Is there some reason for this in sys_ioctl():

        else if (com&IOC_VOID)
                *(caddr_t *)data = SCARG(uap, data);

according to ioccom.h, _IO() ioctl's take no parameter and
they alone use IOC_VOID , yet we're doing something with one here.
Wouldn't it make more sense to just have "data = NULL" here ?  At
least we'd catch cases where people are actually using 'data' in
IOC_VOID functions...(not that I'm saying any such exists!)

It would almost seem that IOC_VOID has been setup to allow
the passing of pointers to structs into the kernel ?

Darren