>> What we definitely should do here is at least frame this check with
>>> That being said, what ends up in the high bits of esp when we iret to
>>> vm86 mode?
>>
>> I don't know. I guess it's time to write an actual vm86 testcase :)
>
> Ick.  I can try...

I found an example which runs small bit of 16-bit code using vm86 machinery.
Tried in 32-bit kernel under qemu, it worked: printed "Hello".