If de_thread() fails in flush_old_exec() then we try to fail the execve().

That is a bad move, because exec_mmap() has already switched the current
process over to the new mm.  The new process is not yet sufficiently set up
to handle the error and the kernel doublefaults and dies.  exec_mmap() is the
point of no return.

Change flush_old_exec() to call de_thread() before running exec_mmap() so the
execing program sees the error.  I added fault injection to both de_thread()
and exec_mmap() - everything now survives OK.