Add EN-17:05 and SA-17:03.

svn path=/head/; revision=50153

share/security/advisories/FreeBSD-EN-17:05.xen.asc

@@ -0,0 +1,177 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-17:05.xen                                            Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Xen migration enhancements
+
+Category:       core
+Module:         xen
+Announced:      2017-04-12
+Credits:        Citrix Systems R&D, Huawei Technologies
+Affects:        All supported versions of FreeBSD.
+Corrected:      2017-03-21 08:38:12 UTC (stable/11, 11.0-STABLE)
+                2017-04-12 06:24:35 UTC (releng/11.0, 11.0-RELEASE-p9)
+                2017-03-29 17:11:41 UTC (stable/10, 10.3-STABLE)
+                2017-04-12 06:24:35 UTC (releng/10.3, 10.3-RELEASE-p18)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+FreeBSD when running as a Xen guest supports live-migration, that means being
+able to move from one physical Xen host to another without interruption of
+service.
+
+Due to the lack of ordering during the resume procedure devices might try to
+use the Xen PV timer before it's correctly resumed, leading to unexpected
+results.
+
+II.  Problem Description
+
+There are three issues that currently prevent FreeBSD from working reliably under
+heavy live-migration stress:
+
+1. FreeBSD cannot recover from a failed live migration. It is a Xen feature to
+fail a live migration, which means the VM will continue running on the same
+host. FreeBSD was not capable of coping with this situation.
+
+[This is https://reviews.freebsd.org/D9635]
+
+2. User-space processes that make use of the xenstore device
+(/dev/xen/xenstore) might manage to lock-up the resume procedure, preventing
+the kernel from resuming correctly after a live-migration.
+
+[This is https://reviews.freebsd.org/D9638]
+
+3. The Xen PV timer is attached to the xenpv bus on FreeBSD 11.0, and the xenpv
+bus itself is attached after the PCI bus and other buses. This means that the
+Xen PV timer is also resume quite late, and device drivers might try to use the
+timer before it's resumed correctly, leading to erratic behavior or lockups.
+
+III. Impact
+
+FreeBSD 10.3 and 11.0 are affected by the 1. and 2. issues when being migrated
+as a Xen guest.
+
+Only FreeBSD 11.0 is affected when live-migrated as a Xen guest.
+
+IV.  Workaround
+
+Not attempting to use live-migration when running as a Xen guest will prevent
+those issues.
+
+Not having user-space processes will prevent issue 2. from happening.
+
+For issue 3, the administrator can switch to a different timer, like the TSC, if
+there is plan to migrate the VM:
+
+# sysctl -a | grep timecounter.choice
+kern.timecounter.choice: XENTIMER(950) ACPI-safe(850) i8254(0) TSC-low(-100) dummy(-1000000)
+# sysctl -w kern.timecounter.hardware=TSC-low
+
+V.   Solution
+
+Issue 1. has been solved by adding the proper logic in FreeBSD in order to
+recover from failed live migrations.
+
+Issue 2. has been resolved by adding xenstore locking around the suspend
+procedure, in order to make sure no user-space process is holding the xenstore
+lock when going into suspension.
+
+Issue 3. has been solved by marking the Xen PV timer as not safe for suspension
+until the order issues can be solved.
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+A reboot is required.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+A reboot is required.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 11.0]
+# fetch https://security.FreeBSD.org/patches/EN-17:05/xen-11.0.patch
+# fetch https://security.FreeBSD.org/patches/EN-17:05/xen-11.0.patch.asc
+# gpg --verify xen-11.0.patch.asc
+
+[FreeBSD 10.3]
+# fetch https://security.FreeBSD.org/patches/EN-17:05/xen-10.3.patch
+# fetch https://security.FreeBSD.org/patches/EN-17:05/xen-10.3.patch.asc
+# gpg --verify xen-10.3.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r316170
+releng/10.3/                                                      r316722
+stable/11/                                                        r315668
+releng/11.0/                                                      r316722
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-17:05.xen.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.19 (FreeBSD)
+
+iQIzBAEBCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAljtyccACgkQ7Wfs1l3P
+aucjmxAAtLQLh+Xjlue/pTN4OQFSlfS4drkk2ufnQqJON7qe+P6MUcOJaZPb730C
+uFNX4XbRbUxsAx04N2LAygTungvl79LgacHAOL4UYC9z055qFISMY8/fPZN35k1G
+rDAJ5C0O7/YLCA7Uxcars1FfPFxNuLBK78tjvpP6PHXbI/jm6CO8NRgnlZRjRIAg
+088M5Fqc4ucM6qfesG6cjpsb3QgwJz7ZP8ioLIJpdCsrmCSsW4+ceD9bfCxzIPHJ
+Gsb2nDw++n/QZEU0Ely6CjlNh9Y7oRDC7xcOzCyYGhUASATfqjfqSGOFUFpUD8PB
+IcGNXew4IxTU0hhpkKO42bdi5jORzJy4EVCHOrjPeecZ6NL5Cmj9Yvnd2SEV8ura
+Zm2+gpVmsL4hBTLg4cxjjGApzH11289imUfHCEhv2ehxLXEwSziDzAAcKaWdrTOU
+KQ3HSIaitxynWP8YhmYDgNP2599iuXSnJvUwLtYJ03zEUILV+NTvEKqTMqLzxA90
+lYYjq+vsF3G+A31TWKwIWR1VU+CBec6NHvZd7nxWb236hfxHNJPrrqUDCqhOfHaG
+q6Lf//VPGTHAeLIQ5NPRr5/FwgsAHZCnyslg6bMQyqyql/3j/fMWKu4vOtI554mP
+0GCTyEidEHxm3pXYCiv/RnTmnbiu7hQyZUFwgVISHlmnk+HWXSI=
+=xLET
+-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-SA-17:03.ntp.asc

@@ -0,0 +1,163 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-17:03.ntp                                        Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Multiple vulnerabilities of ntp
+
+Category:       contrib
+Module:         ntp
+Announced:      2017-04-12
+Credits:        Network Time Foundation
+Affects:        All supported versions of FreeBSD.
+Corrected:      2017-03-28 04:48:17 UTC (stable/11, 11.0-STABLE)
+                2017-04-12 06:24:35 UTC (releng/11.0, 11.0-RELEASE-p9)
+                2017-03-28 04:48:55 UTC (stable/10, 10.3-STABLE)
+                2017-04-12 06:24:35 UTC (releng/10.3, 10.3-RELEASE-p18)
+CVE Name:       CVE-2017-6464, CVE-2017-6462, CVE-2017-6463, CVE-2016-9042
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
+used to synchronize the time of a computer system to a reference time
+source.
+
+II.  Problem Description
+
+A vulnerability was discovered in the NTP server's parsing of configuration
+directives. [CVE-2017-6464]
+
+A vulnerability was found in NTP, in the parsing of packets from the
+DPTS Clock. [CVE-2017-6462]
+
+A vulnerability was discovered in the NTP server's parsing of configuration
+directives. [CVE-2017-6463]
+
+A vulnerability was found in NTP, affecting the origin timestamp check
+function. [CVE-2016-9042]
+
+III. Impact
+
+A remote, authenticated attacker could cause ntpd to crash by sending a
+crafted message. [CVE-2017-6463, CVE-2017-6464]
+
+A malicious device could send crafted messages, causing ntpd to crash.
+[CVE-2017-6462]
+
+An attacker able to spoof messages from all of the configured peers
+could send crafted packets to ntpd, causing later replies from those
+peers to be discarded, resulting in denial of service. [CVE-2016-9042]
+
+IV.  Workaround
+
+No workaround is available, but systems not running ntpd(8) are not
+affected.  Network administrators are advised to implement BCP-38,
+which helps to reduce the risk associated with these attacks.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+The ntpd service has to be restarted after the update.  A reboot is
+recommended but not required.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+The ntpd service has to be restarted after the update.  A reboot is
+recommended but not required.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 11.0]
+# fetch https://security.FreeBSD.org/patches/SA-17:03/ntp-11.0.patch.xz
+# fetch https://security.FreeBSD.org/patches/SA-17:03/ntp-11.0.patch.xz.asc
+# gpg --verify ntp-11.0.patch.xz.asc
+
+[FreeBSD 10.3]
+# fetch https://security.FreeBSD.org/patches/SA-17:03/ntp-10.3.patch.xz
+# fetch https://security.FreeBSD.org/patches/SA-17:03/ntp-10.3.patch.xz.asc
+# gpg --verify ntp-10.3.patch.xz.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the applicable daemons, or reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r316069
+releng/10.3/                                                      r316722
+stable/11/                                                        r316068
+releng/11.0/                                                      r316722
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9042>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6462>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6463>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6464>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:03.ntp.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.19 (FreeBSD)
+
+iQIzBAEBCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAljty+gACgkQ7Wfs1l3P
+audFpxAA30Po/44RV8x98fcopL+/qX0bKhs2yORCcYs/ebrPaDW6ghdqPAPyNDen
+qJSoEU6FFZxU508reu6mcJIze0YzSC2D4Xe+BjtVjTUhgZ1mUlfx+0Dqa6DsmyPE
+wreYZ0+aPJPSg82P4pOR+Oo4Omh0BHXw/Yu+uJxd+VSGAWg9zJk9QcRyy3QKsPFn
+YbMYjAsMk1x2i/q6GzRnoJXAFT9c1QsKRP1QU3JivDEQEYwreqKxkG7Ex9OkUOmL
+CIPVG19K7iddnMfiQPjhPhyAOFWrtKMm1rjcg1vSEMUQ24MtVotGOgNkKXEf0vjT
+eVX91sIRYGgy9utg6Mg4pnDT7m94PMh7mORgfphHg7l7LFVGYKAbHF7khIMtrs4k
+/ZU5i7xZqKR6xNm4oWtaBC9EipkWfjnXjBRG30t3kdD2r7ElJ+Y3mvPdalFsxd+U
+gP2Wgn//byToXVUGFLChR7KSWDOjUpdiGu3UUDG4LmG/U4whDsSobPgOF3SzbALF
+mx8f7OWkOYCnQ9WuhI3PVvCdLncjZ5UdLaQ5nP53pn3rGk9C4MJpGlTI2iS1gwFV
+n09mE5zXueI3jVJm+An2X2Z3C8fTCRHb7n3Sej2wnrgiXk8z/8ftX6VJcUxdgW+A
+OYFztl0iKgjgEXix33FZ5baivohQVhAT5rUQRQ/+gcrvL8rbJQg=
+=58Te
+-----END PGP SIGNATURE-----

share/security/patches/EN-17:05/xen-10.3.patch

@@ -0,0 +1,214 @@
+--- sys/dev/xen/blkfront/blkfront.c.orig
++++ sys/dev/xen/blkfront/blkfront.c
+@@ -1503,6 +1503,11 @@
+ {
+ 	struct xbd_softc *sc = device_get_softc(dev);
+ 
++	if (xen_suspend_cancelled) {
++		sc->xbd_state = XBD_STATE_CONNECTED;
++		return (0);
++	}
++
+ 	DPRINTK("xbd_resume: %s\n", xenbus_get_node(dev));
+ 
+ 	xbd_free(sc);
+--- sys/dev/xen/control/control.c.orig
++++ sys/dev/xen/control/control.c
+@@ -151,6 +151,7 @@
+ #include <machine/xen/xenvar.h>
+ #include <machine/xen/xenfunc.h>
+ 
++bool xen_suspend_cancelled;
+ /*--------------------------- Forward Declarations --------------------------*/
+ /** Function signature for shutdown event handlers. */
+ typedef	void (xctrl_shutdown_handler_t)(void);
+@@ -341,8 +342,11 @@
+ #ifdef SMP
+ 	cpuset_t cpu_suspend_map;
+ #endif
+-	int suspend_cancelled;
+ 
++	EVENTHANDLER_INVOKE(power_suspend_early);
++	xs_lock();
++	stop_all_proc();
++	xs_unlock();
+ 	EVENTHANDLER_INVOKE(power_suspend);
+ 
+ 	if (smp_started) {
+@@ -392,16 +396,20 @@
+ 	intr_suspend();
+ 	xen_hvm_suspend();
+ 
+-	suspend_cancelled = HYPERVISOR_suspend(0);
++	xen_suspend_cancelled = !!HYPERVISOR_suspend(0);
+ 
+-	xen_hvm_resume(suspend_cancelled != 0);
+-	intr_resume(suspend_cancelled != 0);
++	if (!xen_suspend_cancelled) {
++		xen_hvm_resume(false);
++	}
++	intr_resume(xen_suspend_cancelled != 0);
+ 	enable_intr();
+ 
+ 	/*
+ 	 * Reset grant table info.
+ 	 */
+-	gnttab_resume();
++	if (!xen_suspend_cancelled) {
++		gnttab_resume();
++	}
+ 
+ #ifdef SMP
+ 	/* Send an IPI_BITMAP in case there are pending bitmap IPIs. */
+@@ -429,6 +437,8 @@
+ 		thread_unlock(curthread);
+ 	}
+ 
++	resume_all_proc();
++
+ 	EVENTHANDLER_INVOKE(power_resume);
+ 
+ 	if (bootverbose)
+--- sys/dev/xen/netfront/netfront.c.orig
++++ sys/dev/xen/netfront/netfront.c
+@@ -509,6 +509,15 @@
+ {
+ 	struct netfront_info *info = device_get_softc(dev);
+ 
++	if (xen_suspend_cancelled) {
++		XN_RX_LOCK(info);
++		XN_TX_LOCK(info);
++		netfront_carrier_on(info);
++		XN_TX_UNLOCK(info);
++		XN_RX_UNLOCK(info);
++		return (0);
++	}
++
+ 	info->xn_resume = true;
+ 	netif_disconnect_backend(info);
+ 	return (0);
+@@ -796,6 +805,45 @@
+ }
+ 
+ static void
++netif_release_rx_bufs_copy(struct netfront_info *np)
++{
++	struct mbuf *m;
++	grant_ref_t ref;
++	unsigned int i, busy, inuse;
++
++	XN_RX_LOCK(np);
++
++	for (busy = inuse = i = 0; i < NET_RX_RING_SIZE; i++) {
++		ref = np->grant_rx_ref[i];
++
++		if (ref == GRANT_REF_INVALID)
++			continue;
++
++		inuse++;
++
++		m = np->rx_mbufs[i];
++
++		if (!gnttab_end_foreign_access_ref(ref)) {
++			busy++;
++			continue;
++		}
++
++		gnttab_release_grant_reference(&np->gref_rx_head, ref);
++		np->grant_rx_ref[i] = GRANT_REF_INVALID;
++		add_id_to_freelist(np->rx_mbufs, i);
++
++		m_freem(m);
++	}
++
++	if (busy != 0)
++		device_printf(np->xbdev,
++		    "Unable to release %u of %u in use grant references out of %zu total.\n",
++		    busy, inuse, NET_RX_RING_SIZE);
++
++	XN_RX_UNLOCK(np);
++}
++
++static void
+ network_alloc_rx_buffers(struct netfront_info *sc)
+ {
+ 	int otherend_id = xenbus_get_otherend_id(sc->xbdev);
+@@ -2190,6 +2238,12 @@
+ 		info->xn_ifp = NULL;
+ 	}
+ 	ifmedia_removeall(&info->sc_media);
++	netif_release_tx_bufs(info);
++	if (info->copying_receiver)
++		netif_release_rx_bufs_copy(info);
++
++	gnttab_free_grant_references(info->gref_tx_head);
++	gnttab_free_grant_references(info->gref_rx_head);
+ }
+ 
+ static void
+--- sys/xen/xen-os.h.orig
++++ sys/xen/xen-os.h
+@@ -57,6 +57,8 @@
+ extern int xen_disable_pv_nics;
+ #endif
+ 
++extern bool xen_suspend_cancelled;
++
+ enum xen_domain_type {
+ 	XEN_NATIVE,             /* running on bare hardware    */
+ 	XEN_PV_DOMAIN,          /* running in a PV domain      */
+--- sys/xen/xenbus/xenbusb.c.orig
++++ sys/xen/xenbus/xenbusb.c
+@@ -791,6 +791,11 @@
+ 			if (device_get_state(kids[i]) == DS_NOTPRESENT)
+ 				continue;
+ 
++			if (xen_suspend_cancelled) {
++				DEVICE_RESUME(kids[i]);
++				continue;
++			}
++
+ 			ivars = device_get_ivars(kids[i]);
+ 
+ 			xs_unregister_watch(&ivars->xd_otherend_watch);
+--- sys/xen/xenstore/xenstore.c.orig
++++ sys/xen/xenstore/xenstore.c
+@@ -1657,3 +1657,20 @@
+ 		sx_xunlock(&xs.xenwatch_mutex);
+ 	}
+ }
++
++void
++xs_lock(void)
++{
++
++	sx_xlock(&xs.request_mutex);
++	return;
++}
++
++void
++xs_unlock(void)
++{
++
++	sx_xunlock(&xs.request_mutex);
++	return;
++}
++
+--- sys/xen/xenstore/xenstorevar.h.orig
++++ sys/xen/xenstore/xenstorevar.h
+@@ -338,4 +338,15 @@
+  */
+ struct sbuf *xs_join(const char *, const char *);
+ 
++/**
++ * Lock the xenstore request mutex.
++ */
++void xs_lock(void);
++
++/**
++ * Unlock the xenstore request mutex.
++ */
++void xs_unlock(void);
++
+ #endif /* _XEN_XENSTORE_XENSTOREVAR_H */
++

share/security/patches/EN-17:05/xen-10.3.patch.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.19 (FreeBSD)
+
+iQIzBAABCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAljtydAACgkQ7Wfs1l3P
+audxcBAA1yPLFy9chiDWxOhsJZxiAL5r7ferseaUBWyAupmECLy7eiZU25W8T2Bc
+zqQXbuqSFpq+LCQ6mIqbd0F9JIQxEkG1VVT3vVIiiuuqsZrO5kZfrHLtB3G9IHbD
+Wrp5NQ4VPQp9ur5oqPKVolAKLtW+XNfu0kMPrK2n2GiyLJyP3uGanCFfQrhsjktS
+a9rXQrYyqk7yx/JXsz3GO2YeUaQUY8Y8B0jxox4pK70WZWvua2OwXdSZadVCzLIx
+7gmCdu8foMGaG2MBlTQf8e2SLQM5TS0RQcmw0WFRwaDUMiUhRP+QB4pdolqHr+G6
+o8WiwsOp65ow7hlbsg2MaWPkF9dKf6dWjX8b4/dw2budlpeMV+SMiDqOiG2U6cdA
+/9I1ZHBBAgOEyUh/X8PPp9snGKHkbNIRCFbJr02SVYy7LXjVrTZiAuEQCTQpMUTy
+hFQ1gF2hgFL3h0DcJ907/lmE5SGFU37m5oC9pRL7tT7EpyiMdSifjukMl0EiWEPp
+MhbZJM71zcTZXqg9KAghTm9gBd1iQcqmBsvC8T6lRQwDShNgIZ7a4J3PVNNG2vQ5
+9clK9eszKRciMpWfuB1IK0JlTUmOAKrkGI/ZBOsvRhRrfpcCAOTKNmDWwDnKR7w1
+w2TZFqsNVdySpR88V2vFK0SgjJzMlrOa1r92bx6AcHcdX0WkFDA=
+=SW3x
+-----END PGP SIGNATURE-----

share/security/patches/EN-17:05/xen-11.0.patch

@@ -0,0 +1,176 @@
+--- sys/dev/xen/blkfront/blkfront.c.orig
++++ sys/dev/xen/blkfront/blkfront.c
+@@ -1529,6 +1529,11 @@
+ {
+ 	struct xbd_softc *sc = device_get_softc(dev);
+ 
++	if (xen_suspend_cancelled) {
++		sc->xbd_state = XBD_STATE_CONNECTED;
++		return (0);
++	}
++
+ 	DPRINTK("xbd_resume: %s\n", xenbus_get_node(dev));
+ 
+ 	xbd_free(sc);
+--- sys/dev/xen/control/control.c.orig
++++ sys/dev/xen/control/control.c
+@@ -148,6 +148,7 @@
+ 
+ #include <xen/xenbus/xenbusvar.h>
+ 
++bool xen_suspend_cancelled;
+ /*--------------------------- Forward Declarations --------------------------*/
+ /** Function signature for shutdown event handlers. */
+ typedef	void (xctrl_shutdown_handler_t)(void);
+@@ -196,10 +197,11 @@
+ #ifdef SMP
+ 	cpuset_t cpu_suspend_map;
+ #endif
+-	int suspend_cancelled;
+ 
+ 	EVENTHANDLER_INVOKE(power_suspend_early);
++	xs_lock();
+ 	stop_all_proc();
++	xs_unlock();
+ 	EVENTHANDLER_INVOKE(power_suspend);
+ 
+ #ifdef EARLY_AP_STARTUP
+@@ -267,16 +269,20 @@
+ 	intr_suspend();
+ 	xen_hvm_suspend();
+ 
+-	suspend_cancelled = HYPERVISOR_suspend(0);
++	xen_suspend_cancelled = !!HYPERVISOR_suspend(0);
+ 
+-	xen_hvm_resume(suspend_cancelled != 0);
+-	intr_resume(suspend_cancelled != 0);
++	if (!xen_suspend_cancelled) {
++		xen_hvm_resume(false);
++	}
++	intr_resume(xen_suspend_cancelled != 0);
+ 	enable_intr();
+ 
+ 	/*
+ 	 * Reset grant table info.
+ 	 */
+-	gnttab_resume(NULL);
++	if (!xen_suspend_cancelled) {
++		gnttab_resume(NULL);
++	}
+ 
+ #ifdef SMP
+ 	if (!CPU_EMPTY(&cpu_suspend_map)) {
+--- sys/dev/xen/netfront/netfront.c.orig
++++ sys/dev/xen/netfront/netfront.c
+@@ -458,7 +458,21 @@
+ netfront_resume(device_t dev)
+ {
+ 	struct netfront_info *info = device_get_softc(dev);
++	u_int i;
+ 
++	if (xen_suspend_cancelled) {
++		for (i = 0; i < info->num_queues; i++) {
++			XN_RX_LOCK(&info->rxq[i]);
++			XN_TX_LOCK(&info->txq[i]);
++		}
++		netfront_carrier_on(info);
++		for (i = 0; i < info->num_queues; i++) {
++			XN_RX_UNLOCK(&info->rxq[i]);
++			XN_TX_UNLOCK(&info->txq[i]);
++		}
++		return (0);
++	}
++
+ 	netif_disconnect_backend(info);
+ 	return (0);
+ }
+--- sys/dev/xen/timer/timer.c.orig
++++ sys/dev/xen/timer/timer.c
+@@ -417,8 +417,20 @@
+ 	/* Register the timecounter. */
+ 	sc->tc.tc_name = "XENTIMER";
+ 	sc->tc.tc_quality = XENTIMER_QUALITY;
+-	sc->tc.tc_flags = TC_FLAGS_SUSPEND_SAFE;
+ 	/*
++	 * FIXME: due to the lack of ordering during resume, FreeBSD cannot
++	 * guarantee that the Xen PV timer is resumed before any other device
++	 * attempts to make use of it, so mark it as not safe for suspension
++	 * (ie: remove the TC_FLAGS_SUSPEND_SAFE flag).
++	 *
++	 * NB: This was not a problem in previous FreeBSD versions because the
++	 * timer was directly attached to the nexus, but it is an issue now
++	 * that the timer is attached to the xenpv bus, and thus resumed
++	 * later.
++	 *
++	 * sc->tc.tc_flags = TC_FLAGS_SUSPEND_SAFE;
++	 */
++    	/*
+ 	 * The underlying resolution is in nanoseconds, since the timer info
+ 	 * scales TSC frequencies using a fraction that represents time in
+ 	 * terms of nanoseconds.
+--- sys/dev/xen/xenstore/xenstore.c.orig
++++ sys/dev/xen/xenstore/xenstore.c
+@@ -1699,3 +1699,20 @@
+ 		sx_xunlock(&xs.xenwatch_mutex);
+ 	}
+ }
++
++void
++xs_lock(void)
++{
++
++	sx_xlock(&xs.request_mutex);
++	return;
++}
++
++void
++xs_unlock(void)
++{
++
++	sx_xunlock(&xs.request_mutex);
++	return;
++}
++
+--- sys/xen/xen-os.h.orig
++++ sys/xen/xen-os.h
+@@ -56,6 +56,8 @@
+ extern int xen_disable_pv_disks;
+ extern int xen_disable_pv_nics;
+ 
++extern bool xen_suspend_cancelled;
++
+ enum xen_domain_type {
+ 	XEN_NATIVE,             /* running on bare hardware    */
+ 	XEN_PV_DOMAIN,          /* running in a PV domain      */
+--- sys/xen/xenbus/xenbusb.c.orig
++++ sys/xen/xenbus/xenbusb.c
+@@ -791,6 +791,11 @@
+ 			if (device_get_state(kids[i]) == DS_NOTPRESENT)
+ 				continue;
+ 
++			if (xen_suspend_cancelled) {
++				DEVICE_RESUME(kids[i]);
++				continue;
++			}
++
+ 			ivars = device_get_ivars(kids[i]);
+ 
+ 			xs_unregister_watch(&ivars->xd_otherend_watch);
+--- sys/xen/xenstore/xenstorevar.h.orig
++++ sys/xen/xenstore/xenstorevar.h
+@@ -338,4 +338,15 @@
+  */
+ struct sbuf *xs_join(const char *, const char *);
+ 
++/**
++ * Lock the xenstore request mutex.
++ */
++void xs_lock(void);
++
++/**
++ * Unlock the xenstore request mutex.
++ */
++void xs_unlock(void);
++
+ #endif /* _XEN_XENSTORE_XENSTOREVAR_H */
++

share/security/patches/EN-17:05/xen-11.0.patch.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.19 (FreeBSD)
+
+iQIzBAABCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAljtydAACgkQ7Wfs1l3P
+auc88A/+OR7nEKgcAvEQgW8gx/LiVXvBIxjVXf7zZ6YgddZiDjkT9kOVgMMkpX3g
+4v0FJ+LHcWcUGtOAncdPox5Her/Vh6p63/sbeAghxoAO1G11gwT06y1GJCOVnUcg
+DcwqrpAinv+96aKY0XNio+VHPLPTmXS/G/0GSaI2zcmwkTKTAojVTIm5XDs+urba
+w/BgiIJn9uUOHWLW2WvUwQLpOZZi+97atH1+pz6m/GTxOy+X8CXL2FClxvsaKZKV
+XLrq/nNrtO2kAqu3CSy6SxJcOR1n+hPf58yGr/km9Zz1RVMGiS5UiPos4FkF6bDN
+O1F6PwfBtHLvKFI0ufNrLAd2fJp73MwzPG1p3rJA+86ijZz5ngqpnDOG/ApAhbyM
+p8oBWM8nKbbVy1ISAFi3M0xUREwxbk4Dg3GjM0MGf3h4p6T3eYh9EBiFSBGKlaQj
+XEejk8FfwV2nDZB/LSBnhw6FCKMQnTjKa1oXxLyVGxhBbDgRdHu87vfRfdaXhjBE
+icDHn1u9pYAR6wrXCDm+VhMv18Lo3jCg6t00r6kjroC6A8V0jqm0EOjIF7WbgA4u
+v0h7w9h+5bZCeY2xlybVoafk32PyzLqKPHO47XiSDFBeZbMXdfamDcTbhxKotuuX
+mtqQ8jntfyuMPA1QkzagbWDi3ytmMPNw+IgUCY8beuOEgDT3C+I=
+=SJ6Q
+-----END PGP SIGNATURE-----

share/security/patches/SA-17:03/ntp-10.3.patch.xz.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.19 (FreeBSD)
+
+iQIzBAABCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAljty/QACgkQ7Wfs1l3P
+audZTA//VWVCVJG3oXcNaA0f1pnwMFWbMk0cioRPNPiZSZtPr/PaAFzQlCb233rh
+VqI1rJQGcQEmDcCTIdq1dhLHj5g5Wpd3wsa1Rmzcsaal0Cz2XFhsYN0kiZbpI4nE
+fOFVYng0+BE4VYY/zKIuSH1uhIJm1luAvPx6T09y/IBcATeqYbJkm1E7Bb80CpJz
+c9+eC+o9ZGoR+5Vs5tD9ex/4w1ukq3A3lzxpvbpuXCgpZhP0stFeHPGg8fc/RUFR
+0JBXyfIcjpUDF4x7osxzCkDBmzTPQyhQ3IPRvvYEdX0sDK9Id7FS3fGNmBF0hz6A
+q95I5UF7EVgaeab4xeMc+Z4XqbozKkgZ15Cy0l3oDJ6ETU/GL2cYYEggOaMiHY0+
+djKv8D3+ipvOMbjE73UymbQDNYDQb04VVV5Gjv4rfrvwzPpbmi63pR7FQLcgSWfY
+F9fc6T6EPuZHkpR7RdNo52YSeVWBC5ICiPySMDV0g/fEZIjdoU1QrT/5dmWtFGTR
+pwQbwOHYdSRXNMsYvhyecsBTQdEFE6w9zgt/85rYfwjmz5nAO9oEn9FdCv2W7PsE
+PbPJ3P/8bEvoA1VjZ46bGz9IuK/0Z9p832pB1K3ppN1rbHLmHK9tPuhIW2EQEgJI
+v4KOeNOzcIIFkfh5EMsZx2LVr1CV9OJ+Krl8oEA5dXjluqigYuk=
+=cXVX
+-----END PGP SIGNATURE-----

share/security/patches/SA-17:03/ntp-11.0.patch.xz.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.19 (FreeBSD)
+
+iQIzBAABCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAljty/QACgkQ7Wfs1l3P
+audFIQ//e9QSmpTDaJ7kvmMdSlJEWH3NFdVVTa37HDLVp4Xf8KQHtOIkEogViuwy
+xIRc/NRhJL8Y0lzyeuG/23GooUN27CaKXNFs3saZMS8DCQmo40/dnefa8kuwf9UZ
+9ZeCJhDacGvbEhygPhRXUUgH8DVY1Er2UM5icPI2dmXVplIHGs1RNyPYsAqCXoDc
+5dhlCxXTfDaHO1igX9m/rAhJP4R2anp9oCPzlGFL3+0TJq0hNvD9Z0CutbrfnhId
+ypiV8dNgaTElWTt1VLe+xRZPvhcqkVWjMulqiixc9yRYDJejDwhGkKIi/hY7tvT4
+XhXQqqh8svYiRZ+2Gi/tNeHRT8Rv5nddf0hsikXFvpP/ipHohCpVKlPEWmFp3uSy
+A3L+coguwwTXWiq4Kp/kp9Qad7W9+W1pPFxGjxofQvK9eVJV3iiyM6X0wouXwfaX
+j9GFjDZIdZH/uCGADq6YNn+Pjqmzv9lHblYwXIhAr+MKbhuw4oJIcMa6u/yw8xs8
+nlAzgPzmdkzo3j8Q7cKl+6rInAi3N6JJo42XJsf+L8Rqk0aNdW6C3HDG5omt2Qqa
+r25rr3MC2BPnSoUcPSlSXCgy7i1/LprBISNNbIwtBrhLW0nmcJZAeutPMkOPbVXx
+ng0uXU0XUD3IDiZ9PaKAPTIVvjDAh9f5OC3m3+VEz01yL8teNvg=
+=L1P6
+-----END PGP SIGNATURE-----

share/xml/advisories.xml

@@ -7,6 +7,18 @@
   <year>
     <name>2017</name>
 
+    <month>
+      <name>4</name>
+
+      <day>
+        <name>12</name>
+
+        <advisory>
+          <name>FreeBSD-SA-17:03.ntp</name>
+        </advisory>
+      </day>
+    </month>
+
     <month>
       <name>2</name>
 

share/xml/notices.xml

@@ -7,6 +7,18 @@
   <year>
     <name>2017</name>
 
+    <month>
+      <name>4</name>
+
+      <day>
+        <name>12</name>
+
+        <notice>
+          <name>FreeBSD-EN-17:05.xen</name>
+        </notice>
+      </day>
+    </month>
+
     <month>
       <name>2</name>