> It is not unlikely that most of a module's code is released as a
> binary 'blob', with only the part that needs to match the kernel ABI
> compiled on the target system.

Yes, that is true. However, such blob build systems are usually done with custom Makefiles, not Kbuild, and those Makefiles don't set -DRETPOLINE, so it would still be caught.

Now if someone sets -DRETPOLINE on a blob build it wouldn't warn, but that would be actively malicious and there's no way to protect against that. It's merely aimed at detecting mistakes.

-Andi