User-provided data are not checked in every part of the kernel
For now, many functions of the kernel may manipulate user-provided data pointers when called inside a syscall. This is a major flaw in several respects (security, kernel stability, etc.), because none of these data are really checked before they are accessed.
A process must only be able to provide data inside its own address space, and every access should be done carefully (specifically for zero-terminated strings and other variable-length data types). Any MMU exception caused by an access to user data should kill the process (or send it a SIGSEGV), and not cause a kernel oops.
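A sketch of the two checks described above, added here as an illustration and not taken from this kernel's code: an overflow-safe range test and a bounded copy of a zero-terminated user string. The names user_base, user_end, set_user_range, user_range_ok and copy_user_string are hypothetical, and the "user memory" is a constructed array so the code runs in user space.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical: bounds [user_base, user_end) of the calling process's address space. */
static uintptr_t user_base, user_end;

static void set_user_range(const void *base, size_t size)
{
    user_base = (uintptr_t)base;
    user_end = user_base + size;
}

/* Returns 1 if [ptr, ptr+len) lies entirely inside the process's range, else 0. */
static int user_range_ok(const void *ptr, size_t len)
{
    uintptr_t start = (uintptr_t)ptr;
    if (start < user_base || start > user_end)
        return 0;
    /* Compare len with the room left: computing start + len could wrap around. */
    return len <= user_end - start;
}

/* Copy a zero-terminated user string into dst (dstsize bytes). Returns its length,
 * -EFAULT if it runs out of the user range, -ENAMETOOLONG if it does not fit in dst. */
static long copy_user_string(char *dst, const char *usrc, size_t dstsize)
{
    size_t room, max, i;
    if (!user_range_ok(usrc, 1))
        return -EFAULT;
    room = user_end - (uintptr_t)usrc;   /* bytes that may legally be read */
    max = room < dstsize ? room : dstsize;
    for (i = 0; i < max; i++) {
        dst[i] = usrc[i];   /* one fetch per byte; a real kernel also needs MMU fault fixup here */
        if (dst[i] == '\0')
            return (long)i;
    }
    return room < dstsize ? -EFAULT : -ENAMETOOLONG;
}

int main(void)
{
    char arena[8] = { 'a', 'b', 'c', 0, 'x', 'y', 'z', 'w' };  /* constructed "user memory" */
    char kbuf[8];
    set_user_range(arena, sizeof arena);
    printf("%ld %ld\n", copy_user_string(kbuf, arena, 8), copy_user_string(kbuf, arena + 4, 8));
    return 0;
}
```

The range test only rejects pointers outside the process's address space; pages inside the range can still be unmapped, which is why the faulting access itself must end in a SIGSEGV for the process rather than an oops.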