No bounds checking on signal arguments processing in device driver allows to overwrite any kernel memory area.
vulners.com/securityvulns/securityvulns:doc:8727