Release 6 errata notices for 10.3-RELEASE, all related to Microsoft Hyper-V.

Submitted by:	Dexuan Cui <decui microsoft.com>, gjb

share/security/advisories/FreeBSD-EN-16:10.dhclient.asc

@@ -0,0 +1,131 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-16:10.dhclient                                       Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Better handle unknown options received from a DHCP server
+
+Category:       core
+Module:         dhclient
+Announced:      2016-08-12
+Credits:        Microsoft OSTC
+Affects:        FreeBSD 10.3
+Corrected:      2016-05-06 05:44:12 UTC (stable/10, 10.3-STABLE)
+                2016-08-12 04:01:16 UTC (releng/10.3, 10.3-RELEASE-p7)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The dhclient(8) utility is used to request an IP address from a DHCP server.
+Some implemenations of DHCP servers can use "options" to pass extra
+information to dhclient.
+
+II.  Problem Description
+
+In Azure, the DHCP server adds a private option (id 0xf5), which contains
+binary form of an IPv4 address.  Once this option is converted to string
+form, it could contain '$', for example:
+
+IPv4 address: 100.72.36.54
+binary form: 0x64 0x48 0x24 0x36
+string form: "dH$6"
+
+In this case, dhclient(8) exits upon "illegal" options as shown above, thus
+the an Azure virtual machine will fail to obtain an IP address, and fail to
+start.
+
+III. Impact
+
+The virtual machine in Azure may not set IP address properly and becomes
+inaccessible.
+
+IV.  Workaround
+
+No workaround is available, however it is presumed this issue only affects
+FreeBSD running in Azure.
+
+V.   Solution
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+Afterward, reboot the system or restart dhclient(8).
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Afterward, reboot the system or restart dhclient(8).
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-16:10/dhclient.patch
+# fetch https://security.FreeBSD.org/patches/EN-16:10/dhclient.patch.asc
+# gpg --verify dhclient.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the applicable daemons, or reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r299156
+releng/10.3/                                                      r303984
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-16:10.dhclient.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJXrUsbAAoJEO1n7NZdz2rnXk4P/jrIiXpu7f2ueB9qZNGE8I31
+OYFLJcv7xnSy9FRm1t7FxJJ+rJLG8dSCVtvMuyOExgQ+ZuWKg8kgumRG5/MW081O
+r0IXmvyFZgYnmRu34m13ZcH7b0qE+i8HhYqd22yoSnceOEodRMJG1X1urbcFRywO
+UfJz64pqndFYGT0I7lG0Bvt5FwAN3oo8WefaD+eq7kIwnZGLujJHx5cIaG91xLBo
+chfjPkjVgbF2/IC+rcJd2asKsXRxsBLloTh4NvTMLPSvmgItsUImU5H3YWlL5yDm
+GbCA2GLY0C50OEMDnMS2GjKUVzMK76TWgtN3fWBAGRRQYyiZh2be9BOR9ypbG6W3
+dHGSCiVILKgIoFRUMqT3KkR4oE7cxcSj6yD8xo8Nws4cV3nuC4ityBm6Gn5awzkG
+PriRg7SYF3mr7cSGa+L7LG7bvL34E/cKL8gkY/LbTa4ZKLFuprMyx3cOs+8Q6ezp
+u3d51NNPmmprxsFFWKqVIw0yNA6PN6c07v9pFGjUpsPk91+CD6Pgc+UumKI/tsIu
+BxEhEw3Iucf8YB/qfEJReDdDM7NgjXXeYASq6PI7Ag4uBx+6lNqYomZsmwcGO+6w
+JtQAxid2fg3srMjA2ZdryJ0DskQn2B+ff1Z7Zf4h58zGmL16CUfA7qhLweAy//GV
+GBduTyY36OwgkBs5i7wh
+=y0LS
+-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-EN-16:11.vmbus.asc

@@ -0,0 +1,120 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-16:11.vmbus                                          Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Avoid using spin locks for channel message locks
+
+Category:       core
+Module:         vmbus
+Announced:      2016-08-12
+Credits:        Microsoft OSTC
+Affects:        FreeBSD 10.3
+Corrected:      2016-06-15 09:52:01 UTC (stable/10, 10.3-STABLE)
+                2016-08-12 04:01:16 UTC (releng/10.3, 10.3-RELEASE-p7)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The vmbus driver has a global lock hv_vmbus_g_connection.channel_msg_lock,
+whose type is MTX_SPIN.  The lock is used to protect concurrent access to the
+global pending message list hv_vmbus_g_connection.channel_msg_anchor.
+
+II.  Problem Description
+
+In some cases, sema_post() is invoked when the spin mutex is held.
+
+III. Impact
+
+Using sema_post() with a held spin mutex may trigger a system panic.
+
+IV.  Workaround
+
+No workaround is available, however FreeBSD virtual machines not running in
+Hyper-V or Azure are unaffected.
+
+V.   Solution
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.  After which, reboot the
+system.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+After which, reboot the system.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-16:11/vmbus.patch
+# fetch https://security.FreeBSD.org/patches/EN-16:11/vmbus.patch.asc
+# gpg --verify vmbus.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+<for a kernel bug:>
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r301925
+releng/10.3/                                                      r303984
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-16:11.vmbux.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJXrUsfAAoJEO1n7NZdz2rnyAgP/3ZQ6JLhVWjdHHQz13XyT32r
+NjhZ5VWdL8ZOd4psbLTmqMh79KT4u/bMZ4RackAcpX2agnpPx8sDQL5kaRNypQuj
+OC+rTyRy4J/TZTeX6OPA+TSwOS/yczdGFhgexk0AuxoqWN3j8yZ/P+DyTC7y5CmD
+8Fc9lcTAyFP/OEwybprWesRsC6wS1hKKhzz32e+i2EONzU5Xk8V3rondLZ2cSC9h
+UaeUqJHCbdIogWt7h0zD3WKbcYEwdTmE6MNFJenjWLaIJQkFxqYUfncK9nePm+v7
+W/QfVhEMuClKJRQRI6hHC+XJU2BxoXVB7uuJxk4rfLYO+TynvJ8w2iAMpf6liQLM
+ChvBsczIDHtha7z1uqMRHouywHgSc/YWXodMrRRbOjDfFFHzsTIE/ZVdAncGqxwQ
+/b7VmBS4kZRG5KP0ip/SHRUR+Ououp79gOkIphsT8ikpQKyHQVfG9FL8desSpE8f
+nTyAWwlbBuIid7PqLcFwlIZuqbx52eMWG3//bZNKnxrx2b9RILNRDbOOrwbD2VHq
+n9mO2EKdEPQg+Fz4omwCcmK2kMhknvotQ9oWUOGFK6i/BqZ6q5PffH4lxTyTS+Jr
+oDxHZ3jmSVFb7bcjCqYwqpvxloOXY3ChgfYvnq3OI8Ry5Y7rnI8sGmKFwgqWcSqE
+KS1LNBSGT1A7/mpgzld7
+=GPUS
+-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-EN-16:12.hv_storvsc.asc

@@ -0,0 +1,125 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-16:12.hv_storvsc                                     Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Enable INQUIRY result check only on Windows 10 host systems
+
+Category:       core
+Module:         hv_storvsc
+Announced:      2016-08-12
+Credits:        Microsoft OSTC
+Affects:        FreeBSD 10.3
+Corrected:      2016-05-25 06:15:26 UTC (stable/10, 10.3-STABLE)
+                2016-08-12 04:01:16 UTC (releng/10.3, 10.3-RELEASE-p7)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+A FreeBSD virtual machine running on Hyper-V uses hv_storvsc(4) to discover,
+access, and control block devices.  The SCSI INQUIRY command is used to scan
+the disks attached to the virtual machine, and hv_storvsc(4) checks if the
+response from the host is valid.
+
+II.  Problem Description
+
+On Windows 8 and earlier systems, the response to the INQUIRY command may
+return invalid results.
+
+III. Impact
+
+When a SCSI disk hotplug occurs, some disks may not be visible to the guest
+virtual machine despite being present.
+
+IV.  Workaround
+
+No workaround is available however guest machines not running on Hyper-V on
+Windows 8 and earlier are unaffected.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.  After which, reboot the
+system.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+After which, reboot the system.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-16:12/hv_storvsc.patch
+# fetch https://security.FreeBSD.org/patches/EN-16:12/hv_storvsc.patch.asc
+# gpg --verify hv_storvsc.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r300656
+releng/10.3/                                                      r303984
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209443>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-16:12.hv_storsvc.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJXrUsgAAoJEO1n7NZdz2rns+wP/icFVWd1JaWRxcyRsv/fXIKM
++W2juTwxptg7HaXCUf885pe4ku7KHaAHViaE/Ma7QBK3DYbYMFhFRB+Vz3n45DWg
+Cc9lQfLm1sGOHA1YZml4O9dOnjxkybPhUShiBq06rREOTawdEIb1F5+xUkMo8fx4
+L3pwFBwSgBTJogcld4Ukj8w6iFLoN5SAPaGpOwmXguheja8OhP/K0UHk7SkTWaxj
+AXKyVD9z8GusqST33JOhY+PQEQU4LKZue5Xrxlrblb0eFZn6LiykYAQX0zrufFPi
+W4sg2rCogo2RIUZxmZAX0V1zcVoClKfFu1/o4dPLY4mWSIGvMde2SXanS3E6T1Mz
+PBa3+ugTgwE9+kGuY5T5jeslHcac9i6kOKU8UDMlAYxzdd2r7h9UVznms6laCIx2
+o4Z1morcFhzInuXepGl7ZeV5KEDzlgmtdLzzgZ+sc4D9IYDwig4tjw8O9uRFBDeG
+wU1pInC4M2cfs2h322IyYIg5wo9thoMrRitidLACZfB/xo6x3dEaCtj8NtxQXoYK
+/TwVdT8ltL1RlZun8I/8sdijGG5+eJAU31JOlortHnEDMzyWuSbQcaDqo8dK9fGb
+WmV0Qk+ATMA1NdxKTMHfxQUfZ6EvplTRHBNdghYWJWTvLXDyb6sKjHzo/Eexn0SD
+nh2mSHOlq8xjlCyop+I1
+=FUf1
+-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-EN-16:13.vmbus.asc

@@ -0,0 +1,122 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-16:13.vmbus                                          Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Register time counter early enough for TSC freq calibration
+
+Category:       core
+Module:         vmbus
+Announced:      2016-08-12
+Credits:        Microsoft OSTC
+Affects:        FreeBSD 10.3
+Corrected:      2016-06-16 01:57:16 UTC (stable/10, 10.3-STABLE)
+                2016-08-12 04:01:16 UTC (releng/10.3, 10.3-RELEASE-p7)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+FreeBSD uses i8254 PIT (Programmable Interval Timer) to calibrate the
+frequency of the CPU TSC (Time Stamp Counter).
+
+II.  Problem Description
+
+The Hyper-V i8254 emulation does not correctly calibrate the TSC frequency,
+and is not available for Generation 2 Hyper-V virtual machines.
+
+III. Impact
+
+FreeBSD virtual machines running on Hyper-V will see warnings logged to
+syslog(8) and the system console resembling:
+calcru: runtime went backwards from 18 usec to 9 usec for pid 0 (kernel)
+
+IV.  Workaround
+
+No workaround is available, however FreeBSD virtual machines not running in
+Hyper-V or Azure are unaffected.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.  After which, reboot the
+system.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+After which, reboot the system.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-16:13/vmbus.patch
+# fetch https://security.FreeBSD.org/patches/EN-16:13/vmbus.patch.asc
+# gpg --verify vmbus.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r301942
+releng/10.3/                                                      r303984
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-16:13.vmbus.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJXrUshAAoJEO1n7NZdz2rnZncQALG1iAvkhT+SZZ+MP7bEqlJP
+HP2NsmalVF35PnoGRj+MwG61rbrtZzAB/OHXVx4iotzAW6NCOACJuCnuJqgqFK6N
+pggtIzgE6xXsHlKIL7V9ucIURIUbdAcDoaTnJ4aE373DwmtPn/hKVaWtbspcpZ3F
+QxiFIhbR4kqDjk1fVmM4xAn8E4Q6+eUFb88LUnWh/Cd86uCSQ5cKY8qFQyhoEyeI
+L6iChVTdE7zn3bjavzlJdQn2Rh6N7lmnhBcpm+e1eyDdxDYUPCXAeGqmNrQBShq9
+SwIJKOs6ll0tzDGTI0tmKV5OoEw6InyZ6xRDR7k6j7yOo/IHVNrFAYQ+CRI+IDCv
+q+MXYOUDTIo1KxjYHzRan+f3m7DXUuSXUDye+0sAglK37FJGvUZ206dkNZVFzp2F
+wKpvzT2Pbfzl5AMGJav04YpC7MiXCxD/wsUs+jz9P+9G5UuMcjwYhuLXFecrX7BP
+zhqEtRTShuFviNIsCJxG+pmF/srESTADMckYWLez7Y2qHbO2ZxMRpKOB9XPNQEoK
+PQIWdsmdiUKCjCgKp7Siy/bb42zUVcCXjSFXGP7Eb0+i49SAFZWAO53jbe3qvtQT
+NGf47PReOLpxmLVi84lemS5jl+/GhREWZNQ+b3jdHs8ghKjfkvDPWzihVAMzcfQN
+LNnMDZJlpCUhiGp6yoHG
+=s9XX
+-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-EN-16:14.hv_storvsc.asc

@@ -0,0 +1,125 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-16:14.hv_storvsc                                     Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Disable incorrect callout in hv_storvsc(4)
+
+Category:       core
+Module:         hv_storvsc
+Announced:      2016-08-12
+Credits:        Microsoft OSTC
+Affects:        FreeBSD 10.3
+Corrected:      2016-05-06 05:16:42 UTC (stable/10, 10.3-STABLE)
+                2016-08-12 04:01:16 UTC (releng/10.3, 10.3-RELEASE-p7)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The Hyper-V storage driver, hv_storvsc(4), always sets up a timeout(9) timer
+when sending an I/O request to the host.  When the I/O is completed by the
+host and the host notifies the virtual machine, callout_drain() is used in
+another thread.
+
+II.  Problem Description
+
+The hv_storvsc(4) driver does not correctly set up the timer, and
+callout_drain() does not remove the callout as expected.  When the callout is
+later used again, it is unexpectedly reinitialized, which can cause
+undetermined behavior in the kernel callout(9) system.
+
+III. Impact
+
+Unexpected behavior in the kernel callout(9) system can occur, such as
+inability to halt the system with 'shutdown -h now'.
+
+IV.  Workaround
+
+No workaround is available, however FreeBSD virtual machines not running in
+Hyper-V or Azure are unaffected.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.  After which, reboot the
+system.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+After which, reboot the system.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-16:14/hv_storvsc.patch
+# fetch https://security.FreeBSD.org/patches/EN-16:14/hv_storvsc.patch.asc
+# gpg --verify hv_storvsc.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r299153
+releng/10.3/                                                      r303984
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-16:14.hv_storvsc.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJXrUsiAAoJEO1n7NZdz2rn5qAP/0OmatunIP/2a1U7SPNav55G
+wa0/q9MOYb/+vRfGGynlGLt79E6gxYopwMXnVtm/Z1Hhqt7NEfT6h4Fjb6rjdIiz
+Anwm6kNuesDjZGBSJ1POMP8DCXm16uqxZXQvGvzaVrdj/30gyFFrmUGPetJWnjZk
+CawfOfDS+EynvXoXDuBUu9EeisUGFbcnb3zRTqXYq3adsxW9AwlstvCPnzKzvwom
+KZKQz7AVB4XgD3B65UMpGrK7vi8u8PwXfn5sffhnt3KMchbpMA4HJXubrm9QmxxJ
+KFQm4VOMxiqjSYMtTSW6q8uIArPG2y/Cs4agHUiSehRksMSUs6TCGdmSKN/OMn0D
+Sby2MlcZCBuQDVmRdrotuTGkFvLAs/JagOojIAaz0wNcSWQv3F7DxuKx76C6jjlO
+7mgEPrctDmQJMLIIAIqvzvG94DeleMEwLIV+5omr5hhy0FANfUksgUqPH5z2n6wZ
+c4VJf8d1Jv6kpp8/uq1tcMrhmTtRwP1v7LYUBaHgy++C8azbrrS7BEMyqIB8Upal
+CWlI9ZHZYoMWkpqATtlBs3rFmWNLxtCmf8a7Xa+Ox/hep6wrFD+TFmq2wzukTypq
+BNGPIeHTxe7KdVcMbI87//SGWNEx/+W9iEcF4eGhE8JgGz+E0TvMR/JlK2479KXG
+hsjMFVQWevI7sgvSKkBS
+=XI3q
+-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-EN-16:15.vmbus.asc

@@ -0,0 +1,131 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-16:15.vmbus                                          Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Better handle the GPADL setup failure in Hyper-V
+
+Category:       core
+Module:         vmbus
+Announced:      2016-08-12
+Credits:        Microsoft OSTC
+Affects:        FreeBSD 10.3
+Corrected:      2016-06-15 09:39:41 UTC (stable/10, 10.3-STABLE)
+                2016-08-12 04:01:16 UTC (releng/10.3, 10.3-RELEASE-p7)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+FreeBSD guests on Hyper-V call hv_vmbus_post_message(), which uses hypercalls
+to post various types of VMBus messages to the Hyper-V host.  One kind of the
+messages is to setup GPADL (Guest Physical Addrss Description List), which
+describes shared memory buffers between the host and the guest.
+
+II.  Problem Description
+
+Most often, hv_vmbus_post_message() does not fail.  However, it could fail
+intermittently when GPADLs of large shared memory is to be established with
+the host, such as on the hn(4) attach path, a GPADL of 15MB sendbuf is
+created, for which lots of messages will be flooded to the host.
+
+The host side tries to throttle the message rate by returning
+HV_STATUS_INSUFFICIENT_BUFFERS.
+
+Before this errata notice, several retries for failed messages would be
+attempted, but the delay between each retry is too low, causing sporadic
+message posting failure.  A larger delay (>=1ms) is now used between each
+retry to fix the message posting failure.
+
+III. Impact
+
+Failures when Hyper-V network device driver are loaded and the device cannot
+work would occur.
+
+IV.  Workaround
+
+No workaround is available, however FreeBSD virtual machines not running in
+Hyper-V or Azure are unaffected.
+
+V.   Solution
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date, and reboot the system.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Afterward, reboot the system.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-16:15/vmbus.patch
+# fetch https://security.FreeBSD.org/patches/EN-16:15/vmbus.patch.asc
+# gpg --verify vmbus.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r301924
+releng/10.3/                                                      r303984
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-16:15.vmbus.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJXrUskAAoJEO1n7NZdz2rnpSYQAOcdxWeTfHk3Pksvy8tZl1sE
+1HzD7d4LUEd8TJZq6JA8JEmAA3MN6p0FoGDj0NlMviiy1slCo4BuEyriixhkKUqh
+be1+2pVY3d6gMixHFNPVKA0JB5amDvfxF8jY/lMZ1CsfD1tE0bTSRwPYhFFxJI8g
+QK2dbjbGPQF32fAh4953wLV/HO1n6JiQS8dtyJBc4BdGRNCcuZpl69lDeJJWH5Li
+IYtbQQlMIQZA5le7CjGXP+6eFus+U7CoqxuCq50CJwsgt0Rw+klApX85dodImlCR
+qn6FCB0OdM2W3KgrnOLEXjvmajUO1fWAkiwlS6ZlkqST5KSRUHC3pzzZcYrvLBtA
+qOslsoOp7v7uOvjKIt6As8KmX7OjFgNsiH4oxCL8H8HXNlN3uQRayMG8kglWqKWo
+QFjF5cPL1YnDn5cBSThGQY0QBnDFEPiyviJZZ8XInKAESNysOW5rpx4bLKRqz33L
+tZ0ebi+3PpA3M6wK9ag3zARJvqfTgHZ6KoVBF3HKmIB+LnyFQybHBaG5eG1sveWC
+11KobiLoA1Te9v9KunJRBvmPMsV2zjrGJ5MYFw7UH/gYhjO2CGnRlJUCAHDFr7u+
+f/AJYb9qSS6exSFGhl7tBAxEAQAizy2eCSde/rXqbNH8QPz4SM/J436GPdxcaTRD
+Lj+bkbcEPY6QqPPodDHn
+=JVB9
+-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-EN-16:16.hv_storvsc.asc

@@ -0,0 +1,131 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-16:16.hv_storvsc                                     Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Fix SCSI INQUIRY checks and error handling
+
+Category:       core
+Module:         hv_storvsc
+Announced:      2016-08-12
+Credits:        Microsoft OSTC
+Affects:        FreeBSD 10.3
+Corrected:      2016-07-15 02:29:10 UTC (stable/10, 10.2-STABLE)
+                2016-08-12 04:01:16 UTC (releng/10.3, 10.3-RELEASE-p7)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The Hyper-V storage driver, hv_storsvc(4), uses the SCSI INQUIRY command to
+detect the presence of SCSI LUNs.
+
+II.  Problem Description
+
+The hv_storsvc(4) driver assumes 36-byte responses to the INQUIRY command,
+which is not always the case.  When a shorter response is received, it can
+lead to unexpected behavior.
+
+If the host changes the virtual disk capacity, responses from the host to the
+virtual machine guest next command (such as READ CAPACITY or INQUIRY) return
+an error with sense data supplied.  The hv_storsvc(4) driver does not check
+the error status properly, so the upper SCSI layer treats the command as being
+successfully executed, resulting in unexpected behavior.
+
+III. Impact
+
+There are several manifestations of the impact, such as disk hotplug not
+working reliably, SMART checks on the disk with 'smartctl -i /dev/da0' can
+cause the disk to detach and crash the machine, and online resizing not
+working reliably.
+
+IV.  Workaround
+
+No workaround is available, however FreeBSD virtual machines not running in
+Hyper-V or Azure are unaffected.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.  After which, reboot the
+system.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+After which, reboot the system.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-16:16/hv_storvsc.patch
+# fetch https://security.FreeBSD.org/patches/EN-16:16/hv_storvsc.patch.asc
+# gpg --verify hv_storvsc.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r302863
+releng/10.3/                                                      r303984
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-16:16.hv_storvsc.asc>
+
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJXrUslAAoJEO1n7NZdz2rnoeUP/0dlvrBv/wocTjPu+6K5OjIA
++GAvrrI+pESdnBQwYcIBfxq/YJIsgzVBAlqnrR1/s2fVOtkvhdcvzJAQSEVlvaYa
+sJI2wn3lcT8KcH/JfNTxm/TgdDS25kPFl9SG1EdxE6ZSQHC4A0mjoEO9z4S7cq9i
+FYS3VjY7AqZDJx6lCvQjW0Th4S/tvW1YZ62Tlnq3IT0JVpvVlxxPP9Qau7Z4DX8I
+Pr+EqmBGdKINfzDXlrJ3TtLJ094mZw2CrhF1exmpdPAiuCUcKlt7xa6jGtm939iX
+Pur9bIxl8pB/+uPB+vRq5wjzmg7s3ld8BWBV/NJjeLXSFb0hRxWcdbuvqcpiolQu
+nIFsyaZ5h3QSxZG4NydB2Cr/A5lPG0aVGs76V9OnRbMy53NUrkyWZtGq0Qoyu9Zj
+XaMDGeiFZcuR7VynrClGtJ9L+oeewQvScPsB5D2cwS+xsey7bTlOrpfT55Zouew2
+4gsuW8kmoxq8zE3pqLn41td+ERrH0mFp1/0Zk4NdB5ylJA/o2DFeMIiJpHZ0OtWE
+T0KJ05Hz2UkjaPx1UUUC1D3GTunETXMHu62XhgsJi9tJltKiHZskWZYS9u2zDP57
+67nDjaORLbPIXUvMcQoOw/o7wFB4JWcnu/NUJdCHHHcSlec49fT+tfDzZvcfycrk
+lTEHTA0GabtHC2G7vc+v
+=3gBz
+-----END PGP SIGNATURE-----

share/security/patches/EN-16:10/dhclient.patch

@@ -0,0 +1,39 @@
+Index: sbin/dhclient/dhclient.c
+===================================================================
+--- sbin/dhclient/dhclient.c	(revision 302284)
++++ sbin/dhclient/dhclient.c	(working copy)
+@@ -2277,6 +2277,17 @@ script_set_env(struct client_state *clie
+ {
+ 	int i, j, namelen;
+ 
++	/* No `` or $() command substitution allowed in environment values! */
++	for (j=0; j < strlen(value); j++)
++		switch (value[j]) {
++		case '`':
++		case '$':
++			warning("illegal character (%c) in value '%s'",
++			    value[j], value);
++			/* Ignore this option */
++			return;
++		}
++
+ 	namelen = strlen(name);
+ 
+ 	for (i = 0; client->scriptEnv[i]; i++)
+@@ -2313,16 +2324,6 @@ script_set_env(struct client_state *clie
+ 	    strlen(value) + 1);
+ 	if (client->scriptEnv[i] == NULL)
+ 		error("script_set_env: no memory for variable assignment");
+-
+-	/* No `` or $() command substitution allowed in environment values! */
+-	for (j=0; j < strlen(value); j++)
+-		switch (value[j]) {
+-		case '`':
+-		case '$':
+-			error("illegal character (%c) in value '%s'", value[j],
+-			    value);
+-			/* not reached */
+-		}
+ 	snprintf(client->scriptEnv[i], strlen(prefix) + strlen(name) +
+ 	    1 + strlen(value) + 1, "%s%s=%s", prefix, name, value);
+ }

share/security/patches/EN-16:10/dhclient.patch.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJXrUseAAoJEO1n7NZdz2rnwP0QAI7YUXZJx2RdqNjDyTems1IR
+/tR3utSSm6MUqIA5JkSKXBj6g8o04S9VA+HRBW6TlN/KhKHYhLaCW5O4etMlp7xu
+5OYahVFAj5uMteBpvr0H0WK5NInt5Pw6YAlv7E9G7qjgKWSSsDV5h5C4xUHSSDhP
+PDn3/GXCInEY2bLIhdPcGJelPEzdCKREQWEwz1A2IjOM5rGTMAiCMvW5jW0sZd0K
++b65Dd25X1h37bFbexZy8hNIR0HyROAzsHSOV8yjf0625sib7dippVxv6ARjBX3p
+Lm88B7SI4MwW31CtsOAzjRw0Ibu+ASAx/5jRU8NppS3HZSICAk0Xjqq50m/vtCcs
+ognAqhwKHHtxfrs+UePwA9Xi6hsNcwC66HIeX1MZw7hs7FSTfheo4iy2PohbeCoW
+46RUc66RKehanG67CLe5GtYX5OzlQbzM0/KlqXZ11FvT3yXeTbCqx55ViDMOj31B
+P/Gf43Ct59DB5dIcmjqNCIIIvvAYnlqWuSDZWMj+SmYlrTbPFbKFXZaqGleXIi2j
+VVS7waoD9Bxuz+Qfaw97khFsS+QvpQWQnwGQARrb+74YeK9MbQFQ9jT2CCuWWcjF
+JXwfl8Z1wiMgQxWu7AxzAGGmdlSe9w5xuaPz0ep84t1fXgBvzkG/7W56XJWIXgfZ
+RLkTFs/7ZFPzR2ej1aXw
+=z8D3
+-----END PGP SIGNATURE-----

share/security/patches/EN-16:11/vmbus.patch

@@ -0,0 +1,218 @@
+--- sys/dev/hyperv/vmbus/hv_channel.c.orig
++++ sys/dev/hyperv/vmbus/hv_channel.c
+@@ -180,12 +180,12 @@
+ 	if (user_data_len)
+ 		memcpy(open_msg->user_data, user_data, user_data_len);
+ 
+-	mtx_lock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++	mtx_lock(&hv_vmbus_g_connection.channel_msg_lock);
+ 	TAILQ_INSERT_TAIL(
+ 		&hv_vmbus_g_connection.channel_msg_anchor,
+ 		open_info,
+ 		msg_list_entry);
+-	mtx_unlock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++	mtx_unlock(&hv_vmbus_g_connection.channel_msg_lock);
+ 
+ 	ret = hv_vmbus_post_message(
+ 		open_msg, sizeof(hv_vmbus_channel_open_channel));
+@@ -212,12 +212,12 @@
+ 	}
+ 
+ 	cleanup:
+-	mtx_lock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++	mtx_lock(&hv_vmbus_g_connection.channel_msg_lock);
+ 	TAILQ_REMOVE(
+ 		&hv_vmbus_g_connection.channel_msg_anchor,
+ 		open_info,
+ 		msg_list_entry);
+-	mtx_unlock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++	mtx_unlock(&hv_vmbus_g_connection.channel_msg_lock);
+ 	sema_destroy(&open_info->wait_sema);
+ 	free(open_info, M_DEVBUF);
+ 
+@@ -401,13 +401,13 @@
+ 	gpadl_msg->child_rel_id = channel->offer_msg.child_rel_id;
+ 	gpadl_msg->gpadl = next_gpadl_handle;
+ 
+-	mtx_lock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++	mtx_lock(&hv_vmbus_g_connection.channel_msg_lock);
+ 	TAILQ_INSERT_TAIL(
+ 		&hv_vmbus_g_connection.channel_msg_anchor,
+ 		msg_info,
+ 		msg_list_entry);
+ 
+-	mtx_unlock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++	mtx_unlock(&hv_vmbus_g_connection.channel_msg_lock);
+ 
+ 	ret = hv_vmbus_post_message(
+ 		gpadl_msg,
+@@ -446,10 +446,10 @@
+ 
+ cleanup:
+ 
+-	mtx_lock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++	mtx_lock(&hv_vmbus_g_connection.channel_msg_lock);
+ 	TAILQ_REMOVE(&hv_vmbus_g_connection.channel_msg_anchor,
+ 		msg_info, msg_list_entry);
+-	mtx_unlock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++	mtx_unlock(&hv_vmbus_g_connection.channel_msg_lock);
+ 
+ 	sema_destroy(&msg_info->wait_sema);
+ 	free(msg_info, M_DEVBUF);
+@@ -488,10 +488,10 @@
+ 	msg->child_rel_id = channel->offer_msg.child_rel_id;
+ 	msg->gpadl = gpadl_handle;
+ 
+-	mtx_lock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++	mtx_lock(&hv_vmbus_g_connection.channel_msg_lock);
+ 	TAILQ_INSERT_TAIL(&hv_vmbus_g_connection.channel_msg_anchor,
+ 			info, msg_list_entry);
+-	mtx_unlock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++	mtx_unlock(&hv_vmbus_g_connection.channel_msg_lock);
+ 
+ 	ret = hv_vmbus_post_message(msg,
+ 			sizeof(hv_vmbus_channel_gpadl_teardown));
+@@ -504,10 +504,10 @@
+ 	/*
+ 	 * Received a torndown response
+ 	 */
+-	mtx_lock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++	mtx_lock(&hv_vmbus_g_connection.channel_msg_lock);
+ 	TAILQ_REMOVE(&hv_vmbus_g_connection.channel_msg_anchor,
+ 			info, msg_list_entry);
+-	mtx_unlock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++	mtx_unlock(&hv_vmbus_g_connection.channel_msg_lock);
+ 	sema_destroy(&info->wait_sema);
+ 	free(info, M_DEVBUF);
+ 
+--- sys/dev/hyperv/vmbus/hv_channel_mgmt.c.orig
++++ sys/dev/hyperv/vmbus/hv_channel_mgmt.c
+@@ -567,7 +567,7 @@
+ 	/*
+ 	 * Find the open msg, copy the result and signal/unblock the wait event
+ 	 */
+-	mtx_lock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++	mtx_lock(&hv_vmbus_g_connection.channel_msg_lock);
+ 
+ 	TAILQ_FOREACH(msg_info, &hv_vmbus_g_connection.channel_msg_anchor,
+ 	    msg_list_entry) {
+@@ -585,7 +585,7 @@
+ 		}
+ 	    }
+ 	}
+-	mtx_unlock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++	mtx_unlock(&hv_vmbus_g_connection.channel_msg_lock);
+ 
+ }
+ 
+@@ -609,7 +609,7 @@
+ 	/* Find the establish msg, copy the result and signal/unblock
+ 	 * the wait event
+ 	 */
+-	mtx_lock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++	mtx_lock(&hv_vmbus_g_connection.channel_msg_lock);
+ 	TAILQ_FOREACH(msg_info, &hv_vmbus_g_connection.channel_msg_anchor,
+ 		msg_list_entry) {
+ 	    request_header = (hv_vmbus_channel_msg_header*) msg_info->msg;
+@@ -628,7 +628,7 @@
+ 		}
+ 	    }
+ 	}
+-	mtx_unlock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++	mtx_unlock(&hv_vmbus_g_connection.channel_msg_lock);
+ }
+ 
+ /**
+@@ -653,7 +653,7 @@
+ 	 * wait event.
+ 	 */
+ 
+-	mtx_lock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++	mtx_lock(&hv_vmbus_g_connection.channel_msg_lock);
+ 
+ 	TAILQ_FOREACH(msg_info, &hv_vmbus_g_connection.channel_msg_anchor,
+ 		msg_list_entry) {
+@@ -673,7 +673,7 @@
+ 		}
+ 	    }
+ 	}
+-    mtx_unlock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++    mtx_unlock(&hv_vmbus_g_connection.channel_msg_lock);
+ }
+ 
+ /**
+@@ -693,7 +693,7 @@
+ 
+ 	versionResponse = (hv_vmbus_channel_version_response*)hdr;
+ 
+-	mtx_lock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++	mtx_lock(&hv_vmbus_g_connection.channel_msg_lock);
+ 	TAILQ_FOREACH(msg_info, &hv_vmbus_g_connection.channel_msg_anchor,
+ 	    msg_list_entry) {
+ 	    requestHeader = (hv_vmbus_channel_msg_header*) msg_info->msg;
+@@ -707,7 +707,7 @@
+ 		sema_post(&msg_info->wait_sema);
+ 	    }
+ 	}
+-    mtx_unlock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++    mtx_unlock(&hv_vmbus_g_connection.channel_msg_lock);
+ 
+ }
+ 
+--- sys/dev/hyperv/vmbus/hv_connection.c.orig
++++ sys/dev/hyperv/vmbus/hv_connection.c
+@@ -101,26 +101,26 @@
+ 	 * Add to list before we send the request since we may receive the
+ 	 * response before returning from this routine
+ 	 */
+-	mtx_lock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++	mtx_lock(&hv_vmbus_g_connection.channel_msg_lock);
+ 
+ 	TAILQ_INSERT_TAIL(
+ 		&hv_vmbus_g_connection.channel_msg_anchor,
+ 		msg_info,
+ 		msg_list_entry);
+ 
+-	mtx_unlock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++	mtx_unlock(&hv_vmbus_g_connection.channel_msg_lock);
+ 
+ 	ret = hv_vmbus_post_message(
+ 		msg,
+ 		sizeof(hv_vmbus_channel_initiate_contact));
+ 
+ 	if (ret != 0) {
+-		mtx_lock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++		mtx_lock(&hv_vmbus_g_connection.channel_msg_lock);
+ 		TAILQ_REMOVE(
+ 			&hv_vmbus_g_connection.channel_msg_anchor,
+ 			msg_info,
+ 			msg_list_entry);
+-		mtx_unlock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++		mtx_unlock(&hv_vmbus_g_connection.channel_msg_lock);
+ 		return (ret);
+ 	}
+ 
+@@ -129,12 +129,12 @@
+ 	 */
+ 	ret = sema_timedwait(&msg_info->wait_sema, 5 * hz); /* KYS 5 seconds */
+ 
+-	mtx_lock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++	mtx_lock(&hv_vmbus_g_connection.channel_msg_lock);
+ 	TAILQ_REMOVE(
+ 		&hv_vmbus_g_connection.channel_msg_anchor,
+ 		msg_info,
+ 		msg_list_entry);
+-	mtx_unlock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++	mtx_unlock(&hv_vmbus_g_connection.channel_msg_lock);
+ 
+ 	/**
+ 	 * Check if successful
+@@ -173,7 +173,7 @@
+ 
+ 	TAILQ_INIT(&hv_vmbus_g_connection.channel_msg_anchor);
+ 	mtx_init(&hv_vmbus_g_connection.channel_msg_lock, "vmbus channel msg",
+-		NULL, MTX_SPIN);
++		NULL, MTX_DEF);
+ 
+ 	TAILQ_INIT(&hv_vmbus_g_connection.channel_anchor);
+ 	mtx_init(&hv_vmbus_g_connection.channel_lock, "vmbus channel",

share/security/patches/EN-16:11/vmbus.patch.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJXrUsfAAoJEO1n7NZdz2rn6HkP/jxUR6mhiG66F9BIdl+eCXko
+c4SzLXhxW4LpDuu106dTyK5/jOVWAfSHQ58IGSlV3YOGEh2f8UsdA1OGtsg4MW6G
+2ljohahowBaKhZvNSEZLvLKKzg5NIvb63NQjg/XJ0GLvHfXp7fA/7LGadGTgiQUs
+iRzjEm/Mjw6UHi8R720CgFJsHSKtPftD9VWzp+J7Bf5vrP8xdFLsWNSWWNZFrMQ7
+knKrtgik/vPxzWonR81MYRcaE7OqyZ9hQb0EqBw5e3Tl4EXC01MpxGBkFwjHRjB2
+DvxQKfpTy//gpM4FrZLS5aXAa9OXkFOCNqXrO+BxaYf4m4DuxhLG6NZI8ocKOr+b
+viHOXucP79jf3u04XUOFVPCf4DJ2jvzuqWYD6cOEakB06uDmjCgpgkbgWyqY1wkl
+tcYmuqIl9cv0vZFLtbhk8zKnkCg+uLRN4C+O5Fc6mQev9ytSy56l16Vm496I56Xx
+zCOy+I7RJRbGtBaE4CXLIXMSlYWVmL+o986m4OGzMN4a7tCRVyxziLPVv3P2Yjnm
+gj4b/9qZzU5Voa/adojj4kmwLDSTyhhofbJuED0Q2eWwo300gfZheNGF8aKkO7yF
+4eZvcUE/+NnsNUz1tPVCfYZ5sf2aB6W6fcXjeMuD/ytUmwrxdN4mSp0z+3mA9SXo
+8Hic0sf3VDsHc4YeEsy9
+=jPaX
+-----END PGP SIGNATURE-----

share/security/patches/EN-16:12/hv_storvsc.patch

@@ -0,0 +1,205 @@
+--- sys/dev/hyperv/storvsc/hv_storvsc_drv_freebsd.c.orig
++++ sys/dev/hyperv/storvsc/hv_storvsc_drv_freebsd.c
+@@ -81,12 +81,6 @@
+ #define BLKVSC_MAX_IO_REQUESTS		STORVSC_MAX_IO_REQUESTS
+ #define STORVSC_MAX_TARGETS		(2)
+ 
+-#define STORVSC_WIN7_MAJOR 4
+-#define STORVSC_WIN7_MINOR 2
+-
+-#define STORVSC_WIN8_MAJOR 5
+-#define STORVSC_WIN8_MINOR 1
+-
+ #define VSTOR_PKT_SIZE	(sizeof(struct vstor_packet) - vmscsi_size_delta)
+ 
+ #define HV_ALIGN(x, a) roundup2(x, a)
+@@ -208,7 +202,7 @@
+  * Sense buffer size changed in win8; have a run-time
+  * variable to track the size we should use.
+  */
+-static int sense_buffer_size;
++static int sense_buffer_size = PRE_WIN8_STORVSC_SENSE_BUFFER_SIZE;
+ 
+ /*
+  * The size of the vmscsi_request has changed in win8. The
+@@ -218,9 +212,46 @@
+  * Track the correct size we need to apply.
+  */
+ static int vmscsi_size_delta;
++/*
++ * The storage protocol version is determined during the
++ * initial exchange with the host.  It will indicate which
++ * storage functionality is available in the host.
++*/
++static int vmstor_proto_version;
++
++struct vmstor_proto {
++        int proto_version;
++        int sense_buffer_size;
++        int vmscsi_size_delta;
++};
+ 
+-static int storvsc_current_major;
+-static int storvsc_current_minor;
++static const struct vmstor_proto vmstor_proto_list[] = {
++        {
++                VMSTOR_PROTOCOL_VERSION_WIN10,
++                POST_WIN7_STORVSC_SENSE_BUFFER_SIZE,
++                0
++        },
++        {
++                VMSTOR_PROTOCOL_VERSION_WIN8_1,
++                POST_WIN7_STORVSC_SENSE_BUFFER_SIZE,
++                0
++        },
++        {
++                VMSTOR_PROTOCOL_VERSION_WIN8,
++                POST_WIN7_STORVSC_SENSE_BUFFER_SIZE,
++                0
++        },
++        {
++                VMSTOR_PROTOCOL_VERSION_WIN7,
++                PRE_WIN8_STORVSC_SENSE_BUFFER_SIZE,
++                sizeof(struct vmscsi_win8_extension),
++        },
++        {
++                VMSTOR_PROTOCOL_VERSION_WIN6,
++                PRE_WIN8_STORVSC_SENSE_BUFFER_SIZE,
++                sizeof(struct vmscsi_win8_extension),
++        }
++};
+ 
+ /* static functions */
+ static int storvsc_probe(device_t dev);
+@@ -435,7 +466,7 @@
+ static int
+ hv_storvsc_channel_init(struct hv_device *dev)
+ {
+-	int ret = 0;
++	int ret = 0, i;
+ 	struct hv_storvsc_request *request;
+ 	struct vstor_packet *vstor_packet;
+ 	struct storvsc_softc *sc;
+@@ -484,19 +515,20 @@
+ 		goto cleanup;
+ 	}
+ 
+-	/* reuse the packet for version range supported */
++	for (i = 0; i < nitems(vmstor_proto_list); i++) {
++		/* reuse the packet for version range supported */
+ 
+-	memset(vstor_packet, 0, sizeof(struct vstor_packet));
+-	vstor_packet->operation = VSTOR_OPERATION_QUERYPROTOCOLVERSION;
+-	vstor_packet->flags = REQUEST_COMPLETION_FLAG;
++		memset(vstor_packet, 0, sizeof(struct vstor_packet));
++		vstor_packet->operation = VSTOR_OPERATION_QUERYPROTOCOLVERSION;
++		vstor_packet->flags = REQUEST_COMPLETION_FLAG;
+ 
+-	vstor_packet->u.version.major_minor =
+-	    VMSTOR_PROTOCOL_VERSION(storvsc_current_major, storvsc_current_minor);
++		vstor_packet->u.version.major_minor =
++			vmstor_proto_list[i].proto_version;
+ 
+-	/* revision is only significant for Windows guests */
+-	vstor_packet->u.version.revision = 0;
++		/* revision is only significant for Windows guests */
++		vstor_packet->u.version.revision = 0;
+ 
+-	ret = hv_vmbus_channel_send_packet(
++		ret = hv_vmbus_channel_send_packet(
+ 			dev->channel,
+ 			vstor_packet,
+ 			VSTOR_PKT_SIZE,
+@@ -504,20 +536,34 @@
+ 			HV_VMBUS_PACKET_TYPE_DATA_IN_BAND,
+ 			HV_VMBUS_DATA_PACKET_FLAG_COMPLETION_REQUESTED);
+ 
+-	if (ret != 0)
+-		goto cleanup;
++		if (ret != 0)
++			goto cleanup;
+ 
+-	/* wait 5 seconds */
+-	ret = sema_timedwait(&request->synch_sema, 5 * hz);
++		/* wait 5 seconds */
++		ret = sema_timedwait(&request->synch_sema, 5 * hz);
+ 
+-	if (ret)
+-		goto cleanup;
++		if (ret)
++			goto cleanup;
+ 
+-	/* TODO: Check returned version */
+-	if (vstor_packet->operation != VSTOR_OPERATION_COMPLETEIO ||
+-		vstor_packet->status != 0)
+-		goto cleanup;
++		if (vstor_packet->operation != VSTOR_OPERATION_COMPLETEIO) {
++			ret = EINVAL;
++			goto cleanup;	
++		}
++		if (vstor_packet->status == 0) {
++			vmstor_proto_version =
++				vmstor_proto_list[i].proto_version;
++			sense_buffer_size =
++				vmstor_proto_list[i].sense_buffer_size;
++			vmscsi_size_delta =
++				vmstor_proto_list[i].vmscsi_size_delta;
++			break;
++		}
++	}
+ 
++	if (vstor_packet->status != 0) {
++		ret = EINVAL;
++		goto cleanup;
++	}
+ 	/**
+ 	 * Query channel properties
+ 	 */
+@@ -916,19 +962,6 @@
+ 	int ata_disk_enable = 0;
+ 	int ret	= ENXIO;
+ 	
+-	if (hv_vmbus_protocal_version == HV_VMBUS_VERSION_WS2008 ||
+-	    hv_vmbus_protocal_version == HV_VMBUS_VERSION_WIN7) {
+-		sense_buffer_size = PRE_WIN8_STORVSC_SENSE_BUFFER_SIZE;
+-		vmscsi_size_delta = sizeof(struct vmscsi_win8_extension);
+-		storvsc_current_major = STORVSC_WIN7_MAJOR;
+-		storvsc_current_minor = STORVSC_WIN7_MINOR;
+-	} else {
+-		sense_buffer_size = POST_WIN7_STORVSC_SENSE_BUFFER_SIZE;
+-		vmscsi_size_delta = 0;
+-		storvsc_current_major = STORVSC_WIN8_MAJOR;
+-		storvsc_current_minor = STORVSC_WIN8_MINOR;
+-	}
+-	
+ 	switch (storvsc_get_storage_type(dev)) {
+ 	case DRIVER_BLKVSC:
+ 		if(bootverbose)
+@@ -2064,6 +2097,13 @@
+ 		    ((ccb->ccb_h.flags & CAM_CDB_POINTER) ?
+ 		     csio->cdb_io.cdb_ptr : csio->cdb_io.cdb_bytes);
+ 		if (cmd->opcode == INQUIRY &&
++		    /* 
++		     * XXX: Temporary work around disk hot plugin on win2k12r2,
++		     * only filtering the invalid disk on win10 or 2016 server.
++		     * So, the hot plugin on win10 and 2016 server needs
++		     * to be fixed.
++		     */
++		    vmstor_proto_version == VMSTOR_PROTOCOL_VERSION_WIN10 && 
+ 		    is_inquiry_valid(
+ 		    (const struct scsi_inquiry_data *)csio->data_ptr) == 0) {
+ 			ccb->ccb_h.status |= CAM_DEV_NOT_THERE;
+--- sys/dev/hyperv/storvsc/hv_vstorage.h.orig
++++ sys/dev/hyperv/storvsc/hv_vstorage.h
+@@ -41,6 +41,11 @@
+ #define VMSTOR_PROTOCOL_VERSION(MAJOR_, MINOR_) ((((MAJOR_) & 0xff) << 8) | \
+                                                  (((MINOR_) & 0xff)     ))
+ 
++#define VMSTOR_PROTOCOL_VERSION_WIN6       VMSTOR_PROTOCOL_VERSION(2, 0)
++#define VMSTOR_PROTOCOL_VERSION_WIN7       VMSTOR_PROTOCOL_VERSION(4, 2)
++#define VMSTOR_PROTOCOL_VERSION_WIN8       VMSTOR_PROTOCOL_VERSION(5, 1)
++#define VMSTOR_PROTOCOL_VERSION_WIN8_1     VMSTOR_PROTOCOL_VERSION(6, 0)
++#define VMSTOR_PROTOCOL_VERSION_WIN10      VMSTOR_PROTOCOL_VERSION(6, 2)
+ /*
+  * Invalid version.
+  */

share/security/patches/EN-16:12/hv_storvsc.patch.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJXrUsgAAoJEO1n7NZdz2rna2MP/0vEjB5HY78W/jI/owx0l5WI
+zFe0R1ZdBDlYmVxnYmUcB9/7FciyvbQDcnpVtr8evqUxnmXj0MEK5iQBoi7t2cao
+gfykz4Yh+ZU8UVPKVGardFvgVsphwnahlEmQ5HJrlJy5b2Cgf1+c5UsBZu+310+n
+O7Z7vuP48DW/n/8ihz0du/kGjl5LAxgDGZsZUfkKpw9JBsrWOf4ssmqprGZOy4f7
+TCXt3OfZo87PdKy+21hVz6ekc7SWuNIrwzEc6Yc8YKgUpTxoOg030L2ixOpOytDb
+a3oen2nqWm/XgjReg/+lA2PkedY6WoOqXmmEWMeIm4JHBrZARJmAJD+2KQwJy/dk
+vjlMrK7Um5jR9r6gmQ2mWZs8HaK4q3cHIcR6j/LiFH3DO6nkTYd24uAe3IkQB3kW
+6z1Yru9cSZA5wuXAA3acGPO6LyVClHm9m3LiDamuSrVHDiLZVt999cBLHPB27rko
+5o0+INutJrkcfiIu2Rxw8Mc8Bw4wL6qaWda0eh2wufNFN9KEMcuIW36pVx58Ya2k
+CIWshuKfBCvAj2x25uZGGs7RyvEKGxPll1KxsmedjWy/ZhSK6bzR1hhUSE7gXMA4
+pYH0pfc0ECBO/AL9213kctmNeo+a9HRUyAPSqWUiiYcSEHTTlFG9efyEPEIcjgwu
+yy8y9/u+1MnI6+9ekO7/
+=L9SS
+-----END PGP SIGNATURE-----

share/security/patches/EN-16:13/vmbus.patch

@@ -0,0 +1,155 @@
+--- sys/dev/hyperv/vmbus/hv_hv.c.orig
++++ sys/dev/hyperv/vmbus/hv_hv.c
+@@ -33,6 +33,7 @@
+ __FBSDID("$FreeBSD$");
+ 
+ #include <sys/param.h>
++#include <sys/kernel.h>
+ #include <sys/malloc.h>
+ #include <sys/pcpu.h>
+ #include <sys/timetc.h>
+@@ -50,6 +51,9 @@
+ 
+ static u_int hv_get_timecount(struct timecounter *tc);
+ 
++u_int	hyperv_features;
++u_int	hyperv_recommends;
++
+ /**
+  * Globals
+  */
+@@ -211,8 +215,6 @@
+ 
+ 	hv_vmbus_g_context.hypercall_page = virt_addr;
+ 
+-	tc_init(&hv_timecounter); /* register virtual timecount */
+-
+ 	hv_et_init();
+ 	
+ 	return (0);
+@@ -427,3 +429,93 @@
+ 	wrmsr(HV_X64_MSR_SIEFP, siefp.as_uint64_t);
+ }
+ 
++static bool
++hyperv_identify(void)
++{
++	u_int regs[4];
++	unsigned int maxLeaf;
++	unsigned int op;
++
++	if (vm_guest != VM_GUEST_HV)
++		return (false);
++
++	op = HV_CPU_ID_FUNCTION_HV_VENDOR_AND_MAX_FUNCTION;
++	do_cpuid(op, regs);
++	maxLeaf = regs[0];
++	if (maxLeaf < HV_CPU_ID_FUNCTION_MS_HV_IMPLEMENTATION_LIMITS)
++		return (false);
++
++	op = HV_CPU_ID_FUNCTION_HV_INTERFACE;
++	do_cpuid(op, regs);
++	if (regs[0] != 0x31237648 /* HV#1 */)
++		return (false);
++
++	op = HV_CPU_ID_FUNCTION_MS_HV_FEATURES;
++	do_cpuid(op, regs);
++	if ((regs[0] & HV_FEATURE_MSR_HYPERCALL) == 0) {
++		/*
++		 * Hyper-V w/o Hypercall is impossible; someone
++		 * is faking Hyper-V.
++		 */
++		return (false);
++	}
++	hyperv_features = regs[0];
++
++	op = HV_CPU_ID_FUNCTION_MS_HV_VERSION;
++	do_cpuid(op, regs);
++	printf("Hyper-V Version: %d.%d.%d [SP%d]\n",
++	    regs[1] >> 16, regs[1] & 0xffff, regs[0], regs[2]);
++
++	printf("  Features: 0x%b\n", hyperv_features,
++	    "\020"
++	    "\001VPRUNTIME"
++	    "\002TMREFCNT"
++	    "\003SYNCIC"
++	    "\004SYNCTM"
++	    "\005APIC"
++	    "\006HYERCALL"
++	    "\007VPINDEX"
++	    "\010RESET"
++	    "\011STATS"
++	    "\012REFTSC"
++	    "\013IDLE"
++	    "\014TMFREQ"
++	    "\015DEBUG");
++
++	op = HV_CPU_ID_FUNCTION_MS_HV_ENLIGHTENMENT_INFORMATION;
++	do_cpuid(op, regs);
++	hyperv_recommends = regs[0];
++	if (bootverbose)
++		printf("  Recommends: %08x %08x\n", regs[0], regs[1]);
++
++	op = HV_CPU_ID_FUNCTION_MS_HV_IMPLEMENTATION_LIMITS;
++	do_cpuid(op, regs);
++	if (bootverbose) {
++		printf("  Limits: Vcpu:%d Lcpu:%d Int:%d\n",
++		    regs[0], regs[1], regs[2]);
++	}
++
++	if (maxLeaf >= HV_CPU_ID_FUNCTION_MS_HV_HARDWARE_FEATURE) {
++		op = HV_CPU_ID_FUNCTION_MS_HV_HARDWARE_FEATURE;
++		do_cpuid(op, regs);
++		if (bootverbose) {
++			printf("  HW Features: %08x AMD: %08x\n",
++			    regs[0], regs[3]);
++		}
++	}
++
++	return (true);
++}
++
++static void
++hyperv_init(void *dummy __unused)
++{
++	if (!hyperv_identify())
++		return;
++
++	if (hyperv_features & HV_FEATURE_MSR_TIME_REFCNT) {
++		/* Register virtual timecount */
++		tc_init(&hv_timecounter);
++	}
++}
++SYSINIT(hyperv_initialize, SI_SUB_HYPERVISOR, SI_ORDER_FIRST, hyperv_init, NULL);
+--- sys/dev/hyperv/vmbus/hv_vmbus_priv.h.orig
++++ sys/dev/hyperv/vmbus/hv_vmbus_priv.h
+@@ -471,10 +471,17 @@
+ 	HV_CPU_ID_FUNCTION_MS_HV_VERSION			= 0x40000002,
+ 	HV_CPU_ID_FUNCTION_MS_HV_FEATURES			= 0x40000003,
+ 	HV_CPU_ID_FUNCTION_MS_HV_ENLIGHTENMENT_INFORMATION	= 0x40000004,
+-	HV_CPU_ID_FUNCTION_MS_HV_IMPLEMENTATION_LIMITS		= 0x40000005
+-
++	HV_CPU_ID_FUNCTION_MS_HV_IMPLEMENTATION_LIMITS		= 0x40000005,
++	HV_CPU_ID_FUNCTION_MS_HV_HARDWARE_FEATURE		= 0x40000006
+ } hv_vmbus_cpuid_function;
+ 
++#define	HV_FEATURE_MSR_TIME_REFCNT	(1 << 1)
++#define	HV_FEATURE_MSR_SYNCIC		(1 << 2)
++#define	HV_FEATURE_MSR_STIMER		(1 << 3)
++#define	HV_FEATURE_MSR_APIC		(1 << 4)
++#define	HV_FEATURE_MSR_HYPERCALL	(1 << 5)
++#define	HV_FEATURE_MSR_GUEST_IDLE	(1 << 10)
++
+ /*
+  * Define the format of the SIMP register
+  */
+@@ -628,6 +635,9 @@
+ extern hv_vmbus_context		hv_vmbus_g_context;
+ extern hv_vmbus_connection	hv_vmbus_g_connection;
+ 
++extern u_int			hyperv_features;
++extern u_int			hyperv_recommends;
++
+ typedef void (*vmbus_msg_handler)(hv_vmbus_channel_msg_header *msg);
+ 
+ typedef struct hv_vmbus_channel_msg_table_entry {

share/security/patches/EN-16:13/vmbus.patch.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJXrUsiAAoJEO1n7NZdz2rn7oUQAMIlJ7FfdYN3ncISxokj1Y9o
+TDY+KYS0ucNVrCs1fQZL4oKQptpWjJ65A6559samZgSvf9szrp3NOB3TonyAGBLG
+l/zR0eR7SpMsZZh7uAW1LgUGyTLcnj3/C9800HK5pkfDB8VQWi4a3WldzgkBkG/W
+PSrymoXg8xH4HC0WosOH096RmnOx7mt9PtAm3F0e6pJRvUiJixp1dhYYFFdm8T5Q
+Pgw/bhFBoMlxe3BNAlltLYJ0+YKH3WOjVGdwDcm8X5madmn0KA6KgtvWwu0hKSbH
+SeiThXJxe/uPrCcjGVALgY0iKflgsN38Do32+PIMMtZO/DFxx53bJJIrCPAmq97V
+qeUrkso5lhXDIcUEEs7V9RQJK3MouajQUbFtykd5y9SMPLTcNBes4HddrjIvOcBH
+NOMFAeG/7NwmWpdF703fCoqYO7cx9K2Q+HWi620uI5u2B0BatbU7Sx1uQE3o/XUb
+rtWSJp5mKNN5oPSxV3jd9nC6i14HrgrA/1ouhDTG1FrYBvh7TlfDpxmeuEGojiO/
+3S3l3KfPChOa3xEsdX4huLNlOQAAMtgibUsaQY+Yb2WhP/IOJdxU9FI6uBgmEAD/
+Coz26Dk9qLxvurUfNFUK7Kd4NQPIibjhUdhxjNq+1hJdBmGTVZ862vxTIUXtHeeI
+JXtRAvLVrygKpqu8kXzo
+=P6G6
+-----END PGP SIGNATURE-----

share/security/patches/EN-16:14/hv_storvsc.patch

@@ -0,0 +1,50 @@
+--- sys/dev/hyperv/storvsc/hv_storvsc_drv_freebsd.c.orig
++++ sys/dev/hyperv/storvsc/hv_storvsc_drv_freebsd.c
+@@ -1273,6 +1273,7 @@
+ }
+ #endif /* HVS_TIMEOUT_TEST */
+ 
++#ifdef notyet
+ /**
+  * @brief timeout handler for requests
+  *
+@@ -1320,6 +1321,7 @@
+ 	storvsc_timeout_test(reqp, MODE_SELECT_10, 1);
+ #endif
+ }
++#endif
+ 
+ /**
+  * @brief StorVSC device poll function
+@@ -1472,6 +1474,7 @@
+ 			return;
+ 		}
+ 
++#ifdef notyet
+ 		if (ccb->ccb_h.timeout != CAM_TIME_INFINITY) {
+ 			callout_init(&reqp->callout, CALLOUT_MPSAFE);
+ 			callout_reset_sbt(&reqp->callout,
+@@ -1491,6 +1494,7 @@
+ 			}
+ #endif /* HVS_TIMEOUT_TEST */
+ 		}
++#endif
+ 
+ 		if ((res = hv_storvsc_io_request(sc->hs_dev, reqp)) != 0) {
+ 			xpt_print(ccb->ccb_h.path,
+@@ -2039,6 +2043,7 @@
+ 		mtx_unlock(&sc->hs_lock);
+ 	}
+ 
++#ifdef notyet
+ 	/*
+ 	 * callout_drain() will wait for the timer handler to finish
+ 	 * if it is running. So we don't need any lock to synchronize
+@@ -2049,6 +2054,7 @@
+ 	if (ccb->ccb_h.timeout != CAM_TIME_INFINITY) {
+ 		callout_drain(&reqp->callout);
+ 	}
++#endif
+ 
+ 	ccb->ccb_h.status &= ~CAM_SIM_QUEUED;
+ 	ccb->ccb_h.status &= ~CAM_STATUS_MASK;

share/security/patches/EN-16:14/hv_storvsc.patch.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJXrUsjAAoJEO1n7NZdz2rneWcQALoyKPTxSYmxNSocHI/PYZuS
+aD1S9T6prQZ4nWJXbM5Dqq2/SYXZ8FKCtdDIqZVZEm5iZf5Pv7vdAHcNYDA3fosg
+0y1cskwqhsIQMidS7CrTnX0R224PjrSnZOJlPpRx/EGKAb1OhbGYlBb1BvljpBFl
+oyQ31u63jdIZKR3RIEHWs8Bx6aOC+JDsThmXmOFwuIWk/ssot1kohUd+NQLSEVCh
+sZ6ArGpo6RRXQZXQqVMW9ZAL3q6KN0obmmAeSPadTcUME1U0W1fHtoLgVTRvskoI
+jd752MlnTRfEid9Ci6BiH7kUNM8FEpyWfiupl1/iQXvZevtR70lXHpMZ+vRKiZSt
+tjJa4+hLv8OnhZFCf6K+Ts8lJykswHv34UPYsemyNS+zJyOKbjiEMAXvCxklw8Rh
+AvGZT+Lq6QQeuz+suwL0I/F3XPLarH0waqRi6mbb9FYhmTilrKvjIk946kcIx22B
+8bCuB60RDV/WKOQMJnpts2w/JvXxqoigbTQubmkfZm8cv9VL1My4gHNso6U/OfAn
+C216dljcwYPWa0KTupjMpV8SvOq6YwV0F3AKSTGyu8Pv9A8MOUUt7kjuOIyxzfkH
+D8VO+i8mv96b6Tc5/iB6zJ+/q+aXCcnMlUiwZbF1PNUAHVjMMThwnPiTmuA4o6Ff
+djSfFj4gMMLwYPBnJlHJ
+=KT/g
+-----END PGP SIGNATURE-----

share/security/patches/EN-16:15/vmbus.patch

@@ -0,0 +1,68 @@
+--- sys/dev/hyperv/vmbus/hv_connection.c.orig
++++ sys/dev/hyperv/vmbus/hv_connection.c
+@@ -476,31 +476,35 @@
+ /**
+  * Send a msg on the vmbus's message connection
+  */
+-int hv_vmbus_post_message(void *buffer, size_t bufferLen) {
+-	int ret = 0;
++int hv_vmbus_post_message(void *buffer, size_t bufferLen)
++{
+ 	hv_vmbus_connection_id connId;
+-	unsigned retries = 0;
+-
+-	/* NetScaler delays from previous code were consolidated here */
+-	static int delayAmount[] = {100, 100, 100, 500, 500, 5000, 5000, 5000};
+-
+-	/* for(each entry in delayAmount) try to post message,
+-	 *  delay a little bit before retrying
++	sbintime_t time = SBT_1MS;
++	int retries;
++	int ret;
++
++	connId.as_uint32_t = 0;
++	connId.u.id = HV_VMBUS_MESSAGE_CONNECTION_ID;
++
++	/*
++	 * We retry to cope with transient failures caused by host side's
++	 * insufficient resources. 20 times should suffice in practice.
+ 	 */
+-	for (retries = 0;
+-	    retries < sizeof(delayAmount)/sizeof(delayAmount[0]); retries++) {
+-	    connId.as_uint32_t = 0;
+-	    connId.u.id = HV_VMBUS_MESSAGE_CONNECTION_ID;
+-	    ret = hv_vmbus_post_msg_via_msg_ipc(connId, 1, buffer, bufferLen);
+-	    if (ret != HV_STATUS_INSUFFICIENT_BUFFERS)
+-		break;
+-	    /* TODO: KYS We should use a blocking wait call */
+-	    DELAY(delayAmount[retries]);
++	for (retries = 0; retries < 20; retries++) {
++		ret = hv_vmbus_post_msg_via_msg_ipc(connId, 1, buffer,
++						    bufferLen);
++		if (ret == HV_STATUS_SUCCESS)
++			return (0);
++
++		pause_sbt("pstmsg", time, 0, C_HARDCLOCK);
++		if (time < SBT_1S * 2)
++			time *= 2;
+ 	}
+ 
+-	KASSERT(ret == 0, ("Error VMBUS: Message Post Failed\n"));
++	KASSERT(ret == HV_STATUS_SUCCESS,
++		("Error VMBUS: Message Post Failed, ret=%d\n", ret));
+ 
+-	return (ret);
++	return (EAGAIN);
+ }
+ 
+ /**
+--- sys/dev/hyperv/vmbus/hv_vmbus_priv.h.orig
++++ sys/dev/hyperv/vmbus/hv_vmbus_priv.h
+@@ -70,6 +70,7 @@
+  *    You did not supply enough message buffers to send a message.
+  */
+ 
++#define HV_STATUS_SUCCESS                ((uint16_t)0)
+ #define HV_STATUS_INSUFFICIENT_BUFFERS   ((uint16_t)0x0013)
+ 
+ typedef void (*hv_vmbus_channel_callback)(void *context);

share/security/patches/EN-16:15/vmbus.patch.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJXrUskAAoJEO1n7NZdz2rnKtwP/2M6zkmYtHxSbx0eSIT6Kr9+
+rOhe4WzffqxMS3wCr3uj3gAzOYUJXibtrdZcgok3xm+S/zUo6AvEd43AI1tInzLg
+Wz7OMtagEOxtDml4bQEBGAbT/HWx8EHulmSMhcFyS8X6dwYlIl7xBOIQ9RiGVdS4
+1ILYL6K2dDbB79Pn+wuAdcaJGexZeQNiFdEItVeHkbm+uq9IZRUoKn9ADa/LrFGp
+a9nTKAdRpxflRvk4e60bO10HoleuLEp/2WGkEE83Yo/XvMsfdonUj2htQy1yxki/
+RUYF7lVAU7ZeJPeBBYdocP0FISwWKBzW7P8+7+2aJPPlJF24smBD9dD1D64YMnDf
+qudoLdRAPPCCWdkykswcGFcCcN6V33HlJgEJbAQ2F+6bsktyU9xJ0+aNNVMAs/wD
+lEDAVfTf6Yc2Ly1XaWk9VRuD0xDAVxixURAwFbhTxdDqtmFc8V5ExqR5vrAXG66J
+hhoABljOmVhP23gq+QsCKQyvqjSaymWzCCq1N/3S9mLNrmWC6IOto1kyX0EdQEcX
+L5gb1xrNbKeMVenlqOI4x3xi3+BlAGl/ocXJ+ilQUAWR3JqBMR1PcWImdLK7QMQC
+FvSsZOAdSmo1FpXh8ZWRIxkj+TPwXRJAyL93oXEKqGZdL2OjdbVsuVIWNeXwGKQf
+5PA/9P4SAjXWCEVq3Duy
+=ccKT
+-----END PGP SIGNATURE-----

share/security/patches/EN-16:16/hv_storvsc.patch

@@ -0,0 +1,165 @@
+--- sys/dev/hyperv/storvsc/hv_storvsc_drv_freebsd.c.orig
++++ sys/dev/hyperv/storvsc/hv_storvsc_drv_freebsd.c
+@@ -805,6 +805,13 @@
+ 
+ 	vm_srb = &vstor_packet->u.vm_srb;
+ 
++	/*
++	 * Copy some fields of the host's response into the request structure,
++	 * because the fields will be used later in storvsc_io_done().
++	 */
++	request->vstor_packet.u.vm_srb.scsi_status = vm_srb->scsi_status;
++	request->vstor_packet.u.vm_srb.transfer_len = vm_srb->transfer_len;
++
+ 	if (((vm_srb->scsi_status & 0xFF) == SCSI_STATUS_CHECK_COND) &&
+ 			(vm_srb->srb_status & SRB_STATUS_AUTOSENSE_VALID)) {
+ 		/* Autosense data available */
+@@ -1939,62 +1946,24 @@
+ }
+ 
+ /*
+- * Modified based on scsi_print_inquiry which is responsible to
+- * print the detail information for scsi_inquiry_data.
+- *
++ * SCSI Inquiry checks qualifier and type.
++ * If qualifier is 011b, means the device server is not capable
++ * of supporting a peripheral device on this logical unit, and
++ * the type should be set to 1Fh.
++ * 
+  * Return 1 if it is valid, 0 otherwise.
+  */
+ static inline int
+ is_inquiry_valid(const struct scsi_inquiry_data *inq_data)
+ {
+ 	uint8_t type;
+-	char vendor[16], product[48], revision[16];
+-
+-	/*
+-	 * Check device type and qualifier
+-	 */
+-	if (!(SID_QUAL_IS_VENDOR_UNIQUE(inq_data) ||
+-	    SID_QUAL(inq_data) == SID_QUAL_LU_CONNECTED))
++	if (SID_QUAL(inq_data) != SID_QUAL_LU_CONNECTED) {
+ 		return (0);
+-
++	}
+ 	type = SID_TYPE(inq_data);
+-	switch (type) {
+-	case T_DIRECT:
+-	case T_SEQUENTIAL:
+-	case T_PRINTER:
+-	case T_PROCESSOR:
+-	case T_WORM:
+-	case T_CDROM:
+-	case T_SCANNER:
+-	case T_OPTICAL:
+-	case T_CHANGER:
+-	case T_COMM:
+-	case T_STORARRAY:
+-	case T_ENCLOSURE:
+-	case T_RBC:
+-	case T_OCRW:
+-	case T_OSD:
+-	case T_ADC:
+-		break;
+-	case T_NODEVICE:
+-	default:
++	if (type == T_NODEVICE) {
+ 		return (0);
+ 	}
+-
+-	/*
+-	 * Check vendor, product, and revision
+-	 */
+-	cam_strvis(vendor, inq_data->vendor, sizeof(inq_data->vendor),
+-	    sizeof(vendor));
+-	cam_strvis(product, inq_data->product, sizeof(inq_data->product),
+-	    sizeof(product));
+-	cam_strvis(revision, inq_data->revision, sizeof(inq_data->revision),
+-	    sizeof(revision));
+-	if (strlen(vendor) == 0  ||
+-	    strlen(product) == 0 ||
+-	    strlen(revision) == 0)
+-		return (0);
+-
+ 	return (1);
+ }
+ 
+@@ -2071,7 +2040,6 @@
+ 	ccb->ccb_h.status &= ~CAM_STATUS_MASK;
+ 	if (vm_srb->scsi_status == SCSI_STATUS_OK) {
+ 		const struct scsi_generic *cmd;
+-
+ 		/*
+ 		 * Check whether the data for INQUIRY cmd is valid or
+ 		 * not.  Windows 10 and Windows 2016 send all zero
+@@ -2080,23 +2048,59 @@
+ 		cmd = (const struct scsi_generic *)
+ 		    ((ccb->ccb_h.flags & CAM_CDB_POINTER) ?
+ 		     csio->cdb_io.cdb_ptr : csio->cdb_io.cdb_bytes);
+-		if (cmd->opcode == INQUIRY &&
+-		    /* 
+-		     * XXX: Temporary work around disk hot plugin on win2k12r2,
+-		     * only filtering the invalid disk on win10 or 2016 server.
+-		     * So, the hot plugin on win10 and 2016 server needs
+-		     * to be fixed.
++		if (cmd->opcode == INQUIRY) {
++		    /*
++		     * The host of Windows 10 or 2016 server will response
++		     * the inquiry request with invalid data for unexisted device:
++			[0x7f 0x0 0x5 0x2 0x1f ... ]
++		     * But on windows 2012 R2, the response is:
++			[0x7f 0x0 0x0 0x0 0x0 ]
++		     * That is why here wants to validate the inquiry response.
++		     * The validation will skip the INQUIRY whose response is short,
++		     * which is less than SHORT_INQUIRY_LENGTH (36).
++		     *
++		     * For more information about INQUIRY, please refer to:
++		     *  ftp://ftp.avc-pioneer.com/Mtfuji_7/Proposal/Jun09/INQUIRY.pdf
+ 		     */
+-		    vmstor_proto_version == VMSTOR_PROTOCOL_VERSION_WIN10 && 
+-		    is_inquiry_valid(
+-		    (const struct scsi_inquiry_data *)csio->data_ptr) == 0) {
++		    const struct scsi_inquiry_data *inq_data =
++			(const struct scsi_inquiry_data *)csio->data_ptr;
++		    uint8_t* resp_buf = (uint8_t*)csio->data_ptr;
++		    /* Get the buffer length reported by host */
++		    int resp_xfer_len = vm_srb->transfer_len;
++		    /* Get the available buffer length */
++		    int resp_buf_len = resp_xfer_len >= 5 ? resp_buf[4] + 5 : 0;
++		    int data_len = (resp_buf_len < resp_xfer_len) ? resp_buf_len : resp_xfer_len;
++		    if (data_len < SHORT_INQUIRY_LENGTH) {
++			ccb->ccb_h.status |= CAM_REQ_CMP;
++			if (bootverbose && data_len >= 5) {
++				mtx_lock(&sc->hs_lock);
++				xpt_print(ccb->ccb_h.path,
++				    "storvsc skips the validation for short inquiry (%d)"
++				    " [%x %x %x %x %x]\n",
++				    data_len,resp_buf[0],resp_buf[1],resp_buf[2],
++				    resp_buf[3],resp_buf[4]);
++				mtx_unlock(&sc->hs_lock);
++			}
++		    } else if (is_inquiry_valid(inq_data) == 0) {
+ 			ccb->ccb_h.status |= CAM_DEV_NOT_THERE;
++			if (bootverbose && data_len >= 5) {
++				mtx_lock(&sc->hs_lock);
++				xpt_print(ccb->ccb_h.path,
++				    "storvsc uninstalled invalid device"
++				    " [%x %x %x %x %x]\n",
++				resp_buf[0],resp_buf[1],resp_buf[2],resp_buf[3],resp_buf[4]);
++				mtx_unlock(&sc->hs_lock);
++			}
++		    } else {
++			ccb->ccb_h.status |= CAM_REQ_CMP;
+ 			if (bootverbose) {
+ 				mtx_lock(&sc->hs_lock);
+ 				xpt_print(ccb->ccb_h.path,
+-				    "storvsc uninstalled device\n");
++				    "storvsc has passed inquiry response (%d) validation\n",
++				    data_len);
+ 				mtx_unlock(&sc->hs_lock);
+ 			}
++		    }
+ 		} else {
+ 			ccb->ccb_h.status |= CAM_REQ_CMP;
+ 		}

share/security/patches/EN-16:16/hv_storvsc.patch.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJXrUslAAoJEO1n7NZdz2rn/NMQAMvOWBMZC0WhfJ/Y48Gh+gOQ
+wt0FZ6/AJgsUTrOUaYIqdRNpmszVZjujIXdHCsrUu7iJGK1M/OqNEOrVqbjAN3iX
+J/EaJgRKYja3glf2Xzu6ow+uMRy9jM26g1EOpHeUzYk/ndV2/Vg8lrUOvPL40KA6
+QskcbO1RLrVb0ytszGA6l2r2XGKckHKPUrTEv7/43u8FJg05WAn3I1HXAKbzJFzm
+TaDJCMCzjnO/v0bXsoL+2fUrtFJuNbaxGkAzgQsaBgvjRffQCpOxZYUNemWBxuzD
+ZOleQ6IjwUWoZVlbbdjYsLMHyxKOOmATzyerrtKvvVv4gsl7ImKRuiZAPHsk4CR/
+jhVv2ASODQwk879jeqsSuSZhiWj20kf5JS9XoKUm1KF28CltfKCXC+pjBkp0IRDR
+o+SwyCUelPHWYbhHa8PoVIzGLYZIqXav/REJTHeIb6lp88ayfTuL/kK5I7lgHRIC
+DI+yvo5OXhBxL847K8++DH1k5KdB34ySenmX3D1HuOp4tlGcdYJAGxqDrY5rPrGX
+qLQBFrSrpJfGfG0NO3ldUqdcjesVALe7SgQtnblYoj7Nmem4y1MUCXCHaU+oowTI
+37jaaJ476rJJ7Ai4Vkwx8StyaQ3++BYSb+oHtjaFHzBz1X5WI+6ppZPKh6J8kwPK
+m5x91Fjl/SpjlwuxKA3h
+=RWdh
+-----END PGP SIGNATURE-----

share/xml/notices.xml

@@ -7,6 +7,42 @@
   <year>
     <name>2016</name>
 
+    <month>
+      <name>8</name>
+
+      <day>
+        <name>12</name>
+
+        <notice>
+          <name>FreeBSD-EN-16:16.hv_storvsc</name>
+        </notice>
+
+        <notice>
+          <name>FreeBSD-EN-16:15.vmbus</name>
+        </notice>
+
+        <notice>
+          <name>FreeBSD-EN-16:14.hv_storvsc</name>
+        </notice>
+
+        <notice>
+          <name>FreeBSD-EN-16:13.vmbus</name>
+        </notice>
+
+        <notice>
+          <name>FreeBSD-EN-16:12.hv_storvsc</name>
+        </notice>
+
+        <notice>
+          <name>FreeBSD-EN-16:11.vmbus</name>
+        </notice>
+
+        <notice>
+          <name>FreeBSD-EN-16:10.dhclient</name>
+        </notice>
+      </day>
+    </month>
+
     <month>
       <name>7</name>