
xen: allow limiting the amount of duplicated pending xenstore watches

Description

xen: allow limiting the amount of duplicated pending xenstore watches

Xenstore watches received are queued in a list and processed in a
deferred thread. Such queuing was done without any checking, so a
guest could potentially trigger a resource starvation against the
FreeBSD kernel if such a kernel is watching any user-controlled xenstore
path.

Allow limiting the amount of pending events a watch can accumulate
to prevent a remote guest from triggering this resource starvation
issue.

For the PV device backends and frontends this limitation is only
applied to the other end /state node, which is limited to 1 pending
event; the rest of the watched paths can still have unlimited pending
watches because they are either local or controlled by a privileged
domain.

The xenstore user-space device gets special treatment as it's not
possible for the kernel to know whether the paths being watched by
user-space processes are controlled by a guest domain. For this reason
watches set by the xenstore user-space device are limited to 1000
pending events. Note this can be modified using the
max_pending_watch_events sysctl of the device.

This is XSA-349.

Sponsored by: Citrix Systems R&D
MFC after: 3 days

(cherry picked from commit 4e4e43dc9e1afc863670a031cc5cc75eb5e668d6)

Note the xenstore user-space device part of this backport is dropped,
as in stable/11 the device doesn't support setting up watches.

(cherry picked from commit d9bd043f93df1a31ef16d2198d720a0a0831357f)

Approved by: so
Security: XSA-349, CVE-2020-29568

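The bounded per-watch event queue that the commit message describes, as an added C model written for this page (it is not FreeBSD's xenstore code); the struct layout, the convention that max_pending == 0 means unlimited, the drop-on-full behaviour and the sample path are assumptions:

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of a per-watch bounded event queue (not FreeBSD's code). */
struct xs_event { char path[64]; struct xs_event *next; };
struct xs_watch {
    const char *path;
    unsigned max_pending, pending, dropped; /* max 0 = unlimited (local/privileged paths) */
    struct xs_event *head, *tail;
};

/* Receive path: queue one event unless this watch is already at its limit. */
int xs_enqueue_event(struct xs_watch *w, const char *path)
{
    struct xs_event *ev;
    if (w->max_pending != 0 && w->pending >= w->max_pending) {
        w->dropped++;         /* guest wrote again before we ran: refuse it */
        return 0;
    }
    if ((ev = calloc(1, sizeof *ev)) == NULL) return -1;
    snprintf(ev->path, sizeof ev->path, "%s", path);
    if (w->tail != NULL) w->tail->next = ev; else w->head = ev;
    w->tail = ev;
    w->pending++;
    return 1;
}

/* Deferred thread: take one event off the queue, which frees a slot. */
int xs_dequeue_event(struct xs_watch *w, char *out, size_t outlen)
{
    struct xs_event *ev = w->head;
    if (ev == NULL) return 0;
    if ((w->head = ev->next) == NULL) w->tail = NULL;
    w->pending--;
    snprintf(out, outlen, "%s", ev->path);
    free(ev);
    return 1;
}

/* A guest rewriting its /state node `writes` times before the backend's
 * deferred thread runs; returns how many events were actually queued. */
unsigned xs_simulate_burst(unsigned max_pending, unsigned writes)
{
    struct xs_watch w = { .path = "/local/domain/1/device/vbd/0/state", .max_pending = max_pending };
    char buf[64];
    for (unsigned i = 0; i < writes; i++)
        xs_enqueue_event(&w, w.path);
    unsigned queued = w.pending;
    while (xs_dequeue_event(&w, buf, sizeof buf)) { } /* drain so nothing leaks */
    return queued;
}
```

With max_pending set to 1, as for the other end's /state node, a burst of writes costs the kernel one queued event; with 0 (unlimited) the queue grows with every write, which is the starvation the change prevents.
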
Details

Provenance
royger: Authored on Nov 25 2020, 11:34 AM
emaste: Committed on Jan 29 2021, 12:08 AM
Parents
rG60417799b7bb: xen/xenstore: remove unused functions