[PATCH 1/2] KVM: VMX: Drop obsolete branch hint prefixes from inline asm

[PATCH 1/2] KVM: VMX: Drop obsolete branch hint prefixes from inline asm

[Uros Bizjak]

Remove explicit branch hint prefixes (.byte 0x2e / 0x3e) from VMX
inline assembly sequences.

These prefixes (CS/DS segment overrides used as branch hints on
very old x86 CPUs) have been ignored by modern processors for a
long time. Keeping them provides no measurable benefit and only
enlarges the generated code.

No functional change intended.

Signed-off-by: Uros Bizjak <ubizjak@gmail.com>
Cc: Sean Christopherson <seanjc@google.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Thomas Gleixner <tglx@kernel.org>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
---
 arch/x86/kvm/vmx/vmx_ops.h | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/arch/x86/kvm/vmx/vmx_ops.h b/arch/x86/kvm/vmx/vmx_ops.h
index 96677576c836..1000d37f5b0c 100644
--- a/arch/x86/kvm/vmx/vmx_ops.h
+++ b/arch/x86/kvm/vmx/vmx_ops.h
@@ -119,7 +119,6 @@ static __always_inline unsigned long __vmcs_readl(unsigned long field)
 #else /* !CONFIG_CC_HAS_ASM_GOTO_OUTPUT */
 
 	asm volatile("1: vmread %[field], %[output]\n\t"
-		     ".byte 0x3e\n\t" /* branch taken hint */
 		     "ja 3f\n\t"
 
 		     /*
@@ -191,7 +190,6 @@ static __always_inline unsigned long vmcs_readl(unsigned long field)
 #define vmx_asm1(insn, op1, error_args...)				\
 do {									\
 	asm goto("1: " __stringify(insn) " %0\n\t"			\
-			  ".byte 0x2e\n\t" /* branch not taken hint */	\
 			  "jna %l[error]\n\t"				\
 			  _ASM_EXTABLE(1b, %l[fault])			\
 			  : : op1 : "cc" : error, fault);		\
@@ -208,7 +206,6 @@ fault:									\
 #define vmx_asm2(insn, op1, op2, error_args...)				\
 do {									\
 	asm goto("1: "  __stringify(insn) " %1, %0\n\t"			\
-			  ".byte 0x2e\n\t" /* branch not taken hint */	\
 			  "jna %l[error]\n\t"				\
 			  _ASM_EXTABLE(1b, %l[fault])			\
 			  : : op1, op2 : "cc" : error, fault);		\
-- 
2.53.0

[PATCH 2/2] KVM: VMX: Use ASM_INPUT_RM in __vmcs_writel

[Uros Bizjak]

Use the ASM_INPUT_RM macro for VMCS write operation in vmx_ops.h to
work around clang problems with "rm" asm constraint. clang seems to
always chose the memory input, while it is almost always the worst
choice.

Signed-off-by: Uros Bizjak <ubizjak@gmail.com>
Cc: Sean Christopherson <seanjc@google.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Thomas Gleixner <tglx@kernel.org>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
---
 arch/x86/kvm/vmx/vmx_ops.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kvm/vmx/vmx_ops.h b/arch/x86/kvm/vmx/vmx_ops.h
index 1000d37f5b0c..81784befaaf4 100644
--- a/arch/x86/kvm/vmx/vmx_ops.h
+++ b/arch/x86/kvm/vmx/vmx_ops.h
@@ -221,7 +221,7 @@ fault:									\
 
 static __always_inline void __vmcs_writel(unsigned long field, unsigned long value)
 {
-	vmx_asm2(vmwrite, "r"(field), "rm"(value), field, value);
+	vmx_asm2(vmwrite, "r" (field), ASM_INPUT_RM (value), field, value);
 }
 
 static __always_inline void vmcs_write16(unsigned long field, u16 value)
-- 
2.53.0

Re: [PATCH 1/2] KVM: VMX: Drop obsolete branch hint prefixes from inline asm

[Andrew Cooper]

> Remove explicit branch hint prefixes (.byte 0x2e / 0x3e) from VMX
> inline assembly sequences.
>
> These prefixes (CS/DS segment overrides used as branch hints on
> very old x86 CPUs) have been ignored by modern processors for a
> long time. Keeping them provides no measurable benefit and only
> enlarges the generated code.

It's actually worse than this.

The branch-taken hint has new meaning in Lion Cove cores and later,
along with a warning saying "performance penalty for misuse".

i.e. "only insert this prefix after profiling".

~Andrew

Re: [PATCH 1/2] KVM: VMX: Drop obsolete branch hint prefixes from inline asm

[Sean Christopherson]

On Wed, Feb 11, 2026, Andrew Cooper wrote:
> > Remove explicit branch hint prefixes (.byte 0x2e / 0x3e) from VMX
> > inline assembly sequences.
> >
> > These prefixes (CS/DS segment overrides used as branch hints on
> > very old x86 CPUs) have been ignored by modern processors for a
> > long time. Keeping them provides no measurable benefit and only
> > enlarges the generated code.
> 
> It's actually worse than this.
> 
> The branch-taken hint has new meaning in Lion Cove cores and later,
> along with a warning saying "performance penalty for misuse".

Well that's just lovely.  Sounds like maybe this should be tagged for stable@?

Re: [PATCH 1/2] KVM: VMX: Drop obsolete branch hint prefixes from inline asm

[David Laight]

On Wed, 11 Feb 2026 10:57:31 +0000
Andrew Cooper <andrew.cooper3@citrix.com> wrote:

> > Remove explicit branch hint prefixes (.byte 0x2e / 0x3e) from VMX
> > inline assembly sequences.
> >
> > These prefixes (CS/DS segment overrides used as branch hints on
> > very old x86 CPUs) have been ignored by modern processors for a
> > long time. Keeping them provides no measurable benefit and only
> > enlarges the generated code.  
> 
> It's actually worse than this.
> 
> The branch-taken hint has new meaning in Lion Cove cores and later,
> along with a warning saying "performance penalty for misuse".
> 
> i.e. "only insert this prefix after profiling".

Don't they really have much the same meaning as before?
Perhaps the branch prediction logic is ignored (which would make
getting then wrong very bad).
But here (and a few other places) the branch really is 'never taken',
so perhaps the branch hints should have been removed 20 years ago
and now is the time to add them back?

Of course, the branch-hint can only have an effect when the branch
prediction logic gets to see the branch.
The initial instruction prefetch (etc) is done without regard to
the contents of the memory being read - so initially all branches
are effectively predicted 'not-taken'.

(I got the impression that some AMD cpu 'attached' some of the branch
prediction info to the cache-line - and would use it when the cache
line was re-used for an entirely different address. Hence the issues
where non-branch instructions would be predicted as branches.)

	David

> 
> ~Andrew
> 

Re: [PATCH 1/2] KVM: VMX: Drop obsolete branch hint prefixes from inline asm

[Andrew Cooper]

On 11/02/2026 1:43 pm, David Laight wrote:
> On Wed, 11 Feb 2026 10:57:31 +0000
> Andrew Cooper <andrew.cooper3@citrix.com> wrote:
>
>>> Remove explicit branch hint prefixes (.byte 0x2e / 0x3e) from VMX
>>> inline assembly sequences.
>>>
>>> These prefixes (CS/DS segment overrides used as branch hints on
>>> very old x86 CPUs) have been ignored by modern processors for a
>>> long time. Keeping them provides no measurable benefit and only
>>> enlarges the generated code.  
>> It's actually worse than this.
>>
>> The branch-taken hint has new meaning in Lion Cove cores and later,
>> along with a warning saying "performance penalty for misuse".
>>
>> i.e. "only insert this prefix after profiling".
> Don't they really have much the same meaning as before?

Architecturally yes, microarchitecturally very much not.

For a branch known to the predictor, there is no effect.  If a branch
unknown to the predictor gets decoded, it triggers a frontend flush and
resteer.

It is only useful for programs large enough to exceed the working set of
the conditional predictor, and for which certain branches are known to
be ~always taken.

Putting the prefix on a branch that isn't ~always taken is worse than
not having the prefix in the first place, hence the warning.

~Andrew

Re: [PATCH 1/2] KVM: VMX: Drop obsolete branch hint prefixes from inline asm

[Sean Christopherson]

On Wed, Feb 11, 2026, Andrew Cooper wrote:
> On 11/02/2026 1:43 pm, David Laight wrote:
> > On Wed, 11 Feb 2026 10:57:31 +0000
> > Andrew Cooper <andrew.cooper3@citrix.com> wrote:
> >
> >>> Remove explicit branch hint prefixes (.byte 0x2e / 0x3e) from VMX
> >>> inline assembly sequences.
> >>>
> >>> These prefixes (CS/DS segment overrides used as branch hints on
> >>> very old x86 CPUs) have been ignored by modern processors for a
> >>> long time. Keeping them provides no measurable benefit and only
> >>> enlarges the generated code.  
> >> It's actually worse than this.
> >>
> >> The branch-taken hint has new meaning in Lion Cove cores and later,
> >> along with a warning saying "performance penalty for misuse".
> >>
> >> i.e. "only insert this prefix after profiling".
> > Don't they really have much the same meaning as before?
> 
> Architecturally yes, microarchitecturally very much not.
> 
> For a branch known to the predictor, there is no effect.  If a branch
> unknown to the predictor gets decoded, it triggers a frontend flush and
> resteer.
> 
> It is only useful for programs large enough to exceed the working set of
> the conditional predictor, and for which certain branches are known to
> be ~always taken.
> 
> Putting the prefix on a branch that isn't ~always taken is worse than
> not having the prefix in the first place, hence the warning.

These branches indeed ~always follow the hinted path (not taken in this case).

So it sounds like this definitely isn't stable@ material, and maybe even begs
the question if dropping the hints is a net positive?

Re: [PATCH 1/2] KVM: VMX: Drop obsolete branch hint prefixes from inline asm

[Andrew Cooper]

On 11/02/2026 3:44 pm, Sean Christopherson wrote:
> On Wed, Feb 11, 2026, Andrew Cooper wrote:
>> On 11/02/2026 1:43 pm, David Laight wrote:
>>> On Wed, 11 Feb 2026 10:57:31 +0000
>>> Andrew Cooper <andrew.cooper3@citrix.com> wrote:
>>>
>>>>> Remove explicit branch hint prefixes (.byte 0x2e / 0x3e) from VMX
>>>>> inline assembly sequences.
>>>>>
>>>>> These prefixes (CS/DS segment overrides used as branch hints on
>>>>> very old x86 CPUs) have been ignored by modern processors for a
>>>>> long time. Keeping them provides no measurable benefit and only
>>>>> enlarges the generated code.  
>>>> It's actually worse than this.
>>>>
>>>> The branch-taken hint has new meaning in Lion Cove cores and later,
>>>> along with a warning saying "performance penalty for misuse".
>>>>
>>>> i.e. "only insert this prefix after profiling".
>>> Don't they really have much the same meaning as before?
>> Architecturally yes, microarchitecturally very much not.
>>
>> For a branch known to the predictor, there is no effect.  If a branch
>> unknown to the predictor gets decoded, it triggers a frontend flush and
>> resteer.
>>
>> It is only useful for programs large enough to exceed the working set of
>> the conditional predictor, and for which certain branches are known to
>> be ~always taken.
>>
>> Putting the prefix on a branch that isn't ~always taken is worse than
>> not having the prefix in the first place, hence the warning.
> These branches indeed ~always follow the hinted path (not taken in this case).
>
> So it sounds like this definitely isn't stable@ material, and maybe even begs
> the question if dropping the hints is a net positive?

The new behaviour only exists for hint-taken. Because it only has any
effect for a branch unknown to the predictor, the behaviour without this
hint would be as if it were a larger basic block.

hint-not-takens have no behaviour since the Pentium 4 that I'm aware of.

This change is almost certainly marginal at best.  It's not as if
VMREAD/VMWRITE lead to good code gen even at the best of times.

~Andrew

Re: [PATCH 1/2] KVM: VMX: Drop obsolete branch hint prefixes from inline asm

[Sean Christopherson]

On Wed, Feb 11, 2026, Andrew Cooper wrote:
> On 11/02/2026 3:44 pm, Sean Christopherson wrote:
> > On Wed, Feb 11, 2026, Andrew Cooper wrote:
> >> On 11/02/2026 1:43 pm, David Laight wrote:
> >>> On Wed, 11 Feb 2026 10:57:31 +0000
> >>> Andrew Cooper <andrew.cooper3@citrix.com> wrote:
> >>>
> >>>>> Remove explicit branch hint prefixes (.byte 0x2e / 0x3e) from VMX
> >>>>> inline assembly sequences.
> >>>>>
> >>>>> These prefixes (CS/DS segment overrides used as branch hints on
> >>>>> very old x86 CPUs) have been ignored by modern processors for a
> >>>>> long time. Keeping them provides no measurable benefit and only
> >>>>> enlarges the generated code.  
> >>>> It's actually worse than this.
> >>>>
> >>>> The branch-taken hint has new meaning in Lion Cove cores and later,
> >>>> along with a warning saying "performance penalty for misuse".
> >>>>
> >>>> i.e. "only insert this prefix after profiling".
> >>> Don't they really have much the same meaning as before?
> >> Architecturally yes, microarchitecturally very much not.
> >>
> >> For a branch known to the predictor, there is no effect.  If a branch
> >> unknown to the predictor gets decoded, it triggers a frontend flush and
> >> resteer.
> >>
> >> It is only useful for programs large enough to exceed the working set of
> >> the conditional predictor, and for which certain branches are known to
> >> be ~always taken.
> >>
> >> Putting the prefix on a branch that isn't ~always taken is worse than
> >> not having the prefix in the first place, hence the warning.
> > These branches indeed ~always follow the hinted path (not taken in this case).

Doh, forgot the !CC_HAS_ASM_GOTO_OUTPUT case uses a branch-taken hint.

> > So it sounds like this definitely isn't stable@ material, and maybe even begs
> > the question if dropping the hints is a net positive?
> 
> The new behaviour only exists for hint-taken. Because it only has any
> effect for a branch unknown to the predictor, the behaviour without this
> hint would be as if it were a larger basic block.
> 
> hint-not-takens have no behaviour since the Pentium 4 that I'm aware of.
> 
> This change is almost certainly marginal at best.  It's not as if
> VMREAD/VMWRITE lead to good code gen even at the best of times.

Yeah, but adding in them in the first place was even more marginal (I added the
hints as much for documentation purposes as anything else).  Absent proof that
having the hints is a net positive, I'm inclined to trust the compiler folks on
what is/isn't optimal, and drop them.

Re: [PATCH 1/2] KVM: VMX: Drop obsolete branch hint prefixes from inline asm

[Andrew Cooper]

On 11/02/2026 4:17 pm, Sean Christopherson wrote:
> On Wed, Feb 11, 2026, Andrew Cooper wrote:
>> On 11/02/2026 3:44 pm, Sean Christopherson wrote:
>>> On Wed, Feb 11, 2026, Andrew Cooper wrote:
>> This change is almost certainly marginal at best.  It's not as if
>> VMREAD/VMWRITE lead to good code gen even at the best of times.
> Yeah, but adding in them in the first place was even more marginal (I added the
> hints as much for documentation purposes as anything else).  Absent proof that
> having the hints is a net positive, I'm inclined to trust the compiler folks on
> what is/isn't optimal, and drop them.

Branch mispredicts in the P4 could easily eat up 150 cycles before the
frontend got it's act together.

However, optimising VMREAD/VMWRITE and not the whole kernel seems
somewhat futile.

~Andrew

Re: [PATCH 1/2] KVM: VMX: Drop obsolete branch hint prefixes from inline asm

[Sean Christopherson]

On Wed, Feb 11, 2026, Andrew Cooper wrote:
> On 11/02/2026 4:17 pm, Sean Christopherson wrote:
> > On Wed, Feb 11, 2026, Andrew Cooper wrote:
> >> On 11/02/2026 3:44 pm, Sean Christopherson wrote:
> >>> On Wed, Feb 11, 2026, Andrew Cooper wrote:
> >> This change is almost certainly marginal at best.  It's not as if
> >> VMREAD/VMWRITE lead to good code gen even at the best of times.
> > Yeah, but adding in them in the first place was even more marginal (I added the
> > hints as much for documentation purposes as anything else).  Absent proof that
> > having the hints is a net positive, I'm inclined to trust the compiler folks on
> > what is/isn't optimal, and drop them.
> 
> Branch mispredicts in the P4 could easily eat up 150 cycles before the
> frontend got it's act together.

Heh, I'm willing to risk getting yelled at by the one person running KVM on P4.

> However, optimising VMREAD/VMWRITE and not the whole kernel seems
> somewhat futile.
> 
> ~Andrew

Re: [PATCH 1/2] KVM: VMX: Drop obsolete branch hint prefixes from inline asm

[David Laight]

On Wed, 11 Feb 2026 13:55:35 +0000
Andrew Cooper <andrew.cooper3@citrix.com> wrote:

> On 11/02/2026 1:43 pm, David Laight wrote:
> > On Wed, 11 Feb 2026 10:57:31 +0000
> > Andrew Cooper <andrew.cooper3@citrix.com> wrote:
> >  
> >>> Remove explicit branch hint prefixes (.byte 0x2e / 0x3e) from VMX
> >>> inline assembly sequences.
> >>>
> >>> These prefixes (CS/DS segment overrides used as branch hints on
> >>> very old x86 CPUs) have been ignored by modern processors for a
> >>> long time. Keeping them provides no measurable benefit and only
> >>> enlarges the generated code.    
> >> It's actually worse than this.
> >>
> >> The branch-taken hint has new meaning in Lion Cove cores and later,
> >> along with a warning saying "performance penalty for misuse".
> >>
> >> i.e. "only insert this prefix after profiling".  
> > Don't they really have much the same meaning as before?  
> 
> Architecturally yes, microarchitecturally very much not.
> 
> For a branch known to the predictor, there is no effect.  If a branch
> unknown to the predictor gets decoded, it triggers a frontend flush and
> resteer.

That'll be 'decoded taken'.
I suspect that it is less 'painful' than a normal mispredict since it happens
as lot earlier.
Of course, if you get it wrong, there will be a mispredict penalty as well.

	David

> It is only useful for programs large enough to exceed the working set of
> the conditional predictor, and for which certain branches are known to
> be ~always taken.
> 
> Putting the prefix on a branch that isn't ~always taken is worse than
> not having the prefix in the first place, hence the warning.
> 
> ~Andrew
> 

Re: [PATCH 1/2] KVM: VMX: Drop obsolete branch hint prefixes from inline asm

[Christian Ludloff]

Andrew Cooper wrote:
> The branch-taken hint has new meaning in Lion Cove cores and later,
> along with a warning saying "performance penalty for misuse".

Make that Redwood Cove. For details, see the
Intel ORM Vol1 #248966-050 Section 2.1.1.1.

Also, for the sake of completeness, the officially
undocumented old "Alternate Taken/Not Taken"
hint on the P4 (prefix 0x64) is covered in Agner
Vol3 Section 3.4; in the 2025-12-14 pdf you can
find it in the top half of page 26 of 277.

--
C.

Re: [PATCH 1/2] KVM: VMX: Drop obsolete branch hint prefixes from inline asm

[Andrew Cooper]

On 12/02/2026 5:33 am, Christian Ludloff wrote:
> Andrew Cooper wrote:
>> The branch-taken hint has new meaning in Lion Cove cores and later,
>> along with a warning saying "performance penalty for misuse".
> Make that Redwood Cove. For details, see the
> Intel ORM Vol1 #248966-050 Section 2.1.1.1.

My apologies.  The ORM is the source of truth here, and I clearly mixed
up the uarch.

~Andrew

Re: [PATCH 2/2] KVM: VMX: Use ASM_INPUT_RM in __vmcs_writel

[Nathan Chancellor]

On Wed, Feb 11, 2026 at 11:28:50AM +0100, Uros Bizjak wrote:
> Use the ASM_INPUT_RM macro for VMCS write operation in vmx_ops.h to
> work around clang problems with "rm" asm constraint. clang seems to
> always chose the memory input, while it is almost always the worst
> choice.
> 
> Signed-off-by: Uros Bizjak <ubizjak@gmail.com>
> Cc: Sean Christopherson <seanjc@google.com>
> Cc: Paolo Bonzini <pbonzini@redhat.com>
> Cc: Thomas Gleixner <tglx@kernel.org>
> Cc: Ingo Molnar <mingo@kernel.org>
> Cc: Borislav Petkov <bp@alien8.de>
> Cc: Dave Hansen <dave.hansen@linux.intel.com>
> Cc: "H. Peter Anvin" <hpa@zytor.com>

Acked-by: Nathan Chancellor <nathan@kernel.org>

FWIW, I hope this issue will soon be fixed in clang properly so we can
add a version check to this workaround:

  https://github.com/llvm/llvm-project/pull/181973

> ---
>  arch/x86/kvm/vmx/vmx_ops.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/arch/x86/kvm/vmx/vmx_ops.h b/arch/x86/kvm/vmx/vmx_ops.h
> index 1000d37f5b0c..81784befaaf4 100644
> --- a/arch/x86/kvm/vmx/vmx_ops.h
> +++ b/arch/x86/kvm/vmx/vmx_ops.h
> @@ -221,7 +221,7 @@ fault:									\
>  
>  static __always_inline void __vmcs_writel(unsigned long field, unsigned long value)
>  {
> -	vmx_asm2(vmwrite, "r"(field), "rm"(value), field, value);
> +	vmx_asm2(vmwrite, "r" (field), ASM_INPUT_RM (value), field, value);
>  }
>  
>  static __always_inline void vmcs_write16(unsigned long field, u16 value)
> -- 
> 2.53.0
> 

Re: [PATCH 1/2] KVM: VMX: Drop obsolete branch hint prefixes from inline asm

[Sean Christopherson]

On Wed, 11 Feb 2026 11:28:49 +0100, Uros Bizjak wrote:
> Remove explicit branch hint prefixes (.byte 0x2e / 0x3e) from VMX
> inline assembly sequences.
> 
> These prefixes (CS/DS segment overrides used as branch hints on
> very old x86 CPUs) have been ignored by modern processors for a
> long time. Keeping them provides no measurable benefit and only
> enlarges the generated code.
> 
> [...]

Applied to kvm-x86 vmx, thanks!

[1/2] KVM: VMX: Drop obsolete branch hint prefixes from inline asm
      https://github.com/kvm-x86/linux/commit/6dad59124e15
[2/2] KVM: VMX: Use ASM_INPUT_RM in __vmcs_writel
      https://github.com/kvm-x86/linux/commit/192f777b3af0

--
https://github.com/kvm-x86/linux/tree/next