Linux kernel versions 2.6.28 and above suffer from an issue where locked fasync file descriptors can be referenced after free.
You can download this advisory from the following link: https://packetstormsecurity.com/files/download/85123/fasync-ref.txt
Source: https://packetstormsecurity.com/files/85123/Linux-2.6.28-fasync-File-Descriptor-Issue.html