The workaround patch above is insufficient if I change userspace to set TCF0=1. With that I get a kernel panic: [ 13.336255][ C0] Bad mode in Synchronous Abort handler detected on CPU0, code 0x92000011 -- DABT (lower EL) [ 13.337437][ C0] CPU: 0 PID: 1 Comm: init Not tainted 5.10.0-rc7-mainline-00300-gf4328758abb6 #1 [ 13.338086][ C0] Hardware name: linux,dummy-virt (DT) [ 13.338948][ C0] pstate: 20400005 (nzCv daif +PAN -UAO -TCO BTYPE=--) [ 13.339951][ C0] pc : __arch_copy_from_user+0x1e4/0x340 [ 13.340483][ C0] lr : _copy_from_user+0xbc/0x564 [ 13.340930][ C0] sp : ffffffc01000bda0 [ 13.341385][ C0] x29: ffffffc01000bda0 [ 13.342295][ C0] x28: ffffff804011c100 [ 13.342951][ C0] [ 13.343321][ C0] x27: 0000000000000000 [ 13.343759][ C0] x26: 0000000000000000 [ 13.344178][ C0] [ 13.344513][ C0] x25: 0000000000000000 [ 13.344954][ C0] x24: 0000000000000000 [ 13.345382][ C0] [ 13.345713][ C0] x23: 0300007e18aca850 [ 13.346153][ C0] x22: 0300007e18aca860 [ 13.346809][ C0] [ 13.347144][ C0] x21: ffffff8043d1ef80 [ 13.347596][ C0] x20: 0300007e18aca850 [ 13.348023][ C0] [ 13.348354][ C0] x19: ffffff8043295000 [ 13.348806][ C0] x18: ffffff8040103c38 [ 13.349232][ C0] [ 13.349557][ C0] x17: 0000000004000000 [ 13.349998][ C0] x16: 0000007fffffffff [ 13.350634][ C0] [ 13.350965][ C0] x15: 0000007f9fed34f8 [ 13.351409][ C0] x14: 006d65747379730c [ 13.351844][ C0] [ 13.352167][ C0] x13: 00000000000001ed [ 13.352610][ C0] x12: 0000000000000000 [ 13.353034][ C0] [ 13.353358][ C0] x11: 0000000000000000 [ 13.353802][ C0] x10: 0000000000000000 [ 13.354232][ C0] [ 13.354785][ C0] x9 : 006d65747379730c [ 13.355236][ C0] x8 : 0000000000000000 [ 13.355673][ C0] [ 13.355998][ C0] x7 : 0000000000000000 [ 13.356448][ C0] x6 : ffffff8043295040 [ 13.356874][ C0] [ 13.357200][ C0] x5 : ffffff8043296000 [ 13.357646][ C0] x4 : 0000000000000000 [ 13.358077][ C0] [ 13.358423][ C0] x3 : 0000000000000001 [ 13.359055][ C0] x2 : 0000000000000f80 [ 13.359497][ C0] [ 13.359829][ C0] x1 : 0300007e18aca8c0 [ 13.360278][ C0] x0 : ffffff8043295000 [ 13.360705][ C0] [ 13.362315][ C0] Kernel panic - not syncing: bad mode [ 13.362377][ C0] CPU: 0 PID: 1 Comm: init Not tainted 5.10.0-rc7-mainline-00300-gf4328758abb6 #1 [ 13.362410][ C0] Hardware name: linux,dummy-virt (DT) [ 13.362442][ C0] Call trace: [ 13.362474][ C0] dump_backtrace+0x0/0x1e0 [ 13.362507][ C0] show_stack+0x1c/0x2c [ 13.362539][ C0] dump_stack+0xd0/0x154 [ 13.362570][ C0] panic+0x158/0x370 [ 13.362602][ C0] bad_el0_sync+0x0/0x5c [ 13.362634][ C0] el1_inv+0x3c/0x5c [ 13.362666][ C0] el1_sync_handler+0x64/0x8c [ 13.362698][ C0] el1_sync+0x84/0x140 [ 13.362730][ C0] __arch_copy_from_user+0x1e4/0x340 [ 13.362762][ C0] copy_mount_options+0x40/0x1d0 [ 13.362794][ C0] __arm64_sys_mount+0x84/0x13c [ 13.362826][ C0] el0_svc_common+0xc0/0x1b4 [ 13.362858][ C0] do_el0_svc+0x20/0x30 [ 13.362890][ C0] el0_svc+0x14/0x24 [ 13.362922][ C0] el0_sync_handler+0x88/0xec [ 13.362953][ C0] el0_sync+0x17c/0x180 [ 13.363547][ C0] Kernel Offset: 0x2abd800000 from 0xffffffc010000000 [ 13.363580][ C0] PHYS_OFFSET: 0x40000000 [ 13.363613][ C0] CPU features: 0x27e0152,6180a230 [ 13.363644][ C0] Memory Limit: none It looks like the tag check fault coming from the LDTR is reported using the wrong EL.