As the logic will become more complicated with the introduction
of MBEC, at least write it only once.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 arch/x86/kvm/mmu/spte.c | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/arch/x86/kvm/mmu/spte.c b/arch/x86/kvm/mmu/spte.c
index df31039b5d63..e2acd9ed9dba 100644
--- a/arch/x86/kvm/mmu/spte.c
+++ b/arch/x86/kvm/mmu/spte.c
@@ -317,14 +317,15 @@ static u64 modify_spte_protections(u64 spte, u64 set, u64 clear)
 	return spte;
 }
 
-static u64 make_spte_executable(u64 spte)
+static u64 make_spte_executable(u64 spte, u8 access)
 {
-	return modify_spte_protections(spte, shadow_x_mask, shadow_nx_mask);
-}
-
-static u64 make_spte_nonexecutable(u64 spte)
-{
-	return modify_spte_protections(spte, shadow_nx_mask, shadow_x_mask);
+	u64 set, clear;
+	if (access & ACC_EXEC_MASK)
+		set = shadow_x_mask;
+	else
+		set = shadow_nx_mask;
+	clear = set ^ (shadow_nx_mask | shadow_x_mask);
+	return modify_spte_protections(spte, set, clear);
 }
 
 /*
@@ -356,8 +357,8 @@ u64 make_small_spte(struct kvm *kvm, u64 huge_spte,
 		 * the page executable as the NX hugepage mitigation no longer
 		 * applies.
 		 */
-		if ((role.access & ACC_EXEC_MASK) && is_nx_huge_page_enabled(kvm))
-			child_spte = make_spte_executable(child_spte);
+		if (is_nx_huge_page_enabled(kvm))
+			child_spte = make_spte_executable(child_spte, role.access);
 	}
 
 	return child_spte;
@@ -379,7 +380,7 @@ u64 make_huge_spte(struct kvm *kvm, u64 small_spte, int level)
 	huge_spte &= KVM_HPAGE_MASK(level) | ~PAGE_MASK;
 
 	if (is_nx_huge_page_enabled(kvm))
-		huge_spte = make_spte_nonexecutable(huge_spte);
+		huge_spte = make_spte_executable(huge_spte, 0);
 
 	return huge_spte;
 }
-- 
2.52.0

> On Mar 20, 2026, at 8:09 PM, Paolo Bonzini <pbonzini@redhat.com> wrote:
> 
> As the logic will become more complicated with the introduction
> of MBEC, at least write it only once.
> 
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> ---
> arch/x86/kvm/mmu/spte.c | 21 +++++++++++----------
> 1 file changed, 11 insertions(+), 10 deletions(-)
> 
> diff --git a/arch/x86/kvm/mmu/spte.c b/arch/x86/kvm/mmu/spte.c
> index df31039b5d63..e2acd9ed9dba 100644
> --- a/arch/x86/kvm/mmu/spte.c
> +++ b/arch/x86/kvm/mmu/spte.c
> @@ -317,14 +317,15 @@ static u64 modify_spte_protections(u64 spte, u64 set, u64 clear)
> return spte;
> }
> 
> -static u64 make_spte_executable(u64 spte)
> +static u64 make_spte_executable(u64 spte, u8 access)
> {
> - return modify_spte_protections(spte, shadow_x_mask, shadow_nx_mask);
> -}
> -
> -static u64 make_spte_nonexecutable(u64 spte)
> -{
> - return modify_spte_protections(spte, shadow_nx_mask, shadow_x_mask);
> + u64 set, clear;
> + if (access & ACC_EXEC_MASK)

checkpatch.pl complaint:
WARNING: Missing a blank line after declarations
#33: FILE: arch/x86/kvm/mmu/spte.c:323:
+       u64 set, clear;
+       if (access & ACC_EXEC_MASK)

> + set = shadow_x_mask;
> + else
> + set = shadow_nx_mask;
> + clear = set ^ (shadow_nx_mask | shadow_x_mask);
> + return modify_spte_protections(spte, set, clear);
> }
> 
> /*
> @@ -356,8 +357,8 @@ u64 make_small_spte(struct kvm *kvm, u64 huge_spte,
> * the page executable as the NX hugepage mitigation no longer
> * applies.
> */
> - if ((role.access & ACC_EXEC_MASK) && is_nx_huge_page_enabled(kvm))
> - child_spte = make_spte_executable(child_spte);
> + if (is_nx_huge_page_enabled(kvm))
> + child_spte = make_spte_executable(child_spte, role.access);
> }
> 
> return child_spte;
> @@ -379,7 +380,7 @@ u64 make_huge_spte(struct kvm *kvm, u64 small_spte, int level)
> huge_spte &= KVM_HPAGE_MASK(level) | ~PAGE_MASK;
> 
> if (is_nx_huge_page_enabled(kvm))
> - huge_spte = make_spte_nonexecutable(huge_spte);
> + huge_spte = make_spte_executable(huge_spte, 0);
> 
> return huge_spte;
> }
> -- 
> 2.52.0
>