diff --git a/drivers/kvm/mmu.c b/drivers/kvm/mmu.c
index 346aa65a08d54dd3c92fe78a674fd66fd6db7fb1..a9fed594ac580e319c40da8fd9457b898b5b5e0e 100644
--- a/drivers/kvm/mmu.c
+++ b/drivers/kvm/mmu.c
@@ -218,6 +218,13 @@ static int is_rmap_pte(u64 pte)
 		&& pte != shadow_notrap_nonpresent_pte;
 }
 
+static gfn_t pse36_gfn_delta(u32 gpte)
+{
+	int shift = 32 - PT32_DIR_PSE36_SHIFT - PAGE_SHIFT;
+
+	return (gpte & PT32_DIR_PSE36_MASK) << shift;
+}
+
 static void set_shadow_pte(u64 *sptep, u64 spte)
 {
 #ifdef CONFIG_X86_64
diff --git a/drivers/kvm/paging_tmpl.h b/drivers/kvm/paging_tmpl.h
index 6f79ae87d0cfed9f26160a25478249bf4202b083..dceb4b9137a4e604741e1585f98c0c36dcdba7d4 100644
--- a/drivers/kvm/paging_tmpl.h
+++ b/drivers/kvm/paging_tmpl.h
@@ -149,6 +149,8 @@ static int FNAME(walk_addr)(struct guest_walker *walker,
 		    && (PTTYPE == 64 || is_pse(vcpu))) {
 			walker->gfn = gpte_to_gfn_pde(pte);
 			walker->gfn += PT_INDEX(addr, PT_PAGE_TABLE_LEVEL);
+			if (PTTYPE == 32 && is_cpuid_PSE36())
+				walker->gfn += pse36_gfn_delta(pte);
 			break;
 		}
 
@@ -320,9 +322,6 @@ static void FNAME(set_pde)(struct kvm_vcpu *vcpu, pt_element_t gpde,
 
 	access_bits &= gpde;
 	gaddr = (gpa_t)gfn << PAGE_SHIFT;
-	if (PTTYPE == 32 && is_cpuid_PSE36())
-		gaddr |= (gpde & PT32_DIR_PSE36_MASK) <<
-			(32 - PT32_DIR_PSE36_SHIFT);
 	FNAME(set_pte_common)(vcpu, shadow_pte, gaddr,
 			      gpde, access_bits, user_fault, write_fault,
 			      ptwrite, walker, gfn);