It presumes that you have found *another* exploit that allows you to set the RIP while in kernel mode to an arbitrary address. To demonstrate this, they created a kernel module that let userspace do this. They effectively created their own exploit.
SMEP is a new x86 feature that improves security by preventing the kernel from writing to userspace address spaces that it doesn't explicitly allow itself to write to. Kernel exploits typically rely on redirecting RIP to a userspace address since you can easily put your target exploit code in userspace.
This blog post points out that JITs allow userspace to generate executable kernel space areas that could be used by future exploits to get around SMEP.
SMEP support in Linux is still very new. The hardware won't be out for a long time. I suspect there are clever ways to work around this sort of problem. There's no doubt, though, that SMEP improves security, as generating and uploading BPF routines is certainly a privileged (and restricted) capability.
I don't know what the JIT you refer to is, but if it's in userspace, it's totally unrelated to what's discussed here. If it's a kernelspace JIT, then it's likely the same trick could be done.
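As an added example, not from the thread or from LWN, here is a small POSIX shell script an administrator can run to see which of the two facts the comments turn on apply to a host: whether the CPU advertises the SMEP flag in /proc/cpuinfo, and whether the kernel's BPF JIT is switched on via the net.core.bpf_jit_enable sysctl (0 disabled, 1 enabled, 2 enabled with debug output, the values the kernel documents). The /proc/cpuinfo fragments embedded in the script are constructed so it also runs offline; the real files are read when they exist. The bpf_jit_harden sysctl is only present on newer kernels, so it is reported only if found.

```shell
#!/bin/sh
# Added example, not from the LWN thread: report whether this host advertises
# SMEP and whether the kernel's BPF JIT is enabled. Sample inputs are constructed.

# has_smep_flag CPUINFO_TEXT
# Returns 0 when a 'flags' line of the given /proc/cpuinfo text contains smep.
has_smep_flag() {
    printf '%s\n' "$1" | grep '^flags' | tr ' \t' '\n\n' | grep -qx smep
}

# describe_bpf_jit VALUE
# Maps a net.core.bpf_jit_enable value to the meaning the kernel documents.
describe_bpf_jit() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "enabled" ;;
        2) echo "enabled (debug output to kernel log)" ;;
        *) echo "unknown value: $1" ;;
    esac
}

# Constructed /proc/cpuinfo fragments for offline use and for testing.
SAMPLE_CPUINFO_SMEP='processor : 0
flags : fpu vme de pse tsc msr pae mce cx8 apic sep nx smep
'
SAMPLE_CPUINFO_NOSMEP='processor : 0
flags : fpu vme de pse tsc msr pae mce cx8 apic sep nx
'

# audit_host
# Prints one line per check, reading the real files where they exist and
# falling back to the constructed sample otherwise.
audit_host() {
    if [ -r /proc/cpuinfo ]; then
        cpuinfo=$(cat /proc/cpuinfo)
        src="/proc/cpuinfo"
    else
        cpuinfo="$SAMPLE_CPUINFO_SMEP"
        src="constructed sample"
    fi
    if has_smep_flag "$cpuinfo"; then
        echo "SMEP: advertised by CPU ($src)"
    else
        echo "SMEP: not advertised ($src)"
    fi

    jit=/proc/sys/net/core/bpf_jit_enable
    if [ -r "$jit" ]; then
        echo "BPF JIT: $(describe_bpf_jit "$(cat "$jit")")"
    else
        echo "BPF JIT: sysctl not present (kernel built without the JIT, or not Linux)"
    fi
    # Newer kernels also expose bpf_jit_harden; report it only when it exists.
    harden=/proc/sys/net/core/bpf_jit_harden
    [ -r "$harden" ] && echo "BPF JIT hardening: $(cat "$harden")"
    return 0
}

audit_host
```

The flag check splits the flags line on whitespace and matches the whole token, so a CPU flag that merely contains the letters "smep" as a substring would not produce a false positive.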
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds