KVM: SVM: Fix nested msr intercept handling

The nested_svm_exit_handled_msr() function maps only one
page of the guests msr permission bitmap. This patch changes
the code to use kvm_read_guest to fix the bug.

Cc: stable@kernel.org
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Avi Kivity <avi@redhat.com>

1 files changed, 3 insertions, 10 deletions

diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
index 4bc018333d76..4459c477af9f 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -1461,19 +1461,13 @@ static bool nested_svm_exit_handled_msr(struct vcpu_svm *svm)
 {
         u32 param = svm->vmcb->control.exit_info_1 & 1;
         u32 msr = svm->vcpu.arch.regs[VCPU_REGS_RCX];
-        struct page *page;
         bool ret = false;
         u32 t0, t1;
-        u8 *msrpm;
+        u8 val;
 
         if (!(svm->nested.intercept & (1ULL << INTERCEPT_MSR_PROT)))
                 return false;
 
-        msrpm = nested_svm_map(svm, svm->nested.vmcb_msrpm, &page);
-
-        if (!msrpm)
-                goto out;
-
         switch (msr) {
         case 0 ... 0x1fff:
                 t0 = (msr * 2) % 8;
@@ -1494,11 +1488,10 @@ static bool nested_svm_exit_handled_msr(struct vcpu_svm *svm)
                 goto out;
         }
 
-        ret = msrpm[t1] & ((1 << param) << t0);
+        if (!kvm_read_guest(svm->vcpu.kvm, svm->nested.vmcb_msrpm + t1, &val, 1))
+                ret = val & ((1 << param) << t0);
 
 out:
-        nested_svm_unmap(page);
-
         return ret;
 }