The sysenter variant of the vDSO cannot be used with exec-shield because of two constraints in the sysexit instruction. First we should try using sysenter and not using sysexit, which may have a performance improvement vs using int. The first issue is conflicts with cs segment limits used by exec-shield. sysexit cannot be used when cs segment limits are being used. But, newer processors have NX support and do not need to use segment limits. We should conditionalize sysexit use on that. The second issue is sysexit's constant return EIP value. When using exec-shield, the correct value differs in each process. It may be feasible to rewrite the MSR on context switches or something similar, would have to compare the performance of this to the iret return path.
Hmm, looks like Ingo already added some cleverness to address the sysexit trouble. And, sysenter use is disabled when NX is not available. So, this is probably all good to go when bug #151450 is fixed.
sysenter works fine when the generic vdso issues are fixed