On Mon, Jan 06, 2025 at 09:40:56AM +0000, Mark Rutland wrote:
On Fri, Jan 03, 2025 at 06:22:55PM +0000, Marc Zyngier wrote:
The hwcaps code that exposes SVE features to userspace only considers ID_AA64ZFR0_EL1, while this is only valid when ID_AA64PFR0_EL1.SVE advertises that SVE is actually supported.
The expectations are that when ID_AA64PFR0_EL1.SVE is 0, the ID_AA64ZFR0_EL1 register is also 0. So far, so good.
Things become a bit more interesting if the HW implements SME. In this case, a few ID_AA64ZFR0_EL1 fields indicate *SME* features. And these fields overlap with their SVE interpretations. But the architecture says that the SME and SVE feature sets must match, so we're still hunky-dory.
This goes wrong if the HW implements SME, but not SVE. In this case, we end-up advertising some SVE features to userspace, even if the HW has none. That's because we never consider whether SVE is actually implemented. Oh well.
Ugh; this is a massive pain. :(
Was this found by inspection, or is some real software going wrong?
It goes wrong on M4 in a VM. The latest macOS (15.2 I think) enabled those ID regs for guests and Linux user space started falling apart (first one reported was a fairly recent JDK getting SIGILL when trying to use the INCB instruction). Reported initially on the Parallels forum.
Fix it by restricting all SVE capabilities to ID_AA64PFR0_EL1.SVE being non-zero.
Unfortunately, I'm not sure this fix is correct+complete.
We expose ID_AA64PFR0_EL1 and ID_AA64ZFR0_EL1 via ID register emulation, so any userspace software reading ID_AA64ZFR0_EL1 will encounter the same surprise. If we hide that I'm worried we might hide some SME-only information that isn't exposed elsewhere, and I'm not sure we can reasonably hide ID_AA64ZFR0_EL1 emulation for SME-only (more on that below).
Good point about the user also accessing these registers through emulation.
Secondly, all our HWCAP documentation is written in the form:
| HWCAP2_SVEBF16 | Functionality implied by ID_AA64ZFR0_EL1.BF16 == 0b0001.
... so while the architectural behaviour is a surprise, the kernel is (techincallyy) behaving exactly as documented prior to this patch. Maybe we need to change that documentation?
The kernel is also reporting HWCAP2_SVE2 based on ID_AA64ZFR0_EL1.SVEver which I don't think it should (my reading of the spec). I suspect that's what's causing JDK failures.
Do we have equivalent SME hwcaps for the relevant features?
... looking at:
https://developer.arm.com/documentation/ddi0601/2024-12/AArch64-Registers/ID...
... I see that ID_AA64ZFR0_EL1.B16B16 >= 0b0010 implies the presence of SME BFMUL and BFSCALE instructions, but I don't see something equivalent in ID_AA64SMFR0_EL1 per:
https://developer.arm.com/documentation/ddi0601/2024-12/AArch64-Registers/ID...
... so I suspect ID_AA64ZFR0_EL1 might be the only source of truth for this.
It is bizarre that ID_AA64SMFR0_EL1 doesn't follow the same format, and ID_AA64SMFR0_EL1.B16B16 is a single-bit field that cannot encode the same values as ID_AA64ZFR0_EL1.B16B16 (which is a 4-bit field).
Oh, I'm getting confused now. Do we have this information exposed twice in the ID regs? I think in the kernel we use ZFR0 for SVE and SMFR0 for the SME equivalent but the architecture is actually confusing with ZFR0 describing both SME and SVE features available. I guess at some point the architects thought we can't have SME without SVE but changed their mind and we haven't spotted.