Loading...
iokit/Kernel/IOUserClient.cpp xnu-1228 xnu-4570.71.2
--- xnu/xnu-1228/iokit/Kernel/IOUserClient.cpp
+++ xnu/xnu-4570.71.2/iokit/Kernel/IOUserClient.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998-2006 Apple Computer, Inc. All rights reserved.
+ * Copyright (c) 1998-2014 Apple Inc. All rights reserved.
  *
  * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
  * 
@@ -27,6 +27,7 @@
  */
 
 
+#include <libkern/c++/OSKext.h>
 #include <IOKit/IOKitServer.h>
 #include <IOKit/IOKitKeysPrivate.h>
 #include <IOKit/IOUserClient.h>
@@ -34,8 +35,30 @@
 #include <IOKit/IORegistryEntry.h>
 #include <IOKit/IOCatalogue.h>
 #include <IOKit/IOMemoryDescriptor.h>
+#include <IOKit/IOBufferMemoryDescriptor.h>
 #include <IOKit/IOLib.h>
+#include <IOKit/IOBSD.h>
+#include <IOKit/IOStatisticsPrivate.h>
+#include <IOKit/IOTimeStamp.h>
+#include <IOKit/IODeviceTreeSupport.h>
+#include <IOKit/system.h>
+#include <libkern/OSDebug.h>
 #include <sys/proc.h>
+#include <sys/kauth.h>
+#include <sys/codesign.h>
+
+#include <mach/sdt.h>
+
+#if CONFIG_MACF
+
+extern "C" {
+#include <security/mac_framework.h>
+};
+#include <sys/kauth.h>
+
+#define IOMACF_LOG 0
+
+#endif /* CONFIG_MACF */
 
 #include <IOKit/assert.h>
 
@@ -44,55 +67,70 @@
 
 #define SCALAR64(x) ((io_user_scalar_t)((unsigned int)x))
 #define SCALAR32(x) ((uint32_t )x)
-#define ARG32(x)    ((void *)SCALAR32(x))
-#define REF64(x)    ((io_user_reference_t)((natural_t)(x)))
+#define ARG32(x)    ((void *)(uintptr_t)SCALAR32(x))
+#define REF64(x)    ((io_user_reference_t)((UInt64)(x)))
 #define REF32(x)    ((int)(x))
 
 enum
 {
-    kIOUCAsync0Flags = 3ULL,
-    kIOUCAsync64Flag = 1ULL
+    kIOUCAsync0Flags          = 3ULL,
+    kIOUCAsync64Flag          = 1ULL,
+    kIOUCAsyncErrorLoggedFlag = 2ULL
 };
 
+#if IOKITSTATS
+
+#define IOStatisticsRegisterCounter() \
+do { \
+	reserved->counter = IOStatistics::registerUserClient(this); \
+} while (0)
+
+#define IOStatisticsUnregisterCounter() \
+do { \
+	if (reserved) \
+		IOStatistics::unregisterUserClient(reserved->counter); \
+} while (0)
+
+#define IOStatisticsClientCall() \
+do { \
+	IOStatistics::countUserClientCall(client); \
+} while (0)
+
+#else
+
+#define IOStatisticsRegisterCounter()
+#define IOStatisticsUnregisterCounter()
+#define IOStatisticsClientCall()
+
+#endif /* IOKITSTATS */
+
+#if DEVELOPMENT || DEBUG
+
+#define FAKE_STACK_FRAME(a)                                             \
+        const void ** __frameptr;                                       \
+        const void  * __retaddr;                                        \
+        __frameptr = (typeof(__frameptr)) __builtin_frame_address(0);   \
+        __retaddr = __frameptr[1];                                      \
+        __frameptr[1] = (a);
+
+#define FAKE_STACK_FRAME_END()                                          \
+        __frameptr[1] = __retaddr;
+
+#else /* DEVELOPMENT || DEBUG */
+
+#define FAKE_STACK_FRAME(a)
+#define FAKE_STACK_FRAME_END()
+
+#endif /* DEVELOPMENT || DEBUG */
+
 /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
 
-// definitions we should get from osfmk
-
-//typedef struct ipc_port * ipc_port_t;
-typedef natural_t ipc_kobject_type_t;
-
-#define IKOT_IOKIT_SPARE	27
-#define IKOT_IOKIT_CONNECT	29
-#define IKOT_IOKIT_OBJECT	30
-
 extern "C" {
-
-extern ipc_port_t iokit_alloc_object_port( io_object_t obj,
-			ipc_kobject_type_t type );
-
-extern kern_return_t iokit_destroy_object_port( ipc_port_t port );
-
-extern mach_port_name_t iokit_make_send_right( task_t task,
-				io_object_t obj, ipc_kobject_type_t type );
-
-extern kern_return_t iokit_mod_send_right( task_t task, mach_port_name_t name, mach_port_delta_t delta );
-
-extern io_object_t iokit_lookup_connect_ref(io_object_t clientRef, ipc_space_t task);
-
-extern io_object_t iokit_lookup_connect_ref_current_task(io_object_t clientRef);
-
-extern ipc_port_t master_device_port;
-
-extern void iokit_retain_port( ipc_port_t port );
-extern void iokit_release_port( ipc_port_t port );
-
-extern kern_return_t iokit_switch_object_port( ipc_port_t port, io_object_t obj, ipc_kobject_type_t type );
 
 #include <mach/mach_traps.h>
 #include <vm/vm_map.h>
 
 } /* extern "C" */
-
 
 /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
 
@@ -120,7 +158,7 @@
     static mach_port_name_t makeSendRightForTask( task_t task,
 				io_object_t obj, ipc_kobject_type_t type );
 
-    virtual void free();
+    virtual void free() APPLE_KEXT_OVERRIDE;
 };
 
 #define super OSObject
@@ -133,17 +171,28 @@
 // not in dictForType() for debugging ease
 static OSDictionary *	gIOObjectPorts;
 static OSDictionary *	gIOConnectPorts;
+static OSDictionary *	gIOIdentifierPorts;
 
 OSDictionary * IOMachPort::dictForType( ipc_kobject_type_t type )
 {
     OSDictionary **	 	dict;
 
-    if( IKOT_IOKIT_OBJECT == type )
-	dict = &gIOObjectPorts;
-    else if( IKOT_IOKIT_CONNECT == type )
-	dict = &gIOConnectPorts;
-    else
-	return( 0 );
+    switch (type)
+    {
+	case IKOT_IOKIT_OBJECT:
+	    dict = &gIOObjectPorts;
+	    break;
+	case IKOT_IOKIT_CONNECT:
+	    dict = &gIOConnectPorts;
+	    break;
+	case IKOT_IOKIT_IDENT:
+	    dict = &gIOIdentifierPorts;
+	    break;
+	default:
+	    panic("dictForType %d", type);
+	    dict = NULL;
+	    break;
+    }
 
     if( 0 == *dict)
         *dict = OSDictionary::withCapacity( 1 );
@@ -201,6 +250,7 @@
 {
     OSDictionary *	dict;
     IOMachPort *	machPort;
+    IOUserClient *      uc;
     bool		destroyed = true;
 
     IOTakeLock( gIOObjectPortLock);
@@ -210,11 +260,16 @@
 
 	machPort = (IOMachPort *) dict->getObject( (const OSSymbol *) obj );
 	if( machPort) {
-	    destroyed = (machPort->mscount == *mscount);
-	    if( destroyed)
+	    destroyed = (machPort->mscount <= *mscount);
+	    if (!destroyed) *mscount = machPort->mscount;
+            else
+            {
+		if ((IKOT_IOKIT_CONNECT == type) && (uc = OSDynamicCast(IOUserClient, obj)))
+		{
+		    uc->noMoreSenders();
+		}
 		dict->removeObject( (const OSSymbol *) obj );
-	    else
-		*mscount = machPort->mscount;
+	    }
 	} 
 	obj->release();
     }
@@ -229,6 +284,8 @@
 {
     OSDictionary *	dict;
     IOMachPort *	machPort;
+
+    assert(IKOT_IOKIT_CONNECT != type);
 
     IOTakeLock( gIOObjectPortLock);
 
@@ -278,14 +335,18 @@
 	if (port)
 	{
 	    IOUserClient * uc;
-	    if ((uc = OSDynamicCast(IOUserClient, obj)) && uc->mappings)
+	    if ((uc = OSDynamicCast(IOUserClient, obj)))
 	    {
-		dict->setObject((const OSSymbol *) uc->mappings, port);
-		iokit_switch_object_port(port->port, uc->mappings, IKOT_IOKIT_CONNECT);
-
-		uc->mappings->release();
-		uc->mappings = 0;
-	    }
+                uc->noMoreSenders();
+                if (uc->mappings)
+                {
+                    dict->setObject((const OSSymbol *) uc->mappings, port);
+                    iokit_switch_object_port(port->port, uc->mappings, IKOT_IOKIT_CONNECT);
+
+                    uc->mappings->release();
+                    uc->mappings = 0;
+                }
+            }
 	    dict->removeObject( (const OSSymbol *) obj );
 	}
     }
@@ -308,35 +369,137 @@
 
 /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
 
-class IOUserNotification : public OSIterator
+class IOUserIterator : public OSIterator
+{
+    OSDeclareDefaultStructors(IOUserIterator)
+public:
+    OSObject 	* 	userIteratorObject;
+    IOLock 	*	lock;
+
+    static IOUserIterator * withIterator(OSIterator * iter);
+    virtual bool init( void ) APPLE_KEXT_OVERRIDE;
+    virtual void free() APPLE_KEXT_OVERRIDE;
+
+    virtual void reset() APPLE_KEXT_OVERRIDE;
+    virtual bool isValid() APPLE_KEXT_OVERRIDE;
+    virtual OSObject * getNextObject() APPLE_KEXT_OVERRIDE;
+};
+
+/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+class IOUserNotification : public IOUserIterator
 {
     OSDeclareDefaultStructors(IOUserNotification)
 
-    IONotifier 	* 	holdNotify;
-    IOLock 	*	lock;
+#define holdNotify	userIteratorObject
 
 public:
 
-    virtual bool init( void );
-    virtual void free();
+    virtual void free() APPLE_KEXT_OVERRIDE;
 
     virtual void setNotification( IONotifier * obj );
 
-    virtual void reset();
-    virtual bool isValid();
+    virtual void reset() APPLE_KEXT_OVERRIDE;
+    virtual bool isValid() APPLE_KEXT_OVERRIDE;
 };
 
 /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
 
+OSDefineMetaClassAndStructors( IOUserIterator, OSIterator )
+
+IOUserIterator *
+IOUserIterator::withIterator(OSIterator * iter)
+{
+    IOUserIterator * me;
+
+    if (!iter) return (0);
+
+    me = new IOUserIterator;
+    if (me && !me->init())
+    {
+	me->release();
+	me = 0;
+    }
+    if (!me) return me;
+    me->userIteratorObject = iter;
+
+    return (me);
+}
+
+bool
+IOUserIterator::init( void )
+{
+    if (!OSObject::init()) return (false);
+
+    lock = IOLockAlloc();
+    if( !lock)
+        return( false );
+
+    return (true);
+}
+
+void
+IOUserIterator::free()
+{
+    if (userIteratorObject) userIteratorObject->release();
+    if (lock) IOLockFree(lock);
+    OSObject::free();
+}
+
+void
+IOUserIterator::reset()
+{
+    IOLockLock(lock);
+    assert(OSDynamicCast(OSIterator, userIteratorObject));
+    ((OSIterator *)userIteratorObject)->reset();
+    IOLockUnlock(lock);
+}
+
+bool
+IOUserIterator::isValid()
+{
+    bool ret;
+
+    IOLockLock(lock);
+    assert(OSDynamicCast(OSIterator, userIteratorObject));
+    ret = ((OSIterator *)userIteratorObject)->isValid();
+    IOLockUnlock(lock);
+
+    return (ret);
+}
+
+OSObject *
+IOUserIterator::getNextObject()
+{
+    OSObject * ret;
+
+    IOLockLock(lock);
+    assert(OSDynamicCast(OSIterator, userIteratorObject));
+    ret = ((OSIterator *)userIteratorObject)->getNextObject();
+    IOLockUnlock(lock);
+
+    return (ret);
+}
+
+/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
 extern "C" {
 
 // functions called from osfmk/device/iokit_rpc.c
 
 void
-iokit_add_reference( io_object_t obj )
-{
-    if( obj)
-	obj->retain();
+iokit_add_reference( io_object_t obj, ipc_kobject_type_t type )
+{
+    IOUserClient * uc;
+
+    if (!obj) return;
+
+    if ((IKOT_IOKIT_CONNECT == type)
+	&& (uc = OSDynamicCast(IOUserClient, obj)))
+    {
+	OSIncrementAtomic(&uc->__ipc);
+    }
+
+    obj->retain();
 }
 
 void
@@ -344,6 +507,43 @@
 {
     if( obj)
 	obj->release();
+}
+
+void
+iokit_remove_connect_reference( io_object_t obj )
+{
+    IOUserClient * uc;
+    bool           finalize = false;
+
+    if (!obj) return;
+
+    if ((uc = OSDynamicCast(IOUserClient, obj)))
+    {
+	if (1 == OSDecrementAtomic(&uc->__ipc) && uc->isInactive())
+	{
+	    IOLockLock(gIOObjectPortLock);
+	    if ((finalize = uc->__ipcFinal)) uc->__ipcFinal = false;
+	    IOLockUnlock(gIOObjectPortLock);
+	}
+	if (finalize) uc->scheduleFinalize(true);
+    }
+
+    obj->release();
+}
+
+bool
+IOUserClient::finalizeUserReferences(OSObject * obj)
+{
+    IOUserClient * uc;
+    bool           ok = true;
+
+    if ((uc = OSDynamicCast(IOUserClient, obj)))
+    {
+	IOLockLock(gIOObjectPortLock);
+	if ((uc->__ipcFinal = (0 != uc->__ipc))) ok = false;
+	IOLockUnlock(gIOObjectPortLock);
+    }
+    return (ok);
 }
 
 ipc_port_t
@@ -380,7 +580,12 @@
     if( IKOT_IOKIT_CONNECT == type)
     {
 	if( (client = OSDynamicCast( IOUserClient, obj )))
+	{
+	    IOStatisticsClientCall();
+	    IOLockLock(client->lock);
 	    client->clientDied();
+	    IOLockUnlock(client->lock);
+        }
     }
     else if( IKOT_IOKIT_OBJECT == type)
     {
@@ -413,19 +618,21 @@
     OSArray 	*	newSet;
     OSObject	*	lastEntry;
     bool		armed;
+    bool                ipcLogged;
 
 public:
 
     virtual bool init( mach_port_t port, natural_t type,
                        void * reference, vm_size_t referenceSize,
 		       bool clientIs64 );
-    virtual void free();
+    virtual void free() APPLE_KEXT_OVERRIDE;
+    void invalidatePort(void);
 
     static bool _handler( void * target,
-                          void * ref, IOService * newService );
+                          void * ref, IOService * newService, IONotifier * notifier );
     virtual bool handler( void * ref, IOService * newService );
 
-    virtual OSObject * getNextObject();
+    virtual OSObject * getNextObject() APPLE_KEXT_OVERRIDE;
 };
 
 class IOServiceMessageUserNotification : public IOUserNotification
@@ -436,13 +643,14 @@
         mach_msg_header_t		msgHdr;
 	mach_msg_body_t			msgBody;
 	mach_msg_port_descriptor_t	ports[1];
-        OSNotificationHeader64		notifyHeader;
+        OSNotificationHeader64		notifyHeader __attribute__ ((packed));
     };
 
     PingMsg *		pingMsg;
     vm_size_t		msgSize;
     uint8_t		clientIs64;
     int			owningPID;
+    bool                ipcLogged;
 
 public:
 
@@ -451,7 +659,8 @@
 		       vm_size_t extraSize,
 		       bool clientIs64 );
 
-    virtual void free();
+    virtual void free() APPLE_KEXT_OVERRIDE;
+    void invalidatePort(void);
     
     static IOReturn _handler( void * target, void * ref,
                               UInt32 messageType, IOService * provider,
@@ -460,46 +669,35 @@
                               UInt32 messageType, IOService * provider,
                               void * messageArgument, vm_size_t argSize );
 
-    virtual OSObject * getNextObject();
+    virtual OSObject * getNextObject() APPLE_KEXT_OVERRIDE;
 };
 
 /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
 
 #undef super
-#define super OSIterator
-OSDefineMetaClass( IOUserNotification, OSIterator )
-OSDefineAbstractStructors( IOUserNotification, OSIterator )
+#define super IOUserIterator
+OSDefineMetaClass( IOUserNotification, IOUserIterator )
+OSDefineAbstractStructors( IOUserNotification, IOUserIterator )
 
 /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
 
-bool IOUserNotification::init( void )
-{
-    if( !super::init())
-	return( false );
-
-    lock = IOLockAlloc();
-    if( !lock)
-        return( false );
-
-    return( true );
-}
-
 void IOUserNotification::free( void )
 {
-    if( holdNotify)
-	holdNotify->remove();
+    if (holdNotify)
+    {
+	assert(OSDynamicCast(IONotifier, holdNotify));
+	((IONotifier *)holdNotify)->remove();
+	holdNotify = 0;
+    }
     // can't be in handler now
 
-    if( lock)
-	IOLockFree( lock );
-
     super::free();
 }
 
 
 void IOUserNotification::setNotification( IONotifier * notify )
 {
-    IONotifier * previousNotify;
+    OSObject * previousNotify;
 
     IOLockLock( gIOObjectPortLock);
 
@@ -509,7 +707,10 @@
     IOLockUnlock( gIOObjectPortLock);
 
     if( previousNotify)
-	previousNotify->remove();
+    {
+	assert(OSDynamicCast(IONotifier, previousNotify));
+	((IONotifier *)previousNotify)->remove();
+    }
 }
 
 void IOUserNotification::reset()
@@ -534,6 +735,9 @@
 				       void * reference, vm_size_t referenceSize,
 				       bool clientIs64 )
 {
+    if( !super::init())
+        return( false );
+
     newSet = OSArray::withCapacity( 1 );
     if( !newSet)
         return( false );
@@ -559,7 +763,12 @@
     pingMsg->notifyHeader.type = type;
     bcopy( reference, pingMsg->notifyHeader.reference, referenceSize );
 
-    return( super::init() );
+    return( true );
+}
+
+void IOServiceUserNotification::invalidatePort(void)
+{
+    if (pingMsg) pingMsg->msgHdr.msgh_remote_port = MACH_PORT_NULL;
 }
 
 void IOServiceUserNotification::free( void )
@@ -576,8 +785,12 @@
 
     super::free();
 
-    if( _pingMsg && _msgSize)
-        IOFree( _pingMsg, _msgSize);
+    if( _pingMsg && _msgSize) {
+		if (_pingMsg->msgHdr.msgh_remote_port) {
+			iokit_release_port_send(_pingMsg->msgHdr.msgh_remote_port);
+		}
+        IOFree(_pingMsg, _msgSize);
+	}
 
     if( _lastEntry)
         _lastEntry->release();
@@ -587,7 +800,7 @@
 }
 
 bool IOServiceUserNotification::_handler( void * target,
-                                    void * ref, IOService * newService )
+                                    void * ref, IOService * newService, IONotifier * notifier )
 {
     return( ((IOServiceUserNotification *) target)->handler( ref, newService ));
 }
@@ -621,13 +834,18 @@
 	else
             pingMsg->msgHdr.msgh_local_port = NULL;
 
-        kr = mach_msg_send_from_kernel( &pingMsg->msgHdr,
-                                        pingMsg->msgHdr.msgh_size);
+        kr = mach_msg_send_from_kernel_with_options( &pingMsg->msgHdr,
+						     pingMsg->msgHdr.msgh_size,
+						     (MACH_SEND_MSG | MACH_SEND_ALWAYS | MACH_SEND_IMPORTANCE),
+						     0);
 	if( port)
 	    iokit_release_port( port );
 
-        if( KERN_SUCCESS != kr)
-            IOLog("%s: mach_msg_send_from_kernel {%x}\n", __FILE__, kr );
+        if( (KERN_SUCCESS != kr) && !ipcLogged)
+        {
+            ipcLogged = true;
+            IOLog("%s: mach_msg_send_from_kernel_proper(0x%x)\n", __PRETTY_FUNCTION__, kr );
+        }
     }
 
     return( true );
@@ -637,12 +855,11 @@
 {
     unsigned int	count;
     OSObject *		result;
-
-    IOTakeLock( lock );
-
-    if( lastEntry)
-        lastEntry->release();
-
+    OSObject *		releaseEntry;
+
+    IOLockLock(lock);
+
+    releaseEntry = lastEntry;
     count = newSet->getCount();
     if( count ) {
         result = newSet->getObject( count - 1 );
@@ -654,7 +871,9 @@
     }
     lastEntry = result;
 
-    IOUnlock( lock );
+    IOLockUnlock(lock);
+
+    if (releaseEntry) releaseEntry->release();
 
     return( result );
 }
@@ -669,6 +888,8 @@
 				void * reference, vm_size_t referenceSize, vm_size_t extraSize,
 				bool client64 )
 {
+    if( !super::init())
+        return( false );
 
     if (referenceSize > sizeof(OSAsyncReference64))
         return( false );
@@ -678,7 +899,7 @@
     owningPID = proc_selfpid();
 
     extraSize += sizeof(IOServiceInterestContent64);
-    msgSize = sizeof(PingMsg) - sizeof(OSAsyncReference64) + referenceSize + extraSize;
+    msgSize = sizeof(PingMsg) - sizeof(OSAsyncReference64) + referenceSize;
     pingMsg = (PingMsg *) IOMalloc( msgSize);
     if( !pingMsg)
         return( false );
@@ -703,7 +924,12 @@
     pingMsg->notifyHeader.type 		= type;
     bcopy( reference, pingMsg->notifyHeader.reference, referenceSize );
 
-    return( super::init() );
+    return( true );
+}
+
+void IOServiceMessageUserNotification::invalidatePort(void)
+{
+    if (pingMsg) pingMsg->msgHdr.msgh_remote_port = MACH_PORT_NULL;
 }
 
 void IOServiceMessageUserNotification::free( void )
@@ -716,8 +942,12 @@
 
     super::free();
 
-    if( _pingMsg && _msgSize)
+    if( _pingMsg && _msgSize) {
+		if (_pingMsg->msgHdr.msgh_remote_port) {
+			iokit_release_port_send(_pingMsg->msgHdr.msgh_remote_port);
+		}
         IOFree( _pingMsg, _msgSize);
+	}
 }
 
 IOReturn IOServiceMessageUserNotification::_handler( void * target, void * ref,
@@ -730,57 +960,105 @@
 
 IOReturn IOServiceMessageUserNotification::handler( void * ref,
                                     UInt32 messageType, IOService * provider,
-                                    void * messageArgument, vm_size_t argSize )
-{
+                                    void * messageArgument, vm_size_t callerArgSize )
+{
+    enum 			 { kLocalMsgSize = 0x100 };
+    uint64_t                     stackMsg[kLocalMsgSize / sizeof(uint64_t)];
+    void *                       allocMsg;
     kern_return_t		 kr;
+    vm_size_t  			 argSize;
+    vm_size_t  			 thisMsgSize;
     ipc_port_t 			 thisPort, providerPort;
-    IOServiceInterestContent64 * data = (IOServiceInterestContent64 *)
-					((((uint8_t *) pingMsg) + msgSize) - pingMsg->notifyHeader.size);
-                                        // == pingMsg->notifyHeader.content;
+    struct PingMsg *             thisMsg;
+    IOServiceInterestContent64 * data;
 
     if (kIOMessageCopyClientID == messageType)
     {
-	*((void **) messageArgument) = IOCopyLogNameForPID(owningPID);
-	return (kIOReturnSuccess);
-    }
-
+        *((void **) messageArgument) = OSNumber::withNumber(owningPID, 32);
+        return (kIOReturnSuccess);
+    }
+
+    if (callerArgSize == 0)
+    {
+	if (clientIs64) argSize = sizeof(data->messageArgument[0]);
+	else            argSize = sizeof(uint32_t);
+    }
+    else
+    {
+        if( callerArgSize > kIOUserNotifyMaxMessageSize)
+            callerArgSize = kIOUserNotifyMaxMessageSize;
+        argSize = callerArgSize;
+    }
+
+    // adjust message size for ipc restrictions
+    natural_t type;
+    type = pingMsg->notifyHeader.type;
+    type &= ~(kIOKitNoticationMsgSizeMask << kIOKitNoticationTypeSizeAdjShift);
+    type |= ((argSize & kIOKitNoticationMsgSizeMask) << kIOKitNoticationTypeSizeAdjShift);
+    argSize = (argSize + kIOKitNoticationMsgSizeMask) & ~kIOKitNoticationMsgSizeMask;
+
+    thisMsgSize = msgSize
+		+ sizeof( IOServiceInterestContent64 )
+		- sizeof( data->messageArgument)
+		+ argSize;
+
+    if (thisMsgSize > sizeof(stackMsg))
+    {
+	allocMsg = IOMalloc(thisMsgSize);
+	if (!allocMsg) return (kIOReturnNoMemory);
+	thisMsg = (typeof(thisMsg)) allocMsg;
+    }
+    else
+    {
+	allocMsg = 0;
+	thisMsg  = (typeof(thisMsg)) stackMsg;
+    }
+
+    bcopy(pingMsg, thisMsg, msgSize);
+    thisMsg->notifyHeader.type = type;
+    data = (IOServiceInterestContent64 *) (((uint8_t *) thisMsg) + msgSize);
+	// == pingMsg->notifyHeader.content;
     data->messageType = messageType;
 
-    if( argSize == 0)
+    if (callerArgSize == 0)
     {
 	data->messageArgument[0] = (io_user_reference_t) messageArgument;
-	if (clientIs64)
-	    argSize = sizeof(data->messageArgument[0]);
-	else
+	if (!clientIs64)
 	{
 	    data->messageArgument[0] |= (data->messageArgument[0] << 32);
-	    argSize = sizeof(messageArgument);
 	}
     }
     else
     {
-        if( argSize > kIOUserNotifyMaxMessageSize)
-            argSize = kIOUserNotifyMaxMessageSize;
-        bcopy( messageArgument, data->messageArgument, argSize );
-    }
-    pingMsg->msgHdr.msgh_size = msgSize - pingMsg->notifyHeader.size
-        + sizeof( IOServiceInterestContent64 )
-        - sizeof( data->messageArgument)
-        + argSize;
+        bcopy( messageArgument, data->messageArgument, callerArgSize );
+        bzero((void *)(((uintptr_t) &data->messageArgument[0]) + callerArgSize), argSize - callerArgSize);
+    }
+
+    thisMsg->notifyHeader.type = type;
+    thisMsg->msgHdr.msgh_size  = thisMsgSize;
 
     providerPort = iokit_port_for_object( provider, IKOT_IOKIT_OBJECT );
-    pingMsg->ports[0].name = providerPort;
+    thisMsg->ports[0].name = providerPort;
     thisPort = iokit_port_for_object( this, IKOT_IOKIT_OBJECT );
-    pingMsg->msgHdr.msgh_local_port = thisPort;
-    kr = mach_msg_send_from_kernel( &pingMsg->msgHdr,
-				    pingMsg->msgHdr.msgh_size);
+    thisMsg->msgHdr.msgh_local_port = thisPort;
+
+    kr = mach_msg_send_from_kernel_with_options( &thisMsg->msgHdr,
+						 thisMsg->msgHdr.msgh_size,
+						 (MACH_SEND_MSG | MACH_SEND_ALWAYS | MACH_SEND_IMPORTANCE),
+						 0);
     if( thisPort)
 	iokit_release_port( thisPort );
     if( providerPort)
 	iokit_release_port( providerPort );
 
-    if( KERN_SUCCESS != kr)
-        IOLog("%s: mach_msg_send_from_kernel {%x}\n", __FILE__, kr );
+    if (allocMsg)
+        IOFree(allocMsg, thisMsgSize);
+
+    if((KERN_SUCCESS != kr) && !ipcLogged)
+    {
+        ipcLogged = true;
+        IOLog("%s: mach_msg_send_from_kernel_proper (0x%x)\n", __PRETTY_FUNCTION__, kr );
+    }
 
     return( kIOReturnSuccess );
 }
@@ -796,21 +1074,23 @@
 #define super IOService
 OSDefineMetaClassAndAbstractStructors( IOUserClient, IOService )
 
+IOLock       * gIOUserClientOwnersLock;
+
 void IOUserClient::initialize( void )
 {
-    gIOObjectPortLock = IOLockAlloc();
-
-    assert( gIOObjectPortLock );
+    gIOObjectPortLock       = IOLockAlloc();
+    gIOUserClientOwnersLock = IOLockAlloc();
+    assert(gIOObjectPortLock && gIOUserClientOwnersLock);
 }
 
 void IOUserClient::setAsyncReference(OSAsyncReference asyncRef,
                                      mach_port_t wakePort,
                                      void *callback, void *refcon)
 {
-    asyncRef[kIOAsyncReservedIndex]      = ((natural_t) wakePort) 
+    asyncRef[kIOAsyncReservedIndex]      = ((uintptr_t) wakePort) 
 					 | (kIOUCAsync0Flags & asyncRef[kIOAsyncReservedIndex]);
-    asyncRef[kIOAsyncCalloutFuncIndex]   = (natural_t) callback;
-    asyncRef[kIOAsyncCalloutRefconIndex] = (natural_t) refcon;
+    asyncRef[kIOAsyncCalloutFuncIndex]   = (uintptr_t) callback;
+    asyncRef[kIOAsyncCalloutRefconIndex] = (uintptr_t) refcon;
 }
 
 void IOUserClient::setAsyncReference64(OSAsyncReference64 asyncRef,
@@ -823,7 +1103,17 @@
     asyncRef[kIOAsyncCalloutRefconIndex] = refcon;
 }
 
-inline OSDictionary * CopyConsoleUser(UInt32 uid)
+void IOUserClient::setAsyncReference64(OSAsyncReference64 asyncRef,
+					mach_port_t wakePort,
+					mach_vm_address_t callback, io_user_reference_t refcon, task_t task)
+{
+    setAsyncReference64(asyncRef, wakePort, callback, refcon);
+    if (vm_map_is_64bit(get_task_map(task))) {
+            asyncRef[kIOAsyncReservedIndex] |= kIOUCAsync64Flag;
+    }
+}
+
+static OSDictionary * CopyConsoleUser(UInt32 uid)
 {
 	OSArray * array;
 	OSDictionary * user = 0; 
@@ -847,6 +1137,52 @@
     return user;
 }
 
+static OSDictionary * CopyUserOnConsole(void)
+{
+    OSArray * array;
+    OSDictionary * user = 0; 
+    
+    if ((array = OSDynamicCast(OSArray,
+	IORegistryEntry::getRegistryRoot()->copyProperty(gIOConsoleUsersKey))))
+    {
+	for (unsigned int idx = 0;
+		(user = OSDynamicCast(OSDictionary, array->getObject(idx)));
+		idx++)
+	{
+	    if (kOSBooleanTrue == user->getObject(gIOConsoleSessionOnConsoleKey))
+	    {
+		user->retain();
+		break;
+	    }
+	}
+	array->release();
+    }
+    return (user);
+}
+
+IOReturn IOUserClient::clientHasAuthorization( task_t task,
+                                               IOService * service )
+{
+    proc_t p;
+    
+    p = (proc_t) get_bsdtask_info(task);
+    if (p)
+    {
+        uint64_t authorizationID;
+
+        authorizationID = proc_uniqueid(p);
+        if (authorizationID)
+        {
+            if (service->getAuthorizationID() == authorizationID)
+            {
+                return (kIOReturnSuccess);
+            }
+        }
+    }
+
+    return (kIOReturnNotPermitted);
+}
+
 IOReturn IOUserClient::clientHasPrivilege( void * securityToken,
                                             const char * privilegeName )
 {
@@ -857,26 +1193,70 @@
     OSDictionary *          user;
     bool                    secureConsole;
 
-    if ((secureConsole = !strcmp(privilegeName, kIOClientPrivilegeSecureConsoleProcess)))
+
+    if (!strncmp(privilegeName, kIOClientPrivilegeForeground, 
+                sizeof(kIOClientPrivilegeForeground)))
+    {
+	if (task_is_gpu_denied(current_task()))
+		return (kIOReturnNotPrivileged);
+	else
+		return (kIOReturnSuccess);
+    }
+
+    if (!strncmp(privilegeName, kIOClientPrivilegeConsoleSession,
+                                sizeof(kIOClientPrivilegeConsoleSession)))
+    {
+	kauth_cred_t cred;
+	proc_t       p;
+
+        task = (task_t) securityToken;
+	if (!task)
+	    task = current_task();
+	p = (proc_t) get_bsdtask_info(task);
+	kr = kIOReturnNotPrivileged;
+
+	if (p && (cred = kauth_cred_proc_ref(p)))
+	{
+	    user = CopyUserOnConsole();
+	    if (user)
+	    {
+		OSNumber * num;
+		if ((num = OSDynamicCast(OSNumber, user->getObject(gIOConsoleSessionAuditIDKey)))
+		  && (cred->cr_audit.as_aia_p->ai_asid == (au_asid_t) num->unsigned32BitValue()))
+		{
+		    kr = kIOReturnSuccess;
+		}
+		user->release();
+	    }
+	    kauth_cred_unref(&cred);
+	}
+	return (kr);
+    }
+
+    if ((secureConsole = !strncmp(privilegeName, kIOClientPrivilegeSecureConsoleProcess,
+            sizeof(kIOClientPrivilegeSecureConsoleProcess))))
         task = (task_t)((IOUCProcessToken *)securityToken)->token;
     else
         task = (task_t)securityToken;
-    
+
     count = TASK_SECURITY_TOKEN_COUNT;
     kr = task_info( task, TASK_SECURITY_TOKEN, (task_info_t) &token, &count );
 
     if (KERN_SUCCESS != kr)
     {}
-    else if (!strcmp(privilegeName, kIOClientPrivilegeAdministrator)) {
+    else if (!strncmp(privilegeName, kIOClientPrivilegeAdministrator, 
+                sizeof(kIOClientPrivilegeAdministrator))) {
         if (0 != token.val[0])
             kr = kIOReturnNotPrivileged;
-    } else if (!strcmp(privilegeName, kIOClientPrivilegeLocalUser)) {
+    } else if (!strncmp(privilegeName, kIOClientPrivilegeLocalUser,
+                sizeof(kIOClientPrivilegeLocalUser))) {
         user = CopyConsoleUser(token.val[0]);
         if ( user )
             user->release();
         else
             kr = kIOReturnNotPrivileged;            
-    } else if (secureConsole || !strcmp(privilegeName, kIOClientPrivilegeConsoleUser)) {
+    } else if (secureConsole || !strncmp(privilegeName, kIOClientPrivilegeConsoleUser,
+                                    sizeof(kIOClientPrivilegeConsoleUser))) {
         user = CopyConsoleUser(token.val[0]);
         if ( user ) {
             if (user->getObject(gIOConsoleSessionOnConsoleKey) != kOSBooleanTrue)
@@ -896,30 +1276,106 @@
     return (kr);
 }
 
+OSObject * IOUserClient::copyClientEntitlement( task_t task,
+                                                const char * entitlement )
+{
+#define	MAX_ENTITLEMENTS_LEN	(128 * 1024)
+
+	proc_t p = NULL;
+	pid_t pid = 0;
+	char procname[MAXCOMLEN + 1] = "";
+	size_t len = 0;
+	void *entitlements_blob = NULL;
+	char *entitlements_data = NULL;
+	OSObject *entitlements_obj = NULL;
+	OSDictionary *entitlements = NULL;
+	OSString *errorString = NULL;
+	OSObject *value = NULL;
+
+	p = (proc_t)get_bsdtask_info(task);
+	if (p == NULL)
+		goto fail;
+	pid = proc_pid(p);
+	proc_name(pid, procname, (int)sizeof(procname));
+
+	if (cs_entitlements_blob_get(p, &entitlements_blob, &len) != 0)
+		goto fail;
+
+	if (len <= offsetof(CS_GenericBlob, data))
+		goto fail;
+
+	/*
+	 * Per <rdar://problem/11593877>, enforce a limit on the amount of XML
+	 * we'll try to parse in the kernel.
+	 */
+	len -= offsetof(CS_GenericBlob, data);
+	if (len > MAX_ENTITLEMENTS_LEN) {
+		IOLog("failed to parse entitlements for %s[%u]: %lu bytes of entitlements exceeds maximum of %u\n", procname, pid, len, MAX_ENTITLEMENTS_LEN);
+		goto fail;
+	}
+
+	/*
+	 * OSUnserializeXML() expects a nul-terminated string, but that isn't
+	 * what is stored in the entitlements blob.  Copy the string and
+	 * terminate it.
+	 */
+	entitlements_data = (char *)IOMalloc(len + 1);
+	if (entitlements_data == NULL)
+		goto fail;
+	memcpy(entitlements_data, ((CS_GenericBlob *)entitlements_blob)->data, len);
+	entitlements_data[len] = '\0';
+
+	entitlements_obj = OSUnserializeXML(entitlements_data, len + 1, &errorString);
+	if (errorString != NULL) {
+		IOLog("failed to parse entitlements for %s[%u]: %s\n", procname, pid, errorString->getCStringNoCopy());
+		goto fail;
+	}
+	if (entitlements_obj == NULL)
+		goto fail;
+
+	entitlements = OSDynamicCast(OSDictionary, entitlements_obj);
+	if (entitlements == NULL)
+		goto fail;
+
+	/* Fetch the entitlement value from the dictionary. */
+	value = entitlements->getObject(entitlement);
+	if (value != NULL)
+		value->retain();
+
+fail:
+	if (entitlements_data != NULL)
+		IOFree(entitlements_data, len + 1);
+	if (entitlements_obj != NULL)
+		entitlements_obj->release();
+	if (errorString != NULL)
+		errorString->release();
+	return value;
+}
+
 bool IOUserClient::init()
 {
-    if( getPropertyTable())
-        return true;
-    else
-        return super::init();
+	if (getPropertyTable() || super::init())
+		return reserve();
+	
+	return false;
 }
 
 bool IOUserClient::init(OSDictionary * dictionary)
 {
-    if( getPropertyTable())
-        return true;
-    else
-        return super::init(dictionary);
+	if (getPropertyTable() || super::init(dictionary))
+		return reserve();
+	
+	return false;
 }
 
 bool IOUserClient::initWithTask(task_t owningTask,
                                 void * securityID,
                                 UInt32 type )
-{
-    if( getPropertyTable())
-        return true;
-    else
-        return super::init();
+{	
+	if (getPropertyTable() || super::init())
+		return reserve();
+	
+	return false;
 }
 
 bool IOUserClient::initWithTask(task_t owningTask,
@@ -935,17 +1391,160 @@
     return( ok );
 }
 
+bool IOUserClient::reserve()
+{		
+    if(!reserved) {
+	reserved = IONew(ExpansionData, 1);
+	if (!reserved) {
+	    return false;
+	}
+    }
+    setTerminateDefer(NULL, true);
+    IOStatisticsRegisterCounter();
+    
+    return true;
+}
+
+struct IOUserClientOwner
+{
+    task_t         task;
+    queue_chain_t  taskLink;
+    IOUserClient * uc;
+    queue_chain_t  ucLink;
+};
+
+IOReturn
+IOUserClient::registerOwner(task_t task)
+{
+    IOUserClientOwner * owner;
+    IOReturn            ret;
+    bool                newOwner;
+
+    IOLockLock(gIOUserClientOwnersLock);
+
+    newOwner = true;
+    ret = kIOReturnSuccess;
+
+    if (!owners.next) queue_init(&owners);
+    else
+    {
+        queue_iterate(&owners, owner, IOUserClientOwner *, ucLink)
+        {
+            if (task != owner->task) continue;
+            newOwner = false;
+            break;
+        }
+    }
+    if (newOwner)
+    {
+        owner = IONew(IOUserClientOwner, 1);
+        if (!newOwner) ret = kIOReturnNoMemory;
+        else
+        {
+            owner->task = task;
+            owner->uc   = this;
+            queue_enter_first(&owners, owner, IOUserClientOwner *, ucLink);
+            queue_enter_first(task_io_user_clients(task), owner, IOUserClientOwner *, taskLink);
+        }
+    }
+
+    IOLockUnlock(gIOUserClientOwnersLock);
+
+    return (ret);
+}
+
+void
+IOUserClient::noMoreSenders(void)
+{
+    IOUserClientOwner * owner;
+
+    IOLockLock(gIOUserClientOwnersLock);
+
+    if (owners.next)
+    {
+        while (!queue_empty(&owners))
+        {
+            owner = (IOUserClientOwner *)(void *) queue_first(&owners);
+            queue_remove(task_io_user_clients(owner->task), owner, IOUserClientOwner *, taskLink);
+            queue_remove(&owners, owner, IOUserClientOwner *, ucLink);
+            IODelete(owner, IOUserClientOwner, 1);
+        }
+        owners.next = owners.prev = NULL;
+    }
+
+    IOLockUnlock(gIOUserClientOwnersLock);
+}
+
+extern "C" kern_return_t
+iokit_task_terminate(task_t task)
+{
+    IOUserClientOwner * owner;
+    IOUserClient      * dead;
+    IOUserClient      * uc;
+    queue_head_t      * taskque;
+
+    IOLockLock(gIOUserClientOwnersLock);
+
+    taskque = task_io_user_clients(task);
+    dead = NULL;
+    while (!queue_empty(taskque))
+    {
+        owner = (IOUserClientOwner *)(void *) queue_first(taskque);
+        uc = owner->uc;
+        queue_remove(taskque, owner, IOUserClientOwner *, taskLink);
+        queue_remove(&uc->owners, owner, IOUserClientOwner *, ucLink);
+        if (queue_empty(&uc->owners))
+        {
+            uc->retain();
+            IOLog("destroying out of band connect for %s\n", uc->getName());
+            // now using the uc queue head as a singly linked queue,
+            // leaving .next as NULL to mark it empty
+            uc->owners.next = NULL;
+            uc->owners.prev = (queue_entry_t) dead;
+            dead = uc;
+        }
+        IODelete(owner, IOUserClientOwner, 1);
+    }
+
+    IOLockUnlock(gIOUserClientOwnersLock);
+
+    while (dead)
+    {
+        uc = dead;
+        dead = (IOUserClient *)(void *) dead->owners.prev;
+        uc->owners.prev = NULL;
+        if (uc->sharedInstance || !uc->closed) uc->clientDied();
+        uc->release();
+    }
+
+    return (KERN_SUCCESS);
+}
+
 void IOUserClient::free()
 {
-    if( mappings)
-        mappings->release();
-
+    if( mappings) mappings->release();
+    if (lock) IOLockFree(lock);
+		
+    IOStatisticsUnregisterCounter();
+
+    assert(!owners.next);
+    assert(!owners.prev);
+
+    if (reserved) IODelete(reserved, ExpansionData, 1);
+		
     super::free();
 }
 
 IOReturn IOUserClient::clientDied( void )
 {
-    return( clientClose());
+    IOReturn ret = kIOReturnNotReady;
+
+    if (sharedInstance || OSCompareAndSwap8(0, 1, &closed)) 
+    {
+	ret = clientClose();
+    }
+
+    return (ret);
 }
 
 IOReturn IOUserClient::clientClose( void )
@@ -966,6 +1565,14 @@
     return( kIOReturnUnsupported);
 }
 
+IOReturn IOUserClient::registerNotificationPort(
+		mach_port_t port,
+		UInt32		type,
+		io_user_reference_t refCon)
+{
+    return (registerNotificationPort(port, type, (UInt32) refCon));
+}
+
 IOReturn IOUserClient::getNotificationSemaphore( UInt32 notification_type,
                                     semaphore_t * semaphore )
 {
@@ -984,29 +1591,16 @@
     return( kIOReturnUnsupported);
 }
 
+#if !__LP64__
 IOMemoryMap * IOUserClient::mapClientMemory( 
 	IOOptionBits		type,
 	task_t			task,
 	IOOptionBits		mapFlags,
 	IOVirtualAddress	atAddress )
 {
-    IOReturn		err;
-    IOOptionBits	options = 0;
-    IOMemoryDescriptor * memory;
-    IOMemoryMap *	map = 0;
-
-    err = clientMemoryForType( (UInt32) type, &options, &memory );
-
-    if( memory && (kIOReturnSuccess == err)) {
-
-        options = (options & ~kIOMapUserOptionsMask)
-		| (mapFlags & kIOMapUserOptionsMask);
-	map = memory->map( task, atAddress, options );
-	memory->release();
-    }
-
-    return( map );
-}
+    return (NULL);
+}
+#endif
 
 IOMemoryMap * IOUserClient::mapClientMemory64( 
 	IOOptionBits		type,
@@ -1016,17 +1610,21 @@
 {
     IOReturn		err;
     IOOptionBits	options = 0;
-    IOMemoryDescriptor * memory;
+    IOMemoryDescriptor * memory = 0;
     IOMemoryMap *	map = 0;
 
     err = clientMemoryForType( (UInt32) type, &options, &memory );
 
     if( memory && (kIOReturnSuccess == err)) {
+
+        FAKE_STACK_FRAME(getMetaClass());
 
         options = (options & ~kIOMapUserOptionsMask)
 		| (mapFlags & kIOMapUserOptionsMask);
 	map = memory->createMappingInTask( task, atAddress, options );
 	memory->release();
+
+        FAKE_STACK_FRAME_END();
     }
 
     return( map );
@@ -1038,12 +1636,43 @@
     mach_port_name_t	name;
 
     name = IOMachPort::makeSendRightForTask( task, obj, IKOT_IOKIT_OBJECT );
-    assert( name );
 
     *(mach_port_name_t *)clientObj = name;
+
+    if (obj) obj->release();
+
     return kIOReturnSuccess;
 }
 
+IOReturn IOUserClient::copyPortNameForObjectInTask(task_t task,
+			OSObject *obj, mach_port_name_t * port_name)
+{
+    mach_port_name_t	name;
+
+    name = IOMachPort::makeSendRightForTask( task, obj, IKOT_IOKIT_IDENT );
+
+    *(mach_port_name_t *) port_name = name;
+
+    return kIOReturnSuccess;
+}
+
+IOReturn IOUserClient::copyObjectForPortNameInTask(task_t task, mach_port_name_t port_name,
+			OSObject **obj)
+{
+    OSObject * object;
+
+    object = iokit_lookup_object_with_port_name(port_name, IKOT_IOKIT_IDENT, task);
+
+    *obj = object;
+
+    return (object ? kIOReturnSuccess : kIOReturnIPCError);
+}
+
+IOReturn IOUserClient::adjustPortNameReferencesInTask(task_t task, mach_port_name_t port_name, mach_port_delta_t delta)
+{
+    return (iokit_mod_send_right(task, port_name, delta));
+}
+
 IOExternalMethod * IOUserClient::getExternalMethodForIndex( UInt32 /* index */)
 {
     return( 0 );
@@ -1054,6 +1683,17 @@
     return( 0 );
 }
 
+IOExternalTrap * IOUserClient::
+getExternalTrapForIndex(UInt32 index)
+{
+	return NULL;
+}
+
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
+
+// Suppressing the deprecated-declarations warning. Avoiding the use of deprecated
+// functions can break clients of kexts implementing getExternalMethodForIndex()
 IOExternalMethod * IOUserClient::
 getTargetAndMethodForIndex(IOService **targetP, UInt32 index)
 {
@@ -1074,12 +1714,6 @@
         *targetP = (IOService *) method->object;
 
     return method;
-}
-
-IOExternalTrap * IOUserClient::
-getExternalTrapForIndex(UInt32 index)
-{
-	return NULL;
 }
 
 IOExternalTrap * IOUserClient::
@@ -1093,6 +1727,26 @@
 
       return trap;
 }
+#pragma clang diagnostic pop
+
+IOReturn IOUserClient::releaseAsyncReference64(OSAsyncReference64 reference)
+{
+    mach_port_t port;
+    port = (mach_port_t) (reference[0] & ~kIOUCAsync0Flags);
+
+    if (MACH_PORT_NULL != port)
+	iokit_release_port_send(port);
+
+    return (kIOReturnSuccess);
+}
+
+IOReturn IOUserClient::releaseNotificationPort(mach_port_t port)
+{
+    if (MACH_PORT_NULL != port)
+	iokit_release_port_send(port);
+
+    return (kIOReturnSuccess);
+}
 
 IOReturn IOUserClient::sendAsyncResult(OSAsyncReference reference,
                                        IOReturn result, void *args[], UInt32 numArgs)
@@ -1113,8 +1767,20 @@
     return (sendAsyncResult64(reference64, result, args64, numArgs));
 }
 
+IOReturn IOUserClient::sendAsyncResult64WithOptions(OSAsyncReference64 reference,
+                                        IOReturn result, io_user_reference_t args[], UInt32 numArgs, IOOptionBits options)
+{
+	return _sendAsyncResult64(reference, result, args, numArgs, options);
+}
+
 IOReturn IOUserClient::sendAsyncResult64(OSAsyncReference64 reference,
                                         IOReturn result, io_user_reference_t args[], UInt32 numArgs)
+{
+        return _sendAsyncResult64(reference, result, args, numArgs, 0);
+}
+
+IOReturn IOUserClient::_sendAsyncResult64(OSAsyncReference64 reference,
+                                        IOReturn result, io_user_reference_t args[], UInt32 numArgs, IOOptionBits options)
 {
     struct ReplyMsg
     {
@@ -1131,8 +1797,7 @@
 	    {
 		OSNotificationHeader64	 notifyHdr;
 		IOAsyncCompletionContent asyncContent;
-		uint32_t		 pad;
-		io_user_reference_t	 args[kMaxAsyncArgs];
+		io_user_reference_t	 args[kMaxAsyncArgs] __attribute__ ((packed));
 	    } msg64;
 	} m;
     };
@@ -1148,6 +1813,7 @@
     if (numArgs > kMaxAsyncArgs)
         return kIOReturnMessageTooLarge;
 
+    bzero(&replyMsg, sizeof(replyMsg));
     replyMsg.msgHdr.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND /*remote*/,
 						0 /*local*/);
     replyMsg.msgHdr.msgh_remote_port = replyPort;
@@ -1159,7 +1825,6 @@
 	    sizeof(replyMsg.msgHdr) + sizeof(replyMsg.m.msg64) 
 	    - (kMaxAsyncArgs - numArgs) * sizeof(io_user_reference_t);
 	replyMsg.m.msg64.notifyHdr.size = sizeof(IOAsyncCompletionContent)
-					+ sizeof(uint32_t)
 					+ numArgs * sizeof(io_user_reference_t);
 	replyMsg.m.msg64.notifyHdr.type = kIOAsyncCompletionNotificationType;
 	bcopy(reference, replyMsg.m.msg64.notifyHdr.reference, sizeof(OSAsyncReference64));
@@ -1189,10 +1854,19 @@
 	    replyMsg.m.msg32.args[idx] = REF32(args[idx]);
     }
 
-     kr = mach_msg_send_from_kernel( &replyMsg.msgHdr,
-            replyMsg.msgHdr.msgh_size);
-    if( KERN_SUCCESS != kr)
-        IOLog("%s: mach_msg_send_from_kernel {%x}\n", __FILE__, kr );
+	if ((options & kIOUserNotifyOptionCanDrop) != 0) { 
+		kr = mach_msg_send_from_kernel_with_options( &replyMsg.msgHdr,
+										 replyMsg.msgHdr.msgh_size, MACH_SEND_TIMEOUT, MACH_MSG_TIMEOUT_NONE);
+	} else {
+		/* Fail on full queue. */
+		kr = mach_msg_send_from_kernel_proper( &replyMsg.msgHdr,
+										 replyMsg.msgHdr.msgh_size);
+	}
+    if ((KERN_SUCCESS != kr) && (MACH_SEND_TIMED_OUT != kr) && !(kIOUCAsyncErrorLoggedFlag & reference[0]))
+    {
+        reference[0] |= kIOUCAsyncErrorLoggedFlag;
+        IOLog("%s: mach_msg_send_from_kernel_proper(0x%x)\n", __PRETTY_FUNCTION__, kr );
+    }
     return kr;
 }
 
@@ -1206,22 +1880,63 @@
 	if( !(out = OSDynamicCast( cls, obj)))	\
 	    return( kIOReturnBadArgument )
 
+#define CHECKLOCKED(cls,obj,out)					\
+	IOUserIterator * oIter;						\
+	cls * out;							\
+	if( !(oIter = OSDynamicCast(IOUserIterator, obj)))		\
+	    return (kIOReturnBadArgument);				\
+	if( !(out = OSDynamicCast(cls, oIter->userIteratorObject)))	\
+	    return (kIOReturnBadArgument)
+
+/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+// Create a vm_map_copy_t or kalloc'ed data for memory
+// to be copied out. ipc will free after the copyout.
+
+static kern_return_t copyoutkdata( const void * data, vm_size_t len,
+                                    io_buf_ptr_t * buf )
+{
+    kern_return_t	err;
+    vm_map_copy_t	copy;
+
+    err = vm_map_copyin( kernel_map, CAST_USER_ADDR_T(data), len,
+                    false /* src_destroy */, &copy);
+
+    assert( err == KERN_SUCCESS );
+    if( err == KERN_SUCCESS )
+        *buf = (char *) copy;
+
+    return( err );
+}
+
+/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+/* Routine io_server_version */
+kern_return_t is_io_server_version(
+	mach_port_t master_port,
+	uint64_t *version)
+{
+    *version = IOKIT_SERVER_VERSION;
+    return (kIOReturnSuccess);
+}
+
 /* Routine io_object_get_class */
 kern_return_t is_io_object_get_class(
-	io_object_t object,
-	io_name_t className )
-{
-	const OSMetaClass* my_obj = NULL;
-
+    io_object_t object,
+    io_name_t className )
+{
+    const OSMetaClass* my_obj = NULL;
+	
     if( !object)
         return( kIOReturnBadArgument );
 		
-	my_obj = object->getMetaClass();
-	if (!my_obj) {
-		return (kIOReturnNotFound);
-	}
-	
-    strcpy( className, my_obj->getClassName());
+    my_obj = object->getMetaClass();
+    if (!my_obj) {
+        return (kIOReturnNotFound);
+    }
+
+    strlcpy( className, my_obj->getClassName(), sizeof(io_name_t));
+
     return( kIOReturnSuccess );
 }
 
@@ -1231,38 +1946,36 @@
 	io_name_t obj_name, 
 	io_name_t class_name)
 {
-	const OSMetaClass* my_obj = NULL;
-	const OSMetaClass* superclass = NULL;
-	const OSSymbol *my_name = NULL;
-	const char *my_cstr = NULL;
-
-	if (!obj_name || !class_name) 
-		return (kIOReturnBadArgument);
-
-    if( master_port != master_device_port)
-        return( kIOReturnNotPrivileged);
-
-	my_name = OSSymbol::withCString(obj_name);
-	
-	if (my_name) {
-		my_obj = OSMetaClass::getMetaClassWithName(my_name);
-		my_name->release();
-	}
-	if (my_obj) {
-		superclass = my_obj->getSuperClass();
-	}
-	
-	if (!superclass)  {
-		return( kIOReturnNotFound );
-	}
-
-	my_cstr = superclass->getClassName();
-		
-	if (my_cstr) {
-		strlcpy(class_name, my_cstr, sizeof(io_name_t));
-		return( kIOReturnSuccess );
-	}
-	return (kIOReturnNotFound);
+    IOReturn            ret;
+    const OSMetaClass * meta;
+    const OSMetaClass * super;
+    const OSSymbol    * name;
+    const char        * cstr;
+
+    if (!obj_name || !class_name)          return (kIOReturnBadArgument);
+    if (master_port != master_device_port) return( kIOReturnNotPrivileged);
+
+    ret = kIOReturnNotFound;
+    meta = 0;
+    do
+    {
+        name = OSSymbol::withCString(obj_name);
+        if (!name) break;
+        meta = OSMetaClass::copyMetaClassWithName(name);
+        if (!meta) break;
+        super = meta->getSuperClass();
+        if (!super) break;
+        cstr = super->getClassName();
+        if (!cstr) break;
+        strlcpy(class_name, cstr, sizeof(io_name_t));
+        ret = kIOReturnSuccess;
+    }
+    while (false);
+
+    OSSafeReleaseNULL(name);
+    if (meta) meta->releaseMetaClass();
+
+    return (ret);
 }
 
 /* Routine io_object_get_bundle_identifier */
@@ -1271,38 +1984,36 @@
 	io_name_t obj_name, 
 	io_name_t bundle_name)
 {
-	const OSMetaClass* my_obj = NULL;
-	const OSSymbol *my_name = NULL;
-	const OSSymbol *identifier = NULL;
-	const char *my_cstr = NULL;
-
-	if (!obj_name || !bundle_name) 
-		return (kIOReturnBadArgument);
-
-    if( master_port != master_device_port)
-        return( kIOReturnNotPrivileged);
-	
-	my_name = OSSymbol::withCString(obj_name);	
-	
-	if (my_name) {
-		my_obj = OSMetaClass::getMetaClassWithName(my_name);
-		my_name->release();
-	}
-
-	if (my_obj) {
-		identifier = my_obj->getKmodName();
-	}
-	if (!identifier) {
-		return( kIOReturnNotFound );
-	}
-	
-	my_cstr = identifier->getCStringNoCopy();
-	if (my_cstr) {
-		strlcpy(bundle_name, identifier->getCStringNoCopy(), sizeof(io_name_t));
-		return( kIOReturnSuccess );
-	}
-
-	return (kIOReturnBadArgument);
+    IOReturn            ret;
+    const OSMetaClass * meta;
+    const OSSymbol    * name;
+    const OSSymbol    * identifier;
+    const char        * cstr;
+
+    if (!obj_name || !bundle_name)         return (kIOReturnBadArgument);
+    if (master_port != master_device_port) return( kIOReturnNotPrivileged);
+
+    ret = kIOReturnNotFound;
+    meta = 0;
+    do
+    {
+        name = OSSymbol::withCString(obj_name);
+        if (!name) break;
+        meta = OSMetaClass::copyMetaClassWithName(name);
+        if (!meta) break;
+        identifier = meta->getKmodName();
+        if (!identifier) break;
+        cstr = identifier->getCStringNoCopy();
+        if (!cstr) break;
+        strlcpy(bundle_name, identifier->getCStringNoCopy(), sizeof(io_name_t));
+        ret = kIOReturnSuccess;
+    }
+    while (false);
+
+    OSSafeReleaseNULL(name);
+    if (meta) meta->releaseMetaClass();
+
+    return (ret);
 }
 
 /* Routine io_object_conforms_to */
@@ -1315,6 +2026,7 @@
         return( kIOReturnBadArgument );
 
     *conforms = (0 != object->metaCast( className ));
+
     return( kIOReturnSuccess );
 }
 
@@ -1335,6 +2047,7 @@
 	io_object_t iterator,
 	io_object_t *object )
 {
+    IOReturn    ret;
     OSObject *	obj;
 
     CHECK( OSIterator, iterator, iter );
@@ -1343,9 +2056,11 @@
     if( obj) {
 	obj->retain();
 	*object = obj;
-        return( kIOReturnSuccess );
+        ret = kIOReturnSuccess;
     } else
-        return( kIOReturnNoDevice );
+        ret = kIOReturnNoDevice;
+
+    return (ret);
 }
 
 /* Routine io_iterator_reset */
@@ -1371,11 +2086,12 @@
     return( kIOReturnSuccess );
 }
 
-/* Routine io_service_match_property_table */
-kern_return_t is_io_service_match_property_table(
+
+static kern_return_t internal_io_service_match_property_table(
 	io_service_t _service,
-	io_string_t matching,
-	boolean_t *matches )
+	const char * matching,
+	mach_msg_type_number_t matching_size,
+	boolean_t *matches)
 {
     CHECK( IOService, _service, service );
 
@@ -1383,7 +2099,8 @@
     OSObject *		obj;
     OSDictionary *	dict;
 
-    obj = OSUnserializeXML( matching );
+    assert(matching_size);
+    obj = OSUnserializeXML(matching, matching_size);
 
     if( (dict = OSDynamicCast( OSDictionary, obj))) {
         *matches = service->passiveMatch( dict );
@@ -1396,6 +2113,16 @@
 
     return( kr );
 }
+
+/* Routine io_service_match_property_table */
+kern_return_t is_io_service_match_property_table(
+	io_service_t service,
+	io_string_t matching,
+	boolean_t *matches )
+{
+    return (kIOReturnUnsupported);
+}
+
 
 /* Routine io_service_match_property_table_ool */
 kern_return_t is_io_service_match_property_table_ool(
@@ -1405,19 +2132,57 @@
 	kern_return_t *result,
 	boolean_t *matches )
 {
-    kern_return_t	kr;
-    vm_offset_t 	data;
-    vm_map_offset_t	map_data;
+    kern_return_t	  kr;
+    vm_offset_t 	  data;
+    vm_map_offset_t	  map_data;
 
     kr = vm_map_copyout( kernel_map, &map_data, (vm_map_copy_t) matching );
     data = CAST_DOWN(vm_offset_t, map_data);
 
     if( KERN_SUCCESS == kr) {
         // must return success after vm_map_copyout() succeeds
-	*result = is_io_service_match_property_table( service,
-		(char *) data, matches );
+	*result = internal_io_service_match_property_table(service,
+		(const char *)data, matchingCnt, matches );
 	vm_deallocate( kernel_map, data, matchingCnt );
     }
+
+    return( kr );
+}
+
+/* Routine io_service_match_property_table_bin */
+kern_return_t is_io_service_match_property_table_bin(
+	io_object_t service,
+	io_struct_inband_t matching,
+	mach_msg_type_number_t matchingCnt,
+	boolean_t *matches)
+{
+    return (internal_io_service_match_property_table(service, matching, matchingCnt, matches));
+}
+
+static kern_return_t internal_io_service_get_matching_services(
+	mach_port_t master_port,
+	const char * matching,
+	mach_msg_type_number_t matching_size,
+	io_iterator_t *existing )
+{
+    kern_return_t	kr;
+    OSObject *		obj;
+    OSDictionary *	dict;
+
+    if( master_port != master_device_port)
+        return( kIOReturnNotPrivileged);
+
+    assert(matching_size);
+    obj = OSUnserializeXML(matching, matching_size);
+
+    if( (dict = OSDynamicCast( OSDictionary, obj))) {
+        *existing = IOUserIterator::withIterator(IOService::getMatchingServices( dict ));
+	kr = kIOReturnSuccess;
+    } else
+	kr = kIOReturnBadArgument;
+
+    if( obj)
+        obj->release();
 
     return( kr );
 }
@@ -1428,25 +2193,7 @@
 	io_string_t matching,
 	io_iterator_t *existing )
 {
-    kern_return_t	kr;
-    OSObject *		obj;
-    OSDictionary *	dict;
-
-    if( master_port != master_device_port)
-        return( kIOReturnNotPrivileged);
-
-    obj = OSUnserializeXML( matching );
-
-    if( (dict = OSDynamicCast( OSDictionary, obj))) {
-        *existing = IOService::getMatchingServices( dict );
-	kr = kIOReturnSuccess;
-    } else
-	kr = kIOReturnBadArgument;
-
-    if( obj)
-        obj->release();
-
-    return( kr );
+    return (kIOReturnUnsupported);
 }
 
 /* Routine io_service_get_matching_services_ool */
@@ -1466,18 +2213,106 @@
 
     if( KERN_SUCCESS == kr) {
         // must return success after vm_map_copyout() succeeds
-	*result = is_io_service_get_matching_services( master_port,
-			(char *) data, existing );
+        // and mig will copy out objects on success
+        *existing = 0;
+	*result = internal_io_service_get_matching_services(master_port,
+			(const char *) data, matchingCnt, existing);
 	vm_deallocate( kernel_map, data, matchingCnt );
     }
 
     return( kr );
+}
+
+/* Routine io_service_get_matching_services_bin */
+kern_return_t is_io_service_get_matching_services_bin(
+	mach_port_t master_port,
+	io_struct_inband_t matching,
+	mach_msg_type_number_t matchingCnt,
+	io_object_t *existing)
+{
+    return (internal_io_service_get_matching_services(master_port, matching, matchingCnt, existing));
+}
+
+
+static kern_return_t internal_io_service_get_matching_service(
+	mach_port_t master_port,
+	const char * matching,
+	mach_msg_type_number_t matching_size,
+	io_service_t *service )
+{
+    kern_return_t	kr;
+    OSObject *		obj;
+    OSDictionary *	dict;
+
+    if( master_port != master_device_port)
+        return( kIOReturnNotPrivileged);
+
+    assert(matching_size);
+    obj = OSUnserializeXML(matching, matching_size);
+
+    if( (dict = OSDynamicCast( OSDictionary, obj))) {
+        *service = IOService::copyMatchingService( dict );
+	kr = *service ? kIOReturnSuccess : kIOReturnNotFound;
+    } else
+	kr = kIOReturnBadArgument;
+
+    if( obj)
+        obj->release();
+
+    return( kr );
+}
+
+/* Routine io_service_get_matching_service */
+kern_return_t is_io_service_get_matching_service(
+	mach_port_t master_port,
+	io_string_t matching,
+	io_service_t *service )
+{
+    return (kIOReturnUnsupported);
+}
+
+/* Routine io_service_get_matching_services_ool */
+kern_return_t is_io_service_get_matching_service_ool(
+	mach_port_t master_port,
+	io_buf_ptr_t matching,
+	mach_msg_type_number_t matchingCnt,
+	kern_return_t *result,
+	io_object_t *service )
+{
+    kern_return_t	kr;
+    vm_offset_t 	data;
+    vm_map_offset_t	map_data;
+
+    kr = vm_map_copyout( kernel_map, &map_data, (vm_map_copy_t) matching );
+    data = CAST_DOWN(vm_offset_t, map_data);
+
+    if( KERN_SUCCESS == kr) {
+        // must return success after vm_map_copyout() succeeds
+        // and mig will copy out objects on success
+        *service = 0;
+	*result = internal_io_service_get_matching_service(master_port,
+			(const char *) data, matchingCnt, service );
+	vm_deallocate( kernel_map, data, matchingCnt );
+    }
+
+    return( kr );
+}
+
+/* Routine io_service_get_matching_service_bin */
+kern_return_t is_io_service_get_matching_service_bin(
+	mach_port_t master_port,
+	io_struct_inband_t matching,
+	mach_msg_type_number_t matchingCnt,
+	io_object_t *service)
+{
+    return (internal_io_service_get_matching_service(master_port, matching, matchingCnt, service));
 }
 
 static kern_return_t internal_io_service_add_notification(
 	mach_port_t master_port,
 	io_name_t notification_type,
-	io_string_t matching,
+	const char * matching,
+	size_t matching_size,
 	mach_port_t port,
 	void * reference,
 	vm_size_t referenceSize,
@@ -1491,18 +2326,20 @@
     IOReturn			err;
     unsigned long int		userMsgType;
 
-
     if( master_port != master_device_port)
         return( kIOReturnNotPrivileged);
 
     do {
         err = kIOReturnNoResources;
 
+        if (matching_size > (sizeof(io_struct_inband_t) * 1024)) return(kIOReturnMessageTooLarge);
+
         if( !(sym = OSSymbol::withCString( notification_type )))
 	    err = kIOReturnNoResources;
 
-        if( !(dict = OSDynamicCast( OSDictionary,
-                    OSUnserializeXML( matching )))) {
+	assert(matching_size);
+	dict = OSDynamicCast(OSDictionary, OSUnserializeXML(matching, matching_size));
+        if (!dict) {
             err = kIOReturnBadArgument;
 	    continue;
 	}
@@ -1513,7 +2350,8 @@
 	else if( (sym == gIOMatchedNotification)
 	      || (sym == gIOFirstMatchNotification))
 	    userMsgType = kIOServiceMatchedNotificationType;
-	else if( sym == gIOTerminatedNotification)
+	else if ((sym == gIOTerminatedNotification)
+	      || (sym == gIOWillTerminateNotification))
 	    userMsgType = kIOServiceTerminatedNotificationType;
 	else
 	    userMsgType = kLastIOKitNotificationType;
@@ -1528,10 +2366,9 @@
         if( !userNotify)
 	    continue;
 
-        notify = IOService::addNotification( sym, dict,
+        notify = IOService::addMatchingNotification( sym, dict,
                                              &userNotify->_handler, userNotify );
 	if( notify) {
-            dict = 0;
             *notification = userNotify;
 	    userNotify->setNotification( notify );
 	    err = kIOReturnSuccess;
@@ -1539,6 +2376,13 @@
 	    err = kIOReturnUnsupported;
 
     } while( false );
+
+    if ((kIOReturnSuccess != err) && userNotify)
+    {
+	userNotify->invalidatePort();
+	userNotify->release();
+	userNotify = 0;
+    }
 
     if( sym)
 	sym->release();
@@ -1559,9 +2403,7 @@
 	mach_msg_type_number_t referenceCnt,
 	io_object_t * notification )
 {
-    return (internal_io_service_add_notification(master_port, notification_type, 
-		matching, port, &reference[0], sizeof(io_async_ref_t),
-		false, notification));
+    return (kIOReturnUnsupported);
 }
 
 /* Routine io_service_add_notification_64 */
@@ -1574,11 +2416,42 @@
 	mach_msg_type_number_t referenceCnt,
 	io_object_t *notification )
 {
+    return (kIOReturnUnsupported);
+}
+
+/* Routine io_service_add_notification_bin */
+kern_return_t is_io_service_add_notification_bin
+(
+	mach_port_t master_port,
+	io_name_t notification_type,
+	io_struct_inband_t matching,
+	mach_msg_type_number_t matchingCnt,
+	mach_port_t wake_port,
+	io_async_ref_t reference,
+	mach_msg_type_number_t referenceCnt,
+	io_object_t *notification)
+{
     return (internal_io_service_add_notification(master_port, notification_type, 
-		matching, wake_port, &reference[0], sizeof(io_async_ref64_t),
+		matching, matchingCnt, wake_port, &reference[0], sizeof(io_async_ref_t),
+		false, notification));
+}
+
+/* Routine io_service_add_notification_bin_64 */
+kern_return_t is_io_service_add_notification_bin_64
+(
+	mach_port_t master_port,
+	io_name_t notification_type,
+	io_struct_inband_t matching,
+	mach_msg_type_number_t matchingCnt,
+	mach_port_t wake_port,
+	io_async_ref64_t reference,
+	mach_msg_type_number_t referenceCnt,
+	io_object_t *notification)
+{
+    return (internal_io_service_add_notification(master_port, notification_type, 
+		matching, matchingCnt, wake_port, &reference[0], sizeof(io_async_ref64_t),
 		true, notification));
 }
-
 
 static kern_return_t internal_io_service_add_notification_ool(
 	mach_port_t master_port,
@@ -1601,8 +2474,10 @@
 
     if( KERN_SUCCESS == kr) {
         // must return success after vm_map_copyout() succeeds
+        // and mig will copy out objects on success
+        *notification = 0;
 	*result = internal_io_service_add_notification( master_port, notification_type,
-			(char *) data, wake_port, reference, referenceSize, client64, notification );
+			(char *) data, matchingCnt, wake_port, reference, referenceSize, client64, notification );
 	vm_deallocate( kernel_map, data, matchingCnt );
     }
 
@@ -1649,6 +2524,7 @@
 	io_name_t notification_type,
 	io_string_t matching,
 	mach_port_t port,
+	// for binary compatibility reasons, this must be natural_t for ILP32
 	natural_t ref,
 	io_object_t * notification )
 {
@@ -1702,6 +2578,13 @@
 
     } while( false );
 
+    if ((kIOReturnSuccess != err) && userNotify)
+    {
+	userNotify->invalidatePort();
+	userNotify->release();
+	userNotify = 0;
+    }
+
     return( err );
 }
 
@@ -1740,7 +2623,7 @@
 {
     CHECK( IOService, _service, service );
 
-    return( service->acknowledgeNotification( (IONotificationRef) notify_ref,
+    return( service->acknowledgeNotification( (IONotificationRef)(uintptr_t) notify_ref,
                                               (IOOptionBits) response ));
     
 }
@@ -1753,6 +2636,7 @@
 {
     CHECK( IOUserClient, connection, client );
 
+    IOStatisticsClientCall();
     return( client->getNotificationSemaphore( (UInt32) notification_type,
                                               semaphore ));
 }
@@ -1785,8 +2669,9 @@
     if( master_port != master_device_port)
         return( kIOReturnNotPrivileged);
 
-    *iterator = IORegistryIterator::iterateOver(
-	IORegistryEntry::getPlane( plane ), options );
+    *iterator = IOUserIterator::withIterator(
+	IORegistryIterator::iterateOver(
+		IORegistryEntry::getPlane( plane ), options ));
 
     return( *iterator ? kIOReturnSuccess : kIOReturnBadArgument );
 }
@@ -1800,8 +2685,9 @@
 {
     CHECK( IORegistryEntry, registry_entry, entry );
 
-    *iterator = IORegistryIterator::iterateOver( entry,
-	IORegistryEntry::getPlane( plane ), options );
+    *iterator = IOUserIterator::withIterator(
+	IORegistryIterator::iterateOver( entry,
+		IORegistryEntry::getPlane( plane ), options ));
 
     return( *iterator ? kIOReturnSuccess : kIOReturnBadArgument );
 }
@@ -1810,9 +2696,11 @@
 kern_return_t is_io_registry_iterator_enter_entry(
 	io_object_t iterator )
 {
-    CHECK( IORegistryIterator, iterator, iter );
-
+    CHECKLOCKED( IORegistryIterator, iterator, iter );
+
+    IOLockLock(oIter->lock);
     iter->enterEntry();
+    IOLockUnlock(oIter->lock);
 
     return( kIOReturnSuccess );
 }
@@ -1823,9 +2711,11 @@
 {
     bool	didIt;
 
-    CHECK( IORegistryIterator, iterator, iter );
-
+    CHECKLOCKED( IORegistryIterator, iterator, iter );
+
+    IOLockLock(oIter->lock);
     didIt = iter->exitEntry();
+    IOLockUnlock(oIter->lock);
 
     return( didIt ? kIOReturnSuccess : kIOReturnNoDevice );
 }
@@ -1848,6 +2738,58 @@
     return( kIOReturnSuccess );
 }
 
+
+/* Routine io_registry_entry_from_path */
+kern_return_t is_io_registry_entry_from_path_ool(
+	mach_port_t master_port,
+	io_string_inband_t path,
+	io_buf_ptr_t path_ool,
+	mach_msg_type_number_t path_oolCnt,
+	kern_return_t *result,
+	io_object_t *registry_entry)
+{
+    IORegistryEntry *	entry;
+    vm_map_offset_t	map_data;
+    const char * 	cpath;
+    IOReturn            res;
+    kern_return_t       err;
+
+    if (master_port != master_device_port) return(kIOReturnNotPrivileged);
+
+    map_data = 0;
+    entry    = 0;
+    res = err = KERN_SUCCESS;
+    if (path[0]) cpath = path;
+    else
+    {
+	if (!path_oolCnt)                                      return(kIOReturnBadArgument);
+	if (path_oolCnt > (sizeof(io_struct_inband_t) * 1024)) return(kIOReturnMessageTooLarge);
+
+	err = vm_map_copyout(kernel_map, &map_data, (vm_map_copy_t) path_ool);
+	if (KERN_SUCCESS == err)
+	{
+	    // must return success to mig after vm_map_copyout() succeeds, so result is actual
+	    cpath = CAST_DOWN(const char *, map_data);
+	    if (cpath[path_oolCnt - 1]) res = kIOReturnBadArgument;
+	}
+    }
+
+    if ((KERN_SUCCESS == err) && (KERN_SUCCESS == res))
+    {
+	entry = IORegistryEntry::fromPath(cpath);
+	res = entry ? kIOReturnSuccess : kIOReturnNotFound;
+    }
+
+    if (map_data) vm_deallocate(kernel_map, map_data, path_oolCnt);
+
+    if (KERN_SUCCESS != err) res = err;
+    *registry_entry = entry;
+    *result = res;
+
+    return (err);
+}
+
+
 /* Routine io_registry_entry_in_plane */
 kern_return_t is_io_registry_entry_in_plane(
 	io_object_t registry_entry,
@@ -1878,6 +2820,42 @@
 	return( kIOReturnBadArgument );
 }
 
+/* Routine io_registry_entry_get_path */
+kern_return_t is_io_registry_entry_get_path_ool(
+	io_object_t registry_entry,
+	io_name_t plane,
+	io_string_inband_t path,
+	io_buf_ptr_t *path_ool,
+	mach_msg_type_number_t *path_oolCnt)
+{
+    enum   { kMaxPath = 16384 };
+    IOReturn err;
+    int      length;
+    char   * buf;
+
+    CHECK( IORegistryEntry, registry_entry, entry );
+
+    *path_ool    = NULL;
+    *path_oolCnt = 0;
+    length = sizeof(io_string_inband_t);
+    if (entry->getPath(path, &length, IORegistryEntry::getPlane(plane))) err = kIOReturnSuccess;
+    else
+    {
+	length = kMaxPath;
+	buf = IONew(char, length);
+	if (!buf) err = kIOReturnNoMemory;
+	else if (!entry->getPath(buf, &length, IORegistryEntry::getPlane(plane))) err = kIOReturnError;
+	else
+	{
+	    *path_oolCnt = length;
+	    err = copyoutkdata(buf, length, path_ool);
+	}
+	if (buf) IODelete(buf, char, kMaxPath);
+    }
+
+    return (err);
+}
+
 
 /* Routine io_registry_entry_get_name */
 kern_return_t is_io_registry_entry_get_name(
@@ -1933,23 +2911,16 @@
         return( kIOReturnNotFound );
 }
 
-// Create a vm_map_copy_t or kalloc'ed data for memory
-// to be copied out. ipc will free after the copyout.
-
-static kern_return_t copyoutkdata( void * data, vm_size_t len,
-                                    io_buf_ptr_t * buf )
-{
-    kern_return_t	err;
-    vm_map_copy_t	copy;
-
-    err = vm_map_copyin( kernel_map, CAST_USER_ADDR_T(data), len,
-                    false /* src_destroy */, &copy);
-
-    assert( err == KERN_SUCCESS );
-    if( err == KERN_SUCCESS )
-        *buf = (char *) copy;
-
-    return( err );
+/* Routine io_registry_entry_get_registry_entry_id */
+kern_return_t is_io_registry_entry_get_registry_entry_id(
+	io_object_t registry_entry,
+	uint64_t *entry_id )
+{
+    CHECK( IORegistryEntry, registry_entry, entry );
+
+    *entry_id = entry->getRegistryEntryID();
+
+    return (kIOReturnSuccess);
 }
 
 /* Routine io_registry_entry_get_property */
@@ -1971,6 +2942,11 @@
 
     CHECK( IORegistryEntry, registry_entry, entry );
 
+#if CONFIG_MACF
+    if (0 != mac_iokit_check_get_property(kauth_cred_get(), entry, property_name))
+        return kIOReturnNotPermitted;
+#endif
+
     obj = entry->copyProperty(property_name);
     if( !obj)
         return( kIOReturnNoResources );
@@ -1980,6 +2956,7 @@
     if( (data = OSDynamicCast( OSData, obj ))) {
 	len = data->getLength();
 	bytes = data->getBytesNoCopy();
+	if (!data->isSerializable()) len = 0;
 
     } else if( (str = OSDynamicCast( OSString, obj ))) {
 	len = str->getLength() + 1;
@@ -1992,6 +2969,7 @@
     } else if( (off = OSDynamicCast( OSNumber, obj ))) {
 	offsetBytes = off->unsigned64BitValue();
 	len = off->numberOfBytes();
+	if (len > sizeof(offsetBytes)) len = sizeof(offsetBytes);
 	bytes = &offsetBytes;
 #ifdef __BIG_ENDIAN__
 	bytes = (const void *)
@@ -2028,6 +3006,11 @@
 
     CHECK( IORegistryEntry, registry_entry, entry );
 
+#if CONFIG_MACF
+    if (0 != mac_iokit_check_get_property(kauth_cred_get(), entry, property_name))
+        return kIOReturnNotPermitted;
+#endif
+
     obj = entry->copyProperty(property_name);
     if( !obj)
         return( kIOReturnNotFound );
@@ -2037,7 +3020,6 @@
         obj->release();
 	return( kIOReturnNoMemory );
     }
-    s->clearText();
 
     if( obj->serialize( s )) {
         len = s->getLength();
@@ -2068,8 +3050,13 @@
 
     CHECK( IORegistryEntry, registry_entry, entry );
 
+#if CONFIG_MACF
+    if (0 != mac_iokit_check_get_property(kauth_cred_get(), entry, property_name))
+        return kIOReturnNotPermitted;
+#endif
+
     obj = entry->copyProperty( property_name,
-                               IORegistryEntry::getPlane( plane ), options);
+                               IORegistryEntry::getPlane( plane ), options );
     if( !obj)
         return( kIOReturnNotFound );
 
@@ -2078,8 +3065,6 @@
         obj->release();
 	return( kIOReturnNoMemory );
     }
-
-    s->clearText();
 
     if( obj->serialize( s )) {
         len = s->getLength();
@@ -2101,29 +3086,147 @@
 	io_buf_ptr_t *properties,
 	mach_msg_type_number_t *propertiesCnt )
 {
+    return (kIOReturnUnsupported);
+}
+
+#if CONFIG_MACF
+
+struct GetPropertiesEditorRef
+{
+    kauth_cred_t      cred;
+    IORegistryEntry * entry;
+    OSCollection    * root;
+};
+
+static const OSMetaClassBase *
+GetPropertiesEditor(void                  * reference,
+					OSSerialize           * s, 
+					OSCollection          * container, 
+					const OSSymbol        * name,
+					const OSMetaClassBase * value)
+{
+    GetPropertiesEditorRef * ref = (typeof(ref)) reference;
+
+    if (!ref->root) ref->root = container;
+    if (ref->root == container)
+    {
+        if (0 != mac_iokit_check_get_property(ref->cred, ref->entry, name->getCStringNoCopy()))
+        {
+                value = 0;
+        }
+    }
+    if (value) value->retain();
+    return (value);
+}
+
+#endif /* CONFIG_MACF */
+
+/* Routine io_registry_entry_get_properties */
+kern_return_t is_io_registry_entry_get_properties_bin(
+	io_object_t registry_entry,
+	io_buf_ptr_t *properties,
+	mach_msg_type_number_t *propertiesCnt)
+{
+    kern_return_t	       err = kIOReturnSuccess;
+    vm_size_t 		       len;
+    OSSerialize          * s;
+    OSSerialize::Editor    editor = 0;
+    void                 * editRef = 0;
+
+    CHECK(IORegistryEntry, registry_entry, entry);
+
+#if CONFIG_MACF
+    GetPropertiesEditorRef ref;
+    if (mac_iokit_check_filter_properties(kauth_cred_get(), entry))
+    {
+    	editor    = &GetPropertiesEditor;
+    	editRef   = &ref;
+    	ref.cred  = kauth_cred_get();
+    	ref.entry = entry;
+    	ref.root  = 0;
+    }
+#endif
+
+    s = OSSerialize::binaryWithCapacity(4096, editor, editRef);
+    if (!s) return (kIOReturnNoMemory);
+
+    if (!entry->serializeProperties(s)) err = kIOReturnUnsupported;
+
+    if (kIOReturnSuccess == err)
+    {
+        len = s->getLength();
+        *propertiesCnt = len;
+        err = copyoutkdata(s->text(), len, properties);
+    }
+    s->release();
+
+    return (err);
+}
+
+/* Routine io_registry_entry_get_property_bin */
+kern_return_t is_io_registry_entry_get_property_bin(
+	io_object_t registry_entry,
+	io_name_t plane,
+	io_name_t property_name,
+	uint32_t options,
+	io_buf_ptr_t *properties,
+	mach_msg_type_number_t *propertiesCnt )
+{
     kern_return_t	err;
     vm_size_t 		len;
+    OSObject *		obj;
+    const OSSymbol *    sym;
 
     CHECK( IORegistryEntry, registry_entry, entry );
 
-    OSSerialize * s = OSSerialize::withCapacity(4096);
-    if( !s)
+#if CONFIG_MACF
+    if (0 != mac_iokit_check_get_property(kauth_cred_get(), entry, property_name))
+        return kIOReturnNotPermitted;
+#endif
+
+    sym = OSSymbol::withCString(property_name);
+    if (!sym) return (kIOReturnNoMemory);
+
+    if (gIORegistryEntryPropertyKeysKey == sym)
+    {
+        obj = entry->copyPropertyKeys();
+    }
+    else
+    {
+        if ((kIORegistryIterateRecursively & options) && plane[0])
+        {
+            obj = entry->copyProperty(property_name,
+                                      IORegistryEntry::getPlane(plane), options );
+        }
+        else
+        {
+            obj = entry->copyProperty(property_name);
+        }
+        if (obj && gIORemoveOnReadProperties->containsObject(sym)) entry->removeProperty(sym);
+    }
+
+    sym->release();
+    if (!obj) return (kIOReturnNotFound);
+
+    OSSerialize * s = OSSerialize::binaryWithCapacity(4096);
+    if( !s) {
+        obj->release();
 	return( kIOReturnNoMemory );
-
-    s->clearText();
-
-    if( entry->serializeProperties( s )) {
+    }
+
+    if( obj->serialize( s )) {
         len = s->getLength();
         *propertiesCnt = len;
         err = copyoutkdata( s->text(), len, properties );
 
-    } else
-        err = kIOReturnUnsupported;
+    } else err = kIOReturnUnsupported; 
 
     s->release();
+    obj->release();
 
     return( err );
 }
+
 
 /* Routine io_registry_entry_set_properties */
 kern_return_t is_io_registry_entry_set_properties
@@ -2141,20 +3244,39 @@
 
     CHECK( IORegistryEntry, registry_entry, entry );
 
+    if( propertiesCnt > sizeof(io_struct_inband_t) * 1024)
+        return( kIOReturnMessageTooLarge);
+
     err = vm_map_copyout( kernel_map, &map_data, (vm_map_copy_t) properties );
     data = CAST_DOWN(vm_offset_t, map_data);
 
     if( KERN_SUCCESS == err) {
 
+        FAKE_STACK_FRAME(entry->getMetaClass());
+
         // must return success after vm_map_copyout() succeeds
-        obj = OSUnserializeXML( (const char *) data );
+        obj = OSUnserializeXML( (const char *) data, propertiesCnt );
 	vm_deallocate( kernel_map, data, propertiesCnt );
 
-        if( obj) {
-            res = entry->setProperties( obj );
-            obj->release();
-        } else
-            res = kIOReturnBadArgument;
+	if (!obj)
+	    res = kIOReturnBadArgument;
+#if CONFIG_MACF
+	else if (0 != mac_iokit_check_set_properties(kauth_cred_get(),
+	    registry_entry, obj))
+	{
+	    res = kIOReturnNotPermitted;
+	}
+#endif
+	else
+	{
+	    res = entry->setProperties( obj );
+	}
+
+	if (obj)
+	    obj->release();
+
+        FAKE_STACK_FRAME_END();
+
     } else
         res = err;
 
@@ -2171,7 +3293,7 @@
     CHECK( IORegistryEntry, registry_entry, entry );
 
     *iterator = entry->getChildIterator(
-	IORegistryEntry::getPlane( plane ));
+    IORegistryEntry::getPlane( plane ));
 
     return( kIOReturnSuccess );
 }
@@ -2205,11 +3327,15 @@
 /* Routine io_service_get_state */
 kern_return_t is_io_service_get_state(
 	io_object_t _service,
-	uint64_t *state )
+	uint64_t *state,
+	uint32_t *busy_state,
+	uint64_t *accumulated_busy_time )
 {
     CHECK( IOService, _service, service );
 
-    *state = service->getState();
+    *state                 = service->getState();
+    *busy_state            = service->getBusyState();
+    *accumulated_busy_time = service->getAccumulatedBusyTime();
 
     return( kIOReturnSuccess );
 }
@@ -2219,9 +3345,15 @@
 	io_object_t _service,
 	mach_timespec_t wait_time )
 {
+    uint64_t    timeoutNS;
+    
     CHECK( IOService, _service, service );
 
-    return( service->waitQuiet( &wait_time ));
+    timeoutNS = wait_time.tv_sec;
+    timeoutNS *= kSecondScale;
+    timeoutNS += wait_time.tv_nsec;
+    
+    return( service->waitQuiet(timeoutNS) );
 }
 
 /* Routine io_service_request_probe */
@@ -2234,28 +3366,33 @@
     return( service->requestProbe( options ));
 }
 
-
-/* Routine io_service_open */
-kern_return_t is_io_service_open(
+/* Routine io_service_get_authorization_id */
+kern_return_t is_io_service_get_authorization_id(
 	io_object_t _service,
-	task_t owningTask,
-	uint32_t connect_type,
-	io_object_t *connection )
-{
-    IOUserClient	*	client;
-    IOReturn 			err;
+	uint64_t *authorization_id )
+{
+    kern_return_t	   kr;
 
     CHECK( IOService, _service, service );
 
-    err = service->newUserClient( owningTask, (void *) owningTask,
-		connect_type, 0, &client );
-
-    if( err == kIOReturnSuccess) {
-	assert( OSDynamicCast(IOUserClient, client) );
-	*connection = client;
-    }
-
-    return( err);
+    kr = IOUserClient::clientHasPrivilege( (void *) current_task(),
+                                            kIOClientPrivilegeAdministrator );
+    if( kIOReturnSuccess != kr)
+        return( kr );
+
+    *authorization_id = service->getAuthorizationID();
+
+    return( kr );
+}
+
+/* Routine io_service_set_authorization_id */
+kern_return_t is_io_service_set_authorization_id(
+	io_object_t _service,
+	uint64_t authorization_id )
+{
+    CHECK( IOService, _service, service );
+
+    return( service->setAuthorizationID( authorization_id ) );
 }
 
 /* Routine io_service_open_ndr */
@@ -2278,13 +3415,21 @@
 
     CHECK( IOService, _service, service );
 
+    if (!owningTask)                  return (kIOReturnBadArgument);
+    assert(owningTask == current_task());
+    if (owningTask != current_task()) return (kIOReturnBadArgument);
+
     do
     {
-	if (properties)
+	if (properties) return (kIOReturnUnsupported);
+#if 0
 	{
 	    OSObject *	    obj;
 	    vm_offset_t     data;
 	    vm_map_offset_t map_data;
+
+	    if( propertiesCnt > sizeof(io_struct_inband_t))
+		return( kIOReturnMessageTooLarge);
 
 	    err = vm_map_copyout( kernel_map, &map_data, (vm_map_copy_t) properties );
 	    res = err;
@@ -2292,7 +3437,7 @@
 	    if (KERN_SUCCESS == err)
 	    {
 		// must return success after vm_map_copyout() succeeds
-		obj = OSUnserializeXML( (const char *) data );
+		obj = OSUnserializeXML( (const char *) data, propertiesCnt );
 		vm_deallocate( kernel_map, data, propertiesCnt );
 		propertiesDict = OSDynamicCast(OSDictionary, obj);
 		if (!propertiesDict)
@@ -2305,7 +3450,7 @@
 	    if (kIOReturnSuccess != res)
 		break;
 	}
-
+#endif
 	crossEndian = (ndr.int_rep != NDR_record.int_rep);
 	if (crossEndian)
 	{
@@ -2330,19 +3475,36 @@
 	{
 	    assert( OSDynamicCast(IOUserClient, client) );
 
+	    client->sharedInstance = (0 != client->getProperty(kIOUserClientSharedInstanceKey));
+	    client->closed = false;
+	    client->lock = IOLockAlloc();
+
 	    disallowAccess = (crossEndian
 		&& (kOSBooleanTrue != service->getProperty(kIOUserClientCrossEndianCompatibleKey))
 		&& (kOSBooleanTrue != client->getProperty(kIOUserClientCrossEndianCompatibleKey)));
-
-	    if (disallowAccess)
+            if (disallowAccess) res = kIOReturnUnsupported;
+#if CONFIG_MACF
+	    else if (0 != mac_iokit_check_open(kauth_cred_get(), client, connect_type))
+		res = kIOReturnNotPermitted;
+#endif
+
+	    if (kIOReturnSuccess == res) res = client->registerOwner(owningTask);
+
+	    if (kIOReturnSuccess != res)
 	    {
+		IOStatisticsClientCall();
 		client->clientClose();
 		client->release();
 		client = 0;
-		res = kIOReturnUnsupported;
 		break;
 	    }
-	    client->sharedInstance = (0 != client->getProperty(kIOUserClientSharedInstanceKey));
+	    OSString * creatorName = IOCopyLogNameForPID(proc_selfpid());
+	    if (creatorName)
+	    {
+		client->setProperty(kIOUserClientCreatorKey, creatorName);
+		creatorName->release();
+	    }
+	    client->setTerminateDefer(service, false);
 	}
     }
     while (false);
@@ -2363,7 +3525,19 @@
 
     CHECK( IOUserClient, connection, client );
 
-    client->clientClose();
+    IOStatisticsClientCall();
+
+    if (client->sharedInstance || OSCompareAndSwap8(0, 1, &client->closed)) 
+    {
+	IOLockLock(client->lock);
+	client->clientClose();
+	IOLockUnlock(client->lock);
+    }
+    else
+    {
+	IOLog("ignored is_io_service_close(0x%qx,%s)\n", 
+		client->getRegistryEntryID(), client->getName());
+    }
 
     return( kIOReturnSuccess );
 }
@@ -2393,10 +3567,15 @@
 	mach_port_t port,
 	uint32_t reference)
 {
+    kern_return_t ret;
     CHECK( IOUserClient, connection, client );
 
-    return( client->registerNotificationPort( port, notification_type,
-						reference ));
+    IOStatisticsClientCall();
+    IOLockLock(client->lock);
+    ret = client->registerNotificationPort( port, notification_type,
+						(io_user_reference_t) reference );
+    IOLockUnlock(client->lock);
+    return (ret);
 }
 
 /* Routine io_connect_set_notification_port */
@@ -2406,10 +3585,15 @@
 	mach_port_t port,
 	io_user_reference_t reference)
 {
+    kern_return_t ret;
     CHECK( IOUserClient, connection, client );
 
-    return( client->registerNotificationPort( port, notification_type,
-						reference ));
+    IOStatisticsClientCall();
+    IOLockLock(client->lock);
+    ret = client->registerNotificationPort( port, notification_type,
+						reference );
+    IOLockUnlock(client->lock);
+    return (ret);
 }
 
 /* Routine io_connect_map_memory_into_task */
@@ -2428,6 +3612,9 @@
 
     CHECK( IOUserClient, connection, client );
 
+    if (!into_task) return (kIOReturnBadArgument);
+
+    IOStatisticsClientCall();
     map = client->mapClientMemory64( memory_type, into_task, flags, *address );
 
     if( map) {
@@ -2442,7 +3629,7 @@
 	    mach_port_name_t name __unused =
 		IOMachPort::makeSendRightForTask(
                                     into_task, map, IKOT_IOKIT_OBJECT );
-            assert( name );
+	    map->release();
 
         } else {
             // keep it with the user client
@@ -2467,8 +3654,8 @@
 	io_object_t     connect,
 	uint32_t	type,
 	task_t		task,
-	vm_address_t *	mapAddr,
-	vm_size_t    *	mapSize,
+	uint32_t  *	mapAddr,
+	uint32_t  *	mapSize,
 	uint32_t	flags )
 {
     IOReturn	      err;
@@ -2485,6 +3672,8 @@
 
     return (err);
 }
+
+} /* extern "C" */
 
 IOMemoryMap * IOUserClient::removeMappingForDescriptor(IOMemoryDescriptor * mem)
 {
@@ -2513,6 +3702,8 @@
     return (map);
 }
 
+extern "C" {
+
 /* Routine io_connect_unmap_memory_from_task */
 kern_return_t is_io_connect_unmap_memory_from_task
 (
@@ -2523,11 +3714,14 @@
 {
     IOReturn		err;
     IOOptionBits	options = 0;
-    IOMemoryDescriptor * memory;
+    IOMemoryDescriptor * memory = 0;
     IOMemoryMap *	map;
 
     CHECK( IOUserClient, connection, client );
 
+    if (!from_task) return (kIOReturnBadArgument);
+
+    IOStatisticsClientCall();
     err = client->clientMemoryForType( (UInt32) memory_type, &options, &memory );
 
     if( memory && (kIOReturnSuccess == err)) {
@@ -2546,10 +3740,14 @@
 
 	    mach_port_name_t name = 0;
 	    if (from_task != current_task())
+	    {
 		name = IOMachPort::makeSendRightForTask( from_task, map, IKOT_IOKIT_OBJECT );
+		map->release();
+	    }
+
 	    if (name)
 	    {
-		map->unmap();
+		map->userClientUnmap();
 		err = iokit_mod_send_right( from_task, name, -2 );
 		err = kIOReturnSuccess;
 	    }
@@ -2569,7 +3767,7 @@
 	io_object_t     connect,
 	uint32_t	type,
 	task_t		task,
-	vm_address_t 	mapAddr )
+	uint32_t 	mapAddr )
 {
     IOReturn		err;
     mach_vm_address_t   address;
@@ -2590,6 +3788,7 @@
     CHECK( IOUserClient, connection, client );
     CHECK( IOUserClient, connect_to, to );
 
+    IOStatisticsClientCall();
     return( client->connectClient( to ) );
 }
 
@@ -2604,6 +3803,102 @@
     return( is_io_registry_entry_set_properties( connection, properties, propertiesCnt, result ));
 }
 
+/* Routine io_user_client_method */
+kern_return_t is_io_connect_method_var_output
+(
+	io_connect_t connection,
+	uint32_t selector,
+	io_scalar_inband64_t scalar_input,
+	mach_msg_type_number_t scalar_inputCnt,
+	io_struct_inband_t inband_input,
+	mach_msg_type_number_t inband_inputCnt,
+	mach_vm_address_t ool_input,
+	mach_vm_size_t ool_input_size,
+	io_struct_inband_t inband_output,
+	mach_msg_type_number_t *inband_outputCnt,
+	io_scalar_inband64_t scalar_output,
+	mach_msg_type_number_t *scalar_outputCnt,
+	io_buf_ptr_t *var_output,
+	mach_msg_type_number_t *var_outputCnt
+)
+{
+    CHECK( IOUserClient, connection, client );
+
+    IOExternalMethodArguments args;
+    IOReturn ret;
+    IOMemoryDescriptor * inputMD  = 0;
+    OSObject *           structureVariableOutputData = 0;
+
+    bzero(&args.__reserved[0], sizeof(args.__reserved));
+    args.__reservedA = 0;
+    args.version = kIOExternalMethodArgumentsCurrentVersion;
+
+    args.selector = selector;
+
+    args.asyncWakePort               = MACH_PORT_NULL;
+    args.asyncReference              = 0;
+    args.asyncReferenceCount         = 0;
+    args.structureVariableOutputData = &structureVariableOutputData;
+
+    args.scalarInput = scalar_input;
+    args.scalarInputCount = scalar_inputCnt;
+    args.structureInput = inband_input;
+    args.structureInputSize = inband_inputCnt;
+
+    if (ool_input && (ool_input_size <= sizeof(io_struct_inband_t)))    return (kIOReturnIPCError);
+
+    if (ool_input)
+	inputMD = IOMemoryDescriptor::withAddressRange(ool_input, ool_input_size, 
+						    kIODirectionOut | kIOMemoryMapCopyOnWrite,
+						    current_task());
+
+    args.structureInputDescriptor = inputMD;
+
+    args.scalarOutput = scalar_output;
+    args.scalarOutputCount = *scalar_outputCnt;
+    bzero(&scalar_output[0], *scalar_outputCnt * sizeof(scalar_output[0]));
+    args.structureOutput = inband_output;
+    args.structureOutputSize = *inband_outputCnt;
+    args.structureOutputDescriptor = NULL;
+    args.structureOutputDescriptorSize = 0;
+
+    IOStatisticsClientCall();
+    ret = client->externalMethod( selector, &args );
+
+    *scalar_outputCnt = args.scalarOutputCount;
+    *inband_outputCnt = args.structureOutputSize;
+
+    if (var_outputCnt && var_output && (kIOReturnSuccess == ret))
+    {
+    	OSSerialize * serialize;
+    	OSData      * data;
+	vm_size_t     len;
+
+	if ((serialize = OSDynamicCast(OSSerialize, structureVariableOutputData)))
+	{
+	    len = serialize->getLength();
+	    *var_outputCnt = len;
+	    ret = copyoutkdata(serialize->text(), len, var_output);
+	}
+	else if ((data = OSDynamicCast(OSData, structureVariableOutputData)))
+	{
+	    len = data->getLength();
+	    *var_outputCnt = len;
+	    ret = copyoutkdata(data->getBytesNoCopy(), len, var_output);
+	}
+	else
+	{
+	    ret = kIOReturnUnderrun;
+	}
+    }
+
+    if (inputMD)
+	inputMD->release();
+    if (structureVariableOutputData)
+    	structureVariableOutputData->release();
+
+    return (ret);
+}
 
 /* Routine io_user_client_method */
 kern_return_t is_io_connect_method
@@ -2616,12 +3911,12 @@
 	mach_msg_type_number_t inband_inputCnt,
 	mach_vm_address_t ool_input,
 	mach_vm_size_t ool_input_size,
+	io_struct_inband_t inband_output,
+	mach_msg_type_number_t *inband_outputCnt,
 	io_scalar_inband64_t scalar_output,
 	mach_msg_type_number_t *scalar_outputCnt,
-	io_struct_inband_t inband_output,
-	mach_msg_type_number_t *inband_outputCnt,
 	mach_vm_address_t ool_output,
-	mach_vm_size_t * ool_output_size
+	mach_vm_size_t *ool_output_size
 )
 {
     CHECK( IOUserClient, connection, client );
@@ -2632,39 +3927,47 @@
     IOMemoryDescriptor * outputMD = 0;
 
     bzero(&args.__reserved[0], sizeof(args.__reserved));
+    args.__reservedA = 0;
     args.version = kIOExternalMethodArgumentsCurrentVersion;
 
     args.selector = selector;
 
-    args.asyncWakePort       = MACH_PORT_NULL;
-    args.asyncReference      = 0;
-    args.asyncReferenceCount = 0;
+    args.asyncWakePort               = MACH_PORT_NULL;
+    args.asyncReference              = 0;
+    args.asyncReferenceCount         = 0;
+    args.structureVariableOutputData = 0;
 
     args.scalarInput = scalar_input;
     args.scalarInputCount = scalar_inputCnt;
     args.structureInput = inband_input;
     args.structureInputSize = inband_inputCnt;
 
+    if (ool_input && (ool_input_size <= sizeof(io_struct_inband_t)))    return (kIOReturnIPCError);
+    if (ool_output && (*ool_output_size <= sizeof(io_struct_inband_t))) return (kIOReturnIPCError);
+
     if (ool_input)
 	inputMD = IOMemoryDescriptor::withAddressRange(ool_input, ool_input_size, 
-						    kIODirectionOut, current_task());
+						    kIODirectionOut | kIOMemoryMapCopyOnWrite,
+						    current_task());
 
     args.structureInputDescriptor = inputMD;
 
     args.scalarOutput = scalar_output;
     args.scalarOutputCount = *scalar_outputCnt;
+    bzero(&scalar_output[0], *scalar_outputCnt * sizeof(scalar_output[0]));
     args.structureOutput = inband_output;
     args.structureOutputSize = *inband_outputCnt;
 
-    if (ool_output)
+    if (ool_output && ool_output_size)
     {
 	outputMD = IOMemoryDescriptor::withAddressRange(ool_output, *ool_output_size, 
 						    kIODirectionIn, current_task());
     }
 
     args.structureOutputDescriptor = outputMD;
-    args.structureOutputDescriptorSize = *ool_output_size;
-
+    args.structureOutputDescriptorSize = ool_output_size ? *ool_output_size : 0;
+
+    IOStatisticsClientCall();
     ret = client->externalMethod( selector, &args );
 
     *scalar_outputCnt = args.scalarOutputCount;
@@ -2693,10 +3996,10 @@
 	mach_msg_type_number_t inband_inputCnt,
 	mach_vm_address_t ool_input,
 	mach_vm_size_t ool_input_size,
+	io_struct_inband_t inband_output,
+	mach_msg_type_number_t *inband_outputCnt,
 	io_scalar_inband64_t scalar_output,
 	mach_msg_type_number_t *scalar_outputCnt,
-	io_struct_inband_t inband_output,
-	mach_msg_type_number_t *inband_outputCnt,
 	mach_vm_address_t ool_output,
 	mach_vm_size_t * ool_output_size
 )
@@ -2709,6 +4012,7 @@
     IOMemoryDescriptor * outputMD = 0;
 
     bzero(&args.__reserved[0], sizeof(args.__reserved));
+    args.__reservedA = 0;
     args.version = kIOExternalMethodArgumentsCurrentVersion;
 
     reference[0]	     = (io_user_reference_t) wake_port;
@@ -2720,20 +4024,27 @@
     args.asyncWakePort       = wake_port;
     args.asyncReference      = reference;
     args.asyncReferenceCount = referenceCnt;
+
+    args.structureVariableOutputData = 0;
 
     args.scalarInput = scalar_input;
     args.scalarInputCount = scalar_inputCnt;
     args.structureInput = inband_input;
     args.structureInputSize = inband_inputCnt;
 
+    if (ool_input && (ool_input_size <= sizeof(io_struct_inband_t)))    return (kIOReturnIPCError);
+    if (ool_output && (*ool_output_size <= sizeof(io_struct_inband_t))) return (kIOReturnIPCError);
+
     if (ool_input)
 	inputMD = IOMemoryDescriptor::withAddressRange(ool_input, ool_input_size,
-						    kIODirectionOut, current_task());
+						    kIODirectionOut | kIOMemoryMapCopyOnWrite,
+						    current_task());
 
     args.structureInputDescriptor = inputMD;
 
     args.scalarOutput = scalar_output;
     args.scalarOutputCount = *scalar_outputCnt;
+    bzero(&scalar_output[0], *scalar_outputCnt * sizeof(scalar_output[0]));
     args.structureOutput = inband_output;
     args.structureOutputSize = *inband_outputCnt;
 
@@ -2746,6 +4057,7 @@
     args.structureOutputDescriptor = outputMD;
     args.structureOutputDescriptorSize = *ool_output_size;
 
+    IOStatisticsClientCall();
     ret = client->externalMethod( selector, &args );
 
     *inband_outputCnt = args.structureOutputSize;
@@ -2776,6 +4088,7 @@
     mach_msg_type_number_t struct_outputCnt = 0;
     mach_vm_size_t ool_output_size = 0;
 
+    bzero(&_output[0], sizeof(_output));
     for (i = 0; i < inputCount; i++)
 	_input[i] = SCALAR64(input[i]);
 	
@@ -2783,8 +4096,8 @@
 		    _input, inputCount, 
 		    NULL, 0,
 		    0, 0,
+		    NULL, &struct_outputCnt,
 		    _output, outputCount,
-		    NULL, &struct_outputCnt,
 		    0, &ool_output_size);
 
     for (i = 0; i < *outputCount; i++)
@@ -2806,16 +4119,19 @@
     IOReturn 		err;
     err = kIOReturnBadArgument;
 
+    bzero(&_output[0], sizeof(_output));
     do {
 
 	if( inputCount != method->count0)
 	{
-	    IOLog("%s: IOUserClient inputCount count mismatch\n", object->getName());
+	    IOLog("%s:%d %s: IOUserClient inputCount count mismatch 0x%llx 0x%llx\n", __FUNCTION__, __LINE__, object->getName(), (uint64_t)inputCount, (uint64_t)method->count0);
+	    DTRACE_IO2(iokit_count_mismatch, uint64_t, (uint64_t)inputCount, uint64_t, (uint64_t)method->count0);
 	    continue;
 	}
 	if( *outputCount != method->count1)
 	{
-	    IOLog("%s: IOUserClient outputCount count mismatch\n", object->getName());
+	    IOLog("%s:%d %s: IOUserClient outputCount count mismatch 0x%llx 0x%llx\n", __FUNCTION__, __LINE__, object->getName(), (uint64_t)*outputCount, (uint64_t)method->count1);
+	    DTRACE_IO2(iokit_count_mismatch, uint64_t, (uint64_t)*outputCount, uint64_t, (uint64_t)method->count1);
 	    continue;
 	}
 
@@ -2887,6 +4203,7 @@
     io_scalar_inband64_t _output;
     io_async_ref64_t _reference;
 
+    bzero(&_output[0], sizeof(_output));
     for (i = 0; i < referenceCnt; i++)
 	_reference[i] = REF64(reference[i]);
 
@@ -2902,8 +4219,8 @@
 		    _input, inputCount, 
 		    NULL, 0,
 		    0, 0,
+		    NULL, &struct_outputCnt,
 		    _output, outputCount,
-		    NULL, &struct_outputCnt,
 		    0, &ool_output_size);
 
     for (i = 0; i < *outputCount; i++)
@@ -2942,8 +4259,8 @@
 		    _input, inputCount, 
 		    NULL, 0,
 		    0, 0,
+		    output, outputCount,
 		    NULL, &scalar_outputCnt,
-		    output, outputCount,
 		    0, &ool_output_size));
 }
 
@@ -2979,8 +4296,8 @@
 		    _input, inputCount, 
 		    inputStruct, inputStructCount,
 		    0, 0,
+		    NULL, &inband_outputCnt,
 		    NULL, &scalar_outputCnt,
-		    NULL, &inband_outputCnt,
 		    0, &ool_output_size));
 }
 
@@ -3010,8 +4327,8 @@
 		    NULL, 0, 
 		    input, inputCount,
 		    0, 0,
+		    output, outputCount,
 		    NULL, &scalar_outputCnt,
-		    output, outputCount,
 		    0, &ool_output_size));
 }
 
@@ -3033,6 +4350,7 @@
     IOReturn 		err;
     io_async_ref_t	reference;
 
+    bzero(&_output[0], sizeof(_output));
     for (i = 0; i < asyncReferenceCount; i++)
 	reference[i] = REF32(asyncReference[i]);
 
@@ -3042,12 +4360,14 @@
 
 	if( inputCount != method->count0)
 	{
-	    IOLog("%s: IOUserClient inputCount count mismatch\n", object->getName());
+	    IOLog("%s:%d %s: IOUserClient inputCount count mismatch 0x%llx 0x%llx\n", __FUNCTION__, __LINE__, object->getName(), (uint64_t)inputCount, (uint64_t)method->count0);
+	    DTRACE_IO2(iokit_count_mismatch, uint64_t, (uint64_t)inputCount, uint64_t, (uint64_t)method->count0);
 	    continue;
 	}
 	if( *outputCount != method->count1)
 	{
-	    IOLog("%s: IOUserClient outputCount count mismatch\n", object->getName());
+	    IOLog("%s:%d %s: IOUserClient outputCount count mismatch 0x%llx 0x%llx\n", __FUNCTION__, __LINE__, object->getName(), (uint64_t)*outputCount, (uint64_t)method->count1);
+	    DTRACE_IO2(iokit_count_mismatch, uint64_t, (uint64_t)*outputCount, uint64_t, (uint64_t)method->count1);
 	    continue;
 	}
 
@@ -3130,8 +4450,8 @@
 		    _input, inputCount, 
 		    NULL, 0,
 		    0, 0,
+		    output, outputCount,
 		    NULL, &scalar_outputCnt,
-		    output, outputCount,
 		    0, &ool_output_size));
 }
 
@@ -3142,7 +4462,7 @@
         const io_user_scalar_t * input,
         mach_msg_type_number_t	inputCount,
         io_struct_inband_t		output,
-        mach_msg_type_number_t *	outputCount )
+        IOByteCount *	outputCount )
 {
     IOMethod		func;
     IOReturn 		err;
@@ -3152,13 +4472,15 @@
     do {
 	if( inputCount != method->count0)
 	{
-	    IOLog("%s: IOUserClient inputCount count mismatch\n", object->getName());
+	    IOLog("%s:%d %s: IOUserClient inputCount count mismatch 0x%llx 0x%llx\n", __FUNCTION__, __LINE__, object->getName(), (uint64_t)inputCount, (uint64_t)method->count0);
+	    DTRACE_IO2(iokit_count_mismatch, uint64_t, (uint64_t)inputCount, uint64_t, (uint64_t)method->count0);
 	    continue;
 	}
 	if( (kIOUCVariableStructureSize != method->count1)
 		&& (*outputCount != method->count1))
 	{
-	    IOLog("%s: IOUserClient outputCount count mismatch\n", object->getName());
+	    IOLog("%s:%d %s: IOUserClient outputCount count mismatch 0x%llx 0x%llx 0x%llx\n", __FUNCTION__, __LINE__, object->getName(), (uint64_t)*outputCount, (uint64_t)method->count1, (uint64_t)kIOUCVariableStructureSize);
+	    DTRACE_IO2(iokit_count_mismatch, uint64_t, (uint64_t)*outputCount, uint64_t, (uint64_t)method->count1);
 	    continue;
 	}
 
@@ -3225,13 +4547,15 @@
     do {
 	if( inputCount != method->count0)
 	{
-	    IOLog("%s: IOUserClient inputCount count mismatch\n", object->getName());
+	    IOLog("%s:%d %s: IOUserClient inputCount count mismatch 0x%llx 0x%llx\n", __FUNCTION__, __LINE__, object->getName(), (uint64_t)inputCount, (uint64_t)method->count0);
+	    DTRACE_IO2(iokit_count_mismatch, uint64_t, (uint64_t)inputCount, uint64_t, (uint64_t)method->count0);
 	    continue;
 	}
 	if( (kIOUCVariableStructureSize != method->count1)
 		&& (*outputCount != method->count1))
 	{
-	    IOLog("%s: IOUserClient outputCount count mismatch\n", object->getName());
+	    IOLog("%s:%d %s: IOUserClient outputCount count mismatch 0x%llx 0x%llx 0x%llx\n", __FUNCTION__, __LINE__, object->getName(), (uint64_t)*outputCount, (uint64_t)method->count1, (uint64_t)kIOUCVariableStructureSize);
+	    DTRACE_IO2(iokit_count_mismatch, uint64_t, (uint64_t)*outputCount, uint64_t, (uint64_t)method->count1);
 	    continue;
 	}
 
@@ -3303,8 +4627,8 @@
 		    _input, inputCount, 
 		    inputStruct, inputStructCount,
 		    0, 0,
+		    NULL, &inband_outputCnt,
 		    NULL, &scalar_outputCnt,
-		    NULL, &inband_outputCnt,
 		    0, &ool_output_size));
 }
 
@@ -3321,16 +4645,17 @@
 
     do
     {
-	if( (kIOUCVariableStructureSize != method->count0)
-		&& (inputCount != method->count0))
+	if (inputCount != method->count0)
 	{
-	    IOLog("%s: IOUserClient inputCount count mismatch\n", object->getName());
+	    IOLog("%s:%d %s: IOUserClient inputCount count mismatch 0x%llx 0x%llx\n", __FUNCTION__, __LINE__, object->getName(), (uint64_t)inputCount, (uint64_t)method->count0);
+	    DTRACE_IO2(iokit_count_mismatch, uint64_t, (uint64_t)inputCount, uint64_t, (uint64_t)method->count0);
 	    continue;
 	}
 	if( (kIOUCVariableStructureSize != method->count1)
 		&& (inputStructCount != method->count1))
 	{
-	    IOLog("%s: IOUserClient outputCount count mismatch\n", object->getName());
+	    IOLog("%s:%d %s: IOUserClient outputCount count mismatch 0x%llx 0x%llx 0x%llx\n", __FUNCTION__, __LINE__, object->getName(), (uint64_t)inputStructCount, (uint64_t)method->count1, (uint64_t)kIOUCVariableStructureSize);
+	    DTRACE_IO2(iokit_count_mismatch, uint64_t, (uint64_t)inputStructCount, uint64_t, (uint64_t)method->count1);
 	    continue;
 	}
 
@@ -3346,25 +4671,25 @@
 	    case 4:
 		err = (object->*func)( ARG32(input[0]), ARG32(input[1]), (void *)  input[2],
 					ARG32(input[3]),
-					inputStruct, (void *)inputStructCount );
+					inputStruct, (void *)(uintptr_t)inputStructCount );
 		break;
 	    case 3:
 		err = (object->*func)( ARG32(input[0]), ARG32(input[1]), ARG32(input[2]),
-					inputStruct, (void *)inputStructCount,
+					inputStruct, (void *)(uintptr_t)inputStructCount,
 					0 );
 		break;
 	    case 2:
 		err = (object->*func)( ARG32(input[0]), ARG32(input[1]),
-					inputStruct, (void *)inputStructCount,
+					inputStruct, (void *)(uintptr_t)inputStructCount,
 					0, 0 );
 		break;
 	    case 1:
 		err = (object->*func)( ARG32(input[0]),
-					inputStruct, (void *)inputStructCount,
+					inputStruct, (void *)(uintptr_t)inputStructCount,
 					0, 0, 0 );
 		break;
 	    case 0:
-		err = (object->*func)( inputStruct, (void *)inputStructCount,
+		err = (object->*func)( inputStruct, (void *)(uintptr_t)inputStructCount,
 					0, 0, 0, 0 );
 		break;
 
@@ -3398,16 +4723,17 @@
 
     do
     {
-	if( (kIOUCVariableStructureSize != method->count0)
-		&& (inputCount != method->count0))
+	if (inputCount != method->count0)
 	{
-	    IOLog("%s: IOUserClient inputCount count mismatch\n", object->getName());
+	    IOLog("%s:%d %s: IOUserClient inputCount count mismatch 0x%llx 0x%llx\n", __FUNCTION__, __LINE__, object->getName(), (uint64_t)inputCount, (uint64_t)method->count0);
+	    DTRACE_IO2(iokit_count_mismatch, uint64_t, (uint64_t)inputCount, uint64_t, (uint64_t)method->count0);
 	    continue;
 	}
 	if( (kIOUCVariableStructureSize != method->count1)
 		&& (inputStructCount != method->count1))
 	{
-	    IOLog("%s: IOUserClient outputCount count mismatch\n", object->getName());
+	    IOLog("%s:%d %s: IOUserClient outputCount count mismatch 0x%llx 0x%llx 0x%llx\n", __FUNCTION__, __LINE__, object->getName(), (uint64_t)inputStructCount, (uint64_t)method->count1, (uint64_t)kIOUCVariableStructureSize);
+	    DTRACE_IO2(iokit_count_mismatch, uint64_t, (uint64_t)inputStructCount, uint64_t, (uint64_t)method->count1);
 	    continue;
 	}
 
@@ -3425,29 +4751,29 @@
                 err = (object->*func)(	reference,
                                         ARG32(input[0]), ARG32(input[1]), ARG32(input[2]),
                                         ARG32(input[3]),
-                                        inputStruct, (void *)inputStructCount );
+                                        inputStruct, (void *)(uintptr_t)inputStructCount );
                 break;
             case 3:
                 err = (object->*func)(	reference,
                                         ARG32(input[0]), ARG32(input[1]), ARG32(input[2]),
-                                        inputStruct, (void *)inputStructCount,
+                                        inputStruct, (void *)(uintptr_t)inputStructCount,
                                         0 );
                 break;
             case 2:
                 err = (object->*func)(	reference,
                                         ARG32(input[0]), ARG32(input[1]),
-                                        inputStruct, (void *)inputStructCount,
+                                        inputStruct, (void *)(uintptr_t)inputStructCount,
                                         0, 0 );
                 break;
             case 1:
                 err = (object->*func)(	reference,
                                         ARG32(input[0]),
-                                        inputStruct, (void *)inputStructCount,
+                                        inputStruct, (void *)(uintptr_t)inputStructCount,
                                         0, 0, 0 );
                 break;
             case 0:
                 err = (object->*func)(	reference,
-                                        inputStruct, (void *)inputStructCount,
+                                        inputStruct, (void *)(uintptr_t)inputStructCount,
                                         0, 0, 0, 0 );
                 break;
 
@@ -3476,8 +4802,8 @@
 		    NULL, 0, 
 		    input, inputCount,
 		    0, 0,
+		    output, outputCount,
 		    NULL, &scalar_outputCnt,
-		    output, outputCount,
 		    0, &ool_output_size));
 }
 
@@ -3487,7 +4813,7 @@
         io_struct_inband_t		input,
         mach_msg_type_number_t	inputCount,
         io_struct_inband_t		output,
-        mach_msg_type_number_t *	outputCount )
+        IOByteCount *	outputCount )
 {
     IOMethod		func;
     IOReturn 		err = kIOReturnBadArgument;
@@ -3497,13 +4823,15 @@
 	if( (kIOUCVariableStructureSize != method->count0)
 		&& (inputCount != method->count0))
 	{
-	    IOLog("%s: IOUserClient inputCount count mismatch\n", object->getName());
+	    IOLog("%s:%d %s: IOUserClient inputCount count mismatch 0x%llx 0x%llx 0x%llx\n", __FUNCTION__, __LINE__, object->getName(), (uint64_t)inputCount, (uint64_t)method->count0, (uint64_t)kIOUCVariableStructureSize);
+	    DTRACE_IO2(iokit_count_mismatch, uint64_t, (uint64_t)inputCount, uint64_t, (uint64_t)method->count0);
 	    continue;
 	}
 	if( (kIOUCVariableStructureSize != method->count1)
 		&& (*outputCount != method->count1))
 	{
-	    IOLog("%s: IOUserClient outputCount count mismatch\n", object->getName());
+	    IOLog("%s:%d %s: IOUserClient outputCount count mismatch 0x%llx 0x%llx 0x%llx\n", __FUNCTION__, __LINE__, object->getName(), (uint64_t)*outputCount, (uint64_t)method->count1, (uint64_t)kIOUCVariableStructureSize);
+	    DTRACE_IO2(iokit_count_mismatch, uint64_t, (uint64_t)*outputCount, uint64_t, (uint64_t)method->count1);
 	    continue;
 	}
 
@@ -3512,12 +4840,12 @@
 	if( method->count1) {
 	    if( method->count0) {
 		err = (object->*func)( input, output,
-					(void *)inputCount, outputCount, 0, 0 );
+					(void *)(uintptr_t)inputCount, outputCount, 0, 0 );
 	    } else {
 		err = (object->*func)( output, outputCount, 0, 0, 0, 0 );
 	    }
 	} else {
-		err = (object->*func)( input, (void *)inputCount, 0, 0, 0, 0 );
+		err = (object->*func)( input, (void *)(uintptr_t)inputCount, 0, 0, 0, 0 );
 	}
     }
     while( false);
@@ -3551,13 +4879,15 @@
 	if( (kIOUCVariableStructureSize != method->count0)
 		&& (inputCount != method->count0))
 	{
-	    IOLog("%s: IOUserClient inputCount count mismatch\n", object->getName());
+	    IOLog("%s:%d %s: IOUserClient inputCount count mismatch 0x%llx 0x%llx 0x%llx\n", __FUNCTION__, __LINE__, object->getName(), (uint64_t)inputCount, (uint64_t)method->count0, (uint64_t)kIOUCVariableStructureSize);
+	    DTRACE_IO2(iokit_count_mismatch, uint64_t, (uint64_t)inputCount, uint64_t, (uint64_t)method->count0);
 	    continue;
 	}
 	if( (kIOUCVariableStructureSize != method->count1)
 		&& (*outputCount != method->count1))
 	{
-	    IOLog("%s: IOUserClient outputCount count mismatch\n", object->getName());
+	    IOLog("%s:%d %s: IOUserClient outputCount count mismatch 0x%llx 0x%llx 0x%llx\n", __FUNCTION__, __LINE__, object->getName(), (uint64_t)*outputCount, (uint64_t)method->count1, (uint64_t)kIOUCVariableStructureSize);
+	    DTRACE_IO2(iokit_count_mismatch, uint64_t, (uint64_t)*outputCount, uint64_t, (uint64_t)method->count1);
 	    continue;
 	}
 
@@ -3567,14 +4897,14 @@
             if( method->count0) {
                 err = (object->*func)( reference,
                                        input, output,
-                                        (void *)inputCount, outputCount, 0, 0 );
+                                        (void *)(uintptr_t)inputCount, outputCount, 0, 0 );
             } else {
                 err = (object->*func)( reference,
                                        output, outputCount, 0, 0, 0, 0 );
             }
         } else {
                 err = (object->*func)( reference,
-                                       input, (void *)inputCount, 0, 0, 0, 0 );
+                                       input, (void *)(uintptr_t)inputCount, 0, 0, 0, 0 );
         }
     }
     while( false);
@@ -3582,71 +4912,9 @@
     return( err);
 }
 
-/* Routine io_make_matching */
-kern_return_t is_io_make_matching(
-	mach_port_t	    master_port,
-	uint32_t	    type,
-	uint32_t		options,
-        io_struct_inband_t	input,
-        mach_msg_type_number_t	inputCount,
-	io_string_t	matching )
-{
-    OSSerialize * 	s;
-    IOReturn		err = kIOReturnSuccess;
-    OSDictionary *	dict;
-
-    if( master_port != master_device_port)
-        return( kIOReturnNotPrivileged);
-
-    switch( type) {
-
-	case kIOServiceMatching:
-            dict = IOService::serviceMatching( gIOServiceKey );
-	    break;
-
-	case kIOBSDNameMatching:
-	    dict = IOBSDNameMatching( (const char *) input );
-	    break;
-
-	case kIOOFPathMatching:
-	    dict = IOOFPathMatching( (const char *) input,
-                                    matching, sizeof( io_string_t));
-	    break;
-
-	default:
-	    dict = 0;
-    }
-
-    if( !dict)
-	return( kIOReturnUnsupported);
-
-    do {
-        s = OSSerialize::withCapacity(4096);
-        if( !s) {
-            err = kIOReturnNoMemory;
-	    continue;
-	}
-        s->clearText();
-        if( !dict->serialize( s )) {
-            err = kIOReturnUnsupported;
-	    continue;
-        }
-
-        if( s->getLength() > sizeof( io_string_t)) {
-            err = kIOReturnNoMemory;
-	    continue;
-        } else
-            strcpy( matching, s->text());
-    }
-    while( false);
-
-    if( s)
-	s->release();
-    if( dict)
-	dict->release();
-
-    return( err);
-}
+#if !NO_KEXTD
+bool gIOKextdClearedBusy = false;
+#endif
 
 /* Routine io_catalog_send_data */
 kern_return_t is_io_catalog_send_data(
@@ -3656,6 +4924,9 @@
         mach_msg_type_number_t 	inDataCount,
         kern_return_t *		result)
 {
+#if NO_KEXTD
+    return kIOReturnNotPrivileged;
+#else /* NO_KEXTD */
     OSObject * obj = 0;
     vm_offset_t data;
     kern_return_t kr = kIOReturnError;
@@ -3665,15 +4936,32 @@
     if( master_port != master_device_port)
         return kIOReturnNotPrivileged;
 
-    // FIXME: This is a hack. Should have own function for removeKernelLinker()
-    if( (flag != kIOCatalogRemoveKernelLinker && flag != kIOCatalogKextdFinishedLaunching) && ( !inData || !inDataCount) )
+    if( (flag != kIOCatalogRemoveKernelLinker && 
+            flag != kIOCatalogKextdActive &&
+            flag != kIOCatalogKextdFinishedLaunching) && 
+        ( !inData || !inDataCount) ) 
+    {
         return kIOReturnBadArgument;
+    }
+
+    if (!IOTaskHasEntitlement(current_task(), "com.apple.rootless.kext-management"))
+    {
+        OSString * taskName = IOCopyLogNameForPID(proc_selfpid());
+        IOLog("IOCatalogueSendData(%s): Not entitled\n", taskName ? taskName->getCStringNoCopy() : "");
+        OSSafeReleaseNULL(taskName);
+        // For now, fake success to not break applications relying on this function succeeding.
+        // See <rdar://problem/32554970> for more details.
+        return kIOReturnSuccess;
+    }
 
     if (inData) {
         vm_map_offset_t map_data;
 
+        if( inDataCount > sizeof(io_struct_inband_t) * 1024)
+            return( kIOReturnMessageTooLarge);
+
         kr = vm_map_copyout( kernel_map, &map_data, (vm_map_copy_t)inData);
-	data = CAST_DOWN(vm_offset_t, map_data);
+		data = CAST_DOWN(vm_offset_t, map_data);
 
         if( kr != KERN_SUCCESS)
             return kr;
@@ -3681,7 +4969,7 @@
         // must return success after vm_map_copyout() succeeds
 
         if( inDataCount ) {
-            obj = (OSObject *)OSUnserializeXML((const char *)data);
+            obj = (OSObject *)OSUnserializeXML((const char *)data, inDataCount);
             vm_deallocate( kernel_map, data, inDataCount );
             if( !obj) {
                 *result = kIOReturnNoMemory;
@@ -3691,6 +4979,23 @@
     }
 
     switch ( flag ) {
+        case kIOCatalogResetDrivers:
+        case kIOCatalogResetDriversNoMatch: {
+                OSArray * array;
+
+                array = OSDynamicCast(OSArray, obj);
+                if (array) {
+                   if ( !gIOCatalogue->resetAndAddDrivers(array,
+                        flag == kIOCatalogResetDrivers) ) {
+
+                        kr = kIOReturnError;
+                    }
+                } else {
+                    kr = kIOReturnBadArgument;
+                }
+            }
+            break;
+
         case kIOCatalogAddDrivers: 
         case kIOCatalogAddDriversNoMatch: {
                 OSArray * array;
@@ -3740,23 +5045,31 @@
             }
             break;
 
-        case kIOCatalogRemoveKernelLinker: {
-                if (gIOCatalogue->removeKernelLinker() != KERN_SUCCESS) {
-                    kr = kIOReturnError;
-                } else {
-                    kr = kIOReturnSuccess;
-                }
-            }
+        case kIOCatalogRemoveKernelLinker:
+            kr = KERN_NOT_SUPPORTED;
+            break;
+
+        case kIOCatalogKextdActive:
+#if !NO_KEXTD
+            IOServiceTrace(IOSERVICE_KEXTD_ALIVE, 0, 0, 0, 0);
+            OSKext::setKextdActive();
+
+           /* Dump all nonloaded startup extensions; kextd will now send them
+            * down on request.
+            */
+            OSKext::flushNonloadedKexts( /* flushPrelinkedKexts */ false);
+#endif
+            kr = kIOReturnSuccess;
             break;
 
         case kIOCatalogKextdFinishedLaunching: {
 #if !NO_KEXTD
-                static bool clearedBusy = false;
-                if (!clearedBusy) {
+                if (!gIOKextdClearedBusy) {
                     IOService * serviceRoot = IOService::getServiceRoot();
                     if (serviceRoot) {
+                        IOServiceTrace(IOSERVICE_KEXTD_READY, 0, 0, 0, 0);
                         serviceRoot->adjustBusy(-1);
-                        clearedBusy = true;
+                        gIOKextdClearedBusy = true;
                     }
                 }
 #endif
@@ -3770,9 +5083,10 @@
     }
 
     if (obj) obj->release();
-    
+
     *result = kr;
     return( KERN_SUCCESS);
+#endif /* NO_KEXTD */
 }
 
 /* Routine io_catalog_terminate */
@@ -3792,6 +5106,7 @@
         return( kr );
 
     switch ( flag ) {
+#if !defined(SECURE_KERNEL)
         case kIOCatalogServiceTerminate:
             OSIterator *	iter;
             IOService *		service;
@@ -3821,6 +5136,7 @@
             kr = gIOCatalogue->terminateDriversForModule(name,
                                         flag == kIOCatalogModuleUnload);
             break;
+#endif
 
         default:
             kr = kIOReturnBadArgument;
@@ -3849,8 +5165,6 @@
     if ( !s )
         return kIOReturnNoMemory;
 
-    s->clearText();
-
     kr = gIOCatalogue->serializeData(flag, s);
 
     if ( kr == kIOReturnSuccess ) {
@@ -3859,7 +5173,7 @@
         vm_size_t size;
 
         size = s->getLength();
-        kr = vm_allocate(kernel_map, &data, size, VM_FLAGS_ANYWHERE);
+        kr = vm_allocate_kernel(kernel_map, &data, size, VM_FLAGS_ANYWHERE, VM_KERN_MEMORY_IOKIT);
         if ( kr == kIOReturnSuccess ) {
             bcopy(s->text(), (void *)data, size);
             kr = vm_map_copyin(kernel_map, (vm_map_address_t)data,
@@ -3892,7 +5206,9 @@
     return kIOReturnSuccess;
 }
 
-/* Routine io_catalog_module_loaded */
+/* Routine io_catalog_module_loaded.
+ * Is invoked from IOKitLib's IOCatalogueModuleLoaded(). Doesn't seem to be used.
+ */
 kern_return_t is_io_catalog_module_loaded(
         mach_port_t		master_port,
         io_name_t               name)
@@ -3935,7 +5251,7 @@
     IOUserClient *userClient;
 
     if ((userClient = OSDynamicCast(IOUserClient,
-            iokit_lookup_connect_ref_current_task((OSObject *)(args->userClientRef))))) {
+            iokit_lookup_connect_ref_current_task((mach_port_name_t)(uintptr_t)args->userClientRef)))) {
         IOExternalTrap *trap;
         IOService *target = NULL;
 
@@ -3951,17 +5267,38 @@
             }
         }
 
-        userClient->release();
+	iokit_remove_connect_reference(userClient);
     }
 
     return result;
 }
+
+/* Routine io_device_tree_entry_exists_with_name */
+kern_return_t is_io_device_tree_entry_exists_with_name(
+	mach_port_t master_port,
+	io_name_t name,
+	boolean_t *exists )
+{
+	OSCollectionIterator *iter;
+
+	if (master_port != master_device_port)
+		return (kIOReturnNotPrivileged);
+
+	iter = IODTFindMatchingEntries(IORegistryEntry::getRegistryRoot(), kIODTRecursive, name);
+	*exists = iter && iter->getNextObject();
+	OSSafeReleaseNULL(iter);
+
+	return kIOReturnSuccess;
+}
+
+} /* extern "C" */
 
 IOReturn IOUserClient::externalMethod( uint32_t selector, IOExternalMethodArguments * args,
 					IOExternalMethodDispatch * dispatch, OSObject * target, void * reference )
 {
     IOReturn    err;
     IOService * object;
+    IOByteCount structureOutputSize;
 
     if (dispatch)
     {
@@ -4002,6 +5339,7 @@
 	return (err);
     }
 
+
     // pre-Leopard API's don't do ool structs
     if (args->structureInputDescriptor || args->structureOutputDescriptor)
     {
@@ -4009,12 +5347,20 @@
        return (err);
     }
 
+    structureOutputSize = args->structureOutputSize;
+
     if (args->asyncWakePort)
     {
 	IOExternalAsyncMethod *	method;
-
-	if( !(method = getAsyncTargetAndMethodForIndex(&object, selector)) )
+	object = 0;
+	if( !(method = getAsyncTargetAndMethodForIndex(&object, selector)) || !object )
 	    return (kIOReturnUnsupported);
+
+    if (kIOUCForegroundOnly & method->flags)
+    {
+	if (task_is_gpu_denied(current_task()))
+            return (kIOReturnNotPermitted);
+    }
 
 	switch (method->flags & kIOUCTypeMask)
 	{
@@ -4055,16 +5401,22 @@
     else
     {
 	IOExternalMethod *	method;
-
-	if( !(method = getTargetAndMethodForIndex(&object, selector)) )
+	object = 0;
+	if( !(method = getTargetAndMethodForIndex(&object, selector)) || !object )
 	    return (kIOReturnUnsupported);
+
+    if (kIOUCForegroundOnly & method->flags)
+    {
+	if (task_is_gpu_denied(current_task()))
+            return (kIOReturnNotPermitted);
+    }
 
 	switch (method->flags & kIOUCTypeMask)
 	{
 	    case kIOUCScalarIStructI:
 		err = shim_io_connect_method_scalarI_structureI( method, object,
 					args->scalarInput, args->scalarInputCount,
-					(char *)args->structureInput, args->structureInputSize );
+					(char *) args->structureInput, args->structureInputSize );
 		break;
 
 	    case kIOUCScalarIScalarO:
@@ -4076,14 +5428,14 @@
 	    case kIOUCScalarIStructO:
 		err = shim_io_connect_method_scalarI_structureO( method, object,
 					args->scalarInput, args->scalarInputCount,
-					(char *) args->structureOutput, &args->structureOutputSize );
+					(char *) args->structureOutput, &structureOutputSize );
 		break;
 
 
 	    case kIOUCStructIStructO:
 		err = shim_io_connect_method_structureI_structureO( method, object,
-					(char *)args->structureInput, args->structureInputSize,
-					(char *) args->structureOutput, &args->structureOutputSize );
+					(char *) args->structureInput, args->structureInputSize,
+					(char *) args->structureOutput, &structureOutputSize );
 		break;
 
 	    default:
@@ -4091,14 +5443,19 @@
 		break;
 	}
     }
+
+    args->structureOutputSize = structureOutputSize;
+
     return (err);
 }
 
-
-};	/* extern "C" */
-
+#if __LP64__
+OSMetaClassDefineReservedUnused(IOUserClient, 0);
+OSMetaClassDefineReservedUnused(IOUserClient, 1);
+#else
 OSMetaClassDefineReservedUsed(IOUserClient, 0);
-OSMetaClassDefineReservedUnused(IOUserClient, 1);
+OSMetaClassDefineReservedUsed(IOUserClient, 1);
+#endif
 OSMetaClassDefineReservedUnused(IOUserClient, 2);
 OSMetaClassDefineReservedUnused(IOUserClient, 3);
 OSMetaClassDefineReservedUnused(IOUserClient, 4);