uinput_request_submit() uinput_ioctl_handler()
--- ---
wait_for_completion_timeout() case UI_END_FF_ERASE:
req = uinput_request_find()
uinput_request_release_slot()
req->retval = ff_erase.retval;
complete(&req->done);
Given the race between request submit and ioctl handler, memory corruption
could happen after releasing request slot.