The title says it all. Here is a backport of commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 that patches CVE-2016-5195.
This is a serious privilege escalation bug, although it does require local access in order to exploit.
Still cannot submit any tickets to trac, so posting here for those who are running CC and feel an urgent need to patch this bug
git apply <patch-name>
diff --git a/target/linux/generic/patches-3.18/099-CVE-2016-5195.patch b/target/linux/generic/patches-3.18/099-CVE-2016-5195.patch
new file mode 100644
index 0000000..2febc79
--- /dev/null
+++ b/target/linux/generic/patches-3.18/099-CVE-2016-5195.patch
@@ -0,0 +1,47 @@
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -2029,6 +2029,7 @@ static inline struct page *follow_page(s
+ #define FOLL_NUMA 0x200 /* force NUMA hinting page fault */
+ #define FOLL_MIGRATION 0x400 /* wait for page to replace migration entry */
+ #define FOLL_TRIED 0x800 /* a retry, previous pass started an IO */
++#define FOLL_COW 0x4000 /* internal GUP flag */
+
+ typedef int (*pte_fn_t)(pte_t *pte, pgtable_t token, unsigned long addr,
+ void *data);
+--- a/mm/gup.c
++++ b/mm/gup.c
+@@ -32,6 +32,16 @@ static struct page *no_page_table(struct
+ return NULL;
+ }
+
++/*
++ * FOLL_FORCE can write to even unwritable pte's, but only
++ * after we've gone through a COW cycle and they are dirty.
++ */
++static inline bool can_follow_write_pte(pte_t pte, unsigned int flags)
++{
++ return pte_write(pte) ||
++ ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_dirty(pte));
++}
++
+ static struct page *follow_page_pte(struct vm_area_struct *vma,
+ unsigned long address, pmd_t *pmd, unsigned int flags)
+ {
+@@ -66,7 +76,7 @@ retry:
+ }
+ if ((flags & FOLL_NUMA) && pte_numa(pte))
+ goto no_page;
+- if ((flags & FOLL_WRITE) && !pte_write(pte)) {
++ if ((flags & FOLL_WRITE) && !can_follow_write_pte(pte, flags)) {
+ pte_unmap_unlock(ptep, ptl);
+ return NULL;
+ }
+@@ -315,7 +325,7 @@ static int faultin_page(struct task_stru
+ * reCOWed by userspace write).
+ */
+ if ((ret & VM_FAULT_WRITE) && !(vma->vm_flags & VM_WRITE))
+- *flags &= ~FOLL_WRITE;
++ *flags |= FOLL_COW;
+ return 0;
+ }
+
--
1.8.3.1