The rest of the vmsplice() exploit story
Posted Mar 5, 2008 2:02 UTC (Wed) by iabervon (subscriber, #722)
Parent article: The rest of the vmsplice() exploit story
I wouldn't be surprised if this was the result of some tool that assembles exploits out of constraint violations. It wouldn't be hard to have a program that lists exploits for cases where the kernel thinks that some particular data structure is in memory that's either provided by the userspace or in user address space, which could pick up on what line of what function gets an oops in the zero page. If somebody's got such a program, it would just be a matter of noticing that a bad value causes an oops, and running the exploit generator. Someone not a script kiddie clearly wrote the tricky part of this exploit, but may have written it to exploit an entirely different bug, and left it somewhere that someone entirely different could find it to generate a quick proof that the oops that came up with a simple invalid input was actually exploitable.
