MMU permission flags not enforced in user mode on RISC-V (Sv32 + QEMU) #88810
kgingerale asked this question in General (Unanswered, 0 replies)
Hi all,
We're working on adding MMU support for the qemu_riscv64 target using Sv32, and have run into a situation where PTE permission flags are not being enforced, even when the thread is in user mode.
Specifically, we are:
- Setting up Sv32 paging using a 2-level page table.
- Calling z_riscv_mm_init() early in z_riscv_prep_c(), before z_cstart().
- Mapping a virtual address (VA) to a physical address (PA) with PTE_VALID | PTE_READ | PTE_USER, but without PTE_WRITE.
- Flushing the TLB and setting SATP with mode = 1 and the root PPN.
- Running the test logic from a Zephyr user thread (we confirmed this by checking mstatus and satp at runtime).
Expected behavior:
Attempting to write to the mapped VA from user mode should fault due to lack of write permission.
Observed behavior:
The write succeeds, and no exception is raised. This contradicts behavior we've validated on qemu_cortex_a53 (ARM64), where write attempts without PTE_WRITE correctly fault in user mode.
We’ve verified that:
- The correct PTE is being written (W=0, U=1, V=1, R=1).
- The TLB is flushed after setting SATP.
- The thread is running in user mode (mstatus.MPP = 0 and MPRV not set).
- The page table layout and PTE construction match the RISC-V spec (Sv32).
Has anyone seen something similar, or is there a quirk with QEMU’s RISC-V MMU emulation?
We'd appreciate any insights or pointers.
Thanks!
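
A software reference walk for the Sv32 permission check described in the post, added here as an example; it is not part of the original post and not Zephyr or QEMU code. It returns the page-fault cause the RISC-V privileged specification requires for a given PTE, access type and privilege mode. The memory layout, the addresses and the names `sv32_translate`, `demo_access` and `phys_read32` are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Sv32 PTE flag bits from the RISC-V privileged specification. */
enum { PTE_V = 0x01, PTE_R = 0x02, PTE_W = 0x04, PTE_X = 0x08, PTE_U = 0x10 };
enum access { ACC_FETCH, ACC_LOAD, ACC_STORE };
static const int fault_cause[] = { 12, 13, 15 }; /* page-fault cause per access type */

/* Constructed physical memory: three 4 KiB pages at PA 0x80000000.
 * Reads outside it return 0, which the walk treats as an invalid PTE. */
#define MEM_BASE 0x80000000u
static uint32_t mem[3 * 1024];
static uint32_t phys_read32(uint64_t pa)
{
    return (pa >= MEM_BASE && pa - MEM_BASE < sizeof mem) ? mem[(pa - MEM_BASE) / 4] : 0;
}

/* Software Sv32 walk: returns 0 and sets *pa, or the page-fault cause.
 * user: 1 = U-mode, 0 = S-mode; sum: SUM bit. Not modelled: A/D bits, MXR, PMP. */
int sv32_translate(uint32_t root_ppn, uint32_t va, enum access acc,
                   int user, int sum, uint64_t *pa)
{
    uint64_t table = (uint64_t)root_ppn << 12;
    for (int level = 1; level >= 0; level--) {
        uint32_t pte = phys_read32(table + 4 * ((va >> (12 + 10 * level)) & 0x3ff));
        uint64_t ppn = pte >> 10;
        if (!(pte & PTE_V) || ((pte & PTE_W) && !(pte & PTE_R)))
            break;                                    /* invalid or reserved encoding */
        if (!(pte & (PTE_R | PTE_X))) { table = ppn << 12; continue; } /* next level */
        uint32_t need = acc == ACC_STORE ? PTE_W : acc == ACC_LOAD ? PTE_R : PTE_X;
        int u_ok = user ? !!(pte & PTE_U) : (!(pte & PTE_U) || (sum && acc != ACC_FETCH));
        uint32_t off_mask = level ? 0x3fffff : 0xfff; /* 4 MiB superpage or 4 KiB page */
        if (!(pte & need) || !u_ok || (level && (ppn & 0x3ff)))
            break;                    /* R/W/X denied, U-bit denied, or misaligned leaf */
        *pa = ((ppn << 12) & ~(uint64_t)off_mask) | (va & off_mask);
        return 0;
    }
    return fault_cause[acc];
}

/* Builds a mapping like the one in the post (addresses constructed) and walks it. */
int demo_access(uint32_t leaf_flags, enum access acc, int user, uint64_t *pa)
{
    memset(mem, 0, sizeof mem);
    mem[0x100] = (0x80001u << 10) | PTE_V;            /* root[VPN1] -> level-0 table */
    mem[1024 + 1] = (0x80002u << 10) | leaf_flags;    /* level-0[VPN0] -> data page */
    return sv32_translate(0x80000, 0x40001004u, acc, user, 0, pa);
}
```

Comparing the returned cause with the trap actually taken on the target (mcause or scause) helps separate a wrong PTE from translation not being applied to the access.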