uinput_request_submit()              uinput_ioctl_handler()
---                                  ---
wait_for_completion_timeout()
                                     case UI_END_FF_ERASE:
                                       req = uinput_request_find()
uinput_request_release_slot()
                                       req->retval = ff_erase.retval;
                                       complete(&req->done);

Given the race between request submit and ioctl handler, memory corruption could happen after releasing request slot.
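
The interleaving above, replayed deterministically in a user-space C model (an added example, not code from the kernel or from the original message). The `live` flag, the `stale_writes` counter and the serialized variant are assumptions made for illustration; the page does not say how the race was closed.

```c
#include <stdio.h>

/* Constructed user-space model: names mirror the trace, bodies are simplified. */
#define NSLOTS 4
struct request { int id, retval, done, live; };

static struct request *slots[NSLOTS];  /* models the request slot table */
static int stale_writes;               /* writes that hit a released request */

static struct request *request_find(int id) {
    return (id >= 0 && id < NSLOTS) ? slots[id] : NULL;
}

/* Submitter, after wait_for_completion_timeout() gives up. */
static void request_release_slot(struct request *req) {
    slots[req->id] = NULL;
    req->live = 0;   /* model assumption: submitter no longer owns this memory */
}

/* Handler tail: req->retval = ...; complete(&req->done); */
static void handler_finish(struct request *req, int retval) {
    if (!req) return;                /* slot already empty: nothing to complete */
    if (!req->live) stale_writes++;  /* in the kernel: the corrupting write */
    req->retval = retval;
    req->done = 1;
}

/* Ordering from the trace: lookup, then release, then write. */
int racy_interleaving(void) {
    struct request r = { .id = 1, .live = 1 };
    slots[r.id] = &r;
    stale_writes = 0;
    struct request *req = request_find(r.id);  /* handler: lookup */
    request_release_slot(&r);                  /* submitter: timeout path */
    handler_finish(req, -5);                   /* handler: stale pointer */
    return stale_writes;
}

/* Assumed mitigation (not from the page): lookup and completion form one
 * critical section, so release runs entirely before or entirely after it. */
int serialized_interleaving(int release_first) {
    struct request r = { .id = 1, .live = 1 };
    slots[r.id] = &r;
    stale_writes = 0;
    if (release_first) request_release_slot(&r);
    handler_finish(request_find(r.id), -5);
    if (!release_first) request_release_slot(&r);
    return stale_writes;
}
int main(void) { printf("racy=%d\n", racy_interleaving()); return 0; }
```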