
For simplicity, we talk about RV32 in this topic.

RISC-V has a SUM flag in the sstatus CSR, which is described by the specification as follows:

The SUM (permit Supervisor User Memory access) bit modifies the privilege with which S-mode loads and stores access virtual memory. When SUM=0, S-mode memory accesses to pages that are accessible by U-mode (U=1 in Figure 4.18) will fault. When SUM=1, these accesses are permitted.

In brief, when SUM=1, code in S-mode can read data (in page A) owned by U-mode. I was wondering whether code in S-mode can jump to and run code in page A?

1 Answer

No, it's not allowed. Here is a paragraph from the spec that mentions this.

The SUM (permit Supervisor User Memory access) bit modifies the privilege with which S-mode loads and stores access virtual memory. When SUM=0, S-mode memory accesses to pages that are accessible by U-mode (U=1 in Figure 5.18) will fault. When SUM=1, these accesses are permitted. SUM has no effect when page-based virtual memory is not in effect, nor when executing in U-mode. Note that S-mode can never execute instructions from user pages, regardless of the state of SUM.

Note that S-mode can never execute instructions from user pages, regardless of the state of SUM.

And the spec further mentions why it's not allowed and how to work around some use cases:

The SUM mechanism does not avail S-mode software of permission to execute instructions in user code pages. Legitimate use cases for execution from user memory in supervisor context are rare in general and nonexistent in POSIX environments. However, bugs in supervisors that lead to arbitrary code execution are much easier to exploit if the supervisor exploit code can be stored in a user buffer at a virtual address chosen by an attacker.

Some non-POSIX single address space operating systems do allow certain privileged software to partially execute in supervisor mode, while most programs run in user mode, all in a shared address space. This use case can be realized by mapping the physical code pages at multiple virtual addresses with different permissions, possibly with the assistance of the instruction page-fault handler to direct supervisor software to use the alternate mapping.

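To make the rules quoted in the answer concrete, here is an added example (written for this page, not code from the question, the answer or the RISC-V specification) that models the permission check a hart performs on an Sv32 leaf PTE. It covers the three cases the thread is about: an S-mode load from a U=1 page with SUM=0 and SUM=1, an S-mode instruction fetch from a U=1 page (always a fault), and the spec's workaround of mapping the same physical page a second time with U=0 so that supervisor code can execute it. The PTE bit positions and the sstatus SUM/MXR bit positions (bits 18 and 19 on RV32) are taken from the privileged spec; the A/D bit handling, superpage alignment and the multi-level page walk itself are assumed out of scope and are not modelled, and the names `sv32_permit`, `PAGE_A_USER_PTE` and `PAGE_A_SUPER_ALIAS` are hypothetical names chosen for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Sv32 leaf PTE permission bits (RISC-V privileged spec, Sv32 page table entry). */
#define PTE_V (1u << 0)   /* valid */
#define PTE_R (1u << 1)   /* readable */
#define PTE_W (1u << 2)   /* writable */
#define PTE_X (1u << 3)   /* executable */
#define PTE_U (1u << 4)   /* accessible from U-mode */

/* sstatus fields that modify the permission check (RV32 bit positions). */
#define SSTATUS_SUM (1u << 18)   /* permit Supervisor User Memory access */
#define SSTATUS_MXR (1u << 19)   /* Make eXecutable Readable */

enum priv   { PRIV_U, PRIV_S };
enum access { ACC_FETCH, ACC_LOAD, ACC_STORE };

/* Permission check for a leaf PTE, as in the final step of the Sv32 walk.
 * Returns true when the access is allowed and false when the hart would raise
 * an instruction/load/store page fault. Assumption for this example: A/D bit
 * handling, superpage alignment and the multi-level walk are not modelled. */
bool sv32_permit(uint32_t pte, enum priv mode, enum access acc, uint32_t sstatus)
{
    bool sum = sstatus & SSTATUS_SUM;
    bool mxr = sstatus & SSTATUS_MXR;

    if (!(pte & PTE_V))                    return false;  /* invalid entry */
    if ((pte & PTE_W) && !(pte & PTE_R))   return false;  /* W without R is reserved */
    if (!(pte & (PTE_R | PTE_X)))          return false;  /* R=X=0 at the last level: fault */

    bool user_page = pte & PTE_U;
    if (mode == PRIV_U && !user_page)      return false;  /* U-mode needs U=1 */
    if (mode == PRIV_S && user_page) {
        /* S-mode can never execute from a user page, whatever SUM says. */
        if (acc == ACC_FETCH)              return false;
        /* S-mode loads and stores to user pages need SUM=1. */
        if (!sum)                          return false;
    }

    switch (acc) {
    case ACC_FETCH: return pte & PTE_X;
    case ACC_LOAD:  return (pte & PTE_R) || (mxr && (pte & PTE_X)); /* MXR: loads from X-only pages */
    case ACC_STORE: return pte & PTE_W;
    }
    return false;
}

/* Scenario from the question: "page A" is a user-owned page mapped RWX for U-mode
 * (constructed PTE value for this example). */
#define PAGE_A_USER_PTE    (PTE_V | PTE_R | PTE_W | PTE_X | PTE_U)
/* Workaround from the spec: the same physical page also mapped, at another
 * virtual address, with U=0 and no W so that supervisor code may execute it. */
#define PAGE_A_SUPER_ALIAS (PTE_V | PTE_R | PTE_X)

int main(void)
{
    struct { const char *what; uint32_t pte; enum priv mode; enum access acc; uint32_t sstatus; } cases[] = {
        { "S-mode load from page A, SUM=0",     PAGE_A_USER_PTE,    PRIV_S, ACC_LOAD,  0 },
        { "S-mode load from page A, SUM=1",     PAGE_A_USER_PTE,    PRIV_S, ACC_LOAD,  SSTATUS_SUM },
        { "S-mode fetch from page A, SUM=1",    PAGE_A_USER_PTE,    PRIV_S, ACC_FETCH, SSTATUS_SUM },
        { "S-mode fetch via U=0 alias, SUM=0",  PAGE_A_SUPER_ALIAS, PRIV_S, ACC_FETCH, 0 },
        { "U-mode fetch via U=0 alias",         PAGE_A_SUPER_ALIAS, PRIV_U, ACC_FETCH, 0 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-38s -> %s\n", cases[i].what,
               sv32_permit(cases[i].pte, cases[i].mode, cases[i].acc, cases[i].sstatus)
                   ? "permitted" : "page fault");
    return 0;
}
```

The order of the checks matters: the U-bit test on an S-mode fetch happens before the X bit is even consulted, which is why an RWX user page still faults for supervisor execution. The alias mapping works because the second PTE has U=0 and points at the same physical frame; an attacker who controls the contents of page A can still place bytes there, but cannot make the supervisor execute them unless the supervisor itself chooses to create such an alias.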

1 Comment

Thanks a lot for your detailed answer! I think I referred to a wrong version of the specification and missed the words. I will transfer to a later specification.
