iokit/Kernel/IOWorkLoop.cpp xnu-12377.121.6 xnu-6153.41.3
--- xnu/xnu-12377.121.6/iokit/Kernel/IOWorkLoop.cpp
+++ xnu/xnu-6153.41.3/iokit/Kernel/IOWorkLoop.cpp
@@ -47,9 +47,9 @@
 OSMetaClassDefineReservedUnused(IOWorkLoop, 1);
 OSMetaClassDefineReservedUnused(IOWorkLoop, 2);
 #else
-OSMetaClassDefineReservedUsedX86(IOWorkLoop, 0);
-OSMetaClassDefineReservedUsedX86(IOWorkLoop, 1);
-OSMetaClassDefineReservedUsedX86(IOWorkLoop, 2);
+OSMetaClassDefineReservedUsed(IOWorkLoop, 0);
+OSMetaClassDefineReservedUsed(IOWorkLoop, 1);
+OSMetaClassDefineReservedUsed(IOWorkLoop, 2);
 #endif
 OSMetaClassDefineReservedUnused(IOWorkLoop, 3);
 OSMetaClassDefineReservedUnused(IOWorkLoop, 4);
@@ -133,7 +133,12 @@
 
 	// Allocate our ExpansionData if it hasn't been allocated already.
 	if (!reserved) {
-		reserved = IOMallocType(ExpansionData);
+		reserved = IONew(ExpansionData, 1);
+		if (!reserved) {
+			return false;
+		}
+
+		bzero(reserved, sizeof(ExpansionData));
 	}
 
 	if (gateLock == NULL) {
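Review bot: The added `IONew(ExpansionData, 1)` at the `reserved` allocation moves ExpansionData from the type-segregated allocator (`IOMallocType`) to the general kernel heap, which gives up the type isolation that limits what a stale `reserved` pointer can alias once the memory is freed and reused. The file headers list xnu-6153.41.3 as the new side, so this may simply be the older tree; if the direction is intended, I would keep `reserved = IOMallocType(ExpansionData);`, which as far as I know returns zeroed memory and so makes the separate `bzero` unnecessary. The same applies to the `me->reserved` allocation in the `@@ -198,7 +203,12 @@` hunk, and the `IODelete(reserved, ExpansionData, 1)` in the last hunk has to stay paired with whichever allocator is chosen. The enclosing function starts and ends outside this hunk.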
@@ -198,7 +203,12 @@
 	IOWorkLoop *me = new IOWorkLoop;
 
 	if (me && options) {
-		me->reserved = IOMallocType(ExpansionData);
+		me->reserved = IONew(ExpansionData, 1);
+		if (!me->reserved) {
+			me->release();
+			return NULL;
+		}
+		bzero(me->reserved, sizeof(ExpansionData));
 		me->reserved->options = options;
 	}
 
@@ -210,29 +220,6 @@
 	return me;
 }
 
-void
-IOWorkLoop::releaseEventChain(LIBKERN_CONSUMED IOEventSource *eventChain)
-{
-	IOEventSource *event, *next;
-	for (event = eventChain; event; event = next) {
-		next = event->getNext();
-#ifdef __clang_analyzer__
-		// Unlike the usual IOKit memory management convention, IOWorkLoop
-		// manages the retain count for the IOEventSource instances in the
-		// the chain rather than have IOEventSource do that itself. This means
-		// it is safe to call release() on the result of getNext() while the
-		// chain is being torn down. However, the analyzer doesn't
-		// realize this. We add an extra retain under analysis to suppress
-		// an analyzer diagnostic about violations of the memory management rules.
-		if (next) {
-			next->retain();
-		}
-#endif
-		event->setWorkLoop(NULL);
-		event->setNext(NULL);
-		event->release();
-	}
-}
 // Free is called twice:
 // First when the atomic retainCount transitions from 1 -> 0
 // Secondly when the work loop itself is commiting hari kari
@@ -259,10 +246,22 @@
 
 		openGate();
 	} else { /* !workThread */
-		releaseEventChain(eventChain);
+		IOEventSource *event, *next;
+
+		for (event = eventChain; event; event = next) {
+			next = event->getNext();
+			event->setWorkLoop(NULL);
+			event->setNext(NULL);
+			event->release();
+		}
 		eventChain = NULL;
 
-		releaseEventChain(passiveEventChain);
+		for (event = passiveEventChain; event; event = next) {
+			next = event->getNext();
+			event->setWorkLoop(NULL);
+			event->setNext(NULL);
+			event->release();
+		}
 		passiveEventChain = NULL;
 
 		// Either we have a partial initialization to clean up
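Review bot: The chain teardown loop is now written out twice, once for `eventChain` and once for `passiveEventChain`, and the only explanation of the ownership rule it relies on went away with the removed helper. Both copies depend on `next = event->getNext()` being read before `setNext(NULL)` and `release()`, so a later edit to one copy that is not mirrored in the other risks touching an event source after it has been released. I would either keep a single helper called for both chains or put a comment above the first loop such as `// IOWorkLoop holds the retain on each chained IOEventSource; read getNext() before release().` The enclosing function begins and ends outside this hunk.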
@@ -288,7 +287,7 @@
 		IOStatisticsUnregisterCounter();
 
 		if (reserved) {
-			IOFreeType(reserved, ExpansionData);
+			IODelete(reserved, ExpansionData, 1);
 			reserved = NULL;
 		}