On Thu, Dec 10, 2015 at 2:33 PM, Kees Cook [off-list ref] wrote:

Instead, detect the need to clear the bits during the page fault, and
actually remove the bits during final fput. Since the file was open for
writing, it wouldn't have been possible to execute it yet.

This is cute but mysterious.  Could you add a comment?

+       /*
+        * XXX: While avoiding mmap_sem, we've already been written to.
+        * We must ignore the return value, since we can't reject the
+        * write.
+        */

e.g. here?