The function sunkbd_reinit having been scheduled by sunkbd_interrupt before sunkbd being freed.
Though the dangling pointer is set to NULL in sunkbd_disconnect, there is still a alias in sunkbd_reinit so that causing Use After Free.
At this time, Red Hat (And Fedora) do not ship with this kernel build option enabled at this time.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
Upstream patch https://github.com/torvalds/linux/commit/77e70d351db7de07a46ac49b87a6c3c7a60fca7e