KVM: MMU: Fix incorrect direct gfn for unpaged mode shadow

commit c093b8b46c5f0dd12d799f0d6a3b579863df72f6 upstream.

We use the physical address instead of the base gfn for the four
PAE page directories we use in unpaged mode.  When the guest accesses
an address above 1GB that is backed by a large host page, a BUG_ON()
in kvm_mmu_set_gfn() triggers.

Resolves: https://bugzilla.kernel.org/show_bug.cgi?id=21962
Reported-and-tested-by: Nicolas Prochazka <prochazka.nicolas@gmail.com>
Signed-off-by: Avi Kivity <avi@redhat.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
index 311f6dad89513385a8f9de804baa651a02b84e39..d856829134c4aa5e419d0fd56e6e3a1c937fe40b 100644 (file)
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -2271,7 +2271,7 @@ static int mmu_alloc_roots(struct kvm_vcpu *vcpu)
                        return 1;
                if (tdp_enabled) {
                        direct = 1;
-                       root_gfn = i << 30;
+                       root_gfn = i << (30 - PAGE_SHIFT);
                }
                spin_lock(&vcpu->kvm->mmu_lock);
                kvm_mmu_free_some_pages(vcpu);