BUT IM WAY COOL!
Well, a return jumps to the [ret] address stored on the stack. So wtf happens if you just, like, return into an instruction that happens to be a return itself? Like the global return that you can find in the vsyscalls table at address 0xffffe413 (in all 2.6 kernels with a vsyscalls table).
Well, what happens is that the second return takes the address that happens to sit right after it on the stack and places it right into EIP.
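A small C model of the behaviour described above, added here as an illustration and not part of the original slides. Only 0xffffe413 comes from the slide; the stack contents, the 0x08048500 value and all function names are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define RET_ADDR 0xffffe413u   /* address of the lone `ret` named on the slide */

/* Constructed stack, lowest address first: filler, saved [ret] slot
 * (holding RET_ADDR), then the dword "right after it". */
static const uint32_t sample_stack[] = {
    0x41414141u, RET_ADDR, 0x08048500u, 0xdeadbeefu
};

struct cpu { uint32_t eip; size_t esp; int faulted; unsigned rets; };

/* Model of x86 `ret`: pop the dword at ESP into EIP, then move ESP up one slot. */
static int do_ret(struct cpu *c, const uint32_t *stack, size_t nslots)
{
    if (c->esp >= nslots) {          /* nothing left to pop: treat as a fault */
        c->faulted = 1;
        return -1;
    }
    c->eip = stack[c->esp++];
    c->rets++;
    return 0;
}

/* Execute the function's own `ret`, then keep executing `ret` for as long
 * as EIP lands on RET_ADDR (an instruction that is itself a `ret`). */
struct cpu run_returns(const uint32_t *stack, size_t nslots, size_t saved_ret_slot)
{
    struct cpu c = { 0, saved_ret_slot, 0, 0 };
    do {
        if (do_ret(&c, stack, nslots) != 0)
            break;
    } while (c.eip == RET_ADDR);
    return c;
}

int main(void)
{
    struct cpu c = run_returns(sample_stack, 4, 1);
    printf("rets=%u eip=0x%08x esp_slot=%zu faulted=%d\n",
           c.rets, (unsigned)c.eip, c.esp, c.faulted);
    return 0;
}
```

The first `ret` loads 0xffffe413 into EIP, the `ret` at that address runs next, and EIP ends up holding the dword that sat one slot above the saved return address.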