In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: gadget: Fix NULL pointer dereference in dwc3gadgetsuspend
In current scenario if Plug-out and Plug-In performed continuously there could be a chance while checking for dwc->gadgetdriver in dwc3gadget_suspend, a NULL pointer dereference may occur.
Call Stack:
CPU1: CPU2:
gadget_unbind_driver dwc3_suspend_common
dwc3_gadget_stop dwc3_gadget_suspend
dwc3_disconnect_gadget
CPU1 basically clears the variable and CPU2 checks the variable. Consider CPU1 is running and right before gadgetdriver is cleared and in parallel CPU2 executes dwc3gadgetsuspend where it finds dwc->gadgetdriver which is not NULL and resumes execution and then CPU1 completes execution. CPU2 executes dwc3disconnectgadget where it checks dwc->gadget_driver is already NULL because of which the NULL pointer deference occur.