Kernel support for hardware-based control-flow integrity
Posted Sep 9, 2022 19:59 UTC (Fri) by nix (subscriber, #2304)
In reply to: Kernel support for hardware-based control-flow integrity by jepsis
Parent article: Kernel support for hardware-based control-flow integrity
The point isn't huge in the sense of performance cost: it's huge in the sense of complexity cost. This has needed a whole new mechanism in glibc ld.so to identify cases where shared libraries compiled without CET support are loaded at startup or via dlopen into a process which has CET support active: all you can do in that case is to fail the load (IIRC), reducing reliability unless you do a whole-distro rebuild with CET enabled and never run libraries obtained from any other source. Every single thing involving unusual patterns of control flow needed (often extremely tricky) modification. Some things (like setjmp) involve fixed-size structures baked into user programs: a perennial source of pain, but this made that pain a bit worse. And so on.
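The comment above describes the loader having to recognise shared objects built without CET support and refuse to load them into a process where CET is already active. The following is an added example (not the commenter's code and not glibc's ld.so code) of where that information lives and what the decision looks like: a minimal parser for an x86-64 `.note.gnu.property` section that extracts the `GNU_PROPERTY_X86_FEATURE_1_AND` bits (IBT, SHSTK), plus a deliberately simplified load policy that rejects a library lacking any feature the process relies on. The note-type and property constants are the real values from the x86-64 psABI; the sample note blobs are constructed here, and the policy function is a simplification of what glibc actually does (its real check is tunable and more involved).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Real constants from the ELF gABI / x86-64 psABI. */
#define NT_GNU_PROPERTY_TYPE_0            5
#define GNU_PROPERTY_X86_FEATURE_1_AND    0xc0000002u
#define GNU_PROPERTY_X86_FEATURE_1_IBT    0x1u
#define GNU_PROPERTY_X86_FEATURE_1_SHSTK  0x2u

/* Little-endian 32-bit read without alignment assumptions. */
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk a .note.gnu.property section (assumed 8-byte aligned, as on x86-64)
   and return the X86_FEATURE_1_AND bits, or 0 if no such property exists.
   A library with no marking is treated exactly like one that sets no bits. */
uint32_t x86_feature_1_and(const unsigned char *sec, size_t len) {
    size_t off = 0;
    while (off + 12 <= len) {                       /* Elf64_Nhdr is 12 bytes */
        uint32_t namesz = rd32(sec + off);
        uint32_t descsz = rd32(sec + off + 4);
        uint32_t type   = rd32(sec + off + 8);
        size_t name_off = off + 12;
        size_t desc_off = name_off + ((namesz + 3) & ~(size_t)3);
        size_t next     = desc_off + ((descsz + 7) & ~(size_t)7);
        if (next > len)
            return 0;                               /* truncated or malformed note */
        if (type == NT_GNU_PROPERTY_TYPE_0 && namesz == 4 &&
            memcmp(sec + name_off, "GNU", 4) == 0) {
            size_t p = desc_off, end = desc_off + descsz;
            while (p + 8 <= end) {                  /* pr_type, pr_datasz, pr_data */
                uint32_t pr_type = rd32(sec + p);
                uint32_t pr_datasz = rd32(sec + p + 4);
                size_t data = p + 8;
                if (data + pr_datasz > end)
                    return 0;                       /* property overruns descriptor */
                if (pr_type == GNU_PROPERTY_X86_FEATURE_1_AND && pr_datasz == 4)
                    return rd32(sec + data);
                p = data + ((pr_datasz + 7) & ~(size_t)7);
            }
        }
        off = next;
    }
    return 0;
}

/* Simplified load policy matching the comment's description: once the process
   runs with a CET feature active, a library that is not marked with that same
   feature cannot be loaded (there is no safe way to turn the feature off). */
int cet_load_allowed(uint32_t process_features, uint32_t library_features) {
    return (process_features & library_features) == process_features;
}

/* Constructed sample notes (not taken from any real binary). Layout:
   namesz=4, descsz=16, type=5, "GNU\0", then one 16-byte property. */
static const unsigned char NOTE_CET[] = {
    4,0,0,0, 16,0,0,0, 5,0,0,0, 'G','N','U',0,
    0x02,0x00,0x00,0xc0, 4,0,0,0, 0x03,0,0,0, 0,0,0,0 };   /* IBT | SHSTK */
static const unsigned char NOTE_IBT_ONLY[] = {
    4,0,0,0, 16,0,0,0, 5,0,0,0, 'G','N','U',0,
    0x02,0x00,0x00,0xc0, 4,0,0,0, 0x01,0,0,0, 0,0,0,0 };   /* IBT only */
static const unsigned char NOTE_UNMARKED[] = {
    4,0,0,0, 16,0,0,0, 5,0,0,0, 'G','N','U',0,
    0x01,0x00,0x00,0x00, 8,0,0,0, 0,0,0,0, 0,0,0,0 };      /* only GNU_PROPERTY_STACK_SIZE */

int main(void) {
    uint32_t proc = GNU_PROPERTY_X86_FEATURE_1_IBT | GNU_PROPERTY_X86_FEATURE_1_SHSTK;
    const struct { const char *name; const unsigned char *note; size_t len; } libs[] = {
        { "libcet.so",   NOTE_CET,      sizeof NOTE_CET },
        { "libibt.so",   NOTE_IBT_ONLY, sizeof NOTE_IBT_ONLY },
        { "libplain.so", NOTE_UNMARKED, sizeof NOTE_UNMARKED },
    };
    for (size_t i = 0; i < sizeof libs / sizeof libs[0]; i++) {
        uint32_t f = x86_feature_1_and(libs[i].note, libs[i].len);
        printf("%-12s features=0x%x load into CET process: %s\n", libs[i].name, f,
               cet_load_allowed(proc, f) ? "allowed" : "REJECTED");
    }
    return 0;
}
```

The point the parser makes concrete is that the marking is a per-object, build-time property: a process that has already enabled shadow stacks has nothing to negotiate with a library compiled without it, so `dlopen` of such an object can only fail. That is the reliability cost the comment refers to when it says the whole distribution has to be rebuilt consistently.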