Input: uinput - race after request submit tiemout

[Hillf Danton]

	uinput_request_submit()		uinput_ioctl_handler()
	---				---
	wait_for_completion_timeout()	case UI_END_FF_ERASE:
					req = uinput_request_find()
	uinput_request_release_slot()
					req->retval = ff_erase.retval;
					complete(&req->done);

Given the race between request submit and ioctl handler, memory corruption
could happen after releasing request slot.