]> git.saurik.com Git - apple/xnu.git/blobdiff - osfmk/ipc/ipc_kmsg.c
projects / apple / xnu.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
xnu-7195.101.1.tar.gz
[apple/xnu.git] / osfmk / ipc / ipc_kmsg.c
diff --git a/osfmk/ipc/ipc_kmsg.c b/osfmk/ipc/ipc_kmsg.c
index 3afee2bd44b886d2eab29962311b04d230f3e003..8b219581df51e6bf2079801eb2b0f039229ca96a 100644 (file)
--- a/osfmk/ipc/ipc_kmsg.c
+++ b/osfmk/ipc/ipc_kmsg.c
@@ -1,52 +1,65 @@
 /*
 /*
- * Copyright (c) 2000 Apple Computer, Inc. All rights reserved.
+ * Copyright (c) 2000-2020 Apple Inc. All rights reserved.
  *
  *
- * @APPLE_LICENSE_HEADER_START@
- * 
- * The contents of this file constitute Original Code as defined in and
- * are subject to the Apple Public Source License Version 1.1 (the
- * "License").  You may not use this file except in compliance with the
- * License.  Please obtain a copy of the License at
- * http://www.apple.com/publicsource and read it before using this file.
- * 
- * This Original Code and all software distributed under the License are
- * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. The rights granted to you under the License
+ * may not be used to create, or enable the creation or redistribution of,
+ * unlawful or unlicensed copies of an Apple operating system, or to
+ * circumvent, violate, or enable the circumvention or violation of, any
+ * terms of an Apple operating system software license agreement.
+ *
+ * Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT.  Please see the
- * License for the specific language governing rights and limitations
- * under the License.
- * 
- * @APPLE_LICENSE_HEADER_END@
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
  */
 /*
  * @OSF_COPYRIGHT@
  */
  */
 /*
  * @OSF_COPYRIGHT@
  */
-/* 
+/*
  * Mach Operating System
  * Copyright (c) 1991,1990,1989 Carnegie Mellon University
  * All Rights Reserved.
  * Mach Operating System
  * Copyright (c) 1991,1990,1989 Carnegie Mellon University
  * All Rights Reserved.
- * 
+ *
  * Permission to use, copy, modify and distribute this software and its
  * documentation is hereby granted, provided that both the copyright
  * notice and this permission notice appear in all copies of the
  * software, derivative works or modified versions, and any portions
  * thereof, and that both notices appear in supporting documentation.
  * Permission to use, copy, modify and distribute this software and its
  * documentation is hereby granted, provided that both the copyright
  * notice and this permission notice appear in all copies of the
  * software, derivative works or modified versions, and any portions
  * thereof, and that both notices appear in supporting documentation.
- * 
+ *
  * CARNEGIE MELLON ALLOWS FREE USE OF THIS SOFTWARE IN ITS "AS IS"
  * CONDITION.  CARNEGIE MELLON DISCLAIMS ANY LIABILITY OF ANY KIND FOR
  * ANY DAMAGES WHATSOEVER RESULTING FROM THE USE OF THIS SOFTWARE.
  * CARNEGIE MELLON ALLOWS FREE USE OF THIS SOFTWARE IN ITS "AS IS"
  * CONDITION.  CARNEGIE MELLON DISCLAIMS ANY LIABILITY OF ANY KIND FOR
  * ANY DAMAGES WHATSOEVER RESULTING FROM THE USE OF THIS SOFTWARE.
- * 
+ *
  * Carnegie Mellon requests users of this software to return to
  * Carnegie Mellon requests users of this software to return to
- * 
+ *
  *  Software Distribution Coordinator  or  Software.Distribution@CS.CMU.EDU
  *  School of Computer Science
  *  Carnegie Mellon University
  *  Pittsburgh PA 15213-3890
  *  Software Distribution Coordinator  or  Software.Distribution@CS.CMU.EDU
  *  School of Computer Science
  *  Carnegie Mellon University
  *  Pittsburgh PA 15213-3890
- * 
+ *
  * any improvements or extensions that they make and grant Carnegie Mellon
  * the rights to redistribute these changes.
  */
  * any improvements or extensions that they make and grant Carnegie Mellon
  * the rights to redistribute these changes.
  */
+/*
+ * NOTICE: This file was modified by McAfee Research in 2004 to introduce
+ * support for mandatory and extensible security protections.  This notice
+ * is included in support of clause 2.2 (b) of the Apple Public License,
+ * Version 2.0.
+ * Copyright (c) 2005 SPARTA, Inc.
+ */
 /*
  */
 /*
 /*
  */
 /*
@@ -57,25 +70,40 @@
  *     Operations on kernel messages.
  */
 
  *     Operations on kernel messages.
  */
 
-#include <cpus.h>
-#include <norma_vm.h>
 
 
+#include <mach/mach_types.h>
 #include <mach/boolean.h>
 #include <mach/kern_return.h>
 #include <mach/message.h>
 #include <mach/port.h>
 #include <mach/boolean.h>
 #include <mach/kern_return.h>
 #include <mach/message.h>
 #include <mach/port.h>
+#include <mach/vm_map.h>
+#include <mach/mach_vm.h>
 #include <mach/vm_statistics.h>
 #include <mach/vm_statistics.h>
+
+#include <kern/kern_types.h>
 #include <kern/assert.h>
 #include <kern/assert.h>
+#include <kern/debug.h>
+#include <kern/ipc_kobject.h>
 #include <kern/kalloc.h>
 #include <kern/kalloc.h>
+#include <kern/zalloc.h>
+#include <kern/processor.h>
 #include <kern/thread.h>
 #include <kern/sched_prim.h>
 #include <kern/thread.h>
 #include <kern/sched_prim.h>
-#include <kern/spl.h>
 #include <kern/misc_protos.h>
 #include <kern/misc_protos.h>
-#include <kern/counters.h>
+#include <kern/cpu_data.h>
+#include <kern/policy_internal.h>
+#include <kern/mach_filter.h>
+
+#include <pthread/priority_private.h>
+
+#include <machine/limits.h>
+
 #include <vm/vm_map.h>
 #include <vm/vm_object.h>
 #include <vm/vm_kern.h>
 #include <vm/vm_map.h>
 #include <vm/vm_object.h>
 #include <vm/vm_kern.h>
+
 #include <ipc/port.h>
 #include <ipc/port.h>
+#include <ipc/ipc_types.h>
 #include <ipc/ipc_entry.h>
 #include <ipc/ipc_kmsg.h>
 #include <ipc/ipc_notify.h>
 #include <ipc/ipc_entry.h>
 #include <ipc/ipc_kmsg.h>
 #include <ipc/ipc_notify.h>
@@ -85,439 +113,1658 @@
 #include <ipc/ipc_right.h>
 #include <ipc/ipc_hash.h>
 #include <ipc/ipc_table.h>
 #include <ipc/ipc_right.h>
 #include <ipc/ipc_hash.h>
 #include <ipc/ipc_table.h>
+#include <ipc/ipc_importance.h>
+#if MACH_FLIPC
+#include <kern/mach_node.h>
+#include <ipc/flipc.h>
+#endif
 
 
-#include <string.h>
-
-extern vm_map_t                ipc_kernel_copy_map;
-extern vm_size_t       ipc_kmsg_max_vm_space;
-extern vm_size_t       msg_ool_size_small;
+#include <os/overflow.h>
 
 
-#define MSG_OOL_SIZE_SMALL     msg_ool_size_small
+#include <security/mac_mach_internal.h>
 
 
+#include <device/device_server.h>
 
 
-/*
- * Forward declarations
- */
+#include <string.h>
 
 
-void ipc_kmsg_clean(
-       ipc_kmsg_t      kmsg);
+#ifdef ppc
+#include <ppc/Firmware.h>
+#include <ppc/low_trace.h>
+#endif
 
 
-void ipc_kmsg_clean_body(
-       ipc_kmsg_t      kmsg,
-       mach_msg_type_number_t  number);
+#if DEBUG
+#define DEBUG_MSGS_K64 1
+#endif
 
 
-void ipc_kmsg_clean_partial(
-       ipc_kmsg_t              kmsg,
-       mach_msg_type_number_t  number,
-       vm_offset_t             paddr,
-       vm_size_t               length);
+#include <sys/kdebug.h>
+#include <libkern/OSAtomic.h>
 
 
-mach_msg_return_t ipc_kmsg_copyout_body(
-       ipc_kmsg_t              kmsg,
-       ipc_space_t             space,
-       vm_map_t                map,
-       mach_msg_body_t         *slist);
+#include <libkern/crypto/sha2.h>
 
 
-mach_msg_return_t ipc_kmsg_copyin_body(
-       ipc_kmsg_t              kmsg,
-       ipc_space_t             space,
-       vm_map_t                map);
+#include <ptrauth.h>
+#if __has_feature(ptrauth_calls)
+#include <libkern/ptrauth_utils.h>
+#endif
 
 
-void ikm_cache_init(void);
-/*
- *     We keep a per-processor cache of kernel message buffers.
- *     The cache saves the overhead/locking of using kalloc/kfree.
- *     The per-processor cache seems to miss less than a per-thread cache,
- *     and it also uses less memory.  Access to the cache doesn't
- *     require locking.
- */
-#define IKM_STASH 16   /* # of cache entries per cpu */
-ipc_kmsg_t     ipc_kmsg_cache[ NCPUS ][ IKM_STASH ];
-unsigned int   ipc_kmsg_cache_avail[NCPUS];
+#pragma pack(4)
 
 
-/*
- *     Routine:        ipc_kmsg_init
- *     Purpose:
- *             Initialize the kmsg system.  For each CPU, we need to
- *             pre-stuff the kmsg cache.
- */
-void
-ipc_kmsg_init()
-{
-       unsigned int    cpu, i;
+typedef struct{
+       mach_msg_bits_t       msgh_bits;
+       mach_msg_size_t       msgh_size;
+       mach_port_name_t      msgh_remote_port;
+       mach_port_name_t      msgh_local_port;
+       mach_port_name_t      msgh_voucher_port;
+       mach_msg_id_t         msgh_id;
+} mach_msg_legacy_header_t;
 
 
-       for (cpu = 0; cpu < NCPUS; ++cpu) {
-               for (i = 0; i < IKM_STASH; ++i) {
-                       ipc_kmsg_t kmsg;
+typedef struct{
+       mach_msg_legacy_header_t       header;
+       mach_msg_body_t         body;
+} mach_msg_legacy_base_t;
 
 
-                       kmsg = (ipc_kmsg_t)
-                              kalloc(ikm_plus_overhead(IKM_SAVED_MSG_SIZE));
-                       if (kmsg == IKM_NULL)
-                               panic("ipc_kmsg_init");
-                       ikm_init(kmsg, IKM_SAVED_MSG_SIZE);
-                       ipc_kmsg_cache[cpu][i] = kmsg;
-               }
-               ipc_kmsg_cache_avail[cpu] = IKM_STASH;
-       }
-}
+typedef struct{
+       mach_port_name_t                              name;
+       mach_msg_size_t                               pad1;
+       uint32_t                                              pad2 : 16;
+       mach_msg_type_name_t                  disposition : 8;
+       mach_msg_descriptor_type_t    type : 8;
+} mach_msg_legacy_port_descriptor_t;
 
 
-/*
- *     Routine:        ipc_kmsg_alloc
- *     Purpose:
- *             Allocate a kernel message structure.  If we can get one from
- *             the cache, that is best.  Otherwise, allocate a new one.
- *     Conditions:
- *             Nothing locked.
- */
-ipc_kmsg_t
-ipc_kmsg_alloc(
-       mach_msg_size_t msg_and_trailer_size)
-{
-       ipc_kmsg_t kmsg;
 
 
-       if ((msg_and_trailer_size <= IKM_SAVED_MSG_SIZE)) {
-               unsigned int    cpu, i;
+typedef union{
+       mach_msg_legacy_port_descriptor_t                     port;
+       mach_msg_ool_descriptor32_t           out_of_line32;
+       mach_msg_ool_ports_descriptor32_t     ool_ports32;
+       mach_msg_guarded_port_descriptor32_t  guarded_port32;
+       mach_msg_type_descriptor_t                    type;
+} mach_msg_legacy_descriptor_t;
 
 
-               disable_preemption();
-               cpu = cpu_number();
-               if ((i = ipc_kmsg_cache_avail[cpu]) > 0) {
-                       assert(i <= IKM_STASH);
-                       kmsg = ipc_kmsg_cache[cpu][--i];
-                       ipc_kmsg_cache_avail[cpu] = i;
-                       ikm_check_init(kmsg, IKM_SAVED_MSG_SIZE);
-                       enable_preemption();
-                       return (kmsg);
-               }
-               enable_preemption();
-       }
+#pragma pack()
 
 
-       /* round up for ikm_cache */
-       if (msg_and_trailer_size < IKM_SAVED_MSG_SIZE)
-           msg_and_trailer_size = IKM_SAVED_MSG_SIZE;
+#define LEGACY_HEADER_SIZE_DELTA ((mach_msg_size_t)(sizeof(mach_msg_header_t) - sizeof(mach_msg_legacy_header_t)))
 
 
-       kmsg = (ipc_kmsg_t)kalloc(ikm_plus_overhead(msg_and_trailer_size));
-       if (kmsg != IKM_NULL) {
-               ikm_init(kmsg, msg_and_trailer_size);
-       }
-       return(kmsg);
-}
+// END LP64 fixes
 
 
-/*
- *     Routine:        ipc_kmsg_free
- *     Purpose:
- *             Free a kernel message buffer.  If the kms is preallocated
- *             to a port, just "put it back (marked unused)."  We have to
- *             do this with the port locked.  The port may have its hold
- *             on our message released.  In that case, we have to just
- *             revert the message to a traditional one and free it normally.
- *     Conditions:
- *             Nothing locked.
- */
+#if __has_feature(ptrauth_calls)
+typedef uintptr_t ikm_sig_scratch_t;
 
 
-void
-ipc_kmsg_free(
-       ipc_kmsg_t      kmsg)
+static void
+ikm_init_sig(
+       __unused ipc_kmsg_t kmsg,
+       ikm_sig_scratch_t *scratchp)
 {
 {
-       mach_msg_size_t size = kmsg->ikm_size;
-       ipc_port_t port;
+       *scratchp = OS_PTRAUTH_DISCRIMINATOR("kmsg.ikm_signature");
+}
 
 
-       /*
-        * Check to see if the message is bound to the port.  If so,
-        * mark it not in use.  If the port isn't already dead, then
-        * leave the message associated with it.  Otherwise, free it
-        * (not to the cache).
-        */
-       port = ikm_prealloc_inuse_port(kmsg);
-       if (port != IP_NULL) {
-               ip_lock(port);
-               ikm_prealloc_clear_inuse(kmsg, port);
-               if (ip_active(port) && (port->ip_premsg == kmsg)) {
-                       assert(IP_PREALLOC(port));
-                       ip_unlock(port);
-                       return;
-               }
-               ip_unlock(port);
-               goto free_it;
-       }
+static void
+ikm_chunk_sig(
+       ipc_kmsg_t kmsg,
+       void *data,
+       size_t len,
+       ikm_sig_scratch_t *scratchp)
+{
+       int ptrauth_flags;
+       void *trailerp;
 
        /*
 
        /*
-        * Peek and see if it has to go back in the cache.
+        * if we happen to be doing the trailer chunk,
+        * diversify with the ptrauth-ed trailer pointer -
+        * as that is unchanging for the kmsg
         */
         */
-       if (kmsg->ikm_size == IKM_SAVED_MSG_SIZE &&
-           ipc_kmsg_cache_avail[cpu_number()] < IKM_STASH) {
-               unsigned int cpu, i;
-
-               disable_preemption();
-               cpu = cpu_number();
+       trailerp = (void *)
+           ((vm_offset_t)kmsg->ikm_header +
+           mach_round_msg(kmsg->ikm_header->msgh_size));
 
 
-               i = ipc_kmsg_cache_avail[cpu];
-               if (i < IKM_STASH) {
-                       assert(i >= 0);
-                       ipc_kmsg_cache[cpu][i] = kmsg;
-                       ipc_kmsg_cache_avail[cpu] = i + 1;
-                       enable_preemption();
-                       return;
-               }
-               enable_preemption();
-       }
+       ptrauth_flags = (data == trailerp) ? PTRAUTH_ADDR_DIVERSIFY : 0;
+       *scratchp = ptrauth_utils_sign_blob_generic(data, len, *scratchp, ptrauth_flags);
+}
 
 
- free_it:
-       kfree((vm_offset_t) kmsg, ikm_plus_overhead(size));
+static uintptr_t
+ikm_finalize_sig(
+       __unused ipc_kmsg_t kmsg,
+       ikm_sig_scratch_t *scratchp)
+{
+       return *scratchp;
 }
 
 }
 
+#elif defined(CRYPTO_SHA2) && !defined(__x86_64__) && !defined(__arm__)
 
 
-/*
- *     Routine:        ipc_kmsg_enqueue
- *     Purpose:
- *             Enqueue a kmsg.
- */
+typedef SHA256_CTX ikm_sig_scratch_t;
 
 
-void
-ipc_kmsg_enqueue(
-       ipc_kmsg_queue_t        queue,
-       ipc_kmsg_t              kmsg)
+static void
+ikm_init_sig(
+       __unused ipc_kmsg_t kmsg,
+       ikm_sig_scratch_t *scratchp)
 {
 {
-       ipc_kmsg_enqueue_macro(queue, kmsg);
+       SHA256_Init(scratchp);
+       SHA256_Update(scratchp, &vm_kernel_addrhash_salt_ext, sizeof(uint64_t));
 }
 
 }
 
-/*
- *     Routine:        ipc_kmsg_dequeue
- *     Purpose:
- *             Dequeue and return a kmsg.
- */
-
-ipc_kmsg_t
-ipc_kmsg_dequeue(
-       ipc_kmsg_queue_t        queue)
+static void
+ikm_chunk_sig(
+       __unused ipc_kmsg_t kmsg,
+       void *data,
+       size_t len,
+       ikm_sig_scratch_t *scratchp)
 {
 {
-       ipc_kmsg_t first;
+       SHA256_Update(scratchp, data, len);
+}
 
 
-       first = ipc_kmsg_queue_first(queue);
+static uintptr_t
+ikm_finalize_sig(
+       __unused ipc_kmsg_t kmsg,
+       ikm_sig_scratch_t *scratchp)
+{
+       uintptr_t sha_digest[SHA256_DIGEST_LENGTH / sizeof(uintptr_t)];
 
 
-       if (first != IKM_NULL)
-               ipc_kmsg_rmqueue_first_macro(queue, first);
+       SHA256_Final((uint8_t *)sha_digest, scratchp);
 
 
-       return first;
+       /*
+        * Only use one uintptr_t sized part of result for space and compat reasons.
+        * Truncation is better than XOR'ing the chunks together in hopes of higher
+        * entropy - because of its lower risk of collisions.
+        */
+       return *sha_digest;
 }
 
 }
 
-/*
- *     Routine:        ipc_kmsg_rmqueue
- *     Purpose:
- *             Pull a kmsg out of a queue.
- */
+#else
+/* Stubbed out implementation (for __x86_64__, __arm__ for now) */
 
 
-void
-ipc_kmsg_rmqueue(
-       ipc_kmsg_queue_t        queue,
-       ipc_kmsg_t              kmsg)
+typedef uintptr_t ikm_sig_scratch_t;
+
+static void
+ikm_init_sig(
+       __unused ipc_kmsg_t kmsg,
+       ikm_sig_scratch_t *scratchp)
 {
 {
-       ipc_kmsg_t next, prev;
+       *scratchp = 0;
+}
 
 
-       assert(queue->ikmq_base != IKM_NULL);
+static void
+ikm_chunk_sig(
+       __unused ipc_kmsg_t kmsg,
+       __unused void *data,
+       __unused size_t len,
+       __unused ikm_sig_scratch_t *scratchp)
+{
+       return;
+}
 
 
-       next = kmsg->ikm_next;
-       prev = kmsg->ikm_prev;
+static uintptr_t
+ikm_finalize_sig(
+       __unused ipc_kmsg_t kmsg,
+       ikm_sig_scratch_t *scratchp)
+{
+       return *scratchp;
+}
 
 
-       if (next == kmsg) {
-               assert(prev == kmsg);
-               assert(queue->ikmq_base == kmsg);
+#endif
 
 
-               queue->ikmq_base = IKM_NULL;
+static void
+ikm_header_sig(
+       ipc_kmsg_t kmsg,
+       ikm_sig_scratch_t *scratchp)
+{
+       mach_msg_size_t dsc_count;
+       mach_msg_base_t base;
+       boolean_t complex;
+
+       /* take a snapshot of the message header/body-count */
+       base.header = *kmsg->ikm_header;
+       complex = ((base.header.msgh_bits & MACH_MSGH_BITS_COMPLEX) != 0);
+       if (complex) {
+               dsc_count = ((mach_msg_body_t *)(kmsg->ikm_header + 1))->msgh_descriptor_count;
        } else {
        } else {
-               if (queue->ikmq_base == kmsg)
-                       queue->ikmq_base = next;
-
-               next->ikm_prev = prev;
-               prev->ikm_next = next;
+               dsc_count = 0;
        }
        }
-       /* XXX Temporary debug logic */
-       assert(kmsg->ikm_next = IKM_BOGUS);
-       assert(kmsg->ikm_prev = IKM_BOGUS);
-}
+       base.body.msgh_descriptor_count = dsc_count;
 
 
-/*
- *     Routine:        ipc_kmsg_queue_next
- *     Purpose:
- *             Return the kmsg following the given kmsg.
- *             (Or IKM_NULL if it is the last one in the queue.)
- */
+       /* compute sig of a copy of the header with all varying bits masked off */
+       base.header.msgh_bits &= MACH_MSGH_BITS_USER;
+       base.header.msgh_bits &= ~MACH_MSGH_BITS_VOUCHER_MASK;
+       ikm_chunk_sig(kmsg, &base, sizeof(mach_msg_base_t), scratchp);
+}
 
 
-ipc_kmsg_t
-ipc_kmsg_queue_next(
-       ipc_kmsg_queue_t        queue,
-       ipc_kmsg_t              kmsg)
+static void
+ikm_trailer_sig(
+       ipc_kmsg_t kmsg,
+       ikm_sig_scratch_t *scratchp)
 {
 {
-       ipc_kmsg_t next;
+       mach_msg_max_trailer_t *trailerp;
 
 
-       assert(queue->ikmq_base != IKM_NULL);
+       /* Add sig of the trailer contents */
+       trailerp = (mach_msg_max_trailer_t *)
+           ((vm_offset_t)kmsg->ikm_header +
+           mach_round_msg(kmsg->ikm_header->msgh_size));
+       ikm_chunk_sig(kmsg, trailerp, sizeof(*trailerp), scratchp);
+}
 
 
-       next = kmsg->ikm_next;
-       if (queue->ikmq_base == next)
-               next = IKM_NULL;
+/* Compute the signature for the body bits of a message */
+static void
+ikm_body_sig(
+       ipc_kmsg_t        kmsg,
+       ikm_sig_scratch_t *scratchp)
+{
+       mach_msg_descriptor_t *kern_dsc;
+       mach_msg_size_t dsc_count;
+       mach_msg_body_t *body;
+       mach_msg_size_t i;
 
 
-       return next;
-}
+       if ((kmsg->ikm_header->msgh_bits & MACH_MSGH_BITS_COMPLEX) == 0) {
+               return;
+       }
+       body = (mach_msg_body_t *) (kmsg->ikm_header + 1);
+       dsc_count = body->msgh_descriptor_count;
 
 
-/*
- *     Routine:        ipc_kmsg_destroy
- *     Purpose:
- *             Destroys a kernel message.  Releases all rights,
- *             references, and memory held by the message.
- *             Frees the message.
- *     Conditions:
- *             No locks held.
- */
+       if (dsc_count == 0) {
+               return;
+       }
 
 
-void
-ipc_kmsg_destroy(
-       ipc_kmsg_t      kmsg)
-{
-       ipc_kmsg_queue_t queue;
-       boolean_t empty;
+       kern_dsc = (mach_msg_descriptor_t *) (body + 1);
 
 
-       /*
-        *      ipc_kmsg_clean can cause more messages to be destroyed.
-        *      Curtail recursion by queueing messages.  If a message
-        *      is already queued, then this is a recursive call.
-        */
+       /* Compute the signature for the whole descriptor array */
+       ikm_chunk_sig(kmsg, kern_dsc, sizeof(*kern_dsc) * dsc_count, scratchp);
 
 
-       queue = &(current_thread()->ith_messages);
-       empty = ipc_kmsg_queue_empty(queue);
-       ipc_kmsg_enqueue(queue, kmsg);
+       /* look for descriptor contents that need a signature */
+       for (i = 0; i < dsc_count; i++) {
+               switch (kern_dsc[i].type.type) {
+               case MACH_MSG_PORT_DESCRIPTOR:
+               case MACH_MSG_GUARDED_PORT_DESCRIPTOR:
+               case MACH_MSG_OOL_VOLATILE_DESCRIPTOR:
+               case MACH_MSG_OOL_DESCRIPTOR:
+                       break;
 
 
-       if (empty) {
-               /* must leave kmsg in queue while cleaning it */
+               case MACH_MSG_OOL_PORTS_DESCRIPTOR: {
+                       mach_msg_ool_ports_descriptor_t *ports_dsc;
 
 
-               while ((kmsg = ipc_kmsg_queue_first(queue)) != IKM_NULL) {
-                       ipc_kmsg_clean(kmsg);
-                       ipc_kmsg_rmqueue(queue, kmsg);
-                       ipc_kmsg_free(kmsg);
+                       /* Compute sig for the port/object pointers */
+                       ports_dsc = (mach_msg_ool_ports_descriptor_t *)&kern_dsc[i];
+                       ikm_chunk_sig(kmsg, ports_dsc->address, ports_dsc->count * sizeof(ipc_object_t), scratchp);
+                       break;
+               }
+               default: {
+                       panic("ipc_kmsg_body_sig: invalid message descriptor");
+               }
                }
        }
 }
 
                }
        }
 }
 
-/*
- *     Routine:        ipc_kmsg_destroy_dest
- *     Purpose:
- *             Destroys a kernel message.  Releases all rights,
- *             references, and memory held by the message (including
- *             the destination port reference.
- *             Frees the message.
- *     Conditions:
- *             No locks held.
- */
-
-ipc_kmsg_destroy_dest(
+static void
+ikm_sign(
        ipc_kmsg_t kmsg)
 {
        ipc_kmsg_t kmsg)
 {
-    ipc_port_t port;
-       
-    port = kmsg->ikm_header.msgh_remote_port;
+       ikm_sig_scratch_t scratch;
+       uintptr_t sig;
+
+       zone_require(ipc_kmsg_zone, kmsg);
+
+       ikm_init_sig(kmsg, &scratch);
+
+       ikm_header_sig(kmsg, &scratch);
+#if IKM_PARTIAL_SIG
+       /* save off partial signature for just header */
+       sig = ikm_finalize_sig(kmsg, &scratch);
+       kmsg->ikm_header_sig = sig;
+#endif
+
+       ikm_trailer_sig(kmsg, &scratch);
+#if IKM_PARTIAL_SIG
+       /* save off partial signature for header+trailer */
+       sig = ikm_finalize_sig(kmsg, &scratch);
+       kmsg->ikm_headtrail_sig = sig;
+#endif
+
+       ikm_body_sig(kmsg, &scratch);
+       sig = ikm_finalize_sig(kmsg, &scratch);
+       kmsg->ikm_signature = sig;
+}
+
+unsigned int ikm_signature_failures;
+unsigned int ikm_signature_failure_id;
+#if (DEVELOPMENT || DEBUG)
+unsigned int ikm_signature_panic_disable;
+unsigned int ikm_signature_header_failures;
+unsigned int ikm_signature_trailer_failures;
+#endif
 
 
-    ipc_port_release(port);
-    kmsg->ikm_header.msgh_remote_port = MACH_PORT_NULL;
-    ipc_kmsg_destroy(kmsg);
+static void
+ikm_validate_sig(
+       ipc_kmsg_t kmsg)
+{
+       ikm_sig_scratch_t scratch;
+       uintptr_t expected;
+       uintptr_t sig;
+       char *str;
+
+       zone_require(ipc_kmsg_zone, kmsg);
+
+       ikm_init_sig(kmsg, &scratch);
+
+       ikm_header_sig(kmsg, &scratch);
+#if IKM_PARTIAL_SIG
+       /* Do partial evaluation of just the header signature */
+       sig = ikm_finalize_sig(kmsg, &scratch);
+       expected = kmsg->ikm_header_sig;
+       if (sig != expected) {
+               ikm_signature_header_failures++;
+               str = "header";
+               goto failure;
+       }
+#endif
+
+       ikm_trailer_sig(kmsg, &scratch);
+#if IKM_PARTIAL_SIG
+       /* Do partial evaluation of header+trailer signature */
+       sig = ikm_finalize_sig(kmsg, &scratch);
+       expected = kmsg->ikm_headtrail_sig;
+       if (sig != expected) {
+               ikm_signature_trailer_failures++;
+               str = "trailer";
+               goto failure;
+       }
+#endif
+
+       ikm_body_sig(kmsg, &scratch);
+       sig = ikm_finalize_sig(kmsg, &scratch);
+
+       expected = kmsg->ikm_signature;
+       if (sig != expected) {
+               ikm_signature_failures++;
+               str = "full";
+
+#if IKM_PARTIAL_SIG
+failure:
+#endif
+               {
+                       mach_msg_id_t id = kmsg->ikm_header->msgh_id;
+
+                       ikm_signature_failure_id = id;
+#if (DEVELOPMENT || DEBUG)
+                       if (ikm_signature_panic_disable) {
+                               return;
+                       }
+#endif
+                       panic("ikm_validate_sig: %s signature mismatch: kmsg=0x%p, id=%d, sig=0x%zx (expected 0x%zx)",
+                           str, kmsg, id, sig, expected);
+               }
+       }
 }
 
 }
 
+#if DEBUG_MSGS_K64
+extern void ipc_pset_print64(
+       ipc_pset_t      pset);
+
+extern void     ipc_kmsg_print64(
+       ipc_kmsg_t      kmsg,
+       const char      *str);
+
+extern void     ipc_msg_print64(
+       mach_msg_header_t       *msgh);
+
+extern ipc_port_t ipc_name_to_data64(
+       task_t                  task,
+       mach_port_name_t        name);
+
 /*
 /*
- *     Routine:        ipc_kmsg_clean_body
- *     Purpose:
- *             Cleans the body of a kernel message.
- *             Releases all rights, references, and memory.
- *
- *     Conditions:
- *             No locks held.
+ * Forward declarations
  */
  */
+void ipc_msg_print_untyped64(
+       mach_msg_body_t         *body);
 
 
-void
-ipc_kmsg_clean_body(
-       ipc_kmsg_t      kmsg,
-       mach_msg_type_number_t  number)
-{
-    mach_msg_descriptor_t      *saddr, *eaddr;
+const char * ipc_type_name64(
+       int             type_name,
+       boolean_t       received);
 
 
-    if ( number == 0 )
-       return;
+void ipc_print_type_name64(
+       int     type_name);
 
 
-    saddr = (mach_msg_descriptor_t *) 
-                       ((mach_msg_base_t *) &kmsg->ikm_header + 1);
-    eaddr = saddr + number;
+const char *
+msgh_bit_decode64(
+       mach_msg_bits_t bit);
 
 
-    for ( ; saddr < eaddr; saddr++ ) {
-       
-       switch (saddr->type.type) {
-           
-           case MACH_MSG_PORT_DESCRIPTOR: {
-               mach_msg_port_descriptor_t *dsc;
+const char *
+mm_copy_options_string64(
+       mach_msg_copy_options_t option);
 
 
-               dsc = &saddr->port;
+void db_print_msg_uid64(mach_msg_header_t *);
 
 
-               /* 
-                * Destroy port rights carried in the message 
-                */
-               if (!IO_VALID((ipc_object_t) dsc->name))
-                   continue;
-               ipc_object_destroy((ipc_object_t) dsc->name, dsc->disposition);
-               break;
-           }
-           case MACH_MSG_OOL_VOLATILE_DESCRIPTOR:
-           case MACH_MSG_OOL_DESCRIPTOR : {
-               mach_msg_ool_descriptor_t *dsc;
-
-               dsc = &saddr->out_of_line;
-               
-               /* 
-                * Destroy memory carried in the message 
-                */
-               if (dsc->size == 0) {
-                       assert(dsc->address == (void *) 0);
-               } else {
-                       vm_map_copy_discard((vm_map_copy_t) dsc->address);
+static void
+ipc_msg_body_print64(void *body, int size)
+{
+       uint32_t        *word = (uint32_t *) body;
+       uint32_t        *end  = (uint32_t *)(((uintptr_t) body) + size
+           - sizeof(mach_msg_header_t));
+       int             i;
+
+       kprintf("  body(%p-%p):\n    %p: ", body, end, word);
+       for (;;) {
+               for (i = 0; i < 8; i++, word++) {
+                       if (word >= end) {
+                               kprintf("\n");
+                               return;
+                       }
+                       kprintf("%08x ", *word);
                }
                }
-               break;
-           }
-           case MACH_MSG_OOL_PORTS_DESCRIPTOR : {
-               ipc_object_t                    *objects;
-               mach_msg_type_number_t          j;
-               mach_msg_ool_ports_descriptor_t *dsc;
+               kprintf("\n    %p: ", word);
+       }
+}
 
 
-               dsc = &saddr->ool_ports;
-               objects = (ipc_object_t *) dsc->address;
 
 
-               if (dsc->count == 0) {
-                       break;
+const char *
+ipc_type_name64(
+       int             type_name,
+       boolean_t       received)
+{
+       switch (type_name) {
+       case MACH_MSG_TYPE_PORT_NAME:
+               return "port_name";
+
+       case MACH_MSG_TYPE_MOVE_RECEIVE:
+               if (received) {
+                       return "port_receive";
+               } else {
+                       return "move_receive";
                }
 
                }
 
-               assert(objects != (ipc_object_t *) 0);
-               
-               /* destroy port rights carried in the message */
-               
-               for (j = 0; j < dsc->count; j++) {
-                   ipc_object_t object = objects[j];
-                   
-                   if (!IO_VALID(object))
-                       continue;
-                   
-                   ipc_object_destroy(object, dsc->disposition);
+       case MACH_MSG_TYPE_MOVE_SEND:
+               if (received) {
+                       return "port_send";
+               } else {
+                       return "move_send";
+               }
+
+       case MACH_MSG_TYPE_MOVE_SEND_ONCE:
+               if (received) {
+                       return "port_send_once";
+               } else {
+                       return "move_send_once";
                }
 
                }
 
-               /* destroy memory carried in the message */
+       case MACH_MSG_TYPE_COPY_SEND:
+               return "copy_send";
+
+       case MACH_MSG_TYPE_MAKE_SEND:
+               return "make_send";
 
 
-               assert(dsc->count != 0);
+       case MACH_MSG_TYPE_MAKE_SEND_ONCE:
+               return "make_send_once";
 
 
-               kfree((vm_offset_t) dsc->address, 
-                    (vm_size_t) dsc->count * sizeof(mach_port_name_t));
-               break;
-           }
-           default : {
-               printf("cleanup: don't understand this type of descriptor\n");
-           }
+       default:
+               return (char *) 0;
+       }
+}
+
+void
+ipc_print_type_name64(
+       int     type_name)
+{
+       const char *name = ipc_type_name64(type_name, TRUE);
+       if (name) {
+               kprintf("%s", name);
+       } else {
+               kprintf("type%d", type_name);
        }
        }
-    }
 }
 
 /*
 }
 
 /*
- *     Routine:        ipc_kmsg_clean_partial
+ * ipc_kmsg_print64    [ debug ]
+ */
+void
+ipc_kmsg_print64(
+       ipc_kmsg_t      kmsg,
+       const char      *str)
+{
+       kprintf("%s kmsg=%p:\n", str, kmsg);
+       kprintf("  next=%p, prev=%p, size=%d",
+           kmsg->ikm_next,
+           kmsg->ikm_prev,
+           kmsg->ikm_size);
+       kprintf("\n");
+       ipc_msg_print64(kmsg->ikm_header);
+}
+
+const char *
+msgh_bit_decode64(
+       mach_msg_bits_t bit)
+{
+       switch (bit) {
+       case MACH_MSGH_BITS_COMPLEX:        return "complex";
+       case MACH_MSGH_BITS_CIRCULAR:       return "circular";
+       default:                            return (char *) 0;
+       }
+}
+
+/*
+ * ipc_msg_print64     [ debug ]
+ */
+void
+ipc_msg_print64(
+       mach_msg_header_t       *msgh)
+{
+       mach_msg_bits_t mbits;
+       unsigned int    bit, i;
+       const char      *bit_name;
+       int             needs_comma;
+
+       mbits = msgh->msgh_bits;
+       kprintf("  msgh_bits=0x%x: l=0x%x,r=0x%x\n",
+           mbits,
+           MACH_MSGH_BITS_LOCAL(msgh->msgh_bits),
+           MACH_MSGH_BITS_REMOTE(msgh->msgh_bits));
+
+       mbits = MACH_MSGH_BITS_OTHER(mbits) & MACH_MSGH_BITS_USED;
+       kprintf("  decoded bits:  ");
+       needs_comma = 0;
+       for (i = 0, bit = 1; i < sizeof(mbits) * 8; ++i, bit <<= 1) {
+               if ((mbits & bit) == 0) {
+                       continue;
+               }
+               bit_name = msgh_bit_decode64((mach_msg_bits_t)bit);
+               if (bit_name) {
+                       kprintf("%s%s", needs_comma ? "," : "", bit_name);
+               } else {
+                       kprintf("%sunknown(0x%x),", needs_comma ? "," : "", bit);
+               }
+               ++needs_comma;
+       }
+       if (msgh->msgh_bits & ~MACH_MSGH_BITS_USED) {
+               kprintf("%sunused=0x%x,", needs_comma ? "," : "",
+                   msgh->msgh_bits & ~MACH_MSGH_BITS_USED);
+       }
+       kprintf("\n");
+
+       needs_comma = 1;
+       if (msgh->msgh_remote_port) {
+               kprintf("  remote=%p(", msgh->msgh_remote_port);
+               ipc_print_type_name64(MACH_MSGH_BITS_REMOTE(msgh->msgh_bits));
+               kprintf(")");
+       } else {
+               kprintf("  remote=null");
+       }
+
+       if (msgh->msgh_local_port) {
+               kprintf("%slocal=%p(", needs_comma ? "," : "",
+                   msgh->msgh_local_port);
+               ipc_print_type_name64(MACH_MSGH_BITS_LOCAL(msgh->msgh_bits));
+               kprintf(")\n");
+       } else {
+               kprintf("local=null\n");
+       }
+
+       kprintf("  msgh_id=%d, size=%d\n",
+           msgh->msgh_id,
+           msgh->msgh_size);
+
+       if (mbits & MACH_MSGH_BITS_COMPLEX) {
+               ipc_msg_print_untyped64((mach_msg_body_t *) (msgh + 1));
+       }
+
+       ipc_msg_body_print64((void *)(msgh + 1), msgh->msgh_size);
+}
+
+
+const char *
+mm_copy_options_string64(
+       mach_msg_copy_options_t option)
+{
+       const char      *name;
+
+       switch (option) {
+       case MACH_MSG_PHYSICAL_COPY:
+               name = "PHYSICAL";
+               break;
+       case MACH_MSG_VIRTUAL_COPY:
+               name = "VIRTUAL";
+               break;
+       case MACH_MSG_OVERWRITE:
+               name = "OVERWRITE(DEPRECATED)";
+               break;
+       case MACH_MSG_ALLOCATE:
+               name = "ALLOCATE";
+               break;
+       case MACH_MSG_KALLOC_COPY_T:
+               name = "KALLOC_COPY_T";
+               break;
+       default:
+               name = "unknown";
+               break;
+       }
+       return name;
+}
+
+void
+ipc_msg_print_untyped64(
+       mach_msg_body_t         *body)
+{
+       mach_msg_descriptor_t       *saddr, *send;
+       mach_msg_descriptor_type_t  type;
+
+       kprintf("  %d descriptors: \n", body->msgh_descriptor_count);
+
+       saddr = (mach_msg_descriptor_t *) (body + 1);
+       send = saddr + body->msgh_descriptor_count;
+
+       for (; saddr < send; saddr++) {
+               type = saddr->type.type;
+
+               switch (type) {
+               case MACH_MSG_PORT_DESCRIPTOR: {
+                       mach_msg_port_descriptor_t *dsc;
+
+                       dsc = &saddr->port;
+                       kprintf("    PORT name = %p disp = ", dsc->name);
+                       ipc_print_type_name64(dsc->disposition);
+                       kprintf("\n");
+                       break;
+               }
+               case MACH_MSG_OOL_VOLATILE_DESCRIPTOR:
+               case MACH_MSG_OOL_DESCRIPTOR: {
+                       mach_msg_ool_descriptor_t *dsc;
+
+                       dsc = (mach_msg_ool_descriptor_t *) &saddr->out_of_line;
+                       kprintf("    OOL%s addr = %p size = 0x%x copy = %s %s\n",
+                           type == MACH_MSG_OOL_DESCRIPTOR ? "" : " VOLATILE",
+                           dsc->address, dsc->size,
+                           mm_copy_options_string64(dsc->copy),
+                           dsc->deallocate ? "DEALLOC" : "");
+                       break;
+               }
+               case MACH_MSG_OOL_PORTS_DESCRIPTOR: {
+                       mach_msg_ool_ports_descriptor_t *dsc;
+
+                       dsc = (mach_msg_ool_ports_descriptor_t *) &saddr->ool_ports;
+
+                       kprintf("    OOL_PORTS addr = %p count = 0x%x ",
+                           dsc->address, dsc->count);
+                       kprintf("disp = ");
+                       ipc_print_type_name64(dsc->disposition);
+                       kprintf(" copy = %s %s\n",
+                           mm_copy_options_string64(dsc->copy),
+                           dsc->deallocate ? "DEALLOC" : "");
+                       break;
+               }
+               case MACH_MSG_GUARDED_PORT_DESCRIPTOR: {
+                       mach_msg_guarded_port_descriptor_t *dsc;
+
+                       dsc = (mach_msg_guarded_port_descriptor_t *)&saddr->guarded_port;
+                       kprintf("    GUARDED_PORT name = %p flags = 0x%x disp = ", dsc->name, dsc->flags);
+                       ipc_print_type_name64(dsc->disposition);
+                       kprintf("\n");
+                       break;
+               }
+               default: {
+                       kprintf("    UNKNOWN DESCRIPTOR 0x%x\n", type);
+                       break;
+               }
+               }
+       }
+}
+
+#define DEBUG_IPC_KMSG_PRINT(kmsg, string)       \
+       __unreachable_ok_push   \
+       if (DEBUG_KPRINT_SYSCALL_PREDICATE(DEBUG_KPRINT_SYSCALL_IPC_MASK)) {    \
+               ipc_kmsg_print64(kmsg, string); \
+       }       \
+       __unreachable_ok_pop
+
+#define DEBUG_IPC_MSG_BODY_PRINT(body, size)     \
+       __unreachable_ok_push   \
+       if (DEBUG_KPRINT_SYSCALL_PREDICATE(DEBUG_KPRINT_SYSCALL_IPC_MASK)) {    \
+               ipc_msg_body_print64(body,size);\
+       }       \
+       __unreachable_ok_pop
+#else /* !DEBUG_MSGS_K64 */
+#define DEBUG_IPC_KMSG_PRINT(kmsg, string)
+#define DEBUG_IPC_MSG_BODY_PRINT(body, size)
+#endif  /* !DEBUG_MSGS_K64 */
+
+extern vm_map_t         ipc_kernel_copy_map;
+extern vm_size_t        ipc_kmsg_max_space;
+extern const vm_size_t  ipc_kmsg_max_vm_space;
+extern const vm_size_t  ipc_kmsg_max_body_space;
+extern vm_size_t        msg_ool_size_small;
+
+#define MSG_OOL_SIZE_SMALL      msg_ool_size_small
+
+#if defined(__LP64__)
+#define MAP_SIZE_DIFFERS(map)   (map->max_offset < MACH_VM_MAX_ADDRESS)
+#define OTHER_OOL_DESCRIPTOR    mach_msg_ool_descriptor32_t
+#define OTHER_OOL_PORTS_DESCRIPTOR      mach_msg_ool_ports_descriptor32_t
+#else
+#define MAP_SIZE_DIFFERS(map)   (map->max_offset > VM_MAX_ADDRESS)
+#define OTHER_OOL_DESCRIPTOR    mach_msg_ool_descriptor64_t
+#define OTHER_OOL_PORTS_DESCRIPTOR      mach_msg_ool_ports_descriptor64_t
+#endif
+
+#define DESC_SIZE_ADJUSTMENT    ((mach_msg_size_t)(sizeof(mach_msg_ool_descriptor64_t) - \
+                                sizeof(mach_msg_ool_descriptor32_t)))
+
+/* scatter list macros */
+
+#define SKIP_PORT_DESCRIPTORS(s, c)                                     \
+MACRO_BEGIN                                                             \
+       if ((s) != MACH_MSG_DESCRIPTOR_NULL) {                          \
+               while ((c) > 0) {                                       \
+                       if ((s)->type.type != MACH_MSG_PORT_DESCRIPTOR) \
+                               break;                                  \
+                       (s)++; (c)--;                                   \
+               }                                                       \
+               if (c == 0)                                             \
+                       (s) = MACH_MSG_DESCRIPTOR_NULL;                 \
+       }                                                               \
+MACRO_END
+
+#define INCREMENT_SCATTER(s, c, d)                                      \
+MACRO_BEGIN                                                             \
+       if ((s) != MACH_MSG_DESCRIPTOR_NULL) {                          \
+           s = (d) ? (mach_msg_descriptor_t *)                         \
+               ((OTHER_OOL_DESCRIPTOR *)(s) + 1) :                     \
+               (s + 1);                                                \
+               (c)--;                                                  \
+       }                                                               \
+MACRO_END
+
+#define KMSG_TRACE_FLAG_TRACED     0x000001
+#define KMSG_TRACE_FLAG_COMPLEX    0x000002
+#define KMSG_TRACE_FLAG_OOLMEM     0x000004
+#define KMSG_TRACE_FLAG_VCPY       0x000008
+#define KMSG_TRACE_FLAG_PCPY       0x000010
+#define KMSG_TRACE_FLAG_SND64      0x000020
+#define KMSG_TRACE_FLAG_RAISEIMP   0x000040
+#define KMSG_TRACE_FLAG_APP_SRC    0x000080
+#define KMSG_TRACE_FLAG_APP_DST    0x000100
+#define KMSG_TRACE_FLAG_DAEMON_SRC 0x000200
+#define KMSG_TRACE_FLAG_DAEMON_DST 0x000400
+#define KMSG_TRACE_FLAG_DST_NDFLTQ 0x000800
+#define KMSG_TRACE_FLAG_SRC_NDFLTQ 0x001000
+#define KMSG_TRACE_FLAG_DST_SONCE  0x002000
+#define KMSG_TRACE_FLAG_SRC_SONCE  0x004000
+#define KMSG_TRACE_FLAG_CHECKIN    0x008000
+#define KMSG_TRACE_FLAG_ONEWAY     0x010000
+#define KMSG_TRACE_FLAG_IOKIT      0x020000
+#define KMSG_TRACE_FLAG_SNDRCV     0x040000
+#define KMSG_TRACE_FLAG_DSTQFULL   0x080000
+#define KMSG_TRACE_FLAG_VOUCHER    0x100000
+#define KMSG_TRACE_FLAG_TIMER      0x200000
+#define KMSG_TRACE_FLAG_SEMA       0x400000
+#define KMSG_TRACE_FLAG_DTMPOWNER  0x800000
+#define KMSG_TRACE_FLAG_GUARDED_DESC 0x1000000
+
+#define KMSG_TRACE_FLAGS_MASK      0x1ffffff
+#define KMSG_TRACE_FLAGS_SHIFT     8
+
+#define KMSG_TRACE_PORTS_MASK      0xff
+#define KMSG_TRACE_PORTS_SHIFT     0
+
+#if (KDEBUG_LEVEL >= KDEBUG_LEVEL_STANDARD)
+#include <stdint.h>
+
+void
+ipc_kmsg_trace_send(ipc_kmsg_t kmsg,
+    mach_msg_option_t option)
+{
+       task_t send_task = TASK_NULL;
+       ipc_port_t dst_port, src_port;
+       boolean_t is_task_64bit;
+       mach_msg_header_t *msg;
+       mach_msg_trailer_t *trailer;
+
+       int kotype = 0;
+       uint32_t msg_size = 0;
+       uint64_t msg_flags = KMSG_TRACE_FLAG_TRACED;
+       uint32_t num_ports = 0;
+       uint32_t send_pid, dst_pid;
+
+       /*
+        * check to see not only if ktracing is enabled, but if we will
+        * _actually_ emit the KMSG_INFO tracepoint. This saves us a
+        * significant amount of processing (and a port lock hold) in
+        * the non-tracing case.
+        */
+       if (__probable((kdebug_enable & KDEBUG_TRACE) == 0)) {
+               return;
+       }
+       if (!kdebug_debugid_enabled(MACHDBG_CODE(DBG_MACH_IPC, MACH_IPC_KMSG_INFO))) {
+               return;
+       }
+
+       msg = kmsg->ikm_header;
+
+       dst_port = msg->msgh_remote_port;
+       if (!IPC_PORT_VALID(dst_port)) {
+               return;
+       }
+
+       /*
+        * Message properties / options
+        */
+       if ((option & (MACH_SEND_MSG | MACH_RCV_MSG)) == (MACH_SEND_MSG | MACH_RCV_MSG)) {
+               msg_flags |= KMSG_TRACE_FLAG_SNDRCV;
+       }
+
+       if (msg->msgh_id >= is_iokit_subsystem.start &&
+           msg->msgh_id < is_iokit_subsystem.end + 100) {
+               msg_flags |= KMSG_TRACE_FLAG_IOKIT;
+       }
+       /* magic XPC checkin message id (XPC_MESSAGE_ID_CHECKIN) from libxpc */
+       else if (msg->msgh_id == 0x77303074u /* w00t */) {
+               msg_flags |= KMSG_TRACE_FLAG_CHECKIN;
+       }
+
+       if (msg->msgh_bits & MACH_MSGH_BITS_RAISEIMP) {
+               msg_flags |= KMSG_TRACE_FLAG_RAISEIMP;
+       }
+
+       if (unsafe_convert_port_to_voucher(kmsg->ikm_voucher)) {
+               msg_flags |= KMSG_TRACE_FLAG_VOUCHER;
+       }
+
+       /*
+        * Sending task / port
+        */
+       send_task = current_task();
+       send_pid = task_pid(send_task);
+
+       if (send_pid != 0) {
+               if (task_is_daemon(send_task)) {
+                       msg_flags |= KMSG_TRACE_FLAG_DAEMON_SRC;
+               } else if (task_is_app(send_task)) {
+                       msg_flags |= KMSG_TRACE_FLAG_APP_SRC;
+               }
+       }
+
+       is_task_64bit = (send_task->map->max_offset > VM_MAX_ADDRESS);
+       if (is_task_64bit) {
+               msg_flags |= KMSG_TRACE_FLAG_SND64;
+       }
+
+       src_port = msg->msgh_local_port;
+       if (src_port) {
+               if (src_port->ip_messages.imq_qlimit != MACH_PORT_QLIMIT_DEFAULT) {
+                       msg_flags |= KMSG_TRACE_FLAG_SRC_NDFLTQ;
+               }
+               switch (MACH_MSGH_BITS_LOCAL(msg->msgh_bits)) {
+               case MACH_MSG_TYPE_MOVE_SEND_ONCE:
+                       msg_flags |= KMSG_TRACE_FLAG_SRC_SONCE;
+                       break;
+               default:
+                       break;
+               }
+       } else {
+               msg_flags |= KMSG_TRACE_FLAG_ONEWAY;
+       }
+
+
+       /*
+        * Destination task / port
+        */
+       ip_lock(dst_port);
+       if (!ip_active(dst_port)) {
+               /* dst port is being torn down */
+               dst_pid = (uint32_t)0xfffffff0;
+       } else if (dst_port->ip_tempowner) {
+               msg_flags |= KMSG_TRACE_FLAG_DTMPOWNER;
+               if (IIT_NULL != dst_port->ip_imp_task) {
+                       dst_pid = task_pid(dst_port->ip_imp_task->iit_task);
+               } else {
+                       dst_pid = (uint32_t)0xfffffff1;
+               }
+       } else if (dst_port->ip_receiver_name == MACH_PORT_NULL) {
+               /* dst_port is otherwise in-transit */
+               dst_pid = (uint32_t)0xfffffff2;
+       } else {
+               if (dst_port->ip_receiver == ipc_space_kernel) {
+                       dst_pid = 0;
+               } else {
+                       ipc_space_t dst_space;
+                       dst_space = dst_port->ip_receiver;
+                       if (dst_space && is_active(dst_space)) {
+                               dst_pid = task_pid(dst_space->is_task);
+                               if (task_is_daemon(dst_space->is_task)) {
+                                       msg_flags |= KMSG_TRACE_FLAG_DAEMON_DST;
+                               } else if (task_is_app(dst_space->is_task)) {
+                                       msg_flags |= KMSG_TRACE_FLAG_APP_DST;
+                               }
+                       } else {
+                               /* receiving task is being torn down */
+                               dst_pid = (uint32_t)0xfffffff3;
+                       }
+               }
+       }
+
+       if (dst_port->ip_messages.imq_qlimit != MACH_PORT_QLIMIT_DEFAULT) {
+               msg_flags |= KMSG_TRACE_FLAG_DST_NDFLTQ;
+       }
+       if (imq_full(&dst_port->ip_messages)) {
+               msg_flags |= KMSG_TRACE_FLAG_DSTQFULL;
+       }
+
+       kotype = ip_kotype(dst_port);
+
+       ip_unlock(dst_port);
+
+       switch (kotype) {
+       case IKOT_SEMAPHORE:
+               msg_flags |= KMSG_TRACE_FLAG_SEMA;
+               break;
+       case IKOT_TIMER:
+       case IKOT_CLOCK:
+               msg_flags |= KMSG_TRACE_FLAG_TIMER;
+               break;
+       case IKOT_MASTER_DEVICE:
+       case IKOT_IOKIT_CONNECT:
+       case IKOT_IOKIT_OBJECT:
+       case IKOT_IOKIT_IDENT:
+       case IKOT_UEXT_OBJECT:
+               msg_flags |= KMSG_TRACE_FLAG_IOKIT;
+               break;
+       default:
+               break;
+       }
+
+       switch (MACH_MSGH_BITS_REMOTE(msg->msgh_bits)) {
+       case MACH_MSG_TYPE_PORT_SEND_ONCE:
+               msg_flags |= KMSG_TRACE_FLAG_DST_SONCE;
+               break;
+       default:
+               break;
+       }
+
+
+       /*
+        * Message size / content
+        */
+       msg_size = msg->msgh_size - sizeof(mach_msg_header_t);
+
+       if (msg->msgh_bits & MACH_MSGH_BITS_COMPLEX) {
+               mach_msg_body_t *msg_body;
+               mach_msg_descriptor_t *kern_dsc;
+               int dsc_count;
+
+               msg_flags |= KMSG_TRACE_FLAG_COMPLEX;
+
+               msg_body = (mach_msg_body_t *)(kmsg->ikm_header + 1);
+               dsc_count = (int)msg_body->msgh_descriptor_count;
+               kern_dsc = (mach_msg_descriptor_t *)(msg_body + 1);
+
+               /* this is gross: see ipc_kmsg_copyin_body()... */
+               if (!is_task_64bit) {
+                       msg_size -= (dsc_count * 12);
+               }
+
+               for (int i = 0; i < dsc_count; i++) {
+                       switch (kern_dsc[i].type.type) {
+                       case MACH_MSG_PORT_DESCRIPTOR:
+                               num_ports++;
+                               if (is_task_64bit) {
+                                       msg_size -= 12;
+                               }
+                               break;
+                       case MACH_MSG_OOL_VOLATILE_DESCRIPTOR:
+                       case MACH_MSG_OOL_DESCRIPTOR: {
+                               mach_msg_ool_descriptor_t *dsc;
+                               dsc = (mach_msg_ool_descriptor_t *)&kern_dsc[i];
+                               msg_flags |= KMSG_TRACE_FLAG_OOLMEM;
+                               msg_size += dsc->size;
+                               if ((dsc->size >= MSG_OOL_SIZE_SMALL) &&
+                                   (dsc->copy == MACH_MSG_PHYSICAL_COPY) &&
+                                   !dsc->deallocate) {
+                                       msg_flags |= KMSG_TRACE_FLAG_PCPY;
+                               } else if (dsc->size <= MSG_OOL_SIZE_SMALL) {
+                                       msg_flags |= KMSG_TRACE_FLAG_PCPY;
+                               } else {
+                                       msg_flags |= KMSG_TRACE_FLAG_VCPY;
+                               }
+                               if (is_task_64bit) {
+                                       msg_size -= 16;
+                               }
+                       } break;
+                       case MACH_MSG_OOL_PORTS_DESCRIPTOR: {
+                               mach_msg_ool_ports_descriptor_t *dsc;
+                               dsc = (mach_msg_ool_ports_descriptor_t *)&kern_dsc[i];
+                               num_ports += dsc->count;
+                               if (is_task_64bit) {
+                                       msg_size -= 16;
+                               }
+                       } break;
+                       case MACH_MSG_GUARDED_PORT_DESCRIPTOR:
+                               num_ports++;
+                               msg_flags |= KMSG_TRACE_FLAG_GUARDED_DESC;
+                               if (is_task_64bit) {
+                                       msg_size -= 16;
+                               }
+                               break;
+                       default:
+                               break;
+                       }
+               }
+       }
+
+       /*
+        * Trailer contents
+        */
+       trailer = (mach_msg_trailer_t *)((vm_offset_t)msg +
+           (vm_offset_t)mach_round_msg(msg->msgh_size));
+       if (trailer->msgh_trailer_size <= sizeof(mach_msg_security_trailer_t)) {
+               extern const security_token_t KERNEL_SECURITY_TOKEN;
+               mach_msg_security_trailer_t *strailer;
+               strailer = (mach_msg_security_trailer_t *)trailer;
+               /*
+                * verify the sender PID: replies from the kernel often look
+                * like self-talk because the sending port is not reset.
+                */
+               if (memcmp(&strailer->msgh_sender,
+                   &KERNEL_SECURITY_TOKEN,
+                   sizeof(KERNEL_SECURITY_TOKEN)) == 0) {
+                       send_pid = 0;
+                       msg_flags &= ~(KMSG_TRACE_FLAG_APP_SRC | KMSG_TRACE_FLAG_DAEMON_SRC);
+               }
+       }
+
+       KDBG(MACHDBG_CODE(DBG_MACH_IPC, MACH_IPC_KMSG_INFO) | DBG_FUNC_END,
+           (uintptr_t)send_pid,
+           (uintptr_t)dst_pid,
+           (uintptr_t)msg_size,
+           (uintptr_t)(
+                   ((msg_flags & KMSG_TRACE_FLAGS_MASK) << KMSG_TRACE_FLAGS_SHIFT) |
+                   ((num_ports & KMSG_TRACE_PORTS_MASK) << KMSG_TRACE_PORTS_SHIFT)
+                   )
+           );
+}
+#endif
+
+/* zone for cached ipc_kmsg_t structures */
+ZONE_DECLARE(ipc_kmsg_zone, "ipc kmsgs", IKM_SAVED_KMSG_SIZE,
+    ZC_CACHING | ZC_ZFREE_CLEARMEM);
+static TUNABLE(bool, enforce_strict_reply, "ipc_strict_reply", false);
+
+/*
+ * Forward declarations
+ */
+
+void ipc_kmsg_clean(
+       ipc_kmsg_t      kmsg);
+
+void ipc_kmsg_clean_body(
+       ipc_kmsg_t      kmsg,
+       mach_msg_type_number_t  number,
+       mach_msg_descriptor_t   *desc);
+
+void ipc_kmsg_clean_partial(
+       ipc_kmsg_t              kmsg,
+       mach_msg_type_number_t  number,
+       mach_msg_descriptor_t   *desc,
+       vm_offset_t             paddr,
+       vm_size_t               length);
+
+mach_msg_return_t ipc_kmsg_copyin_body(
+       ipc_kmsg_t          kmsg,
+       ipc_space_t         space,
+       vm_map_t            map,
+       mach_msg_option_t   *optionp);
+
+
+static void
+ipc_kmsg_link_reply_context_locked(
+       ipc_port_t reply_port,
+       ipc_port_t voucher_port);
+
+static kern_return_t
+ipc_kmsg_validate_reply_port_locked(
+       ipc_port_t reply_port,
+       mach_msg_option_t options);
+
+static mach_msg_return_t
+ipc_kmsg_validate_reply_context_locked(
+       mach_msg_option_t option,
+       ipc_port_t dest_port,
+       ipc_voucher_t voucher,
+       mach_port_name_t voucher_name);
+
+/* we can't include the BSD <sys/persona.h> header here... */
+#ifndef PERSONA_ID_NONE
+#define PERSONA_ID_NONE ((uint32_t)-1)
+#endif
+
+/*
+ *     We keep a per-processor cache of kernel message buffers.
+ *     The cache saves the overhead/locking of using kalloc/kfree.
+ *     The per-processor cache seems to miss less than a per-thread cache,
+ *     and it also uses less memory.  Access to the cache doesn't
+ *     require locking.
+ */
+
+/*
+ *     Routine:        ikm_set_header
+ *     Purpose:
+ *             Set the header (and data) pointers for a message. If the
+ *      message is small, the data pointer is NULL and all the
+ *      data resides within the fixed
+ *             the cache, that is best.  Otherwise, allocate a new one.
+ *     Conditions:
+ *             Nothing locked.
+ */
+static void
+ikm_set_header(
+       ipc_kmsg_t kmsg,
+       void *data,
+       mach_msg_size_t mtsize)
+{
+       if (data) {
+               kmsg->ikm_data = data;
+               kmsg->ikm_header = (mach_msg_header_t *)(data + kmsg->ikm_size - mtsize);
+       } else {
+               assert(kmsg->ikm_size == IKM_SAVED_MSG_SIZE);
+               kmsg->ikm_header = (mach_msg_header_t *)
+                   ((vm_offset_t)(kmsg + 1) + kmsg->ikm_size - mtsize);
+       }
+}
+
+/*
+ *     Routine:        ipc_kmsg_alloc
+ *     Purpose:
+ *             Allocate a kernel message structure.  If we can get one from
+ *             the cache, that is best.  Otherwise, allocate a new one.
+ *     Conditions:
+ *             Nothing locked.
+ */
+ipc_kmsg_t
+ipc_kmsg_alloc(
+       mach_msg_size_t msg_and_trailer_size)
+{
+       mach_msg_size_t max_expanded_size;
+       ipc_kmsg_t kmsg;
+       void *data;
+
+       /*
+        * LP64support -
+        * Pad the allocation in case we need to expand the
+        * message descriptors for user spaces with pointers larger than
+        * the kernel's own, or vice versa.  We don't know how many descriptors
+        * there are yet, so just assume the whole body could be
+        * descriptors (if there could be any at all).
+        *
+        * The expansion space is left in front of the header,
+        * because it is easier to pull the header and descriptors
+        * forward as we process them than it is to push all the
+        * data backwards.
+        */
+       mach_msg_size_t size = msg_and_trailer_size - MAX_TRAILER_SIZE;
+
+       /* compare against implementation upper limit for the body */
+       if (size > ipc_kmsg_max_body_space) {
+               return IKM_NULL;
+       }
+
+       if (size > sizeof(mach_msg_base_t)) {
+               mach_msg_size_t max_desc = (mach_msg_size_t)(((size - sizeof(mach_msg_base_t)) /
+                   sizeof(mach_msg_ool_descriptor32_t)) *
+                   DESC_SIZE_ADJUSTMENT);
+
+               /* make sure expansion won't cause wrap */
+               if (msg_and_trailer_size > MACH_MSG_SIZE_MAX - max_desc) {
+                       return IKM_NULL;
+               }
+
+               max_expanded_size = msg_and_trailer_size + max_desc;
+       } else {
+               max_expanded_size = msg_and_trailer_size;
+       }
+
+       if (max_expanded_size > IKM_SAVED_MSG_SIZE) {
+               data = kheap_alloc(KHEAP_DATA_BUFFERS, max_expanded_size, Z_WAITOK);
+               if (data == NULL) {
+                       return IKM_NULL;
+               }
+       } else {
+               data = NULL;
+               max_expanded_size = IKM_SAVED_MSG_SIZE;
+       }
+
+       kmsg = zalloc_flags(ipc_kmsg_zone, Z_WAITOK | Z_ZERO | Z_NOFAIL);
+       kmsg->ikm_size = max_expanded_size;
+       ikm_qos_init(kmsg);
+       ikm_set_header(kmsg, data, msg_and_trailer_size);
+       assert((kmsg->ikm_prev = kmsg->ikm_next = IKM_BOGUS));
+
+       return kmsg;
+}
+
+/*
+ *     Routine:        ipc_kmsg_free
+ *     Purpose:
+ *             Free a kernel message buffer.  If the kms is preallocated
+ *             to a port, just "put it back (marked unused)."  We have to
+ *             do this with the port locked.  The port may have its hold
+ *             on our message released.  In that case, we have to just
+ *             revert the message to a traditional one and free it normally.
+ *     Conditions:
+ *             Nothing locked.
+ */
+
+void
+ipc_kmsg_free(
+       ipc_kmsg_t      kmsg)
+{
+       mach_msg_size_t size = kmsg->ikm_size;
+       ipc_port_t port;
+
+       assert(!IP_VALID(kmsg->ikm_voucher));
+
+       KERNEL_DEBUG_CONSTANT(MACHDBG_CODE(DBG_MACH_IPC, MACH_IPC_KMSG_FREE) | DBG_FUNC_NONE,
+           VM_KERNEL_ADDRPERM((uintptr_t)kmsg),
+           0, 0, 0, 0);
+
+       /*
+        * Check to see if the message is bound to the port.  If so,
+        * mark it not in use.  If the port isn't already dead, then
+        * leave the message associated with it.  Otherwise, free it.
+        */
+       if (size == IKM_SAVED_MSG_SIZE) {
+               if ((void *)kmsg->ikm_header < (void *)(kmsg + 1) ||
+                   (void *)kmsg->ikm_header >= (void *)(kmsg + 1) + IKM_SAVED_MSG_SIZE) {
+                       panic("ipc_kmsg_free");
+               }
+               port = ikm_prealloc_inuse_port(kmsg);
+               if (port != IP_NULL) {
+                       ip_lock(port);
+                       ikm_prealloc_clear_inuse(kmsg, port);
+                       if (ip_active(port) && (port->ip_premsg == kmsg)) {
+                               assert(IP_PREALLOC(port));
+                               ip_unlock(port);
+                               ip_release(port);
+                               return;
+                       }
+                       ip_unlock(port);
+                       ip_release(port); /* May be last reference */
+               }
+       } else {
+               void *data = kmsg->ikm_data;
+               if ((void *)kmsg->ikm_header < data ||
+                   (void *)kmsg->ikm_header >= data + size) {
+                       panic("ipc_kmsg_free");
+               }
+               kheap_free(KHEAP_DATA_BUFFERS, data, size);
+       }
+       zfree(ipc_kmsg_zone, kmsg);
+}
+
+
+/*
+ *     Routine:        ipc_kmsg_enqueue
+ *     Purpose:
+ *             Enqueue a kmsg.
+ */
+
+void
+ipc_kmsg_enqueue(
+       ipc_kmsg_queue_t        queue,
+       ipc_kmsg_t              kmsg)
+{
+       ipc_kmsg_t first = queue->ikmq_base;
+       ipc_kmsg_t last;
+
+       if (first == IKM_NULL) {
+               queue->ikmq_base = kmsg;
+               kmsg->ikm_next = kmsg;
+               kmsg->ikm_prev = kmsg;
+       } else {
+               last = first->ikm_prev;
+               kmsg->ikm_next = first;
+               kmsg->ikm_prev = last;
+               first->ikm_prev = kmsg;
+               last->ikm_next = kmsg;
+       }
+}
+
+/*
+ *     Routine:        ipc_kmsg_enqueue_qos
+ *     Purpose:
+ *             Enqueue a kmsg, propagating qos
+ *             overrides towards the head of the queue.
+ *
+ *     Returns:
+ *             whether the head of the queue had
+ *             it's override-qos adjusted because
+ *             of this insertion.
+ */
+
+boolean_t
+ipc_kmsg_enqueue_qos(
+       ipc_kmsg_queue_t        queue,
+       ipc_kmsg_t              kmsg)
+{
+       ipc_kmsg_t first = queue->ikmq_base;
+       ipc_kmsg_t prev;
+       mach_msg_qos_t qos_ovr;
+
+       if (first == IKM_NULL) {
+               /* insert a first message */
+               queue->ikmq_base = kmsg;
+               kmsg->ikm_next = kmsg;
+               kmsg->ikm_prev = kmsg;
+               return TRUE;
+       }
+
+       /* insert at the tail */
+       prev = first->ikm_prev;
+       kmsg->ikm_next = first;
+       kmsg->ikm_prev = prev;
+       first->ikm_prev = kmsg;
+       prev->ikm_next = kmsg;
+
+       /* apply QoS overrides towards the head */
+       qos_ovr = kmsg->ikm_qos_override;
+       while (prev != kmsg &&
+           qos_ovr > prev->ikm_qos_override) {
+               prev->ikm_qos_override = qos_ovr;
+               prev = prev->ikm_prev;
+       }
+
+       /* did we adjust everything? */
+       return prev == kmsg;
+}
+
+/*
+ *     Routine:        ipc_kmsg_override_qos
+ *     Purpose:
+ *             Update the override for a given kmsg already
+ *             enqueued, propagating qos override adjustments
+ *             towards the head of the queue.
+ *
+ *     Returns:
+ *             whether the head of the queue had
+ *             it's override-qos adjusted because
+ *             of this insertion.
+ */
+
+boolean_t
+ipc_kmsg_override_qos(
+       ipc_kmsg_queue_t    queue,
+       ipc_kmsg_t          kmsg,
+       mach_msg_qos_t      qos_ovr)
+{
+       ipc_kmsg_t first = queue->ikmq_base;
+       ipc_kmsg_t cur = kmsg;
+
+       /* apply QoS overrides towards the head */
+       while (qos_ovr > cur->ikm_qos_override) {
+               cur->ikm_qos_override = qos_ovr;
+               if (cur == first) {
+                       return TRUE;
+               }
+               cur = cur->ikm_prev;
+       }
+       return FALSE;
+}
+
+/*
+ *     Routine:        ipc_kmsg_dequeue
+ *     Purpose:
+ *             Dequeue and return a kmsg.
+ */
+
+ipc_kmsg_t
+ipc_kmsg_dequeue(
+       ipc_kmsg_queue_t        queue)
+{
+       ipc_kmsg_t first;
+
+       first = ipc_kmsg_queue_first(queue);
+
+       if (first != IKM_NULL) {
+               ipc_kmsg_rmqueue(queue, first);
+       }
+
+       return first;
+}
+
+/*
+ *     Routine:        ipc_kmsg_rmqueue
+ *     Purpose:
+ *             Pull a kmsg out of a queue.
+ */
+
+void
+ipc_kmsg_rmqueue(
+       ipc_kmsg_queue_t        queue,
+       ipc_kmsg_t              kmsg)
+{
+       ipc_kmsg_t next, prev;
+
+       assert(queue->ikmq_base != IKM_NULL);
+
+       next = kmsg->ikm_next;
+       prev = kmsg->ikm_prev;
+
+       if (next == kmsg) {
+               assert(prev == kmsg);
+               assert(queue->ikmq_base == kmsg);
+
+               queue->ikmq_base = IKM_NULL;
+       } else {
+               if (__improbable(next->ikm_prev != kmsg || prev->ikm_next != kmsg)) {
+                       panic("ipc_kmsg_rmqueue: inconsistent prev/next pointers. "
+                           "(prev->next: %p, next->prev: %p, kmsg: %p)",
+                           prev->ikm_next, next->ikm_prev, kmsg);
+               }
+
+               if (queue->ikmq_base == kmsg) {
+                       queue->ikmq_base = next;
+               }
+
+               next->ikm_prev = prev;
+               prev->ikm_next = next;
+       }
+       /* XXX Temporary debug logic */
+       assert((kmsg->ikm_next = IKM_BOGUS) == IKM_BOGUS);
+       assert((kmsg->ikm_prev = IKM_BOGUS) == IKM_BOGUS);
+}
+
+/*
+ *     Routine:        ipc_kmsg_queue_next
+ *     Purpose:
+ *             Return the kmsg following the given kmsg.
+ *             (Or IKM_NULL if it is the last one in the queue.)
+ */
+
+ipc_kmsg_t
+ipc_kmsg_queue_next(
+       ipc_kmsg_queue_t        queue,
+       ipc_kmsg_t              kmsg)
+{
+       ipc_kmsg_t next;
+
+       assert(queue->ikmq_base != IKM_NULL);
+
+       next = kmsg->ikm_next;
+       if (queue->ikmq_base == next) {
+               next = IKM_NULL;
+       }
+
+       return next;
+}
+
+/*
+ *     Routine:        ipc_kmsg_destroy
+ *     Purpose:
+ *             Destroys a kernel message.  Releases all rights,
+ *             references, and memory held by the message.
+ *             Frees the message.
+ *     Conditions:
+ *             No locks held.
+ */
+
+void
+ipc_kmsg_destroy(
+       ipc_kmsg_t      kmsg)
+{
+       /*
+        *      Destroying a message can cause more messages to be destroyed.
+        *      Curtail recursion by putting messages on the deferred
+        *      destruction queue.  If this was the first message on the
+        *      queue, this instance must process the full queue.
+        */
+       if (ipc_kmsg_delayed_destroy(kmsg)) {
+               ipc_kmsg_reap_delayed();
+       }
+}
+
+/*
+ *     Routine:        ipc_kmsg_delayed_destroy
+ *     Purpose:
+ *             Enqueues a kernel message for deferred destruction.
+ *     Returns:
+ *             Boolean indicator that the caller is responsible to reap
+ *             deferred messages.
+ */
+
+boolean_t
+ipc_kmsg_delayed_destroy(
+       ipc_kmsg_t kmsg)
+{
+       ipc_kmsg_queue_t queue = &(current_thread()->ith_messages);
+       boolean_t first = ipc_kmsg_queue_empty(queue);
+
+       ipc_kmsg_enqueue(queue, kmsg);
+       return first;
+}
+
+/*
+ *     Routine:        ipc_kmsg_destroy_queue
+ *     Purpose:
+ *             Destroys messages from the per-thread
+ *             deferred reaping queue.
+ *     Conditions:
+ *             No locks held.
+ */
+
+void
+ipc_kmsg_reap_delayed(void)
+{
+       ipc_kmsg_queue_t queue = &(current_thread()->ith_messages);
+       ipc_kmsg_t kmsg;
+
+       /*
+        * must leave kmsg in queue while cleaning it to assure
+        * no nested calls recurse into here.
+        */
+       while ((kmsg = ipc_kmsg_queue_first(queue)) != IKM_NULL) {
+               ipc_kmsg_clean(kmsg);
+               ipc_kmsg_rmqueue(queue, kmsg);
+               ipc_kmsg_free(kmsg);
+       }
+}
+
+/*
+ *     Routine:        ipc_kmsg_clean_body
+ *     Purpose:
+ *             Cleans the body of a kernel message.
+ *             Releases all rights, references, and memory.
+ *
+ *     Conditions:
+ *             No locks held.
+ */
+static unsigned int _ipc_kmsg_clean_invalid_desc = 0;
+void
+ipc_kmsg_clean_body(
+       __unused ipc_kmsg_t     kmsg,
+       mach_msg_type_number_t  number,
+       mach_msg_descriptor_t   *saddr)
+{
+       mach_msg_type_number_t      i;
+
+       if (number == 0) {
+               return;
+       }
+
+       for (i = 0; i < number; i++, saddr++) {
+               switch (saddr->type.type) {
+               case MACH_MSG_PORT_DESCRIPTOR: {
+                       mach_msg_port_descriptor_t *dsc;
+
+                       dsc = &saddr->port;
+
+                       /*
+                        * Destroy port rights carried in the message
+                        */
+                       if (!IP_VALID(dsc->name)) {
+                               continue;
+                       }
+                       ipc_object_destroy(ip_to_object(dsc->name), dsc->disposition);
+                       break;
+               }
+               case MACH_MSG_OOL_VOLATILE_DESCRIPTOR:
+               case MACH_MSG_OOL_DESCRIPTOR: {
+                       mach_msg_ool_descriptor_t *dsc;
+
+                       dsc = (mach_msg_ool_descriptor_t *)&saddr->out_of_line;
+
+                       /*
+                        * Destroy memory carried in the message
+                        */
+                       if (dsc->size == 0) {
+                               assert(dsc->address == (void *) 0);
+                       } else {
+                               vm_map_copy_discard((vm_map_copy_t) dsc->address);
+                       }
+                       break;
+               }
+               case MACH_MSG_OOL_PORTS_DESCRIPTOR: {
+                       ipc_object_t                    *objects;
+                       mach_msg_type_number_t          j;
+                       mach_msg_ool_ports_descriptor_t *dsc;
+
+                       dsc = (mach_msg_ool_ports_descriptor_t  *)&saddr->ool_ports;
+                       objects = (ipc_object_t *) dsc->address;
+
+                       if (dsc->count == 0) {
+                               break;
+                       }
+
+                       assert(objects != (ipc_object_t *) 0);
+
+                       /* destroy port rights carried in the message */
+
+                       for (j = 0; j < dsc->count; j++) {
+                               ipc_object_t object = objects[j];
+
+                               if (!IO_VALID(object)) {
+                                       continue;
+                               }
+
+                               ipc_object_destroy(object, dsc->disposition);
+                       }
+
+                       /* destroy memory carried in the message */
+
+                       assert(dsc->count != 0);
+
+                       kfree(dsc->address,
+                           (vm_size_t) dsc->count * sizeof(mach_port_t));
+                       break;
+               }
+               case MACH_MSG_GUARDED_PORT_DESCRIPTOR: {
+                       mach_msg_guarded_port_descriptor_t *dsc = (typeof(dsc)) & saddr->guarded_port;
+
+                       /*
+                        * Destroy port rights carried in the message
+                        */
+                       if (!IP_VALID(dsc->name)) {
+                               continue;
+                       }
+                       ipc_object_destroy(ip_to_object(dsc->name), dsc->disposition);
+                       break;
+               }
+               default: {
+                       _ipc_kmsg_clean_invalid_desc++;         /* don't understand this type of descriptor */
+               }
+               }
+       }
+}
+
+/*
+ *     Routine:        ipc_kmsg_clean_partial
  *     Purpose:
  *             Cleans a partially-acquired kernel message.
  *             number is the index of the type descriptor
  *     Purpose:
  *             Cleans a partially-acquired kernel message.
  *             number is the index of the type descriptor
@@ -531,27 +1778,39 @@ ipc_kmsg_clean_body(
 
 void
 ipc_kmsg_clean_partial(
 
 void
 ipc_kmsg_clean_partial(
-       ipc_kmsg_t              kmsg,
-       mach_msg_type_number_t  number,
-       vm_offset_t             paddr,
-       vm_size_t               length)
+       ipc_kmsg_t              kmsg,
+       mach_msg_type_number_t  number,
+       mach_msg_descriptor_t   *desc,
+       vm_offset_t             paddr,
+       vm_size_t               length)
 {
        ipc_object_t object;
 {
        ipc_object_t object;
-       mach_msg_bits_t mbits = kmsg->ikm_header.msgh_bits;
+       mach_msg_bits_t mbits = kmsg->ikm_header->msgh_bits;
+
+       /* deal with importance chain while we still have dest and voucher references */
+       ipc_importance_clean(kmsg);
 
 
-       object = (ipc_object_t) kmsg->ikm_header.msgh_remote_port;
+       object = ip_to_object(kmsg->ikm_header->msgh_remote_port);
        assert(IO_VALID(object));
        assert(IO_VALID(object));
-       ipc_object_destroy(object, MACH_MSGH_BITS_REMOTE(mbits));
+       ipc_object_destroy_dest(object, MACH_MSGH_BITS_REMOTE(mbits));
 
 
-       object = (ipc_object_t) kmsg->ikm_header.msgh_local_port;
-       if (IO_VALID(object))
+       object = ip_to_object(kmsg->ikm_header->msgh_local_port);
+       if (IO_VALID(object)) {
                ipc_object_destroy(object, MACH_MSGH_BITS_LOCAL(mbits));
                ipc_object_destroy(object, MACH_MSGH_BITS_LOCAL(mbits));
+       }
+
+       object = ip_to_object(kmsg->ikm_voucher);
+       if (IO_VALID(object)) {
+               assert(MACH_MSGH_BITS_VOUCHER(mbits) == MACH_MSG_TYPE_MOVE_SEND);
+               ipc_object_destroy(object, MACH_MSG_TYPE_PORT_SEND);
+               kmsg->ikm_voucher = IP_NULL;
+       }
 
        if (paddr) {
                (void) vm_deallocate(ipc_kernel_copy_map, paddr, length);
        }
 
 
        if (paddr) {
                (void) vm_deallocate(ipc_kernel_copy_map, paddr, length);
        }
 
-       ipc_kmsg_clean_body(kmsg, number);
+       ipc_kmsg_clean_body(kmsg, number, desc);
 }
 
 /*
 }
 
 /*
@@ -565,25 +1824,38 @@ ipc_kmsg_clean_partial(
 
 void
 ipc_kmsg_clean(
 
 void
 ipc_kmsg_clean(
-       ipc_kmsg_t      kmsg)
+       ipc_kmsg_t      kmsg)
 {
        ipc_object_t object;
        mach_msg_bits_t mbits;
 
 {
        ipc_object_t object;
        mach_msg_bits_t mbits;
 
-       mbits = kmsg->ikm_header.msgh_bits;
-       object = (ipc_object_t) kmsg->ikm_header.msgh_remote_port;
-       if (IO_VALID(object))
-               ipc_object_destroy(object, MACH_MSGH_BITS_REMOTE(mbits));
+       /* deal with importance chain while we still have dest and voucher references */
+       ipc_importance_clean(kmsg);
+
+       mbits = kmsg->ikm_header->msgh_bits;
+       object = ip_to_object(kmsg->ikm_header->msgh_remote_port);
+       if (IO_VALID(object)) {
+               ipc_object_destroy_dest(object, MACH_MSGH_BITS_REMOTE(mbits));
+       }
 
 
-       object = (ipc_object_t) kmsg->ikm_header.msgh_local_port;
-       if (IO_VALID(object))
+       object = ip_to_object(kmsg->ikm_header->msgh_local_port);
+       if (IO_VALID(object)) {
                ipc_object_destroy(object, MACH_MSGH_BITS_LOCAL(mbits));
                ipc_object_destroy(object, MACH_MSGH_BITS_LOCAL(mbits));
+       }
+
+       object = ip_to_object(kmsg->ikm_voucher);
+       if (IO_VALID(object)) {
+               assert(MACH_MSGH_BITS_VOUCHER(mbits) == MACH_MSG_TYPE_MOVE_SEND);
+               ipc_object_destroy(object, MACH_MSG_TYPE_PORT_SEND);
+               kmsg->ikm_voucher = IP_NULL;
+       }
 
        if (mbits & MACH_MSGH_BITS_COMPLEX) {
                mach_msg_body_t *body;
 
 
        if (mbits & MACH_MSGH_BITS_COMPLEX) {
                mach_msg_body_t *body;
 
-               body = (mach_msg_body_t *) (&kmsg->ikm_header + 1);
-               ipc_kmsg_clean_body(kmsg, body->msgh_descriptor_count);
+               body = (mach_msg_body_t *) (kmsg->ikm_header + 1);
+               ipc_kmsg_clean_body(kmsg, body->msgh_descriptor_count,
+                   (mach_msg_descriptor_t *)(body + 1));
        }
 }
 
        }
 }
 
@@ -597,12 +1869,15 @@ ipc_kmsg_clean(
 
 void
 ipc_kmsg_set_prealloc(
 
 void
 ipc_kmsg_set_prealloc(
-       ipc_kmsg_t              kmsg,
-       ipc_port_t              port)
+       ipc_kmsg_t              kmsg,
+       ipc_port_t              port)
 {
        assert(kmsg->ikm_prealloc == IP_NULL);
 {
        assert(kmsg->ikm_prealloc == IP_NULL);
-  
+
        kmsg->ikm_prealloc = IP_NULL;
        kmsg->ikm_prealloc = IP_NULL;
+
+       assert(port_send_turnstile(port) == TURNSTILE_NULL);
+       kmsg->ikm_turnstile = TURNSTILE_NULL;
        IP_SET_PREALLOC(port, kmsg);
 }
 
        IP_SET_PREALLOC(port, kmsg);
 }
 
@@ -615,15 +1890,37 @@ ipc_kmsg_set_prealloc(
  */
 void
 ipc_kmsg_clear_prealloc(
  */
 void
 ipc_kmsg_clear_prealloc(
-       ipc_kmsg_t              kmsg,
-       ipc_port_t              port)
+       ipc_kmsg_t              kmsg,
+       ipc_port_t              port)
 {
 {
-       assert(kmsg->ikm_prealloc == port);
-  
-       kmsg->ikm_prealloc = IP_NULL;
+       /* take the mqueue lock since the turnstile is protected under it */
+       imq_lock(&port->ip_messages);
+
        IP_CLEAR_PREALLOC(port, kmsg);
        IP_CLEAR_PREALLOC(port, kmsg);
+       set_port_send_turnstile(port, kmsg->ikm_turnstile);
+       imq_unlock(&port->ip_messages);
+}
+
+/*
+ *     Routine:        ipc_kmsg_prealloc
+ *     Purpose:
+ *             Wraper to ipc_kmsg_alloc() to account for
+ *             header expansion requirements.
+ */
+ipc_kmsg_t
+ipc_kmsg_prealloc(mach_msg_size_t size)
+{
+#if defined(__LP64__)
+       if (size > IKM_SAVED_MSG_SIZE - LEGACY_HEADER_SIZE_DELTA) {
+               panic("ipc_kmsg_prealloc");
+       }
+
+       size += LEGACY_HEADER_SIZE_DELTA;
+#endif
+       return ipc_kmsg_alloc(size);
 }
 
 }
 
+
 /*
  *     Routine:        ipc_kmsg_get
  *     Purpose:
 /*
  *     Routine:        ipc_kmsg_get
  *     Purpose:
@@ -635,51 +1932,131 @@ ipc_kmsg_clear_prealloc(
  *             MACH_MSG_SUCCESS        Acquired a message buffer.
  *             MACH_SEND_MSG_TOO_SMALL Message smaller than a header.
  *             MACH_SEND_MSG_TOO_SMALL Message size not long-word multiple.
  *             MACH_MSG_SUCCESS        Acquired a message buffer.
  *             MACH_SEND_MSG_TOO_SMALL Message smaller than a header.
  *             MACH_SEND_MSG_TOO_SMALL Message size not long-word multiple.
+ *             MACH_SEND_TOO_LARGE     Message too large to ever be sent.
  *             MACH_SEND_NO_BUFFER     Couldn't allocate a message buffer.
  *             MACH_SEND_INVALID_DATA  Couldn't copy message data.
  */
 
 mach_msg_return_t
 ipc_kmsg_get(
  *             MACH_SEND_NO_BUFFER     Couldn't allocate a message buffer.
  *             MACH_SEND_INVALID_DATA  Couldn't copy message data.
  */
 
 mach_msg_return_t
 ipc_kmsg_get(
-       mach_msg_header_t       *msg,
-       mach_msg_size_t         size,
-       ipc_kmsg_t              *kmsgp)
-{
-       mach_msg_size_t                 msg_and_trailer_size;
-       ipc_kmsg_t                      kmsg;
-       mach_msg_format_0_trailer_t     *trailer;
-       mach_port_name_t                dest_name;
-       ipc_entry_t                     dest_entry;
-       ipc_port_t                      dest_port;
-
-       if ((size < sizeof(mach_msg_header_t)) || (size & 3))
+       mach_vm_address_t       msg_addr,
+       mach_msg_size_t size,
+       ipc_kmsg_t              *kmsgp)
+{
+       mach_msg_size_t                 msg_and_trailer_size;
+       ipc_kmsg_t                      kmsg;
+       mach_msg_max_trailer_t          *trailer;
+       mach_msg_legacy_base_t      legacy_base;
+       mach_msg_size_t             len_copied;
+       legacy_base.body.msgh_descriptor_count = 0;
+
+       if ((size < sizeof(mach_msg_legacy_header_t)) || (size & 3)) {
                return MACH_SEND_MSG_TOO_SMALL;
                return MACH_SEND_MSG_TOO_SMALL;
+       }
 
 
-       msg_and_trailer_size = size + MAX_TRAILER_SIZE;
+       if (size > ipc_kmsg_max_body_space) {
+               return MACH_SEND_TOO_LARGE;
+       }
 
 
-       kmsg = ipc_kmsg_alloc(msg_and_trailer_size);
+       if (size == sizeof(mach_msg_legacy_header_t)) {
+               len_copied = sizeof(mach_msg_legacy_header_t);
+       } else {
+               len_copied = sizeof(mach_msg_legacy_base_t);
+       }
+
+       if (copyinmsg(msg_addr, (char *)&legacy_base, len_copied)) {
+               return MACH_SEND_INVALID_DATA;
+       }
+
+       /*
+        * If the message claims to be complex, it must at least
+        * have the length of a "base" message (header + dsc_count).
+        */
+       if (len_copied < sizeof(mach_msg_legacy_base_t) &&
+           (legacy_base.header.msgh_bits & MACH_MSGH_BITS_COMPLEX)) {
+               return MACH_SEND_MSG_TOO_SMALL;
+       }
+
+       msg_addr += sizeof(legacy_base.header);
+#if defined(__LP64__)
+       size += LEGACY_HEADER_SIZE_DELTA;
+#endif
+       /* unreachable if !DEBUG */
+       __unreachable_ok_push
+       if (DEBUG_KPRINT_SYSCALL_PREDICATE(DEBUG_KPRINT_SYSCALL_IPC_MASK)) {
+               unsigned int j;
+               for (j = 0; j < sizeof(legacy_base.header); j++) {
+                       kprintf("%02x\n", ((unsigned char*)&legacy_base.header)[j]);
+               }
+       }
+       __unreachable_ok_pop
 
 
-       if (kmsg == IKM_NULL)
+           msg_and_trailer_size = size + MAX_TRAILER_SIZE;
+       kmsg = ipc_kmsg_alloc(msg_and_trailer_size);
+       if (kmsg == IKM_NULL) {
                return MACH_SEND_NO_BUFFER;
                return MACH_SEND_NO_BUFFER;
+       }
 
 
-       if (copyinmsg((char *) msg, (char *) &kmsg->ikm_header, size)) {
+       kmsg->ikm_header->msgh_size                     = size;
+       kmsg->ikm_header->msgh_bits                     = legacy_base.header.msgh_bits;
+       kmsg->ikm_header->msgh_remote_port      = CAST_MACH_NAME_TO_PORT(legacy_base.header.msgh_remote_port);
+       kmsg->ikm_header->msgh_local_port       = CAST_MACH_NAME_TO_PORT(legacy_base.header.msgh_local_port);
+       kmsg->ikm_header->msgh_voucher_port             = legacy_base.header.msgh_voucher_port;
+       kmsg->ikm_header->msgh_id                       = legacy_base.header.msgh_id;
+
+       DEBUG_KPRINT_SYSCALL_IPC("ipc_kmsg_get header:\n"
+           "  size:            0x%.8x\n"
+           "  bits:            0x%.8x\n"
+           "  remote_port:     %p\n"
+           "  local_port:      %p\n"
+           "  voucher_port:    0x%.8x\n"
+           "  id:              %.8d\n",
+           kmsg->ikm_header->msgh_size,
+           kmsg->ikm_header->msgh_bits,
+           kmsg->ikm_header->msgh_remote_port,
+           kmsg->ikm_header->msgh_local_port,
+           kmsg->ikm_header->msgh_voucher_port,
+           kmsg->ikm_header->msgh_id);
+
+       if (copyinmsg(msg_addr, (char *)(kmsg->ikm_header + 1), size - (mach_msg_size_t)sizeof(mach_msg_header_t))) {
                ipc_kmsg_free(kmsg);
                return MACH_SEND_INVALID_DATA;
        }
 
                ipc_kmsg_free(kmsg);
                return MACH_SEND_INVALID_DATA;
        }
 
-       kmsg->ikm_header.msgh_size = size;
+       /* unreachable if !DEBUG */
+       __unreachable_ok_push
+       if (DEBUG_KPRINT_SYSCALL_PREDICATE(DEBUG_KPRINT_SYSCALL_IPC_MASK)) {
+               kprintf("body: size: %lu\n", (size - sizeof(mach_msg_header_t)));
+               uint32_t i;
+               for (i = 0; i * 4 < (size - sizeof(mach_msg_header_t)); i++) {
+                       kprintf("%.4x\n", ((uint32_t *)(kmsg->ikm_header + 1))[i]);
+               }
+       }
+       __unreachable_ok_pop
+       DEBUG_IPC_KMSG_PRINT(kmsg, "ipc_kmsg_get()");
 
 
-       /* 
+       /*
         * I reserve for the trailer the largest space (MAX_TRAILER_SIZE)
         * However, the internal size field of the trailer (msgh_trailer_size)
         * is initialized to the minimum (sizeof(mach_msg_trailer_t)), to optimize
         * the cases where no implicit data is requested.
         */
         * I reserve for the trailer the largest space (MAX_TRAILER_SIZE)
         * However, the internal size field of the trailer (msgh_trailer_size)
         * is initialized to the minimum (sizeof(mach_msg_trailer_t)), to optimize
         * the cases where no implicit data is requested.
         */
-       trailer = (mach_msg_format_0_trailer_t *) ((vm_offset_t)&kmsg->ikm_header + size);
-       trailer->msgh_sender = current_thread()->top_act->task->sec_token;
+       trailer = (mach_msg_max_trailer_t *) ((vm_offset_t)kmsg->ikm_header + size);
+       bzero(trailer, sizeof(*trailer));
+       trailer->msgh_sender = current_thread()->task->sec_token;
+       trailer->msgh_audit = current_thread()->task->audit_token;
        trailer->msgh_trailer_type = MACH_MSG_TRAILER_FORMAT_0;
        trailer->msgh_trailer_size = MACH_MSG_TRAILER_MINIMUM_SIZE;
 
        trailer->msgh_trailer_type = MACH_MSG_TRAILER_FORMAT_0;
        trailer->msgh_trailer_size = MACH_MSG_TRAILER_MINIMUM_SIZE;
 
+#ifdef ppc
+       if (trcWork.traceMask) {
+               dbgTrace(0x1100, (unsigned int)kmsg->ikm_header->msgh_id,
+                   (unsigned int)kmsg->ikm_header->msgh_remote_port,
+                   (unsigned int)kmsg->ikm_header->msgh_local_port, 0);
+       }
+#endif
+
+       trailer->msgh_labels.sender = 0;
        *kmsgp = kmsg;
        return MACH_MSG_SUCCESS;
 }
        *kmsgp = kmsg;
        return MACH_MSG_SUCCESS;
 }
@@ -687,7 +2064,9 @@ ipc_kmsg_get(
 /*
  *     Routine:        ipc_kmsg_get_from_kernel
  *     Purpose:
 /*
  *     Routine:        ipc_kmsg_get_from_kernel
  *     Purpose:
- *             Allocates a kernel message buffer.
+ *             First checks for a preallocated message
+ *             reserved for kernel clients.  If not found -
+ *             allocates a new kernel message buffer.
  *             Copies a kernel message to the message buffer.
  *             Only resource errors are allowed.
  *     Conditions:
  *             Copies a kernel message to the message buffer.
  *             Only resource errors are allowed.
  *     Conditions:
@@ -700,20 +2079,19 @@ ipc_kmsg_get(
 
 mach_msg_return_t
 ipc_kmsg_get_from_kernel(
 
 mach_msg_return_t
 ipc_kmsg_get_from_kernel(
-       mach_msg_header_t       *msg,
-       mach_msg_size_t         size,
-       ipc_kmsg_t              *kmsgp)
+       mach_msg_header_t       *msg,
+       mach_msg_size_t size,
+       ipc_kmsg_t              *kmsgp)
 {
 {
-       ipc_kmsg_t      kmsg;
-       mach_msg_size_t msg_and_trailer_size;
-       mach_msg_format_0_trailer_t *trailer;
-       ipc_port_t      dest_port;
+       ipc_kmsg_t      kmsg;
+       mach_msg_size_t msg_and_trailer_size;
+       mach_msg_max_trailer_t *trailer;
+       ipc_port_t      dest_port;
 
        assert(size >= sizeof(mach_msg_header_t));
        assert((size & 3) == 0);
 
 
        assert(size >= sizeof(mach_msg_header_t));
        assert((size & 3) == 0);
 
-       assert(IP_VALID((ipc_port_t) msg->msgh_remote_port));
-       dest_port = (ipc_port_t)msg->msgh_remote_port;
+       dest_port = msg->msgh_remote_port;
 
        msg_and_trailer_size = size + MAX_TRAILER_SIZE;
 
 
        msg_and_trailer_size = size + MAX_TRAILER_SIZE;
 
@@ -722,7 +2100,9 @@ ipc_kmsg_get_from_kernel(
         * clients.  These are set up for those kernel clients
         * which cannot afford to wait.
         */
         * clients.  These are set up for those kernel clients
         * which cannot afford to wait.
         */
-       if (IP_PREALLOC(dest_port)) {
+       if (IP_VALID(dest_port) && IP_PREALLOC(dest_port)) {
+               mach_msg_size_t max_desc = 0;
+
                ip_lock(dest_port);
                if (!ip_active(dest_port)) {
                        ip_unlock(dest_port);
                ip_lock(dest_port);
                if (!ip_active(dest_port)) {
                        ip_unlock(dest_port);
@@ -730,38 +2110,53 @@ ipc_kmsg_get_from_kernel(
                }
                assert(IP_PREALLOC(dest_port));
                kmsg = dest_port->ip_premsg;
                }
                assert(IP_PREALLOC(dest_port));
                kmsg = dest_port->ip_premsg;
-               if (msg_and_trailer_size > kmsg->ikm_size) {
-                       ip_unlock(dest_port);
-                       return MACH_SEND_TOO_LARGE;
-               }
                if (ikm_prealloc_inuse(kmsg)) {
                        ip_unlock(dest_port);
                        return MACH_SEND_NO_BUFFER;
                }
                if (ikm_prealloc_inuse(kmsg)) {
                        ip_unlock(dest_port);
                        return MACH_SEND_NO_BUFFER;
                }
+#if !defined(__LP64__)
+               if (msg->msgh_bits & MACH_MSGH_BITS_COMPLEX) {
+                       assert(size > sizeof(mach_msg_base_t));
+                       max_desc = ((mach_msg_base_t *)msg)->body.msgh_descriptor_count *
+                           DESC_SIZE_ADJUSTMENT;
+               }
+#endif
+               if (msg_and_trailer_size > kmsg->ikm_size - max_desc) {
+                       ip_unlock(dest_port);
+                       return MACH_SEND_TOO_LARGE;
+               }
                ikm_prealloc_set_inuse(kmsg, dest_port);
                ikm_prealloc_set_inuse(kmsg, dest_port);
+               ikm_set_header(kmsg, NULL, msg_and_trailer_size);
                ip_unlock(dest_port);
        } else {
                kmsg = ipc_kmsg_alloc(msg_and_trailer_size);
                ip_unlock(dest_port);
        } else {
                kmsg = ipc_kmsg_alloc(msg_and_trailer_size);
-               if (kmsg == IKM_NULL)
+               if (kmsg == IKM_NULL) {
                        return MACH_SEND_NO_BUFFER;
                        return MACH_SEND_NO_BUFFER;
+               }
        }
 
        }
 
-       (void) memcpy((void *) &kmsg->ikm_header, (const void *) msg, size);
+       (void) memcpy((void *) kmsg->ikm_header, (const void *) msg, size);
+
+       ikm_qos_init(kmsg);
 
 
-       kmsg->ikm_header.msgh_size = size;
+       kmsg->ikm_header->msgh_size = size;
 
 
-       /* 
+       /*
         * I reserve for the trailer the largest space (MAX_TRAILER_SIZE)
         * However, the internal size field of the trailer (msgh_trailer_size)
         * is initialized to the minimum (sizeof(mach_msg_trailer_t)), to
         * optimize the cases where no implicit data is requested.
         */
         * I reserve for the trailer the largest space (MAX_TRAILER_SIZE)
         * However, the internal size field of the trailer (msgh_trailer_size)
         * is initialized to the minimum (sizeof(mach_msg_trailer_t)), to
         * optimize the cases where no implicit data is requested.
         */
-       trailer = (mach_msg_format_0_trailer_t *) 
-                 ((vm_offset_t)&kmsg->ikm_header + size);
+       trailer = (mach_msg_max_trailer_t *)
+           ((vm_offset_t)kmsg->ikm_header + size);
+       bzero(trailer, sizeof(*trailer));
        trailer->msgh_sender = KERNEL_SECURITY_TOKEN;
        trailer->msgh_sender = KERNEL_SECURITY_TOKEN;
+       trailer->msgh_audit = KERNEL_AUDIT_TOKEN;
        trailer->msgh_trailer_type = MACH_MSG_TRAILER_FORMAT_0;
        trailer->msgh_trailer_size = MACH_MSG_TRAILER_MINIMUM_SIZE;
 
        trailer->msgh_trailer_type = MACH_MSG_TRAILER_FORMAT_0;
        trailer->msgh_trailer_size = MACH_MSG_TRAILER_MINIMUM_SIZE;
 
+       trailer->msgh_labels.sender = 0;
+
        *kmsgp = kmsg;
        return MACH_MSG_SUCCESS;
 }
        *kmsgp = kmsg;
        return MACH_MSG_SUCCESS;
 }
@@ -782,30 +2177,106 @@ ipc_kmsg_get_from_kernel(
  *             MACH_MSG_SUCCESS        The message was accepted.
  *             MACH_SEND_TIMED_OUT     Caller still has message.
  *             MACH_SEND_INTERRUPTED   Caller still has message.
  *             MACH_MSG_SUCCESS        The message was accepted.
  *             MACH_SEND_TIMED_OUT     Caller still has message.
  *             MACH_SEND_INTERRUPTED   Caller still has message.
+ *             MACH_SEND_INVALID_DEST  Caller still has message.
  */
 mach_msg_return_t
 ipc_kmsg_send(
  */
 mach_msg_return_t
 ipc_kmsg_send(
-       ipc_kmsg_t              kmsg,
-       mach_msg_option_t       option,
-       mach_msg_timeout_t      timeout)
+       ipc_kmsg_t              kmsg,
+       mach_msg_option_t       option,
+       mach_msg_timeout_t      send_timeout)
 {
 {
-       kern_return_t           save_wait_result;
-
        ipc_port_t port;
        ipc_port_t port;
-       port = (ipc_port_t) kmsg->ikm_header.msgh_remote_port;
-       assert(IP_VALID(port));
+       thread_t th = current_thread();
+       mach_msg_return_t error = MACH_MSG_SUCCESS;
+       boolean_t kernel_reply = FALSE;
+
+       /* Check if honor qlimit flag is set on thread. */
+       if ((th->options & TH_OPT_HONOR_QLIMIT) == TH_OPT_HONOR_QLIMIT) {
+               /* Remove the MACH_SEND_ALWAYS flag to honor queue limit. */
+               option &= (~MACH_SEND_ALWAYS);
+               /* Add the timeout flag since the message queue might be full. */
+               option |= MACH_SEND_TIMEOUT;
+               th->options &= (~TH_OPT_HONOR_QLIMIT);
+       }
+
+#if IMPORTANCE_INHERITANCE
+       bool did_importance = false;
+#if IMPORTANCE_TRACE
+       mach_msg_id_t imp_msgh_id = -1;
+       int           sender_pid  = -1;
+#endif /* IMPORTANCE_TRACE */
+#endif /* IMPORTANCE_INHERITANCE */
+
+       /* don't allow the creation of a circular loop */
+       if (kmsg->ikm_header->msgh_bits & MACH_MSGH_BITS_CIRCULAR) {
+               ipc_kmsg_destroy(kmsg);
+               KDBG(MACHDBG_CODE(DBG_MACH_IPC, MACH_IPC_KMSG_INFO) | DBG_FUNC_END, MACH_MSGH_BITS_CIRCULAR);
+               return MACH_MSG_SUCCESS;
+       }
 
 
+       ipc_voucher_send_preprocessing(kmsg);
+
+       port = kmsg->ikm_header->msgh_remote_port;
+       assert(IP_VALID(port));
        ip_lock(port);
 
        ip_lock(port);
 
-       if (port->ip_receiver == ipc_space_kernel) {
+       /*
+        * If the destination has been guarded with a reply context, and the
+        * sender is consuming a send-once right, then assume this is a reply
+        * to an RPC and we need to validate that this sender is currently in
+        * the correct context.
+        */
+       if (enforce_strict_reply && port->ip_reply_context != 0 &&
+           ((option & MACH_SEND_KERNEL) == 0) &&
+           MACH_MSGH_BITS_REMOTE(kmsg->ikm_header->msgh_bits) == MACH_MSG_TYPE_PORT_SEND_ONCE) {
+               error = ipc_kmsg_validate_reply_context_locked(option, port, th->ith_voucher, th->ith_voucher_name);
+               if (error != MACH_MSG_SUCCESS) {
+                       ip_unlock(port);
+                       return error;
+               }
+       }
+
+#if IMPORTANCE_INHERITANCE
+retry:
+#endif /* IMPORTANCE_INHERITANCE */
+       /*
+        *      Can't deliver to a dead port.
+        *      However, we can pretend it got sent
+        *      and was then immediately destroyed.
+        */
+       if (!ip_active(port)) {
+               ip_unlock(port);
+#if MACH_FLIPC
+               if (MACH_NODE_VALID(kmsg->ikm_node) && FPORT_VALID(port->ip_messages.imq_fport)) {
+                       flipc_msg_ack(kmsg->ikm_node, &port->ip_messages, FALSE);
+               }
+#endif
+               if (did_importance) {
+                       /*
+                        * We're going to pretend we delivered this message
+                        * successfully, and just eat the kmsg. However, the
+                        * kmsg is actually visible via the importance_task!
+                        * We need to cleanup this linkage before we destroy
+                        * the message, and more importantly before we set the
+                        * msgh_remote_port to NULL. See: 34302571
+                        */
+                       ipc_importance_clean(kmsg);
+               }
+               ip_release(port);  /* JMM - Future: release right, not just ref */
+               kmsg->ikm_header->msgh_remote_port = MACH_PORT_NULL;
+               ipc_kmsg_destroy(kmsg);
+               KDBG(MACHDBG_CODE(DBG_MACH_IPC, MACH_IPC_KMSG_INFO) | DBG_FUNC_END, MACH_SEND_INVALID_DEST);
+               return MACH_MSG_SUCCESS;
+       }
 
 
+       if (port->ip_receiver == ipc_space_kernel) {
                /*
                 *      We can check ip_receiver == ipc_space_kernel
                 *      before checking that the port is active because
                 *      ipc_port_dealloc_kernel clears ip_receiver
                 *      before destroying a kernel port.
                 */
                /*
                 *      We can check ip_receiver == ipc_space_kernel
                 *      before checking that the port is active because
                 *      ipc_port_dealloc_kernel clears ip_receiver
                 *      before destroying a kernel port.
                 */
-               assert(ip_active(port));
+               require_ip_active(port);
                port->ip_messages.imq_seqno++;
                ip_unlock(port);
 
                port->ip_messages.imq_seqno++;
                ip_unlock(port);
 
@@ -814,104 +2285,512 @@ ipc_kmsg_send(
                /*
                 * Call the server routine, and get the reply message to send.
                 */
                /*
                 * Call the server routine, and get the reply message to send.
                 */
-               kmsg = ipc_kobject_server(kmsg);
-               if (kmsg == IKM_NULL)
+               kmsg = ipc_kobject_server(kmsg, option);
+               if (kmsg == IKM_NULL) {
                        return MACH_MSG_SUCCESS;
                        return MACH_MSG_SUCCESS;
+               }
+
+               /* sign the reply message */
+               ikm_sign(kmsg);
 
 
-               port = (ipc_port_t) kmsg->ikm_header.msgh_remote_port;
+               /* restart the KMSG_INFO tracing for the reply message */
+               KDBG(MACHDBG_CODE(DBG_MACH_IPC, MACH_IPC_KMSG_INFO) | DBG_FUNC_START);
+               port = kmsg->ikm_header->msgh_remote_port;
                assert(IP_VALID(port));
                ip_lock(port);
                /* fall thru with reply - same options */
                assert(IP_VALID(port));
                ip_lock(port);
                /* fall thru with reply - same options */
+               kernel_reply = TRUE;
+               if (!ip_active(port)) {
+                       error = MACH_SEND_INVALID_DEST;
+               }
        }
 
        }
 
+#if IMPORTANCE_INHERITANCE
        /*
        /*
-        *      Can't deliver to a dead port.
-        *      However, we can pretend it got sent
-        *      and was then immediately destroyed.
+        * Need to see if this message needs importance donation and/or
+        * propagation.  That routine can drop the port lock temporarily.
+        * If it does we'll have to revalidate the destination.
         */
         */
-       if (!ip_active(port)) {
+       if (!did_importance) {
+               did_importance = true;
+               if (ipc_importance_send(kmsg, option)) {
+                       goto retry;
+               }
+       }
+#endif /* IMPORTANCE_INHERITANCE */
+
+       if (error != MACH_MSG_SUCCESS) {
+               ip_unlock(port);
+       } else {
+               /*
+                * We have a valid message and a valid reference on the port.
+                * we can unlock the port and call mqueue_send() on its message
+                * queue. Lock message queue while port is locked.
+                */
+               imq_lock(&port->ip_messages);
+
+               ipc_special_reply_port_msg_sent(port);
+
+               ip_unlock(port);
+
+               error = ipc_mqueue_send(&port->ip_messages, kmsg, option,
+                   send_timeout);
+       }
+
+#if IMPORTANCE_INHERITANCE
+       if (did_importance) {
+               __unused int importance_cleared = 0;
+               switch (error) {
+               case MACH_SEND_TIMED_OUT:
+               case MACH_SEND_NO_BUFFER:
+               case MACH_SEND_INTERRUPTED:
+               case MACH_SEND_INVALID_DEST:
+                       /*
+                        * We still have the kmsg and its
+                        * reference on the port.  But we
+                        * have to back out the importance
+                        * boost.
+                        *
+                        * The port could have changed hands,
+                        * be inflight to another destination,
+                        * etc...  But in those cases our
+                        * back-out will find the new owner
+                        * (and all the operations that
+                        * transferred the right should have
+                        * applied their own boost adjustments
+                        * to the old owner(s)).
+                        */
+                       importance_cleared = 1;
+                       ipc_importance_clean(kmsg);
+                       break;
+
+               case MACH_MSG_SUCCESS:
+               default:
+                       break;
+               }
+#if IMPORTANCE_TRACE
+               KERNEL_DEBUG_CONSTANT_IST(KDEBUG_TRACE, (IMPORTANCE_CODE(IMP_MSG, IMP_MSG_SEND)) | DBG_FUNC_END,
+                   task_pid(current_task()), sender_pid, imp_msgh_id, importance_cleared, 0);
+#endif /* IMPORTANCE_TRACE */
+       }
+#endif /* IMPORTANCE_INHERITANCE */
+
+       /*
+        * If the port has been destroyed while we wait, treat the message
+        * as a successful delivery (like we do for an inactive port).
+        */
+       if (error == MACH_SEND_INVALID_DEST) {
+#if MACH_FLIPC
+               if (MACH_NODE_VALID(kmsg->ikm_node) && FPORT_VALID(port->ip_messages.imq_fport)) {
+                       flipc_msg_ack(kmsg->ikm_node, &port->ip_messages, FALSE);
+               }
+#endif
+               ip_release(port); /* JMM - Future: release right, not just ref */
+               kmsg->ikm_header->msgh_remote_port = MACH_PORT_NULL;
+               ipc_kmsg_destroy(kmsg);
+               KDBG(MACHDBG_CODE(DBG_MACH_IPC, MACH_IPC_KMSG_INFO) | DBG_FUNC_END, MACH_SEND_INVALID_DEST);
+               return MACH_MSG_SUCCESS;
+       }
+
+       if (error != MACH_MSG_SUCCESS && kernel_reply) {
+               /*
+                * Kernel reply messages that fail can't be allowed to
+                * pseudo-receive on error conditions. We need to just treat
+                * the message as a successful delivery.
+                */
+#if MACH_FLIPC
+               if (MACH_NODE_VALID(kmsg->ikm_node) && FPORT_VALID(port->ip_messages.imq_fport)) {
+                       flipc_msg_ack(kmsg->ikm_node, &port->ip_messages, FALSE);
+               }
+#endif
+               ip_release(port); /* JMM - Future: release right, not just ref */
+               kmsg->ikm_header->msgh_remote_port = MACH_PORT_NULL;
+               ipc_kmsg_destroy(kmsg);
+               KDBG(MACHDBG_CODE(DBG_MACH_IPC, MACH_IPC_KMSG_INFO) | DBG_FUNC_END, error);
+               return MACH_MSG_SUCCESS;
+       }
+       return error;
+}
+
+/*
+ *     Routine:        ipc_kmsg_put
+ *     Purpose:
+ *             Copies a message buffer to a user message.
+ *             Copies only the specified number of bytes.
+ *             Frees the message buffer.
+ *     Conditions:
+ *             Nothing locked.  The message buffer must have clean
+ *             header fields.
+ *     Returns:
+ *             MACH_MSG_SUCCESS        Copied data out of message buffer.
+ *             MACH_RCV_INVALID_DATA   Couldn't copy to user message.
+ */
+
+mach_msg_return_t
+ipc_kmsg_put(
+       ipc_kmsg_t              kmsg,
+       mach_msg_option_t       option,
+       mach_vm_address_t       rcv_addr,
+       mach_msg_size_t         rcv_size,
+       mach_msg_size_t         trailer_size,
+       mach_msg_size_t         *sizep)
+{
+       mach_msg_size_t size = kmsg->ikm_header->msgh_size + trailer_size;
+       mach_msg_return_t mr;
+
+       DEBUG_IPC_KMSG_PRINT(kmsg, "ipc_kmsg_put()");
+
+
+       DEBUG_KPRINT_SYSCALL_IPC("ipc_kmsg_put header:\n"
+           "  size:            0x%.8x\n"
+           "  bits:            0x%.8x\n"
+           "  remote_port:     %p\n"
+           "  local_port:      %p\n"
+           "  voucher_port:    0x%.8x\n"
+           "  id:              %.8d\n",
+           kmsg->ikm_header->msgh_size,
+           kmsg->ikm_header->msgh_bits,
+           kmsg->ikm_header->msgh_remote_port,
+           kmsg->ikm_header->msgh_local_port,
+           kmsg->ikm_header->msgh_voucher_port,
+           kmsg->ikm_header->msgh_id);
+
+#if defined(__LP64__)
+       if (current_task() != kernel_task) { /* don't if receiver expects fully-cooked in-kernel msg; */
+               mach_msg_legacy_header_t *legacy_header =
+                   (mach_msg_legacy_header_t *)((vm_offset_t)(kmsg->ikm_header) + LEGACY_HEADER_SIZE_DELTA);
+
+               mach_msg_bits_t         bits            = kmsg->ikm_header->msgh_bits;
+               mach_msg_size_t         msg_size        = kmsg->ikm_header->msgh_size;
+               mach_port_name_t        remote_port     = CAST_MACH_PORT_TO_NAME(kmsg->ikm_header->msgh_remote_port);
+               mach_port_name_t        local_port      = CAST_MACH_PORT_TO_NAME(kmsg->ikm_header->msgh_local_port);
+               mach_port_name_t        voucher_port    = kmsg->ikm_header->msgh_voucher_port;
+               mach_msg_id_t           id                      = kmsg->ikm_header->msgh_id;
+
+               legacy_header->msgh_id                  = id;
+               legacy_header->msgh_local_port = local_port;
+               legacy_header->msgh_remote_port = remote_port;
+               legacy_header->msgh_voucher_port = voucher_port;
+               legacy_header->msgh_size                = msg_size - LEGACY_HEADER_SIZE_DELTA;
+               legacy_header->msgh_bits                = bits;
+
+               size -= LEGACY_HEADER_SIZE_DELTA;
+               kmsg->ikm_header = (mach_msg_header_t *)legacy_header;
+       }
+#endif
+
+       /* unreachable if !DEBUG */
+       __unreachable_ok_push
+       if (DEBUG_KPRINT_SYSCALL_PREDICATE(DEBUG_KPRINT_SYSCALL_IPC_MASK)) {
+               kprintf("ipc_kmsg_put header+body: %d\n", (size));
+               uint32_t i;
+               for (i = 0; i * 4 < size; i++) {
+                       kprintf("%.4x\n", ((uint32_t *)kmsg->ikm_header)[i]);
+               }
+               kprintf("type: %d\n", ((mach_msg_type_descriptor_t *)(((mach_msg_base_t *)kmsg->ikm_header) + 1))->type);
+       }
+       __unreachable_ok_pop
+
+       /* Re-Compute target address if using stack-style delivery */
+       if (option & MACH_RCV_STACK) {
+               rcv_addr += rcv_size - size;
+       }
+
+       if (copyoutmsg((const char *) kmsg->ikm_header, rcv_addr, size)) {
+               mr = MACH_RCV_INVALID_DATA;
+               size = 0;
+       } else {
+               mr = MACH_MSG_SUCCESS;
+       }
+
+       KERNEL_DEBUG_CONSTANT(MACHDBG_CODE(DBG_MACH_IPC, MACH_IPC_KMSG_LINK) | DBG_FUNC_NONE,
+           (rcv_addr >= VM_MIN_KERNEL_AND_KEXT_ADDRESS ||
+           rcv_addr + size >= VM_MIN_KERNEL_AND_KEXT_ADDRESS) ? (uintptr_t)0 : (uintptr_t)rcv_addr,
+           VM_KERNEL_ADDRPERM((uintptr_t)kmsg),
+           1 /* this is on the receive/copyout path */,
+           0,
+           0);
+       ipc_kmsg_free(kmsg);
+
+       if (sizep) {
+               *sizep = size;
+       }
+       return mr;
+}
+
+/*
+ *     Routine:        ipc_kmsg_put_to_kernel
+ *     Purpose:
+ *             Copies a message buffer to a kernel message.
+ *             Frees the message buffer.
+ *             No errors allowed.
+ *     Conditions:
+ *             Nothing locked.
+ */
+
+void
+ipc_kmsg_put_to_kernel(
+       mach_msg_header_t       *msg,
+       ipc_kmsg_t              kmsg,
+       mach_msg_size_t         size)
+{
+       (void) memcpy((void *) msg, (const void *) kmsg->ikm_header, size);
+
+       ipc_kmsg_free(kmsg);
+}
+
+static pthread_priority_compact_t
+ipc_get_current_thread_priority(void)
+{
+       thread_t thread = current_thread();
+       thread_qos_t qos;
+       int relpri;
+
+       qos = thread_get_requested_qos(thread, &relpri);
+       if (!qos) {
+               qos = thread_user_promotion_qos_for_pri(thread->base_pri);
+               relpri = 0;
+       }
+       return _pthread_priority_make_from_thread_qos(qos, relpri, 0);
+}
+
+static kern_return_t
+ipc_kmsg_set_qos(
+       ipc_kmsg_t kmsg,
+       mach_msg_option_t options,
+       mach_msg_priority_t priority)
+{
+       kern_return_t kr;
+       ipc_port_t special_reply_port = kmsg->ikm_header->msgh_local_port;
+       ipc_port_t dest_port = kmsg->ikm_header->msgh_remote_port;
+
+       if ((options & MACH_SEND_OVERRIDE) &&
+           !mach_msg_priority_is_pthread_priority(priority)) {
+               mach_msg_qos_t qos = mach_msg_priority_qos(priority);
+               int relpri = mach_msg_priority_relpri(priority);
+               mach_msg_qos_t ovr = mach_msg_priority_overide_qos(priority);
+
+               kmsg->ikm_ppriority = _pthread_priority_make_from_thread_qos(qos, relpri, 0);
+               kmsg->ikm_qos_override = MAX(qos, ovr);
+       } else {
+               kr = ipc_get_pthpriority_from_kmsg_voucher(kmsg, &kmsg->ikm_ppriority);
+               if (kr != KERN_SUCCESS) {
+                       if (options & MACH_SEND_PROPAGATE_QOS) {
+                               kmsg->ikm_ppriority = ipc_get_current_thread_priority();
+                       } else {
+                               kmsg->ikm_ppriority = MACH_MSG_PRIORITY_UNSPECIFIED;
+                       }
+               }
+
+               if (options & MACH_SEND_OVERRIDE) {
+                       mach_msg_qos_t qos = _pthread_priority_thread_qos(kmsg->ikm_ppriority);
+                       mach_msg_qos_t ovr = _pthread_priority_thread_qos(priority);
+                       kmsg->ikm_qos_override = MAX(qos, ovr);
+               } else {
+                       kmsg->ikm_qos_override = _pthread_priority_thread_qos(kmsg->ikm_ppriority);
+               }
+       }
+
+       kr = KERN_SUCCESS;
+
+       if (IP_VALID(special_reply_port) &&
+           MACH_MSGH_BITS_LOCAL(kmsg->ikm_header->msgh_bits) == MACH_MSG_TYPE_PORT_SEND_ONCE) {
+               if ((options & MACH_SEND_SYNC_OVERRIDE)) {
+                       boolean_t sync_bootstrap_checkin = !!(options & MACH_SEND_SYNC_BOOTSTRAP_CHECKIN);
+                       /*
+                        * Link the destination port to special reply port and make sure that
+                        * dest port has a send turnstile, else allocate one.
+                        */
+                       ipc_port_link_special_reply_port(special_reply_port, dest_port, sync_bootstrap_checkin);
+               }
+       }
+       return kr;
+}
+
+static inline void
+ipc_kmsg_allow_immovable_send(
+       ipc_kmsg_t   kmsg,
+       ipc_entry_t  dest_entry)
+{
+       ipc_object_t object = dest_entry->ie_object;
+       /*
+        *      If the dest port is a kobject, allow copyin of immovable send
+        *      rights in the message body to succeed
+        */
+       if (IO_VALID(object) && io_is_kobject(object)) {
+               kmsg->ikm_flags |= IPC_OBJECT_COPYIN_FLAGS_ALLOW_IMMOVABLE_SEND;
+       }
+}
+
+/*
+ *     Routine:        ipc_kmsg_link_reply_context_locked
+ *     Purpose:
+ *             Link any required context from the sending voucher
+ *             to the reply port. The ipc_kmsg_copyin function will
+ *             enforce that the sender calls mach_msg in this context.
+ *     Conditions:
+ *             reply port is locked
+ */
+static void
+ipc_kmsg_link_reply_context_locked(
+       ipc_port_t reply_port,
+       ipc_port_t voucher_port)
+{
+       kern_return_t __assert_only kr;
+       uint32_t persona_id = 0;
+       ipc_voucher_t voucher;
+
+       ip_lock_held(reply_port);
+
+       if (!ip_active(reply_port)) {
+               return;
+       }
+
+       voucher = convert_port_to_voucher(voucher_port);
+
+       kr = bank_get_bank_ledger_thread_group_and_persona(voucher, NULL, NULL, &persona_id);
+       assert(kr == KERN_SUCCESS);
+       ipc_voucher_release(voucher);
+
+       if (persona_id == 0 || persona_id == PERSONA_ID_NONE) {
+               /* there was no persona context to record */
+               return;
+       }
+
+       /*
+        * Set the persona_id as the context on the reply port.
+        * This will force the thread that replies to have adopted a voucher
+        * with a matching persona.
+        */
+       reply_port->ip_reply_context = persona_id;
+
+       return;
+}
+
+static kern_return_t
+ipc_kmsg_validate_reply_port_locked(ipc_port_t reply_port, mach_msg_option_t options)
+{
+       ip_lock_held(reply_port);
+
+       if (!ip_active(reply_port)) {
                /*
                /*
-                *      We can't let ipc_kmsg_destroy deallocate
-                *      the port right, because we might end up
-                *      in an infinite loop trying to deliver
-                *      a send-once notification.
+                * Ideally, we would enforce that the reply receive right is
+                * active, but asynchronous XPC cancellation destroys the
+                * receive right, so we just have to return success here.
                 */
                 */
-
-               ip_release(port);
-               ip_check_unlock(port);
-               kmsg->ikm_header.msgh_remote_port = MACH_PORT_NULL;
-               ipc_kmsg_destroy(kmsg);
-               return MACH_MSG_SUCCESS;
+               return KERN_SUCCESS;
        }
 
        }
 
-       if (kmsg->ikm_header.msgh_bits & MACH_MSGH_BITS_CIRCULAR) {
-               ip_unlock(port);
+       if (options & MACH_SEND_MSG) {
+               /*
+                * If the rely port is active, then it should not be
+                * in-transit, and the receive right should be in the caller's
+                * IPC space.
+                */
+               if (!reply_port->ip_receiver_name || reply_port->ip_receiver != current_task()->itk_space) {
+                       return KERN_INVALID_CAPABILITY;
+               }
 
 
-               /* don't allow the creation of a circular loop */
+               /*
+                * A port used as a reply port in an RPC should have exactly 1
+                * extant send-once right which we either just made or are
+                * moving as part of the IPC.
+                */
+               if (reply_port->ip_sorights != 1) {
+                       return KERN_INVALID_CAPABILITY;
+               }
+               /*
+                * XPC uses an extra send-right to keep the name of the reply
+                * right around through cancellation.  That makes it harder to
+                * enforce a particular semantic kere, so for now, we say that
+                * you can have a maximum of 1 send right (in addition to your
+                * send once right). In the future, it would be great to lock
+                * this down even further.
+                */
+               if (reply_port->ip_srights > 1) {
+                       return KERN_INVALID_CAPABILITY;
+               }
 
 
-               ipc_kmsg_destroy(kmsg);
-               return MACH_MSG_SUCCESS;
+               /*
+                * The sender can also specify that the receive right should
+                * be immovable. Note that this check only applies to
+                * send-only operations. Combined send/receive or rcv-only
+                * operations can specify an immovable receive right by
+                * opt-ing into guarded descriptors (MACH_RCV_GUARDED_DESC)
+                * and using the MACH_MSG_STRICT_REPLY options flag.
+                */
+               if (MACH_SEND_REPLY_IS_IMMOVABLE(options)) {
+                       if (!reply_port->ip_immovable_receive) {
+                               return KERN_INVALID_CAPABILITY;
+                       }
+               }
        }
 
        /*
        }
 
        /*
-        * We have a valid message and a valid reference on the port.
-        * we can unlock the port and call mqueue_send() on it's message
-        * queue.
+        * don't enforce this yet: need a better way of indicating the
+        * receiver wants this...
         */
         */
-       ip_unlock(port);
-       return (ipc_mqueue_send(&port->ip_messages, kmsg, option, timeout));
+#if 0
+       if (MACH_RCV_WITH_IMMOVABLE_REPLY(options)) {
+               if (!reply_port->ip_immovable_receive) {
+                       return KERN_INVALID_CAPABILITY;
+               }
+       }
+#endif /* 0  */
+
+       return KERN_SUCCESS;
 }
 
 /*
 }
 
 /*
- *     Routine:        ipc_kmsg_put
+ *     Routine:        ipc_kmsg_validate_reply_context_locked
  *     Purpose:
  *     Purpose:
- *             Copies a message buffer to a user message.
- *             Copies only the specified number of bytes.
- *             Frees the message buffer.
+ *             Validate that the current thread is running in the context
+ *             required by the destination port.
  *     Conditions:
  *     Conditions:
- *             Nothing locked.  The message buffer must have clean
- *             header fields.
+ *             dest_port is locked
  *     Returns:
  *     Returns:
- *             MACH_MSG_SUCCESS        Copied data out of message buffer.
- *             MACH_RCV_INVALID_DATA   Couldn't copy to user message.
+ *             MACH_MSG_SUCCESS on success.
+ *             On error, an EXC_GUARD exception is also raised.
+ *             This function *always* resets the port reply context.
  */
  */
-
-mach_msg_return_t
-ipc_kmsg_put(
-       mach_msg_header_t       *msg,
-       ipc_kmsg_t              kmsg,
-       mach_msg_size_t         size)
+static mach_msg_return_t
+ipc_kmsg_validate_reply_context_locked(
+       mach_msg_option_t option,
+       ipc_port_t dest_port,
+       ipc_voucher_t voucher,
+       mach_port_name_t voucher_name)
 {
 {
-       mach_msg_return_t mr;
+       uint32_t dest_ctx = dest_port->ip_reply_context;
+       dest_port->ip_reply_context = 0;
 
 
-       if (copyoutmsg((const char *) &kmsg->ikm_header, (char *) msg, size))
-               mr = MACH_RCV_INVALID_DATA;
-       else
-               mr = MACH_MSG_SUCCESS;
+       if (!ip_active(dest_port)) {
+               return MACH_MSG_SUCCESS;
+       }
 
 
-       ipc_kmsg_free(kmsg);
-       return mr;
-}
+       if (voucher == IPC_VOUCHER_NULL || !MACH_PORT_VALID(voucher_name)) {
+               if ((option & MACH_SEND_KERNEL) == 0) {
+                       mach_port_guard_exception(voucher_name, 0,
+                           (MPG_FLAGS_STRICT_REPLY_INVALID_VOUCHER | dest_ctx),
+                           kGUARD_EXC_STRICT_REPLY);
+               }
+               return MACH_SEND_INVALID_CONTEXT;
+       }
 
 
-/*
- *     Routine:        ipc_kmsg_put_to_kernel
- *     Purpose:
- *             Copies a message buffer to a kernel message.
- *             Frees the message buffer.
- *             No errors allowed.
- *     Conditions:
- *             Nothing locked.
- */
+       kern_return_t __assert_only kr;
+       uint32_t persona_id = 0;
+       kr = bank_get_bank_ledger_thread_group_and_persona(voucher, NULL, NULL, &persona_id);
+       assert(kr == KERN_SUCCESS);
 
 
-void
-ipc_kmsg_put_to_kernel(
-       mach_msg_header_t       *msg,
-       ipc_kmsg_t              kmsg,
-       mach_msg_size_t         size)
-{
-       (void) memcpy((void *) msg, (const void *) &kmsg->ikm_header, size);
+       if (dest_ctx != persona_id) {
+               if ((option & MACH_SEND_KERNEL) == 0) {
+                       mach_port_guard_exception(voucher_name, 0,
+                           (MPG_FLAGS_STRICT_REPLY_MISMATCHED_PERSONA | ((((uint64_t)persona_id << 32) & MPG_FLAGS_STRICT_REPLY_MASK) | dest_ctx)),
+                           kGUARD_EXC_STRICT_REPLY);
+               }
+               return MACH_SEND_INVALID_CONTEXT;
+       }
 
 
-       ipc_kmsg_free(kmsg);
+       return MACH_MSG_SUCCESS;
 }
 
 /*
 }
 
 /*
@@ -925,16 +2804,6 @@ ipc_kmsg_put_to_kernel(
  *             and the bits field is updated.  The destination port
  *             will be a valid port pointer.
  *
  *             and the bits field is updated.  The destination port
  *             will be a valid port pointer.
  *
- *             The notify argument implements the MACH_SEND_CANCEL option.
- *             If it is not MACH_PORT_NULL, it should name a receive right.
- *             If the processing of the destination port would generate
- *             a port-deleted notification (because the right for the
- *             destination port is destroyed and it had a request for
- *             a dead-name notification registered), and the port-deleted
- *             notification would be sent to the named receive right,
- *             then it isn't sent and the send-once right for the notify
- *             port is quietly destroyed.
- *
  *     Conditions:
  *             Nothing locked.
  *     Returns:
  *     Conditions:
  *             Nothing locked.
  *     Returns:
@@ -942,9 +2811,6 @@ ipc_kmsg_put_to_kernel(
  *             MACH_SEND_INVALID_HEADER
  *                     Illegal value in the message header bits.
  *             MACH_SEND_INVALID_DEST  The space is dead.
  *             MACH_SEND_INVALID_HEADER
  *                     Illegal value in the message header bits.
  *             MACH_SEND_INVALID_DEST  The space is dead.
- *             MACH_SEND_INVALID_NOTIFY
- *                     Notify is non-null and doesn't name a receive right.
- *                     (Either KERN_INVALID_NAME or KERN_INVALID_RIGHT.)
  *             MACH_SEND_INVALID_DEST  Can't copyin destination port.
  *                     (Either KERN_INVALID_NAME or KERN_INVALID_RIGHT.)
  *             MACH_SEND_INVALID_REPLY Can't copyin reply port.
  *             MACH_SEND_INVALID_DEST  Can't copyin destination port.
  *                     (Either KERN_INVALID_NAME or KERN_INVALID_RIGHT.)
  *             MACH_SEND_INVALID_REPLY Can't copyin reply port.
@@ -953,357 +2819,889 @@ ipc_kmsg_put_to_kernel(
 
 mach_msg_return_t
 ipc_kmsg_copyin_header(
 
 mach_msg_return_t
 ipc_kmsg_copyin_header(
-       mach_msg_header_t       *msg,
-       ipc_space_t             space,
-       mach_port_name_t        notify)
+       ipc_kmsg_t              kmsg,
+       ipc_space_t             space,
+       mach_msg_priority_t     priority,
+       mach_msg_option_t       *optionp)
 {
 {
+       mach_msg_header_t *msg = kmsg->ikm_header;
        mach_msg_bits_t mbits = msg->msgh_bits & MACH_MSGH_BITS_USER;
        mach_msg_bits_t mbits = msg->msgh_bits & MACH_MSGH_BITS_USER;
-       mach_port_name_t dest_name = (mach_port_name_t)msg->msgh_remote_port;
-       mach_port_name_t reply_name = (mach_port_name_t)msg->msgh_local_port;
+       mach_port_name_t dest_name = CAST_MACH_PORT_TO_NAME(msg->msgh_remote_port);
+       mach_port_name_t reply_name = CAST_MACH_PORT_TO_NAME(msg->msgh_local_port);
+       mach_port_name_t voucher_name = MACH_PORT_NULL;
        kern_return_t kr;
 
        mach_msg_type_name_t dest_type = MACH_MSGH_BITS_REMOTE(mbits);
        mach_msg_type_name_t reply_type = MACH_MSGH_BITS_LOCAL(mbits);
        kern_return_t kr;
 
        mach_msg_type_name_t dest_type = MACH_MSGH_BITS_REMOTE(mbits);
        mach_msg_type_name_t reply_type = MACH_MSGH_BITS_LOCAL(mbits);
-       ipc_object_t dest_port, reply_port;
-       ipc_port_t dest_soright, reply_soright;
-       ipc_port_t notify_port;
+       mach_msg_type_name_t voucher_type = MACH_MSGH_BITS_VOUCHER(mbits);
+       ipc_object_t dest_port = IO_NULL;
+       ipc_object_t reply_port = IO_NULL;
+       ipc_port_t dest_soright = IP_NULL;
+       ipc_port_t reply_soright = IP_NULL;
+       ipc_port_t voucher_soright = IP_NULL;
+       ipc_port_t release_port = IP_NULL;
+       ipc_port_t voucher_port = IP_NULL;
+       ipc_port_t voucher_release_port = IP_NULL;
+       ipc_entry_t dest_entry = IE_NULL;
+       ipc_entry_t reply_entry = IE_NULL;
+       ipc_entry_t voucher_entry = IE_NULL;
+
+       int assertcnt = 0;
+#if IMPORTANCE_INHERITANCE
+       boolean_t needboost = FALSE;
+#endif /* IMPORTANCE_INHERITANCE */
 
        if ((mbits != msg->msgh_bits) ||
            (!MACH_MSG_TYPE_PORT_ANY_SEND(dest_type)) ||
            ((reply_type == 0) ?
 
        if ((mbits != msg->msgh_bits) ||
            (!MACH_MSG_TYPE_PORT_ANY_SEND(dest_type)) ||
            ((reply_type == 0) ?
-            (reply_name != MACH_PORT_NULL) :
-            !MACH_MSG_TYPE_PORT_ANY_SEND(reply_type)))
+           (reply_name != MACH_PORT_NULL) :
+           !MACH_MSG_TYPE_PORT_ANY_SEND(reply_type))) {
                return MACH_SEND_INVALID_HEADER;
                return MACH_SEND_INVALID_HEADER;
+       }
 
 
-       reply_soright = IP_NULL; /* in case we go to invalid dest early */
+       if (!MACH_PORT_VALID(dest_name)) {
+               return MACH_SEND_INVALID_DEST;
+       }
 
        is_write_lock(space);
 
        is_write_lock(space);
-       if (!space->is_active)
-               goto invalid_dest;
-
-       if (!MACH_PORT_VALID(dest_name))
-               goto invalid_dest;
+       if (!is_active(space)) {
+               is_write_unlock(space);
+               return MACH_SEND_INVALID_DEST;
+       }
+       /* space locked and active */
 
 
-       if (notify != MACH_PORT_NULL) {
-               ipc_entry_t entry;
+       /*
+        *      If there is a voucher specified, make sure the disposition is
+        *      valid and the entry actually refers to a voucher port.  Don't
+        *      actually copy in until we validate destination and reply.
+        */
+       if (voucher_type != MACH_MSGH_BITS_ZERO) {
+               voucher_name = msg->msgh_voucher_port;
 
 
-               if ((entry = ipc_entry_lookup(space, notify)) == IE_NULL) {
+               if (voucher_name == MACH_PORT_DEAD ||
+                   (voucher_type != MACH_MSG_TYPE_MOVE_SEND &&
+                   voucher_type != MACH_MSG_TYPE_COPY_SEND)) {
                        is_write_unlock(space);
                        is_write_unlock(space);
-                       return MACH_SEND_INVALID_NOTIFY;
+                       if ((*optionp & MACH_SEND_KERNEL) == 0) {
+                               mach_port_guard_exception(voucher_name, 0, 0, kGUARD_EXC_SEND_INVALID_VOUCHER);
+                       }
+                       return MACH_SEND_INVALID_VOUCHER;
                }
                }
-               if((entry->ie_bits & MACH_PORT_TYPE_RECEIVE) == 0) {
-                       is_write_unlock(space);
-                       return MACH_SEND_INVALID_NOTIFY;
+
+               if (voucher_name != MACH_PORT_NULL) {
+                       voucher_entry = ipc_entry_lookup(space, voucher_name);
+                       if (voucher_entry == IE_NULL ||
+                           (voucher_entry->ie_bits & MACH_PORT_TYPE_SEND) == 0 ||
+                           io_kotype(voucher_entry->ie_object) != IKOT_VOUCHER) {
+                               is_write_unlock(space);
+                               if ((*optionp & MACH_SEND_KERNEL) == 0) {
+                                       mach_port_guard_exception(voucher_name, 0, 0, kGUARD_EXC_SEND_INVALID_VOUCHER);
+                               }
+                               return MACH_SEND_INVALID_VOUCHER;
+                       }
+               } else {
+                       voucher_type = MACH_MSG_TYPE_MOVE_SEND;
                }
                }
+       }
 
 
-               notify_port = (ipc_port_t) entry->ie_object;
+       if (enforce_strict_reply && MACH_SEND_WITH_STRICT_REPLY(*optionp) &&
+           (!MACH_PORT_VALID(reply_name) ||
+           ((reply_type != MACH_MSG_TYPE_MAKE_SEND_ONCE) && (reply_type != MACH_MSG_TYPE_MOVE_SEND_ONCE))
+           )) {
+               /*
+                * The caller cannot enforce a reply context with an invalid
+                * reply port name, or a non-send_once reply disposition.
+                */
+               is_write_unlock(space);
+               if ((*optionp & MACH_SEND_KERNEL) == 0) {
+                       mach_port_guard_exception(reply_name, 0,
+                           (MPG_FLAGS_STRICT_REPLY_INVALID_REPLY_DISP | reply_type),
+                           kGUARD_EXC_STRICT_REPLY);
+               }
+               return MACH_SEND_INVALID_REPLY;
        }
 
        }
 
-       if (dest_name == reply_name) {
-               ipc_entry_t entry;
-               mach_port_name_t name = dest_name;
+       /*
+        *      Handle combinations of validating destination and reply; along
+        *      with copying in destination, reply, and voucher in an atomic way.
+        */
 
 
+       if (dest_name == voucher_name) {
                /*
                /*
-                *      Destination and reply ports are the same!
-                *      This is a little tedious to make atomic, because
-                *      there are 25 combinations of dest_type/reply_type.
-                *      However, most are easy.  If either is move-sonce,
-                *      then there must be an error.  If either are
-                *      make-send or make-sonce, then we must be looking
-                *      at a receive right so the port can't die.
-                *      The hard cases are the combinations of
-                *      copy-send and make-send.
+                *      If the destination name is the same as the voucher name,
+                *      the voucher_entry must already be known.  Either that or
+                *      the destination name is MACH_PORT_NULL (i.e. invalid).
                 */
                 */
-
-               entry = ipc_entry_lookup(space, name);
-               if (entry == IE_NULL)
+               dest_entry = voucher_entry;
+               if (dest_entry == IE_NULL) {
                        goto invalid_dest;
                        goto invalid_dest;
+               }
+               /* Check if dest port allows immovable send rights to be sent in the kmsg body */
+               ipc_kmsg_allow_immovable_send(kmsg, dest_entry);
 
 
-               assert(reply_type != 0); /* because name not null */
-
-               if (!ipc_right_copyin_check(space, name, entry, reply_type))
-                       goto invalid_reply;
+               /*
+                *      Make sure a future copyin of the reply port will succeed.
+                *      Once we start copying in the dest/voucher pair, we can't
+                *      back out.
+                */
+               if (MACH_PORT_VALID(reply_name)) {
+                       assert(reply_type != 0); /* because reply_name not null */
 
 
-               if ((dest_type == MACH_MSG_TYPE_MOVE_SEND_ONCE) ||
-                   (reply_type == MACH_MSG_TYPE_MOVE_SEND_ONCE)) {
-                       /*
-                        *      Why must there be an error?  To get a valid
-                        *      destination, this entry must name a live
-                        *      port (not a dead name or dead port).  However
-                        *      a successful move-sonce will destroy a
-                        *      live entry.  Therefore the other copyin,
-                        *      whatever it is, would fail.  We've already
-                        *      checked for reply port errors above,
-                        *      so report a destination error.
-                        */
+                       /* It is just WRONG if dest, voucher, and reply are all the same. */
+                       if (voucher_name == reply_name) {
+                               goto invalid_reply;
+                       }
+                       reply_entry = ipc_entry_lookup(space, reply_name);
+                       if (reply_entry == IE_NULL) {
+                               goto invalid_reply;
+                       }
+                       assert(dest_entry != reply_entry); /* names are not equal */
+                       if (!ipc_right_copyin_check_reply(space, reply_name, reply_entry, reply_type)) {
+                               goto invalid_reply;
+                       }
+               }
 
 
+               /*
+                *      Do the joint copyin of the dest disposition and
+                *      voucher disposition from the one entry/port.  We
+                *      already validated that the voucher copyin would
+                *      succeed (above).  So, any failure in combining
+                *      the copyins can be blamed on the destination.
+                */
+               kr = ipc_right_copyin_two(space, dest_name, dest_entry,
+                   dest_type, voucher_type, &dest_port, &dest_soright,
+                   &release_port);
+               if (kr != KERN_SUCCESS) {
+                       assert(kr != KERN_INVALID_CAPABILITY);
                        goto invalid_dest;
                        goto invalid_dest;
-               } else if ((dest_type == MACH_MSG_TYPE_MAKE_SEND) ||
-                          (dest_type == MACH_MSG_TYPE_MAKE_SEND_ONCE) ||
-                          (reply_type == MACH_MSG_TYPE_MAKE_SEND) ||
-                          (reply_type == MACH_MSG_TYPE_MAKE_SEND_ONCE)) {
-                       kr = ipc_right_copyin(space, name, entry,
-                                             dest_type, FALSE,
-                                             &dest_port, &dest_soright);
-                       if (kr != KERN_SUCCESS)
-                               goto invalid_dest;
+               }
+               voucher_port = ip_object_to_port(dest_port);
+
+               /*
+                * could not have been one of these dispositions,
+                * validated the port was a true kernel voucher port above,
+                * AND was successfully able to copyin both dest and voucher.
+                */
+               assert(dest_type != MACH_MSG_TYPE_MAKE_SEND);
+               assert(dest_type != MACH_MSG_TYPE_MAKE_SEND_ONCE);
+               assert(dest_type != MACH_MSG_TYPE_MOVE_SEND_ONCE);
 
 
+               /*
+                *      Perform the delayed reply right copyin (guaranteed success).
+                */
+               if (reply_entry != IE_NULL) {
+                       kr = ipc_right_copyin(space, reply_name, reply_entry,
+                           reply_type, IPC_OBJECT_COPYIN_FLAGS_DEADOK,
+                           &reply_port, &reply_soright,
+                           &release_port, &assertcnt, 0, NULL);
+                       assert(assertcnt == 0);
+                       assert(kr == KERN_SUCCESS);
+               }
+       } else {
+               if (dest_name == reply_name) {
                        /*
                        /*
-                        *      Either dest or reply needs a receive right.
-                        *      We know the receive right is there, because
-                        *      of the copyin_check and copyin calls.  Hence
-                        *      the port is not in danger of dying.  If dest
-                        *      used the receive right, then the right needed
-                        *      by reply (and verified by copyin_check) will
-                        *      still be there.
+                        *      Destination and reply ports are the same!
+                        *      This is very similar to the case where the
+                        *      destination and voucher ports were the same
+                        *      (except the reply port disposition is not
+                        *      previously validated).
                         */
                         */
+                       dest_entry = ipc_entry_lookup(space, dest_name);
+                       if (dest_entry == IE_NULL) {
+                               goto invalid_dest;
+                       }
+                       ipc_kmsg_allow_immovable_send(kmsg, dest_entry);
 
 
-                       assert(IO_VALID(dest_port));
-                       assert(entry->ie_bits & MACH_PORT_TYPE_RECEIVE);
-                       assert(dest_soright == IP_NULL);
+                       reply_entry = dest_entry;
+                       assert(reply_type != 0); /* because name not null */
 
 
-                       kr = ipc_right_copyin(space, name, entry,
-                                             reply_type, TRUE,
-                                             &reply_port, &reply_soright);
+                       /*
+                        *      Pre-validate that the reply right can be copied in by itself
+                        */
+                       if (!ipc_right_copyin_check_reply(space, reply_name, reply_entry, reply_type)) {
+                               goto invalid_reply;
+                       }
 
 
-                       assert(kr == KERN_SUCCESS);
-                       assert(reply_port == dest_port);
-                       assert(entry->ie_bits & MACH_PORT_TYPE_RECEIVE);
-                       assert(reply_soright == IP_NULL);
-               } else if ((dest_type == MACH_MSG_TYPE_COPY_SEND) &&
-                          (reply_type == MACH_MSG_TYPE_COPY_SEND)) {
                        /*
                        /*
-                        *      To make this atomic, just do one copy-send,
-                        *      and dup the send right we get out.
+                        *      Do the joint copyin of the dest disposition and
+                        *      reply disposition from the one entry/port.
+                        */
+                       kr = ipc_right_copyin_two(space, dest_name, dest_entry,
+                           dest_type, reply_type, &dest_port, &dest_soright,
+                           &release_port);
+                       if (kr == KERN_INVALID_CAPABILITY) {
+                               goto invalid_reply;
+                       } else if (kr != KERN_SUCCESS) {
+                               goto invalid_dest;
+                       }
+                       reply_port = dest_port;
+               } else {
+                       /*
+                        *      Handle destination and reply independently, as
+                        *      they are independent entries (even if the entries
+                        *      refer to the same port).
+                        *
+                        *      This can be the tough case to make atomic.
+                        *
+                        *      The difficult problem is serializing with port death.
+                        *      The bad case is when dest_port dies after its copyin,
+                        *      reply_port dies before its copyin, and dest_port dies before
+                        *      reply_port.  Then the copyins operated as if dest_port was
+                        *      alive and reply_port was dead, which shouldn't have happened
+                        *      because they died in the other order.
+                        *
+                        *      Note that it is easy for a user task to tell if
+                        *      a copyin happened before or after a port died.
+                        *      If a port dies before copyin, a dead-name notification
+                        *      is generated and the dead name's urefs are incremented,
+                        *      and if the copyin happens first, a port-deleted
+                        *      notification is generated.
+                        *
+                        *      Even so, avoiding that potentially detectable race is too
+                        *      expensive - and no known code cares about it.  So, we just
+                        *      do the expedient thing and copy them in one after the other.
                         */
 
                         */
 
-                       kr = ipc_right_copyin(space, name, entry,
-                                             dest_type, FALSE,
-                                             &dest_port, &dest_soright);
-                       if (kr != KERN_SUCCESS)
+                       dest_entry = ipc_entry_lookup(space, dest_name);
+                       if (dest_entry == IE_NULL) {
                                goto invalid_dest;
                                goto invalid_dest;
+                       }
+                       assert(dest_entry != voucher_entry);
+                       ipc_kmsg_allow_immovable_send(kmsg, dest_entry);
+
+                       /*
+                        *      Make sure reply port entry is valid before dest copyin.
+                        */
+                       if (MACH_PORT_VALID(reply_name)) {
+                               if (reply_name == voucher_name) {
+                                       goto invalid_reply;
+                               }
+                               reply_entry = ipc_entry_lookup(space, reply_name);
+                               if (reply_entry == IE_NULL) {
+                                       goto invalid_reply;
+                               }
+                               assert(dest_entry != reply_entry); /* names are not equal */
+                               assert(reply_type != 0); /* because reply_name not null */
 
 
-                       assert(entry->ie_bits & MACH_PORT_TYPE_SEND);
-                       assert(dest_soright == IP_NULL);
+                               if (!ipc_right_copyin_check_reply(space, reply_name, reply_entry, reply_type)) {
+                                       goto invalid_reply;
+                               }
+                       }
 
                        /*
 
                        /*
-                        *      It's OK if the port we got is dead now,
-                        *      so reply_port is IP_DEAD, because the msg
-                        *      won't go anywhere anyway.
+                        *      copyin the destination.
                         */
                         */
+                       kr = ipc_right_copyin(space, dest_name, dest_entry,
+                           dest_type, (IPC_OBJECT_COPYIN_FLAGS_ALLOW_IMMOVABLE_SEND |
+                           IPC_OBJECT_COPYIN_FLAGS_ALLOW_DEAD_SEND_ONCE),
+                           &dest_port, &dest_soright,
+                           &release_port, &assertcnt, 0, NULL);
+                       assert(assertcnt == 0);
+                       if (kr != KERN_SUCCESS) {
+                               goto invalid_dest;
+                       }
+                       assert(IO_VALID(dest_port));
+                       assert(!IP_VALID(release_port));
 
 
-                       reply_port = (ipc_object_t)
-                               ipc_port_copy_send((ipc_port_t) dest_port);
-                       reply_soright = IP_NULL;
-               } else if ((dest_type == MACH_MSG_TYPE_MOVE_SEND) &&
-                          (reply_type == MACH_MSG_TYPE_MOVE_SEND)) {
                        /*
                        /*
-                        *      This is an easy case.  Just use our
-                        *      handy-dandy special-purpose copyin call
-                        *      to get two send rights for the price of one.
+                        *      Copyin the pre-validated reply right.
+                        *      It's OK if the reply right has gone dead in the meantime.
                         */
                         */
+                       if (MACH_PORT_VALID(reply_name)) {
+                               kr = ipc_right_copyin(space, reply_name, reply_entry,
+                                   reply_type, IPC_OBJECT_COPYIN_FLAGS_DEADOK,
+                                   &reply_port, &reply_soright,
+                                   &release_port, &assertcnt, 0, NULL);
+                               assert(assertcnt == 0);
+                               assert(kr == KERN_SUCCESS);
+                       } else {
+                               /* convert invalid name to equivalent ipc_object type */
+                               reply_port = ip_to_object(CAST_MACH_NAME_TO_PORT(reply_name));
+                       }
+               }
 
 
-                       kr = ipc_right_copyin_two(space, name, entry,
-                                                 &dest_port, &dest_soright);
-                       if (kr != KERN_SUCCESS)
-                               goto invalid_dest;
+               /*
+                * Finally can copyin the voucher right now that dest and reply
+                * are fully copied in (guaranteed success).
+                */
+               if (IE_NULL != voucher_entry) {
+                       kr = ipc_right_copyin(space, voucher_name, voucher_entry,
+                           voucher_type, IPC_OBJECT_COPYIN_FLAGS_NONE,
+                           (ipc_object_t *)&voucher_port,
+                           &voucher_soright,
+                           &voucher_release_port,
+                           &assertcnt, 0, NULL);
+                       assert(assertcnt == 0);
+                       assert(KERN_SUCCESS == kr);
+                       assert(IP_VALID(voucher_port));
+                       require_ip_active(voucher_port);
+               }
+       }
+
+       /*
+        * The entries might need to be deallocated.
+        *
+        * Each entry should be deallocated only once,
+        * even if it was specified in more than one slot in the header.
+        * Note that dest can be the same entry as reply or voucher,
+        * but reply and voucher must be distinct entries.
+        */
+       assert(IE_NULL != dest_entry);
+       if (IE_NULL != reply_entry) {
+               assert(reply_entry != voucher_entry);
+       }
 
 
-                       /* the entry might need to be deallocated */
-                       if (IE_BITS_TYPE(entry->ie_bits) == MACH_PORT_TYPE_NONE)
-                               ipc_entry_dealloc(space, name, entry);
+       if (IE_BITS_TYPE(dest_entry->ie_bits) == MACH_PORT_TYPE_NONE) {
+               ipc_entry_dealloc(space, dest_name, dest_entry);
 
 
-                       reply_port = dest_port;
-                       reply_soright = IP_NULL;
+               if (dest_entry == reply_entry) {
+                       reply_entry = IE_NULL;
+               }
+
+               if (dest_entry == voucher_entry) {
+                       voucher_entry = IE_NULL;
+               }
+
+               dest_entry = IE_NULL;
+       }
+       if (IE_NULL != reply_entry &&
+           IE_BITS_TYPE(reply_entry->ie_bits) == MACH_PORT_TYPE_NONE) {
+               ipc_entry_dealloc(space, reply_name, reply_entry);
+               reply_entry = IE_NULL;
+       }
+       if (IE_NULL != voucher_entry &&
+           IE_BITS_TYPE(voucher_entry->ie_bits) == MACH_PORT_TYPE_NONE) {
+               ipc_entry_dealloc(space, voucher_name, voucher_entry);
+               voucher_entry = IE_NULL;
+       }
+
+       dest_type = ipc_object_copyin_type(dest_type);
+       reply_type = ipc_object_copyin_type(reply_type);
+
+       /*
+        * JMM - Without rdar://problem/6275821, this is the last place we can
+        * re-arm the send-possible notifications.  It may trigger unexpectedly
+        * early (send may NOT have failed), but better than missing.  We assure
+        * we won't miss by forcing MACH_SEND_ALWAYS if we got past arming.
+        */
+       if (((*optionp & MACH_SEND_NOTIFY) != 0) &&
+           dest_type != MACH_MSG_TYPE_PORT_SEND_ONCE &&
+           dest_entry != IE_NULL && dest_entry->ie_request != IE_REQ_NONE) {
+               ipc_port_t dport = ip_object_to_port(dest_port);
+
+               assert(dport != IP_NULL);
+               ip_lock(dport);
+               if (ip_active(dport) && dport->ip_receiver != ipc_space_kernel) {
+                       if (ip_full(dport)) {
+#if IMPORTANCE_INHERITANCE
+                               needboost = ipc_port_request_sparm(dport, dest_name,
+                                   dest_entry->ie_request,
+                                   *optionp,
+                                   priority);
+                               if (needboost == FALSE) {
+                                       ip_unlock(dport);
+                               }
+#else
+                               ipc_port_request_sparm(dport, dest_name,
+                                   dest_entry->ie_request,
+                                   *optionp,
+                                   priority);
+                               ip_unlock(dport);
+#endif /* IMPORTANCE_INHERITANCE */
+                       } else {
+                               *optionp |= MACH_SEND_ALWAYS;
+                               ip_unlock(dport);
+                       }
                } else {
                } else {
-                       ipc_port_t soright;
+                       ip_unlock(dport);
+               }
+       }
+
+       is_write_unlock(space);
+
+#if IMPORTANCE_INHERITANCE
+       /*
+        * If our request is the first boosting send-possible
+        * notification this cycle, push the boost down the
+        * destination port.
+        */
+       if (needboost == TRUE) {
+               ipc_port_t dport = ip_object_to_port(dest_port);
+
+               /* dport still locked from above */
+               if (ipc_port_importance_delta(dport, IPID_OPTION_SENDPOSSIBLE, 1) == FALSE) {
+                       ip_unlock(dport);
+               }
+       }
+#endif /* IMPORTANCE_INHERITANCE */
+
+       if (dest_soright != IP_NULL) {
+               ipc_notify_port_deleted(dest_soright, dest_name);
+       }
+       if (reply_soright != IP_NULL) {
+               ipc_notify_port_deleted(reply_soright, reply_name);
+       }
+       if (voucher_soright != IP_NULL) {
+               ipc_notify_port_deleted(voucher_soright, voucher_name);
+       }
+
+       /*
+        * No room to store voucher port in in-kernel msg header,
+        * so we store it back in the kmsg itself.  Extract the
+        * qos, and apply any override before we enqueue the kmsg.
+        */
+       if (IP_VALID(voucher_port)) {
+               kmsg->ikm_voucher = voucher_port;
+               voucher_type = MACH_MSG_TYPE_MOVE_SEND;
+       }
+
+       msg->msgh_bits = MACH_MSGH_BITS_SET(dest_type, reply_type, voucher_type, mbits);
+       msg->msgh_remote_port = ip_object_to_port(dest_port);
+       msg->msgh_local_port = ip_object_to_port(reply_port);
+
+       /* capture the qos value(s) for the kmsg */
+       ipc_kmsg_set_qos(kmsg, *optionp, priority);
 
 
-                       assert(((dest_type == MACH_MSG_TYPE_COPY_SEND) &&
-                               (reply_type == MACH_MSG_TYPE_MOVE_SEND)) ||
-                              ((dest_type == MACH_MSG_TYPE_MOVE_SEND) &&
-                               (reply_type == MACH_MSG_TYPE_COPY_SEND)));
+       if (release_port != IP_NULL) {
+               ip_release(release_port);
+       }
+
+       if (voucher_release_port != IP_NULL) {
+               ip_release(voucher_release_port);
+       }
 
 
+       if (enforce_strict_reply && MACH_SEND_WITH_STRICT_REPLY(*optionp) && IP_VALID(msg->msgh_local_port)) {
+               /*
+                * We've already validated that the reply disposition is a
+                * [make/move] send-once. Ideally, we should enforce that the
+                * reply port is also not dead, but XPC asynchronous
+                * cancellation can make the reply port dead before we
+                * actually make it to the mach_msg send.
+                *
+                * Here, we ensure that if we have a non-dead reply port, then
+                * the reply port's receive right should not be in-transit,
+                * and should live in the caller's IPC space.
+                */
+               ipc_port_t rport = msg->msgh_local_port;
+               ip_lock(rport);
+               kr = ipc_kmsg_validate_reply_port_locked(rport, *optionp);
+               ip_unlock(rport);
+               if (kr != KERN_SUCCESS) {
                        /*
                        /*
-                        *      To make this atomic, just do a move-send,
-                        *      and dup the send right we get out.
+                        * no descriptors have been copied in yet, but the
+                        * full header has been copied in: clean it up
                         */
                         */
+                       ipc_kmsg_clean_partial(kmsg, 0, NULL, 0, 0);
+                       if ((*optionp & MACH_SEND_KERNEL) == 0) {
+                               mach_port_guard_exception(reply_name, 0,
+                                   (MPG_FLAGS_STRICT_REPLY_INVALID_REPLY_PORT | kr),
+                                   kGUARD_EXC_STRICT_REPLY);
+                       }
+                       return MACH_SEND_INVALID_REPLY;
+               }
+       }
+
+       return MACH_MSG_SUCCESS;
+
+invalid_reply:
+       is_write_unlock(space);
+
+       if (release_port != IP_NULL) {
+               ip_release(release_port);
+       }
+
+       assert(voucher_port == IP_NULL);
+       assert(voucher_soright == IP_NULL);
+
+       if ((*optionp & MACH_SEND_KERNEL) == 0) {
+               mach_port_guard_exception(reply_name, 0, 0, kGUARD_EXC_SEND_INVALID_REPLY);
+       }
+       return MACH_SEND_INVALID_REPLY;
+
+invalid_dest:
+       is_write_unlock(space);
+
+       if (release_port != IP_NULL) {
+               ip_release(release_port);
+       }
+
+       if (reply_soright != IP_NULL) {
+               ipc_notify_port_deleted(reply_soright, reply_name);
+       }
+
+       assert(voucher_port == IP_NULL);
+       assert(voucher_soright == IP_NULL);
+
+       return MACH_SEND_INVALID_DEST;
+}
+
+static mach_msg_descriptor_t *
+ipc_kmsg_copyin_port_descriptor(
+       mach_msg_port_descriptor_t *dsc,
+       mach_msg_legacy_port_descriptor_t *user_dsc_in,
+       ipc_space_t space,
+       ipc_object_t dest,
+       ipc_kmsg_t kmsg,
+       mach_msg_option_t *optionp,
+       mach_msg_return_t *mr)
+{
+       mach_msg_legacy_port_descriptor_t user_dsc = *user_dsc_in;
+       mach_msg_type_name_t        user_disp;
+       mach_msg_type_name_t        result_disp;
+       mach_port_name_t            name;
+       ipc_object_t                        object;
+
+       user_disp = user_dsc.disposition;
+       result_disp = ipc_object_copyin_type(user_disp);
+
+       name = (mach_port_name_t)user_dsc.name;
+       if (MACH_PORT_VALID(name)) {
+               kern_return_t kr = ipc_object_copyin(space, name, user_disp, &object, 0, NULL, kmsg->ikm_flags);
+               if (kr != KERN_SUCCESS) {
+                       if (((*optionp & MACH_SEND_KERNEL) == 0) && (kr == KERN_INVALID_RIGHT)) {
+                               mach_port_guard_exception(name, 0, 0, kGUARD_EXC_SEND_INVALID_RIGHT);
+                       }
+                       *mr = MACH_SEND_INVALID_RIGHT;
+                       return NULL;
+               }
+
+               if ((result_disp == MACH_MSG_TYPE_PORT_RECEIVE) &&
+                   ipc_port_check_circularity(ip_object_to_port(object),
+                   ip_object_to_port(dest))) {
+                       kmsg->ikm_header->msgh_bits |= MACH_MSGH_BITS_CIRCULAR;
+               }
+               dsc->name = ip_object_to_port(object);
+       } else {
+               dsc->name = CAST_MACH_NAME_TO_PORT(name);
+       }
+       dsc->disposition = result_disp;
+       dsc->type = MACH_MSG_PORT_DESCRIPTOR;
+
+       dsc->pad_end = 0;         // debug, unnecessary
+
+       return (mach_msg_descriptor_t *)(user_dsc_in + 1);
+}
+
+static mach_msg_descriptor_t *
+ipc_kmsg_copyin_ool_descriptor(
+       mach_msg_ool_descriptor_t *dsc,
+       mach_msg_descriptor_t *user_dsc,
+       int is_64bit,
+       vm_offset_t *paddr,
+       vm_map_copy_t *copy,
+       vm_size_t *space_needed,
+       vm_map_t map,
+       __unused mach_msg_option_t *optionp,
+       mach_msg_return_t *mr)
+{
+       vm_size_t                           length;
+       boolean_t                           dealloc;
+       mach_msg_copy_options_t             copy_options;
+       mach_vm_offset_t            addr;
+       mach_msg_descriptor_type_t  dsc_type;
+
+       if (is_64bit) {
+               mach_msg_ool_descriptor64_t *user_ool_dsc = (typeof(user_ool_dsc))user_dsc;
+
+               addr = (mach_vm_offset_t) user_ool_dsc->address;
+               length = user_ool_dsc->size;
+               dealloc = user_ool_dsc->deallocate;
+               copy_options = user_ool_dsc->copy;
+               dsc_type = user_ool_dsc->type;
+
+               user_dsc = (typeof(user_dsc))(user_ool_dsc + 1);
+       } else {
+               mach_msg_ool_descriptor32_t *user_ool_dsc = (typeof(user_ool_dsc))user_dsc;
+
+               addr = CAST_USER_ADDR_T(user_ool_dsc->address);
+               dealloc = user_ool_dsc->deallocate;
+               copy_options = user_ool_dsc->copy;
+               dsc_type = user_ool_dsc->type;
+               length = user_ool_dsc->size;
+
+               user_dsc = (typeof(user_dsc))(user_ool_dsc + 1);
+       }
+
+       dsc->size = (mach_msg_size_t)length;
+       dsc->deallocate = dealloc;
+       dsc->copy = copy_options;
+       dsc->type = dsc_type;
+
+       if (length == 0) {
+               dsc->address = NULL;
+       } else if ((length >= MSG_OOL_SIZE_SMALL) &&
+           (copy_options == MACH_MSG_PHYSICAL_COPY) && !dealloc) {
+               /*
+                * If the request is a physical copy and the source
+                * is not being deallocated, then allocate space
+                * in the kernel's pageable ipc copy map and copy
+                * the data in.  The semantics guarantee that the
+                * data will have been physically copied before
+                * the send operation terminates.  Thus if the data
+                * is not being deallocated, we must be prepared
+                * to page if the region is sufficiently large.
+                */
+               if (copyin(addr, (char *)*paddr, length)) {
+                       *mr = MACH_SEND_INVALID_MEMORY;
+                       return NULL;
+               }
+
+               /*
+                * The kernel ipc copy map is marked no_zero_fill.
+                * If the transfer is not a page multiple, we need
+                * to zero fill the balance.
+                */
+               if (!page_aligned(length)) {
+                       (void) memset((void *) (*paddr + length), 0,
+                           round_page(length) - length);
+               }
+               if (vm_map_copyin(ipc_kernel_copy_map, (vm_map_address_t)*paddr,
+                   (vm_map_size_t)length, TRUE, copy) != KERN_SUCCESS) {
+                       *mr = MACH_MSG_VM_KERNEL;
+                       return NULL;
+               }
+               dsc->address = (void *)*copy;
+               *paddr += round_page(length);
+               *space_needed -= round_page(length);
+       } else {
+               /*
+                * Make a vm_map_copy_t of the of the data.  If the
+                * data is small, this will do an optimized physical
+                * copy.  Otherwise, it will do a virtual copy.
+                *
+                * NOTE: A virtual copy is OK if the original is being
+                * deallocted, even if a physical copy was requested.
+                */
+               kern_return_t kr = vm_map_copyin(map, addr,
+                   (vm_map_size_t)length, dealloc, copy);
+               if (kr != KERN_SUCCESS) {
+                       *mr = (kr == KERN_RESOURCE_SHORTAGE) ?
+                           MACH_MSG_VM_KERNEL :
+                           MACH_SEND_INVALID_MEMORY;
+                       return NULL;
+               }
+               dsc->address = (void *)*copy;
+       }
 
 
-                       kr = ipc_right_copyin(space, name, entry,
-                                             MACH_MSG_TYPE_MOVE_SEND, FALSE,
-                                             &dest_port, &soright);
-                       if (kr != KERN_SUCCESS)
-                               goto invalid_dest;
+       return user_dsc;
+}
 
 
-                       /* the entry might need to be deallocated */
+static mach_msg_descriptor_t *
+ipc_kmsg_copyin_ool_ports_descriptor(
+       mach_msg_ool_ports_descriptor_t *dsc,
+       mach_msg_descriptor_t *user_dsc,
+       int is_64bit,
+       vm_map_t map,
+       ipc_space_t space,
+       ipc_object_t dest,
+       ipc_kmsg_t kmsg,
+       mach_msg_option_t *optionp,
+       mach_msg_return_t *mr)
+{
+       void *data;
+       ipc_object_t *objects;
+       unsigned int i;
+       mach_vm_offset_t addr;
+       mach_msg_type_name_t user_disp;
+       mach_msg_type_name_t result_disp;
+       mach_msg_type_number_t count;
+       mach_msg_copy_options_t copy_option;
+       boolean_t deallocate;
+       mach_msg_descriptor_type_t type;
+       vm_size_t ports_length, names_length;
+
+       if (is_64bit) {
+               mach_msg_ool_ports_descriptor64_t *user_ool_dsc = (typeof(user_ool_dsc))user_dsc;
+
+               addr = (mach_vm_offset_t)user_ool_dsc->address;
+               count = user_ool_dsc->count;
+               deallocate = user_ool_dsc->deallocate;
+               copy_option = user_ool_dsc->copy;
+               user_disp = user_ool_dsc->disposition;
+               type = user_ool_dsc->type;
+
+               user_dsc = (typeof(user_dsc))(user_ool_dsc + 1);
+       } else {
+               mach_msg_ool_ports_descriptor32_t *user_ool_dsc = (typeof(user_ool_dsc))user_dsc;
 
 
-                       if (IE_BITS_TYPE(entry->ie_bits) == MACH_PORT_TYPE_NONE)
-                               ipc_entry_dealloc(space, name, entry);
+               addr = CAST_USER_ADDR_T(user_ool_dsc->address);
+               count = user_ool_dsc->count;
+               deallocate = user_ool_dsc->deallocate;
+               copy_option = user_ool_dsc->copy;
+               user_disp = user_ool_dsc->disposition;
+               type = user_ool_dsc->type;
 
 
-                       /*
-                        *      It's OK if the port we got is dead now,
-                        *      so reply_port is IP_DEAD, because the msg
-                        *      won't go anywhere anyway.
-                        */
+               user_dsc = (typeof(user_dsc))(user_ool_dsc + 1);
+       }
 
 
-                       reply_port = (ipc_object_t)
-                               ipc_port_copy_send((ipc_port_t) dest_port);
+       dsc->deallocate = deallocate;
+       dsc->copy = copy_option;
+       dsc->type = type;
+       dsc->count = count;
+       dsc->address = NULL; /* for now */
 
 
-                       if (dest_type == MACH_MSG_TYPE_MOVE_SEND) {
-                               dest_soright = soright;
-                               reply_soright = IP_NULL;
-                       } else {
-                               dest_soright = IP_NULL;
-                               reply_soright = soright;
-                       }
-               }
-       } else if (!MACH_PORT_VALID(reply_name)) {
-               ipc_entry_t entry;
+       result_disp = ipc_object_copyin_type(user_disp);
+       dsc->disposition = result_disp;
 
 
-               /*
-                *      No reply port!  This is an easy case
-                *      to make atomic.  Just copyin the destination.
-                */
+       /* We always do a 'physical copy', but you have to specify something valid */
+       if (copy_option != MACH_MSG_PHYSICAL_COPY &&
+           copy_option != MACH_MSG_VIRTUAL_COPY) {
+               *mr = MACH_SEND_INVALID_TYPE;
+               return NULL;
+       }
 
 
-               entry = ipc_entry_lookup(space, dest_name);
-               if (entry == IE_NULL)
-                       goto invalid_dest;
+       /* calculate length of data in bytes, rounding up */
 
 
-               kr = ipc_right_copyin(space, dest_name, entry,
-                                     dest_type, FALSE,
-                                     &dest_port, &dest_soright);
-               if (kr != KERN_SUCCESS)
-                       goto invalid_dest;
+       if (os_mul_overflow(count, sizeof(mach_port_t), &ports_length)) {
+               *mr = MACH_SEND_TOO_LARGE;
+               return NULL;
+       }
 
 
-               /* the entry might need to be deallocated */
+       if (os_mul_overflow(count, sizeof(mach_port_name_t), &names_length)) {
+               *mr = MACH_SEND_TOO_LARGE;
+               return NULL;
+       }
 
 
-               if (IE_BITS_TYPE(entry->ie_bits) == MACH_PORT_TYPE_NONE)
-                       ipc_entry_dealloc(space, dest_name, entry);
+       if (ports_length == 0) {
+               return user_dsc;
+       }
 
 
-               reply_port = (ipc_object_t) reply_name;
-               reply_soright = IP_NULL;
-       } else {
-               ipc_entry_t dest_entry, reply_entry;
-               ipc_port_t saved_reply;
+       data = kalloc(ports_length);
 
 
-               /*
-                *      This is the tough case to make atomic.
-                *      The difficult problem is serializing with port death.
-                *      At the time we copyin dest_port, it must be alive.
-                *      If reply_port is alive when we copyin it, then
-                *      we are OK, because we serialize before the death
-                *      of both ports.  Assume reply_port is dead at copyin.
-                *      Then if dest_port dies/died after reply_port died,
-                *      we are OK, because we serialize between the death
-                *      of the two ports.  So the bad case is when dest_port
-                *      dies after its copyin, reply_port dies before its
-                *      copyin, and dest_port dies before reply_port.  Then
-                *      the copyins operated as if dest_port was alive
-                *      and reply_port was dead, which shouldn't have happened
-                *      because they died in the other order.
-                *
-                *      Note that it is easy for a user task to tell if
-                *      a copyin happened before or after a port died.
-                *      For example, suppose both dest and reply are
-                *      send-once rights (types are both move-sonce) and
-                *      both rights have dead-name requests registered.
-                *      If a port dies before copyin, a dead-name notification
-                *      is generated and the dead name's urefs are incremented,
-                *      and if the copyin happens first, a port-deleted
-                *      notification is generated.
-                *
-                *      Note that although the entries are different,
-                *      dest_port and reply_port might still be the same.
-                *
-                * JMM - The code to handle this was too expensive and, anyway,
-                * we intend to separate the dest lookup from the reply copyin
-                * by a wide margin, so the user will have to learn to deal!
-                * I will be making the change soon!
-                */
+       if (data == NULL) {
+               *mr = MACH_SEND_NO_BUFFER;
+               return NULL;
+       }
 
 
-               dest_entry = ipc_entry_lookup(space, dest_name);
-               if (dest_entry == IE_NULL)
-                       goto invalid_dest;
+#ifdef __LP64__
+       mach_port_name_t *names = &((mach_port_name_t *)data)[count];
+#else
+       mach_port_name_t *names = ((mach_port_name_t *)data);
+#endif
 
 
-               reply_entry = ipc_entry_lookup(space, reply_name);
-               if (reply_entry == IE_NULL)
-                       goto invalid_reply;
+       if (copyinmap(map, addr, names, names_length) != KERN_SUCCESS) {
+               kfree(data, ports_length);
+               *mr = MACH_SEND_INVALID_MEMORY;
+               return NULL;
+       }
 
 
-               assert(dest_entry != reply_entry); /* names are not equal */
-               assert(reply_type != 0); /* because reply_name not null */
+       if (deallocate) {
+               (void) mach_vm_deallocate(map, addr, (mach_vm_size_t)names_length);
+       }
 
 
-               if (!ipc_right_copyin_check(space, reply_name, reply_entry,
-                                           reply_type))
-                       goto invalid_reply;
+       objects = (ipc_object_t *) data;
+       dsc->address = data;
 
 
-               kr = ipc_right_copyin(space, dest_name, dest_entry,
-                                     dest_type, FALSE,
-                                     &dest_port, &dest_soright);
-               if (kr != KERN_SUCCESS)
-                       goto invalid_dest;
+       for (i = 0; i < count; i++) {
+               mach_port_name_t name = names[i];
+               ipc_object_t object;
 
 
-               assert(IO_VALID(dest_port));
+               if (!MACH_PORT_VALID(name)) {
+                       objects[i] = ip_to_object(CAST_MACH_NAME_TO_PORT(name));
+                       continue;
+               }
 
 
-               kr = ipc_right_copyin(space, reply_name, reply_entry,
-                                     reply_type, TRUE,
-                                     &reply_port, &reply_soright);
+               kern_return_t kr = ipc_object_copyin(space, name, user_disp, &object, 0, NULL, kmsg->ikm_flags);
 
 
-               assert(kr == KERN_SUCCESS);
+               if (kr != KERN_SUCCESS) {
+                       unsigned int j;
 
 
-               /* the entries might need to be deallocated */
+                       for (j = 0; j < i; j++) {
+                               object = objects[j];
+                               if (IPC_OBJECT_VALID(object)) {
+                                       ipc_object_destroy(object, result_disp);
+                               }
+                       }
+                       kfree(data, ports_length);
+                       dsc->address = NULL;
+                       if (((*optionp & MACH_SEND_KERNEL) == 0) && (kr == KERN_INVALID_RIGHT)) {
+                               mach_port_guard_exception(name, 0, 0, kGUARD_EXC_SEND_INVALID_RIGHT);
+                       }
+                       *mr = MACH_SEND_INVALID_RIGHT;
+                       return NULL;
+               }
 
 
-               if (IE_BITS_TYPE(reply_entry->ie_bits) == MACH_PORT_TYPE_NONE)
-                       ipc_entry_dealloc(space, reply_name, reply_entry);
+               if ((dsc->disposition == MACH_MSG_TYPE_PORT_RECEIVE) &&
+                   ipc_port_check_circularity(ip_object_to_port(object),
+                   ip_object_to_port(dest))) {
+                       kmsg->ikm_header->msgh_bits |= MACH_MSGH_BITS_CIRCULAR;
+               }
 
 
-               if (IE_BITS_TYPE(dest_entry->ie_bits) == MACH_PORT_TYPE_NONE)
-                       ipc_entry_dealloc(space, dest_name, dest_entry);
+               objects[i] = object;
        }
 
        }
 
-       /*
-        *      At this point, dest_port, reply_port,
-        *      dest_soright, reply_soright are all initialized.
-        *      Any defunct entries have been deallocated.
-        *      The space is still write-locked, and we need to
-        *      make the MACH_SEND_CANCEL check.  The notify_port pointer
-        *      is still usable, because the copyin code above won't ever
-        *      deallocate a receive right, so its entry still exists
-        *      and holds a ref.  Note notify_port might even equal
-        *      dest_port or reply_port.
-        */
+       return user_dsc;
+}
 
 
-       if ((notify != MACH_PORT_NULL) &&
-           (dest_soright == notify_port)) {
-               ipc_port_release_sonce(dest_soright);
-               dest_soright = IP_NULL;
+static mach_msg_descriptor_t *
+ipc_kmsg_copyin_guarded_port_descriptor(
+       mach_msg_guarded_port_descriptor_t *dsc,
+       mach_msg_descriptor_t *user_addr,
+       int is_64bit,
+       ipc_space_t space,
+       ipc_object_t dest,
+       ipc_kmsg_t kmsg,
+       mach_msg_option_t *optionp,
+       mach_msg_return_t *mr)
+{
+       mach_msg_descriptor_t       *user_dsc;
+       mach_msg_type_name_t        disp;
+       mach_msg_type_name_t        result_disp;
+       mach_port_name_t            name;
+       mach_msg_guard_flags_t      guard_flags;
+       ipc_object_t                object;
+       mach_port_context_t         context;
+
+       if (!is_64bit) {
+               mach_msg_guarded_port_descriptor32_t *user_gp_dsc = (typeof(user_gp_dsc))user_addr;
+               name = user_gp_dsc->name;
+               guard_flags = user_gp_dsc->flags;
+               disp = user_gp_dsc->disposition;
+               context = user_gp_dsc->context;
+               user_dsc = (mach_msg_descriptor_t *)(user_gp_dsc + 1);
+       } else {
+               mach_msg_guarded_port_descriptor64_t *user_gp_dsc = (typeof(user_gp_dsc))user_addr;
+               name = user_gp_dsc->name;
+               guard_flags = user_gp_dsc->flags;
+               disp = user_gp_dsc->disposition;
+               context = user_gp_dsc->context;
+               user_dsc = (mach_msg_descriptor_t *)(user_gp_dsc + 1);
        }
 
        }
 
-       is_write_unlock(space);
-
-       if (dest_soright != IP_NULL)
-               ipc_notify_port_deleted(dest_soright, dest_name);
-
-       if (reply_soright != IP_NULL)
-               ipc_notify_port_deleted(reply_soright, reply_name);
-
-       dest_type = ipc_object_copyin_type(dest_type);
-       reply_type = ipc_object_copyin_type(reply_type);
+       guard_flags &= MACH_MSG_GUARD_FLAGS_MASK;
+       result_disp = ipc_object_copyin_type(disp);
 
 
-       msg->msgh_bits = (MACH_MSGH_BITS_OTHER(mbits) |
-                         MACH_MSGH_BITS(dest_type, reply_type));
-       msg->msgh_remote_port = (ipc_port_t)dest_port;
-       msg->msgh_local_port = (ipc_port_t)reply_port;
+       if (MACH_PORT_VALID(name)) {
+               kern_return_t kr = ipc_object_copyin(space, name, disp, &object, context, &guard_flags, kmsg->ikm_flags);
+               if (kr != KERN_SUCCESS) {
+                       if (((*optionp & MACH_SEND_KERNEL) == 0) && (kr == KERN_INVALID_RIGHT)) {
+                               mach_port_guard_exception(name, 0, 0, kGUARD_EXC_SEND_INVALID_RIGHT);
+                       }
+                       *mr = MACH_SEND_INVALID_RIGHT;
+                       return NULL;
+               }
 
 
-       return MACH_MSG_SUCCESS;
+               if ((result_disp == MACH_MSG_TYPE_PORT_RECEIVE) &&
+                   ipc_port_check_circularity(ip_object_to_port(object),
+                   ip_object_to_port(dest))) {
+                       kmsg->ikm_header->msgh_bits |= MACH_MSGH_BITS_CIRCULAR;
+               }
+               dsc->name = ip_object_to_port(object);
+       } else {
+               dsc->name = CAST_MACH_NAME_TO_PORT(name);
+       }
+       dsc->flags = guard_flags;
+       dsc->disposition = result_disp;
+       dsc->type = MACH_MSG_GUARDED_PORT_DESCRIPTOR;
 
 
-invalid_reply:
-       is_write_unlock(space);
-       return MACH_SEND_INVALID_REPLY;
+#if __LP64__
+       dsc->pad_end = 0;         // debug, unnecessary
+#endif
 
 
-invalid_dest:
-       is_write_unlock(space);
-       if (reply_soright != IP_NULL)
-               ipc_notify_port_deleted(reply_soright, reply_name);
-       return MACH_SEND_INVALID_DEST;
+       return user_dsc;
 }
 
 }
 
+
 /*
  *     Routine:        ipc_kmsg_copyin_body
  *     Purpose:
 /*
  *     Routine:        ipc_kmsg_copyin_body
  *     Purpose:
@@ -1324,308 +3722,288 @@ invalid_dest:
  *             MACH_SEND_MSG_TOO_SMALL Body is too small for types/data.
  *             MACH_SEND_INVALID_RT_OOL_SIZE OOL Buffer too large for RT
  *             MACH_MSG_INVALID_RT_DESCRIPTOR Dealloc and RT are incompatible
  *             MACH_SEND_MSG_TOO_SMALL Body is too small for types/data.
  *             MACH_SEND_INVALID_RT_OOL_SIZE OOL Buffer too large for RT
  *             MACH_MSG_INVALID_RT_DESCRIPTOR Dealloc and RT are incompatible
+ *             MACH_SEND_NO_GRANT_DEST Dest port doesn't accept ports in body
  */
 
 mach_msg_return_t
 ipc_kmsg_copyin_body(
  */
 
 mach_msg_return_t
 ipc_kmsg_copyin_body(
-       ipc_kmsg_t      kmsg,
-       ipc_space_t     space,
-       vm_map_t        map)
-{
-    ipc_object_t                       dest;
-    mach_msg_body_t            *body;
-    mach_msg_descriptor_t      *saddr, *eaddr;
-    boolean_t                  complex;
-    mach_msg_return_t          mr;
-    int                                i;
-    kern_return_t              kr;
-    vm_size_t                  space_needed = 0;
-    vm_offset_t                        paddr = 0;
-    mach_msg_descriptor_t      *sstart;
-    vm_map_copy_t              copy = VM_MAP_COPY_NULL;
-    
-    /*
-     * Determine if the target is a kernel port.
-     */
-    dest = (ipc_object_t) kmsg->ikm_header.msgh_remote_port;
-    complex = FALSE;
-
-    body = (mach_msg_body_t *) (&kmsg->ikm_header + 1);
-    saddr = (mach_msg_descriptor_t *) (body + 1);
-    eaddr = saddr + body->msgh_descriptor_count;
-    
-    /* make sure the message does not ask for more msg descriptors
-     * than the message can hold.
-     */
-    
-    if (eaddr <= saddr ||
-       eaddr > (mach_msg_descriptor_t *) (&kmsg->ikm_header + 
-                           kmsg->ikm_header.msgh_size)) {
-       ipc_kmsg_clean_partial(kmsg,0,0,0);
-       return MACH_SEND_MSG_TOO_SMALL;
-    }
-    
-    /*
-     * Make an initial pass to determine kernal VM space requirements for
-     * physical copies.
-     */
-    for (sstart = saddr; sstart <  eaddr; sstart++) {
-
-       if (sstart->type.type == MACH_MSG_OOL_DESCRIPTOR ||
-           sstart->type.type == MACH_MSG_OOL_VOLATILE_DESCRIPTOR) {
-
-               if (sstart->out_of_line.copy != MACH_MSG_PHYSICAL_COPY &&
-                   sstart->out_of_line.copy != MACH_MSG_VIRTUAL_COPY) {
-                   /*
-                    * Invalid copy option
-                    */
-                   ipc_kmsg_clean_partial(kmsg,0,0,0);
-                   return MACH_SEND_INVALID_TYPE;
-               }
-               
-               if ((sstart->out_of_line.size >= MSG_OOL_SIZE_SMALL) &&
-                   (sstart->out_of_line.copy == MACH_MSG_PHYSICAL_COPY) &&
-                   !(sstart->out_of_line.deallocate)) {
-
-                       /*
-                        * Out-of-line memory descriptor, accumulate kernel
-                        * memory requirements
-                        */
-                       space_needed += round_page(sstart->out_of_line.size);
-                       if (space_needed > ipc_kmsg_max_vm_space) {
-
-                               /*
-                                * Per message kernel memory limit exceeded
-                                */
-                               ipc_kmsg_clean_partial(kmsg,0,0,0);
-                               return MACH_MSG_VM_KERNEL;
-                       }
-               }
-       }
-    }
-
-    /*
-     * Allocate space in the pageable kernel ipc copy map for all the
-     * ool data that is to be physically copied.  Map is marked wait for
-     * space.
-     */
-    if (space_needed) {
-       if (vm_allocate(ipc_kernel_copy_map, &paddr, space_needed, TRUE) !=
-           KERN_SUCCESS) {
-               ipc_kmsg_clean_partial(kmsg,0,0,0);
-               return MACH_MSG_VM_KERNEL;
-       }
-    }
-
-    /* 
-     * handle the OOL regions and port descriptors.
-     * the check for complex messages was done earlier.
-     */
-    
-    for (i = 0, sstart = saddr; sstart <  eaddr; sstart++) {
-       
-       switch (sstart->type.type) {
-           
-           case MACH_MSG_PORT_DESCRIPTOR: {
-               mach_msg_type_name_t            name;
-               ipc_object_t                    object;
-               mach_msg_port_descriptor_t      *dsc;
-               
-               dsc = &sstart->port;
-               
-               /* this is really the type SEND, SEND_ONCE, etc. */
-               name = dsc->disposition;
-               dsc->disposition = ipc_object_copyin_type(name);
-               
-               if (!MACH_PORT_VALID((mach_port_name_t)dsc->name)) {
-                   complex = TRUE;
-                   break;
-               }
-               kr = ipc_object_copyin(space, (mach_port_name_t)dsc->name, name, &object);
-               if (kr != KERN_SUCCESS) {
-                   ipc_kmsg_clean_partial(kmsg, i, paddr, space_needed);
-                   return MACH_SEND_INVALID_RIGHT;
+       ipc_kmsg_t      kmsg,
+       ipc_space_t     space,
+       vm_map_t    map,
+       mach_msg_option_t *optionp)
+{
+       ipc_object_t                dest;
+       mach_msg_body_t             *body;
+       mach_msg_descriptor_t       *daddr, *naddr, *end;
+       mach_msg_descriptor_t       *user_addr, *kern_addr;
+       mach_msg_type_number_t      dsc_count;
+       boolean_t                   is_task_64bit = (map->max_offset > VM_MAX_ADDRESS);
+       boolean_t                   complex = FALSE;
+       boolean_t                   contains_port_desc = FALSE;
+       vm_size_t                   space_needed = 0;
+       vm_offset_t                 paddr = 0;
+       vm_map_copy_t               copy = VM_MAP_COPY_NULL;
+       mach_msg_type_number_t      i;
+       mach_msg_return_t           mr = MACH_MSG_SUCCESS;
+       ipc_port_t                  remote_port = kmsg->ikm_header->msgh_remote_port;
+
+       vm_size_t           descriptor_size = 0;
+
+       mach_msg_type_number_t total_ool_port_count = 0;
+       mach_msg_guard_flags_t guard_flags = 0;
+       mach_port_context_t context;
+       mach_msg_type_name_t disp;
+
+       /*
+        * Determine if the target is a kernel port.
+        */
+       dest = ip_to_object(remote_port);
+       body = (mach_msg_body_t *) (kmsg->ikm_header + 1);
+       naddr = (mach_msg_descriptor_t *) (body + 1);
+       end = (mach_msg_descriptor_t *) ((vm_offset_t)kmsg->ikm_header + kmsg->ikm_header->msgh_size);
+
+       dsc_count = body->msgh_descriptor_count;
+       if (dsc_count == 0) {
+               return MACH_MSG_SUCCESS;
+       }
+
+       /*
+        * Make an initial pass to determine kernal VM space requirements for
+        * physical copies and possible contraction of the descriptors from
+        * processes with pointers larger than the kernel's.
+        */
+       daddr = NULL;
+       for (i = 0; i < dsc_count; i++) {
+               mach_msg_size_t size;
+               mach_msg_type_number_t ool_port_count = 0;
+
+               daddr = naddr;
+
+               /* make sure the descriptor fits in the message */
+               if (is_task_64bit) {
+                       if ((mach_msg_descriptor_t*)((vm_offset_t)daddr + 12) > end) {
+                               mr = MACH_SEND_MSG_TOO_SMALL;
+                               goto clean_message;
+                       }
+
+                       switch (daddr->type.type) {
+                       case MACH_MSG_OOL_DESCRIPTOR:
+                       case MACH_MSG_OOL_VOLATILE_DESCRIPTOR:
+                       case MACH_MSG_OOL_PORTS_DESCRIPTOR:
+                       case MACH_MSG_GUARDED_PORT_DESCRIPTOR:
+                               descriptor_size += 16;
+                               naddr = (typeof(naddr))((vm_offset_t)daddr + 16);
+                               break;
+                       default:
+                               descriptor_size += 12;
+                               naddr = (typeof(naddr))((vm_offset_t)daddr + 12);
+                               break;
+                       }
+               } else {
+                       descriptor_size += 12;
+                       naddr = (typeof(naddr))((vm_offset_t)daddr + 12);
                }
                }
-               if ((dsc->disposition == MACH_MSG_TYPE_PORT_RECEIVE) &&
-                   ipc_port_check_circularity((ipc_port_t) object,
-                                              (ipc_port_t) dest)) {
-                   kmsg->ikm_header.msgh_bits |= MACH_MSGH_BITS_CIRCULAR;
+
+               if (naddr > end) {
+                       mr = MACH_SEND_MSG_TOO_SMALL;
+                       goto clean_message;
                }
                }
-               dsc->name = (ipc_port_t) object;
-               complex = TRUE;
-               break;
-           }
-           case MACH_MSG_OOL_VOLATILE_DESCRIPTOR:
-           case MACH_MSG_OOL_DESCRIPTOR: {
-               vm_size_t                       length;
-               boolean_t                       dealloc;
-               vm_offset_t                     addr;
-               vm_offset_t                     kaddr;
-               mach_msg_ool_descriptor_t       *dsc;
-               
-               dsc = &sstart->out_of_line;
-               dealloc = dsc->deallocate;
-               addr = (vm_offset_t) dsc->address;
-               
-               length = dsc->size;
-               
-               if (length == 0) {
-                   dsc->address = 0;
-               } else if ((length >= MSG_OOL_SIZE_SMALL) &&
-                          (dsc->copy == MACH_MSG_PHYSICAL_COPY) && !dealloc) {
-
-                       /*
-                        * If the request is a physical copy and the source
-                        * is not being deallocated, then allocate space
-                        * in the kernel's pageable ipc copy map and copy
-                        * the data in.  The semantics guarantee that the
-                        * data will have been physically copied before
-                        * the send operation terminates.  Thus if the data
-                        * is not being deallocated, we must be prepared
-                        * to page if the region is sufficiently large.
-                        */
-                       if (copyin((const char *) addr, (char *) paddr, 
-                                                               length)) {
-                               ipc_kmsg_clean_partial(kmsg, i, paddr, 
-                                                          space_needed);
-                               return MACH_SEND_INVALID_MEMORY;
-                       }       
 
 
-                       /*
-                        * The kernel ipc copy map is marked no_zero_fill.
-                        * If the transfer is not a page multiple, we need
-                        * to zero fill the balance.
-                        */
-                       if (!page_aligned(length)) {
-                               (void) memset((void *) (paddr + length), 0,
-                                       round_page(length) - length);
-                       }
-                       if (vm_map_copyin(ipc_kernel_copy_map, paddr, length,
-                                          TRUE, &copy) != KERN_SUCCESS) {
-                           ipc_kmsg_clean_partial(kmsg, i, paddr, 
-                                                      space_needed);
-                           return MACH_MSG_VM_KERNEL;
-                       }
-                       dsc->address = (void *) copy;
-                       paddr += round_page(length);
-                       space_needed -= round_page(length);
-               } else {
+               switch (daddr->type.type) {
+               case MACH_MSG_OOL_DESCRIPTOR:
+               case MACH_MSG_OOL_VOLATILE_DESCRIPTOR:
+                       size = (is_task_64bit) ?
+                           ((mach_msg_ool_descriptor64_t *)daddr)->size :
+                           daddr->out_of_line.size;
 
 
-                       /*
-                        * Make a vm_map_copy_t of the of the data.  If the
-                        * data is small, this will do an optimized physical
-                        * copy.  Otherwise, it will do a virtual copy.
-                        *
-                        * NOTE: A virtual copy is OK if the original is being
-                        * deallocted, even if a physical copy was requested.
-                        */
-                       kr = vm_map_copyin(map, addr, length, dealloc, &copy);
-                       if (kr != KERN_SUCCESS) {
-                           ipc_kmsg_clean_partial(kmsg,i,paddr,space_needed);
-                           return (kr == KERN_RESOURCE_SHORTAGE) ?
-                                  MACH_MSG_VM_KERNEL :
-                                  MACH_SEND_INVALID_MEMORY;
-                       }
-                       dsc->address = (void *) copy;
-               }
-               complex = TRUE;
-               break;
-           }
-           case MACH_MSG_OOL_PORTS_DESCRIPTOR: {
-               vm_size_t                               length;
-               vm_offset_t                             data;
-               vm_offset_t                             addr;
-               ipc_object_t                            *objects;
-               int                                     j;
-               mach_msg_type_name_t                    name;
-               mach_msg_ool_ports_descriptor_t         *dsc;
-               
-               dsc = &sstart->ool_ports;
-               addr = (vm_offset_t) dsc->address;
-
-               /* calculate length of data in bytes, rounding up */
-               length = dsc->count * sizeof(mach_port_name_t);
-               
-               if (length == 0) {
-                   complex = TRUE;
-                   dsc->address = (void *) 0;
-                   break;
-               }
-
-               data = kalloc(length);
-
-               if (data == 0) {
-                   ipc_kmsg_clean_partial(kmsg, i, paddr, space_needed);
-                   return MACH_SEND_NO_BUFFER;
-               }
-               
-               if (copyinmap(map, addr, data, length)) {
-                   kfree(data, length);
-                   ipc_kmsg_clean_partial(kmsg, i, paddr, space_needed);
-                   return MACH_SEND_INVALID_MEMORY;
-               }
-
-               if (dsc->deallocate) {
-                       (void) vm_deallocate(map, addr, length);
-               }
-               
-               dsc->address = (void *) data;
-               
-               /* this is really the type SEND, SEND_ONCE, etc. */
-               name = dsc->disposition;
-               dsc->disposition = ipc_object_copyin_type(name);
-               
-               objects = (ipc_object_t *) data;
-               
-               for ( j = 0; j < dsc->count; j++) {
-                   mach_port_name_t port = (mach_port_name_t) objects[j];
-                   ipc_object_t object;
-                   
-                   if (!MACH_PORT_VALID(port))
-                       continue;
-                   
-                   kr = ipc_object_copyin(space, port, name, &object);
-
-                   if (kr != KERN_SUCCESS) {
-                       int k;
-
-                       for(k = 0; k < j; k++) {
-                           object = objects[k];
-                           if (!MACH_PORT_VALID(port))
-                               continue;
-                           ipc_object_destroy(object, dsc->disposition);
-                       }
-                       kfree(data, length);
-                       ipc_kmsg_clean_partial(kmsg, i, paddr, space_needed);
-                       return MACH_SEND_INVALID_RIGHT;
-                   }
-                   
-                   if ((dsc->disposition == MACH_MSG_TYPE_PORT_RECEIVE) &&
-                       ipc_port_check_circularity(
-                                                  (ipc_port_t) object,
-                                                  (ipc_port_t) dest))
-                       kmsg->ikm_header.msgh_bits |= MACH_MSGH_BITS_CIRCULAR;
-                   
-                   objects[j] = object;
-               }
-               
-               complex = TRUE;
-               break;
-           }
-           default: {
-               /*
-                * Invalid descriptor
-                */
-               ipc_kmsg_clean_partial(kmsg, i, paddr, space_needed);
-               return MACH_SEND_INVALID_TYPE;
-           }
+                       if (daddr->out_of_line.copy != MACH_MSG_PHYSICAL_COPY &&
+                           daddr->out_of_line.copy != MACH_MSG_VIRTUAL_COPY) {
+                               /*
+                                * Invalid copy option
+                                */
+                               mr = MACH_SEND_INVALID_TYPE;
+                               goto clean_message;
+                       }
+
+                       if ((size >= MSG_OOL_SIZE_SMALL) &&
+                           (daddr->out_of_line.copy == MACH_MSG_PHYSICAL_COPY) &&
+                           !(daddr->out_of_line.deallocate)) {
+                               /*
+                                * Out-of-line memory descriptor, accumulate kernel
+                                * memory requirements
+                                */
+                               if (space_needed + round_page(size) <= space_needed) {
+                                       /* Overflow dectected */
+                                       mr = MACH_MSG_VM_KERNEL;
+                                       goto clean_message;
+                               }
+
+                               space_needed += round_page(size);
+                               if (space_needed > ipc_kmsg_max_vm_space) {
+                                       /* Per message kernel memory limit exceeded */
+                                       mr = MACH_MSG_VM_KERNEL;
+                                       goto clean_message;
+                               }
+                       }
+                       break;
+               case MACH_MSG_PORT_DESCRIPTOR:
+                       if (os_add_overflow(total_ool_port_count, 1, &total_ool_port_count)) {
+                               /* Overflow detected */
+                               mr = MACH_SEND_TOO_LARGE;
+                               goto clean_message;
+                       }
+                       contains_port_desc = TRUE;
+                       break;
+               case MACH_MSG_OOL_PORTS_DESCRIPTOR:
+                       ool_port_count = (is_task_64bit) ?
+                           ((mach_msg_ool_ports_descriptor64_t *)daddr)->count :
+                           daddr->ool_ports.count;
+
+                       if (os_add_overflow(total_ool_port_count, ool_port_count, &total_ool_port_count)) {
+                               /* Overflow detected */
+                               mr = MACH_SEND_TOO_LARGE;
+                               goto clean_message;
+                       }
+
+                       if (ool_port_count > (ipc_kmsg_max_vm_space / sizeof(mach_port_t))) {
+                               /* Per message kernel memory limit exceeded */
+                               mr = MACH_SEND_TOO_LARGE;
+                               goto clean_message;
+                       }
+                       contains_port_desc = TRUE;
+                       break;
+               case MACH_MSG_GUARDED_PORT_DESCRIPTOR:
+                       guard_flags = (is_task_64bit) ?
+                           ((mach_msg_guarded_port_descriptor64_t *)daddr)->flags :
+                           ((mach_msg_guarded_port_descriptor32_t *)daddr)->flags;
+                       context = (is_task_64bit) ?
+                           ((mach_msg_guarded_port_descriptor64_t *)daddr)->context :
+                           ((mach_msg_guarded_port_descriptor32_t *)daddr)->context;
+                       disp = (is_task_64bit) ?
+                           ((mach_msg_guarded_port_descriptor64_t *)daddr)->disposition :
+                           ((mach_msg_guarded_port_descriptor32_t *)daddr)->disposition;
+
+                       /* Only MACH_MSG_TYPE_MOVE_RECEIVE is supported for now */
+                       if (!guard_flags || ((guard_flags & ~MACH_MSG_GUARD_FLAGS_MASK) != 0) ||
+                           ((guard_flags & MACH_MSG_GUARD_FLAGS_UNGUARDED_ON_SEND) && (context != 0)) ||
+                           (disp != MACH_MSG_TYPE_MOVE_RECEIVE)) {
+                               /*
+                                * Invalid guard flags, context or disposition
+                                */
+                               mr = MACH_SEND_INVALID_TYPE;
+                               goto clean_message;
+                       }
+                       if (os_add_overflow(total_ool_port_count, 1, &total_ool_port_count)) {
+                               /* Overflow detected */
+                               mr = MACH_SEND_TOO_LARGE;
+                               goto clean_message;
+                       }
+                       contains_port_desc = TRUE;
+                       break;
+               }
+       }
+
+       /* Sending more than 16383 rights in one message seems crazy */
+       if (total_ool_port_count >= (MACH_PORT_UREFS_MAX / 4)) {
+               mr = MACH_SEND_TOO_LARGE;
+               goto clean_message;
        }
        }
-       i++ ;
-    }
-    
-    if (!complex)
-       kmsg->ikm_header.msgh_bits &= ~MACH_MSGH_BITS_COMPLEX;
-    return MACH_MSG_SUCCESS;
+
+       /*
+        * Check if dest is a no-grant port; Since this bit is set only on
+        * port construction and cannot be unset later, we can peek at the
+        * bit without paying the cost of locking the port.
+        */
+       if (contains_port_desc && remote_port->ip_no_grant) {
+               mr = MACH_SEND_NO_GRANT_DEST;
+               goto clean_message;
+       }
+
+       /*
+        * Allocate space in the pageable kernel ipc copy map for all the
+        * ool data that is to be physically copied.  Map is marked wait for
+        * space.
+        */
+       if (space_needed) {
+               if (vm_allocate_kernel(ipc_kernel_copy_map, &paddr, space_needed,
+                   VM_FLAGS_ANYWHERE, VM_KERN_MEMORY_IPC) != KERN_SUCCESS) {
+                       mr = MACH_MSG_VM_KERNEL;
+                       goto clean_message;
+               }
+       }
+
+       /* user_addr = just after base as it was copied in */
+       user_addr = (mach_msg_descriptor_t *)((vm_offset_t)kmsg->ikm_header + sizeof(mach_msg_base_t));
+
+       /* Shift the mach_msg_base_t down to make room for dsc_count*16bytes of descriptors on 64 bit kernels
+        */
+       if (descriptor_size != 16 * dsc_count) {
+               vm_offset_t dsc_adjust = 16 * dsc_count - descriptor_size;
+
+               memmove((char *)(((vm_offset_t)kmsg->ikm_header) - dsc_adjust), kmsg->ikm_header, sizeof(mach_msg_base_t));
+               kmsg->ikm_header = (mach_msg_header_t *)((vm_offset_t)kmsg->ikm_header - dsc_adjust);
+
+               /* Update the message size for the larger in-kernel representation */
+               kmsg->ikm_header->msgh_size += (mach_msg_size_t)dsc_adjust;
+       }
+
+
+       /* kern_addr = just after base after it has been (conditionally) moved */
+       kern_addr = (mach_msg_descriptor_t *)((vm_offset_t)kmsg->ikm_header + sizeof(mach_msg_base_t));
+
+       /* handle the OOL regions and port descriptors. */
+       for (i = 0; i < dsc_count; i++) {
+               switch (user_addr->type.type) {
+               case MACH_MSG_PORT_DESCRIPTOR:
+                       user_addr = ipc_kmsg_copyin_port_descriptor((mach_msg_port_descriptor_t *)kern_addr,
+                           (mach_msg_legacy_port_descriptor_t *)user_addr, space, dest, kmsg, optionp, &mr);
+                       kern_addr++;
+                       complex = TRUE;
+                       break;
+               case MACH_MSG_OOL_VOLATILE_DESCRIPTOR:
+               case MACH_MSG_OOL_DESCRIPTOR:
+                       user_addr = ipc_kmsg_copyin_ool_descriptor((mach_msg_ool_descriptor_t *)kern_addr,
+                           user_addr, is_task_64bit, &paddr, &copy, &space_needed, map, optionp, &mr);
+                       kern_addr++;
+                       complex = TRUE;
+                       break;
+               case MACH_MSG_OOL_PORTS_DESCRIPTOR:
+                       user_addr = ipc_kmsg_copyin_ool_ports_descriptor((mach_msg_ool_ports_descriptor_t *)kern_addr,
+                           user_addr, is_task_64bit, map, space, dest, kmsg, optionp, &mr);
+                       kern_addr++;
+                       complex = TRUE;
+                       break;
+               case MACH_MSG_GUARDED_PORT_DESCRIPTOR:
+                       user_addr = ipc_kmsg_copyin_guarded_port_descriptor((mach_msg_guarded_port_descriptor_t *)kern_addr,
+                           user_addr, is_task_64bit, space, dest, kmsg, optionp, &mr);
+                       kern_addr++;
+                       complex = TRUE;
+                       break;
+               default:
+                       /* Invalid descriptor */
+                       mr = MACH_SEND_INVALID_TYPE;
+                       break;
+               }
+
+               if (MACH_MSG_SUCCESS != mr) {
+                       /* clean from start of message descriptors to i */
+                       ipc_kmsg_clean_partial(kmsg, i,
+                           (mach_msg_descriptor_t *)((mach_msg_base_t *)kmsg->ikm_header + 1),
+                           paddr, space_needed);
+                       goto out;
+               }
+       }         /* End of loop */
+
+       if (!complex) {
+               kmsg->ikm_header->msgh_bits &= ~MACH_MSGH_BITS_COMPLEX;
+       }
+out:
+       return mr;
+
+clean_message:
+       /* no descriptors have been copied in yet */
+       ipc_kmsg_clean_partial(kmsg, 0, NULL, 0, 0);
+       return mr;
 }
 
 
 }
 
 
@@ -1643,9 +4021,7 @@ ipc_kmsg_copyin_body(
  *             Nothing locked.
  *     Returns:
  *             MACH_MSG_SUCCESS        Successful copyin.
  *             Nothing locked.
  *     Returns:
  *             MACH_MSG_SUCCESS        Successful copyin.
- *             MACH_SEND_INVALID_HEADER
- *                     Illegal value in the message header bits.
- *             MACH_SEND_INVALID_NOTIFY        Bad notify port.
+ *             MACH_SEND_INVALID_HEADER Illegal value in the message header bits.
  *             MACH_SEND_INVALID_DEST  Can't copyin destination port.
  *             MACH_SEND_INVALID_REPLY Can't copyin reply port.
  *             MACH_SEND_INVALID_MEMORY        Can't grab out-of-line memory.
  *             MACH_SEND_INVALID_DEST  Can't copyin destination port.
  *             MACH_SEND_INVALID_REPLY Can't copyin reply port.
  *             MACH_SEND_INVALID_MEMORY        Can't grab out-of-line memory.
@@ -1654,56 +4030,302 @@ ipc_kmsg_copyin_body(
  *             MACH_SEND_MSG_TOO_SMALL Body is too small for types/data.
  */
 
  *             MACH_SEND_MSG_TOO_SMALL Body is too small for types/data.
  */
 
-mach_msg_return_t
-ipc_kmsg_copyin(
-       ipc_kmsg_t              kmsg,
-       ipc_space_t             space,
-       vm_map_t                map,
-       mach_port_name_t        notify)
-{
-    mach_msg_return_t          mr;
-    
-    mr = ipc_kmsg_copyin_header(&kmsg->ikm_header, space, notify);
-    if (mr != MACH_MSG_SUCCESS)
-       return mr;
-    
-    if ((kmsg->ikm_header.msgh_bits & MACH_MSGH_BITS_COMPLEX) == 0)
+mach_msg_return_t
+ipc_kmsg_copyin(
+       ipc_kmsg_t              kmsg,
+       ipc_space_t             space,
+       vm_map_t                map,
+       mach_msg_priority_t     priority,
+       mach_msg_option_t       *optionp)
+{
+       mach_msg_return_t           mr;
+       mach_port_name_t dest_name = CAST_MACH_PORT_TO_NAME(kmsg->ikm_header->msgh_remote_port);
+
+       kmsg->ikm_header->msgh_bits &= MACH_MSGH_BITS_USER;
+
+       mr = ipc_kmsg_copyin_header(kmsg, space, priority, optionp);
+
+       if (mr != MACH_MSG_SUCCESS) {
+               return mr;
+       }
+
+       /* Get the message filter policy if the task and port support filtering */
+       mach_msg_filter_id fid = 0;
+       if (ip_enforce_msg_filtering(kmsg->ikm_header->msgh_remote_port) &&
+           task_get_filter_msg_flag(current_task())) {
+               /* port label is yet to be supported */
+               boolean_t allow_kmsg = mach_msg_fetch_filter_policy(NULL, kmsg->ikm_header->msgh_id, &fid);
+               if (!allow_kmsg) {
+                       mach_port_guard_exception(dest_name, 0, 0, kGUARD_EXC_MSG_FILTERED);
+                       /* no descriptors have been copied in yet */
+                       ipc_kmsg_clean_partial(kmsg, 0, NULL, 0, 0);
+                       return MACH_SEND_MSG_FILTERED;
+               }
+               kmsg->ikm_filter_policy_id = fid;
+       }
+
+       KERNEL_DEBUG_CONSTANT(MACHDBG_CODE(DBG_MACH_IPC, MACH_IPC_MSG_SEND) | DBG_FUNC_NONE,
+           VM_KERNEL_ADDRPERM((uintptr_t)kmsg),
+           (uintptr_t)kmsg->ikm_header->msgh_bits,
+           (uintptr_t)kmsg->ikm_header->msgh_id,
+           VM_KERNEL_ADDRPERM((uintptr_t)unsafe_convert_port_to_voucher(kmsg->ikm_voucher)),
+           0);
+
+       DEBUG_KPRINT_SYSCALL_IPC("ipc_kmsg_copyin header:\n%.8x\n%.8x\n%p\n%p\n%p\n%.8x\n",
+           kmsg->ikm_header->msgh_size,
+           kmsg->ikm_header->msgh_bits,
+           kmsg->ikm_header->msgh_remote_port,
+           kmsg->ikm_header->msgh_local_port,
+           kmsg->ikm_voucher,
+           kmsg->ikm_header->msgh_id);
+
+       if (kmsg->ikm_header->msgh_bits & MACH_MSGH_BITS_COMPLEX) {
+               mr = ipc_kmsg_copyin_body( kmsg, space, map, optionp);
+
+               /* unreachable if !DEBUG */
+               __unreachable_ok_push
+               if (DEBUG_KPRINT_SYSCALL_PREDICATE(DEBUG_KPRINT_SYSCALL_IPC_MASK)) {
+                       kprintf("body:\n");
+                       uint32_t i;
+                       for (i = 0; i * 4 < (kmsg->ikm_header->msgh_size - sizeof(mach_msg_header_t)); i++) {
+                               kprintf("%.4x\n", ((uint32_t *)(kmsg->ikm_header + 1))[i]);
+                       }
+               }
+               __unreachable_ok_pop
+       }
+
+       /* Sign the message contents */
+       if (mr == MACH_MSG_SUCCESS) {
+               ikm_sign(kmsg);
+       }
+
+       return mr;
+}
+
+/*
+ *     Routine:        ipc_kmsg_copyin_from_kernel
+ *     Purpose:
+ *             "Copy-in" port rights and out-of-line memory
+ *             in a message sent from the kernel.
+ *
+ *             Because the message comes from the kernel,
+ *             the implementation assumes there are no errors
+ *             or peculiarities in the message.
+ *     Conditions:
+ *             Nothing locked.
+ */
+
+mach_msg_return_t
+ipc_kmsg_copyin_from_kernel(
+       ipc_kmsg_t      kmsg)
+{
+       mach_msg_bits_t bits = kmsg->ikm_header->msgh_bits;
+       mach_msg_type_name_t rname = MACH_MSGH_BITS_REMOTE(bits);
+       mach_msg_type_name_t lname = MACH_MSGH_BITS_LOCAL(bits);
+       ipc_object_t remote = ip_to_object(kmsg->ikm_header->msgh_remote_port);
+       ipc_object_t local = ip_to_object(kmsg->ikm_header->msgh_local_port);
+       ipc_port_t dest = kmsg->ikm_header->msgh_remote_port;
+
+       /* translate the destination and reply ports */
+       if (!IO_VALID(remote)) {
+               return MACH_SEND_INVALID_DEST;
+       }
+
+       ipc_object_copyin_from_kernel(remote, rname);
+       if (IO_VALID(local)) {
+               ipc_object_copyin_from_kernel(local, lname);
+       }
+
+       /*
+        *      The common case is a complex message with no reply port,
+        *      because that is what the memory_object interface uses.
+        */
+
+       if (bits == (MACH_MSGH_BITS_COMPLEX |
+           MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, 0))) {
+               bits = (MACH_MSGH_BITS_COMPLEX |
+                   MACH_MSGH_BITS(MACH_MSG_TYPE_PORT_SEND, 0));
+
+               kmsg->ikm_header->msgh_bits = bits;
+       } else {
+               bits = (MACH_MSGH_BITS_OTHER(bits) |
+                   MACH_MSGH_BITS(ipc_object_copyin_type(rname),
+                   ipc_object_copyin_type(lname)));
+
+               kmsg->ikm_header->msgh_bits = bits;
+       }
+
+       if (bits & MACH_MSGH_BITS_COMPLEX) {
+               /*
+                * Check if the remote port accepts ports in the body.
+                */
+               if (dest->ip_no_grant) {
+                       mach_msg_descriptor_t   *saddr;
+                       mach_msg_body_t         *body;
+                       mach_msg_type_number_t  i, count;
+
+                       body = (mach_msg_body_t *) (kmsg->ikm_header + 1);
+                       saddr = (mach_msg_descriptor_t *) (body + 1);
+                       count = body->msgh_descriptor_count;
+
+                       for (i = 0; i < count; i++, saddr++) {
+                               switch (saddr->type.type) {
+                               case MACH_MSG_PORT_DESCRIPTOR:
+                               case MACH_MSG_OOL_PORTS_DESCRIPTOR:
+                               case MACH_MSG_GUARDED_PORT_DESCRIPTOR:
+                                       /* no descriptors have been copied in yet */
+                                       ipc_kmsg_clean_partial(kmsg, 0, NULL, 0, 0);
+                                       return MACH_SEND_NO_GRANT_DEST;
+                               }
+                       }
+               }
+
+               mach_msg_descriptor_t   *saddr;
+               mach_msg_body_t         *body;
+               mach_msg_type_number_t  i, count;
+
+               body = (mach_msg_body_t *) (kmsg->ikm_header + 1);
+               saddr = (mach_msg_descriptor_t *) (body + 1);
+               count = body->msgh_descriptor_count;
+
+               for (i = 0; i < count; i++, saddr++) {
+                       switch (saddr->type.type) {
+                       case MACH_MSG_PORT_DESCRIPTOR: {
+                               mach_msg_type_name_t        name;
+                               ipc_object_t                object;
+                               mach_msg_port_descriptor_t  *dsc;
+
+                               dsc = &saddr->port;
+
+                               /* this is really the type SEND, SEND_ONCE, etc. */
+                               name = dsc->disposition;
+                               object = ip_to_object(dsc->name);
+                               dsc->disposition = ipc_object_copyin_type(name);
+
+                               if (!IO_VALID(object)) {
+                                       break;
+                               }
+
+                               ipc_object_copyin_from_kernel(object, name);
+
+                               /* CDY avoid circularity when the destination is also */
+                               /* the kernel.  This check should be changed into an  */
+                               /* assert when the new kobject model is in place since*/
+                               /* ports will not be used in kernel to kernel chats   */
+
+                               if (ip_object_to_port(remote)->ip_receiver != ipc_space_kernel) {
+                                       if ((dsc->disposition == MACH_MSG_TYPE_PORT_RECEIVE) &&
+                                           ipc_port_check_circularity(ip_object_to_port(object),
+                                           ip_object_to_port(remote))) {
+                                               kmsg->ikm_header->msgh_bits |=
+                                                   MACH_MSGH_BITS_CIRCULAR;
+                                       }
+                               }
+                               break;
+                       }
+                       case MACH_MSG_OOL_VOLATILE_DESCRIPTOR:
+                       case MACH_MSG_OOL_DESCRIPTOR: {
+                               /*
+                                * The sender should supply ready-made memory, i.e.
+                                * a vm_map_copy_t, so we don't need to do anything.
+                                */
+                               break;
+                       }
+                       case MACH_MSG_OOL_PORTS_DESCRIPTOR: {
+                               ipc_object_t                        *objects;
+                               unsigned int                        j;
+                               mach_msg_type_name_t                name;
+                               mach_msg_ool_ports_descriptor_t     *dsc;
+
+                               dsc = (mach_msg_ool_ports_descriptor_t *)&saddr->ool_ports;
+
+                               /* this is really the type SEND, SEND_ONCE, etc. */
+                               name = dsc->disposition;
+                               dsc->disposition = ipc_object_copyin_type(name);
+
+                               objects = (ipc_object_t *) dsc->address;
+
+                               for (j = 0; j < dsc->count; j++) {
+                                       ipc_object_t object = objects[j];
+
+                                       if (!IO_VALID(object)) {
+                                               continue;
+                                       }
+
+                                       ipc_object_copyin_from_kernel(object, name);
+
+                                       if ((dsc->disposition == MACH_MSG_TYPE_PORT_RECEIVE) &&
+                                           ipc_port_check_circularity(ip_object_to_port(object),
+                                           ip_object_to_port(remote))) {
+                                               kmsg->ikm_header->msgh_bits |= MACH_MSGH_BITS_CIRCULAR;
+                                       }
+                               }
+                               break;
+                       }
+                       case MACH_MSG_GUARDED_PORT_DESCRIPTOR: {
+                               mach_msg_guarded_port_descriptor_t *dsc = (typeof(dsc)) & saddr->guarded_port;
+                               mach_msg_type_name_t disp = dsc->disposition;
+                               ipc_object_t object = ip_to_object(dsc->name);
+                               dsc->disposition = ipc_object_copyin_type(disp);
+                               assert(dsc->flags == 0);
+
+                               if (!IO_VALID(object)) {
+                                       break;
+                               }
+
+                               ipc_object_copyin_from_kernel(object, disp);
+                               /*
+                                * avoid circularity when the destination is also
+                                * the kernel.  This check should be changed into an
+                                * assert when the new kobject model is in place since
+                                * ports will not be used in kernel to kernel chats
+                                */
+
+                               if (ip_object_to_port(remote)->ip_receiver != ipc_space_kernel) {
+                                       if ((dsc->disposition == MACH_MSG_TYPE_PORT_RECEIVE) &&
+                                           ipc_port_check_circularity(ip_object_to_port(object),
+                                           ip_object_to_port(remote))) {
+                                               kmsg->ikm_header->msgh_bits |= MACH_MSGH_BITS_CIRCULAR;
+                                       }
+                               }
+                               break;
+                       }
+                       default: {
+#if     MACH_ASSERT
+                               panic("ipc_kmsg_copyin_from_kernel:  bad descriptor");
+#endif  /* MACH_ASSERT */
+                       }
+                       }
+               }
+       }
+
+       /* Add the signature to the message */
+       ikm_sign(kmsg);
+
        return MACH_MSG_SUCCESS;
        return MACH_MSG_SUCCESS;
-    
-    return( ipc_kmsg_copyin_body( kmsg, space, map) );
 }
 
 }
 
-/*
- *     Routine:        ipc_kmsg_copyin_from_kernel
- *     Purpose:
- *             "Copy-in" port rights and out-of-line memory
- *             in a message sent from the kernel.
- *
- *             Because the message comes from the kernel,
- *             the implementation assumes there are no errors
- *             or peculiarities in the message.
- *
- *             Returns TRUE if queueing the message
- *             would result in a circularity.
- *     Conditions:
- *             Nothing locked.
- */
-
-void
-ipc_kmsg_copyin_from_kernel(
-       ipc_kmsg_t      kmsg)
+#if IKM_SUPPORT_LEGACY
+mach_msg_return_t
+ipc_kmsg_copyin_from_kernel_legacy(
+       ipc_kmsg_t      kmsg)
 {
 {
-       mach_msg_bits_t bits = kmsg->ikm_header.msgh_bits;
+       mach_msg_bits_t bits = kmsg->ikm_header->msgh_bits;
        mach_msg_type_name_t rname = MACH_MSGH_BITS_REMOTE(bits);
        mach_msg_type_name_t lname = MACH_MSGH_BITS_LOCAL(bits);
        mach_msg_type_name_t rname = MACH_MSGH_BITS_REMOTE(bits);
        mach_msg_type_name_t lname = MACH_MSGH_BITS_LOCAL(bits);
-       ipc_object_t remote = (ipc_object_t) kmsg->ikm_header.msgh_remote_port;
-       ipc_object_t local = (ipc_object_t) kmsg->ikm_header.msgh_local_port;
+       ipc_object_t remote = ip_to_object(kmsg->ikm_header->msgh_remote_port);
+       ipc_object_t local = ip_to_object(kmsg->ikm_header->msgh_local_port);
+       ipc_port_t dest = kmsg->ikm_header->msgh_remote_port;
 
        /* translate the destination and reply ports */
 
        /* translate the destination and reply ports */
+       if (!IO_VALID(remote)) {
+               return MACH_SEND_INVALID_DEST;
+       }
 
        ipc_object_copyin_from_kernel(remote, rname);
 
        ipc_object_copyin_from_kernel(remote, rname);
-       if (IO_VALID(local))
+       if (IO_VALID(local)) {
                ipc_object_copyin_from_kernel(local, lname);
                ipc_object_copyin_from_kernel(local, lname);
+       }
 
        /*
         *      The common case is a complex message with no reply port,
 
        /*
         *      The common case is a complex message with no reply port,
@@ -1711,112 +4333,217 @@ ipc_kmsg_copyin_from_kernel(
         */
 
        if (bits == (MACH_MSGH_BITS_COMPLEX |
         */
 
        if (bits == (MACH_MSGH_BITS_COMPLEX |
-                    MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, 0))) {
+           MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, 0))) {
                bits = (MACH_MSGH_BITS_COMPLEX |
                bits = (MACH_MSGH_BITS_COMPLEX |
-                       MACH_MSGH_BITS(MACH_MSG_TYPE_PORT_SEND, 0));
+                   MACH_MSGH_BITS(MACH_MSG_TYPE_PORT_SEND, 0));
 
 
-               kmsg->ikm_header.msgh_bits = bits;
+               kmsg->ikm_header->msgh_bits = bits;
        } else {
                bits = (MACH_MSGH_BITS_OTHER(bits) |
        } else {
                bits = (MACH_MSGH_BITS_OTHER(bits) |
-                       MACH_MSGH_BITS(ipc_object_copyin_type(rname),
-                                      ipc_object_copyin_type(lname)));
-
-               kmsg->ikm_header.msgh_bits = bits;
-               if ((bits & MACH_MSGH_BITS_COMPLEX) == 0)
-                       return;
-       }
-    {
-       mach_msg_descriptor_t   *saddr, *eaddr;
-       mach_msg_body_t         *body;
-
-       body = (mach_msg_body_t *) (&kmsg->ikm_header + 1);
-       saddr = (mach_msg_descriptor_t *) (body + 1);
-       eaddr = (mach_msg_descriptor_t *) saddr + body->msgh_descriptor_count;
-
-       for ( ; saddr <  eaddr; saddr++) {
-
-           switch (saddr->type.type) {
-           
-               case MACH_MSG_PORT_DESCRIPTOR: {
-                   mach_msg_type_name_t        name;
-                   ipc_object_t                object;
-                   mach_msg_port_descriptor_t  *dsc;
-               
-                   dsc = &saddr->port;
-               
-                   /* this is really the type SEND, SEND_ONCE, etc. */
-                   name = dsc->disposition;
-                   object = (ipc_object_t) dsc->name;
-                   dsc->disposition = ipc_object_copyin_type(name);
-               
-                   if (!IO_VALID(object)) {
-                       break;
-                   }
-
-                   ipc_object_copyin_from_kernel(object, name);
-                   
-                   /* CDY avoid circularity when the destination is also */
-                   /* the kernel.  This check should be changed into an  */
-                   /* assert when the new kobject model is in place since*/
-                   /* ports will not be used in kernel to kernel chats   */
-                       
-                   if (((ipc_port_t)remote)->ip_receiver != ipc_space_kernel) {
-                      if ((dsc->disposition == MACH_MSG_TYPE_PORT_RECEIVE) &&
-                          ipc_port_check_circularity((ipc_port_t) object, 
-                                               (ipc_port_t) remote)) {
-                          kmsg->ikm_header.msgh_bits |= 
-                                       MACH_MSGH_BITS_CIRCULAR;
-                      }
-                   }
-                   break;
-               }
-               case MACH_MSG_OOL_VOLATILE_DESCRIPTOR:
-               case MACH_MSG_OOL_DESCRIPTOR: {
-                   /*
-                    * The sender should supply ready-made memory, i.e.
-                    * a vm_map_copy_t, so we don't need to do anything.
-                    */
-                   break;
-               }
-               case MACH_MSG_OOL_PORTS_DESCRIPTOR: {
-                   ipc_object_t                        *objects;
-                   int                                 j;
-                   mach_msg_type_name_t                name;
-                   mach_msg_ool_ports_descriptor_t     *dsc;
-               
-                   dsc = &saddr->ool_ports;
-
-                   /* this is really the type SEND, SEND_ONCE, etc. */
-                   name = dsc->disposition;
-                   dsc->disposition = ipc_object_copyin_type(name);
-               
-                   objects = (ipc_object_t *) dsc->address;
-               
-                   for ( j = 0; j < dsc->count; j++) {
-                       ipc_object_t object = objects[j];
-                       
-                       if (!IO_VALID(object))
-                           continue;
-                       
-                       ipc_object_copyin_from_kernel(object, name);
-    
-                       if ((dsc->disposition == MACH_MSG_TYPE_PORT_RECEIVE) &&
-                           ipc_port_check_circularity(
-                                                      (ipc_port_t) object,
-                                                      (ipc_port_t) remote))
-                           kmsg->ikm_header.msgh_bits |= MACH_MSGH_BITS_CIRCULAR;
-                   }
-                   break;
-               }
-               default: {
-#if    MACH_ASSERT
-                   panic("ipc_kmsg_copyin_from_kernel:  bad descriptor");
-#endif /* MACH_ASSERT */
-               }
-           }
-       }
-    }
+                   MACH_MSGH_BITS(ipc_object_copyin_type(rname),
+                   ipc_object_copyin_type(lname)));
+
+               kmsg->ikm_header->msgh_bits = bits;
+       }
+
+       if (bits & MACH_MSGH_BITS_COMPLEX) {
+               if (dest->ip_no_grant) {
+                       mach_msg_descriptor_t   *saddr;
+                       mach_msg_body_t         *body;
+                       mach_msg_type_number_t  i, count;
+
+                       body = (mach_msg_body_t *) (kmsg->ikm_header + 1);
+                       saddr = (mach_msg_descriptor_t *) (body + 1);
+                       count = body->msgh_descriptor_count;
+
+                       for (i = 0; i < count; i++, saddr++) {
+                               switch (saddr->type.type) {
+                               case MACH_MSG_PORT_DESCRIPTOR:
+                               case MACH_MSG_OOL_PORTS_DESCRIPTOR:
+                               case MACH_MSG_GUARDED_PORT_DESCRIPTOR:
+                                       /* no descriptors have been copied in yet */
+                                       ipc_kmsg_clean_partial(kmsg, 0, NULL, 0, 0);
+                                       return MACH_SEND_NO_GRANT_DEST;
+                               }
+                       }
+               }
+
+               mach_msg_legacy_descriptor_t    *saddr;
+               mach_msg_descriptor_t   *daddr;
+               mach_msg_body_t         *body;
+               mach_msg_type_number_t  i, count;
+
+               body = (mach_msg_body_t *) (kmsg->ikm_header + 1);
+               saddr = (typeof(saddr))(body + 1);
+               count = body->msgh_descriptor_count;
+
+               if (count) {
+                       vm_offset_t dsc_adjust = 4 * count;
+                       memmove((char *)(((vm_offset_t)kmsg->ikm_header) - dsc_adjust), kmsg->ikm_header, sizeof(mach_msg_base_t));
+                       kmsg->ikm_header = (mach_msg_header_t *)((vm_offset_t)kmsg->ikm_header - dsc_adjust);
+                       /* Update the message size for the larger in-kernel representation */
+                       kmsg->ikm_header->msgh_size += dsc_adjust;
+               }
+               daddr = (mach_msg_descriptor_t *)((vm_offset_t)kmsg->ikm_header + sizeof(mach_msg_base_t));
+
+               for (i = 0; i < count; i++, saddr++, daddr++) {
+                       switch (saddr->type.type) {
+                       case MACH_MSG_PORT_DESCRIPTOR: {
+                               mach_msg_type_name_t        name;
+                               ipc_object_t                object;
+                               mach_msg_legacy_port_descriptor_t   *dsc;
+                               mach_msg_port_descriptor_t  *dest_dsc;
+
+                               dsc = (typeof(dsc)) & saddr->port;
+                               dest_dsc = &daddr->port;
+
+                               /* this is really the type SEND, SEND_ONCE, etc. */
+                               name = dsc->disposition;
+                               object = ip_to_object(CAST_MACH_NAME_TO_PORT(dsc->name));
+                               dest_dsc->disposition = ipc_object_copyin_type(name);
+                               dest_dsc->name = ip_object_to_port(object);
+                               dest_dsc->type = MACH_MSG_PORT_DESCRIPTOR;
+
+                               if (!IO_VALID(object)) {
+                                       break;
+                               }
+
+                               ipc_object_copyin_from_kernel(object, name);
+
+                               /* CDY avoid circularity when the destination is also */
+                               /* the kernel.  This check should be changed into an  */
+                               /* assert when the new kobject model is in place since*/
+                               /* ports will not be used in kernel to kernel chats   */
+
+                               if (ip_object_to_port(remote)->ip_receiver != ipc_space_kernel) {
+                                       if ((dest_dsc->disposition == MACH_MSG_TYPE_PORT_RECEIVE) &&
+                                           ipc_port_check_circularity(ip_object_to_port(object),
+                                           ip_object_to_port(remote))) {
+                                               kmsg->ikm_header->msgh_bits |=
+                                                   MACH_MSGH_BITS_CIRCULAR;
+                                       }
+                               }
+                               break;
+                       }
+                       case MACH_MSG_OOL_VOLATILE_DESCRIPTOR:
+                       case MACH_MSG_OOL_DESCRIPTOR: {
+                               /* The sender should supply ready-made memory, i.e. a vm_map_copy_t
+                                * so we don't need to do anything special. */
+
+                               mach_msg_ool_descriptor32_t *source_dsc = &saddr->out_of_line32;
+                               mach_msg_ool_descriptor_t   *dest_dsc = (typeof(dest_dsc)) & daddr->out_of_line;
+
+                               vm_offset_t             address = source_dsc->address;
+                               vm_size_t                           size = source_dsc->size;
+                               boolean_t                           deallocate = source_dsc->deallocate;
+                               mach_msg_copy_options_t             copy = source_dsc->copy;
+                               mach_msg_descriptor_type_t  type = source_dsc->type;
+
+                               dest_dsc->address = (void *)address;
+                               dest_dsc->size = size;
+                               dest_dsc->deallocate = deallocate;
+                               dest_dsc->copy = copy;
+                               dest_dsc->type = type;
+                               break;
+                       }
+                       case MACH_MSG_OOL_PORTS_DESCRIPTOR: {
+                               ipc_object_t                        *objects;
+                               unsigned int                        j;
+                               mach_msg_type_name_t                name;
+                               mach_msg_ool_ports_descriptor_t     *dest_dsc;
+
+                               mach_msg_ool_ports_descriptor32_t   *source_dsc = &saddr->ool_ports32;
+                               dest_dsc = (typeof(dest_dsc)) & daddr->ool_ports;
+
+                               boolean_t deallocate = source_dsc->deallocate;
+                               mach_msg_copy_options_t copy = source_dsc->copy;
+                               mach_msg_size_t port_count = source_dsc->count;
+                               mach_msg_type_name_t disposition = source_dsc->disposition;
+
+                               /* this is really the type SEND, SEND_ONCE, etc. */
+                               name = disposition;
+                               disposition = ipc_object_copyin_type(name);
+
+                               objects = (ipc_object_t *) (uintptr_t)source_dsc->address;
+
+                               for (j = 0; j < port_count; j++) {
+                                       ipc_object_t object = objects[j];
+
+                                       if (!IO_VALID(object)) {
+                                               continue;
+                                       }
+
+                                       ipc_object_copyin_from_kernel(object, name);
+
+                                       if ((disposition == MACH_MSG_TYPE_PORT_RECEIVE) &&
+                                           ipc_port_check_circularity(ip_object_to_port(object),
+                                           ip_object_to_port(remote))) {
+                                               kmsg->ikm_header->msgh_bits |= MACH_MSGH_BITS_CIRCULAR;
+                                       }
+                               }
+
+                               dest_dsc->address = objects;
+                               dest_dsc->deallocate = deallocate;
+                               dest_dsc->copy = copy;
+                               dest_dsc->disposition = disposition;
+                               dest_dsc->type = MACH_MSG_OOL_PORTS_DESCRIPTOR;
+                               dest_dsc->count = port_count;
+                               break;
+                       }
+                       case MACH_MSG_GUARDED_PORT_DESCRIPTOR: {
+                               mach_msg_type_name_t  disp;
+                               ipc_object_t object;
+                               mach_msg_guarded_port_descriptor32_t   *dsc;
+                               mach_msg_guarded_port_descriptor_t  *dest_dsc;
+
+                               dsc = (typeof(dsc)) & saddr->guarded_port32;
+                               dest_dsc = &daddr->guarded_port;
+
+                               disp = dsc->disposition;
+                               object = ip_to_object(CAST_MACH_NAME_TO_PORT(dsc->name));
+                               assert(dsc->flags == 0);
+                               assert(dsc->context == 0);
+
+                               dest_dsc->disposition = ipc_object_copyin_type(disp);
+                               dest_dsc->name = ip_object_to_port(object);
+                               dest_dsc->type = MACH_MSG_GUARDED_PORT_DESCRIPTOR;
+                               dest_dsc->flags = 0;
+
+                               if (!IO_VALID(object)) {
+                                       break;
+                               }
+
+                               ipc_object_copyin_from_kernel(object, disp);
+
+                               /* CDY avoid circularity when the destination is also */
+                               /* the kernel.  This check should be changed into an  */
+                               /* assert when the new kobject model is in place since*/
+                               /* ports will not be used in kernel to kernel chats   */
+
+                               if (ip_object_to_port(remote)->ip_receiver != ipc_space_kernel) {
+                                       if ((dest_dsc->disposition == MACH_MSG_TYPE_PORT_RECEIVE) &&
+                                           ipc_port_check_circularity(ip_object_to_port(object),
+                                           ip_object_to_port(remote))) {
+                                               kmsg->ikm_header->msgh_bits |=
+                                                   MACH_MSGH_BITS_CIRCULAR;
+                                       }
+                               }
+                               break;
+                       }
+                       default: {
+#if     MACH_ASSERT
+                               panic("ipc_kmsg_copyin_from_kernel:  bad descriptor");
+#endif  /* MACH_ASSERT */
+                       }
+                       }
+               }
+       }
+
+       ikm_sign(kmsg);
+
+       return MACH_MSG_SUCCESS;
 }
 }
+#endif /* IKM_SUPPORT_LEGACY */
 
 /*
  *     Routine:        ipc_kmsg_copyout_header
 
 /*
  *     Routine:        ipc_kmsg_copyout_header
@@ -1827,18 +4554,11 @@ ipc_kmsg_copyin_from_kernel(
  *             If it does succeed the remote/local port fields
  *             contain port names instead of object pointers,
  *             and the bits field is updated.
  *             If it does succeed the remote/local port fields
  *             contain port names instead of object pointers,
  *             and the bits field is updated.
- *
- *             The notify argument implements the MACH_RCV_NOTIFY option.
- *             If it is not MACH_PORT_NULL, it should name a receive right.
- *             If the process of receiving the reply port creates a
- *             new right in the receiving task, then the new right is
- *             automatically registered for a dead-name notification,
- *             with the notify port supplying the send-once right.
  *     Conditions:
  *             Nothing locked.
  *     Returns:
  *             MACH_MSG_SUCCESS        Copied out port rights.
  *     Conditions:
  *             Nothing locked.
  *     Returns:
  *             MACH_MSG_SUCCESS        Copied out port rights.
- *             MACH_RCV_INVALID_NOTIFY 
+ *             MACH_RCV_INVALID_NOTIFY
  *                     Notify is non-null and doesn't name a receive right.
  *                     (Either KERN_INVALID_NAME or KERN_INVALID_RIGHT.)
  *             MACH_RCV_HEADER_ERROR|MACH_MSG_IPC_SPACE
  *                     Notify is non-null and doesn't name a receive right.
  *                     (Either KERN_INVALID_NAME or KERN_INVALID_RIGHT.)
  *             MACH_RCV_HEADER_ERROR|MACH_MSG_IPC_SPACE
@@ -1853,357 +4573,839 @@ ipc_kmsg_copyin_from_kernel(
 
 mach_msg_return_t
 ipc_kmsg_copyout_header(
 
 mach_msg_return_t
 ipc_kmsg_copyout_header(
-       mach_msg_header_t       *msg,
-       ipc_space_t             space,
-       mach_port_name_t        notify)
+       ipc_kmsg_t              kmsg,
+       ipc_space_t             space,
+       mach_msg_option_t       option)
 {
 {
+       mach_msg_header_t *msg = kmsg->ikm_header;
        mach_msg_bits_t mbits = msg->msgh_bits;
        mach_msg_bits_t mbits = msg->msgh_bits;
-       ipc_port_t dest = (ipc_port_t) msg->msgh_remote_port;
+       ipc_port_t dest = msg->msgh_remote_port;
 
        assert(IP_VALID(dest));
 
 
        assert(IP_VALID(dest));
 
-    {
-       mach_msg_type_name_t dest_type = MACH_MSGH_BITS_REMOTE(mbits);
-       mach_msg_type_name_t reply_type = MACH_MSGH_BITS_LOCAL(mbits);
-       ipc_port_t reply = (ipc_port_t) msg->msgh_local_port;
-       mach_port_name_t dest_name, reply_name;
-
-       if (IP_VALID(reply)) {
-               ipc_port_t notify_port;
-               ipc_entry_t entry;
+       /*
+        * While we still hold a reference on the received-from port,
+        * process all send-possible notfications we received along with
+        * the message.
+        */
+       ipc_port_spnotify(dest);
+
+       {
+               mach_msg_type_name_t dest_type = MACH_MSGH_BITS_REMOTE(mbits);
+               mach_msg_type_name_t reply_type = MACH_MSGH_BITS_LOCAL(mbits);
+               mach_msg_type_name_t voucher_type = MACH_MSGH_BITS_VOUCHER(mbits);
+               ipc_port_t reply = msg->msgh_local_port;
+               ipc_port_t release_reply_port = IP_NULL;
+               mach_port_name_t dest_name, reply_name;
+
+               ipc_port_t voucher = kmsg->ikm_voucher;
+               ipc_port_t release_voucher_port = IP_NULL;
+               mach_port_name_t voucher_name;
+
+               uint32_t entries_held = 0;
+               boolean_t need_write_lock = FALSE;
+               ipc_object_copyout_flags_t reply_copyout_options = IPC_OBJECT_COPYOUT_FLAGS_NONE;
                kern_return_t kr;
 
                /*
                kern_return_t kr;
 
                /*
-                *      Handling notify (for MACH_RCV_NOTIFY) is tricky.
-                *      The problem is atomically making a send-once right
-                *      from the notify port and installing it for a
-                *      dead-name request in the new entry, because this
-                *      requires two port locks (on the notify port and
-                *      the reply port).  However, we can safely make
-                *      and consume send-once rights for the notify port
-                *      as long as we hold the space locked.  This isn't
-                *      an atomicity problem, because the only way
-                *      to detect that a send-once right has been created
-                *      and then consumed if it wasn't needed is by getting
-                *      at the receive right to look at ip_sorights, and
-                *      because the space is write-locked status calls can't
-                *      lookup the notify port receive right.  When we make
-                *      the send-once right, we lock the notify port,
-                *      so any status calls in progress will be done.
+                * Reserve any potentially needed entries in the target space.
+                * We'll free any unused before unlocking the space.
                 */
                 */
+               if (IP_VALID(reply)) {
+                       entries_held++;
+                       need_write_lock = TRUE;
+               }
+               if (IP_VALID(voucher)) {
+                       assert(voucher_type == MACH_MSG_TYPE_MOVE_SEND);
 
 
-               is_write_lock(space);
+                       if ((option & MACH_RCV_VOUCHER) != 0) {
+                               entries_held++;
+                       }
+                       need_write_lock = TRUE;
+               }
 
 
-               for (;;) {
-                       ipc_port_request_index_t request;
+               if (need_write_lock) {
+handle_reply_again:
+                       is_write_lock(space);
 
 
-                       if (!space->is_active) {
-                               is_write_unlock(space);
-                               return (MACH_RCV_HEADER_ERROR|
-                                       MACH_MSG_IPC_SPACE);
+                       while (entries_held) {
+                               if (!is_active(space)) {
+                                       is_write_unlock(space);
+                                       return MACH_RCV_HEADER_ERROR |
+                                              MACH_MSG_IPC_SPACE;
+                               }
+
+                               kr = ipc_entries_hold(space, entries_held);
+                               if (KERN_SUCCESS == kr) {
+                                       break;
+                               }
+
+                               kr = ipc_entry_grow_table(space, ITS_SIZE_NONE);
+                               if (KERN_SUCCESS != kr) {
+                                       return MACH_RCV_HEADER_ERROR |
+                                              MACH_MSG_IPC_SPACE;
+                               }
+                               /* space was unlocked and relocked - retry */
                        }
 
                        }
 
-                       if (notify != MACH_PORT_NULL) {
-                               notify_port = ipc_port_lookup_notify(space,
-                                                                    notify);
-                               if (notify_port == IP_NULL) {
-                                       is_write_unlock(space);
-                                       return MACH_RCV_INVALID_NOTIFY;
+                       /* Handle reply port. */
+                       if (IP_VALID(reply)) {
+                               ipc_port_t reply_subst = IP_NULL;
+                               ipc_entry_t entry;
+
+                               ip_lock(reply);
+
+                               /* Is the reply port still active and allowed to be copied out? */
+                               if (!ip_active(reply) ||
+                                   !ip_label_check(space, reply, reply_type,
+                                   &reply_copyout_options, &reply_subst)) {
+                                       /* clear the context value */
+                                       reply->ip_reply_context = 0;
+                                       ip_unlock(reply);
+
+                                       assert(reply_subst == IP_NULL);
+                                       release_reply_port = reply;
+                                       reply = IP_DEAD;
+                                       reply_name = MACH_PORT_DEAD;
+                                       goto done_with_reply;
+                               }
+
+                               /* is the kolabel requesting a substitution */
+                               if (reply_subst != IP_NULL) {
+                                       /*
+                                        * port is unlocked, its right consumed
+                                        * space is unlocked
+                                        */
+                                       assert(reply_type == MACH_MSG_TYPE_PORT_SEND);
+                                       msg->msgh_local_port = reply = reply_subst;
+                                       goto handle_reply_again;
+                               }
+
+
+                               /* Is there already an entry we can use? */
+                               if ((reply_type != MACH_MSG_TYPE_PORT_SEND_ONCE) &&
+                                   ipc_right_reverse(space, ip_to_object(reply), &reply_name, &entry)) {
+                                       assert(entry->ie_bits & MACH_PORT_TYPE_SEND_RECEIVE);
+                               } else {
+                                       /* claim a held entry for the reply port */
+                                       assert(entries_held > 0);
+                                       entries_held--;
+                                       ipc_entry_claim(space, &reply_name, &entry);
+                                       assert(!ipc_right_inuse(entry));
+                                       assert(entry->ie_object == IO_NULL);
+                                       entry->ie_object = ip_to_object(reply);
                                }
                                }
-                       } else
-                               notify_port = IP_NULL;
 
 
-                       if ((reply_type != MACH_MSG_TYPE_PORT_SEND_ONCE) &&
-                           ipc_right_reverse(space, (ipc_object_t) reply,
-                                             &reply_name, &entry)) {
-                               /* reply port is locked and active */
+                               /* space and reply port are locked and active */
+                               ip_reference(reply);         /* hold onto the reply port */
 
                                /*
 
                                /*
-                                *      We don't need the notify_port
-                                *      send-once right, but we can't release
-                                *      it here because reply port is locked.
-                                *      Wait until after the copyout to
-                                *      release the notify port right.
+                                * If the receiver would like to enforce strict reply
+                                * semantics, and the message looks like it expects a reply,
+                                * and contains a voucher, then link the context in the
+                                * voucher with the reply port so that the next message sent
+                                * to the reply port must come from a thread that has a
+                                * matching context (voucher).
                                 */
                                 */
+                               if (enforce_strict_reply && MACH_RCV_WITH_STRICT_REPLY(option) && IP_VALID(voucher)) {
+                                       if (ipc_kmsg_validate_reply_port_locked(reply, option) != KERN_SUCCESS) {
+                                               /* if the receiver isn't happy with the reply port: fail the receive. */
+                                               ip_unlock(reply);
+                                               ipc_entry_dealloc(space, reply_name, entry);
+                                               is_write_unlock(space);
+                                               ip_release(reply);
+                                               return MACH_RCV_INVALID_REPLY;
+                                       }
+                                       ipc_kmsg_link_reply_context_locked(reply, voucher);
+                               } else {
+                                       /*
+                                        * if the receive did not choose to participate
+                                        * in the strict reply/RPC, then don't enforce
+                                        * anything (as this could lead to booby-trapped
+                                        * messages that kill the server).
+                                        */
+                                       reply->ip_reply_context = 0;
+                               }
 
 
-                               assert(entry->ie_bits &
-                                      MACH_PORT_TYPE_SEND_RECEIVE);
-                               break;
+                               kr = ipc_right_copyout(space, reply_name, entry,
+                                   reply_type, IPC_OBJECT_COPYOUT_FLAGS_NONE, NULL, NULL,
+                                   ip_to_object(reply));
+                               assert(kr == KERN_SUCCESS);
+                               /* reply port is unlocked */
+                       } else {
+                               reply_name = CAST_MACH_PORT_TO_NAME(reply);
                        }
 
                        }
 
-                       ip_lock(reply);
-                       if (!ip_active(reply)) {
-                               ip_release(reply);
-                               ip_check_unlock(reply);
+done_with_reply:
 
 
-                               if (notify_port != IP_NULL)
-                                       ipc_port_release_sonce(notify_port);
+                       /* Handle voucher port. */
+                       if (voucher_type != MACH_MSGH_BITS_ZERO) {
+                               assert(voucher_type == MACH_MSG_TYPE_MOVE_SEND);
 
 
-                               ip_lock(dest);
-                               is_write_unlock(space);
+                               if (!IP_VALID(voucher)) {
+                                       if ((option & MACH_RCV_VOUCHER) == 0) {
+                                               voucher_type = MACH_MSGH_BITS_ZERO;
+                                       }
+                                       voucher_name = MACH_PORT_NULL;
+                                       goto done_with_voucher;
+                               }
 
 
-                               reply = IP_DEAD;
-                               reply_name = MACH_PORT_DEAD;
-                               goto copyout_dest;
+                               /* clear voucher from its hiding place back in the kmsg */
+                               kmsg->ikm_voucher = IP_NULL;
+
+                               if ((option & MACH_RCV_VOUCHER) != 0) {
+                                       ipc_entry_t entry;
+
+                                       ip_lock(voucher);
+
+                                       if (ipc_right_reverse(space, ip_to_object(voucher),
+                                           &voucher_name, &entry)) {
+                                               assert(entry->ie_bits & MACH_PORT_TYPE_SEND);
+                                       } else {
+                                               assert(entries_held > 0);
+                                               entries_held--;
+                                               ipc_entry_claim(space, &voucher_name, &entry);
+                                               assert(!ipc_right_inuse(entry));
+                                               assert(entry->ie_object == IO_NULL);
+                                               entry->ie_object = ip_to_object(voucher);
+                                       }
+                                       /* space is locked and active */
+
+                                       assert(ip_kotype(voucher) == IKOT_VOUCHER);
+                                       kr = ipc_right_copyout(space, voucher_name, entry,
+                                           MACH_MSG_TYPE_MOVE_SEND, IPC_OBJECT_COPYOUT_FLAGS_NONE,
+                                           NULL, NULL, ip_to_object(voucher));
+                                       /* voucher port is unlocked */
+                               } else {
+                                       voucher_type = MACH_MSGH_BITS_ZERO;
+                                       release_voucher_port = voucher;
+                                       voucher_name = MACH_PORT_NULL;
+                               }
+                       } else {
+                               voucher_name = msg->msgh_voucher_port;
                        }
 
                        }
 
-                       reply_name = (mach_port_name_t)reply;
-                       kr = ipc_entry_get(space, &reply_name, &entry);
-                       if (kr != KERN_SUCCESS) {
-                               ip_unlock(reply);
+done_with_voucher:
 
 
-                               if (notify_port != IP_NULL)
-                                       ipc_port_release_sonce(notify_port);
-
-                               /* space is locked */
-                               kr = ipc_entry_grow_table(space,
-                                                         ITS_SIZE_NONE);
-                               if (kr != KERN_SUCCESS) {
-                                       /* space is unlocked */
-
-                                       if (kr == KERN_RESOURCE_SHORTAGE)
-                                               return (MACH_RCV_HEADER_ERROR|
-                                                       MACH_MSG_IPC_KERNEL);
-                                       else
-                                               return (MACH_RCV_HEADER_ERROR|
-                                                       MACH_MSG_IPC_SPACE);
-                               }
-                               /* space is locked again; start over */
+                       ip_lock(dest);
+                       is_write_unlock(space);
+               } else {
+                       /*
+                        *      No reply or voucher port!  This is an easy case.
+                        *      We only need to have the space locked
+                        *      when locking the destination.
+                        */
 
 
-                               continue;
+                       is_read_lock(space);
+                       if (!is_active(space)) {
+                               is_read_unlock(space);
+                               return MACH_RCV_HEADER_ERROR | MACH_MSG_IPC_SPACE;
                        }
                        }
-                       assert(IE_BITS_TYPE(entry->ie_bits) ==
-                              MACH_PORT_TYPE_NONE);
-                       assert(entry->ie_object == IO_NULL); 
 
 
-                       if (notify_port == IP_NULL) {
-                               /* not making a dead-name request */
+                       ip_lock(dest);
+                       is_read_unlock(space);
 
 
-                               entry->ie_object = (ipc_object_t) reply;
-                               break;
+                       reply_name = CAST_MACH_PORT_TO_NAME(reply);
+
+                       if (voucher_type != MACH_MSGH_BITS_ZERO) {
+                               assert(voucher_type == MACH_MSG_TYPE_MOVE_SEND);
+                               if ((option & MACH_RCV_VOUCHER) == 0) {
+                                       voucher_type = MACH_MSGH_BITS_ZERO;
+                               }
+                               voucher_name = MACH_PORT_NULL;
+                       } else {
+                               voucher_name = msg->msgh_voucher_port;
                        }
                        }
+               }
 
 
-                       kr = ipc_port_dnrequest(reply, reply_name,
-                                               notify_port, &request);
-                       if (kr != KERN_SUCCESS) {
-                               ip_unlock(reply);
+               /*
+                *      At this point, the space is unlocked and the destination
+                *      port is locked.  (Lock taken while space was locked.)
+                *      reply_name is taken care of; we still need dest_name.
+                *      We still hold a ref for reply (if it is valid).
+                *
+                *      If the space holds receive rights for the destination,
+                *      we return its name for the right.  Otherwise the task
+                *      managed to destroy or give away the receive right between
+                *      receiving the message and this copyout.  If the destination
+                *      is dead, return MACH_PORT_DEAD, and if the receive right
+                *      exists somewhere else (another space, in transit)
+                *      return MACH_PORT_NULL.
+                *
+                *      Making this copyout operation atomic with the previous
+                *      copyout of the reply port is a bit tricky.  If there was
+                *      no real reply port (it wasn't IP_VALID) then this isn't
+                *      an issue.  If the reply port was dead at copyout time,
+                *      then we are OK, because if dest is dead we serialize
+                *      after the death of both ports and if dest is alive
+                *      we serialize after reply died but before dest's (later) death.
+                *      So assume reply was alive when we copied it out.  If dest
+                *      is alive, then we are OK because we serialize before
+                *      the ports' deaths.  So assume dest is dead when we look at it.
+                *      If reply dies/died after dest, then we are OK because
+                *      we serialize after dest died but before reply dies.
+                *      So the hard case is when reply is alive at copyout,
+                *      dest is dead at copyout, and reply died before dest died.
+                *      In this case pretend that dest is still alive, so
+                *      we serialize while both ports are alive.
+                *
+                *      Because the space lock is held across the copyout of reply
+                *      and locking dest, the receive right for dest can't move
+                *      in or out of the space while the copyouts happen, so
+                *      that isn't an atomicity problem.  In the last hard case
+                *      above, this implies that when dest is dead that the
+                *      space couldn't have had receive rights for dest at
+                *      the time reply was copied-out, so when we pretend
+                *      that dest is still alive, we can return MACH_PORT_NULL.
+                *
+                *      If dest == reply, then we have to make it look like
+                *      either both copyouts happened before the port died,
+                *      or both happened after the port died.  This special
+                *      case works naturally if the timestamp comparison
+                *      is done correctly.
+                */
 
 
-                               ipc_port_release_sonce(notify_port);
+               if (ip_active(dest)) {
+                       ipc_object_copyout_dest(space, ip_to_object(dest),
+                           dest_type, &dest_name);
+                       /* dest is unlocked */
+               } else {
+                       ipc_port_timestamp_t timestamp;
 
 
-                               ipc_entry_dealloc(space, reply_name, entry);
-                               is_write_unlock(space);
+                       timestamp = dest->ip_timestamp;
+                       ip_unlock(dest);
+                       ip_release(dest);
 
 
+                       if (IP_VALID(reply)) {
                                ip_lock(reply);
                                ip_lock(reply);
-                               if (!ip_active(reply)) {
-                                       /* will fail next time around loop */
-
-                                       ip_unlock(reply);
-                                       is_write_lock(space);
-                                       continue;
+                               if (ip_active(reply) ||
+                                   IP_TIMESTAMP_ORDER(timestamp,
+                                   reply->ip_timestamp)) {
+                                       dest_name = MACH_PORT_DEAD;
+                               } else {
+                                       dest_name = MACH_PORT_NULL;
                                }
                                }
+                               ip_unlock(reply);
+                       } else {
+                               dest_name = MACH_PORT_DEAD;
+                       }
+               }
 
 
-                               kr = ipc_port_dngrow(reply, ITS_SIZE_NONE);
-                               /* port is unlocked */
-                               if (kr != KERN_SUCCESS)
-                                       return (MACH_RCV_HEADER_ERROR|
-                                               MACH_MSG_IPC_KERNEL);
+               if (IP_VALID(reply)) {
+                       ip_release(reply);
+               }
 
 
-                               is_write_lock(space);
-                               continue;
+               if (IP_VALID(release_reply_port)) {
+                       if (reply_type == MACH_MSG_TYPE_PORT_SEND_ONCE) {
+                               ipc_port_release_sonce(release_reply_port);
+                       } else {
+                               ipc_port_release_send(release_reply_port);
                        }
                        }
+               }
 
 
-                       notify_port = IP_NULL; /* don't release right below */
+               if ((option & MACH_RCV_VOUCHER) != 0) {
+                       KERNEL_DEBUG_CONSTANT(MACHDBG_CODE(DBG_MACH_IPC, MACH_IPC_MSG_RECV) | DBG_FUNC_NONE,
+                           VM_KERNEL_ADDRPERM((uintptr_t)kmsg),
+                           (uintptr_t)kmsg->ikm_header->msgh_bits,
+                           (uintptr_t)kmsg->ikm_header->msgh_id,
+                           VM_KERNEL_ADDRPERM((uintptr_t)unsafe_convert_port_to_voucher(voucher)),
+                           0);
+               } else {
+                       KERNEL_DEBUG_CONSTANT(MACHDBG_CODE(DBG_MACH_IPC, MACH_IPC_MSG_RECV_VOUCHER_REFUSED) | DBG_FUNC_NONE,
+                           VM_KERNEL_ADDRPERM((uintptr_t)kmsg),
+                           (uintptr_t)kmsg->ikm_header->msgh_bits,
+                           (uintptr_t)kmsg->ikm_header->msgh_id,
+                           VM_KERNEL_ADDRPERM((uintptr_t)unsafe_convert_port_to_voucher(voucher)),
+                           0);
+               }
 
 
-                       entry->ie_object = (ipc_object_t) reply;
-                       entry->ie_request = request;
-                       break;
+               if (IP_VALID(release_voucher_port)) {
+                       ipc_port_release_send(release_voucher_port);
                }
 
                }
 
-               /* space and reply port are locked and active */
+               msg->msgh_bits = MACH_MSGH_BITS_SET(reply_type, dest_type,
+                   voucher_type, mbits);
+               msg->msgh_local_port = CAST_MACH_NAME_TO_PORT(dest_name);
+               msg->msgh_remote_port = CAST_MACH_NAME_TO_PORT(reply_name);
+               msg->msgh_voucher_port = voucher_name;
+       }
+
+       return MACH_MSG_SUCCESS;
+}
 
 
-               ip_reference(reply);    /* hold onto the reply port */
+/*
+ *     Routine:        ipc_kmsg_copyout_object
+ *     Purpose:
+ *             Copy-out a port right.  Always returns a name,
+ *             even for unsuccessful return codes.  Always
+ *             consumes the supplied object.
+ *     Conditions:
+ *             Nothing locked.
+ *     Returns:
+ *             MACH_MSG_SUCCESS        The space acquired the right
+ *                     (name is valid) or the object is dead (MACH_PORT_DEAD).
+ *             MACH_MSG_IPC_SPACE      No room in space for the right,
+ *                     or the space is dead.  (Name is MACH_PORT_NULL.)
+ *             MACH_MSG_IPC_KERNEL     Kernel resource shortage.
+ *                     (Name is MACH_PORT_NULL.)
+ */
+static mach_msg_return_t
+ipc_kmsg_copyout_object(
+       ipc_space_t             space,
+       ipc_object_t            object,
+       mach_msg_type_name_t    msgt_name,
+       mach_port_context_t     *context,
+       mach_msg_guard_flags_t  *guard_flags,
+       mach_port_name_t        *namep)
+{
+       kern_return_t kr;
 
 
-               kr = ipc_right_copyout(space, reply_name, entry,
-                                      reply_type, TRUE, (ipc_object_t) reply);
-               /* reply port is unlocked */
-               assert(kr == KERN_SUCCESS);
+       if (!IO_VALID(object)) {
+               *namep = CAST_MACH_PORT_TO_NAME(object);
+               return MACH_MSG_SUCCESS;
+       }
 
 
-               if (notify_port != IP_NULL)
-                       ipc_port_release_sonce(notify_port);
+       kr = ipc_object_copyout(space, object, msgt_name, IPC_OBJECT_COPYOUT_FLAGS_NONE,
+           context, guard_flags, namep);
+       if (kr != KERN_SUCCESS) {
+               if (kr == KERN_INVALID_CAPABILITY) {
+                       *namep = MACH_PORT_DEAD;
+               } else {
+                       *namep = MACH_PORT_NULL;
 
 
-               ip_lock(dest);
-               is_write_unlock(space);
+                       if (kr == KERN_RESOURCE_SHORTAGE) {
+                               return MACH_MSG_IPC_KERNEL;
+                       } else {
+                               return MACH_MSG_IPC_SPACE;
+                       }
+               }
+       }
+
+       return MACH_MSG_SUCCESS;
+}
+
+static mach_msg_descriptor_t *
+ipc_kmsg_copyout_port_descriptor(
+       mach_msg_descriptor_t   *dsc,
+       mach_msg_descriptor_t   *dest_dsc,
+       ipc_space_t             space,
+       kern_return_t           *mr)
+{
+       mach_port_t             port;
+       mach_port_name_t        name;
+       mach_msg_type_name_t    disp;
+
+       /* Copyout port right carried in the message */
+       port = dsc->port.name;
+       disp = dsc->port.disposition;
+       *mr |= ipc_kmsg_copyout_object(space,
+           ip_to_object(port), disp, NULL, NULL, &name);
+
+       if (current_task() == kernel_task) {
+               mach_msg_port_descriptor_t *user_dsc = (typeof(user_dsc))dest_dsc;
+               user_dsc--;         // point to the start of this port descriptor
+               bzero((void *)user_dsc, sizeof(*user_dsc));
+               user_dsc->name = CAST_MACH_NAME_TO_PORT(name);
+               user_dsc->disposition = disp;
+               user_dsc->type = MACH_MSG_PORT_DESCRIPTOR;
+               dest_dsc = (typeof(dest_dsc))user_dsc;
        } else {
        } else {
-               /*
-                *      No reply port!  This is an easy case.
-                *      We only need to have the space locked
-                *      when checking notify and when locking
-                *      the destination (to ensure atomicity).
-                */
+               mach_msg_legacy_port_descriptor_t *user_dsc = (typeof(user_dsc))dest_dsc;
+               user_dsc--;         // point to the start of this port descriptor
+               bzero((void *)user_dsc, sizeof(*user_dsc));
+               user_dsc->name = CAST_MACH_PORT_TO_NAME(name);
+               user_dsc->disposition = disp;
+               user_dsc->type = MACH_MSG_PORT_DESCRIPTOR;
+               dest_dsc = (typeof(dest_dsc))user_dsc;
+       }
 
 
-               is_read_lock(space);
-               if (!space->is_active) {
-                       is_read_unlock(space);
-                       return MACH_RCV_HEADER_ERROR|MACH_MSG_IPC_SPACE;
+       return (mach_msg_descriptor_t *)dest_dsc;
+}
+
+static mach_msg_descriptor_t *
+ipc_kmsg_copyout_ool_descriptor(
+       mach_msg_ool_descriptor_t   *dsc,
+       mach_msg_descriptor_t       *user_dsc,
+       int                         is_64bit,
+       vm_map_t                    map,
+       mach_msg_return_t           *mr)
+{
+       vm_map_copy_t               copy;
+       vm_map_address_t            rcv_addr;
+       mach_msg_copy_options_t     copy_options;
+       vm_map_size_t               size;
+       mach_msg_descriptor_type_t  dsc_type;
+       boolean_t                   misaligned = FALSE;
+
+       //SKIP_PORT_DESCRIPTORS(saddr, sdsc_count);
+
+       copy = (vm_map_copy_t)dsc->address;
+       size = (vm_map_size_t)dsc->size;
+       copy_options = dsc->copy;
+       assert(copy_options != MACH_MSG_KALLOC_COPY_T);
+       dsc_type = dsc->type;
+
+       if (copy != VM_MAP_COPY_NULL) {
+               kern_return_t kr;
+
+               rcv_addr = 0;
+               if (vm_map_copy_validate_size(map, copy, &size) == FALSE) {
+                       panic("Inconsistent OOL/copyout size on %p: expected %d, got %lld @%p",
+                           dsc, dsc->size, (unsigned long long)copy->size, copy);
+               }
+
+               if ((copy->type == VM_MAP_COPY_ENTRY_LIST) &&
+                   (trunc_page(copy->offset) != copy->offset ||
+                   round_page(dsc->size) != dsc->size)) {
+                       misaligned = TRUE;
                }
 
                }
 
-               if (notify != MACH_PORT_NULL) {
-                       ipc_entry_t entry;
+               if (misaligned) {
+                       vm_map_address_t        rounded_addr;
+                       vm_map_size_t   rounded_size;
+                       vm_map_offset_t effective_page_mask, effective_page_size;
 
 
-                       /* must check notify even though it won't be used */
+                       effective_page_mask = VM_MAP_PAGE_MASK(map);
+                       effective_page_size = effective_page_mask + 1;
 
 
-                       if ((entry = ipc_entry_lookup(space, notify)) == IE_NULL) {
-                               is_read_unlock(space);
-                               return MACH_RCV_INVALID_NOTIFY;
+                       rounded_size = vm_map_round_page(copy->offset + size, effective_page_mask) - vm_map_trunc_page(copy->offset, effective_page_mask);
+
+                       kr = vm_allocate_kernel(map, (vm_offset_t*)&rounded_addr, rounded_size, VM_FLAGS_ANYWHERE, 0);
+
+                       if (kr == KERN_SUCCESS) {
+                               /*
+                                * vm_map_copy_overwrite does a full copy
+                                * if size is too small to optimize.
+                                * So we tried skipping the offset adjustment
+                                * if we fail the 'size' test.
+                                *
+                                * if (size >= VM_MAP_COPY_OVERWRITE_OPTIMIZATION_THRESHOLD_PAGES * effective_page_size) {
+                                *
+                                * This resulted in leaked memory especially on the
+                                * older watches (16k user - 4k kernel) because we
+                                * would do a physical copy into the start of this
+                                * rounded range but could leak part of it
+                                * on deallocation if the 'size' being deallocated
+                                * does not cover the full range. So instead we do
+                                * the misalignment adjustment always so that on
+                                * deallocation we will remove the full range.
+                                */
+                               if ((rounded_addr & effective_page_mask) !=
+                                   (copy->offset & effective_page_mask)) {
+                                       /*
+                                        * Need similar mis-alignment of source and destination...
+                                        */
+                                       rounded_addr += (copy->offset & effective_page_mask);
+
+                                       assert((rounded_addr & effective_page_mask) == (copy->offset & effective_page_mask));
+                               }
+                               rcv_addr = rounded_addr;
+
+                               kr = vm_map_copy_overwrite(map, rcv_addr, copy, size, FALSE);
                        }
                        }
-       
-                       if ((entry->ie_bits & MACH_PORT_TYPE_RECEIVE) == 0) {
-                               is_read_unlock(space);
-                               return MACH_RCV_INVALID_NOTIFY;
+               } else {
+                       kr = vm_map_copyout_size(map, &rcv_addr, copy, size);
+               }
+               if (kr != KERN_SUCCESS) {
+                       if (kr == KERN_RESOURCE_SHORTAGE) {
+                               *mr |= MACH_MSG_VM_KERNEL;
+                       } else {
+                               *mr |= MACH_MSG_VM_SPACE;
+                       }
+                       vm_map_copy_discard(copy);
+                       rcv_addr = 0;
+                       size = 0;
+               }
+       } else {
+               rcv_addr = 0;
+               size = 0;
+       }
+
+       /*
+        * Now update the descriptor as the user would see it.
+        * This may require expanding the descriptor to the user
+        * visible size.  There is already space allocated for
+        * this in what naddr points to.
+        */
+       if (current_task() == kernel_task) {
+               mach_msg_ool_descriptor_t *user_ool_dsc = (typeof(user_ool_dsc))user_dsc;
+               user_ool_dsc--;
+               bzero((void *)user_ool_dsc, sizeof(*user_ool_dsc));
+
+               user_ool_dsc->address = (void *)(uintptr_t)rcv_addr;
+               user_ool_dsc->deallocate = (copy_options == MACH_MSG_VIRTUAL_COPY) ?
+                   TRUE : FALSE;
+               user_ool_dsc->copy = copy_options;
+               user_ool_dsc->type = dsc_type;
+               user_ool_dsc->size = (mach_msg_size_t)size;
+
+               user_dsc = (typeof(user_dsc))user_ool_dsc;
+       } else if (is_64bit) {
+               mach_msg_ool_descriptor64_t *user_ool_dsc = (typeof(user_ool_dsc))user_dsc;
+               user_ool_dsc--;
+               bzero((void *)user_ool_dsc, sizeof(*user_ool_dsc));
+
+               user_ool_dsc->address = rcv_addr;
+               user_ool_dsc->deallocate = (copy_options == MACH_MSG_VIRTUAL_COPY) ?
+                   TRUE : FALSE;
+               user_ool_dsc->copy = copy_options;
+               user_ool_dsc->type = dsc_type;
+               user_ool_dsc->size = (mach_msg_size_t)size;
+
+               user_dsc = (typeof(user_dsc))user_ool_dsc;
+       } else {
+               mach_msg_ool_descriptor32_t *user_ool_dsc = (typeof(user_ool_dsc))user_dsc;
+               user_ool_dsc--;
+               bzero((void *)user_ool_dsc, sizeof(*user_ool_dsc));
+
+               user_ool_dsc->address = CAST_DOWN_EXPLICIT(uint32_t, rcv_addr);
+               user_ool_dsc->size = (mach_msg_size_t)size;
+               user_ool_dsc->deallocate = (copy_options == MACH_MSG_VIRTUAL_COPY) ?
+                   TRUE : FALSE;
+               user_ool_dsc->copy = copy_options;
+               user_ool_dsc->type = dsc_type;
+
+               user_dsc = (typeof(user_dsc))user_ool_dsc;
+       }
+       return user_dsc;
+}
+
+mach_msg_descriptor_t *
+ipc_kmsg_copyout_ool_ports_descriptor(mach_msg_ool_ports_descriptor_t *dsc,
+    mach_msg_descriptor_t *user_dsc,
+    int is_64bit,
+    vm_map_t map,
+    ipc_space_t space,
+    ipc_kmsg_t kmsg,
+    mach_msg_return_t *mr);
+mach_msg_descriptor_t *
+ipc_kmsg_copyout_ool_ports_descriptor(mach_msg_ool_ports_descriptor_t *dsc,
+    mach_msg_descriptor_t *user_dsc,
+    int is_64bit,
+    vm_map_t map,
+    ipc_space_t space,
+    ipc_kmsg_t kmsg,
+    mach_msg_return_t *mr)
+{
+       mach_vm_offset_t            rcv_addr = 0;
+       mach_msg_type_name_t                disp;
+       mach_msg_type_number_t              count, i;
+       vm_size_t                           ports_length, names_length;
+
+       mach_msg_copy_options_t copy_options = MACH_MSG_VIRTUAL_COPY;
+
+       //SKIP_PORT_DESCRIPTORS(saddr, sdsc_count);
+
+       count = dsc->count;
+       disp = dsc->disposition;
+       ports_length = count * sizeof(mach_port_t);
+       names_length = count * sizeof(mach_port_name_t);
+
+       if (ports_length != 0 && dsc->address != 0) {
+               /*
+                * Check to see if there is an overwrite descriptor
+                * specified in the scatter list for this ool data.
+                * The descriptor has already been verified.
+                */
+#if 0
+               if (saddr != MACH_MSG_DESCRIPTOR_NULL) {
+                       if (differs) {
+                               OTHER_OOL_DESCRIPTOR *scatter_dsc;
+
+                               scatter_dsc = (OTHER_OOL_DESCRIPTOR *)saddr;
+                               rcv_addr = (mach_vm_offset_t) scatter_dsc->address;
+                               copy_options = scatter_dsc->copy;
+                       } else {
+                               mach_msg_ool_descriptor_t *scatter_dsc;
+
+                               scatter_dsc = &saddr->out_of_line;
+                               rcv_addr = CAST_USER_ADDR_T(scatter_dsc->address);
+                               copy_options = scatter_dsc->copy;
+                       }
+                       INCREMENT_SCATTER(saddr, sdsc_count, differs);
+               }
+#endif
+
+               if (copy_options == MACH_MSG_VIRTUAL_COPY) {
+                       /*
+                        * Dynamically allocate the region
+                        */
+                       vm_tag_t tag;
+                       if (vm_kernel_map_is_kernel(map)) {
+                               tag = VM_KERN_MEMORY_IPC;
+                       } else {
+                               tag = VM_MEMORY_MACH_MSG;
+                       }
+
+                       kern_return_t kr;
+                       if ((kr = mach_vm_allocate_kernel(map, &rcv_addr,
+                           (mach_vm_size_t)names_length,
+                           VM_FLAGS_ANYWHERE, tag)) != KERN_SUCCESS) {
+                               ipc_kmsg_clean_body(kmsg, 1, (mach_msg_descriptor_t *)dsc);
+                               rcv_addr = 0;
+
+                               if (kr == KERN_RESOURCE_SHORTAGE) {
+                                       *mr |= MACH_MSG_VM_KERNEL;
+                               } else {
+                                       *mr |= MACH_MSG_VM_SPACE;
+                               }
                        }
                }
 
                        }
                }
 
-               ip_lock(dest);
-               is_read_unlock(space);
+               /*
+                * Handle the port rights and copy out the names
+                * for those rights out to user-space.
+                */
+               if (rcv_addr != 0) {
+                       ipc_object_t *objects = (ipc_object_t *) dsc->address;
+                       mach_port_name_t *names = (mach_port_name_t *) dsc->address;
+
+                       /* copyout port rights carried in the message */
+
+                       for (i = 0; i < count; i++) {
+                               ipc_object_t object = objects[i];
+
+                               *mr |= ipc_kmsg_copyout_object(space, object,
+                                   disp, NULL, NULL, &names[i]);
+                       }
 
 
-               reply_name = (mach_port_name_t) reply;
+                       /* copyout to memory allocated above */
+                       void *data = dsc->address;
+                       if (copyoutmap(map, data, rcv_addr, names_length) != KERN_SUCCESS) {
+                               *mr |= MACH_MSG_VM_SPACE;
+                       }
+                       kfree(data, ports_length);
+               }
+       } else {
+               rcv_addr = 0;
        }
 
        /*
        }
 
        /*
-        *      At this point, the space is unlocked and the destination
-        *      port is locked.  (Lock taken while space was locked.)
-        *      reply_name is taken care of; we still need dest_name.
-        *      We still hold a ref for reply (if it is valid).
-        *
-        *      If the space holds receive rights for the destination,
-        *      we return its name for the right.  Otherwise the task
-        *      managed to destroy or give away the receive right between
-        *      receiving the message and this copyout.  If the destination
-        *      is dead, return MACH_PORT_DEAD, and if the receive right
-        *      exists somewhere else (another space, in transit)
-        *      return MACH_PORT_NULL.
-        *
-        *      Making this copyout operation atomic with the previous
-        *      copyout of the reply port is a bit tricky.  If there was
-        *      no real reply port (it wasn't IP_VALID) then this isn't
-        *      an issue.  If the reply port was dead at copyout time,
-        *      then we are OK, because if dest is dead we serialize
-        *      after the death of both ports and if dest is alive
-        *      we serialize after reply died but before dest's (later) death.
-        *      So assume reply was alive when we copied it out.  If dest
-        *      is alive, then we are OK because we serialize before
-        *      the ports' deaths.  So assume dest is dead when we look at it.
-        *      If reply dies/died after dest, then we are OK because
-        *      we serialize after dest died but before reply dies.
-        *      So the hard case is when reply is alive at copyout,
-        *      dest is dead at copyout, and reply died before dest died.
-        *      In this case pretend that dest is still alive, so
-        *      we serialize while both ports are alive.
-        *
-        *      Because the space lock is held across the copyout of reply
-        *      and locking dest, the receive right for dest can't move
-        *      in or out of the space while the copyouts happen, so
-        *      that isn't an atomicity problem.  In the last hard case
-        *      above, this implies that when dest is dead that the
-        *      space couldn't have had receive rights for dest at
-        *      the time reply was copied-out, so when we pretend
-        *      that dest is still alive, we can return MACH_PORT_NULL.
-        *
-        *      If dest == reply, then we have to make it look like
-        *      either both copyouts happened before the port died,
-        *      or both happened after the port died.  This special
-        *      case works naturally if the timestamp comparison
-        *      is done correctly.
+        * Now update the descriptor based on the information
+        * calculated above.
         */
         */
-
-    copyout_dest:
-
-       if (ip_active(dest)) {
-               ipc_object_copyout_dest(space, (ipc_object_t) dest,
-                                       dest_type, &dest_name);
-               /* dest is unlocked */
+       if (current_task() == kernel_task) {
+               mach_msg_ool_ports_descriptor_t *user_ool_dsc = (typeof(user_ool_dsc))user_dsc;
+               user_ool_dsc--;
+               bzero((void *)user_ool_dsc, sizeof(*user_ool_dsc));
+
+               user_ool_dsc->address = (void *)(uintptr_t)rcv_addr;
+               user_ool_dsc->deallocate = (copy_options == MACH_MSG_VIRTUAL_COPY) ?
+                   TRUE : FALSE;
+               user_ool_dsc->copy = copy_options;
+               user_ool_dsc->disposition = disp;
+               user_ool_dsc->type = MACH_MSG_OOL_PORTS_DESCRIPTOR;
+               user_ool_dsc->count = count;
+
+               user_dsc = (typeof(user_dsc))user_ool_dsc;
+       } else if (is_64bit) {
+               mach_msg_ool_ports_descriptor64_t *user_ool_dsc = (typeof(user_ool_dsc))user_dsc;
+               user_ool_dsc--;
+               bzero((void *)user_ool_dsc, sizeof(*user_ool_dsc));
+
+               user_ool_dsc->address = rcv_addr;
+               user_ool_dsc->deallocate = (copy_options == MACH_MSG_VIRTUAL_COPY) ?
+                   TRUE : FALSE;
+               user_ool_dsc->copy = copy_options;
+               user_ool_dsc->disposition = disp;
+               user_ool_dsc->type = MACH_MSG_OOL_PORTS_DESCRIPTOR;
+               user_ool_dsc->count = count;
+
+               user_dsc = (typeof(user_dsc))user_ool_dsc;
        } else {
        } else {
-               ipc_port_timestamp_t timestamp;
-
-               timestamp = dest->ip_timestamp;
-               ip_release(dest);
-               ip_check_unlock(dest);
-
-               if (IP_VALID(reply)) {
-                       ip_lock(reply);
-                       if (ip_active(reply) ||
-                           IP_TIMESTAMP_ORDER(timestamp,
-                                              reply->ip_timestamp))
-                               dest_name = MACH_PORT_DEAD;
-                       else
-                               dest_name = MACH_PORT_NULL;
-                       ip_unlock(reply);
-               } else
-                       dest_name = MACH_PORT_DEAD;
+               mach_msg_ool_ports_descriptor32_t *user_ool_dsc = (typeof(user_ool_dsc))user_dsc;
+               user_ool_dsc--;
+               bzero((void *)user_ool_dsc, sizeof(*user_ool_dsc));
+
+               user_ool_dsc->address = CAST_DOWN_EXPLICIT(uint32_t, rcv_addr);
+               user_ool_dsc->count = count;
+               user_ool_dsc->deallocate = (copy_options == MACH_MSG_VIRTUAL_COPY) ?
+                   TRUE : FALSE;
+               user_ool_dsc->copy = copy_options;
+               user_ool_dsc->disposition = disp;
+               user_ool_dsc->type = MACH_MSG_OOL_PORTS_DESCRIPTOR;
+
+               user_dsc = (typeof(user_dsc))user_ool_dsc;
        }
        }
-
-       if (IP_VALID(reply))
-               ipc_port_release(reply);
-
-       msg->msgh_bits = (MACH_MSGH_BITS_OTHER(mbits) |
-                         MACH_MSGH_BITS(reply_type, dest_type));
-       msg->msgh_local_port = (ipc_port_t)dest_name;
-       msg->msgh_remote_port = (ipc_port_t)reply_name;
-    }
-
-       return MACH_MSG_SUCCESS;
+       return user_dsc;
 }
 
 }
 
-/*
- *     Routine:        ipc_kmsg_copyout_object
- *     Purpose:
- *             Copy-out a port right.  Always returns a name,
- *             even for unsuccessful return codes.  Always
- *             consumes the supplied object.
- *     Conditions:
- *             Nothing locked.
- *     Returns:
- *             MACH_MSG_SUCCESS        The space acquired the right
- *                     (name is valid) or the object is dead (MACH_PORT_DEAD).
- *             MACH_MSG_IPC_SPACE      No room in space for the right,
- *                     or the space is dead.  (Name is MACH_PORT_NULL.)
- *             MACH_MSG_IPC_KERNEL     Kernel resource shortage.
- *                     (Name is MACH_PORT_NULL.)
- */
-
-mach_msg_return_t
-ipc_kmsg_copyout_object(
-       ipc_space_t             space,
-       ipc_object_t            object,
-       mach_msg_type_name_t    msgt_name,
-       mach_port_name_t        *namep)
+static mach_msg_descriptor_t *
+ipc_kmsg_copyout_guarded_port_descriptor(
+       mach_msg_guarded_port_descriptor_t *dsc,
+       mach_msg_descriptor_t *dest_dsc,
+       int is_64bit,
+       __unused ipc_kmsg_t  kmsg,
+       ipc_space_t space,
+       mach_msg_option_t option,
+       kern_return_t *mr)
 {
 {
-       kern_return_t kr;
-
-       if (!IO_VALID(object)) {
-               *namep = (mach_port_name_t) object;
-               return MACH_MSG_SUCCESS;
-       }
-
-       kr = ipc_object_copyout(space, object, msgt_name, TRUE, namep);
-       if (kr != KERN_SUCCESS) {
-               ipc_object_destroy(object, msgt_name);
-
-               if (kr == KERN_INVALID_CAPABILITY)
-                       *namep = MACH_PORT_DEAD;
-               else {
-                       *namep = MACH_PORT_NULL;
-
-                       if (kr == KERN_RESOURCE_SHORTAGE)
-                               return MACH_MSG_IPC_KERNEL;
-                       else
-                               return MACH_MSG_IPC_SPACE;
+       mach_port_t                 port;
+       mach_port_name_t            name = MACH_PORT_NULL;
+       mach_msg_type_name_t        disp;
+       mach_msg_guard_flags_t      guard_flags;
+       mach_port_context_t         context;
+
+       /* Copyout port right carried in the message */
+       port = dsc->name;
+       disp = dsc->disposition;
+       guard_flags = dsc->flags;
+       context = 0;
+
+       /* Currently kernel_task doesnt support receiving guarded port descriptors */
+       struct knote *kn = current_thread()->ith_knote;
+       if ((kn != ITH_KNOTE_PSEUDO) && (((option & MACH_RCV_GUARDED_DESC) == 0) ||
+           (current_task() == kernel_task))) {
+#if DEVELOPMENT || DEBUG
+               if (current_task() != kernel_task) {
+                       /*
+                        * Simulated crash needed for debugging, notifies the receiver to opt into receiving
+                        * guarded descriptors.
+                        */
+                       mach_port_guard_exception(current_thread()->ith_receiver_name, 0, 0, kGUARD_EXC_RCV_GUARDED_DESC);
+               }
+#endif
+               KDBG(MACHDBG_CODE(DBG_MACH_IPC, MACH_IPC_DESTROY_GUARDED_DESC), current_thread()->ith_receiver_name,
+                   VM_KERNEL_ADDRPERM(port), disp, guard_flags);
+               ipc_object_destroy(ip_to_object(port), disp);
+               mach_msg_legacy_port_descriptor_t *user_dsc = (typeof(user_dsc))dest_dsc;
+               user_dsc--;         // point to the start of this port descriptor
+               bzero((void *)user_dsc, sizeof(*user_dsc));
+               user_dsc->name = name;
+               user_dsc->disposition = disp;
+               user_dsc->type = MACH_MSG_PORT_DESCRIPTOR;
+               dest_dsc = (typeof(dest_dsc))user_dsc;
+       } else {
+               *mr |= ipc_kmsg_copyout_object(space,
+                   ip_to_object(port), disp, &context, &guard_flags, &name);
+
+               if (!is_64bit) {
+                       mach_msg_guarded_port_descriptor32_t *user_dsc = (typeof(user_dsc))dest_dsc;
+                       user_dsc--;         // point to the start of this port descriptor
+                       bzero((void *)user_dsc, sizeof(*user_dsc));
+                       user_dsc->name = name;
+                       user_dsc->flags = guard_flags;
+                       user_dsc->disposition = disp;
+                       user_dsc->type = MACH_MSG_GUARDED_PORT_DESCRIPTOR;
+                       user_dsc->context = CAST_DOWN_EXPLICIT(uint32_t, context);
+                       dest_dsc = (typeof(dest_dsc))user_dsc;
+               } else {
+                       mach_msg_guarded_port_descriptor64_t *user_dsc = (typeof(user_dsc))dest_dsc;
+                       user_dsc--;         // point to the start of this port descriptor
+                       bzero((void *)user_dsc, sizeof(*user_dsc));
+                       user_dsc->name = name;
+                       user_dsc->flags = guard_flags;
+                       user_dsc->disposition = disp;
+                       user_dsc->type = MACH_MSG_GUARDED_PORT_DESCRIPTOR;
+                       user_dsc->context = context;
+                       dest_dsc = (typeof(dest_dsc))user_dsc;
                }
        }
 
                }
        }
 
-       return MACH_MSG_SUCCESS;
+       return (mach_msg_descriptor_t *)dest_dsc;
 }
 
 }
 
+
 /*
  *     Routine:        ipc_kmsg_copyout_body
  *     Purpose:
 /*
  *     Routine:        ipc_kmsg_copyout_body
  *     Purpose:
@@ -2225,192 +5427,131 @@ ipc_kmsg_copyout_object(
 
 mach_msg_return_t
 ipc_kmsg_copyout_body(
 
 mach_msg_return_t
 ipc_kmsg_copyout_body(
-       ipc_kmsg_t              kmsg,
-       ipc_space_t             space,
-       vm_map_t                map,
-       mach_msg_body_t         *slist)
-{
-    mach_msg_body_t            *body;
-    mach_msg_descriptor_t      *saddr, *eaddr;
-    mach_msg_return_t          mr = MACH_MSG_SUCCESS;
-    kern_return_t              kr;
-    vm_offset_t                data;
-    mach_msg_descriptor_t      *sstart, *send;
-
-    body = (mach_msg_body_t *) (&kmsg->ikm_header + 1);
-    saddr = (mach_msg_descriptor_t *) (body + 1);
-    eaddr = saddr + body->msgh_descriptor_count;
-
-    /*
-     * Do scatter list setup
-     */
-    if (slist != MACH_MSG_BODY_NULL) {
-       sstart = (mach_msg_descriptor_t *) (slist + 1);
-       send = sstart + slist->msgh_descriptor_count;
-    }
-    else {
-       sstart = MACH_MSG_DESCRIPTOR_NULL;
-    }
-
-    for ( ; saddr < eaddr; saddr++ ) {
-       
-       switch (saddr->type.type) {
-           
-           case MACH_MSG_PORT_DESCRIPTOR: {
-               mach_msg_port_descriptor_t *dsc;
-               
-               /* 
-                * Copyout port right carried in the message 
-                */
-               dsc = &saddr->port;
-               mr |= ipc_kmsg_copyout_object(space, 
-                                             (ipc_object_t) dsc->name, 
-                                             dsc->disposition, 
-                                             (mach_port_name_t *) &dsc->name);
-
-               break;
-           }
-           case MACH_MSG_OOL_VOLATILE_DESCRIPTOR:
-           case MACH_MSG_OOL_DESCRIPTOR : {
-               vm_offset_t                     rcv_addr;
-               vm_offset_t                     snd_addr;
-               mach_msg_ool_descriptor_t       *dsc;
-               mach_msg_copy_options_t         copy_option;
-
-               SKIP_PORT_DESCRIPTORS(sstart, send);
-
-               dsc = &saddr->out_of_line;
-
-               assert(dsc->copy != MACH_MSG_KALLOC_COPY_T);
+       ipc_kmsg_t              kmsg,
+       ipc_space_t             space,
+       vm_map_t                map,
+       mach_msg_option_t       option,
+       mach_msg_body_t         *slist)
+{
+       mach_msg_body_t             *body;
+       mach_msg_descriptor_t       *kern_dsc, *user_dsc;
+       mach_msg_descriptor_t       *saddr;
+       mach_msg_type_number_t      dsc_count, sdsc_count;
+       int i;
+       mach_msg_return_t           mr = MACH_MSG_SUCCESS;
+       boolean_t                   is_task_64bit = (map->max_offset > VM_MAX_ADDRESS);
+
+       body = (mach_msg_body_t *) (kmsg->ikm_header + 1);
+       dsc_count = body->msgh_descriptor_count;
+       kern_dsc = (mach_msg_descriptor_t *) (body + 1);
+       /* Point user_dsc just after the end of all the descriptors */
+       user_dsc = &kern_dsc[dsc_count];
+
+       /* Do scatter list setup */
+       if (slist != MACH_MSG_BODY_NULL) {
+               panic("Scatter lists disabled");
+               saddr = (mach_msg_descriptor_t *) (slist + 1);
+               sdsc_count = slist->msgh_descriptor_count;
+       } else {
+               saddr = MACH_MSG_DESCRIPTOR_NULL;
+               sdsc_count = 0;
+       }
 
 
-               copy_option = dsc->copy;
+       /* Now process the descriptors - in reverse order */
+       for (i = dsc_count - 1; i >= 0; i--) {
+               switch (kern_dsc[i].type.type) {
+               case MACH_MSG_PORT_DESCRIPTOR:
+                       user_dsc = ipc_kmsg_copyout_port_descriptor(&kern_dsc[i],
+                           user_dsc, space, &mr);
+                       break;
+               case MACH_MSG_OOL_VOLATILE_DESCRIPTOR:
+               case MACH_MSG_OOL_DESCRIPTOR:
+                       user_dsc = ipc_kmsg_copyout_ool_descriptor(
+                               (mach_msg_ool_descriptor_t *)&kern_dsc[i],
+                               user_dsc, is_task_64bit, map, &mr);
+                       break;
+               case MACH_MSG_OOL_PORTS_DESCRIPTOR:
+                       user_dsc = ipc_kmsg_copyout_ool_ports_descriptor(
+                               (mach_msg_ool_ports_descriptor_t *)&kern_dsc[i],
+                               user_dsc, is_task_64bit, map, space, kmsg, &mr);
+                       break;
+               case MACH_MSG_GUARDED_PORT_DESCRIPTOR:
+                       user_dsc = ipc_kmsg_copyout_guarded_port_descriptor(
+                               (mach_msg_guarded_port_descriptor_t *)&kern_dsc[i],
+                               user_dsc, is_task_64bit, kmsg, space, option, &mr);
+                       break;
+               default: {
+                       panic("untyped IPC copyout body: invalid message descriptor");
+               }
+               }
+       }
 
 
-               if ((snd_addr = (vm_offset_t) dsc->address) != 0) {
-                   if (sstart != MACH_MSG_DESCRIPTOR_NULL &&
-                       sstart->out_of_line.copy == MACH_MSG_OVERWRITE) {
+       if (user_dsc != kern_dsc) {
+               vm_offset_t dsc_adjust = (vm_offset_t)user_dsc - (vm_offset_t)kern_dsc;
+               memmove((char *)((vm_offset_t)kmsg->ikm_header + dsc_adjust), kmsg->ikm_header, sizeof(mach_msg_base_t));
+               kmsg->ikm_header = (mach_msg_header_t *)((vm_offset_t)kmsg->ikm_header + dsc_adjust);
+               /* Update the message size for the smaller user representation */
+               kmsg->ikm_header->msgh_size -= (mach_msg_size_t)dsc_adjust;
+       }
 
 
-                       /*
-                        * There is an overwrite descriptor specified in the
-                        * scatter list for this ool data.  The descriptor
-                        * has already been verified
-                        */
-                       rcv_addr = (vm_offset_t) sstart->out_of_line.address;
-                       dsc->copy = MACH_MSG_OVERWRITE;
-                   } else {
-                       dsc->copy = MACH_MSG_ALLOCATE;
-                   }
-
-                   /*
-                    * Whether the data was virtually or physically
-                    * copied we have a vm_map_copy_t for it.
-                    * If there's an overwrite region specified
-                    * overwrite it, otherwise do a virtual copy out.
-                    */
-                   if (dsc->copy == MACH_MSG_OVERWRITE) {
-                           kr = vm_map_copy_overwrite(map, rcv_addr,
-                                           (vm_map_copy_t) dsc->address, TRUE);
-                   } else {
-                           kr = vm_map_copyout(map, &rcv_addr, 
-                                               (vm_map_copy_t) dsc->address);
-                   }   
-                   if (kr != KERN_SUCCESS) {
-                           if (kr == KERN_RESOURCE_SHORTAGE)
-                                   mr |= MACH_MSG_VM_KERNEL;
-                           else
-                                   mr |= MACH_MSG_VM_SPACE;
-                           vm_map_copy_discard((vm_map_copy_t) dsc->address);
-                           dsc->address = 0;
-                           INCREMENT_SCATTER(sstart);
-                           break;
-                   }
-                   dsc->address = (void *) rcv_addr;
-               }
-               INCREMENT_SCATTER(sstart);
-               break;
-           }
-           case MACH_MSG_OOL_PORTS_DESCRIPTOR : {
-               vm_offset_t                     addr;
-               mach_port_name_t                *objects;
-               mach_msg_type_number_t          j;
-               vm_size_t                       length;
-               mach_msg_ool_ports_descriptor_t *dsc;
+       return mr;
+}
 
 
-               SKIP_PORT_DESCRIPTORS(sstart, send);
+/*
+ *     Routine:        ipc_kmsg_copyout_size
+ *     Purpose:
+ *             Compute the size of the message as copied out to the given
+ *             map. If the destination map's pointers are a different size
+ *             than the kernel's, we have to allow for expansion/
+ *             contraction of the descriptors as appropriate.
+ *     Conditions:
+ *             Nothing locked.
+ *     Returns:
+ *             size of the message as it would be received.
+ */
 
 
-               dsc = &saddr->ool_ports;
+mach_msg_size_t
+ipc_kmsg_copyout_size(
+       ipc_kmsg_t              kmsg,
+       vm_map_t                map)
+{
+       mach_msg_size_t             send_size;
 
 
-               length = dsc->count * sizeof(mach_port_name_t);
+       send_size = kmsg->ikm_header->msgh_size;
 
 
-               if (length != 0) {
-                   if (sstart != MACH_MSG_DESCRIPTOR_NULL &&
-                       sstart->ool_ports.copy == MACH_MSG_OVERWRITE) {
+       boolean_t is_task_64bit = (map->max_offset > VM_MAX_ADDRESS);
 
 
-                       /*
-                        * There is an overwrite descriptor specified in the
-                        * scatter list for this ool data.  The descriptor
-                        * has already been verified
-                        */
-                       addr = (vm_offset_t) sstart->out_of_line.address;
-                       dsc->copy = MACH_MSG_OVERWRITE;
-                   } 
-                   else {
+#if defined(__LP64__)
+       send_size -= LEGACY_HEADER_SIZE_DELTA;
+#endif
 
 
-                       /*
-                        * Dynamically allocate the region
-                        */
-                       int anywhere = VM_MAKE_TAG(VM_MEMORY_MACH_MSG)|
-                                      VM_FLAGS_ANYWHERE;
-
-                       dsc->copy = MACH_MSG_ALLOCATE;
-                       if ((kr = vm_allocate(map, &addr, length,
-                                             anywhere)) != KERN_SUCCESS) {
-                           ipc_kmsg_clean_body(kmsg,
-                                               body->msgh_descriptor_count);
-                           dsc->address = 0;
-
-                           if (kr == KERN_RESOURCE_SHORTAGE){
-                               mr |= MACH_MSG_VM_KERNEL;
-                           } else {
-                               mr |= MACH_MSG_VM_SPACE;
-                           }
-                           INCREMENT_SCATTER(sstart);
-                           break;
-                       }
-                   }
-               } else {
-                   INCREMENT_SCATTER(sstart);
-                   break;
-               }
-
-               
-               objects = (mach_port_name_t *) dsc->address ;
-               
-               /* copyout port rights carried in the message */
-               
-               for ( j = 0; j < dsc->count ; j++) {
-                   ipc_object_t object =
-                       (ipc_object_t) objects[j];
-                   
-                   mr |= ipc_kmsg_copyout_object(space, object,
-                                       dsc->disposition, &objects[j]);
-               }
-
-               /* copyout to memory allocated above */
-               
-               data = (vm_offset_t) dsc->address;
-               (void) copyoutmap(map, data, addr, length);
-               kfree(data, length);
-               
-               dsc->address = (void *) addr;
-               INCREMENT_SCATTER(sstart);
-               break;
-           }
-           default : {
-               panic("untyped IPC copyout body: invalid message descriptor");
-           }
+       if (kmsg->ikm_header->msgh_bits & MACH_MSGH_BITS_COMPLEX) {
+               mach_msg_body_t *body;
+               mach_msg_descriptor_t *saddr, *eaddr;
+
+               body = (mach_msg_body_t *) (kmsg->ikm_header + 1);
+               saddr = (mach_msg_descriptor_t *) (body + 1);
+               eaddr = saddr + body->msgh_descriptor_count;
+
+               for (; saddr < eaddr; saddr++) {
+                       switch (saddr->type.type) {
+                       case MACH_MSG_OOL_DESCRIPTOR:
+                       case MACH_MSG_OOL_VOLATILE_DESCRIPTOR:
+                       case MACH_MSG_OOL_PORTS_DESCRIPTOR:
+                       case MACH_MSG_GUARDED_PORT_DESCRIPTOR:
+                               if (!is_task_64bit) {
+                                       send_size -= DESC_SIZE_ADJUSTMENT;
+                               }
+                               break;
+                       case MACH_MSG_PORT_DESCRIPTOR:
+                               send_size -= DESC_SIZE_ADJUSTMENT;
+                               break;
+                       default:
+                               break;
+                       }
+               }
        }
        }
-    }
-    return mr;
+       return send_size;
 }
 
 /*
 }
 
 /*
@@ -2422,8 +5563,6 @@ ipc_kmsg_copyout_body(
  *             Nothing locked.
  *     Returns:
  *             MACH_MSG_SUCCESS        Copied out all rights and memory.
  *             Nothing locked.
  *     Returns:
  *             MACH_MSG_SUCCESS        Copied out all rights and memory.
- *             MACH_RCV_INVALID_NOTIFY Bad notify port.
- *                     Rights and memory in the message are intact.
  *             MACH_RCV_HEADER_ERROR + special bits
  *                     Rights and memory in the message are intact.
  *             MACH_RCV_BODY_ERROR + special bits
  *             MACH_RCV_HEADER_ERROR + special bits
  *                     Rights and memory in the message are intact.
  *             MACH_RCV_BODY_ERROR + special bits
@@ -2433,23 +5572,27 @@ ipc_kmsg_copyout_body(
 
 mach_msg_return_t
 ipc_kmsg_copyout(
 
 mach_msg_return_t
 ipc_kmsg_copyout(
-       ipc_kmsg_t              kmsg,
-       ipc_space_t             space,
-       vm_map_t                map,
-       mach_port_name_t        notify,
-       mach_msg_body_t         *slist)
+       ipc_kmsg_t              kmsg,
+       ipc_space_t             space,
+       vm_map_t                map,
+       mach_msg_body_t         *slist,
+       mach_msg_option_t      option)
 {
        mach_msg_return_t mr;
 
 {
        mach_msg_return_t mr;
 
-       mr = ipc_kmsg_copyout_header(&kmsg->ikm_header, space, notify);
-       if (mr != MACH_MSG_SUCCESS)
+       ikm_validate_sig(kmsg);
+
+       mr = ipc_kmsg_copyout_header(kmsg, space, option);
+       if (mr != MACH_MSG_SUCCESS) {
                return mr;
                return mr;
+       }
 
 
-       if (kmsg->ikm_header.msgh_bits & MACH_MSGH_BITS_COMPLEX) {
-               mr = ipc_kmsg_copyout_body(kmsg, space, map, slist);
+       if (kmsg->ikm_header->msgh_bits & MACH_MSGH_BITS_COMPLEX) {
+               mr = ipc_kmsg_copyout_body(kmsg, space, map, option, slist);
 
 
-               if (mr != MACH_MSG_SUCCESS)
+               if (mr != MACH_MSG_SUCCESS) {
                        mr |= MACH_RCV_BODY_ERROR;
                        mr |= MACH_RCV_BODY_ERROR;
+               }
        }
 
        return mr;
        }
 
        return mr;
@@ -2477,30 +5620,58 @@ ipc_kmsg_copyout(
 
 mach_msg_return_t
 ipc_kmsg_copyout_pseudo(
 
 mach_msg_return_t
 ipc_kmsg_copyout_pseudo(
-       ipc_kmsg_t              kmsg,
-       ipc_space_t             space,
-       vm_map_t                map,
-       mach_msg_body_t         *slist)
-{
-       mach_msg_bits_t mbits = kmsg->ikm_header.msgh_bits;
-       ipc_object_t dest = (ipc_object_t) kmsg->ikm_header.msgh_remote_port;
-       ipc_object_t reply = (ipc_object_t) kmsg->ikm_header.msgh_local_port;
+       ipc_kmsg_t              kmsg,
+       ipc_space_t             space,
+       vm_map_t                map,
+       mach_msg_body_t         *slist)
+{
+       mach_msg_bits_t mbits = kmsg->ikm_header->msgh_bits;
+       ipc_object_t dest = ip_to_object(kmsg->ikm_header->msgh_remote_port);
+       ipc_object_t reply = ip_to_object(kmsg->ikm_header->msgh_local_port);
+       ipc_object_t voucher = ip_to_object(kmsg->ikm_voucher);
        mach_msg_type_name_t dest_type = MACH_MSGH_BITS_REMOTE(mbits);
        mach_msg_type_name_t reply_type = MACH_MSGH_BITS_LOCAL(mbits);
        mach_msg_type_name_t dest_type = MACH_MSGH_BITS_REMOTE(mbits);
        mach_msg_type_name_t reply_type = MACH_MSGH_BITS_LOCAL(mbits);
+       mach_msg_type_name_t voucher_type = MACH_MSGH_BITS_VOUCHER(mbits);
+       mach_port_name_t voucher_name = kmsg->ikm_header->msgh_voucher_port;
        mach_port_name_t dest_name, reply_name;
        mach_msg_return_t mr;
 
        mach_port_name_t dest_name, reply_name;
        mach_msg_return_t mr;
 
+       /* Set ith_knote to ITH_KNOTE_PSEUDO */
+       current_thread()->ith_knote = ITH_KNOTE_PSEUDO;
+
+       ikm_validate_sig(kmsg);
+
        assert(IO_VALID(dest));
 
        assert(IO_VALID(dest));
 
-       mr = (ipc_kmsg_copyout_object(space, dest, dest_type, &dest_name) |
-             ipc_kmsg_copyout_object(space, reply, reply_type, &reply_name));
+#if 0
+       /*
+        * If we did this here, it looks like we wouldn't need the undo logic
+        * at the end of ipc_kmsg_send() in the error cases.  Not sure which
+        * would be more elegant to keep.
+        */
+       ipc_importance_clean(kmsg);
+#else
+       /* just assert it is already clean */
+       ipc_importance_assert_clean(kmsg);
+#endif
+
+       mr = (ipc_kmsg_copyout_object(space, dest, dest_type, NULL, NULL, &dest_name) |
+           ipc_kmsg_copyout_object(space, reply, reply_type, NULL, NULL, &reply_name));
+
+       kmsg->ikm_header->msgh_bits = mbits & MACH_MSGH_BITS_USER;
+       kmsg->ikm_header->msgh_remote_port = CAST_MACH_NAME_TO_PORT(dest_name);
+       kmsg->ikm_header->msgh_local_port = CAST_MACH_NAME_TO_PORT(reply_name);
 
 
-       kmsg->ikm_header.msgh_bits = mbits &~ MACH_MSGH_BITS_CIRCULAR;
-       kmsg->ikm_header.msgh_remote_port = (ipc_port_t)dest_name;
-       kmsg->ikm_header.msgh_local_port = (ipc_port_t)reply_name;
+       if (IO_VALID(voucher)) {
+               assert(voucher_type == MACH_MSG_TYPE_MOVE_SEND);
+
+               kmsg->ikm_voucher = IP_NULL;
+               mr |= ipc_kmsg_copyout_object(space, voucher, voucher_type, NULL, NULL, &voucher_name);
+               kmsg->ikm_header->msgh_voucher_port = voucher_name;
+       }
 
        if (mbits & MACH_MSGH_BITS_COMPLEX) {
 
        if (mbits & MACH_MSGH_BITS_COMPLEX) {
-               mr |= ipc_kmsg_copyout_body(kmsg, space, map, slist);
+               mr |= ipc_kmsg_copyout_body(kmsg, space, map, 0, slist);
        }
 
        return mr;
        }
 
        return mr;
@@ -2517,202 +5688,73 @@ ipc_kmsg_copyout_pseudo(
 
 void
 ipc_kmsg_copyout_dest(
 
 void
 ipc_kmsg_copyout_dest(
-       ipc_kmsg_t      kmsg,
-       ipc_space_t     space)
+       ipc_kmsg_t      kmsg,
+       ipc_space_t     space)
 {
        mach_msg_bits_t mbits;
        ipc_object_t dest;
        ipc_object_t reply;
 {
        mach_msg_bits_t mbits;
        ipc_object_t dest;
        ipc_object_t reply;
+       ipc_object_t voucher;
        mach_msg_type_name_t dest_type;
        mach_msg_type_name_t reply_type;
        mach_msg_type_name_t dest_type;
        mach_msg_type_name_t reply_type;
-       mach_port_name_t dest_name, reply_name;
+       mach_msg_type_name_t voucher_type;
+       mach_port_name_t dest_name, reply_name, voucher_name;
+
+       ikm_validate_sig(kmsg);
 
 
-       mbits = kmsg->ikm_header.msgh_bits;
-       dest = (ipc_object_t) kmsg->ikm_header.msgh_remote_port;
-       reply = (ipc_object_t) kmsg->ikm_header.msgh_local_port;
+       mbits = kmsg->ikm_header->msgh_bits;
+       dest = ip_to_object(kmsg->ikm_header->msgh_remote_port);
+       reply = ip_to_object(kmsg->ikm_header->msgh_local_port);
+       voucher = ip_to_object(kmsg->ikm_voucher);
+       voucher_name = kmsg->ikm_header->msgh_voucher_port;
        dest_type = MACH_MSGH_BITS_REMOTE(mbits);
        reply_type = MACH_MSGH_BITS_LOCAL(mbits);
        dest_type = MACH_MSGH_BITS_REMOTE(mbits);
        reply_type = MACH_MSGH_BITS_LOCAL(mbits);
+       voucher_type = MACH_MSGH_BITS_VOUCHER(mbits);
 
        assert(IO_VALID(dest));
 
 
        assert(IO_VALID(dest));
 
+       ipc_importance_assert_clean(kmsg);
+
        io_lock(dest);
        if (io_active(dest)) {
                ipc_object_copyout_dest(space, dest, dest_type, &dest_name);
                /* dest is unlocked */
        } else {
        io_lock(dest);
        if (io_active(dest)) {
                ipc_object_copyout_dest(space, dest, dest_type, &dest_name);
                /* dest is unlocked */
        } else {
+               io_unlock(dest);
                io_release(dest);
                io_release(dest);
-               io_check_unlock(dest);
                dest_name = MACH_PORT_DEAD;
        }
 
        if (IO_VALID(reply)) {
                ipc_object_destroy(reply, reply_type);
                reply_name = MACH_PORT_NULL;
                dest_name = MACH_PORT_DEAD;
        }
 
        if (IO_VALID(reply)) {
                ipc_object_destroy(reply, reply_type);
                reply_name = MACH_PORT_NULL;
-       } else
-               reply_name = (mach_port_name_t) reply;
-
-       kmsg->ikm_header.msgh_bits = (MACH_MSGH_BITS_OTHER(mbits) |
-                                     MACH_MSGH_BITS(reply_type, dest_type));
-       kmsg->ikm_header.msgh_local_port = (ipc_port_t)dest_name;
-       kmsg->ikm_header.msgh_remote_port = (ipc_port_t)reply_name;
+       } else {
+               reply_name = CAST_MACH_PORT_TO_NAME(reply);
+       }
 
 
-       if (mbits & MACH_MSGH_BITS_COMPLEX) {
-               mach_msg_body_t *body;
+       if (IO_VALID(voucher)) {
+               assert(voucher_type == MACH_MSG_TYPE_MOVE_SEND);
 
 
-               body = (mach_msg_body_t *) (&kmsg->ikm_header + 1);
-               ipc_kmsg_clean_body(kmsg, body->msgh_descriptor_count);
+               kmsg->ikm_voucher = IP_NULL;
+               ipc_object_destroy(voucher, voucher_type);
+               voucher_name = MACH_PORT_NULL;
        }
        }
-}
-/*
- *      Routine:        ipc_kmsg_copyin_scatter
- *      Purpose:
- *              allocate and copyin a scatter list
- *      Algorithm:
- *              The gather (kmsg) is valid since it has been copied in.
- *              Gather list descriptors are sequentially paired with scatter
- *              list descriptors, with port descriptors in either list ignored.
- *              Descriptors are consistent if the type fileds match and size
- *              of the scatter descriptor is less than or equal to the
- *              size of the gather descriptor.  A MACH_MSG_ALLOCATE copy
- *              strategy in a scatter descriptor matches any size in the
- *              corresponding gather descriptor assuming they are the same type.
- *              Either list may be larger than the other.  During the
- *              subsequent copy out, excess scatter descriptors are ignored
- *              and excess gather descriptors default to dynamic allocation.
- *
- *              In the case of a size error, the scatter list is released.
- *      Conditions:
- *              Nothing locked.
- *      Returns:
- *              the allocated message body containing the scatter list.
- */
 
 
-mach_msg_body_t *
-ipc_kmsg_copyin_scatter(
-        mach_msg_header_t       *msg,
-        mach_msg_size_t         slist_size,
-        ipc_kmsg_t              kmsg)
-{
-        mach_msg_body_t         *slist;
-        mach_msg_body_t         *body;
-        mach_msg_descriptor_t   *gstart, *gend;
-        mach_msg_descriptor_t   *sstart, *send;
-
-
-        if (slist_size < sizeof(mach_msg_base_t))
-                return MACH_MSG_BODY_NULL;
-
-        slist_size -= sizeof(mach_msg_header_t);
-        slist = (mach_msg_body_t *)kalloc(slist_size);
-        if (slist == MACH_MSG_BODY_NULL)
-                return slist;
-
-        if (copyin((char *) (msg + 1), (char *)slist, slist_size)) {
-                kfree((vm_offset_t)slist, slist_size);
-                return MACH_MSG_BODY_NULL;
-        }
-
-        if ((slist->msgh_descriptor_count* sizeof(mach_msg_descriptor_t)
-             + sizeof(mach_msg_size_t)) > slist_size) {
-                kfree((vm_offset_t)slist, slist_size);
-                return MACH_MSG_BODY_NULL;
-        }
-
-        body = (mach_msg_body_t *) (&kmsg->ikm_header + 1);
-        gstart = (mach_msg_descriptor_t *) (body + 1);
-        gend = gstart + body->msgh_descriptor_count;
-
-        sstart = (mach_msg_descriptor_t *) (slist + 1);
-        send = sstart + slist->msgh_descriptor_count;
-
-        while (gstart < gend) {
-            mach_msg_descriptor_type_t  g_type;
-
-            /*
-             * Skip port descriptors in gather list.
-             */
-            g_type = gstart->type.type;
-
-            if (g_type != MACH_MSG_PORT_DESCRIPTOR) {
-
-             /*
-              * A scatter list with a 0 descriptor count is treated as an
-              * automatic size mismatch.
-              */
-             if (slist->msgh_descriptor_count == 0) {
-                        kfree((vm_offset_t)slist, slist_size);
-                        return MACH_MSG_BODY_NULL;
-             }
-
-             /*
-              * Skip port descriptors in  scatter list.
-              */
-             while (sstart < send) {
-                    if (sstart->type.type != MACH_MSG_PORT_DESCRIPTOR)
-                        break;
-                    sstart++;
-             }
-
-             /*
-              * No more scatter descriptors, we're done
-              */
-             if (sstart >= send) {
-                    break;
-             }
-
-             /*
-              * Check type, copy and size fields
-              */
-                if (g_type == MACH_MSG_OOL_DESCRIPTOR ||
-                    g_type == MACH_MSG_OOL_VOLATILE_DESCRIPTOR) {
-                    if (sstart->type.type != MACH_MSG_OOL_DESCRIPTOR &&
-                        sstart->type.type != MACH_MSG_OOL_VOLATILE_DESCRIPTOR) {
-                        kfree((vm_offset_t)slist, slist_size);
-                        return MACH_MSG_BODY_NULL;
-                    }
-                    if (sstart->out_of_line.copy == MACH_MSG_OVERWRITE &&
-                        gstart->out_of_line.size > sstart->out_of_line.size) {
-                        kfree((vm_offset_t)slist, slist_size);
-                        return MACH_MSG_BODY_NULL;
-                    }
-                }
-                else {
-                 if (sstart->type.type != MACH_MSG_OOL_PORTS_DESCRIPTOR) {
-                        kfree((vm_offset_t)slist, slist_size);
-                        return MACH_MSG_BODY_NULL;
-                 }
-                    if (sstart->ool_ports.copy == MACH_MSG_OVERWRITE &&
-                        gstart->ool_ports.count > sstart->ool_ports.count) {
-                        kfree((vm_offset_t)slist, slist_size);
-                        return MACH_MSG_BODY_NULL;
-                    }
-                }
-                sstart++;
-            }
-            gstart++;
-        }
-        return slist;
-}
+       kmsg->ikm_header->msgh_bits = MACH_MSGH_BITS_SET(reply_type, dest_type,
+           voucher_type, mbits);
+       kmsg->ikm_header->msgh_local_port = CAST_MACH_NAME_TO_PORT(dest_name);
+       kmsg->ikm_header->msgh_remote_port = CAST_MACH_NAME_TO_PORT(reply_name);
+       kmsg->ikm_header->msgh_voucher_port = voucher_name;
 
 
+       if (mbits & MACH_MSGH_BITS_COMPLEX) {
+               mach_msg_body_t *body;
 
 
-/*
- *      Routine:        ipc_kmsg_free_scatter
- *      Purpose:
- *              Deallocate a scatter list.  Since we actually allocated
- *              a body without a header, and since the header was originally
- *              accounted for in slist_size, we have to ajust it down
- *              before freeing the scatter list.
- */
-void
-ipc_kmsg_free_scatter(
-        mach_msg_body_t *slist,
-        mach_msg_size_t slist_size)
-{
-        slist_size -= sizeof(mach_msg_header_t);
-        kfree((vm_offset_t)slist, slist_size);
+               body = (mach_msg_body_t *) (kmsg->ikm_header + 1);
+               ipc_kmsg_clean_body(kmsg, body->msgh_descriptor_count,
+                   (mach_msg_descriptor_t *)(body + 1));
+       }
 }
 
 }
 
-
 /*
  *     Routine:        ipc_kmsg_copyout_to_kernel
  *     Purpose:
 /*
  *     Routine:        ipc_kmsg_copyout_to_kernel
  *     Purpose:
@@ -2728,19 +5770,21 @@ ipc_kmsg_free_scatter(
 
 void
 ipc_kmsg_copyout_to_kernel(
 
 void
 ipc_kmsg_copyout_to_kernel(
-       ipc_kmsg_t      kmsg,
-       ipc_space_t     space)
+       ipc_kmsg_t      kmsg,
+       ipc_space_t     space)
 {
        ipc_object_t dest;
 {
        ipc_object_t dest;
-       ipc_object_t reply;
+       mach_port_t reply;
        mach_msg_type_name_t dest_type;
        mach_msg_type_name_t reply_type;
        mach_msg_type_name_t dest_type;
        mach_msg_type_name_t reply_type;
-       mach_port_name_t dest_name, reply_name;
+       mach_port_name_t dest_name;
+
+       ikm_validate_sig(kmsg);
 
 
-       dest = (ipc_object_t) kmsg->ikm_header.msgh_remote_port;
-       reply = (ipc_object_t) kmsg->ikm_header.msgh_local_port;
-       dest_type = MACH_MSGH_BITS_REMOTE(kmsg->ikm_header.msgh_bits);
-       reply_type = MACH_MSGH_BITS_LOCAL(kmsg->ikm_header.msgh_bits);
+       dest = ip_to_object(kmsg->ikm_header->msgh_remote_port);
+       reply = kmsg->ikm_header->msgh_local_port;
+       dest_type = MACH_MSGH_BITS_REMOTE(kmsg->ikm_header->msgh_bits);
+       reply_type = MACH_MSGH_BITS_LOCAL(kmsg->ikm_header->msgh_bits);
 
        assert(IO_VALID(dest));
 
 
        assert(IO_VALID(dest));
 
@@ -2749,288 +5793,287 @@ ipc_kmsg_copyout_to_kernel(
                ipc_object_copyout_dest(space, dest, dest_type, &dest_name);
                /* dest is unlocked */
        } else {
                ipc_object_copyout_dest(space, dest, dest_type, &dest_name);
                /* dest is unlocked */
        } else {
+               io_unlock(dest);
                io_release(dest);
                io_release(dest);
-               io_check_unlock(dest);
                dest_name = MACH_PORT_DEAD;
        }
 
                dest_name = MACH_PORT_DEAD;
        }
 
-       reply_name = (mach_port_name_t) reply;
+       /*
+        * While MIG kernel users don't receive vouchers, the
+        * msgh_voucher_port field is intended to be round-tripped through the
+        * kernel if there is no voucher disposition set. Here we check for a
+        * non-zero voucher disposition, and consume the voucher send right as
+        * there is no possible way to specify MACH_RCV_VOUCHER semantics.
+        */
+       mach_msg_type_name_t voucher_type;
+       voucher_type = MACH_MSGH_BITS_VOUCHER(kmsg->ikm_header->msgh_bits);
+       if (voucher_type != MACH_MSGH_BITS_ZERO) {
+               assert(voucher_type == MACH_MSG_TYPE_MOVE_SEND);
+               /*
+                * someone managed to send this kernel routine a message with
+                * a voucher in it. Cleanup the reference in
+                * kmsg->ikm_voucher.
+                */
+               if (IP_VALID(kmsg->ikm_voucher)) {
+                       ipc_port_release_send(kmsg->ikm_voucher);
+               }
+               kmsg->ikm_voucher = IP_NULL;
+               kmsg->ikm_header->msgh_voucher_port = 0;
+       }
 
 
-       kmsg->ikm_header.msgh_bits =
-               (MACH_MSGH_BITS_OTHER(kmsg->ikm_header.msgh_bits) |
-                                       MACH_MSGH_BITS(reply_type, dest_type));
-       kmsg->ikm_header.msgh_local_port = (ipc_port_t)dest_name;
-       kmsg->ikm_header.msgh_remote_port = (ipc_port_t)reply_name;
+       kmsg->ikm_header->msgh_bits =
+           (MACH_MSGH_BITS_OTHER(kmsg->ikm_header->msgh_bits) |
+           MACH_MSGH_BITS(reply_type, dest_type));
+       kmsg->ikm_header->msgh_local_port =  CAST_MACH_NAME_TO_PORT(dest_name);
+       kmsg->ikm_header->msgh_remote_port = reply;
 }
 
 }
 
-#include <mach_kdb.h>
-#if    MACH_KDB
+#if IKM_SUPPORT_LEGACY
+void
+ipc_kmsg_copyout_to_kernel_legacy(
+       ipc_kmsg_t      kmsg,
+       ipc_space_t     space)
+{
+       ipc_object_t dest;
+       mach_port_t  reply;
+       mach_msg_type_name_t dest_type;
+       mach_msg_type_name_t reply_type;
+       mach_port_name_t dest_name;
 
 
-#include <ddb/db_output.h>
-#include <ipc/ipc_print.h>
-/*
- * Forward declarations
- */
-void ipc_msg_print_untyped(
-       mach_msg_body_t         *body);
+       ikm_validate_sig(kmsg);
 
 
-char * ipc_type_name(
-       int             type_name,
-       boolean_t       received);
+       dest = ip_to_object(kmsg->ikm_header->msgh_remote_port);
+       reply = kmsg->ikm_header->msgh_local_port;
+       dest_type = MACH_MSGH_BITS_REMOTE(kmsg->ikm_header->msgh_bits);
+       reply_type = MACH_MSGH_BITS_LOCAL(kmsg->ikm_header->msgh_bits);
+
+       assert(IO_VALID(dest));
+
+       io_lock(dest);
+       if (io_active(dest)) {
+               ipc_object_copyout_dest(space, dest, dest_type, &dest_name);
+               /* dest is unlocked */
+       } else {
+               io_unlock(dest);
+               io_release(dest);
+               dest_name = MACH_PORT_DEAD;
+       }
 
 
-void ipc_print_type_name(
-       int     type_name);
+       mach_msg_type_name_t voucher_type;
+       voucher_type = MACH_MSGH_BITS_VOUCHER(kmsg->ikm_header->msgh_bits);
+       if (voucher_type != MACH_MSGH_BITS_ZERO) {
+               assert(voucher_type == MACH_MSG_TYPE_MOVE_SEND);
+               assert(IP_VALID(kmsg->ikm_voucher));
+               /*
+                * someone managed to send this kernel routine a message with
+                * a voucher in it. Cleanup the reference in
+                * kmsg->ikm_voucher.
+                */
+               ipc_port_release_send(kmsg->ikm_voucher);
+               kmsg->ikm_voucher = IP_NULL;
+               kmsg->ikm_header->msgh_voucher_port = 0;
+       }
 
 
-char *
-msgh_bit_decode(
-       mach_msg_bits_t bit);
+       kmsg->ikm_header->msgh_bits =
+           (MACH_MSGH_BITS_OTHER(kmsg->ikm_header->msgh_bits) |
+           MACH_MSGH_BITS(reply_type, dest_type));
+       kmsg->ikm_header->msgh_local_port =  CAST_MACH_NAME_TO_PORT(dest_name);
+       kmsg->ikm_header->msgh_remote_port = reply;
+
+       mach_msg_descriptor_t *saddr;
+       mach_msg_legacy_descriptor_t *daddr;
+       mach_msg_type_number_t i, count = ((mach_msg_base_t *)kmsg->ikm_header)->body.msgh_descriptor_count;
+       saddr = (mach_msg_descriptor_t *) (((mach_msg_base_t *)kmsg->ikm_header) + 1);
+       saddr = &saddr[count - 1];
+       daddr = (mach_msg_legacy_descriptor_t *)&saddr[count];
+       daddr--;
+
+       vm_offset_t dsc_adjust = 0;
+
+       for (i = 0; i < count; i++, saddr--, daddr--) {
+               switch (saddr->type.type) {
+               case MACH_MSG_PORT_DESCRIPTOR: {
+                       mach_msg_port_descriptor_t *dsc = &saddr->port;
+                       mach_msg_legacy_port_descriptor_t *dest_dsc = &daddr->port;
+
+                       mach_port_t name = dsc->name;
+                       mach_msg_type_name_t disposition = dsc->disposition;
+
+                       dest_dsc->name = CAST_MACH_PORT_TO_NAME(name);
+                       dest_dsc->disposition = disposition;
+                       dest_dsc->type = MACH_MSG_PORT_DESCRIPTOR;
+                       break;
+               }
+               case MACH_MSG_OOL_VOLATILE_DESCRIPTOR:
+               case MACH_MSG_OOL_DESCRIPTOR: {
+                       /* The sender should supply ready-made memory, i.e. a vm_map_copy_t
+                        * so we don't need to do anything special. */
 
 
-char *
-mm_copy_options_string(
-       mach_msg_copy_options_t option);
+                       mach_msg_ool_descriptor_t       *source_dsc = (typeof(source_dsc)) & saddr->out_of_line;
 
 
-void db_print_msg_uid(mach_msg_header_t *);
+                       mach_msg_ool_descriptor32_t *dest_dsc = &daddr->out_of_line32;
 
 
+                       vm_offset_t                         address = (vm_offset_t)source_dsc->address;
+                       vm_size_t                       size = source_dsc->size;
+                       boolean_t                       deallocate = source_dsc->deallocate;
+                       mach_msg_copy_options_t         copy = source_dsc->copy;
+                       mach_msg_descriptor_type_t  type = source_dsc->type;
 
 
-char *
-ipc_type_name(
-       int             type_name,
-       boolean_t       received)
-{
-       switch (type_name) {
-               case MACH_MSG_TYPE_PORT_NAME:
-               return "port_name";
-               
-               case MACH_MSG_TYPE_MOVE_RECEIVE:
-               if (received) {
-                       return "port_receive";
-               } else {
-                       return "move_receive";
+                       dest_dsc->address = address;
+                       dest_dsc->size = size;
+                       dest_dsc->deallocate = deallocate;
+                       dest_dsc->copy = copy;
+                       dest_dsc->type = type;
+                       break;
                }
                }
-               
-               case MACH_MSG_TYPE_MOVE_SEND:
-               if (received) {
-                       return "port_send";
-               } else {
-                       return "move_send";
+               case MACH_MSG_OOL_PORTS_DESCRIPTOR: {
+                       mach_msg_ool_ports_descriptor_t         *source_dsc = (typeof(source_dsc)) & saddr->ool_ports;
+
+                       mach_msg_ool_ports_descriptor32_t   *dest_dsc = &daddr->ool_ports32;
+
+                       vm_offset_t                         address = (vm_offset_t)source_dsc->address;
+                       vm_size_t                       port_count = source_dsc->count;
+                       boolean_t                       deallocate = source_dsc->deallocate;
+                       mach_msg_copy_options_t         copy = source_dsc->copy;
+                       mach_msg_descriptor_type_t  type = source_dsc->type;
+
+                       dest_dsc->address = address;
+                       dest_dsc->count = port_count;
+                       dest_dsc->deallocate = deallocate;
+                       dest_dsc->copy = copy;
+                       dest_dsc->type = type;
+                       break;
+               }
+               case MACH_MSG_GUARDED_PORT_DESCRIPTOR: {
+                       mach_msg_guarded_port_descriptor_t *source_dsc = (typeof(source_dsc)) & saddr->guarded_port;
+                       mach_msg_guarded_port_descriptor32_t *dest_dsc = &daddr->guarded_port32;
+
+                       dest_dsc->name = CAST_MACH_PORT_TO_NAME(source_dsc->name);
+                       dest_dsc->disposition = source_dsc->disposition;
+                       dest_dsc->flags = 0;
+                       dest_dsc->type = MACH_MSG_GUARDED_PORT_DESCRIPTOR;
+                       dest_dsc->context = 0;
+                       break;
+               }
+               default: {
+#if     MACH_ASSERT
+                       panic("ipc_kmsg_copyout_to_kernel_legacy: bad descriptor");
+#endif  /* MACH_ASSERT */
                }
                }
-               
-               case MACH_MSG_TYPE_MOVE_SEND_ONCE:
-               if (received) {
-                       return "port_send_once";
-               } else {
-                       return "move_send_once";
                }
                }
-               
-               case MACH_MSG_TYPE_COPY_SEND:
-               return "copy_send";
-               
-               case MACH_MSG_TYPE_MAKE_SEND:
-               return "make_send";
-               
-               case MACH_MSG_TYPE_MAKE_SEND_ONCE:
-               return "make_send_once";
-               
-               default:
-               return (char *) 0;
        }
        }
-}
-               
-void
-ipc_print_type_name(
-       int     type_name)
-{
-       char *name = ipc_type_name(type_name, TRUE);
-       if (name) {
-               printf("%s", name);
-       } else {
-               printf("type%d", type_name);
+
+       if (count) {
+               dsc_adjust = 4 * count;
+               memmove((char *)((vm_offset_t)kmsg->ikm_header + dsc_adjust), kmsg->ikm_header, sizeof(mach_msg_base_t));
+               kmsg->ikm_header = (mach_msg_header_t *)((vm_offset_t)kmsg->ikm_header + dsc_adjust);
+               /* Update the message size for the smaller user representation */
+               kmsg->ikm_header->msgh_size -= dsc_adjust;
        }
 }
        }
 }
+#endif /* IKM_SUPPORT_LEGACY */
 
 
+#ifdef __arm64__
 /*
 /*
- * ipc_kmsg_print      [ debug ]
+ * Just sets those parts of the trailer that aren't set up at allocation time.
  */
  */
-void
-ipc_kmsg_print(
-       ipc_kmsg_t      kmsg)
+static void
+ipc_kmsg_munge_trailer(mach_msg_max_trailer_t *in, void *_out, boolean_t is64bit)
 {
 {
-       iprintf("kmsg=0x%x\n", kmsg);
-       iprintf("ikm_next=0x%x, prev=0x%x, size=%d",
-               kmsg->ikm_next,
-               kmsg->ikm_prev,
-               kmsg->ikm_size);
-       printf("\n");
-       ipc_msg_print(&kmsg->ikm_header);
+       if (is64bit) {
+               mach_msg_max_trailer64_t *out = (mach_msg_max_trailer64_t*)_out;
+               out->msgh_seqno = in->msgh_seqno;
+               out->msgh_context = in->msgh_context;
+               out->msgh_trailer_size = in->msgh_trailer_size;
+               out->msgh_ad = in->msgh_ad;
+       } else {
+               mach_msg_max_trailer32_t *out = (mach_msg_max_trailer32_t*)_out;
+               out->msgh_seqno = in->msgh_seqno;
+               out->msgh_context = (mach_port_context32_t)in->msgh_context;
+               out->msgh_trailer_size = in->msgh_trailer_size;
+               out->msgh_ad = in->msgh_ad;
+       }
 }
 }
+#endif /* __arm64__ */
 
 
-char *
-msgh_bit_decode(
-       mach_msg_bits_t bit)
+mach_msg_trailer_size_t
+ipc_kmsg_trailer_size(
+       mach_msg_option_t option,
+       __unused thread_t thread)
 {
 {
-       switch (bit) {
-           case MACH_MSGH_BITS_COMPLEX:        return "complex";
-           case MACH_MSGH_BITS_CIRCULAR:       return "circular";
-           default:                            return (char *) 0;
+       if (!(option & MACH_RCV_TRAILER_MASK)) {
+               return MACH_MSG_TRAILER_MINIMUM_SIZE;
+       } else {
+               return REQUESTED_TRAILER_SIZE(thread_is_64bit_addr(thread), option);
        }
 }
 
        }
 }
 
-/*
- * ipc_msg_print       [ debug ]
- */
 void
 void
-ipc_msg_print(
-       mach_msg_header_t       *msgh)
+ipc_kmsg_add_trailer(ipc_kmsg_t kmsg, ipc_space_t space __unused,
+    mach_msg_option_t option, __unused thread_t thread,
+    mach_port_seqno_t seqno, boolean_t minimal_trailer,
+    mach_vm_offset_t context)
 {
 {
-       mach_msg_bits_t mbits;
-       unsigned int    bit, i;
-       char            *bit_name;
-       int             needs_comma;
+       mach_msg_max_trailer_t *trailer;
 
 
-       mbits = msgh->msgh_bits;
-       iprintf("msgh_bits=0x%x:  l=0x%x,r=0x%x\n",
-               mbits,
-               MACH_MSGH_BITS_LOCAL(msgh->msgh_bits),
-               MACH_MSGH_BITS_REMOTE(msgh->msgh_bits));
+#ifdef __arm64__
+       mach_msg_max_trailer_t tmp_trailer; /* This accommodates U64, and we'll munge */
+       void *real_trailer_out = (void*)(mach_msg_max_trailer_t *)
+           ((vm_offset_t)kmsg->ikm_header +
+           mach_round_msg(kmsg->ikm_header->msgh_size));
 
 
-       mbits = MACH_MSGH_BITS_OTHER(mbits) & MACH_MSGH_BITS_USED;
-       db_indent += 2;
-       if (mbits)
-               iprintf("decoded bits:  ");
-       needs_comma = 0;
-       for (i = 0, bit = 1; i < sizeof(mbits) * 8; ++i, bit <<= 1) {
-               if ((mbits & bit) == 0)
-                       continue;
-               bit_name = msgh_bit_decode((mach_msg_bits_t)bit);
-               if (bit_name)
-                       printf("%s%s", needs_comma ? "," : "", bit_name);
-               else
-                       printf("%sunknown(0x%x),", needs_comma ? "," : "", bit);
-               ++needs_comma;
-       }
-       if (msgh->msgh_bits & ~MACH_MSGH_BITS_USED) {
-               printf("%sunused=0x%x,", needs_comma ? "," : "",
-                      msgh->msgh_bits & ~MACH_MSGH_BITS_USED);
+       /*
+        * Populate scratch with initial values set up at message allocation time.
+        * After, we reinterpret the space in the message as the right type
+        * of trailer for the address space in question.
+        */
+       bcopy(real_trailer_out, &tmp_trailer, MAX_TRAILER_SIZE);
+       trailer = &tmp_trailer;
+#else /* __arm64__ */
+       (void)thread;
+       trailer = (mach_msg_max_trailer_t *)
+           ((vm_offset_t)kmsg->ikm_header +
+           mach_round_msg(kmsg->ikm_header->msgh_size));
+#endif /* __arm64__ */
+
+       if (!(option & MACH_RCV_TRAILER_MASK)) {
+               return;
        }
        }
-       printf("\n");
-       db_indent -= 2;
 
 
-       needs_comma = 1;
-       if (msgh->msgh_remote_port) {
-               iprintf("remote=0x%x(", msgh->msgh_remote_port);
-               ipc_print_type_name(MACH_MSGH_BITS_REMOTE(msgh->msgh_bits));
-               printf(")");
-       } else {
-               iprintf("remote=null");
-       }
+       trailer->msgh_seqno = seqno;
+       trailer->msgh_context = context;
+       trailer->msgh_trailer_size = REQUESTED_TRAILER_SIZE(thread_is_64bit_addr(thread), option);
 
 
-       if (msgh->msgh_local_port) {
-               printf("%slocal=0x%x(", needs_comma ? "," : "",
-                      msgh->msgh_local_port);
-               ipc_print_type_name(MACH_MSGH_BITS_LOCAL(msgh->msgh_bits));
-               printf(")\n");
-       } else {
-               printf("local=null\n");
+       if (minimal_trailer) {
+               goto done;
        }
 
        }
 
-       iprintf("msgh_id=%d, size=%d\n",
-               msgh->msgh_id,
-               msgh->msgh_size);
-
-       if (mbits & MACH_MSGH_BITS_COMPLEX) {   
-               ipc_msg_print_untyped((mach_msg_body_t *) (msgh + 1));
+       if (GET_RCV_ELEMENTS(option) >= MACH_RCV_TRAILER_AV) {
+               trailer->msgh_ad = kmsg->ikm_filter_policy_id;
        }
        }
-}
 
 
+       /*
+        * The ipc_kmsg_t holds a reference to the label of a label
+        * handle, not the port. We must get a reference to the port
+        * and a send right to copyout to the receiver.
+        */
 
 
-char *
-mm_copy_options_string(
-       mach_msg_copy_options_t option)
-{
-       char    *name;
-
-       switch (option) {
-           case MACH_MSG_PHYSICAL_COPY:
-               name = "PHYSICAL";
-               break;
-           case MACH_MSG_VIRTUAL_COPY:
-               name = "VIRTUAL";
-               break;
-           case MACH_MSG_OVERWRITE:
-               name = "OVERWRITE";
-               break;
-           case MACH_MSG_ALLOCATE:
-               name = "ALLOCATE";
-               break;
-           case MACH_MSG_KALLOC_COPY_T:
-               name = "KALLOC_COPY_T";
-               break;
-           default:
-               name = "unknown";
-               break;
+       if (option & MACH_RCV_TRAILER_ELEMENTS(MACH_RCV_TRAILER_LABELS)) {
+               trailer->msgh_labels.sender = 0;
        }
        }
-       return name;
+
+done:
+#ifdef __arm64__
+       ipc_kmsg_munge_trailer(trailer, real_trailer_out, thread_is_64bit_addr(thread));
+#endif /* __arm64__ */
+       return;
 }
 
 }
 
-void
-ipc_msg_print_untyped(
-       mach_msg_body_t         *body)
+mach_msg_header_t *
+ipc_kmsg_msg_header(ipc_kmsg_t kmsg)
 {
 {
-    mach_msg_descriptor_t      *saddr, *send;
-    mach_msg_descriptor_type_t type;
-
-    iprintf("%d descriptors %d: \n", body->msgh_descriptor_count);
-
-    saddr = (mach_msg_descriptor_t *) (body + 1);
-    send = saddr + body->msgh_descriptor_count;
-
-    for ( ; saddr < send; saddr++ ) {
-       
-       type = saddr->type.type;
-
-       switch (type) {
-           
-           case MACH_MSG_PORT_DESCRIPTOR: {
-               mach_msg_port_descriptor_t *dsc;
-
-               dsc = &saddr->port;
-               iprintf("-- PORT name = 0x%x disp = ", dsc->name);
-               ipc_print_type_name(dsc->disposition);
-               printf("\n");
-               break;
-           }
-           case MACH_MSG_OOL_VOLATILE_DESCRIPTOR:
-           case MACH_MSG_OOL_DESCRIPTOR: {
-               mach_msg_ool_descriptor_t *dsc;
-               
-               dsc = &saddr->out_of_line;
-               iprintf("-- OOL%s addr = 0x%x size = 0x%x copy = %s %s\n",
-                       type == MACH_MSG_OOL_DESCRIPTOR ? "" : " VOLATILE",
-                       dsc->address, dsc->size,
-                       mm_copy_options_string(dsc->copy),
-                       dsc->deallocate ? "DEALLOC" : "");
-               break;
-           } 
-           case MACH_MSG_OOL_PORTS_DESCRIPTOR : {
-               mach_msg_ool_ports_descriptor_t *dsc;
-
-               dsc = &saddr->ool_ports;
-
-               iprintf("-- OOL_PORTS addr = 0x%x count = 0x%x ",
-                         dsc->address, dsc->count);
-               printf("disp = ");
-               ipc_print_type_name(dsc->disposition);
-               printf(" copy = %s %s\n",
-                      mm_copy_options_string(dsc->copy),
-                      dsc->deallocate ? "DEALLOC" : "");
-               break;
-           }
-
-           default: {
-               iprintf("-- UNKNOWN DESCRIPTOR 0x%x\n", type);
-               break;
-           }
+       if (NULL == kmsg) {
+               return NULL;
        }
        }
-    }
+       return kmsg->ikm_header;
 }
 }
-#endif /* MACH_KDB */
mirror of XNU