Loading...
iokit/Kernel/IOUserClient.cpp xnu-344.32 xnu-792.22.5
--- xnu/xnu-344.32/iokit/Kernel/IOUserClient.cpp
+++ xnu/xnu-792.22.5/iokit/Kernel/IOUserClient.cpp
@@ -1,34 +1,34 @@
 /*
- * Copyright (c) 1998-2000 Apple Computer, Inc. All rights reserved.
+ * Copyright (c) 1998-2004 Apple Computer, Inc. All rights reserved.
  *
- * @APPLE_LICENSE_HEADER_START@
+ * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
  * 
- * The contents of this file constitute Original Code as defined in and
- * are subject to the Apple Public Source License Version 1.1 (the
- * "License").  You may not use this file except in compliance with the
- * License.  Please obtain a copy of the License at
- * http://www.apple.com/publicsource and read it before using this file.
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. The rights granted to you under the License
+ * may not be used to create, or enable the creation or redistribution of,
+ * unlawful or unlicensed copies of an Apple operating system, or to
+ * circumvent, violate, or enable the circumvention or violation of, any
+ * terms of an Apple operating system software license agreement.
  * 
- * This Original Code and all software distributed under the License are
- * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this file.
+ * 
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT.  Please see the
- * License for the specific language governing rights and limitations
- * under the License.
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
  * 
- * @APPLE_LICENSE_HEADER_END@
+ * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
  */
-/*
- * Copyright (c) 1998 Apple Computer, Inc.  All rights reserved. 
- *
- * HISTORY
- *
- * 14 Aug 98 sdouglas created.
- * 08 Dec 98 sdouglas cpp.
- */
+
 
 #include <IOKit/IOKitServer.h>
+#include <IOKit/IOKitKeysPrivate.h>
 #include <IOKit/IOUserClient.h>
 #include <IOKit/IOService.h>
 #include <IOKit/IORegistryEntry.h>
@@ -38,6 +38,8 @@
 
 #include <IOKit/assert.h>
 
+#include "IOServicePrivate.h"
+
 /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
 
 // definitions we should get from osfmk
@@ -59,6 +61,8 @@
 extern mach_port_name_t iokit_make_send_right( task_t task,
 				io_object_t obj, ipc_kobject_type_t type );
 
+extern kern_return_t iokit_mod_send_right( task_t task, mach_port_name_t name, mach_port_delta_t delta );
+
 extern io_object_t iokit_lookup_connect_ref(io_object_t clientRef, ipc_space_t task);
 
 extern io_object_t iokit_lookup_connect_ref_current_task(io_object_t clientRef);
@@ -68,6 +72,9 @@
 extern void iokit_retain_port( ipc_port_t port );
 extern void iokit_release_port( ipc_port_t port );
 
+extern kern_return_t iokit_switch_object_port( ipc_port_t port, io_object_t obj, ipc_kobject_type_t type );
+
+#include <mach/mach_traps.h>
 #include <vm/vm_map.h>
 
 } /* extern "C" */
@@ -84,6 +91,7 @@
     OSObject *	object;
     ipc_port_t	port;
     UInt32      mscount;
+    UInt8	holdDestroy;
 
     static IOMachPort * portForObject( OSObject * obj,
 				ipc_kobject_type_t type );
@@ -91,6 +99,8 @@
 				ipc_kobject_type_t type, mach_port_mscount_t * mscount );
     static void releasePortForObject( OSObject * obj,
 				ipc_kobject_type_t type );
+    static void setHoldDestroy( OSObject * obj, ipc_kobject_type_t type );
+
     static OSDictionary * dictForType( ipc_kobject_type_t type );
 
     static mach_port_name_t makeSendRightForTask( task_t task,
@@ -191,7 +201,7 @@
 		dict->removeObject( (const OSSymbol *) obj );
 	    else
 		*mscount = machPort->mscount;
-	}
+	} 
 	obj->release();
     }
 
@@ -204,22 +214,69 @@
 				ipc_kobject_type_t type )
 {
     OSDictionary *	dict;
+    IOMachPort *	machPort;
 
     IOTakeLock( gIOObjectPortLock);
 
     if( (dict = dictForType( type ))) {
         obj->retain();
-        dict->removeObject( (const OSSymbol *) obj );
+	machPort = (IOMachPort *) dict->getObject( (const OSSymbol *) obj );
+	if( machPort && !machPort->holdDestroy)
+            dict->removeObject( (const OSSymbol *) obj );
         obj->release();
     }
 
     IOUnlock( gIOObjectPortLock);
 }
 
+void IOMachPort::setHoldDestroy( OSObject * obj, ipc_kobject_type_t type )
+{
+    OSDictionary *	dict;
+    IOMachPort * 	machPort;
+
+    IOLockLock( gIOObjectPortLock );
+
+    if( (dict = dictForType( type ))) {
+        machPort = (IOMachPort *) dict->getObject( (const OSSymbol *) obj );
+        if( machPort)
+            machPort->holdDestroy = true;
+    }
+
+    IOLockUnlock( gIOObjectPortLock );
+}
+
 void IOUserClient::destroyUserReferences( OSObject * obj )
 {
     IOMachPort::releasePortForObject( obj, IKOT_IOKIT_OBJECT );
-    IOMachPort::releasePortForObject( obj, IKOT_IOKIT_CONNECT );
+
+    // panther, 3160200
+    // IOMachPort::releasePortForObject( obj, IKOT_IOKIT_CONNECT );
+
+    OSDictionary * dict;
+
+    IOTakeLock( gIOObjectPortLock);
+    obj->retain();
+
+    if( (dict = IOMachPort::dictForType( IKOT_IOKIT_CONNECT )))
+    {
+	IOMachPort * port;
+	port = (IOMachPort *) dict->getObject( (const OSSymbol *) obj );
+	if (port)
+	{
+	    IOUserClient * uc;
+	    if ((uc = OSDynamicCast(IOUserClient, obj)) && uc->mappings)
+	    {
+		dict->setObject((const OSSymbol *) uc->mappings, port);
+		iokit_switch_object_port(port->port, uc->mappings, IKOT_IOKIT_CONNECT);
+
+		uc->mappings->release();
+		uc->mappings = 0;
+	    }
+	    dict->removeObject( (const OSSymbol *) obj );
+	}
+    }
+    obj->release();
+    IOUnlock( gIOObjectPortLock);
 }
 
 mach_port_name_t IOMachPort::makeSendRightForTask( task_t task,
@@ -237,6 +294,26 @@
 
 /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
 
+class IOUserNotification : public OSIterator
+{
+    OSDeclareDefaultStructors(IOUserNotification)
+
+    IONotifier 	* 	holdNotify;
+    IOLock 	*	lock;
+
+public:
+
+    virtual bool init( void );
+    virtual void free();
+
+    virtual void setNotification( IONotifier * obj );
+
+    virtual void reset();
+    virtual bool isValid();
+};
+
+/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
 extern "C" {
 
 // functions called from osfmk/device/iokit_rpc.c
@@ -281,16 +358,23 @@
 {
     IOUserClient *	client;
     IOMemoryMap *	map;
+    IOUserNotification * notify;
 
     if( !IOMachPort::noMoreSendersForObject( obj, type, mscount ))
 	return( kIOReturnNotReady );
 
-    if( (IKOT_IOKIT_CONNECT == type)
-     && (client = OSDynamicCast( IOUserClient, obj )))
-	client->clientDied();
-    else if( (IKOT_IOKIT_OBJECT == type)
-     && (map = OSDynamicCast( IOMemoryMap, obj )))
-	map->taskDied();
+    if( IKOT_IOKIT_CONNECT == type)
+    {
+	if( (client = OSDynamicCast( IOUserClient, obj )))
+	    client->clientDied();
+    }
+    else if( IKOT_IOKIT_OBJECT == type)
+    {
+	if( (map = OSDynamicCast( IOMemoryMap, obj )))
+	    map->taskDied();
+	else if( (notify = OSDynamicCast( IOUserNotification, obj )))
+	    notify->setNotification( 0 );
+    }
 
     return( kIOReturnSuccess );
 }
@@ -299,39 +383,19 @@
 
 /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
 
-class IOUserNotification : public OSIterator
-{
-    OSDeclareDefaultStructors(IOUserNotification)
+class IOServiceUserNotification : public IOUserNotification
+{
+    OSDeclareDefaultStructors(IOServiceUserNotification)
 
     struct PingMsg {
-        mach_msg_header_t	msgHdr;
-        OSNotificationHeader	notifyHeader;
+        mach_msg_header_t		msgHdr;
+        OSNotificationHeader		notifyHeader;
     };
 
-    PingMsg 	*	pingMsg;
+    enum { kMaxOutstanding = 1024 };
+
+    PingMsg *		pingMsg;
     vm_size_t		msgSize;
-    IONotifier 	* 	holdNotify;
-    IOLock 	*	lock;
-
-public:
-
-    virtual bool init( mach_port_t port, natural_t type,
-                       OSAsyncReference reference,
-                       vm_size_t messageSize );
-    virtual void free();
-
-    virtual void setNotification( IONotifier * obj );
-
-    virtual void reset();
-    virtual bool isValid();
-};
-
-class IOServiceUserNotification : public IOUserNotification
-{
-    OSDeclareDefaultStructors(IOServiceUserNotification)
-
-    enum { kMaxOutstanding = 256 };
-
     OSArray 	*	newSet;
     OSObject	*	lastEntry;
     bool		armed;
@@ -352,6 +416,16 @@
 class IOServiceMessageUserNotification : public IOUserNotification
 {
     OSDeclareDefaultStructors(IOServiceMessageUserNotification)
+
+    struct PingMsg {
+        mach_msg_header_t		msgHdr;
+	mach_msg_body_t			msgBody;
+	mach_msg_port_descriptor_t	ports[1];
+        OSNotificationHeader		notifyHeader;
+    };
+
+    PingMsg *		pingMsg;
+    vm_size_t		msgSize;
 
 public:
 
@@ -378,8 +452,7 @@
 
 /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
 
-bool IOUserNotification::init( mach_port_t port, natural_t type,
-                               OSAsyncReference reference, vm_size_t extraSize )
+bool IOUserNotification::init( void )
 {
     if( !super::init())
 	return( false );
@@ -388,7 +461,63 @@
     if( !lock)
         return( false );
 
-    msgSize = sizeof( PingMsg) + extraSize;
+    return( true );
+}
+
+void IOUserNotification::free( void )
+{
+    if( holdNotify)
+	holdNotify->remove();
+    // can't be in handler now
+
+    if( lock)
+	IOLockFree( lock );
+
+    super::free();
+}
+
+
+void IOUserNotification::setNotification( IONotifier * notify )
+{
+    IONotifier * previousNotify;
+
+    IOLockLock( gIOObjectPortLock);
+
+    previousNotify = holdNotify;
+    holdNotify = notify;
+
+    IOLockUnlock( gIOObjectPortLock);
+
+    if( previousNotify)
+	previousNotify->remove();
+}
+
+void IOUserNotification::reset()
+{
+    // ?
+}
+
+bool IOUserNotification::isValid()
+{
+    return( true );
+}
+
+/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+#undef super
+#define super IOUserNotification
+OSDefineMetaClassAndStructors(IOServiceUserNotification, IOUserNotification)
+
+/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+bool IOServiceUserNotification::init( mach_port_t port, natural_t type,
+                                OSAsyncReference reference )
+{
+    newSet = OSArray::withCapacity( 1 );
+    if( !newSet)
+        return( false );
+
+    msgSize = sizeof( PingMsg) + 0;
     pingMsg = (PingMsg *) IOMalloc( msgSize);
     if( !pingMsg)
         return( false );
@@ -397,79 +526,40 @@
 
     pingMsg->msgHdr.msgh_remote_port	= port;
     pingMsg->msgHdr.msgh_bits 		= MACH_MSGH_BITS(
-                                            MACH_MSG_TYPE_COPY_SEND,
-                                            MACH_MSG_TYPE_MAKE_SEND );
+                                            MACH_MSG_TYPE_COPY_SEND /*remote*/,
+                                            MACH_MSG_TYPE_MAKE_SEND /*local*/);
     pingMsg->msgHdr.msgh_size 		= msgSize;
     pingMsg->msgHdr.msgh_id		= kOSNotificationMessageID;
 
-    pingMsg->notifyHeader.size = extraSize;
+    pingMsg->notifyHeader.size = 0;
     pingMsg->notifyHeader.type = type;
     bcopy( reference, pingMsg->notifyHeader.reference, sizeof(OSAsyncReference) );
 
-    return( true );
-}
-
-void IOUserNotification::free( void )
-{
-    if( holdNotify)
-	holdNotify->remove();
-    // can't be in handler now
-
-    if( pingMsg)
-        IOFree( pingMsg, msgSize);
-
-    if( lock)
-	IOLockFree( lock );
+    return( super::init() );
+}
+
+void IOServiceUserNotification::free( void )
+{
+    PingMsg   *	_pingMsg;
+    vm_size_t	_msgSize;
+    OSArray   *	_newSet;
+    OSObject  *	_lastEntry;
+
+    _pingMsg   = pingMsg;
+    _msgSize   = msgSize;
+    _lastEntry = lastEntry;
+    _newSet    = newSet;
 
     super::free();
-}
-
-
-void IOUserNotification::setNotification( IONotifier * notify )
-{
-    if( holdNotify)
-	holdNotify->remove();
-
-    holdNotify = notify;
-}
-
-void IOUserNotification::reset()
-{
-    // ?
-}
-
-bool IOUserNotification::isValid()
-{
-    return( true );
-}
-
-/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
-
-#undef super
-#define super IOUserNotification
-OSDefineMetaClassAndStructors(IOServiceUserNotification, IOUserNotification)
-
-/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
-
-bool IOServiceUserNotification::init( mach_port_t port, natural_t type,
-                                OSAsyncReference reference )
-{
-    newSet = OSArray::withCapacity( 1 );
-    if( !newSet)
-        return( false );
-
-    return( super::init( port, type, reference, 0) );
-}
-
-void IOServiceUserNotification::free( void )
-{
-    if( lastEntry)
-        lastEntry->release();
-
-    if( newSet)
-        newSet->release();
-
-    super::free();
+
+    if( _pingMsg && _msgSize)
+        IOFree( _pingMsg, _msgSize);
+
+    if( _lastEntry)
+        _lastEntry->release();
+
+    if( _newSet)
+        _newSet->release();
 }
 
 bool IOServiceUserNotification::_handler( void * target,
@@ -478,7 +568,7 @@
     return( ((IOServiceUserNotification *) target)->handler( ref, newService ));
 }
 
-bool IOServiceUserNotification::handler( void * /* ref */,
+bool IOServiceUserNotification::handler( void * ref,
                                 IOService * newService )
 {
     unsigned int	count;
@@ -497,6 +587,9 @@
     }
 
     IOUnlock( lock );
+
+    if( kIOServiceTerminatedNotificationType == pingMsg->notifyHeader.type)
+        IOMachPort::setHoldDestroy( newService, IKOT_IOKIT_OBJECT );
 
     if( sendPing) {
 	if( (port = iokit_port_for_object( this, IKOT_IOKIT_OBJECT ) ))
@@ -551,13 +644,48 @@
 bool IOServiceMessageUserNotification::init( mach_port_t port, natural_t type,
                        OSAsyncReference reference, vm_size_t extraSize )
 {
-    return( super::init( port, type, reference,
-                       sizeof(IOServiceInterestContent) + extraSize) );
+
+    extraSize += sizeof(IOServiceInterestContent);
+    msgSize = sizeof( PingMsg) + extraSize;
+    pingMsg = (PingMsg *) IOMalloc( msgSize);
+    if( !pingMsg)
+        return( false );
+
+    bzero( pingMsg, msgSize);
+
+    pingMsg->msgHdr.msgh_remote_port	= port;
+    pingMsg->msgHdr.msgh_bits 		= MACH_MSGH_BITS_COMPLEX
+					|  MACH_MSGH_BITS(
+                                            MACH_MSG_TYPE_COPY_SEND /*remote*/,
+                                            MACH_MSG_TYPE_MAKE_SEND /*local*/);
+    pingMsg->msgHdr.msgh_size 		= msgSize;
+    pingMsg->msgHdr.msgh_id		= kOSNotificationMessageID;
+
+    pingMsg->msgBody.msgh_descriptor_count = 1;
+
+    pingMsg->ports[0].name 		= 0;
+    pingMsg->ports[0].disposition 	= MACH_MSG_TYPE_MAKE_SEND;
+    pingMsg->ports[0].type 		= MACH_MSG_PORT_DESCRIPTOR;
+
+    pingMsg->notifyHeader.size 		= extraSize;
+    pingMsg->notifyHeader.type 		= type;
+    bcopy( reference, pingMsg->notifyHeader.reference, sizeof(OSAsyncReference) );
+
+    return( super::init() );
 }
 
 void IOServiceMessageUserNotification::free( void )
 {
+    PingMsg *	_pingMsg;
+    vm_size_t	_msgSize;
+
+    _pingMsg   = pingMsg;
+    _msgSize   = msgSize;
+
     super::free();
+
+    if( _pingMsg && _msgSize)
+        IOFree( _pingMsg, _msgSize);
 }
 
 IOReturn IOServiceMessageUserNotification::_handler( void * target, void * ref,
@@ -573,7 +701,7 @@
                                     void * messageArgument, vm_size_t argSize )
 {
     kern_return_t		kr;
-    ipc_port_t 			port;
+    ipc_port_t 			thisPort, providerPort;
     IOServiceInterestContent * 	data = (IOServiceInterestContent *)
                                        pingMsg->notifyHeader.content;
 
@@ -591,16 +719,16 @@
         - sizeof( data->messageArgument)
         + argSize;
 
-    if( (port = iokit_port_for_object( provider, IKOT_IOKIT_OBJECT ) ))
-	pingMsg->msgHdr.msgh_local_port = port;
-    else
-	pingMsg->msgHdr.msgh_local_port = NULL;
-    
+    providerPort = iokit_port_for_object( provider, IKOT_IOKIT_OBJECT );
+    pingMsg->ports[0].name = providerPort;
+    thisPort = iokit_port_for_object( this, IKOT_IOKIT_OBJECT );
+    pingMsg->msgHdr.msgh_local_port = thisPort;
     kr = mach_msg_send_from_kernel( &pingMsg->msgHdr,
-                                    pingMsg->msgHdr.msgh_size);
-
-    if( port)
-	iokit_release_port( port );
+				    pingMsg->msgHdr.msgh_size);
+    if( thisPort)
+	iokit_release_port( thisPort );
+    if( providerPort)
+	iokit_release_port( providerPort );
 
     if( KERN_SUCCESS != kr)
         IOLog("%s: mach_msg_send_from_kernel {%x}\n", __FILE__, kr );
@@ -635,24 +763,93 @@
     asyncRef[kIOAsyncCalloutRefconIndex] = (natural_t) refcon;
 }
 
+inline OSDictionary * CopyConsoleUser(UInt32 uid)
+{
+	OSArray * array;
+	OSDictionary * user = 0; 
+
+	if ((array = OSDynamicCast(OSArray,
+	    IORegistryEntry::getRegistryRoot()->copyProperty(gIOConsoleUsersKey))))
+	{
+	    for (unsigned int idx = 0;
+		    (user = OSDynamicCast(OSDictionary, array->getObject(idx)));
+		    idx++) {
+            OSNumber * num;
+            
+            if ((num = OSDynamicCast(OSNumber, user->getObject(gIOConsoleSessionUIDKey)))
+              && (uid == num->unsigned32BitValue())) {
+                user->retain();
+                break;
+            }
+	    }
+	    array->release();
+	}
+    return user;
+}
+
 IOReturn IOUserClient::clientHasPrivilege( void * securityToken,
                                             const char * privilegeName )
 {
-    kern_return_t	   kr;
-    security_token_t	   token;
-    mach_msg_type_number_t count;
-
-    if( 0 != strcmp( privilegeName, kIOClientPrivilegeAdministrator))
-        return( kIOReturnUnsupported );
-
+    kern_return_t           kr;
+    security_token_t        token;
+    mach_msg_type_number_t  count;
+    task_t                  task;
+    OSDictionary *          user;
+    bool                    secureConsole;
+
+    if ((secureConsole = !strcmp(privilegeName, kIOClientPrivilegeSecureConsoleProcess)))
+        task = (task_t)((IOUCProcessToken *)securityToken)->token;
+    else
+        task = (task_t)securityToken;
+    
     count = TASK_SECURITY_TOKEN_COUNT;
-    kr = task_info( (task_t) securityToken, TASK_SECURITY_TOKEN,
-                    (task_info_t) &token, &count );
-    if( (kr == kIOReturnSuccess)
-      && (0 != token.val[0]))
-        kr = kIOReturnNotPrivileged;
-
-    return( kr );
+    kr = task_info( task, TASK_SECURITY_TOKEN, (task_info_t) &token, &count );
+
+    if (KERN_SUCCESS != kr)
+    {}
+    else if (!strcmp(privilegeName, kIOClientPrivilegeAdministrator)) {
+        if (0 != token.val[0])
+            kr = kIOReturnNotPrivileged;
+    } else if (!strcmp(privilegeName, kIOClientPrivilegeLocalUser)) {
+        user = CopyConsoleUser(token.val[0]);
+        if ( user )
+            user->release();
+        else
+            kr = kIOReturnNotPrivileged;            
+    } else if (secureConsole || !strcmp(privilegeName, kIOClientPrivilegeConsoleUser)) {
+        user = CopyConsoleUser(token.val[0]);
+        if ( user ) {
+            if (user->getObject(gIOConsoleSessionOnConsoleKey) != kOSBooleanTrue)
+                kr = kIOReturnNotPrivileged;
+            else if ( secureConsole ) {
+                OSNumber * pid = OSDynamicCast(OSNumber, user->getObject(gIOConsoleSessionSecureInputPIDKey));
+                if ( pid && pid->unsigned32BitValue() != ((IOUCProcessToken *)securityToken)->pid)
+                    kr = kIOReturnNotPrivileged;
+            }
+            user->release();
+        }
+        else 
+            kr = kIOReturnNotPrivileged;
+    } else
+        kr = kIOReturnUnsupported;
+
+    return (kr);
+}
+
+bool IOUserClient::init()
+{
+    if( getPropertyTable())
+        return true;
+    else
+        return super::init();
+}
+
+bool IOUserClient::init(OSDictionary * dictionary)
+{
+    if( getPropertyTable())
+        return true;
+    else
+        return super::init(dictionary);
 }
 
 bool IOUserClient::initWithTask(task_t owningTask,
@@ -833,7 +1030,8 @@
     
     if(numArgs > kMaxAsyncArgs)
         return kIOReturnMessageTooLarge;
-    replyMsg.msgHdr.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND,0);
+    replyMsg.msgHdr.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND /*remote*/,
+                                                0 /*local*/);
     replyMsg.msgHdr.msgh_size =
         sizeof(replyMsg) - (kMaxAsyncArgs-numArgs)*sizeof(void *);
     replyMsg.msgHdr.msgh_remote_port = replyPort;
@@ -869,11 +1067,98 @@
 	io_object_t object,
 	io_name_t className )
 {
+	const OSMetaClass* my_obj = NULL;
+
     if( !object)
         return( kIOReturnBadArgument );
-
-    strcpy( className, object->getMetaClass()->getClassName());
+		
+	my_obj = object->getMetaClass();
+	if (!my_obj) {
+		return (kIOReturnNotFound);
+	}
+	
+    strcpy( className, my_obj->getClassName());
     return( kIOReturnSuccess );
+}
+
+/* Routine io_object_get_superclass */
+kern_return_t is_io_object_get_superclass(
+	mach_port_t master_port,
+	io_name_t obj_name, 
+	io_name_t class_name)
+{
+	const OSMetaClass* my_obj = NULL;
+	const OSMetaClass* superclass = NULL;
+	const OSSymbol *my_name = NULL;
+	const char *my_cstr = NULL;
+
+	if (!obj_name || !class_name) 
+		return (kIOReturnBadArgument);
+
+    if( master_port != master_device_port)
+        return( kIOReturnNotPrivileged);
+
+	my_name = OSSymbol::withCString(obj_name);
+	
+	if (my_name) {
+		my_obj = OSMetaClass::getMetaClassWithName(my_name);
+		my_name->release();
+	}
+	if (my_obj) {
+		superclass = my_obj->getSuperClass();
+	}
+	
+	if (!superclass)  {
+		return( kIOReturnNotFound );
+	}
+
+	my_cstr = superclass->getClassName();
+		
+	if (my_cstr) {
+		strncpy(class_name, my_cstr, sizeof(io_name_t)-1);
+		return( kIOReturnSuccess );
+	}
+	return (kIOReturnNotFound);
+}
+
+/* Routine io_object_get_bundle_identifier */
+kern_return_t is_io_object_get_bundle_identifier(
+	mach_port_t master_port,
+	io_name_t obj_name, 
+	io_name_t bundle_name)
+{
+	const OSMetaClass* my_obj = NULL;
+	const OSSymbol *my_name = NULL;
+	const OSSymbol *identifier = NULL;
+	const char *my_cstr = NULL;
+
+	if (!obj_name || !bundle_name) 
+		return (kIOReturnBadArgument);
+
+    if( master_port != master_device_port)
+        return( kIOReturnNotPrivileged);
+	
+	my_name = OSSymbol::withCString(obj_name);	
+	
+	if (my_name) {
+		my_obj = OSMetaClass::getMetaClassWithName(my_name);
+		my_name->release();
+	}
+
+	if (my_obj) {
+		identifier = my_obj->getKmodName();
+	}
+	if (!identifier) {
+		return( kIOReturnNotFound );
+	}
+	
+	my_cstr = identifier->getCStringNoCopy();
+	if (my_cstr) {
+		strncpy(bundle_name, identifier->getCStringNoCopy(), sizeof(io_name_t)-1);
+		return( kIOReturnSuccess );
+	}
+
+	return (kIOReturnBadArgument);
 }
 
 /* Routine io_object_conforms_to */
@@ -968,6 +1253,31 @@
     return( kr );
 }
 
+/* Routine io_service_match_property_table_ool */
+kern_return_t is_io_service_match_property_table_ool(
+	io_object_t service,
+	io_buf_ptr_t matching,
+	mach_msg_type_number_t matchingCnt,
+	natural_t *result,
+	boolean_t *matches )
+{
+    kern_return_t	kr;
+    vm_offset_t 	data;
+    vm_map_offset_t	map_data;
+
+    kr = vm_map_copyout( kernel_map, &map_data, (vm_map_copy_t) matching );
+    data = CAST_DOWN(vm_offset_t, map_data);
+
+    if( KERN_SUCCESS == kr) {
+        // must return success after vm_map_copyout() succeeds
+	*result = is_io_service_match_property_table( service,
+		(char *) data, matches );
+	vm_deallocate( kernel_map, data, matchingCnt );
+    }
+
+    return( kr );
+}
+
 /* Routine io_service_get_matching_services */
 kern_return_t is_io_service_get_matching_services(
 	mach_port_t master_port,
@@ -991,6 +1301,31 @@
 
     if( obj)
         obj->release();
+
+    return( kr );
+}
+
+/* Routine io_service_get_matching_services_ool */
+kern_return_t is_io_service_get_matching_services_ool(
+	mach_port_t master_port,
+	io_buf_ptr_t matching,
+	mach_msg_type_number_t matchingCnt,
+	natural_t *result,
+	io_object_t *existing )
+{
+    kern_return_t	kr;
+    vm_offset_t 	data;
+    vm_map_offset_t	map_data;
+
+    kr = vm_map_copyout( kernel_map, &map_data, (vm_map_copy_t) matching );
+    data = CAST_DOWN(vm_offset_t, map_data);
+
+    if( KERN_SUCCESS == kr) {
+        // must return success after vm_map_copyout() succeeds
+	*result = is_io_service_get_matching_services( master_port,
+			(char *) data, existing );
+	vm_deallocate( kernel_map, data, matchingCnt );
+    }
 
     return( kr );
 }
@@ -1005,7 +1340,6 @@
 	mach_msg_type_number_t referenceCnt,
 	io_object_t * notification )
 {
-
     IOServiceUserNotification *	userNotify = 0;
     IONotifier *		notify = 0;
     const OSSymbol *		sym;
@@ -1070,6 +1404,36 @@
     return( err );
 }
 
+/* Routine io_service_add_notification_ool */
+kern_return_t is_io_service_add_notification_ool(
+	mach_port_t master_port,
+	io_name_t notification_type,
+	io_buf_ptr_t matching,
+	mach_msg_type_number_t matchingCnt,
+	mach_port_t wake_port,
+	io_async_ref_t reference,
+	mach_msg_type_number_t referenceCnt,
+	natural_t *result,
+	io_object_t *notification )
+{
+    kern_return_t	kr;
+    vm_offset_t 	data;
+    vm_map_offset_t	map_data;
+
+    kr = vm_map_copyout( kernel_map, &map_data, (vm_map_copy_t) matching );
+    data = CAST_DOWN(vm_offset_t, map_data);
+
+    if( KERN_SUCCESS == kr) {
+        // must return success after vm_map_copyout() succeeds
+	*result = is_io_service_add_notification( master_port, notification_type,
+			(char *) data, wake_port, reference, referenceCnt, notification );
+	vm_deallocate( kernel_map, data, matchingCnt );
+    }
+
+    return( kr );
+}
+
+
 /* Routine io_service_add_notification_old */
 kern_return_t is_io_service_add_notification_old(
 	mach_port_t master_port,
@@ -1122,6 +1486,8 @@
         } else
             err = kIOReturnUnsupported;
 
+	sym->release();
+
     } while( false );
 
     return( err );
@@ -1337,7 +1703,7 @@
     kern_return_t	err;
     vm_map_copy_t	copy;
 
-    err = vm_map_copyin( kernel_map, (vm_offset_t) data, len,
+    err = vm_map_copyin( kernel_map, CAST_USER_ADDR_T(data), len,
                     false /* src_destroy */, &copy);
 
     assert( err == KERN_SUCCESS );
@@ -1388,7 +1754,7 @@
 	offsetBytes = off->unsigned64BitValue();
 	len = off->numberOfBytes();
 	bytes = &offsetBytes;
-#if __BIG_ENDIAN__
+#ifdef __BIG_ENDIAN__
 	bytes = (const void *)
 		(((UInt32) bytes) + (sizeof( UInt64) - len));
 #endif
@@ -1409,6 +1775,7 @@
     return( ret );
 }
 
+
 /* Routine io_registry_entry_get_property */
 kern_return_t is_io_registry_entry_get_property(
 	io_object_t registry_entry,
@@ -1531,10 +1898,12 @@
     kern_return_t	err;
     IOReturn		res;
     vm_offset_t 	data;
+    vm_map_offset_t	map_data;
 
     CHECK( IORegistryEntry, registry_entry, entry );
 
-    err = vm_map_copyout( kernel_map, &data, (vm_map_copy_t) properties );
+    err = vm_map_copyout( kernel_map, &map_data, (vm_map_copy_t) properties );
+    data = CAST_DOWN(vm_offset_t, map_data);
 
     if( KERN_SUCCESS == err) {
 
@@ -1594,6 +1963,18 @@
     return( kIOReturnSuccess );
 }
 
+/* Routine io_service_get_state */
+kern_return_t is_io_service_get_state(
+	io_object_t _service,
+	uint64_t *state )
+{
+    CHECK( IOService, _service, service );
+
+    *state = service->getState();
+
+    return( kIOReturnSuccess );
+}
+
 /* Routine io_service_wait_quiet */
 kern_return_t is_io_service_wait_quiet(
 	io_object_t _service,
@@ -1628,7 +2009,7 @@
     CHECK( IOService, _service, service );
 
     err = service->newUserClient( owningTask, (void *) owningTask,
-		connect_type, &client );
+		connect_type, 0, &client );
 
     if( err == kIOReturnSuccess) {
 	assert( OSDynamicCast(IOUserClient, client) );
@@ -1638,10 +2019,109 @@
     return( err);
 }
 
+/* Routine io_service_open_ndr */
+kern_return_t is_io_service_open_extended(
+	io_object_t _service,
+	task_t owningTask,
+	int connect_type,
+	NDR_record_t ndr,
+	io_buf_ptr_t properties,
+	mach_msg_type_number_t propertiesCnt,
+        natural_t * result,
+	io_object_t *connection )
+{
+    IOUserClient * client = 0;
+    kern_return_t  err = KERN_SUCCESS;
+    IOReturn	   res = kIOReturnSuccess;
+    OSDictionary * propertiesDict = 0;
+    bool	   crossEndian;
+    bool	   disallowAccess;
+
+    CHECK( IOService, _service, service );
+
+    do
+    {
+	if (properties)
+	{
+	    OSObject *	    obj;
+	    vm_offset_t     data;
+	    vm_map_offset_t map_data;
+
+	    err = vm_map_copyout( kernel_map, &map_data, (vm_map_copy_t) properties );
+	    res = err;
+	    data = CAST_DOWN(vm_offset_t, map_data);
+	    if (KERN_SUCCESS == err)
+	    {
+		// must return success after vm_map_copyout() succeeds
+		obj = OSUnserializeXML( (const char *) data );
+		vm_deallocate( kernel_map, data, propertiesCnt );
+		propertiesDict = OSDynamicCast(OSDictionary, obj);
+		if (!propertiesDict)
+		{
+		    res = kIOReturnBadArgument;
+		    if (obj)
+			obj->release();
+		}
+	    }
+	    if (kIOReturnSuccess != res)
+		break;
+	}
+
+	crossEndian = (ndr.int_rep != NDR_record.int_rep);
+	if (crossEndian)
+	{
+	    if (!propertiesDict)
+		propertiesDict = OSDictionary::withCapacity(4);
+	    OSData * data = OSData::withBytes(&ndr, sizeof(ndr));
+	    if (data)
+	    {
+		if (propertiesDict)
+		    propertiesDict->setObject(kIOUserClientCrossEndianKey, data);
+		data->release();
+	    }
+	}
+
+	res = service->newUserClient( owningTask, (void *) owningTask,
+		    connect_type, propertiesDict, &client );
+
+	if (propertiesDict)
+	    propertiesDict->release();
+
+	if (res == kIOReturnSuccess)
+	{
+	    assert( OSDynamicCast(IOUserClient, client) );
+
+	    disallowAccess = (crossEndian
+		&& (kOSBooleanTrue != service->getProperty(kIOUserClientCrossEndianCompatibleKey))
+		&& (kOSBooleanTrue != client->getProperty(kIOUserClientCrossEndianCompatibleKey)));
+
+	    if (disallowAccess)
+	    {
+		client->clientClose();
+		client->release();
+		client = 0;
+		res = kIOReturnUnsupported;
+		break;
+	    }
+	    client->sharedInstance = (0 != client->getProperty(kIOUserClientSharedInstanceKey));
+	}
+    }
+    while (false);
+
+    *connection = client;
+    *result = res;
+
+    return (err);
+}
+
 /* Routine io_service_close */
 kern_return_t is_io_service_close(
 	io_object_t connection )
 {
+    OSSet * mappings;
+    if ((mappings = OSDynamicCast(OSSet, connection)))
+	return( kIOReturnSuccess );
+
     CHECK( IOUserClient, connection, client );
 
     client->clientClose();
@@ -1700,10 +2180,14 @@
         if( mapSize)
             *mapSize = map->getLength();
 
-        if( task != current_task()) {
+        if( client->sharedInstance
+	    || (task != current_task())) {
             // push a name out to the task owning the map,
             // so we can clean up maps
-            mach_port_name_t name = IOMachPort::makeSendRightForTask(
+#if IOASSERT
+	    mach_port_name_t name =
+#endif
+	    IOMachPort::makeSendRightForTask(
                                     task, map, IKOT_IOKIT_OBJECT );
             assert( name );
 
@@ -1725,6 +2209,33 @@
     return( err );
 }
 
+IOMemoryMap * IOUserClient::removeMappingForDescriptor(IOMemoryDescriptor * mem)
+{
+    OSIterator *  iter;
+    IOMemoryMap * map = 0;
+
+    IOLockLock(gIOObjectPortLock);
+
+    iter = OSCollectionIterator::withCollection(mappings);
+    if(iter)
+    {
+        while ((map = OSDynamicCast(IOMemoryMap, iter->getNextObject())))
+        {
+            if(mem == map->getMemoryDescriptor())
+            {
+                map->retain();
+                mappings->removeObject(map);
+                break;
+            }
+        }
+        iter->release();
+    }
+
+    IOLockUnlock(gIOObjectPortLock);
+
+    return (map);
+}
+
 kern_return_t is_io_connect_unmap_memory(
 	io_object_t     connect,
 	int		type,
@@ -1747,14 +2258,28 @@
 
 	map = memory->map( task, mapAddr, options );
 	memory->release();
-        if( map) {
+        if( map)
+	{
             IOLockLock( gIOObjectPortLock);
             if( client->mappings)
                 client->mappings->removeObject( map);
             IOLockUnlock( gIOObjectPortLock);
-            IOMachPort::releasePortForObject( map, IKOT_IOKIT_OBJECT );
-            map->release();
-        } else
+
+	    mach_port_name_t name = 0;
+	    if (task != current_task())
+		name = IOMachPort::makeSendRightForTask( task, map, IKOT_IOKIT_OBJECT );
+	    if (name)
+	    {
+		map->unmap();
+		err = iokit_mod_send_right( task, name, -2 );
+		err = kIOReturnSuccess;
+	    }
+	    else
+		IOMachPort::releasePortForObject( map, IKOT_IOKIT_OBJECT );
+	    if (task == current_task())
+		map->release();
+        }
+	else
             err = kIOReturnBadArgument;
     }
 
@@ -2431,8 +2956,12 @@
     if(flag != kIOCatalogRemoveKernelLinker && ( !inData || !inDataCount) )
         return kIOReturnBadArgument;
 
-    if (data) {
-        kr = vm_map_copyout( kernel_map, &data, (vm_map_copy_t)inData);
+    if (inData) {
+        vm_map_offset_t map_data;
+
+        kr = vm_map_copyout( kernel_map, &map_data, (vm_map_copy_t)inData);
+	data = CAST_DOWN(vm_offset_t, map_data);
+
         if( kr != KERN_SUCCESS)
             return kr;
 
@@ -2593,17 +3122,8 @@
         return kIOReturnNoMemory;
 
     s->clearText();
-    switch ( flag ) {
-        case kIOCatalogGetContents:
-            if ( !gIOCatalogue->serialize(s) ) {
-                kr = kIOReturnNoMemory;
-            }
-            break;
-
-        default:
-            kr = kIOReturnBadArgument;
-            break;
-    }
+
+    kr = gIOCatalogue->serializeData(flag, s);
 
     if ( kr == kIOReturnSuccess ) {
         vm_offset_t data;
@@ -2611,10 +3131,11 @@
         vm_size_t size;
 
         size = s->getLength();
-        kr = vm_allocate(kernel_map, &data, size, true);
+        kr = vm_allocate(kernel_map, &data, size, VM_FLAGS_ANYWHERE);
         if ( kr == kIOReturnSuccess ) {
             bcopy(s->text(), (void *)data, size);
-            kr = vm_map_copyin(kernel_map, data, size, true, &copy);
+            kr = vm_map_copyin(kernel_map, (vm_map_address_t)data,
+			       (vm_map_size_t)size, true, &copy);
             *outData = (char *)copy;
             *outDataCount = size;
         }
@@ -2680,19 +3201,17 @@
     return kIOReturnSuccess;
 }
 
-kern_return_t iokit_user_client_trap(io_object_t userClientRef, UInt32 index,
-                                    void *p1, void *p2, void *p3,
-                                    void *p4, void *p5, void *p6)
+kern_return_t iokit_user_client_trap(struct iokit_user_client_trap_args *args)
 {
     kern_return_t result = kIOReturnBadArgument;
     IOUserClient *userClient;
 
     if ((userClient = OSDynamicCast(IOUserClient,
-            iokit_lookup_connect_ref_current_task(userClientRef)))) {
+            iokit_lookup_connect_ref_current_task((OSObject *)(args->userClientRef))))) {
         IOExternalTrap *trap;
         IOService *target = NULL;
 
-        trap = userClient->getTargetAndTrapForIndex(&target, index);
+        trap = userClient->getTargetAndTrapForIndex(&target, args->index);
 
         if (trap && target) {
             IOTrap func;
@@ -2700,7 +3219,7 @@
             func = trap->func;
 
             if (func) {
-                result = (target->*func)(p1, p2, p3, p4, p5, p6);
+                result = (target->*func)(args->p1, args->p2, args->p3, args->p4, args->p5, args->p6);
             }
         }