ASA-2020-00051 – Linux kernel: vsyscall page refcounting error

Allele Security Alert



ASA-2020-00051, CVE-2020-25221, CID-9fa2dd946743


vsyscall page refcounting error


Linux foundation


Linux kernel

Affected version(s)

Linux kernel version 5.7
Linux kernel versions 5.8.x before 5.8.7

Linux kernel versions since the following commit:

mm/gup: track FOLL_PIN pages

Fixed version(s)

Linux kernel version 5.8.7

Linux kernel versions with the following commit applied:

mm: fix pin vs. gup mismatch with gate pages

Proof of concept



Linux 5.7 and 5.8 have a bug in the reference counting of the struct page that backs the vsyscall page. The result is a refcount underflow. This can be triggered by any 64-bit process that is permitted to use ptrace() or process_vm_readv().

Technical details

Gate pages were missed when converting from get to pin_user_pages(). This can lead to refcount imbalances. This is reliably and quickly reproducible running the x86 selftests when vsyscall=emulate is enabled (the default). The fix is done by using try_grab_page() with appropriate flags passed.

Today, pin_user_pages() and get_user_pages() are similar interfaces for manipulating page reference counts. However, “pins” use a “bias” value and manipulate the actual reference count by 1024 instead of 1 used by plain “gets”.

That means that pin_user_pages() must be matched with unpin_user_pages() and can’t be mixed with a plain put_user_pages() or put_page().

Enter gate pages, like the vsyscall page. They are pages usually in the kernel image, but which are mapped to userspace. Userspace is allowed access to them, including interfaces using get/pin_user_pages(). The refcount of these kernel pages is manipulated just like a normal user
page on the get/pin side so that the put/unpin side can work the same for normal user pages or gate pages.

get_gate_page() uses try_get_page() which only bumps the refcount by 1, not 1024, even if called in the pin_user_pages() path. If someone pins a gate page, this happens:

try_get_page() // bump refcount +1
... some time later
page_ref_sub_and_test(page, 1024))

this results in a refcount off by 1023. This is reliably and quickly reproducible running the x86 selftests when booted with vsyscall=emulate (the default).

To fix it, simply use try_grab_page() instead of try_get_page(), and pass ‘gup_flags’ in so that FOLL_PIN can be respected.


Peter Zijlstra


oss-security – CVE Request: Linux kernel vsyscall page refcounting error


mm: fix pin vs. gup mismatch with gate pages

mm: fix pin vs. gup mismatch with gate pages

mm/gup: track FOLL_PIN pages

mm/gup: track FOLL_PIN pages

Linux 5.8.7

CVE-2020-25221 - Red Hat Customer Portal

CVE-2020-25221 in Ubuntu

CVE-2020-25221 | SUSE




If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: September 16, 2020

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.