inconsistent SME2 ID register fields confuse kernel into reporting but not enabling it

Peter Maydell peter.maydell at linaro.org
Mon Feb 2 03:37:46 PST 2026


I noticed that if the CPU reports an inconsistent set of SME2 related
ID register fields, this confuses the kernel into reporting it in
hwcaps and /proc/cpuinfo but not actually enabling it (so userspace
programs fall over with SIGILL).

The immediate cause of this is a QEMU bug, but Marc suggested that
you'd be interested in this report for potentially making the
kernel more robust against it.

The repro case is to use a current head-of-git QEMU (I tested with
commit 587f4a1805c83a4e) and tell it '-cpu max,sme=on'. The QEMU
bug means that this gives you a CPU that generally reports SME2p1
but incorrectly has the ID_AA64PFR1_EL1.SME field set to 1, not 2.
(If you just say "-cpu max" you get SME2p1 with correct ID regs.)

The kernel's bootup feature detection does not report SME2, because
it is looking at ID_AA64PFR1_EL1.SME:

[    0.039909] CPU features: detected: Scalable Matrix Extension
[    0.039973] CPU features: detected: FA64
[    0.040017] CPU features: detected: Speculative Store Bypassing Safe (SSBS)
[    0.040093] CPU features: detected: Scalable Vector Extension

but the code that generates /proc/cpuinfo and the hwcaps must
be looking at something else (I think ID_AA64SMFR0_EL1.SMEver) and
not cross-checking whether the earlier probing enabled SME2,
because it reports sme2 and sme2p1:

Features        : fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics
fphp asimdhp cpuid asimdrdm jscvt fcma lrcpc dcpop sha3 sm3 sm4
asimddp sha512 sve asimdfhm dit uscat ilrcpc flagm ssbs sb gcs dcpodp
sve2 sveaes svepmull svebitperm svesha3 svesm4 flagm2 frint svei8mm
svef32mm svef64mm svebf16 i8mm bf16 dgh rng bti ecv afp rpres sme
smei16i64 smef64f64 smei8i32 smef16f32 smeb16f32 smef32f32 smefa64
wfxt ebf16 sveebf16 cssc sve2p1 sme2 sme2p1 smei16i32 smebi32i32
smeb16b16 smef16f16 mops hbc sveb16b16 lse128

The kernel commit I'm using here is commit 63804fed149a (6.19-rc7).

Full QEMU command line, for reference:

${QEMU} \
  -machine type=virt,virtualization=off,gic-version=max,mte=off \
  -m 4G -smp 1 \
  -cpu max,pauth=off,sve=on,sme=on \
  -kernel "${KERNEL}" \
  -initrd "${INITRD}" \
  -semihosting \
  -drive if=none,index=0,id=mydrive,file="${TESTDIR}"/hda.qcow2,format=qcow2 \
  -device virtio-blk-pci,drive=mydrive \
  -netdev user,id=mynet,hostfwd=tcp::4040-:4040 \
  -device virtio-net-pci,netdev=mynet \
  -chardev socket,id=monitor,host=127.0.0.1,port=4444,server=on,wait=off,telnet=on \
  -mon chardev=monitor,mode=readline \
  -append 'console=ttyAMA0,38400 root=/dev/vda3 earlycon' \
  -display none -serial stdio

thanks
-- PMM
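The report above describes two register fields that the kernel consults separately: ID_AA64PFR1_EL1.SME (bits [27:24]: 1 = SME, 2 = SME2) during boot-time feature detection, and ID_AA64SMFR0_EL1.SMEver (bits [59:56]: 0 = SME, 1 = SME2, 2 = SME2p1) when generating hwcaps and /proc/cpuinfo. The following is an added illustration, not kernel or QEMU code, of the kind of cross-check that would keep the two consistent: the SMEver field is only allowed to refine what PFR1.SME already says is present, so the buggy combination (PFR1.SME = 1, SMEver = 2) degrades to plain "sme" instead of advertising sme2/sme2p1 that will then fault with SIGILL. Register values are constructed inline; the function and enum names are this example's own.

```c
/*
 * Added example, not code from the Linux kernel or QEMU: derive an SME
 * level from the two ID register fields the report mentions, and refuse
 * to advertise SME2/SME2p1 unless ID_AA64PFR1_EL1.SME agrees.
 *
 * Field positions follow the Arm ARM:
 *   ID_AA64PFR1_EL1.SME      bits [27:24]  (0 none, 1 SME, 2 SME2)
 *   ID_AA64SMFR0_EL1.SMEver  bits [59:56]  (0 SME, 1 SME2, 2 SME2p1)
 * Values below are constructed; nothing here reads a real register.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ID_FIELD(reg, shift) ((unsigned)(((reg) >> (shift)) & 0xfu))
#define PFR1_SME_SHIFT       24
#define SMFR0_SMEVER_SHIFT   56

enum sme_level { SME_NONE = 0, SME_V1 = 1, SME_V2 = 2, SME_V2P1 = 3 };

/* What ID_AA64PFR1_EL1.SME alone claims (it cannot express SME2p1). */
static enum sme_level level_from_pfr1(uint64_t pfr1)
{
    unsigned f = ID_FIELD(pfr1, PFR1_SME_SHIFT);
    if (f == 0) return SME_NONE;
    if (f == 1) return SME_V1;
    return SME_V2;
}

/* What ID_AA64SMFR0_EL1.SMEver alone claims. */
static enum sme_level level_from_smfr0(uint64_t smfr0)
{
    unsigned f = ID_FIELD(smfr0, SMFR0_SMEVER_SHIFT);
    if (f == 0) return SME_V1;
    if (f == 1) return SME_V2;
    return SME_V2P1;
}

/* True when the two fields describe the same feature level. */
int sme_id_consistent(uint64_t pfr1, uint64_t smfr0)
{
    enum sme_level p = level_from_pfr1(pfr1);
    enum sme_level s = level_from_smfr0(smfr0);
    if (p == SME_NONE) return 1;            /* SMFR0 is irrelevant without SME */
    if (p == SME_V1)   return s == SME_V1;  /* SME only: SMEver must be 0 */
    return s >= SME_V2;                     /* SME2 present: SMEver must be >= 1 */
}

/*
 * Effective level: PFR1.SME gates whether SME/SME2 exist at all; SMEver may
 * only refine SME2 to SME2p1. An SMEver above what PFR1 supports is ignored,
 * which is the cross-check the reported kernel path lacks.
 */
enum sme_level sme_effective_level(uint64_t pfr1, uint64_t smfr0)
{
    enum sme_level p = level_from_pfr1(pfr1);
    enum sme_level s = level_from_smfr0(smfr0);
    if (p == SME_NONE) return SME_NONE;
    if (p == SME_V1)   return SME_V1;
    return s < SME_V2 ? SME_V1 : s;         /* PFR1 says SME2 but SMEver says SME: degrade */
}

/* Render the /proc/cpuinfo-style tokens for the effective level. */
const char *sme_hwcap_string(uint64_t pfr1, uint64_t smfr0, char *buf, size_t n)
{
    enum sme_level l = sme_effective_level(pfr1, smfr0);
    buf[0] = '\0';
    if (l >= SME_V1)   strncat(buf, "sme", n - strlen(buf) - 1);
    if (l >= SME_V2)   strncat(buf, " sme2", n - strlen(buf) - 1);
    if (l >= SME_V2P1) strncat(buf, " sme2p1", n - strlen(buf) - 1);
    return buf;
}

int main(void)
{
    char buf[64];
    /* Constructed: the reported QEMU '-cpu max,sme=on' shape (SME=1, SMEver=2). */
    uint64_t bad_pfr1 = 1ULL << PFR1_SME_SHIFT, bad_smfr0 = 2ULL << SMFR0_SMEVER_SHIFT;
    /* Constructed: a correct SME2p1 CPU (SME=2, SMEver=2). */
    uint64_t ok_pfr1  = 2ULL << PFR1_SME_SHIFT, ok_smfr0  = 2ULL << SMFR0_SMEVER_SHIFT;

    printf("inconsistent: consistent=%d hwcaps='%s'\n",
           sme_id_consistent(bad_pfr1, bad_smfr0),
           sme_hwcap_string(bad_pfr1, bad_smfr0, buf, sizeof buf));
    printf("correct:      consistent=%d hwcaps='%s'\n",
           sme_id_consistent(ok_pfr1, ok_smfr0),
           sme_hwcap_string(ok_pfr1, ok_smfr0, buf, sizeof buf));
    return 0;
}
```

With the inconsistent register pair the example reports only "sme", matching what the boot-time detection actually enabled, rather than the "sme sme2 sme2p1" that the hwcap path in the report advertised.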


