Avoiding retpolines with static calls

You could extend this to an unrolled binary search similar to what the compiler does with large, sparsely populated switch-case statements. I'm wondering whether the kernel could just generate trampoline functions with such code on-the-fly. Then you could just register a new indirect call target, the kernel rewrites its trampoline and everything is done via direct calls. You can even leave in the indirect call as a fallback.