Linux EUVD-2026-32829

In the Linux kernel, the following vulnerability has been resolved:

HID: appletb-kbd: run inactivity autodim from workqueues

The autodim code in hid-appletb-kbd takes backlight_device->ops_lock via backlight_device_set_brightness() -> mutex_lock() from two different atomic contexts:

• appletb_inactivity_timer() is a struct timer_list callback, so it

runs in softirq context. Every expiry triggers

BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591 Call Trace: <IRQ> __might_resched __mutex_lock backlight_device_set_brightness appletb_inactivity_timer call_timer_fn run_timer_softirq

• reset_inactivity_timer() is called from appletb_kbd_hid_event() and

appletb_kbd_inp_event(). On real USB hardware these run in softirq/IRQ context (URB completion and input-event dispatch). When the Touch Bar has already been dimmed or turned off, the reset path calls backlight_device_set_brightness() directly to restore brightness, producing the same warning.

Both call sites hit the same mutex_lock()-from-atomic bug. Fix them together by moving the blocking work onto the system workqueue:

• Convert the inactivity timer from struct timer_list to

struct delayed_work; the callback (appletb_inactivity_work) now runs in process context where mutex_lock() is legal.

• Add a dedicated struct work_struct restore_brightness_work and have

reset_inactivity_timer() schedule it instead of calling backlight_device_set_brightness() directly.

Cancel both works synchronously during driver tear-down alongside the existing backlight reference drop.

The semantics are unchanged (same delays, same state transitions on dim, turn-off and user activity); only the execution context of the sleeping call changes. The timer field and callback are renamed to match their new type; reset_inactivity_timer() keeps its name because it is invoked from input event paths that read naturally as "reset the inactivity timer".