Exclusive page-frame ownership

KERNEXEC in PaX does a whole lot more than just prevent direct userspace code execution in kernel mode, it also prevents code execution anywhere in kernel memory that wasn't meant to hold code, all the way back since 2003 (incidentally the same year when ROP, albeit not yet named as such, also died).