git.ipfire.org Git - thirdparty/kernel/linux.git/commit
KVM: SVM: Mark module parameters as __ro_after_init for security and performance
author Li RongQing <lirongqing@baidu.com>
Mon, 2 Feb 2026 09:50:04 +0000 (04:50 -0500)
committer Sean Christopherson <seanjc@google.com>
Mon, 2 Mar 2026 22:50:39 +0000 (14:50 -0800)
commit 52de184badc48d2bb5f2087b19da9d2cddfb0464
tree a42affb35010a6721e0648032e7208048c695eb4
parent 11439c4635edd669ae435eec308f4ab8a0804808

SVM module parameters such as avic, sev_enabled, npt_enabled, and
pause_filter_thresh are configured exclusively during initialization
(via kernel command line) and remain constant throughout runtime.
Additionally, sev_supported_vmsa_features and svm_gp_erratum_intercept,
while not exposed as module parameters, share the same initialization
pattern and runtime constancy.

Mark these variables with '__ro_after_init' to:
- Harden against accidental or malicious runtime modification
- Enable compiler and CPU optimizations (improved caching, branch prediction)
- Align with kernel security best practices for init-only configuration

The exception is 'iopm_base', which retains '__read_mostly' as it requires
updates during module unloading.

Suggested-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Li RongQing <lirongqing@baidu.com>
Link: https://patch.msgid.link/20260202095004.1765-1-lirongqing@baidu.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
arch/x86/kvm/svm/avic.c
arch/x86/kvm/svm/sev.c
arch/x86/kvm/svm/svm.c
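
A user-space analogue of the hardening the commit message describes, added here as an example and not taken from the commit or the kernel tree: in the kernel, `__ro_after_init` data is write-protected once initialization finishes, and this sketch reproduces that effect with `mmap`/`mprotect` on a private page. The `init_cfg` struct and the `cfg_*` function names are hypothetical; only the field names are borrowed from the commit message.

```c
#define _GNU_SOURCE             /* MAP_ANONYMOUS, sigaction under strict -std modes */
#include <setjmp.h>
#include <signal.h>
#include <sys/mman.h>
#include <unistd.h>

/* Field names borrowed from the commit message; the struct is hypothetical. */
struct init_cfg { int npt_enabled; int avic; };
static struct init_cfg *cfg;    /* lives alone on its own page */
static sigjmp_buf fault_jmp;

static void on_fault(int sig) { (void)sig; siglongjmp(fault_jmp, 1); }

/* Init phase: fill the page while it is writable, then drop PROT_WRITE. */
int cfg_init(int npt, int avic)
{
    long page = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    cfg = p;
    cfg->npt_enabled = npt;
    cfg->avic = avic;
    return mprotect(p, (size_t)page, PROT_READ);
}

int cfg_npt(void) { return cfg->npt_enabled; }

/* Attempt a post-init write; returns 1 if it faulted, 0 if the store landed. */
int cfg_write_faults(int new_npt)
{
    struct sigaction sa = { 0 }, old_segv, old_bus;
    volatile int faulted = 1;
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);     /* some platforms report SIGBUS */
    if (sigsetjmp(fault_jmp, 1) == 0) {
        *(volatile int *)&cfg->npt_enabled = new_npt;
        faulted = 0;                      /* reached only if the store succeeded */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

/* Exit status 0 means: init succeeded, the late write faulted, value unchanged. */
int main(void) { return !(cfg_init(1, 0) == 0 && cfg_write_faults(0) == 1 && cfg_npt() == 1); }
```

The same reasoning explains the `iopm_base` exception in the message: a variable that must be written again after the init phase cannot live on a page that has already lost write permission.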