"There are a number of different approaches, but the most obvious is to simply modify the page table entry associated with the virtual address the attacker is attempting to modify. To do this, a review of the code of set_pte_vaddr and the exported swapper_pg_dir symbol would be of use. If you actually knew as much as you think you know, I wouldn't have to generate these scenarios for you."
This is what I meant when I wrote in my first post:
"Of course if module interface is available, one can load a malicious code that can set arbitrary memory as both writable and executable. There are even (usually un-exported but obtainable via System.map or /proc/kallsyms) kernel functions that will do it for you. Using module interface is much more practical to achieve the result described in the article."
Or are you claiming that you know of a "trick" to change page tables permissions by using io on /dev/mem (without mmap)?
I do not think /dev/mem has much longer to live. The drivers (Xorg) are encouraged to use /sys/.../resource files to map what they need and the need for /dev/mem will be eventually gone.