Wow, crazy issue bypasses PAN: Part of the uaccess routines (__arch_clear_user() and __arch_copy_{in,from,to}_user()) fail to re-enable PAN if they encounter an unhandled fault while accessing userspace. Check out the patch: https://lore.kernel.org/patchwork/patch/1157641/ … @Liran_Alon
Short time after the publish of the crazy design issue, contradicting XOM on EL0 && PAN (the arch can't create ---/--x, checkout @s1guza's amazing post. TL;DR https://twitter.com/AmarSaar/status/1214414716140998656?s=19 …)