": [],
"aliases": [
"CVE-2026-46202"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-28T10:16:35Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: appletb-kbd: run inactivity autodim from workqueues\n\nThe autodim code in hid-appletb-kbd takes backlight_device-\u003eops_lock\nvia backlight_device_set_brightness() -\u003e mutex_lock() from two\ndifferent atomic contexts:\n\n * appletb_inactivity_timer() is a struct timer_list callback, so it\n runs in softirq context. Every expiry triggers\n\n BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591\n Call Trace:\n \u003cIRQ\u003e\n __might_resched\n __mutex_lock\n backlight_device_set_brightness\n appletb_inactivity_timer\n call_timer_fn\n run_timer_softirq\n\n * reset_inactivity_timer() is called from appletb_kbd_hid_event() and\n appletb_kbd_inp_event(). On real USB hardware these run in\n softirq/IRQ context (URB completion and input-event dispatch).\n When the Touch Bar has already been dimmed or turned off, the\n reset path calls backlight_device_set_brightness() directly to\n restore brightness, producing the same warning.\n\nBoth call sites hit the same mutex_lock()-from-atomic bug. Fix them\ntogether by moving the blocking work onto the system workqueue:\n\n * Convert the inactivity timer from struct timer_list to\n struct delayed_work; the callback (appletb_inactivity_work) now\n runs in process context where mutex_lock() is legal.\n * Add a dedicated struct work_struct restore_brightness_work and have\n reset_inactivity_timer() schedule it instead of calling\n backlight_device_set_brightness() directly.\n\nCancel both works synchronously during driver tear-down alongside the\nexisting backlight reference drop.\n\nThe semantics are unchanged (same delays, same state transitions on\ndim, turn-off and user activity); only the execution context of the\nsleeping call changes. The timer field and callback are renamed to\nmatch their new type; reset_inactivity_timer() keeps its name because\nit is invoked from input event paths that read naturally as \"reset\nthe inactivity timer\".",
"id": "GHSA-w4g4-gf2v-88rm",
"modified": "2026-05-28T12:30:33Z",
"published": "2026-05-28T12:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46202"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1654e53349d4e657b331de354313461f401f5063"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2473a334c292af257ef68e33bc7760f4a8251812"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5c0830323689ef15224f0025276176988861b3b0"
}
],
"schema_version": "1.4.0",
"severity": []
}