An integer overflow in fhold(), in addition to a missed fdrop() call in fpathcount(), allows code execution in kernel space.
vulners.com/securityvulns/securityvulns:doc:3942
vulners.com/securityvulns/securityvulns:doc:3944