In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: core: flush gadget workqueue after device removal
devicedel() can lead to new work being scheduled in gadget->work workqueue. This is observed, for example, with the dwc3 driver with the following call stack: devicedel() gadgetunbinddriver() usbgadgetdisconnectlocked() dwc3gadgetpullup() dwc3gadgetsoftdisconnect() usbgadgetsetstate() schedulework(&gadget->work)
Move flushwork() after devicedel() to ensure the workqueue is cleaned up.