CVE-2025-71073

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Input: lkkbd - disable pending work before freeing device<br /> <br /> lkkbd_interrupt() schedules lk-&gt;tq via schedule_work(), and the work<br /> handler lkkbd_reinit() dereferences the lkkbd structure and its<br /> serio/input_dev fields.<br /> <br /> lkkbd_disconnect() and error paths in lkkbd_connect() free the lkkbd<br /> structure without preventing the reinit work from being queued again<br /> until serio_close() returns. This can allow the work handler to run<br /> after the structure has been freed, leading to a potential use-after-free.<br /> <br /> Use disable_work_sync() instead of cancel_work_sync() to ensure the<br /> reinit work cannot be re-queued, and call it both in lkkbd_disconnect()<br /> and in lkkbd_connect() error paths after serio_open().