Index: user/cperciva/freebsd-update-build/patches/10.1-RELEASE/31-EN-16:04.hyperv
===================================================================
--- user/cperciva/freebsd-update-build/patches/10.1-RELEASE/31-EN-16:04.hyperv	(nonexistent)
+++ user/cperciva/freebsd-update-build/patches/10.1-RELEASE/31-EN-16:04.hyperv	(revision 296928)
@@ -0,0 +1,48 @@
+--- sys/dev/hyperv/utilities/hv_kvp.c.orig
++++ sys/dev/hyperv/utilities/hv_kvp.c
+@@ -44,6 +44,7 @@
+ #include <sys/reboot.h>
+ #include <sys/lock.h>
+ #include <sys/taskqueue.h>
++#include <sys/selinfo.h>
+ #include <sys/sysctl.h>
+ #include <sys/poll.h>
+ #include <sys/proc.h>
+@@ -114,6 +115,8 @@
+ static struct hv_kvp_msg *hv_kvp_dev_buf;
+ struct proc *daemon_task;
+ 
++static struct selinfo hv_kvp_selinfo;
++
+ /*
+  * Global state to track and synchronize multiple
+  * KVP transaction requests from the host.
+@@ -628,6 +631,9 @@
+ 
+ 	/* Send the msg to user via function deamon_read - setting sema */
+ 	sema_post(&kvp_globals.dev_sema);
++
++	/* We should wake up the daemon, in case it's doing poll() */
++	selwakeup(&hv_kvp_selinfo);
+ }
+ 
+ 
+@@ -940,7 +946,7 @@
+  * for daemon to read.
+  */
+ static int
+-hv_kvp_dev_daemon_poll(struct cdev *dev __unused, int events, struct thread *td  __unused)
++hv_kvp_dev_daemon_poll(struct cdev *dev __unused, int events, struct thread *td)
+ {
+ 	int revents = 0;
+ 
+@@ -953,6 +959,9 @@
+ 	 */
+ 	if (kvp_globals.daemon_busy == true)
+ 		revents = POLLIN;
++	else
++		selrecord(td, &hv_kvp_selinfo);
++
+ 	mtx_unlock(&kvp_globals.pending_mutex);
+ 
+ 	return (revents);
Index: user/cperciva/freebsd-update-build/patches/10.1-RELEASE/31-SA-16:14.openssh-xauth
===================================================================
--- user/cperciva/freebsd-update-build/patches/10.1-RELEASE/31-SA-16:14.openssh-xauth	(nonexistent)
+++ user/cperciva/freebsd-update-build/patches/10.1-RELEASE/31-SA-16:14.openssh-xauth	(revision 296928)
@@ -0,0 +1,62 @@
+--- crypto/openssh/session.c.orig
++++ crypto/openssh/session.c
+@@ -46,6 +46,7 @@
+ 
+ #include <arpa/inet.h>
+ 
++#include <ctype.h>
+ #include <errno.h>
+ #include <fcntl.h>
+ #include <grp.h>
+@@ -274,6 +275,21 @@
+ 	do_cleanup(authctxt);
+ }
+ 
++/* Check untrusted xauth strings for metacharacters */
++static int
++xauth_valid_string(const char *s)
++{
++	size_t i;
++
++	for (i = 0; s[i] != '\0'; i++) {
++		if (!isalnum((u_char)s[i]) &&
++		    s[i] != '.' && s[i] != ':' && s[i] != '/' &&
++		    s[i] != '-' && s[i] != '_')
++		return 0;
++	}
++	return 1;
++}
++
+ /*
+  * Prepares for an interactive session.  This is called after the user has
+  * been successfully authenticated.  During this message exchange, pseudo
+@@ -347,7 +363,13 @@
+ 				s->screen = 0;
+ 			}
+ 			packet_check_eom();
+-			success = session_setup_x11fwd(s);
++			if (xauth_valid_string(s->auth_proto) &&
++			    xauth_valid_string(s->auth_data))
++				success = session_setup_x11fwd(s);
++			else {
++				success = 0;
++				error("Invalid X11 forwarding data");
++			}
+ 			if (!success) {
+ 				free(s->auth_proto);
+ 				free(s->auth_data);
+@@ -2178,7 +2200,13 @@
+ 	s->screen = packet_get_int();
+ 	packet_check_eom();
+ 
+-	success = session_setup_x11fwd(s);
++	if (xauth_valid_string(s->auth_proto) &&
++	    xauth_valid_string(s->auth_data))
++		success = session_setup_x11fwd(s);
++	else {
++		success = 0;
++		error("Invalid X11 forwarding data");
++	}
+ 	if (!success) {
+ 		free(s->auth_proto);
+ 		free(s->auth_data);
Index: user/cperciva/freebsd-update-build/patches/10.2-RELEASE/14-EN-16:04.hyperv
===================================================================
--- user/cperciva/freebsd-update-build/patches/10.2-RELEASE/14-EN-16:04.hyperv	(nonexistent)
+++ user/cperciva/freebsd-update-build/patches/10.2-RELEASE/14-EN-16:04.hyperv	(revision 296928)
@@ -0,0 +1,48 @@
+--- sys/dev/hyperv/utilities/hv_kvp.c.orig
++++ sys/dev/hyperv/utilities/hv_kvp.c
+@@ -44,6 +44,7 @@
+ #include <sys/reboot.h>
+ #include <sys/lock.h>
+ #include <sys/taskqueue.h>
++#include <sys/selinfo.h>
+ #include <sys/sysctl.h>
+ #include <sys/poll.h>
+ #include <sys/proc.h>
+@@ -114,6 +115,8 @@
+ static struct hv_kvp_msg *hv_kvp_dev_buf;
+ struct proc *daemon_task;
+ 
++static struct selinfo hv_kvp_selinfo;
++
+ /*
+  * Global state to track and synchronize multiple
+  * KVP transaction requests from the host.
+@@ -628,6 +631,9 @@
+ 
+ 	/* Send the msg to user via function deamon_read - setting sema */
+ 	sema_post(&kvp_globals.dev_sema);
++
++	/* We should wake up the daemon, in case it's doing poll() */
++	selwakeup(&hv_kvp_selinfo);
+ }
+ 
+ 
+@@ -940,7 +946,7 @@
+  * for daemon to read.
+  */
+ static int
+-hv_kvp_dev_daemon_poll(struct cdev *dev __unused, int events, struct thread *td  __unused)
++hv_kvp_dev_daemon_poll(struct cdev *dev __unused, int events, struct thread *td)
+ {
+ 	int revents = 0;
+ 
+@@ -953,6 +959,9 @@
+ 	 */
+ 	if (kvp_globals.daemon_busy == true)
+ 		revents = POLLIN;
++	else
++		selrecord(td, &hv_kvp_selinfo);
++
+ 	mtx_unlock(&kvp_globals.pending_mutex);
+ 
+ 	return (revents);
Index: user/cperciva/freebsd-update-build/patches/10.2-RELEASE/14-EN-16:05.hyperv
===================================================================
--- user/cperciva/freebsd-update-build/patches/10.2-RELEASE/14-EN-16:05.hyperv	(nonexistent)
+++ user/cperciva/freebsd-update-build/patches/10.2-RELEASE/14-EN-16:05.hyperv	(revision 296928)
@@ -0,0 +1,28 @@
+--- sys/dev/hyperv/netvsc/hv_netvsc_drv_freebsd.c.orig
++++ sys/dev/hyperv/netvsc/hv_netvsc_drv_freebsd.c
+@@ -128,6 +128,15 @@
+ #define HV_NV_SC_PTR_OFFSET_IN_BUF         0
+ #define HV_NV_PACKET_OFFSET_IN_BUF         16
+ 
++/*
++ * A unified flag for all outbound check sum flags is useful,
++ * and it helps avoiding unnecessary check sum calculation in
++ * network forwarding scenario.
++ */
++#define HV_CSUM_FOR_OUTBOUND						\
++    (CSUM_IP|CSUM_IP_UDP|CSUM_IP_TCP|CSUM_IP_SCTP|CSUM_IP_TSO|		\
++    CSUM_IP_ISCSI|CSUM_IP6_UDP|CSUM_IP6_TCP|CSUM_IP6_SCTP|		\
++    CSUM_IP6_TSO|CSUM_IP6_ISCSI)
+ 
+ /*
+  * Data types
+@@ -570,7 +579,8 @@
+ 			    packet->vlan_tci & 0xfff;
+ 		}
+ 
+-		if (0 == m_head->m_pkthdr.csum_flags) {
++		/* Only check the flags for outbound and ignore the ones for inbound */
++		if (0 == (m_head->m_pkthdr.csum_flags & HV_CSUM_FOR_OUTBOUND)) {
+ 			goto pre_send;
+ 		}
+ 
Index: user/cperciva/freebsd-update-build/patches/10.2-RELEASE/14-SA-16:14.openssh-xauth
===================================================================
--- user/cperciva/freebsd-update-build/patches/10.2-RELEASE/14-SA-16:14.openssh-xauth	(nonexistent)
+++ user/cperciva/freebsd-update-build/patches/10.2-RELEASE/14-SA-16:14.openssh-xauth	(revision 296928)
@@ -0,0 +1,62 @@
+--- crypto/openssh/session.c.orig
++++ crypto/openssh/session.c
+@@ -46,6 +46,7 @@
+ 
+ #include <arpa/inet.h>
+ 
++#include <ctype.h>
+ #include <errno.h>
+ #include <fcntl.h>
+ #include <grp.h>
+@@ -274,6 +275,21 @@
+ 	do_cleanup(authctxt);
+ }
+ 
++/* Check untrusted xauth strings for metacharacters */
++static int
++xauth_valid_string(const char *s)
++{
++	size_t i;
++
++	for (i = 0; s[i] != '\0'; i++) {
++		if (!isalnum((u_char)s[i]) &&
++		    s[i] != '.' && s[i] != ':' && s[i] != '/' &&
++		    s[i] != '-' && s[i] != '_')
++		return 0;
++	}
++	return 1;
++}
++
+ /*
+  * Prepares for an interactive session.  This is called after the user has
+  * been successfully authenticated.  During this message exchange, pseudo
+@@ -347,7 +363,13 @@
+ 				s->screen = 0;
+ 			}
+ 			packet_check_eom();
+-			success = session_setup_x11fwd(s);
++			if (xauth_valid_string(s->auth_proto) &&
++			    xauth_valid_string(s->auth_data))
++				success = session_setup_x11fwd(s);
++			else {
++				success = 0;
++				error("Invalid X11 forwarding data");
++			}
+ 			if (!success) {
+ 				free(s->auth_proto);
+ 				free(s->auth_data);
+@@ -2178,7 +2200,13 @@
+ 	s->screen = packet_get_int();
+ 	packet_check_eom();
+ 
+-	success = session_setup_x11fwd(s);
++	if (xauth_valid_string(s->auth_proto) &&
++	    xauth_valid_string(s->auth_data))
++		success = session_setup_x11fwd(s);
++	else {
++		success = 0;
++		error("Invalid X11 forwarding data");
++	}
+ 	if (!success) {
+ 		free(s->auth_proto);
+ 		free(s->auth_data);
Index: user/cperciva/freebsd-update-build/patches/9.3-RELEASE/39-SA-16:14.openssh-xauth
===================================================================
--- user/cperciva/freebsd-update-build/patches/9.3-RELEASE/39-SA-16:14.openssh-xauth	(nonexistent)
+++ user/cperciva/freebsd-update-build/patches/9.3-RELEASE/39-SA-16:14.openssh-xauth	(revision 296928)
@@ -0,0 +1,62 @@
+--- crypto/openssh/session.c.orig
++++ crypto/openssh/session.c
+@@ -46,6 +46,7 @@
+ 
+ #include <arpa/inet.h>
+ 
++#include <ctype.h>
+ #include <errno.h>
+ #include <fcntl.h>
+ #include <grp.h>
+@@ -274,6 +275,21 @@
+ 	do_cleanup(authctxt);
+ }
+ 
++/* Check untrusted xauth strings for metacharacters */
++static int
++xauth_valid_string(const char *s)
++{
++	size_t i;
++
++	for (i = 0; s[i] != '\0'; i++) {
++		if (!isalnum((u_char)s[i]) &&
++		    s[i] != '.' && s[i] != ':' && s[i] != '/' &&
++		    s[i] != '-' && s[i] != '_')
++		return 0;
++	}
++	return 1;
++}
++
+ /*
+  * Prepares for an interactive session.  This is called after the user has
+  * been successfully authenticated.  During this message exchange, pseudo
+@@ -347,7 +363,13 @@
+ 				s->screen = 0;
+ 			}
+ 			packet_check_eom();
+-			success = session_setup_x11fwd(s);
++			if (xauth_valid_string(s->auth_proto) &&
++			    xauth_valid_string(s->auth_data))
++				success = session_setup_x11fwd(s);
++			else {
++				success = 0;
++				error("Invalid X11 forwarding data");
++			}
+ 			if (!success) {
+ 				free(s->auth_proto);
+ 				free(s->auth_data);
+@@ -2178,7 +2200,13 @@
+ 	s->screen = packet_get_int();
+ 	packet_check_eom();
+ 
+-	success = session_setup_x11fwd(s);
++	if (xauth_valid_string(s->auth_proto) &&
++	    xauth_valid_string(s->auth_data))
++		success = session_setup_x11fwd(s);
++	else {
++		success = 0;
++		error("Invalid X11 forwarding data");
++	}
+ 	if (!success) {
+ 		free(s->auth_proto);
+ 		free(s->auth_data);