Reuse ptrace PoC for CVE-2014-4699 to trigger sysret bug. Use prefetch attack to leak kernel base and gsbase. Write a standard privilege escalation ROP chain into unused region near gsbase with first iteration of sysret bug. In second iteration, target tcp_prot and overwrite a function pointer to help you stack pivot into the previously written ROP chain to become root.