The interrupt resume (Xdoreti) and recurse (Xspllower) paths are

invoked using indirect branches and should have endbr64's.

ok deraadt@

3 files changed, 16 insertions, 5 deletions

diff --git a/sys/arch/amd64/amd64/spl.S b/sys/arch/amd64/amd64/spl.S
index b2327d0a72e..078d84063df 100644
--- a/sys/arch/amd64/amd64/spl.S
+++ b/sys/arch/amd64/amd64/spl.S
@@ -1,4 +1,4 @@
-/*	$OpenBSD: spl.S,v 1.19 2022/12/01 00:26:15 guenther Exp $	*/
+/*	$OpenBSD: spl.S,v 1.20 2023/07/27 00:30:07 guenther Exp $	*/
 /*	$NetBSD: spl.S,v 1.3 2004/06/28 09:13:11 fvdl Exp $	*/
 
 /*
@@ -122,7 +122,8 @@ KIDTVEC(spllower)
 	RETGUARD_PUSH(r11)
 	movl	%edi,%ebx
 	leaq	1f(%rip),%r13		# address to resume loop at
-1:	movl	%ebx,%eax		# get cpl
+1:	endbr64
+	movl	%ebx,%eax		# get cpl
 	movq	CPUVAR(IUNMASK)(,%rax,8),%rax
 	cli
 	andq	CPUVAR(IPENDING),%rax		# any non-masked bits left?
@@ -153,7 +154,8 @@ KIDTVEC(doreti)
 	movq	IF_PPL(%rsp),%rbx	# get previous priority
 	decl	CPUVAR(IDEPTH)
 	leaq	1f(%rip),%r13
-1:	movl	%ebx,%eax
+1:	endbr64
+	movl	%ebx,%eax
 	movq	CPUVAR(IUNMASK)(,%rax,8),%rax
 	cli
 	andq	CPUVAR(IPENDING),%rax
diff --git a/sys/arch/amd64/amd64/vector.S b/sys/arch/amd64/amd64/vector.S
index a7c1d5dd726..d3b31c76198 100644
--- a/sys/arch/amd64/amd64/vector.S
+++ b/sys/arch/amd64/amd64/vector.S
@@ -1,4 +1,4 @@
-/*	$OpenBSD: vector.S,v 1.92 2023/04/17 00:02:14 deraadt Exp $	*/
+/*	$OpenBSD: vector.S,v 1.93 2023/07/27 00:30:07 guenther Exp $	*/
 /*	$NetBSD: vector.S,v 1.5 2004/06/28 09:13:11 fvdl Exp $	*/
 
 /*
@@ -551,6 +551,7 @@ IDTVEC(intr_lapic_ipi)
 	jae	2f
 END(INTRENTRY_LABEL(intr_lapic_ipi))
 KIDTVEC_FALLTHROUGH(resume_lapic_ipi)
+	endbr64
 1:
 	incl	CPUVAR(IDEPTH)
 	movl	$IPL_IPI,CPUVAR(ILEVEL)
@@ -757,6 +758,7 @@ IDTVEC(intr_lapic_ltimer)
 	jae	2f
 END(INTRENTRY_LABEL(intr_lapic_ltimer))
 KIDTVEC_FALLTHROUGH(resume_lapic_ltimer)
+	endbr64
 1:
 	incl	CPUVAR(IDEPTH)
 	movl	$IPL_CLOCK,CPUVAR(ILEVEL)
@@ -790,6 +792,7 @@ IDTVEC(intr_xen_upcall)
 	jae	2f
 END(INTRENTRY_LABEL(intr_xen_upcall))
 KIDTVEC_FALLTHROUGH(resume_xen_upcall)
+	endbr64
 1:
 	incl	CPUVAR(IDEPTH)
 	movl	$IPL_NET,CPUVAR(ILEVEL)
@@ -822,6 +825,7 @@ IDTVEC(intr_hyperv_upcall)
 	jae	2f
 END(INTRENTRY_LABEL(intr_hyperv_upcall))
 KIDTVEC_FALLTHROUGH(resume_hyperv_upcall)
+	endbr64
 1:
 	incl	CPUVAR(IDEPTH)
 	movl	$IPL_NET,CPUVAR(ILEVEL)
@@ -852,6 +856,7 @@ KIDTVEC(recurse_##name##num)						;\
 	INTR_RECURSE							;\
 END(Xrecurse_##name##num)						;\
 KIDTVEC_FALLTHROUGH(resume_##name##num)					\
+	endbr64								;\
 	movq	$IREENT_MAGIC,TF_ERR(%rsp)				;\
 	movl	%ebx,%r13d						;\
 	movq	CPUVAR(ISOURCES) + (num) * 8, %r14			;\
@@ -1268,6 +1273,7 @@ NENTRY(retpoline_r13)
 END(retpoline_r13)
 
 KIDTVEC(softtty)
+	endbr64
 	movl	$IPL_SOFTTTY, CPUVAR(ILEVEL)
 	sti
 	incl	CPUVAR(IDEPTH)
@@ -1278,6 +1284,7 @@ KIDTVEC(softtty)
 END(Xsofttty)
 
 KIDTVEC(softnet)
+	endbr64
 	movl	$IPL_SOFTNET, CPUVAR(ILEVEL)
 	sti
 	incl	CPUVAR(IDEPTH)
@@ -1288,6 +1295,7 @@ KIDTVEC(softnet)
 END(Xsoftnet)
 
 KIDTVEC(softclock)
+	endbr64
 	movl	$IPL_SOFTCLOCK, CPUVAR(ILEVEL)
 	sti
 	incl	CPUVAR(IDEPTH)
diff --git a/sys/arch/amd64/include/frameasm.h b/sys/arch/amd64/include/frameasm.h
index 5f1de16748d..18840bc7180 100644
--- a/sys/arch/amd64/include/frameasm.h
+++ b/sys/arch/amd64/include/frameasm.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: frameasm.h,v 1.26 2023/04/17 00:02:14 deraadt Exp $	*/
+/*	$OpenBSD: frameasm.h,v 1.27 2023/07/27 00:30:07 guenther Exp $	*/
 /*	$NetBSD: frameasm.h,v 1.1 2003/04/26 18:39:40 fvdl Exp $	*/
 
 #ifndef _AMD64_MACHINE_FRAMEASM_H
@@ -111,6 +111,7 @@ _ENTRY(INTRENTRY_LABEL(label)) /* from kernel */ \
  * to return to.  %r10 and %r11 are scratch.
  */
 #define	INTR_RECURSE \
+	endbr64				; \
 	/* fake the iretq_frame */	; \
 	movq	%rsp,%r10		; \
 	movl	%ss,%r11d		; \