ASM Function call return address

Question 1

That after the call - that will be the next instruction executed when the subroutine terminates.

Question 2

The processor pushes the value of the EIP register (which contains the offset of the instruction following the CALL instruction) onto the stack (for use later as a return-instruction pointer).

As @Jester posted, RTFM.

Question 3

The call instruction pushes the return address - in the way you've "numbered" your lines that'd be q - on the stack before transferring execution to the called function.

The ret instruction pops it off - you could say it does pop EIP.
But this also means ... before ret, [ ESP ] == EIP. Since ret does nothing else to the stack but adjust the stackpointer (i.e. ESP -> ESP + 4), by the time you return, you should still have EIP == [ ESP - 4 ].

You could therefore do:

call func
mov EAX, [ ESP - 4 ]

and are very likely to get the code location for the first byte of that MOV instruction.

Why only very likely ? The answer to that is that stack contents within the unallocated parts of the stack aren't guaranteed; there are asynchronous events (UN*X signals and similar mechanisms in other operating systems) which might interrupt execution just between the ret having done the stack pointer adjustment / EIP change but before that instruction actually executes. If that happens, the signal frame might overwrite the unallocated part of the stack, and thereby clobber the return address that was stored there.

If you want to reliably retrieve your current EIP, do a PC-relative call that just "skips the call instruction". Then pop the value on the stack off. I.e. like:

call +5   ;; the size of a call is 5 bytes, so ... "skip yourself"
pop EAX   ;; EAX now contains the "return address" - its own EIP

See also Reading Program Counter directly as previously answered on SO.