Re: [PATCH 06/28] KVM: x86/mmu: merge make_spte_{non,}executable

[Sean Christopherson]

On Thu, Apr 30, 2026, Paolo Bonzini wrote:
> As the logic will become more complicated with the introduction
> of MBEC, at least write it only once.
> 
> Tested-by: David Riley <d.riley@xxxxxxxxxxx>
> Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
> ---
>  arch/x86/kvm/mmu/spte.c | 20 +++++++++++---------
>  1 file changed, 11 insertions(+), 9 deletions(-)
> 
> diff --git a/arch/x86/kvm/mmu/spte.c b/arch/x86/kvm/mmu/spte.c
> index 85a0473809b0..e9dc0ae44274 100644
> --- a/arch/x86/kvm/mmu/spte.c
> +++ b/arch/x86/kvm/mmu/spte.c
> @@ -317,14 +317,16 @@ static u64 modify_spte_protections(u64 spte, u64 set, u64 clear)
>  	return spte;
>  }
>  
> -static u64 make_spte_executable(u64 spte)
> +static u64 make_spte_executable(u64 spte, u8 access)

make_spte_executable() is a less-than-awesome name for the combined functionality.
I read it as "Make an executable SPTE", but when called from make_huge_spte() it's
obviously not making an executable SPTE.

What about something like this, either as fixup or on top? (completely untested)

diff --git a/arch/x86/kvm/mmu/spte.c b/arch/x86/kvm/mmu/spte.c
index 9b5ce4d1fa65..84d716e91566 100644
--- a/arch/x86/kvm/mmu/spte.c
+++ b/arch/x86/kvm/mmu/spte.c
@@ -320,10 +320,13 @@ static u64 modify_spte_protections(u64 spte, u64 set, u64 clear)
        return spte;
 }
 
-static u64 make_spte_executable(u64 spte, u8 access)
+static u64 apply_nx_huge_page_adjustments(struct kvm *kvm, u64 spte, u8 access)
 {
        u64 set, clear;
 
+       if (!is_nx_huge_page_enabled(kvm))
+               return spte;
+
        if (shadow_nx_mask)
                set = (access & ACC_EXEC_MASK) ? 0 : shadow_nx_mask;
        else
@@ -363,8 +366,8 @@ u64 make_small_spte(struct kvm *kvm, u64 huge_spte,
                 * the page executable as the NX hugepage mitigation no longer
                 * applies.
                 */
-               if (is_nx_huge_page_enabled(kvm))
-                       child_spte = make_spte_executable(child_spte, role.access);
+               child_spte = apply_nx_huge_page_adjustments(kvm, child_spte,
+                                                           role.access);
        }
 
        return child_spte;
@@ -384,11 +387,7 @@ u64 make_huge_spte(struct kvm *kvm, u64 small_spte, int level)
         * huge page address.
         */
        huge_spte &= KVM_HPAGE_MASK(level) | ~PAGE_MASK;
-
-       if (is_nx_huge_page_enabled(kvm))
-               huge_spte = make_spte_executable(huge_spte, 0);
-
-       return huge_spte;
+       return apply_nx_huge_page_adjustments(kvm, huge_spte, 0);
 }
 
 u64 make_nonleaf_spte(u64 *child_pt, bool ad_disabled)