diff --git a/share/security/advisories/FreeBSD-EN-16:10.dhclient.asc b/share/security/advisories/FreeBSD-EN-16:10.dhclient.asc
new file mode 100644
index 0000000000..218748720d
--- /dev/null
+++ b/share/security/advisories/FreeBSD-EN-16:10.dhclient.asc
@@ -0,0 +1,131 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-16:10.dhclient Errata Notice
+ The FreeBSD Project
+
+Topic: Better handle unknown options received from a DHCP server
+
+Category: core
+Module: dhclient
+Announced: 2016-08-12
+Credits: Microsoft OSTC
+Affects: FreeBSD 10.3
+Corrected: 2016-05-06 05:44:12 UTC (stable/10, 10.3-STABLE)
+ 2016-08-12 04:01:16 UTC (releng/10.3, 10.3-RELEASE-p7)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+.
+
+I. Background
+
+The dhclient(8) utility is used to request an IP address from a DHCP server.
+Some implemenations of DHCP servers can use "options" to pass extra
+information to dhclient.
+
+II. Problem Description
+
+In Azure, the DHCP server adds a private option (id 0xf5), which contains
+binary form of an IPv4 address. Once this option is converted to string
+form, it could contain '$', for example:
+
+IPv4 address: 100.72.36.54
+binary form: 0x64 0x48 0x24 0x36
+string form: "dH$6"
+
+In this case, dhclient(8) exits upon "illegal" options as shown above, thus
+the an Azure virtual machine will fail to obtain an IP address, and fail to
+start.
+
+III. Impact
+
+The virtual machine in Azure may not set IP address properly and becomes
+inaccessible.
+
+IV. Workaround
+
+No workaround is available, however it is presumed this issue only affects
+FreeBSD running in Azure.
+
+V. Solution
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+Afterward, reboot the system or restart dhclient(8).
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Afterward, reboot the system or restart dhclient(8).
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-16:10/dhclient.patch
+# fetch https://security.FreeBSD.org/patches/EN-16:10/dhclient.patch.asc
+# gpg --verify dhclient.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in .
+
+Restart the applicable daemons, or reboot the system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/10/ r299156
+releng/10.3/ r303984
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+
+
+VII. References
+
+The latest revision of this advisory is available at
+
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJXrUsbAAoJEO1n7NZdz2rnXk4P/jrIiXpu7f2ueB9qZNGE8I31
+OYFLJcv7xnSy9FRm1t7FxJJ+rJLG8dSCVtvMuyOExgQ+ZuWKg8kgumRG5/MW081O
+r0IXmvyFZgYnmRu34m13ZcH7b0qE+i8HhYqd22yoSnceOEodRMJG1X1urbcFRywO
+UfJz64pqndFYGT0I7lG0Bvt5FwAN3oo8WefaD+eq7kIwnZGLujJHx5cIaG91xLBo
+chfjPkjVgbF2/IC+rcJd2asKsXRxsBLloTh4NvTMLPSvmgItsUImU5H3YWlL5yDm
+GbCA2GLY0C50OEMDnMS2GjKUVzMK76TWgtN3fWBAGRRQYyiZh2be9BOR9ypbG6W3
+dHGSCiVILKgIoFRUMqT3KkR4oE7cxcSj6yD8xo8Nws4cV3nuC4ityBm6Gn5awzkG
+PriRg7SYF3mr7cSGa+L7LG7bvL34E/cKL8gkY/LbTa4ZKLFuprMyx3cOs+8Q6ezp
+u3d51NNPmmprxsFFWKqVIw0yNA6PN6c07v9pFGjUpsPk91+CD6Pgc+UumKI/tsIu
+BxEhEw3Iucf8YB/qfEJReDdDM7NgjXXeYASq6PI7Ag4uBx+6lNqYomZsmwcGO+6w
+JtQAxid2fg3srMjA2ZdryJ0DskQn2B+ff1Z7Zf4h58zGmL16CUfA7qhLweAy//GV
+GBduTyY36OwgkBs5i7wh
+=y0LS
+-----END PGP SIGNATURE-----
diff --git a/share/security/advisories/FreeBSD-EN-16:11.vmbus.asc b/share/security/advisories/FreeBSD-EN-16:11.vmbus.asc
new file mode 100644
index 0000000000..4675931571
--- /dev/null
+++ b/share/security/advisories/FreeBSD-EN-16:11.vmbus.asc
@@ -0,0 +1,120 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-16:11.vmbus Errata Notice
+ The FreeBSD Project
+
+Topic: Avoid using spin locks for channel message locks
+
+Category: core
+Module: vmbus
+Announced: 2016-08-12
+Credits: Microsoft OSTC
+Affects: FreeBSD 10.3
+Corrected: 2016-06-15 09:52:01 UTC (stable/10, 10.3-STABLE)
+ 2016-08-12 04:01:16 UTC (releng/10.3, 10.3-RELEASE-p7)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+.
+
+I. Background
+
+The vmbus driver has a global lock hv_vmbus_g_connection.channel_msg_lock,
+whose type is MTX_SPIN. The lock is used to protect concurrent access to the
+global pending message list hv_vmbus_g_connection.channel_msg_anchor.
+
+II. Problem Description
+
+In some cases, sema_post() is invoked when the spin mutex is held.
+
+III. Impact
+
+Using sema_post() with a held spin mutex may trigger a system panic.
+
+IV. Workaround
+
+No workaround is available, however FreeBSD virtual machines not running in
+Hyper-V or Azure are unaffected.
+
+V. Solution
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date. After which, reboot the
+system.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+After which, reboot the system.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-16:11/vmbus.patch
+# fetch https://security.FreeBSD.org/patches/EN-16:11/vmbus.patch.asc
+# gpg --verify vmbus.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+
+
+c) Recompile your kernel as described in
+ and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/10/ r301925
+releng/10.3/ r303984
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+
+
+VII. References
+
+The latest revision of this advisory is available at
+
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJXrUsfAAoJEO1n7NZdz2rnyAgP/3ZQ6JLhVWjdHHQz13XyT32r
+NjhZ5VWdL8ZOd4psbLTmqMh79KT4u/bMZ4RackAcpX2agnpPx8sDQL5kaRNypQuj
+OC+rTyRy4J/TZTeX6OPA+TSwOS/yczdGFhgexk0AuxoqWN3j8yZ/P+DyTC7y5CmD
+8Fc9lcTAyFP/OEwybprWesRsC6wS1hKKhzz32e+i2EONzU5Xk8V3rondLZ2cSC9h
+UaeUqJHCbdIogWt7h0zD3WKbcYEwdTmE6MNFJenjWLaIJQkFxqYUfncK9nePm+v7
+W/QfVhEMuClKJRQRI6hHC+XJU2BxoXVB7uuJxk4rfLYO+TynvJ8w2iAMpf6liQLM
+ChvBsczIDHtha7z1uqMRHouywHgSc/YWXodMrRRbOjDfFFHzsTIE/ZVdAncGqxwQ
+/b7VmBS4kZRG5KP0ip/SHRUR+Ououp79gOkIphsT8ikpQKyHQVfG9FL8desSpE8f
+nTyAWwlbBuIid7PqLcFwlIZuqbx52eMWG3//bZNKnxrx2b9RILNRDbOOrwbD2VHq
+n9mO2EKdEPQg+Fz4omwCcmK2kMhknvotQ9oWUOGFK6i/BqZ6q5PffH4lxTyTS+Jr
+oDxHZ3jmSVFb7bcjCqYwqpvxloOXY3ChgfYvnq3OI8Ry5Y7rnI8sGmKFwgqWcSqE
+KS1LNBSGT1A7/mpgzld7
+=GPUS
+-----END PGP SIGNATURE-----
diff --git a/share/security/advisories/FreeBSD-EN-16:12.hv_storvsc.asc b/share/security/advisories/FreeBSD-EN-16:12.hv_storvsc.asc
new file mode 100644
index 0000000000..6fcf3bd08f
--- /dev/null
+++ b/share/security/advisories/FreeBSD-EN-16:12.hv_storvsc.asc
@@ -0,0 +1,125 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-16:12.hv_storvsc Errata Notice
+ The FreeBSD Project
+
+Topic: Enable INQUIRY result check only on Windows 10 host systems
+
+Category: core
+Module: hv_storvsc
+Announced: 2016-08-12
+Credits: Microsoft OSTC
+Affects: FreeBSD 10.3
+Corrected: 2016-05-25 06:15:26 UTC (stable/10, 10.3-STABLE)
+ 2016-08-12 04:01:16 UTC (releng/10.3, 10.3-RELEASE-p7)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+.
+
+I. Background
+
+A FreeBSD virtual machine running on Hyper-V uses hv_storvsc(4) to discover,
+access, and control block devices. The SCSI INQUIRY command is used to scan
+the disks attached to the virtual machine, and hv_storvsc(4) checks if the
+response from the host is valid.
+
+II. Problem Description
+
+On Windows 8 and earlier systems, the response to the INQUIRY command may
+return invalid results.
+
+III. Impact
+
+When a SCSI disk hotplug occurs, some disks may not be visible to the guest
+virtual machine despite being present.
+
+IV. Workaround
+
+No workaround is available however guest machines not running on Hyper-V on
+Windows 8 and earlier are unaffected.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date. After which, reboot the
+system.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+After which, reboot the system.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-16:12/hv_storvsc.patch
+# fetch https://security.FreeBSD.org/patches/EN-16:12/hv_storvsc.patch.asc
+# gpg --verify hv_storvsc.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+ and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/10/ r300656
+releng/10.3/ r303984
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+
+
+VII. References
+
+
+
+The latest revision of this advisory is available at
+
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJXrUsgAAoJEO1n7NZdz2rns+wP/icFVWd1JaWRxcyRsv/fXIKM
++W2juTwxptg7HaXCUf885pe4ku7KHaAHViaE/Ma7QBK3DYbYMFhFRB+Vz3n45DWg
+Cc9lQfLm1sGOHA1YZml4O9dOnjxkybPhUShiBq06rREOTawdEIb1F5+xUkMo8fx4
+L3pwFBwSgBTJogcld4Ukj8w6iFLoN5SAPaGpOwmXguheja8OhP/K0UHk7SkTWaxj
+AXKyVD9z8GusqST33JOhY+PQEQU4LKZue5Xrxlrblb0eFZn6LiykYAQX0zrufFPi
+W4sg2rCogo2RIUZxmZAX0V1zcVoClKfFu1/o4dPLY4mWSIGvMde2SXanS3E6T1Mz
+PBa3+ugTgwE9+kGuY5T5jeslHcac9i6kOKU8UDMlAYxzdd2r7h9UVznms6laCIx2
+o4Z1morcFhzInuXepGl7ZeV5KEDzlgmtdLzzgZ+sc4D9IYDwig4tjw8O9uRFBDeG
+wU1pInC4M2cfs2h322IyYIg5wo9thoMrRitidLACZfB/xo6x3dEaCtj8NtxQXoYK
+/TwVdT8ltL1RlZun8I/8sdijGG5+eJAU31JOlortHnEDMzyWuSbQcaDqo8dK9fGb
+WmV0Qk+ATMA1NdxKTMHfxQUfZ6EvplTRHBNdghYWJWTvLXDyb6sKjHzo/Eexn0SD
+nh2mSHOlq8xjlCyop+I1
+=FUf1
+-----END PGP SIGNATURE-----
diff --git a/share/security/advisories/FreeBSD-EN-16:13.vmbus.asc b/share/security/advisories/FreeBSD-EN-16:13.vmbus.asc
new file mode 100644
index 0000000000..9512cc934a
--- /dev/null
+++ b/share/security/advisories/FreeBSD-EN-16:13.vmbus.asc
@@ -0,0 +1,122 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-16:13.vmbus Errata Notice
+ The FreeBSD Project
+
+Topic: Register time counter early enough for TSC freq calibration
+
+Category: core
+Module: vmbus
+Announced: 2016-08-12
+Credits: Microsoft OSTC
+Affects: FreeBSD 10.3
+Corrected: 2016-06-16 01:57:16 UTC (stable/10, 10.3-STABLE)
+ 2016-08-12 04:01:16 UTC (releng/10.3, 10.3-RELEASE-p7)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+.
+
+I. Background
+
+FreeBSD uses i8254 PIT (Programmable Interval Timer) to calibrate the
+frequency of the CPU TSC (Time Stamp Counter).
+
+II. Problem Description
+
+The Hyper-V i8254 emulation does not correctly calibrate the TSC frequency,
+and is not available for Generation 2 Hyper-V virtual machines.
+
+III. Impact
+
+FreeBSD virtual machines running on Hyper-V will see warnings logged to
+syslog(8) and the system console resembling:
+calcru: runtime went backwards from 18 usec to 9 usec for pid 0 (kernel)
+
+IV. Workaround
+
+No workaround is available, however FreeBSD virtual machines not running in
+Hyper-V or Azure are unaffected.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date. After which, reboot the
+system.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+After which, reboot the system.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-16:13/vmbus.patch
+# fetch https://security.FreeBSD.org/patches/EN-16:13/vmbus.patch.asc
+# gpg --verify vmbus.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+ and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/10/ r301942
+releng/10.3/ r303984
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+
+
+VII. References
+
+The latest revision of this advisory is available at
+
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJXrUshAAoJEO1n7NZdz2rnZncQALG1iAvkhT+SZZ+MP7bEqlJP
+HP2NsmalVF35PnoGRj+MwG61rbrtZzAB/OHXVx4iotzAW6NCOACJuCnuJqgqFK6N
+pggtIzgE6xXsHlKIL7V9ucIURIUbdAcDoaTnJ4aE373DwmtPn/hKVaWtbspcpZ3F
+QxiFIhbR4kqDjk1fVmM4xAn8E4Q6+eUFb88LUnWh/Cd86uCSQ5cKY8qFQyhoEyeI
+L6iChVTdE7zn3bjavzlJdQn2Rh6N7lmnhBcpm+e1eyDdxDYUPCXAeGqmNrQBShq9
+SwIJKOs6ll0tzDGTI0tmKV5OoEw6InyZ6xRDR7k6j7yOo/IHVNrFAYQ+CRI+IDCv
+q+MXYOUDTIo1KxjYHzRan+f3m7DXUuSXUDye+0sAglK37FJGvUZ206dkNZVFzp2F
+wKpvzT2Pbfzl5AMGJav04YpC7MiXCxD/wsUs+jz9P+9G5UuMcjwYhuLXFecrX7BP
+zhqEtRTShuFviNIsCJxG+pmF/srESTADMckYWLez7Y2qHbO2ZxMRpKOB9XPNQEoK
+PQIWdsmdiUKCjCgKp7Siy/bb42zUVcCXjSFXGP7Eb0+i49SAFZWAO53jbe3qvtQT
+NGf47PReOLpxmLVi84lemS5jl+/GhREWZNQ+b3jdHs8ghKjfkvDPWzihVAMzcfQN
+LNnMDZJlpCUhiGp6yoHG
+=s9XX
+-----END PGP SIGNATURE-----
diff --git a/share/security/advisories/FreeBSD-EN-16:14.hv_storvsc.asc b/share/security/advisories/FreeBSD-EN-16:14.hv_storvsc.asc
new file mode 100644
index 0000000000..33031bf762
--- /dev/null
+++ b/share/security/advisories/FreeBSD-EN-16:14.hv_storvsc.asc
@@ -0,0 +1,125 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-16:14.hv_storvsc Errata Notice
+ The FreeBSD Project
+
+Topic: Disable incorrect callout in hv_storvsc(4)
+
+Category: core
+Module: hv_storvsc
+Announced: 2016-08-12
+Credits: Microsoft OSTC
+Affects: FreeBSD 10.3
+Corrected: 2016-05-06 05:16:42 UTC (stable/10, 10.3-STABLE)
+ 2016-08-12 04:01:16 UTC (releng/10.3, 10.3-RELEASE-p7)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+.
+
+I. Background
+
+The Hyper-V storage driver, hv_storvsc(4), always sets up a timeout(9) timer
+when sending an I/O request to the host. When the I/O is completed by the
+host and the host notifies the virtual machine, callout_drain() is used in
+another thread.
+
+II. Problem Description
+
+The hv_storvsc(4) driver does not correctly set up the timer, and
+callout_drain() does not remove the callout as expected. When the callout is
+later used again, it is unexpectedly reinitialized, which can cause
+undetermined behavior in the kernel callout(9) system.
+
+III. Impact
+
+Unexpected behavior in the kernel callout(9) system can occur, such as
+inability to halt the system with 'shutdown -h now'.
+
+IV. Workaround
+
+No workaround is available, however FreeBSD virtual machines not running in
+Hyper-V or Azure are unaffected.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date. After which, reboot the
+system.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+After which, reboot the system.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-16:14/hv_storvsc.patch
+# fetch https://security.FreeBSD.org/patches/EN-16:14/hv_storvsc.patch.asc
+# gpg --verify hv_storvsc.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+ and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/10/ r299153
+releng/10.3/ r303984
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+
+
+VII. References
+
+The latest revision of this advisory is available at
+
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJXrUsiAAoJEO1n7NZdz2rn5qAP/0OmatunIP/2a1U7SPNav55G
+wa0/q9MOYb/+vRfGGynlGLt79E6gxYopwMXnVtm/Z1Hhqt7NEfT6h4Fjb6rjdIiz
+Anwm6kNuesDjZGBSJ1POMP8DCXm16uqxZXQvGvzaVrdj/30gyFFrmUGPetJWnjZk
+CawfOfDS+EynvXoXDuBUu9EeisUGFbcnb3zRTqXYq3adsxW9AwlstvCPnzKzvwom
+KZKQz7AVB4XgD3B65UMpGrK7vi8u8PwXfn5sffhnt3KMchbpMA4HJXubrm9QmxxJ
+KFQm4VOMxiqjSYMtTSW6q8uIArPG2y/Cs4agHUiSehRksMSUs6TCGdmSKN/OMn0D
+Sby2MlcZCBuQDVmRdrotuTGkFvLAs/JagOojIAaz0wNcSWQv3F7DxuKx76C6jjlO
+7mgEPrctDmQJMLIIAIqvzvG94DeleMEwLIV+5omr5hhy0FANfUksgUqPH5z2n6wZ
+c4VJf8d1Jv6kpp8/uq1tcMrhmTtRwP1v7LYUBaHgy++C8azbrrS7BEMyqIB8Upal
+CWlI9ZHZYoMWkpqATtlBs3rFmWNLxtCmf8a7Xa+Ox/hep6wrFD+TFmq2wzukTypq
+BNGPIeHTxe7KdVcMbI87//SGWNEx/+W9iEcF4eGhE8JgGz+E0TvMR/JlK2479KXG
+hsjMFVQWevI7sgvSKkBS
+=XI3q
+-----END PGP SIGNATURE-----
diff --git a/share/security/advisories/FreeBSD-EN-16:15.vmbus.asc b/share/security/advisories/FreeBSD-EN-16:15.vmbus.asc
new file mode 100644
index 0000000000..59a41ea955
--- /dev/null
+++ b/share/security/advisories/FreeBSD-EN-16:15.vmbus.asc
@@ -0,0 +1,131 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-16:15.vmbus Errata Notice
+ The FreeBSD Project
+
+Topic: Better handle the GPADL setup failure in Hyper-V
+
+Category: core
+Module: vmbus
+Announced: 2016-08-12
+Credits: Microsoft OSTC
+Affects: FreeBSD 10.3
+Corrected: 2016-06-15 09:39:41 UTC (stable/10, 10.3-STABLE)
+ 2016-08-12 04:01:16 UTC (releng/10.3, 10.3-RELEASE-p7)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+.
+
+I. Background
+
+FreeBSD guests on Hyper-V call hv_vmbus_post_message(), which uses hypercalls
+to post various types of VMBus messages to the Hyper-V host. One kind of the
+messages is to setup GPADL (Guest Physical Addrss Description List), which
+describes shared memory buffers between the host and the guest.
+
+II. Problem Description
+
+Most often, hv_vmbus_post_message() does not fail. However, it could fail
+intermittently when GPADLs of large shared memory is to be established with
+the host, such as on the hn(4) attach path, a GPADL of 15MB sendbuf is
+created, for which lots of messages will be flooded to the host.
+
+The host side tries to throttle the message rate by returning
+HV_STATUS_INSUFFICIENT_BUFFERS.
+
+Before this errata notice, several retries for failed messages would be
+attempted, but the delay between each retry is too low, causing sporadic
+message posting failure. A larger delay (>=1ms) is now used between each
+retry to fix the message posting failure.
+
+III. Impact
+
+Failures when Hyper-V network device driver are loaded and the device cannot
+work would occur.
+
+IV. Workaround
+
+No workaround is available, however FreeBSD virtual machines not running in
+Hyper-V or Azure are unaffected.
+
+V. Solution
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date, and reboot the system.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Afterward, reboot the system.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-16:15/vmbus.patch
+# fetch https://security.FreeBSD.org/patches/EN-16:15/vmbus.patch.asc
+# gpg --verify vmbus.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+ and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/10/ r301924
+releng/10.3/ r303984
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+
+
+VII. References
+
+The latest revision of this advisory is available at
+
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJXrUskAAoJEO1n7NZdz2rnpSYQAOcdxWeTfHk3Pksvy8tZl1sE
+1HzD7d4LUEd8TJZq6JA8JEmAA3MN6p0FoGDj0NlMviiy1slCo4BuEyriixhkKUqh
+be1+2pVY3d6gMixHFNPVKA0JB5amDvfxF8jY/lMZ1CsfD1tE0bTSRwPYhFFxJI8g
+QK2dbjbGPQF32fAh4953wLV/HO1n6JiQS8dtyJBc4BdGRNCcuZpl69lDeJJWH5Li
+IYtbQQlMIQZA5le7CjGXP+6eFus+U7CoqxuCq50CJwsgt0Rw+klApX85dodImlCR
+qn6FCB0OdM2W3KgrnOLEXjvmajUO1fWAkiwlS6ZlkqST5KSRUHC3pzzZcYrvLBtA
+qOslsoOp7v7uOvjKIt6As8KmX7OjFgNsiH4oxCL8H8HXNlN3uQRayMG8kglWqKWo
+QFjF5cPL1YnDn5cBSThGQY0QBnDFEPiyviJZZ8XInKAESNysOW5rpx4bLKRqz33L
+tZ0ebi+3PpA3M6wK9ag3zARJvqfTgHZ6KoVBF3HKmIB+LnyFQybHBaG5eG1sveWC
+11KobiLoA1Te9v9KunJRBvmPMsV2zjrGJ5MYFw7UH/gYhjO2CGnRlJUCAHDFr7u+
+f/AJYb9qSS6exSFGhl7tBAxEAQAizy2eCSde/rXqbNH8QPz4SM/J436GPdxcaTRD
+Lj+bkbcEPY6QqPPodDHn
+=JVB9
+-----END PGP SIGNATURE-----
diff --git a/share/security/advisories/FreeBSD-EN-16:16.hv_storvsc.asc b/share/security/advisories/FreeBSD-EN-16:16.hv_storvsc.asc
new file mode 100644
index 0000000000..c10829b9d3
--- /dev/null
+++ b/share/security/advisories/FreeBSD-EN-16:16.hv_storvsc.asc
@@ -0,0 +1,131 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-16:16.hv_storvsc Errata Notice
+ The FreeBSD Project
+
+Topic: Fix SCSI INQUIRY checks and error handling
+
+Category: core
+Module: hv_storvsc
+Announced: 2016-08-12
+Credits: Microsoft OSTC
+Affects: FreeBSD 10.3
+Corrected: 2016-07-15 02:29:10 UTC (stable/10, 10.2-STABLE)
+ 2016-08-12 04:01:16 UTC (releng/10.3, 10.3-RELEASE-p7)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+.
+
+I. Background
+
+The Hyper-V storage driver, hv_storsvc(4), uses the SCSI INQUIRY command to
+detect the presence of SCSI LUNs.
+
+II. Problem Description
+
+The hv_storsvc(4) driver assumes 36-byte responses to the INQUIRY command,
+which is not always the case. When a shorter response is received, it can
+lead to unexpected behavior.
+
+If the host changes the virtual disk capacity, responses from the host to the
+virtual machine guest next command (such as READ CAPACITY or INQUIRY) return
+an error with sense data supplied. The hv_storsvc(4) driver does not check
+the error status properly, so the upper SCSI layer treats the command as being
+successfully executed, resulting in unexpected behavior.
+
+III. Impact
+
+There are several manifestations of the impact, such as disk hotplug not
+working reliably, SMART checks on the disk with 'smartctl -i /dev/da0' can
+cause the disk to detach and crash the machine, and online resizing not
+working reliably.
+
+IV. Workaround
+
+No workaround is available, however FreeBSD virtual machines not running in
+Hyper-V or Azure are unaffected.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date. After which, reboot the
+system.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+After which, reboot the system.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-16:16/hv_storvsc.patch
+# fetch https://security.FreeBSD.org/patches/EN-16:16/hv_storvsc.patch.asc
+# gpg --verify hv_storvsc.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+ and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/10/ r302863
+releng/10.3/ r303984
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+
+
+VII. References
+
+The latest revision of this advisory is available at
+
+
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJXrUslAAoJEO1n7NZdz2rnoeUP/0dlvrBv/wocTjPu+6K5OjIA
++GAvrrI+pESdnBQwYcIBfxq/YJIsgzVBAlqnrR1/s2fVOtkvhdcvzJAQSEVlvaYa
+sJI2wn3lcT8KcH/JfNTxm/TgdDS25kPFl9SG1EdxE6ZSQHC4A0mjoEO9z4S7cq9i
+FYS3VjY7AqZDJx6lCvQjW0Th4S/tvW1YZ62Tlnq3IT0JVpvVlxxPP9Qau7Z4DX8I
+Pr+EqmBGdKINfzDXlrJ3TtLJ094mZw2CrhF1exmpdPAiuCUcKlt7xa6jGtm939iX
+Pur9bIxl8pB/+uPB+vRq5wjzmg7s3ld8BWBV/NJjeLXSFb0hRxWcdbuvqcpiolQu
+nIFsyaZ5h3QSxZG4NydB2Cr/A5lPG0aVGs76V9OnRbMy53NUrkyWZtGq0Qoyu9Zj
+XaMDGeiFZcuR7VynrClGtJ9L+oeewQvScPsB5D2cwS+xsey7bTlOrpfT55Zouew2
+4gsuW8kmoxq8zE3pqLn41td+ERrH0mFp1/0Zk4NdB5ylJA/o2DFeMIiJpHZ0OtWE
+T0KJ05Hz2UkjaPx1UUUC1D3GTunETXMHu62XhgsJi9tJltKiHZskWZYS9u2zDP57
+67nDjaORLbPIXUvMcQoOw/o7wFB4JWcnu/NUJdCHHHcSlec49fT+tfDzZvcfycrk
+lTEHTA0GabtHC2G7vc+v
+=3gBz
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/EN-16:10/dhclient.patch b/share/security/patches/EN-16:10/dhclient.patch
new file mode 100644
index 0000000000..0594f62180
--- /dev/null
+++ b/share/security/patches/EN-16:10/dhclient.patch
@@ -0,0 +1,39 @@
+Index: sbin/dhclient/dhclient.c
+===================================================================
+--- sbin/dhclient/dhclient.c (revision 302284)
++++ sbin/dhclient/dhclient.c (working copy)
+@@ -2277,6 +2277,17 @@ script_set_env(struct client_state *clie
+ {
+ int i, j, namelen;
+
++ /* No `` or $() command substitution allowed in environment values! */
++ for (j=0; j < strlen(value); j++)
++ switch (value[j]) {
++ case '`':
++ case '$':
++ warning("illegal character (%c) in value '%s'",
++ value[j], value);
++ /* Ignore this option */
++ return;
++ }
++
+ namelen = strlen(name);
+
+ for (i = 0; client->scriptEnv[i]; i++)
+@@ -2313,16 +2324,6 @@ script_set_env(struct client_state *clie
+ strlen(value) + 1);
+ if (client->scriptEnv[i] == NULL)
+ error("script_set_env: no memory for variable assignment");
+-
+- /* No `` or $() command substitution allowed in environment values! */
+- for (j=0; j < strlen(value); j++)
+- switch (value[j]) {
+- case '`':
+- case '$':
+- error("illegal character (%c) in value '%s'", value[j],
+- value);
+- /* not reached */
+- }
+ snprintf(client->scriptEnv[i], strlen(prefix) + strlen(name) +
+ 1 + strlen(value) + 1, "%s%s=%s", prefix, name, value);
+ }
diff --git a/share/security/patches/EN-16:10/dhclient.patch.asc b/share/security/patches/EN-16:10/dhclient.patch.asc
new file mode 100644
index 0000000000..70403c2fb0
--- /dev/null
+++ b/share/security/patches/EN-16:10/dhclient.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJXrUseAAoJEO1n7NZdz2rnwP0QAI7YUXZJx2RdqNjDyTems1IR
+/tR3utSSm6MUqIA5JkSKXBj6g8o04S9VA+HRBW6TlN/KhKHYhLaCW5O4etMlp7xu
+5OYahVFAj5uMteBpvr0H0WK5NInt5Pw6YAlv7E9G7qjgKWSSsDV5h5C4xUHSSDhP
+PDn3/GXCInEY2bLIhdPcGJelPEzdCKREQWEwz1A2IjOM5rGTMAiCMvW5jW0sZd0K
++b65Dd25X1h37bFbexZy8hNIR0HyROAzsHSOV8yjf0625sib7dippVxv6ARjBX3p
+Lm88B7SI4MwW31CtsOAzjRw0Ibu+ASAx/5jRU8NppS3HZSICAk0Xjqq50m/vtCcs
+ognAqhwKHHtxfrs+UePwA9Xi6hsNcwC66HIeX1MZw7hs7FSTfheo4iy2PohbeCoW
+46RUc66RKehanG67CLe5GtYX5OzlQbzM0/KlqXZ11FvT3yXeTbCqx55ViDMOj31B
+P/Gf43Ct59DB5dIcmjqNCIIIvvAYnlqWuSDZWMj+SmYlrTbPFbKFXZaqGleXIi2j
+VVS7waoD9Bxuz+Qfaw97khFsS+QvpQWQnwGQARrb+74YeK9MbQFQ9jT2CCuWWcjF
+JXwfl8Z1wiMgQxWu7AxzAGGmdlSe9w5xuaPz0ep84t1fXgBvzkG/7W56XJWIXgfZ
+RLkTFs/7ZFPzR2ej1aXw
+=z8D3
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/EN-16:11/vmbus.patch b/share/security/patches/EN-16:11/vmbus.patch
new file mode 100644
index 0000000000..2f4b393d08
--- /dev/null
+++ b/share/security/patches/EN-16:11/vmbus.patch
@@ -0,0 +1,218 @@
+--- sys/dev/hyperv/vmbus/hv_channel.c.orig
++++ sys/dev/hyperv/vmbus/hv_channel.c
+@@ -180,12 +180,12 @@
+ if (user_data_len)
+ memcpy(open_msg->user_data, user_data, user_data_len);
+
+- mtx_lock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++ mtx_lock(&hv_vmbus_g_connection.channel_msg_lock);
+ TAILQ_INSERT_TAIL(
+ &hv_vmbus_g_connection.channel_msg_anchor,
+ open_info,
+ msg_list_entry);
+- mtx_unlock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++ mtx_unlock(&hv_vmbus_g_connection.channel_msg_lock);
+
+ ret = hv_vmbus_post_message(
+ open_msg, sizeof(hv_vmbus_channel_open_channel));
+@@ -212,12 +212,12 @@
+ }
+
+ cleanup:
+- mtx_lock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++ mtx_lock(&hv_vmbus_g_connection.channel_msg_lock);
+ TAILQ_REMOVE(
+ &hv_vmbus_g_connection.channel_msg_anchor,
+ open_info,
+ msg_list_entry);
+- mtx_unlock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++ mtx_unlock(&hv_vmbus_g_connection.channel_msg_lock);
+ sema_destroy(&open_info->wait_sema);
+ free(open_info, M_DEVBUF);
+
+@@ -401,13 +401,13 @@
+ gpadl_msg->child_rel_id = channel->offer_msg.child_rel_id;
+ gpadl_msg->gpadl = next_gpadl_handle;
+
+- mtx_lock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++ mtx_lock(&hv_vmbus_g_connection.channel_msg_lock);
+ TAILQ_INSERT_TAIL(
+ &hv_vmbus_g_connection.channel_msg_anchor,
+ msg_info,
+ msg_list_entry);
+
+- mtx_unlock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++ mtx_unlock(&hv_vmbus_g_connection.channel_msg_lock);
+
+ ret = hv_vmbus_post_message(
+ gpadl_msg,
+@@ -446,10 +446,10 @@
+
+ cleanup:
+
+- mtx_lock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++ mtx_lock(&hv_vmbus_g_connection.channel_msg_lock);
+ TAILQ_REMOVE(&hv_vmbus_g_connection.channel_msg_anchor,
+ msg_info, msg_list_entry);
+- mtx_unlock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++ mtx_unlock(&hv_vmbus_g_connection.channel_msg_lock);
+
+ sema_destroy(&msg_info->wait_sema);
+ free(msg_info, M_DEVBUF);
+@@ -488,10 +488,10 @@
+ msg->child_rel_id = channel->offer_msg.child_rel_id;
+ msg->gpadl = gpadl_handle;
+
+- mtx_lock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++ mtx_lock(&hv_vmbus_g_connection.channel_msg_lock);
+ TAILQ_INSERT_TAIL(&hv_vmbus_g_connection.channel_msg_anchor,
+ info, msg_list_entry);
+- mtx_unlock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++ mtx_unlock(&hv_vmbus_g_connection.channel_msg_lock);
+
+ ret = hv_vmbus_post_message(msg,
+ sizeof(hv_vmbus_channel_gpadl_teardown));
+@@ -504,10 +504,10 @@
+ /*
+ * Received a torndown response
+ */
+- mtx_lock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++ mtx_lock(&hv_vmbus_g_connection.channel_msg_lock);
+ TAILQ_REMOVE(&hv_vmbus_g_connection.channel_msg_anchor,
+ info, msg_list_entry);
+- mtx_unlock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++ mtx_unlock(&hv_vmbus_g_connection.channel_msg_lock);
+ sema_destroy(&info->wait_sema);
+ free(info, M_DEVBUF);
+
+--- sys/dev/hyperv/vmbus/hv_channel_mgmt.c.orig
++++ sys/dev/hyperv/vmbus/hv_channel_mgmt.c
+@@ -567,7 +567,7 @@
+ /*
+ * Find the open msg, copy the result and signal/unblock the wait event
+ */
+- mtx_lock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++ mtx_lock(&hv_vmbus_g_connection.channel_msg_lock);
+
+ TAILQ_FOREACH(msg_info, &hv_vmbus_g_connection.channel_msg_anchor,
+ msg_list_entry) {
+@@ -585,7 +585,7 @@
+ }
+ }
+ }
+- mtx_unlock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++ mtx_unlock(&hv_vmbus_g_connection.channel_msg_lock);
+
+ }
+
+@@ -609,7 +609,7 @@
+ /* Find the establish msg, copy the result and signal/unblock
+ * the wait event
+ */
+- mtx_lock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++ mtx_lock(&hv_vmbus_g_connection.channel_msg_lock);
+ TAILQ_FOREACH(msg_info, &hv_vmbus_g_connection.channel_msg_anchor,
+ msg_list_entry) {
+ request_header = (hv_vmbus_channel_msg_header*) msg_info->msg;
+@@ -628,7 +628,7 @@
+ }
+ }
+ }
+- mtx_unlock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++ mtx_unlock(&hv_vmbus_g_connection.channel_msg_lock);
+ }
+
+ /**
+@@ -653,7 +653,7 @@
+ * wait event.
+ */
+
+- mtx_lock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++ mtx_lock(&hv_vmbus_g_connection.channel_msg_lock);
+
+ TAILQ_FOREACH(msg_info, &hv_vmbus_g_connection.channel_msg_anchor,
+ msg_list_entry) {
+@@ -673,7 +673,7 @@
+ }
+ }
+ }
+- mtx_unlock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++ mtx_unlock(&hv_vmbus_g_connection.channel_msg_lock);
+ }
+
+ /**
+@@ -693,7 +693,7 @@
+
+ versionResponse = (hv_vmbus_channel_version_response*)hdr;
+
+- mtx_lock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++ mtx_lock(&hv_vmbus_g_connection.channel_msg_lock);
+ TAILQ_FOREACH(msg_info, &hv_vmbus_g_connection.channel_msg_anchor,
+ msg_list_entry) {
+ requestHeader = (hv_vmbus_channel_msg_header*) msg_info->msg;
+@@ -707,7 +707,7 @@
+ sema_post(&msg_info->wait_sema);
+ }
+ }
+- mtx_unlock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++ mtx_unlock(&hv_vmbus_g_connection.channel_msg_lock);
+
+ }
+
+--- sys/dev/hyperv/vmbus/hv_connection.c.orig
++++ sys/dev/hyperv/vmbus/hv_connection.c
+@@ -101,26 +101,26 @@
+ * Add to list before we send the request since we may receive the
+ * response before returning from this routine
+ */
+- mtx_lock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++ mtx_lock(&hv_vmbus_g_connection.channel_msg_lock);
+
+ TAILQ_INSERT_TAIL(
+ &hv_vmbus_g_connection.channel_msg_anchor,
+ msg_info,
+ msg_list_entry);
+
+- mtx_unlock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++ mtx_unlock(&hv_vmbus_g_connection.channel_msg_lock);
+
+ ret = hv_vmbus_post_message(
+ msg,
+ sizeof(hv_vmbus_channel_initiate_contact));
+
+ if (ret != 0) {
+- mtx_lock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++ mtx_lock(&hv_vmbus_g_connection.channel_msg_lock);
+ TAILQ_REMOVE(
+ &hv_vmbus_g_connection.channel_msg_anchor,
+ msg_info,
+ msg_list_entry);
+- mtx_unlock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++ mtx_unlock(&hv_vmbus_g_connection.channel_msg_lock);
+ return (ret);
+ }
+
+@@ -129,12 +129,12 @@
+ */
+ ret = sema_timedwait(&msg_info->wait_sema, 5 * hz); /* KYS 5 seconds */
+
+- mtx_lock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++ mtx_lock(&hv_vmbus_g_connection.channel_msg_lock);
+ TAILQ_REMOVE(
+ &hv_vmbus_g_connection.channel_msg_anchor,
+ msg_info,
+ msg_list_entry);
+- mtx_unlock_spin(&hv_vmbus_g_connection.channel_msg_lock);
++ mtx_unlock(&hv_vmbus_g_connection.channel_msg_lock);
+
+ /**
+ * Check if successful
+@@ -173,7 +173,7 @@
+
+ TAILQ_INIT(&hv_vmbus_g_connection.channel_msg_anchor);
+ mtx_init(&hv_vmbus_g_connection.channel_msg_lock, "vmbus channel msg",
+- NULL, MTX_SPIN);
++ NULL, MTX_DEF);
+
+ TAILQ_INIT(&hv_vmbus_g_connection.channel_anchor);
+ mtx_init(&hv_vmbus_g_connection.channel_lock, "vmbus channel",
diff --git a/share/security/patches/EN-16:11/vmbus.patch.asc b/share/security/patches/EN-16:11/vmbus.patch.asc
new file mode 100644
index 0000000000..b1efe65fe6
--- /dev/null
+++ b/share/security/patches/EN-16:11/vmbus.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJXrUsfAAoJEO1n7NZdz2rn6HkP/jxUR6mhiG66F9BIdl+eCXko
+c4SzLXhxW4LpDuu106dTyK5/jOVWAfSHQ58IGSlV3YOGEh2f8UsdA1OGtsg4MW6G
+2ljohahowBaKhZvNSEZLvLKKzg5NIvb63NQjg/XJ0GLvHfXp7fA/7LGadGTgiQUs
+iRzjEm/Mjw6UHi8R720CgFJsHSKtPftD9VWzp+J7Bf5vrP8xdFLsWNSWWNZFrMQ7
+knKrtgik/vPxzWonR81MYRcaE7OqyZ9hQb0EqBw5e3Tl4EXC01MpxGBkFwjHRjB2
+DvxQKfpTy//gpM4FrZLS5aXAa9OXkFOCNqXrO+BxaYf4m4DuxhLG6NZI8ocKOr+b
+viHOXucP79jf3u04XUOFVPCf4DJ2jvzuqWYD6cOEakB06uDmjCgpgkbgWyqY1wkl
+tcYmuqIl9cv0vZFLtbhk8zKnkCg+uLRN4C+O5Fc6mQev9ytSy56l16Vm496I56Xx
+zCOy+I7RJRbGtBaE4CXLIXMSlYWVmL+o986m4OGzMN4a7tCRVyxziLPVv3P2Yjnm
+gj4b/9qZzU5Voa/adojj4kmwLDSTyhhofbJuED0Q2eWwo300gfZheNGF8aKkO7yF
+4eZvcUE/+NnsNUz1tPVCfYZ5sf2aB6W6fcXjeMuD/ytUmwrxdN4mSp0z+3mA9SXo
+8Hic0sf3VDsHc4YeEsy9
+=jPaX
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/EN-16:12/hv_storvsc.patch b/share/security/patches/EN-16:12/hv_storvsc.patch
new file mode 100644
index 0000000000..0b1b9d3088
--- /dev/null
+++ b/share/security/patches/EN-16:12/hv_storvsc.patch
@@ -0,0 +1,205 @@
+--- sys/dev/hyperv/storvsc/hv_storvsc_drv_freebsd.c.orig
++++ sys/dev/hyperv/storvsc/hv_storvsc_drv_freebsd.c
+@@ -81,12 +81,6 @@
+ #define BLKVSC_MAX_IO_REQUESTS STORVSC_MAX_IO_REQUESTS
+ #define STORVSC_MAX_TARGETS (2)
+
+-#define STORVSC_WIN7_MAJOR 4
+-#define STORVSC_WIN7_MINOR 2
+-
+-#define STORVSC_WIN8_MAJOR 5
+-#define STORVSC_WIN8_MINOR 1
+-
+ #define VSTOR_PKT_SIZE (sizeof(struct vstor_packet) - vmscsi_size_delta)
+
+ #define HV_ALIGN(x, a) roundup2(x, a)
+@@ -208,7 +202,7 @@
+ * Sense buffer size changed in win8; have a run-time
+ * variable to track the size we should use.
+ */
+-static int sense_buffer_size;
++static int sense_buffer_size = PRE_WIN8_STORVSC_SENSE_BUFFER_SIZE;
+
+ /*
+ * The size of the vmscsi_request has changed in win8. The
+@@ -218,9 +212,46 @@
+ * Track the correct size we need to apply.
+ */
+ static int vmscsi_size_delta;
++/*
++ * The storage protocol version is determined during the
++ * initial exchange with the host. It will indicate which
++ * storage functionality is available in the host.
++*/
++static int vmstor_proto_version;
++
++struct vmstor_proto {
++ int proto_version;
++ int sense_buffer_size;
++ int vmscsi_size_delta;
++};
+
+-static int storvsc_current_major;
+-static int storvsc_current_minor;
++static const struct vmstor_proto vmstor_proto_list[] = {
++ {
++ VMSTOR_PROTOCOL_VERSION_WIN10,
++ POST_WIN7_STORVSC_SENSE_BUFFER_SIZE,
++ 0
++ },
++ {
++ VMSTOR_PROTOCOL_VERSION_WIN8_1,
++ POST_WIN7_STORVSC_SENSE_BUFFER_SIZE,
++ 0
++ },
++ {
++ VMSTOR_PROTOCOL_VERSION_WIN8,
++ POST_WIN7_STORVSC_SENSE_BUFFER_SIZE,
++ 0
++ },
++ {
++ VMSTOR_PROTOCOL_VERSION_WIN7,
++ PRE_WIN8_STORVSC_SENSE_BUFFER_SIZE,
++ sizeof(struct vmscsi_win8_extension),
++ },
++ {
++ VMSTOR_PROTOCOL_VERSION_WIN6,
++ PRE_WIN8_STORVSC_SENSE_BUFFER_SIZE,
++ sizeof(struct vmscsi_win8_extension),
++ }
++};
+
+ /* static functions */
+ static int storvsc_probe(device_t dev);
+@@ -435,7 +466,7 @@
+ static int
+ hv_storvsc_channel_init(struct hv_device *dev)
+ {
+- int ret = 0;
++ int ret = 0, i;
+ struct hv_storvsc_request *request;
+ struct vstor_packet *vstor_packet;
+ struct storvsc_softc *sc;
+@@ -484,19 +515,20 @@
+ goto cleanup;
+ }
+
+- /* reuse the packet for version range supported */
++ for (i = 0; i < nitems(vmstor_proto_list); i++) {
++ /* reuse the packet for version range supported */
+
+- memset(vstor_packet, 0, sizeof(struct vstor_packet));
+- vstor_packet->operation = VSTOR_OPERATION_QUERYPROTOCOLVERSION;
+- vstor_packet->flags = REQUEST_COMPLETION_FLAG;
++ memset(vstor_packet, 0, sizeof(struct vstor_packet));
++ vstor_packet->operation = VSTOR_OPERATION_QUERYPROTOCOLVERSION;
++ vstor_packet->flags = REQUEST_COMPLETION_FLAG;
+
+- vstor_packet->u.version.major_minor =
+- VMSTOR_PROTOCOL_VERSION(storvsc_current_major, storvsc_current_minor);
++ vstor_packet->u.version.major_minor =
++ vmstor_proto_list[i].proto_version;
+
+- /* revision is only significant for Windows guests */
+- vstor_packet->u.version.revision = 0;
++ /* revision is only significant for Windows guests */
++ vstor_packet->u.version.revision = 0;
+
+- ret = hv_vmbus_channel_send_packet(
++ ret = hv_vmbus_channel_send_packet(
+ dev->channel,
+ vstor_packet,
+ VSTOR_PKT_SIZE,
+@@ -504,20 +536,34 @@
+ HV_VMBUS_PACKET_TYPE_DATA_IN_BAND,
+ HV_VMBUS_DATA_PACKET_FLAG_COMPLETION_REQUESTED);
+
+- if (ret != 0)
+- goto cleanup;
++ if (ret != 0)
++ goto cleanup;
+
+- /* wait 5 seconds */
+- ret = sema_timedwait(&request->synch_sema, 5 * hz);
++ /* wait 5 seconds */
++ ret = sema_timedwait(&request->synch_sema, 5 * hz);
+
+- if (ret)
+- goto cleanup;
++ if (ret)
++ goto cleanup;
+
+- /* TODO: Check returned version */
+- if (vstor_packet->operation != VSTOR_OPERATION_COMPLETEIO ||
+- vstor_packet->status != 0)
+- goto cleanup;
++ if (vstor_packet->operation != VSTOR_OPERATION_COMPLETEIO) {
++ ret = EINVAL;
++ goto cleanup;
++ }
++ if (vstor_packet->status == 0) {
++ vmstor_proto_version =
++ vmstor_proto_list[i].proto_version;
++ sense_buffer_size =
++ vmstor_proto_list[i].sense_buffer_size;
++ vmscsi_size_delta =
++ vmstor_proto_list[i].vmscsi_size_delta;
++ break;
++ }
++ }
+
++ if (vstor_packet->status != 0) {
++ ret = EINVAL;
++ goto cleanup;
++ }
+ /**
+ * Query channel properties
+ */
+@@ -916,19 +962,6 @@
+ int ata_disk_enable = 0;
+ int ret = ENXIO;
+
+- if (hv_vmbus_protocal_version == HV_VMBUS_VERSION_WS2008 ||
+- hv_vmbus_protocal_version == HV_VMBUS_VERSION_WIN7) {
+- sense_buffer_size = PRE_WIN8_STORVSC_SENSE_BUFFER_SIZE;
+- vmscsi_size_delta = sizeof(struct vmscsi_win8_extension);
+- storvsc_current_major = STORVSC_WIN7_MAJOR;
+- storvsc_current_minor = STORVSC_WIN7_MINOR;
+- } else {
+- sense_buffer_size = POST_WIN7_STORVSC_SENSE_BUFFER_SIZE;
+- vmscsi_size_delta = 0;
+- storvsc_current_major = STORVSC_WIN8_MAJOR;
+- storvsc_current_minor = STORVSC_WIN8_MINOR;
+- }
+-
+ switch (storvsc_get_storage_type(dev)) {
+ case DRIVER_BLKVSC:
+ if(bootverbose)
+@@ -2064,6 +2097,13 @@
+ ((ccb->ccb_h.flags & CAM_CDB_POINTER) ?
+ csio->cdb_io.cdb_ptr : csio->cdb_io.cdb_bytes);
+ if (cmd->opcode == INQUIRY &&
++ /*
++ * XXX: Temporary work around disk hot plugin on win2k12r2,
++ * only filtering the invalid disk on win10 or 2016 server.
++ * So, the hot plugin on win10 and 2016 server needs
++ * to be fixed.
++ */
++ vmstor_proto_version == VMSTOR_PROTOCOL_VERSION_WIN10 &&
+ is_inquiry_valid(
+ (const struct scsi_inquiry_data *)csio->data_ptr) == 0) {
+ ccb->ccb_h.status |= CAM_DEV_NOT_THERE;
+--- sys/dev/hyperv/storvsc/hv_vstorage.h.orig
++++ sys/dev/hyperv/storvsc/hv_vstorage.h
+@@ -41,6 +41,11 @@
+ #define VMSTOR_PROTOCOL_VERSION(MAJOR_, MINOR_) ((((MAJOR_) & 0xff) << 8) | \
+ (((MINOR_) & 0xff) ))
+
++#define VMSTOR_PROTOCOL_VERSION_WIN6 VMSTOR_PROTOCOL_VERSION(2, 0)
++#define VMSTOR_PROTOCOL_VERSION_WIN7 VMSTOR_PROTOCOL_VERSION(4, 2)
++#define VMSTOR_PROTOCOL_VERSION_WIN8 VMSTOR_PROTOCOL_VERSION(5, 1)
++#define VMSTOR_PROTOCOL_VERSION_WIN8_1 VMSTOR_PROTOCOL_VERSION(6, 0)
++#define VMSTOR_PROTOCOL_VERSION_WIN10 VMSTOR_PROTOCOL_VERSION(6, 2)
+ /*
+ * Invalid version.
+ */
diff --git a/share/security/patches/EN-16:12/hv_storvsc.patch.asc b/share/security/patches/EN-16:12/hv_storvsc.patch.asc
new file mode 100644
index 0000000000..e77109c4f3
--- /dev/null
+++ b/share/security/patches/EN-16:12/hv_storvsc.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJXrUsgAAoJEO1n7NZdz2rna2MP/0vEjB5HY78W/jI/owx0l5WI
+zFe0R1ZdBDlYmVxnYmUcB9/7FciyvbQDcnpVtr8evqUxnmXj0MEK5iQBoi7t2cao
+gfykz4Yh+ZU8UVPKVGardFvgVsphwnahlEmQ5HJrlJy5b2Cgf1+c5UsBZu+310+n
+O7Z7vuP48DW/n/8ihz0du/kGjl5LAxgDGZsZUfkKpw9JBsrWOf4ssmqprGZOy4f7
+TCXt3OfZo87PdKy+21hVz6ekc7SWuNIrwzEc6Yc8YKgUpTxoOg030L2ixOpOytDb
+a3oen2nqWm/XgjReg/+lA2PkedY6WoOqXmmEWMeIm4JHBrZARJmAJD+2KQwJy/dk
+vjlMrK7Um5jR9r6gmQ2mWZs8HaK4q3cHIcR6j/LiFH3DO6nkTYd24uAe3IkQB3kW
+6z1Yru9cSZA5wuXAA3acGPO6LyVClHm9m3LiDamuSrVHDiLZVt999cBLHPB27rko
+5o0+INutJrkcfiIu2Rxw8Mc8Bw4wL6qaWda0eh2wufNFN9KEMcuIW36pVx58Ya2k
+CIWshuKfBCvAj2x25uZGGs7RyvEKGxPll1KxsmedjWy/ZhSK6bzR1hhUSE7gXMA4
+pYH0pfc0ECBO/AL9213kctmNeo+a9HRUyAPSqWUiiYcSEHTTlFG9efyEPEIcjgwu
+yy8y9/u+1MnI6+9ekO7/
+=L9SS
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/EN-16:13/vmbus.patch b/share/security/patches/EN-16:13/vmbus.patch
new file mode 100644
index 0000000000..f58e0624a3
--- /dev/null
+++ b/share/security/patches/EN-16:13/vmbus.patch
@@ -0,0 +1,155 @@
+--- sys/dev/hyperv/vmbus/hv_hv.c.orig
++++ sys/dev/hyperv/vmbus/hv_hv.c
+@@ -33,6 +33,7 @@
+ __FBSDID("$FreeBSD$");
+
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -50,6 +51,9 @@
+
+ static u_int hv_get_timecount(struct timecounter *tc);
+
++u_int hyperv_features;
++u_int hyperv_recommends;
++
+ /**
+ * Globals
+ */
+@@ -211,8 +215,6 @@
+
+ hv_vmbus_g_context.hypercall_page = virt_addr;
+
+- tc_init(&hv_timecounter); /* register virtual timecount */
+-
+ hv_et_init();
+
+ return (0);
+@@ -427,3 +429,93 @@
+ wrmsr(HV_X64_MSR_SIEFP, siefp.as_uint64_t);
+ }
+
++static bool
++hyperv_identify(void)
++{
++ u_int regs[4];
++ unsigned int maxLeaf;
++ unsigned int op;
++
++ if (vm_guest != VM_GUEST_HV)
++ return (false);
++
++ op = HV_CPU_ID_FUNCTION_HV_VENDOR_AND_MAX_FUNCTION;
++ do_cpuid(op, regs);
++ maxLeaf = regs[0];
++ if (maxLeaf < HV_CPU_ID_FUNCTION_MS_HV_IMPLEMENTATION_LIMITS)
++ return (false);
++
++ op = HV_CPU_ID_FUNCTION_HV_INTERFACE;
++ do_cpuid(op, regs);
++ if (regs[0] != 0x31237648 /* HV#1 */)
++ return (false);
++
++ op = HV_CPU_ID_FUNCTION_MS_HV_FEATURES;
++ do_cpuid(op, regs);
++ if ((regs[0] & HV_FEATURE_MSR_HYPERCALL) == 0) {
++ /*
++ * Hyper-V w/o Hypercall is impossible; someone
++ * is faking Hyper-V.
++ */
++ return (false);
++ }
++ hyperv_features = regs[0];
++
++ op = HV_CPU_ID_FUNCTION_MS_HV_VERSION;
++ do_cpuid(op, regs);
++ printf("Hyper-V Version: %d.%d.%d [SP%d]\n",
++ regs[1] >> 16, regs[1] & 0xffff, regs[0], regs[2]);
++
++ printf(" Features: 0x%b\n", hyperv_features,
++ "\020"
++ "\001VPRUNTIME"
++ "\002TMREFCNT"
++ "\003SYNCIC"
++ "\004SYNCTM"
++ "\005APIC"
++ "\006HYERCALL"
++ "\007VPINDEX"
++ "\010RESET"
++ "\011STATS"
++ "\012REFTSC"
++ "\013IDLE"
++ "\014TMFREQ"
++ "\015DEBUG");
++
++ op = HV_CPU_ID_FUNCTION_MS_HV_ENLIGHTENMENT_INFORMATION;
++ do_cpuid(op, regs);
++ hyperv_recommends = regs[0];
++ if (bootverbose)
++ printf(" Recommends: %08x %08x\n", regs[0], regs[1]);
++
++ op = HV_CPU_ID_FUNCTION_MS_HV_IMPLEMENTATION_LIMITS;
++ do_cpuid(op, regs);
++ if (bootverbose) {
++ printf(" Limits: Vcpu:%d Lcpu:%d Int:%d\n",
++ regs[0], regs[1], regs[2]);
++ }
++
++ if (maxLeaf >= HV_CPU_ID_FUNCTION_MS_HV_HARDWARE_FEATURE) {
++ op = HV_CPU_ID_FUNCTION_MS_HV_HARDWARE_FEATURE;
++ do_cpuid(op, regs);
++ if (bootverbose) {
++ printf(" HW Features: %08x AMD: %08x\n",
++ regs[0], regs[3]);
++ }
++ }
++
++ return (true);
++}
++
++static void
++hyperv_init(void *dummy __unused)
++{
++ if (!hyperv_identify())
++ return;
++
++ if (hyperv_features & HV_FEATURE_MSR_TIME_REFCNT) {
++ /* Register virtual timecount */
++ tc_init(&hv_timecounter);
++ }
++}
++SYSINIT(hyperv_initialize, SI_SUB_HYPERVISOR, SI_ORDER_FIRST, hyperv_init, NULL);
+--- sys/dev/hyperv/vmbus/hv_vmbus_priv.h.orig
++++ sys/dev/hyperv/vmbus/hv_vmbus_priv.h
+@@ -471,10 +471,17 @@
+ HV_CPU_ID_FUNCTION_MS_HV_VERSION = 0x40000002,
+ HV_CPU_ID_FUNCTION_MS_HV_FEATURES = 0x40000003,
+ HV_CPU_ID_FUNCTION_MS_HV_ENLIGHTENMENT_INFORMATION = 0x40000004,
+- HV_CPU_ID_FUNCTION_MS_HV_IMPLEMENTATION_LIMITS = 0x40000005
+-
++ HV_CPU_ID_FUNCTION_MS_HV_IMPLEMENTATION_LIMITS = 0x40000005,
++ HV_CPU_ID_FUNCTION_MS_HV_HARDWARE_FEATURE = 0x40000006
+ } hv_vmbus_cpuid_function;
+
++#define HV_FEATURE_MSR_TIME_REFCNT (1 << 1)
++#define HV_FEATURE_MSR_SYNCIC (1 << 2)
++#define HV_FEATURE_MSR_STIMER (1 << 3)
++#define HV_FEATURE_MSR_APIC (1 << 4)
++#define HV_FEATURE_MSR_HYPERCALL (1 << 5)
++#define HV_FEATURE_MSR_GUEST_IDLE (1 << 10)
++
+ /*
+ * Define the format of the SIMP register
+ */
+@@ -628,6 +635,9 @@
+ extern hv_vmbus_context hv_vmbus_g_context;
+ extern hv_vmbus_connection hv_vmbus_g_connection;
+
++extern u_int hyperv_features;
++extern u_int hyperv_recommends;
++
+ typedef void (*vmbus_msg_handler)(hv_vmbus_channel_msg_header *msg);
+
+ typedef struct hv_vmbus_channel_msg_table_entry {
diff --git a/share/security/patches/EN-16:13/vmbus.patch.asc b/share/security/patches/EN-16:13/vmbus.patch.asc
new file mode 100644
index 0000000000..e37eefabc3
--- /dev/null
+++ b/share/security/patches/EN-16:13/vmbus.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJXrUsiAAoJEO1n7NZdz2rn7oUQAMIlJ7FfdYN3ncISxokj1Y9o
+TDY+KYS0ucNVrCs1fQZL4oKQptpWjJ65A6559samZgSvf9szrp3NOB3TonyAGBLG
+l/zR0eR7SpMsZZh7uAW1LgUGyTLcnj3/C9800HK5pkfDB8VQWi4a3WldzgkBkG/W
+PSrymoXg8xH4HC0WosOH096RmnOx7mt9PtAm3F0e6pJRvUiJixp1dhYYFFdm8T5Q
+Pgw/bhFBoMlxe3BNAlltLYJ0+YKH3WOjVGdwDcm8X5madmn0KA6KgtvWwu0hKSbH
+SeiThXJxe/uPrCcjGVALgY0iKflgsN38Do32+PIMMtZO/DFxx53bJJIrCPAmq97V
+qeUrkso5lhXDIcUEEs7V9RQJK3MouajQUbFtykd5y9SMPLTcNBes4HddrjIvOcBH
+NOMFAeG/7NwmWpdF703fCoqYO7cx9K2Q+HWi620uI5u2B0BatbU7Sx1uQE3o/XUb
+rtWSJp5mKNN5oPSxV3jd9nC6i14HrgrA/1ouhDTG1FrYBvh7TlfDpxmeuEGojiO/
+3S3l3KfPChOa3xEsdX4huLNlOQAAMtgibUsaQY+Yb2WhP/IOJdxU9FI6uBgmEAD/
+Coz26Dk9qLxvurUfNFUK7Kd4NQPIibjhUdhxjNq+1hJdBmGTVZ862vxTIUXtHeeI
+JXtRAvLVrygKpqu8kXzo
+=P6G6
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/EN-16:14/hv_storvsc.patch b/share/security/patches/EN-16:14/hv_storvsc.patch
new file mode 100644
index 0000000000..bfb0fa0671
--- /dev/null
+++ b/share/security/patches/EN-16:14/hv_storvsc.patch
@@ -0,0 +1,50 @@
+--- sys/dev/hyperv/storvsc/hv_storvsc_drv_freebsd.c.orig
++++ sys/dev/hyperv/storvsc/hv_storvsc_drv_freebsd.c
+@@ -1273,6 +1273,7 @@
+ }
+ #endif /* HVS_TIMEOUT_TEST */
+
++#ifdef notyet
+ /**
+ * @brief timeout handler for requests
+ *
+@@ -1320,6 +1321,7 @@
+ storvsc_timeout_test(reqp, MODE_SELECT_10, 1);
+ #endif
+ }
++#endif
+
+ /**
+ * @brief StorVSC device poll function
+@@ -1472,6 +1474,7 @@
+ return;
+ }
+
++#ifdef notyet
+ if (ccb->ccb_h.timeout != CAM_TIME_INFINITY) {
+ callout_init(&reqp->callout, CALLOUT_MPSAFE);
+ callout_reset_sbt(&reqp->callout,
+@@ -1491,6 +1494,7 @@
+ }
+ #endif /* HVS_TIMEOUT_TEST */
+ }
++#endif
+
+ if ((res = hv_storvsc_io_request(sc->hs_dev, reqp)) != 0) {
+ xpt_print(ccb->ccb_h.path,
+@@ -2039,6 +2043,7 @@
+ mtx_unlock(&sc->hs_lock);
+ }
+
++#ifdef notyet
+ /*
+ * callout_drain() will wait for the timer handler to finish
+ * if it is running. So we don't need any lock to synchronize
+@@ -2049,6 +2054,7 @@
+ if (ccb->ccb_h.timeout != CAM_TIME_INFINITY) {
+ callout_drain(&reqp->callout);
+ }
++#endif
+
+ ccb->ccb_h.status &= ~CAM_SIM_QUEUED;
+ ccb->ccb_h.status &= ~CAM_STATUS_MASK;
diff --git a/share/security/patches/EN-16:14/hv_storvsc.patch.asc b/share/security/patches/EN-16:14/hv_storvsc.patch.asc
new file mode 100644
index 0000000000..7e15e06762
--- /dev/null
+++ b/share/security/patches/EN-16:14/hv_storvsc.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJXrUsjAAoJEO1n7NZdz2rneWcQALoyKPTxSYmxNSocHI/PYZuS
+aD1S9T6prQZ4nWJXbM5Dqq2/SYXZ8FKCtdDIqZVZEm5iZf5Pv7vdAHcNYDA3fosg
+0y1cskwqhsIQMidS7CrTnX0R224PjrSnZOJlPpRx/EGKAb1OhbGYlBb1BvljpBFl
+oyQ31u63jdIZKR3RIEHWs8Bx6aOC+JDsThmXmOFwuIWk/ssot1kohUd+NQLSEVCh
+sZ6ArGpo6RRXQZXQqVMW9ZAL3q6KN0obmmAeSPadTcUME1U0W1fHtoLgVTRvskoI
+jd752MlnTRfEid9Ci6BiH7kUNM8FEpyWfiupl1/iQXvZevtR70lXHpMZ+vRKiZSt
+tjJa4+hLv8OnhZFCf6K+Ts8lJykswHv34UPYsemyNS+zJyOKbjiEMAXvCxklw8Rh
+AvGZT+Lq6QQeuz+suwL0I/F3XPLarH0waqRi6mbb9FYhmTilrKvjIk946kcIx22B
+8bCuB60RDV/WKOQMJnpts2w/JvXxqoigbTQubmkfZm8cv9VL1My4gHNso6U/OfAn
+C216dljcwYPWa0KTupjMpV8SvOq6YwV0F3AKSTGyu8Pv9A8MOUUt7kjuOIyxzfkH
+D8VO+i8mv96b6Tc5/iB6zJ+/q+aXCcnMlUiwZbF1PNUAHVjMMThwnPiTmuA4o6Ff
+djSfFj4gMMLwYPBnJlHJ
+=KT/g
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/EN-16:15/vmbus.patch b/share/security/patches/EN-16:15/vmbus.patch
new file mode 100644
index 0000000000..1fb7b0d14a
--- /dev/null
+++ b/share/security/patches/EN-16:15/vmbus.patch
@@ -0,0 +1,68 @@
+--- sys/dev/hyperv/vmbus/hv_connection.c.orig
++++ sys/dev/hyperv/vmbus/hv_connection.c
+@@ -476,31 +476,35 @@
+ /**
+ * Send a msg on the vmbus's message connection
+ */
+-int hv_vmbus_post_message(void *buffer, size_t bufferLen) {
+- int ret = 0;
++int hv_vmbus_post_message(void *buffer, size_t bufferLen)
++{
+ hv_vmbus_connection_id connId;
+- unsigned retries = 0;
+-
+- /* NetScaler delays from previous code were consolidated here */
+- static int delayAmount[] = {100, 100, 100, 500, 500, 5000, 5000, 5000};
+-
+- /* for(each entry in delayAmount) try to post message,
+- * delay a little bit before retrying
++ sbintime_t time = SBT_1MS;
++ int retries;
++ int ret;
++
++ connId.as_uint32_t = 0;
++ connId.u.id = HV_VMBUS_MESSAGE_CONNECTION_ID;
++
++ /*
++ * We retry to cope with transient failures caused by host side's
++ * insufficient resources. 20 times should suffice in practice.
+ */
+- for (retries = 0;
+- retries < sizeof(delayAmount)/sizeof(delayAmount[0]); retries++) {
+- connId.as_uint32_t = 0;
+- connId.u.id = HV_VMBUS_MESSAGE_CONNECTION_ID;
+- ret = hv_vmbus_post_msg_via_msg_ipc(connId, 1, buffer, bufferLen);
+- if (ret != HV_STATUS_INSUFFICIENT_BUFFERS)
+- break;
+- /* TODO: KYS We should use a blocking wait call */
+- DELAY(delayAmount[retries]);
++ for (retries = 0; retries < 20; retries++) {
++ ret = hv_vmbus_post_msg_via_msg_ipc(connId, 1, buffer,
++ bufferLen);
++ if (ret == HV_STATUS_SUCCESS)
++ return (0);
++
++ pause_sbt("pstmsg", time, 0, C_HARDCLOCK);
++ if (time < SBT_1S * 2)
++ time *= 2;
+ }
+
+- KASSERT(ret == 0, ("Error VMBUS: Message Post Failed\n"));
++ KASSERT(ret == HV_STATUS_SUCCESS,
++ ("Error VMBUS: Message Post Failed, ret=%d\n", ret));
+
+- return (ret);
++ return (EAGAIN);
+ }
+
+ /**
+--- sys/dev/hyperv/vmbus/hv_vmbus_priv.h.orig
++++ sys/dev/hyperv/vmbus/hv_vmbus_priv.h
+@@ -70,6 +70,7 @@
+ * You did not supply enough message buffers to send a message.
+ */
+
++#define HV_STATUS_SUCCESS ((uint16_t)0)
+ #define HV_STATUS_INSUFFICIENT_BUFFERS ((uint16_t)0x0013)
+
+ typedef void (*hv_vmbus_channel_callback)(void *context);
diff --git a/share/security/patches/EN-16:15/vmbus.patch.asc b/share/security/patches/EN-16:15/vmbus.patch.asc
new file mode 100644
index 0000000000..c032520474
--- /dev/null
+++ b/share/security/patches/EN-16:15/vmbus.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJXrUskAAoJEO1n7NZdz2rnKtwP/2M6zkmYtHxSbx0eSIT6Kr9+
+rOhe4WzffqxMS3wCr3uj3gAzOYUJXibtrdZcgok3xm+S/zUo6AvEd43AI1tInzLg
+Wz7OMtagEOxtDml4bQEBGAbT/HWx8EHulmSMhcFyS8X6dwYlIl7xBOIQ9RiGVdS4
+1ILYL6K2dDbB79Pn+wuAdcaJGexZeQNiFdEItVeHkbm+uq9IZRUoKn9ADa/LrFGp
+a9nTKAdRpxflRvk4e60bO10HoleuLEp/2WGkEE83Yo/XvMsfdonUj2htQy1yxki/
+RUYF7lVAU7ZeJPeBBYdocP0FISwWKBzW7P8+7+2aJPPlJF24smBD9dD1D64YMnDf
+qudoLdRAPPCCWdkykswcGFcCcN6V33HlJgEJbAQ2F+6bsktyU9xJ0+aNNVMAs/wD
+lEDAVfTf6Yc2Ly1XaWk9VRuD0xDAVxixURAwFbhTxdDqtmFc8V5ExqR5vrAXG66J
+hhoABljOmVhP23gq+QsCKQyvqjSaymWzCCq1N/3S9mLNrmWC6IOto1kyX0EdQEcX
+L5gb1xrNbKeMVenlqOI4x3xi3+BlAGl/ocXJ+ilQUAWR3JqBMR1PcWImdLK7QMQC
+FvSsZOAdSmo1FpXh8ZWRIxkj+TPwXRJAyL93oXEKqGZdL2OjdbVsuVIWNeXwGKQf
+5PA/9P4SAjXWCEVq3Duy
+=ccKT
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/EN-16:16/hv_storvsc.patch b/share/security/patches/EN-16:16/hv_storvsc.patch
new file mode 100644
index 0000000000..94ff9c816b
--- /dev/null
+++ b/share/security/patches/EN-16:16/hv_storvsc.patch
@@ -0,0 +1,165 @@
+--- sys/dev/hyperv/storvsc/hv_storvsc_drv_freebsd.c.orig
++++ sys/dev/hyperv/storvsc/hv_storvsc_drv_freebsd.c
+@@ -805,6 +805,13 @@
+
+ vm_srb = &vstor_packet->u.vm_srb;
+
++ /*
++ * Copy some fields of the host's response into the request structure,
++ * because the fields will be used later in storvsc_io_done().
++ */
++ request->vstor_packet.u.vm_srb.scsi_status = vm_srb->scsi_status;
++ request->vstor_packet.u.vm_srb.transfer_len = vm_srb->transfer_len;
++
+ if (((vm_srb->scsi_status & 0xFF) == SCSI_STATUS_CHECK_COND) &&
+ (vm_srb->srb_status & SRB_STATUS_AUTOSENSE_VALID)) {
+ /* Autosense data available */
+@@ -1939,62 +1946,24 @@
+ }
+
+ /*
+- * Modified based on scsi_print_inquiry which is responsible to
+- * print the detail information for scsi_inquiry_data.
+- *
++ * SCSI Inquiry checks qualifier and type.
++ * If qualifier is 011b, means the device server is not capable
++ * of supporting a peripheral device on this logical unit, and
++ * the type should be set to 1Fh.
++ *
+ * Return 1 if it is valid, 0 otherwise.
+ */
+ static inline int
+ is_inquiry_valid(const struct scsi_inquiry_data *inq_data)
+ {
+ uint8_t type;
+- char vendor[16], product[48], revision[16];
+-
+- /*
+- * Check device type and qualifier
+- */
+- if (!(SID_QUAL_IS_VENDOR_UNIQUE(inq_data) ||
+- SID_QUAL(inq_data) == SID_QUAL_LU_CONNECTED))
++ if (SID_QUAL(inq_data) != SID_QUAL_LU_CONNECTED) {
+ return (0);
+-
++ }
+ type = SID_TYPE(inq_data);
+- switch (type) {
+- case T_DIRECT:
+- case T_SEQUENTIAL:
+- case T_PRINTER:
+- case T_PROCESSOR:
+- case T_WORM:
+- case T_CDROM:
+- case T_SCANNER:
+- case T_OPTICAL:
+- case T_CHANGER:
+- case T_COMM:
+- case T_STORARRAY:
+- case T_ENCLOSURE:
+- case T_RBC:
+- case T_OCRW:
+- case T_OSD:
+- case T_ADC:
+- break;
+- case T_NODEVICE:
+- default:
++ if (type == T_NODEVICE) {
+ return (0);
+ }
+-
+- /*
+- * Check vendor, product, and revision
+- */
+- cam_strvis(vendor, inq_data->vendor, sizeof(inq_data->vendor),
+- sizeof(vendor));
+- cam_strvis(product, inq_data->product, sizeof(inq_data->product),
+- sizeof(product));
+- cam_strvis(revision, inq_data->revision, sizeof(inq_data->revision),
+- sizeof(revision));
+- if (strlen(vendor) == 0 ||
+- strlen(product) == 0 ||
+- strlen(revision) == 0)
+- return (0);
+-
+ return (1);
+ }
+
+@@ -2071,7 +2040,6 @@
+ ccb->ccb_h.status &= ~CAM_STATUS_MASK;
+ if (vm_srb->scsi_status == SCSI_STATUS_OK) {
+ const struct scsi_generic *cmd;
+-
+ /*
+ * Check whether the data for INQUIRY cmd is valid or
+ * not. Windows 10 and Windows 2016 send all zero
+@@ -2080,23 +2048,59 @@
+ cmd = (const struct scsi_generic *)
+ ((ccb->ccb_h.flags & CAM_CDB_POINTER) ?
+ csio->cdb_io.cdb_ptr : csio->cdb_io.cdb_bytes);
+- if (cmd->opcode == INQUIRY &&
+- /*
+- * XXX: Temporary work around disk hot plugin on win2k12r2,
+- * only filtering the invalid disk on win10 or 2016 server.
+- * So, the hot plugin on win10 and 2016 server needs
+- * to be fixed.
++ if (cmd->opcode == INQUIRY) {
++ /*
++ * The host of Windows 10 or 2016 server will response
++ * the inquiry request with invalid data for unexisted device:
++ [0x7f 0x0 0x5 0x2 0x1f ... ]
++ * But on windows 2012 R2, the response is:
++ [0x7f 0x0 0x0 0x0 0x0 ]
++ * That is why here wants to validate the inquiry response.
++ * The validation will skip the INQUIRY whose response is short,
++ * which is less than SHORT_INQUIRY_LENGTH (36).
++ *
++ * For more information about INQUIRY, please refer to:
++ * ftp://ftp.avc-pioneer.com/Mtfuji_7/Proposal/Jun09/INQUIRY.pdf
+ */
+- vmstor_proto_version == VMSTOR_PROTOCOL_VERSION_WIN10 &&
+- is_inquiry_valid(
+- (const struct scsi_inquiry_data *)csio->data_ptr) == 0) {
++ const struct scsi_inquiry_data *inq_data =
++ (const struct scsi_inquiry_data *)csio->data_ptr;
++ uint8_t* resp_buf = (uint8_t*)csio->data_ptr;
++ /* Get the buffer length reported by host */
++ int resp_xfer_len = vm_srb->transfer_len;
++ /* Get the available buffer length */
++ int resp_buf_len = resp_xfer_len >= 5 ? resp_buf[4] + 5 : 0;
++ int data_len = (resp_buf_len < resp_xfer_len) ? resp_buf_len : resp_xfer_len;
++ if (data_len < SHORT_INQUIRY_LENGTH) {
++ ccb->ccb_h.status |= CAM_REQ_CMP;
++ if (bootverbose && data_len >= 5) {
++ mtx_lock(&sc->hs_lock);
++ xpt_print(ccb->ccb_h.path,
++ "storvsc skips the validation for short inquiry (%d)"
++ " [%x %x %x %x %x]\n",
++ data_len,resp_buf[0],resp_buf[1],resp_buf[2],
++ resp_buf[3],resp_buf[4]);
++ mtx_unlock(&sc->hs_lock);
++ }
++ } else if (is_inquiry_valid(inq_data) == 0) {
+ ccb->ccb_h.status |= CAM_DEV_NOT_THERE;
++ if (bootverbose && data_len >= 5) {
++ mtx_lock(&sc->hs_lock);
++ xpt_print(ccb->ccb_h.path,
++ "storvsc uninstalled invalid device"
++ " [%x %x %x %x %x]\n",
++ resp_buf[0],resp_buf[1],resp_buf[2],resp_buf[3],resp_buf[4]);
++ mtx_unlock(&sc->hs_lock);
++ }
++ } else {
++ ccb->ccb_h.status |= CAM_REQ_CMP;
+ if (bootverbose) {
+ mtx_lock(&sc->hs_lock);
+ xpt_print(ccb->ccb_h.path,
+- "storvsc uninstalled device\n");
++ "storvsc has passed inquiry response (%d) validation\n",
++ data_len);
+ mtx_unlock(&sc->hs_lock);
+ }
++ }
+ } else {
+ ccb->ccb_h.status |= CAM_REQ_CMP;
+ }
diff --git a/share/security/patches/EN-16:16/hv_storvsc.patch.asc b/share/security/patches/EN-16:16/hv_storvsc.patch.asc
new file mode 100644
index 0000000000..7106b9df71
--- /dev/null
+++ b/share/security/patches/EN-16:16/hv_storvsc.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJXrUslAAoJEO1n7NZdz2rn/NMQAMvOWBMZC0WhfJ/Y48Gh+gOQ
+wt0FZ6/AJgsUTrOUaYIqdRNpmszVZjujIXdHCsrUu7iJGK1M/OqNEOrVqbjAN3iX
+J/EaJgRKYja3glf2Xzu6ow+uMRy9jM26g1EOpHeUzYk/ndV2/Vg8lrUOvPL40KA6
+QskcbO1RLrVb0ytszGA6l2r2XGKckHKPUrTEv7/43u8FJg05WAn3I1HXAKbzJFzm
+TaDJCMCzjnO/v0bXsoL+2fUrtFJuNbaxGkAzgQsaBgvjRffQCpOxZYUNemWBxuzD
+ZOleQ6IjwUWoZVlbbdjYsLMHyxKOOmATzyerrtKvvVv4gsl7ImKRuiZAPHsk4CR/
+jhVv2ASODQwk879jeqsSuSZhiWj20kf5JS9XoKUm1KF28CltfKCXC+pjBkp0IRDR
+o+SwyCUelPHWYbhHa8PoVIzGLYZIqXav/REJTHeIb6lp88ayfTuL/kK5I7lgHRIC
+DI+yvo5OXhBxL847K8++DH1k5KdB34ySenmX3D1HuOp4tlGcdYJAGxqDrY5rPrGX
+qLQBFrSrpJfGfG0NO3ldUqdcjesVALe7SgQtnblYoj7Nmem4y1MUCXCHaU+oowTI
+37jaaJ476rJJ7Ai4Vkwx8StyaQ3++BYSb+oHtjaFHzBz1X5WI+6ppZPKh6J8kwPK
+m5x91Fjl/SpjlwuxKA3h
+=RWdh
+-----END PGP SIGNATURE-----
diff --git a/share/xml/notices.xml b/share/xml/notices.xml
index 10b443cafd..18d23d886a 100644
--- a/share/xml/notices.xml
+++ b/share/xml/notices.xml
@@ -7,6 +7,42 @@
2016
+
+ 8
+
+
+ 12
+
+
+ FreeBSD-EN-16:16.hv_storvsc
+
+
+
+ FreeBSD-EN-16:15.vmbus
+
+
+
+ FreeBSD-EN-16:14.hv_storvsc
+
+
+
+ FreeBSD-EN-16:13.vmbus
+
+
+
+ FreeBSD-EN-16:12.hv_storvsc
+
+
+
+ FreeBSD-EN-16:11.vmbus
+
+
+
+ FreeBSD-EN-16:10.dhclient
+
+
+
+
7