So it turns out that once in a long while, slashdot does serve up genuinely interesting news. If you need a temporary band-aid over this linux kernel security bug until you can boot a patched kernel, consider the following systemtap script. While it runs, it neuters every sys_vmsplice call by overwriting one of the incoming parameters: it sets nr_segs to 0 at function entry, so the kernel processes no iovec segments and simply returns 0 to the caller. Writing to a kernel variable like this requires guru mode, hence the -g flag. Be aware that any legitimate vmsplice user on the box gets the same treatment for as long as the script is running.

# stap -g -e 'probe syscall.vmsplice {
   # log every call: the tapset-supplied argstr plus who made it
   printf("blocking vmsplice (%s) uid %d pid %d exec %s\n", argstr, uid(), pid(), execname())
   # guru mode (-g) allows writing the kernel target variable;
   # zero segments makes sys_vmsplice return 0 without touching the iovecs
   $nr_segs = 0
}'
blocking vmsplice (4, 0x00007fff25697ac0, 1, 0x0) uid 500 pid 32475 exec a.out
blocking vmsplice (4, 0x00007fff8c1da600, 1, 0x0) uid 500 pid 32476 exec a.out
blocking vmsplice (4, 0x00007fff71aaeed0, 1, 0x0) uid 500 pid 32477 exec a.out
blocking vmsplice (4, 0x00007fff215efa10, 1, 0x0) uid 500 pid 32478 exec a.out
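To check from userspace that the band-aid is actually in effect, here is a small C program (an added example, not part of the original post) that splices a constructed nine-byte buffer into a pipe through the raw vmsplice system call and reports what the kernel returned: the segment length when vmsplice works normally, or 0 when the script has zeroed nr_segs. The function names probe_vmsplice and bandaid_active are my own; the raw syscall() is used so the program does not depend on glibc's vmsplice wrapper.

```c
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>   /* SYS_vmsplice */
#include <sys/uio.h>       /* struct iovec */
#include <unistd.h>        /* syscall(), pipe(), read(), close() */

/* Constructed sample data: one small user buffer to splice into a pipe. */
static char sample[] = "vmsplice?";
#define SAMPLE_LEN (sizeof(sample) - 1)

/*
 * Call vmsplice once with a single iovec and return what the kernel reports.
 * Without the systemtap band-aid this is SAMPLE_LEN (the bytes moved into the
 * pipe, which we read back to confirm). With the script running, sys_vmsplice
 * sees nr_segs == 0 and reports 0.
 * Returns -1 on a setup or syscall error, -2 if the kernel claimed to move
 * bytes that cannot be read back from the pipe.
 */
long probe_vmsplice(void)
{
    int pfd[2];
    char back[SAMPLE_LEN];
    struct iovec iov = { .iov_base = sample, .iov_len = SAMPLE_LEN };
    long result;

    if (pipe(pfd) == -1)
        return -1;

    /* Raw syscall: fd, iov, nr_segs, flags (same argument order as sys_vmsplice). */
    result = syscall(SYS_vmsplice, pfd[1], &iov, (size_t)1, 0u);
    if (result > 0) {
        /* Verify the spliced bytes actually landed in the pipe. */
        ssize_t got = read(pfd[0], back, sizeof back);
        if (got != result || memcmp(back, sample, (size_t)got) != 0)
            result = -2;
    }
    close(pfd[0]);
    close(pfd[1]);
    return result;
}

/* 1 if the band-aid is in effect (kernel moved nothing), 0 if vmsplice works
 * normally, -1 if the probe result is inconclusive. */
int bandaid_active(long probed)
{
    if (probed == 0)
        return 1;
    if (probed == (long)SAMPLE_LEN)
        return 0;
    return -1;
}

int main(void)
{
    long n = probe_vmsplice();
    switch (bandaid_active(n)) {
    case 1:  puts("vmsplice returned 0: blocking script is active"); return 0;
    case 0:  printf("vmsplice moved %ld bytes: NOT blocked\n", n); return 1;
    default: printf("inconclusive (vmsplice returned %ld)\n", n); return 2;
    }
}
```

Compile with gcc and run it as an ordinary user while the stap script is up; the stap console should log a "blocking vmsplice" line naming this program at the same moment the program reports that the call returned 0. Run it again after booting the patched kernel without the script and it should report the full nine bytes moved.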

UPDATE: If your systemtap doesn't understand "syscall.vmsplice" (older tapsets lack the alias), add this definition to the script and try again:

probe syscall.vmsplice = kernel.function("sys_vmsplice") ? {
        # the trailing ? marks the probe point optional, so stap does not
        # abort on a kernel where sys_vmsplice cannot be resolved
        name = "vmsplice"
        argstr = sprintf("%d, %p, %d, 0x%x", $fd, $iov, $nr_segs, $flags)
}

Hey, why not keep it running until you have installed a patched kernel and are ready to boot into it? Remember that the script only protects the currently running kernel and does not survive a reboot or a stap restart on its own.