
Sharing pages between user processes and kernel is extremely bug-prone, because threads in the user process can mutate the data while the kernel is reading it, leading to all kinds of race conditions. You can't depend on user processes respecting mutexes for security.

You can make this work by removing the page from the user process before making it available to the kernel, but the synchronization overhead of doing this (especially on a NUMA system) is probably worse than copying moderate amounts of data.



Hmm. Perhaps temporarily switching the TLB entry to read-only mode for that page during kernel accesses? There might be some interesting software-hardware co-design solutions here.
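The race described in the first comment, as an added example that is not part of either comment: a handler that reads a length field from a user-writable page twice (check, then use), beside one that snapshots it once into private memory. The struct layout, the function names and the `racer` callback (a deterministic stand-in for a concurrent user thread) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define KBUF_MAX 16

/* Constructed request layout in a page that user space can still write. */
struct req {
    volatile size_t len;              /* may change between any two reads */
    unsigned char data[64];
};

/* Stand-in for a user thread scheduled between two kernel reads. */
typedef void (*racer_fn)(struct req *);
void grow_len(struct req *r) { r->len = 64; }

/* Double fetch: len is validated on one read and used on a second read.
 * Returns the length the handler trusted, or -1 if rejected. The memcpy is
 * clamped so this demo stays memory-safe; a real handler would overflow. */
long handle_double_fetch(struct req *shared, racer_fn racer)
{
    unsigned char kbuf[KBUF_MAX];
    if (shared->len > KBUF_MAX)       /* fetch 1: check */
        return -1;
    if (racer) racer(shared);         /* page mutated after the check */
    size_t n = shared->len;           /* fetch 2: use */
    memcpy(kbuf, shared->data, n < KBUF_MAX ? n : KBUF_MAX);
    return (long)n;
}

/* Snapshot: read len once into private memory; check and use only that. */
long handle_snapshot(struct req *shared, racer_fn racer)
{
    unsigned char kbuf[KBUF_MAX];
    size_t n = shared->len;           /* single fetch */
    if (n > KBUF_MAX)
        return -1;
    if (racer) racer(shared);         /* later mutation cannot affect n */
    memcpy(kbuf, shared->data, n);
    return (long)n;
}

int main(void)
{
    struct req a = { .len = 8 }, b = { .len = 8 };
    printf("double fetch trusted len=%ld (limit %d)\n",
           handle_double_fetch(&a, grow_len), KBUF_MAX);
    printf("snapshot trusted len=%ld\n", handle_snapshot(&b, grow_len));
    return 0;
}
```

A trusted length above `KBUF_MAX` from the first handler is the case where the validation was bypassed by the mutation; the second handler keeps the value it validated.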



