syscall: handle: add stub implementation of kern_handle_control

arch/x86_64/include/arch/paging.h

@@ -1,8 +1,8 @@
 #ifndef ARCH_PAGING_H_
 #define ARCH_PAGING_H_
 
-#include <kernel/types.h>
 #include <kernel/compiler.h>
+#include <kernel/types.h>
 
 #ifdef __cplusplus
 extern "C" {
@@ -55,6 +55,7 @@ enum page_size {
    defined in pmap_ctrl.S */
 extern int gigabyte_pages(void);
 extern int enable_nx(void);
+extern int enable_wp(void);
 
 #ifdef __cplusplus
 }

arch/x86_64/include/kernel/machine/thread.h

@@ -31,6 +31,12 @@ extern kern_status_t ml_thread_prepare_user_context(
 	virt_addr_t *kernel_sp,
 	const uintptr_t *args,
 	size_t nr_args);
+/* prepare the stack so that ml_thread_switch_user can jump to usermode
+ * with the specified register context */
+extern kern_status_t ml_thread_clone_user_context(
+	const struct ml_cpu_context *ctx,
+	uintptr_t return_value,
+	virt_addr_t *kernel_sp);
 
 extern kern_status_t ml_thread_config_get(
 	struct thread *thread,

arch/x86_64/irq.c

@@ -8,6 +8,7 @@
 #include <kernel/panic.h>
 #include <kernel/sched.h>
 #include <kernel/syscall.h>
+#include <kernel/thread.h>
 #include <stddef.h>
 
 #define MAX_ISR_HANDLERS  16
@@ -166,6 +167,12 @@ int idt_load(struct idt_ptr *ptr)
 
 void isr_dispatch(struct ml_cpu_context *regs)
 {
+	struct thread *thr = get_current_thread();
+	if (thr) {
+		thr->tr_irqctx = regs;
+		put_current_thread(thr);
+	}
+
 	int_hook h = isr_handlers[regs->int_no];
 	if (h) {
 		h(regs);
@@ -188,6 +195,13 @@ void irq_dispatch(struct ml_cpu_context *regs)
 	end_charge_period();
 
 	irq_ack(regs->int_no);
+
+	struct thread *thr = get_current_thread();
+	if (thr) {
+		thr->tr_irqctx = regs;
+		put_current_thread(thr);
+	}
+
 	struct queue *hooks = &irq_hooks[regs->int_no - IRQ0];
 	queue_foreach(struct irq_hook, hook, hooks, irq_entry)
 	{

arch/x86_64/panic.c

@@ -217,16 +217,18 @@ static void print_stack_trace(
 
 void ml_print_stack_trace(uintptr_t ip)
 {
-	struct task *task = current_task();
+	struct task *task = get_current_task();
 	struct address_space *space = task ? task->t_address_space : NULL;
 	uintptr_t bp;
 	asm volatile("mov %%rbp, %0" : "=r"(bp));
 	print_stack_trace(space, ip, bp);
+	put_current_task(task);
 }
 
 void ml_print_stack_trace_irq(struct ml_cpu_context *ctx)
 {
-	struct task *task = current_task();
+	struct task *task = get_current_task();
 	struct address_space *space = task ? task->t_address_space : NULL;
 	print_stack_trace(space, ctx->rip, ctx->rbp);
+	put_current_task(task);
 }

arch/x86_64/pmap.c

@@ -19,7 +19,7 @@
 #define PTR_TO_ENTRY(x) (((x) & ~VM_PAGE_MASK) | PTE_PRESENT | PTE_RW | PTE_USR)
 #define ENTRY_TO_PTR(x) ((x) & ~VM_PAGE_MASK)
 
-#define PFN(x)          ((x) >> VM_PAGE_SHIFT)
+#define PFN(x)          (((x) >> VM_PAGE_SHIFT) & 0xFFFFFFFFFF)
 
 static int can_use_gbpages = 0;
 static pmap_t kernel_pmap;
@@ -136,6 +136,81 @@ static void delete_pdir(phys_addr_t pd)
 	kfree(pdir);
 }
 
+kern_status_t pmap_get(
+	pmap_t pmap,
+	virt_addr_t pv,
+	pfn_t *out_pfn,
+	vm_prot_t *out_prot)
+{
+	unsigned int pml4t_index = BAD_INDEX, pdpt_index = BAD_INDEX,
+		     pd_index = BAD_INDEX, pt_index = BAD_INDEX;
+
+	pml4t_index = (pv >> 39) & 0x1FF;
+	pdpt_index = (pv >> 30) & 0x1FF;
+	pd_index = (pv >> 21) & 0x1FF;
+	pt_index = (pv >> 12) & 0x1FF;
+
+	/* 1. get PML4T (mandatory) */
+	struct pml4t *pml4t = vm_phys_to_virt(ENTRY_TO_PTR(pmap));
+	if (!pml4t) {
+		return KERN_INVALID_ARGUMENT;
+	}
+
+	/* 2. traverse PML4T, get PDPT (mandatory) */
+	struct pdpt *pdpt = NULL;
+	if (!pml4t->p_entries[pml4t_index]) {
+		return KERN_NO_ENTRY;
+	} else {
+		pdpt = vm_phys_to_virt(
+			ENTRY_TO_PTR(pml4t->p_entries[pml4t_index]));
+	}
+
+	/* 3. traverse PDPT, get PDIR (optional, 4K and 2M only) */
+	struct pdir *pdir = NULL;
+	if (!pdpt->p_entries[pdpt_index]
+	    || pdpt->p_pages[pdpt_index] & PTE_PAGESIZE) {
+		return KERN_NO_ENTRY;
+	} else {
+		pdir = vm_phys_to_virt(
+			ENTRY_TO_PTR(pdpt->p_entries[pdpt_index]));
+	}
+
+	/* 4. traverse PDIR, get PTAB (optional, 4K only) */
+	struct ptab *ptab = NULL;
+	if (!pdir->p_entries[pd_index]
+	    || pdir->p_pages[pd_index] & PTE_PAGESIZE) {
+		/* entry is null, or points to a hugepage */
+		return KERN_NO_ENTRY;
+	} else {
+		ptab = vm_phys_to_virt(ENTRY_TO_PTR(pdir->p_entries[pd_index]));
+	}
+
+	uint64_t pte = ptab->p_pages[pt_index];
+	if (out_pfn) {
+		*out_pfn = PFN(pte);
+	}
+
+	if (out_prot) {
+		if (pte & PTE_PRESENT) {
+			*out_prot |= VM_PROT_USER;
+		}
+
+		if (pte & PTE_RW) {
+			*out_pfn |= (VM_PROT_READ | VM_PROT_WRITE);
+		}
+
+		if (pte & PTE_USR) {
+			*out_pfn |= VM_PROT_USER;
+		}
+
+		if (!(pte & PTE_NX)) {
+			*out_pfn |= VM_PROT_EXEC;
+		}
+	}
+
+	return KERN_OK;
+}
+
 static kern_status_t do_pmap_add(
 	pmap_t pmap,
 	virt_addr_t pv,
@@ -351,6 +426,8 @@ void pmap_bootstrap(void)
 	       can_use_gbpages == 1 ? "en" : "dis");
 	enable_nx();
 	printk("pmap: NX protection enabled");
+	enable_wp();
+	printk("pmap: kernel-mode write protection enabled");
 
 	enum page_size hugepage = PS_2M;
 	if (can_use_gbpages) {
@@ -494,11 +571,7 @@ kern_status_t pmap_handle_fault(
 {
 	// log_fault(fault_addr, flags);
 
-	if (flags & PMAP_FAULT_PRESENT) {
+	struct task *task = get_current_task();
-		return KERN_FATAL_ERROR;
-	}
-
-	struct task *task = current_task();
 	if (!task) {
 		return KERN_FATAL_ERROR;
 	}
@@ -509,7 +582,11 @@ kern_status_t pmap_handle_fault(
 	}
 
 	/* this must be called with `space` unlocked. */
-	return address_space_demand_map(space, fault_addr, flags);
+	kern_status_t status
+		= address_space_demand_map(space, fault_addr, flags);
+
+	put_current_task(task);
+	return status;
 }
 
 kern_status_t pmap_add(

arch/x86_64/pmap_ctrl.S

@@ -24,12 +24,13 @@ gigabyte_pages:
 1:	mov $0x1, %rax
 	jmp 3f
 
-2:	mov $0x0, %rax	
+2:	mov $0x0, %rax
 
 3:	pop %rbx
 	pop %rbp
 	ret
 
+
 	.global enable_nx
 	.type enable_nx, @function
 
@@ -40,3 +41,14 @@ enable_nx:
 	wrmsr
 
 	ret
+
+
+	.global enable_wp
+	.type enable_wp, @function
+
+enable_wp:
+	mov %cr0, %rax
+	or $0x10000, %rax
+	mov %rax, %cr0
+
+	ret

arch/x86_64/thread.c

@@ -80,6 +80,21 @@ extern kern_status_t ml_thread_prepare_user_context(
 	return KERN_OK;
 }
 
+kern_status_t ml_thread_clone_user_context(
+	const struct ml_cpu_context *src_ctx,
+	uintptr_t return_value,
+	virt_addr_t *kernel_sp)
+{
+	(*kernel_sp) -= sizeof(struct ml_cpu_context);
+
+	struct ml_cpu_context *ctx = (struct ml_cpu_context *)(*kernel_sp);
+	memcpy(ctx, src_ctx, sizeof *ctx);
+
+	ctx->rax = return_value;
+
+	return KERN_OK;
+}
+
 kern_status_t ml_thread_config_get(
 	struct thread *thread,
 	kern_config_key_t key,
@@ -95,25 +110,30 @@ kern_status_t ml_thread_config_set(
 	const void *ptr,
 	size_t len)
 {
+	struct thread *self = get_current_thread();
+	kern_status_t status = KERN_OK;
+
 	switch (key) {
 	case THREAD_CFG_FSBASE:
 		if (len != sizeof(thread->tr_ml.tr_fsbase)) {
-			return KERN_INVALID_ARGUMENT;
+			status = KERN_INVALID_ARGUMENT;
+			break;
 		}
 
 		thread->tr_ml.tr_fsbase = *(virt_addr_t *)ptr;
-		if (thread == current_thread()) {
+		if (thread == self) {
 			wrmsr(MSR_FS_BASE, thread->tr_ml.tr_fsbase);
 		}
 
 		break;
 	case THREAD_CFG_GSBASE:
 		if (len != sizeof(thread->tr_ml.tr_gsbase)) {
-			return KERN_INVALID_ARGUMENT;
+			status = KERN_INVALID_ARGUMENT;
+			break;
 		}
 
 		thread->tr_ml.tr_gsbase = *(virt_addr_t *)ptr;
-		if (thread == current_thread()) {
+		if (thread == self) {
 			/* we're in the kernel right now, so the user and kernel
 			 * gs-base registers are swapped. when we return to
 			 * usermode, this value will be swapped back into
@@ -123,8 +143,10 @@ kern_status_t ml_thread_config_set(
 
 		break;
 	default:
-		return KERN_INVALID_ARGUMENT;
+		status = KERN_INVALID_ARGUMENT;
+		break;
 	}
 
-	return KERN_OK;
+	put_current_thread(self);
+	return status;
 }

include/kernel/address-space.h

@@ -105,6 +105,12 @@ extern kern_status_t address_space_release(
 	virt_addr_t base,
 	size_t length);
 
+/* duplicate all of the mappings in `src` within `dest. the duplication will use
+ * copy-on-write; page data will not be copied until it is written to. */
+extern kern_status_t address_space_duplicate(
+	struct address_space *dest,
+	struct address_space *src);
+
 extern bool address_space_validate_access(
 	struct address_space *region,
 	virt_addr_t base,

include/kernel/atomic.h

@@ -4,7 +4,7 @@
 #include <stdbool.h>
 #include <stdint.h>
 
-typedef int64_t atomic_t;
+typedef int32_t atomic_t;
 
 /* load and return the value pointed to by `v` */
 static inline atomic_t atomic_load(atomic_t *v)

include/kernel/pmap.h

@@ -9,7 +9,6 @@
 #include <stddef.h>
 
 #define PMAP_INVALID ML_PMAP_INVALID
-#define PFN(x)       ((x) >> VM_PAGE_SHIFT)
 
 #ifdef __cplusplus
 extern "C" {
@@ -57,6 +56,11 @@ extern kern_status_t pmap_handle_fault(
 	virt_addr_t fault_addr,
 	enum pmap_fault_flags flags);
 
+extern kern_status_t pmap_get(
+	pmap_t pmap,
+	virt_addr_t p,
+	pfn_t *out_pfn,
+	vm_prot_t *out_prot);
 extern kern_status_t pmap_add(
 	pmap_t pmap,
 	virt_addr_t p,

include/kernel/sched.h

@@ -76,8 +76,10 @@ extern struct runqueue *cpu_rq(unsigned int cpu);
 extern cycles_t default_quantum(void);
 
 extern bool need_resched(void);
-extern struct task *current_task(void);
+extern struct task *get_current_task(void);
-extern struct thread *current_thread(void);
+extern struct thread *get_current_thread(void);
+extern void put_current_task(struct task *task);
+extern void put_current_thread(struct thread *thread);
 
 extern struct runqueue *select_rq_for_thread(struct thread *thr);
 extern void schedule_thread_on_cpu(struct thread *thr);

include/kernel/syscall.h

@@ -66,6 +66,9 @@ extern kern_status_t sys_task_config_set(
 	kern_config_key_t key,
 	const void *ptr,
 	size_t len);
+extern kern_status_t sys_task_duplicate(
+	kern_handle_t *out_task,
+	kern_handle_t *out_address_space);
 
 extern kern_status_t sys_thread_self(kern_handle_t *out);
 extern kern_status_t sys_thread_start(kern_handle_t thread);
@@ -150,6 +153,12 @@ extern kern_status_t sys_kern_handle_transfer(
 	kern_handle_t dest_handle,
 	unsigned int mode,
 	kern_handle_t *out_handle);
+extern kern_status_t sys_kern_handle_control(
+	kern_handle_t task,
+	kern_handle_t handle,
+	uint32_t set_mask,
+	uint32_t clear_mask,
+	uint32_t *out_flags);
 extern kern_status_t sys_kern_config_get(
 	kern_config_key_t key,
 	void *ptr,

include/kernel/thread.h

@@ -8,6 +8,8 @@
 
 #define THREAD_KSTACK_ORDER VM_PAGE_4K
 
+struct ml_cpu_context;
+
 enum thread_state {
 	THREAD_READY = 1,
 	THREAD_SLEEPING = 2,
@@ -39,6 +41,9 @@ struct thread {
 	virt_addr_t tr_ip, tr_sp, tr_bp;
 	virt_addr_t tr_cpu_user_sp, tr_cpu_kernel_sp;
 
+	/* only valid within an interrupt or syscall context */
+	struct ml_cpu_context *tr_irqctx;
+
 	struct ml_thread tr_ml;
 	struct runqueue *tr_rq;
 
@@ -57,6 +62,10 @@ extern kern_status_t thread_init_user(
 	virt_addr_t sp,
 	const uintptr_t *args,
 	size_t nr_args);
+extern kern_status_t thread_init_user_clone(
+	struct thread *thr,
+	const struct thread *src,
+	uintptr_t return_value);
 extern int thread_priority(struct thread *thr);
 extern void thread_awaken(struct thread *thr);
 extern void thread_exit(void);

include/kernel/vm-object.h

@@ -84,11 +84,18 @@ extern struct vm_object *vm_object_create_in_place(
 	size_t data_len,
 	vm_prot_t prot);
 
+/* create a copy-on-write duplicate of a vm-object */
+extern struct vm_object *vm_object_duplicate_cow(struct vm_object *vmo);
+
 extern struct vm_page *vm_object_get_page(
 	struct vm_object *vo,
 	off_t offset,
 	enum vm_object_flags flags,
 	unsigned long *irq_flags);
+extern kern_status_t vm_object_put_page(
+	struct vm_object *vo,
+	off_t offset,
+	struct vm_page *pg);
 
 extern kern_status_t vm_object_read(
 	struct vm_object *vo,

include/kernel/vm.h

@@ -1,6 +1,7 @@
 #ifndef KERNEL_VM_H_
 #define KERNEL_VM_H_
 
+#include <kernel/atomic.h>
 #include <kernel/bitmap.h>
 #include <kernel/btree.h>
 #include <kernel/locks.h>
@@ -221,6 +222,9 @@ struct vm_page {
 	};
 
 	union {
+		/* how many vm_areas reference this vm_page. if >0, the page is
+		 * subject to copy-on-write. */
+		atomic_t p_cow_ref;
 		uint32_t p_priv2;
 	};
 

init/main.c

@@ -44,8 +44,8 @@ static void hang(void)
 
 void background_thread(void)
 {
-	struct task *self = current_task();
+	struct task *self = get_current_task();
-	struct thread *thread = current_thread();
+	struct thread *thread = get_current_thread();
 	printk("background_thread() running on processor %u", this_cpu());
 	milli_sleep(1000);
 

kernel/channel.c

@@ -139,7 +139,6 @@ extern kern_status_t channel_recv_msg(
 	kern_msg_t *out_msg,
 	unsigned long *irq_flags)
 {
-	struct thread *self = current_thread();
 	struct msg *msg = NULL;
 	unsigned long msg_lock_flags;
 
@@ -170,7 +169,7 @@ extern kern_status_t channel_recv_msg(
 	}
 
 	struct task *sender = msg->msg_sender_thread->tr_parent;
-	struct task *receiver = self->tr_parent;
+	struct task *receiver = get_current_task();
 
 	struct address_space *src = sender->t_address_space,
 			     *dst = receiver->t_address_space;
@@ -192,6 +191,7 @@ extern kern_status_t channel_recv_msg(
 
 	if (status != KERN_OK) {
 		kmsg_reply_error(msg, status, &msg_lock_flags);
+		put_current_task(receiver);
 		return status;
 	}
 
@@ -216,6 +216,7 @@ extern kern_status_t channel_recv_msg(
 		&receiver->t_handles_lock,
 		f);
 	address_space_unlock_pair_irqrestore(src, dst, f);
+	put_current_task(receiver);
 
 	if (status != KERN_OK) {
 		kmsg_reply_error(msg, status, &msg_lock_flags);
@@ -250,11 +251,10 @@ extern kern_status_t channel_reply_msg(
 		return KERN_INVALID_ARGUMENT;
 	}
 
-	struct thread *self = current_thread();
 	/* the task that is about to receive the response */
 	struct task *receiver = msg->msg_sender_thread->tr_parent;
 	/* the task that is about to send the response */
-	struct task *sender = self->tr_parent;
+	struct task *sender = get_current_task();
 
 	struct address_space *src = sender->t_address_space,
 			     *dst = receiver->t_address_space;
@@ -275,6 +275,7 @@ extern kern_status_t channel_reply_msg(
 
 	if (status != KERN_OK) {
 		kmsg_reply_error(msg, status, &msg_lock_flags);
+		put_current_task(sender);
 		return status;
 	}
 
@@ -299,6 +300,7 @@ extern kern_status_t channel_reply_msg(
 		&receiver->t_handles_lock,
 		f);
 	address_space_unlock_pair_irqrestore(src, dst, f);
+	put_current_task(sender);
 
 	if (status != KERN_OK) {
 		kmsg_reply_error(msg, status, &msg_lock_flags);

kernel/futex.c

@@ -32,8 +32,10 @@ static kern_status_t get_data(
 {
 	spin_lock_t *lock = NULL;
 	struct btree *futex_list = NULL;
+	struct task *self = NULL;
+
 	if (flags & FUTEX_PRIVATE) {
-		struct task *self = current_task();
+		self = get_current_task();
 		lock = &self->t_base.ob_lock;
 		futex_list = &self->t_futex;
 	} else if (flags & FUTEX_SHARED) {
@@ -48,12 +50,20 @@ static kern_status_t get_data(
 
 	if (!futex && !(flags & FUTEX_CREATE)) {
 		spin_unlock_irqrestore(lock, *irq_flags);
+		if (self) {
+			put_current_task(self);
+		}
+
 		return KERN_NO_ENTRY;
 	}
 
 	futex = vm_cache_alloc(&futex_cache, VM_NORMAL);
 	if (!futex) {
 		spin_unlock_irqrestore(lock, *irq_flags);
+		if (self) {
+			put_current_task(self);
+		}
+
 		return KERN_NO_MEMORY;
 	}
 
@@ -61,6 +71,10 @@ static kern_status_t get_data(
 
 	put_futex(futex_list, futex);
 
+	if (self) {
+		put_current_task(self);
+	}
+
 	*out = futex;
 	*out_lock = lock;
 	return KERN_OK;
@@ -68,9 +82,10 @@ static kern_status_t get_data(
 
 static kern_status_t cleanup_data(struct futex *futex, unsigned int flags)
 {
+	struct task *self = NULL;
 	struct btree *futex_list = NULL;
 	if (flags & FUTEX_PRIVATE) {
-		struct task *self = current_task();
+		self = get_current_task();
 		futex_list = &self->t_futex;
 	} else if (flags & FUTEX_SHARED) {
 		futex_list = &shared_futex_list;
@@ -81,12 +96,16 @@ static kern_status_t cleanup_data(struct futex *futex, unsigned int flags)
 	btree_delete(futex_list, &futex->f_node);
 	vm_cache_free(&futex_cache, futex);
 
+	if (self) {
+		put_current_task(self);
+	}
+
 	return KERN_OK;
 }
 
 static kern_status_t futex_get_shared(kern_futex_t *futex, futex_key_t *out)
 {
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 	struct address_space *space = self->t_address_space;
 
 	unsigned long flags;
@@ -97,6 +116,7 @@ static kern_status_t futex_get_shared(kern_futex_t *futex, futex_key_t *out)
 		out,
 		&flags);
 	address_space_unlock_irqrestore(space, flags);
+	put_current_task(self);
 	return status;
 }
 

kernel/object.c

@@ -175,7 +175,7 @@ void object_wait_signal(
 	uint32_t signals,
 	unsigned long *irq_flags)
 {
-	struct thread *self = current_thread();
+	struct thread *self = get_current_thread();
 	struct wait_item waiter;
 	wait_item_init(&waiter, self);
 	for (;;) {
@@ -189,4 +189,5 @@ void object_wait_signal(
 		object_lock_irqsave(obj, irq_flags);
 	}
 	thread_wait_end(&waiter, &obj->ob_wq);
+	put_current_thread(self);
 }

kernel/panic.c

@@ -19,8 +19,8 @@ void panic_irq(struct ml_cpu_context *ctx, const char *fmt, ...)
 	printk("---[ kernel panic: %s", buf);
 	printk("kernel: " BUILD_ID ", compiler version: " __VERSION__);
 
-	struct task *task = current_task();
+	struct task *task = get_current_task();
-	struct thread *thr = current_thread();
+	struct thread *thr = get_current_thread();
 
 	if (task && thr) {
 		printk("task: %s (id: %d, thread: %d)",
@@ -31,6 +31,9 @@ void panic_irq(struct ml_cpu_context *ctx, const char *fmt, ...)
 		printk("task: [bootstrap]");
 	}
 
+	put_current_thread(thr);
+	put_current_task(task);
+
 	printk("cpu: %u", this_cpu());
 
 	ml_print_cpu_state(ctx);

kernel/port.c

@@ -37,7 +37,7 @@ struct port *port_cast(struct object *obj)
 static void wait_for_reply(struct msg *msg, unsigned long *lock_flags)
 {
 	struct wait_item waiter;
-	struct thread *self = current_thread();
+	struct thread *self = get_current_thread();
 
 	wait_item_init(&waiter, self);
 	for (;;) {
@@ -52,6 +52,7 @@ static void wait_for_reply(struct msg *msg, unsigned long *lock_flags)
 	}
 
 	self->tr_state = THREAD_READY;
+	put_current_thread(self);
 }
 
 struct port *port_create(void)
@@ -83,9 +84,12 @@ kern_status_t port_connect(struct port *port, struct channel *remote)
 	msg->msg_status = KMSG_ASYNC;
 	msg->msg_type = KERN_MSG_TYPE_EVENT;
 	msg->msg_event = KERN_MSG_EVENT_CONNECTION;
-	msg->msg_sender_thread_id = current_thread()->tr_id;
 	msg->msg_sender_port_id = port->p_base.ob_id;
 
+	struct thread *self = get_current_thread();
+	msg->msg_sender_thread_id = self->tr_id;
+	put_current_thread(self);
+
 	unsigned long flags;
 	channel_lock_irqsave(remote, &flags);
 	channel_enqueue_msg(remote, msg);
@@ -112,9 +116,12 @@ kern_status_t port_disconnect(struct port *port)
 	msg->msg_status = KMSG_ASYNC;
 	msg->msg_type = KERN_MSG_TYPE_EVENT;
 	msg->msg_event = KERN_MSG_EVENT_DISCONNECTION;
-	msg->msg_sender_thread_id = current_thread()->tr_id;
 	msg->msg_sender_port_id = port->p_base.ob_id;
 
+	struct thread *self = get_current_thread();
+	msg->msg_sender_thread_id = self->tr_id;
+	put_current_thread(self);
+
 	unsigned long flags;
 	channel_lock_irqsave(port->p_remote, &flags);
 	channel_enqueue_msg(port->p_remote, msg);
@@ -136,7 +143,7 @@ kern_status_t port_send_msg(
 		return KERN_BAD_STATE;
 	}
 
-	struct thread *self = current_thread();
+	struct thread *self = get_current_thread();
 	struct msg msg;
 	memset(&msg, 0x0, sizeof msg);
 	msg.msg_type = KERN_MSG_TYPE_DATA;
@@ -156,6 +163,7 @@ kern_status_t port_send_msg(
 	channel_lock_irqsave(port->p_remote, &flags);
 	btree_delete(&port->p_remote->c_msg, &msg.msg_node);
 	channel_unlock_irqrestore(port->p_remote, flags);
+	put_current_thread(self);
 
 	return msg.msg_result;
 }

libmango/arch/x86_64/syscall.S

@@ -58,6 +58,7 @@
 SYSCALL_GATE task_exit SYS_TASK_EXIT 1
 SYSCALL_GATE task_self SYS_TASK_SELF 1
 SYSCALL_GATE task_create SYS_TASK_CREATE 5
+SYSCALL_GATE task_duplicate SYS_TASK_DUPLICATE 2
 SYSCALL_GATE task_create_thread SYS_TASK_CREATE_THREAD 6
 SYSCALL_GATE task_get_address_space SYS_TASK_GET_ADDRESS_SPACE 1
 SYSCALL_GATE task_config_get SYS_TASK_CONFIG_GET 4

libmango/include-user/mango/handle.h

@@ -12,5 +12,11 @@ extern kern_status_t kern_handle_transfer(
 	kern_handle_t dest_handle,
 	unsigned int mode,
 	kern_handle_t *out_handle);
+extern kern_status_t kern_handle_control(
+	kern_handle_t task,
+	kern_handle_t handle,
+	uint32_t set_mask,
+	uint32_t clear_mask,
+	uint32_t *out_flags);
 
 #endif

libmango/include-user/mango/task.h

@@ -33,6 +33,9 @@ extern kern_status_t task_config_set(
 	kern_config_key_t key,
 	const void *ptr,
 	size_t len);
+extern kern_status_t task_duplicate(
+	kern_handle_t *out_task,
+	kern_handle_t *out_address_space);
 
 extern kern_status_t thread_self(kern_handle_t *out);
 extern kern_status_t thread_start(kern_handle_t thread);

libmango/include/mango/syscall.h

@@ -50,5 +50,7 @@
 #define SYS_FUTEX_WAIT                  47
 #define SYS_FUTEX_WAKE                  48
 #define SYS_KERN_OBJECT_QUERY           49
+#define SYS_TASK_DUPLICATE              50
+#define SYS_KERN_HANDLE_CONTROL         51
 
 #endif

libmango/include/mango/types.h

@@ -28,6 +28,12 @@
 #define THREAD_CFG_FSBASE            0x20001u
 #define THREAD_CFG_GSBASE            0x20002u
 
+/* user-defined flags that can be set on handles */
+#define KERN_HANDLE_FLAG0            0x10000000UL
+#define KERN_HANDLE_FLAG1            0x20000000UL
+#define KERN_HANDLE_FLAG2            0x40000000UL
+#define KERN_HANDLE_FLAG3            0x80000000UL
+
 /* maximum number of handles that can be sent in a single message */
 #define KERN_MSG_MAX_HANDLES         64
 

sched/core.c

@@ -215,18 +215,19 @@ void schedule_thread_on_cpu(struct thread *thr)
 
 void start_charge_period(void)
 {
-	struct thread *self = current_thread();
+	struct thread *self = get_current_thread();
 	if (!self) {
 		return;
 	}
 
 	self->tr_charge_period_start = get_cycles();
+	put_current_thread(self);
 }
 
 void end_charge_period(void)
 {
 	preempt_disable();
-	struct thread *self = current_thread();
+	struct thread *self = get_current_thread();
 	if (!self) {
 		return;
 	}
@@ -244,6 +245,7 @@ void end_charge_period(void)
 	}
 
 	self->tr_charge_period_start = 0;
+	put_current_thread(self);
 
 	// printk("%llu cycles charged to %s/%u", charge,
 	// self->tr_parent->t_name, self->tr_parent->t_id);

sched/task.c

@@ -282,7 +282,7 @@ struct task *task_from_tid(tid_t id)
 
 void task_exit(int status)
 {
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 	unsigned long flags;
 	task_lock_irqsave(self, &flags);
 	struct task *parent = self->t_parent;
@@ -295,7 +295,7 @@ void task_exit(int status)
 		task_unlock(parent);
 	}
 
-	struct thread *cur_thread = current_thread();
+	struct thread *cur_thread = get_current_thread();
 
 	self->t_state = TASK_STOPPED;
 	cur_thread->tr_state = THREAD_STOPPED;
@@ -340,6 +340,9 @@ void task_exit(int status)
 	       self->t_base.ob_refcount);
 	spin_unlock_irqrestore(handles_lock, flags);
 
+	put_current_thread(cur_thread);
+	put_current_task(self);
+
 	while (1) {
 		schedule(SCHED_NORMAL);
 	}
@@ -410,8 +413,19 @@ struct thread *task_create_thread(struct task *parent)
 	return thread;
 }
 
-struct task *current_task(void)
+struct task *get_current_task(void)
 {
-	struct thread *thr = current_thread();
+	struct thread *thr = get_current_thread();
-	return thr ? thr->tr_parent : NULL;
+	if (!thr) {
+		return NULL;
+	}
+
+	struct task *out = task_ref(thr->tr_parent);
+	put_current_thread(thr);
+	return out;
+}
+
+void put_current_task(struct task *task)
+{
+	task_unref(task);
 }

sched/thread.c

@@ -101,11 +101,52 @@ kern_status_t thread_init_user(
 	return KERN_OK;
 }
 
+kern_status_t thread_init_user_clone(
+	struct thread *thr,
+	const struct thread *src,
+	uintptr_t return_value)
+{
+	thr->tr_state = THREAD_READY;
+	thr->tr_quantum_target = default_quantum();
+
+	thr->tr_kstack = vm_page_alloc(THREAD_KSTACK_ORDER, VM_NORMAL);
+	if (!thr->tr_kstack) {
+		return KERN_NO_MEMORY;
+	}
+
+	thr->tr_sp = (uintptr_t)vm_page_get_vaddr(thr->tr_kstack)
+	           + vm_page_order_to_bytes(THREAD_KSTACK_ORDER);
+	thr->tr_bp = thr->tr_sp;
+	thr->tr_cpu_kernel_sp = thr->tr_sp;
+
+	/* the new thread needs two contextx:
+	 *   1) to get the thread running in kernel mode, so that it can
+	 *   execute ml_thread_switch_user
+	 *   2) to allow ml_thread_switch_user to jump to the correct place
+	 *   in usermode (and with the correct stack).
+	 *
+	 * these two contexts are constructed on the thread's kernel stack
+	 * in reverse order.
+	 */
+
+	/* this context will be used by ml_user_return to jump to userspace
+	 * with the specified instruction pointer and user stack */
+	ml_thread_clone_user_context(src->tr_irqctx, return_value, &thr->tr_sp);
+	/* this context will be used by the scheduler and ml_thread_switch to
+	 * jump to ml_user_return in kernel mode with the thread's kernel stack.
+	 */
+	ml_thread_prepare_kernel_context(
+		(uintptr_t)ml_thread_switch_user,
+		&thr->tr_sp);
+
+	return KERN_OK;
+}
+
 void thread_free(struct thread *thr)
 {
 }
 
-struct thread *current_thread(void)
+struct thread *get_current_thread(void)
 {
 	struct cpu_data *cpu = get_this_cpu();
 	if (!cpu) {
@@ -113,13 +154,24 @@ struct thread *current_thread(void)
 	}
 
 	struct thread *out = cpu->c_rq.rq_cur;
+	object_ref(&out->tr_base);
+
 	put_cpu(cpu);
 	return out;
 }
 
+void put_current_thread(struct thread *thr)
+{
+	object_unref(&thr->tr_base);
+}
+
 bool need_resched(void)
 {
-	return (current_thread()->tr_flags & THREAD_F_NEED_RESCHED) != 0;
+	struct thread *thr = get_current_thread();
+	bool result = (thr->tr_flags & THREAD_F_NEED_RESCHED) != 0;
+	put_current_thread(thr);
+
+	return result;
 }
 
 int thread_priority(struct thread *thr)
@@ -143,7 +195,7 @@ void thread_awaken(struct thread *thr)
 
 void thread_exit(void)
 {
-	struct thread *self = current_thread();
+	struct thread *self = get_current_thread();
 	unsigned long flags;
 	thread_lock_irqsave(self, &flags);
 	self->tr_state = THREAD_STOPPED;
@@ -153,6 +205,7 @@ void thread_exit(void)
 	       self->tr_parent->t_id,
 	       self->tr_id);
 	thread_unlock_irqrestore(self, flags);
+	put_current_thread(self);
 
 	while (1) {
 		schedule(SCHED_NORMAL);

sched/timer.c

@@ -44,7 +44,7 @@ unsigned long schedule_timeout(unsigned long ticks)
 {
 	struct timer timer;
 
-	struct thread *self = current_thread();
+	struct thread *self = get_current_thread();
 
 	timer.t_entry = QUEUE_ENTRY_INIT;
 	timer.t_expiry = clock_ticks + ticks;
@@ -58,6 +58,7 @@ unsigned long schedule_timeout(unsigned long ticks)
 	schedule(SCHED_NORMAL);
 
 	remove_timer(&timer);
+	put_current_thread(self);
 
 	return 0;
 }

sched/wait.c

@@ -110,7 +110,7 @@ void wakeup_one(struct waitqueue *q)
 
 void sleep_forever(void)
 {
-	struct thread *thr = current_thread();
+	struct thread *thr = get_current_thread();
 	struct runqueue *rq = thr->tr_rq;
 
 	unsigned long flags;
@@ -121,7 +121,17 @@ void sleep_forever(void)
 
 	rq_unlock(rq, flags);
 
-	while (thr->tr_state == THREAD_SLEEPING) {
+	put_current_thread(thr);
+
+	while (1) {
+		thr = get_current_thread();
+		bool sleep = (thr->tr_state == THREAD_SLEEPING);
+		put_current_thread(thr);
+
+		if (!sleep) {
+			break;
+		}
+
 		schedule(SCHED_NORMAL);
 	}
 }

syscall/address-space.c

@@ -11,13 +11,15 @@ kern_status_t sys_address_space_read(
 	size_t count,
 	size_t *nr_read)
 {
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 
 	if (!validate_access_w(self, dst, count)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
 	if (nr_read && !validate_access_w(self, nr_read, sizeof *nr_read)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
@@ -30,12 +32,14 @@ kern_status_t sys_address_space_read(
 		= task_resolve_handle(self, region_handle, &obj, &handle_flags);
 	if (status != KERN_OK) {
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return status;
 	}
 
 	struct address_space *region = address_space_cast(obj);
 	if (!region) {
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return KERN_INVALID_ARGUMENT;
 	}
 
@@ -52,6 +56,7 @@ kern_status_t sys_address_space_read(
 	address_space_unlock_irqrestore(region, flags);
 
 	object_unref(obj);
+	put_current_task(self);
 
 	return status;
 }
@@ -63,14 +68,16 @@ kern_status_t sys_address_space_write(
 	size_t count,
 	size_t *nr_written)
 {
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 
 	if (!validate_access_r(self, src, count)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
 	if (nr_written
 	    && !validate_access_w(self, nr_written, sizeof *nr_written)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
@@ -83,12 +90,14 @@ kern_status_t sys_address_space_write(
 		= task_resolve_handle(self, region_handle, &obj, &handle_flags);
 	if (status != KERN_OK) {
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return status;
 	}
 
 	struct address_space *region = address_space_cast(obj);
 	if (!region) {
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return KERN_INVALID_ARGUMENT;
 	}
 
@@ -105,6 +114,7 @@ kern_status_t sys_address_space_write(
 	address_space_unlock_irqrestore(region, flags);
 
 	object_unref(obj);
+	put_current_task(self);
 
 	return status;
 }
@@ -118,13 +128,14 @@ kern_status_t sys_address_space_map(
 	vm_prot_t prot,
 	virt_addr_t *out_base_address)
 {
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 
 	if (out_base_address
 	    && !validate_access_r(
 		    self,
 		    out_base_address,
 		    sizeof *out_base_address)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
@@ -141,24 +152,28 @@ kern_status_t sys_address_space_map(
 		&region_flags);
 	if (status != KERN_OK) {
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return status;
 	}
 
 	status = task_resolve_handle(self, object_handle, &vmo_obj, &vmo_flags);
 	if (status != KERN_OK) {
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return status;
 	}
 
 	struct address_space *region = address_space_cast(region_obj);
 	if (!region) {
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return KERN_INVALID_ARGUMENT;
 	}
 
 	struct vm_object *vmo = vm_object_cast(vmo_obj);
 	if (!vmo) {
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return KERN_INVALID_ARGUMENT;
 	}
 
@@ -177,6 +192,7 @@ kern_status_t sys_address_space_map(
 
 	object_unref(vmo_obj);
 	object_unref(region_obj);
+	put_current_task(self);
 
 	return status;
 }
@@ -186,7 +202,7 @@ kern_status_t sys_address_space_unmap(
 	virt_addr_t base,
 	size_t length)
 {
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 
 	kern_status_t status = KERN_OK;
 	unsigned long flags;
@@ -201,12 +217,14 @@ kern_status_t sys_address_space_unmap(
 		&region_flags);
 	if (status != KERN_OK) {
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return status;
 	}
 
 	struct address_space *region = address_space_cast(region_obj);
 	if (!region) {
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return KERN_INVALID_ARGUMENT;
 	}
 
@@ -215,6 +233,7 @@ kern_status_t sys_address_space_unmap(
 	status = address_space_unmap(region, base, length);
 
 	object_unref(region_obj);
+	put_current_task(self);
 
 	return status;
 }
@@ -225,13 +244,14 @@ kern_status_t sys_address_space_reserve(
 	size_t length,
 	virt_addr_t *out_base_address)
 {
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 
 	if (out_base_address
 	    && !validate_access_r(
 		    self,
 		    out_base_address,
 		    sizeof *out_base_address)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
@@ -248,12 +268,14 @@ kern_status_t sys_address_space_reserve(
 		&region_flags);
 	if (status != KERN_OK) {
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return status;
 	}
 
 	struct address_space *region = address_space_cast(region_obj);
 	if (!region) {
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return KERN_INVALID_ARGUMENT;
 	}
 
@@ -268,6 +290,7 @@ kern_status_t sys_address_space_reserve(
 	address_space_unlock_irqrestore(region, flags);
 
 	object_unref(region_obj);
+	put_current_task(self);
 
 	return status;
 }
@@ -277,7 +300,7 @@ kern_status_t sys_address_space_release(
 	virt_addr_t base,
 	size_t length)
 {
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 
 	kern_status_t status = KERN_OK;
 	unsigned long flags;
@@ -292,12 +315,14 @@ kern_status_t sys_address_space_release(
 		&region_flags);
 	if (status != KERN_OK) {
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return status;
 	}
 
 	struct address_space *region = address_space_cast(region_obj);
 	if (!region) {
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return KERN_INVALID_ARGUMENT;
 	}
 
@@ -308,6 +333,7 @@ kern_status_t sys_address_space_release(
 	address_space_unlock_irqrestore(region, flags);
 
 	object_unref(region_obj);
+	put_current_task(self);
 
 	return status;
 }

syscall/config.c

@@ -3,21 +3,26 @@
 
 kern_status_t sys_kern_config_get(kern_config_key_t key, void *ptr, size_t len)
 {
-	struct task *self = current_task();
+	struct task *self = get_current_task();
+	kern_status_t status = KERN_OK;
 
 	switch (key) {
 	case KERN_CFG_PAGE_SIZE:
 		if (!validate_access_w(self, ptr, sizeof(uintptr_t))) {
-			return KERN_MEMORY_FAULT;
+			status = KERN_MEMORY_FAULT;
+			break;
 		}
 
 		*(uint32_t *)ptr = VM_PAGE_SIZE;
-		return KERN_OK;
+		status = KERN_OK;
+		break;
 	default:
-		return KERN_INVALID_ARGUMENT;
+		status = KERN_INVALID_ARGUMENT;
+		break;
 	}
 
-	return KERN_UNSUPPORTED;
+	put_current_task(self);
+	return status;
 }
 
 kern_status_t sys_kern_config_set(

syscall/dispatch.c

@@ -10,6 +10,7 @@ static const virt_addr_t syscall_table[] = {
 	SYSCALL_TABLE_ENTRY(TASK_CREATE, task_create),
 	SYSCALL_TABLE_ENTRY(TASK_CREATE_THREAD, task_create_thread),
 	SYSCALL_TABLE_ENTRY(TASK_GET_ADDRESS_SPACE, task_get_address_space),
+	SYSCALL_TABLE_ENTRY(TASK_DUPLICATE, task_duplicate),
 	SYSCALL_TABLE_ENTRY(THREAD_SELF, thread_self),
 	SYSCALL_TABLE_ENTRY(THREAD_START, thread_start),
 	SYSCALL_TABLE_ENTRY(THREAD_EXIT, thread_exit),
@@ -28,6 +29,7 @@ static const virt_addr_t syscall_table[] = {
 	SYSCALL_TABLE_ENTRY(KERN_LOG, kern_log),
 	SYSCALL_TABLE_ENTRY(KERN_HANDLE_CLOSE, kern_handle_close),
 	SYSCALL_TABLE_ENTRY(KERN_HANDLE_TRANSFER, kern_handle_transfer),
+	SYSCALL_TABLE_ENTRY(KERN_HANDLE_CONTROL, kern_handle_control),
 	SYSCALL_TABLE_ENTRY(KERN_CONFIG_GET, kern_config_get),
 	SYSCALL_TABLE_ENTRY(KERN_CONFIG_SET, kern_config_set),
 	SYSCALL_TABLE_ENTRY(CHANNEL_CREATE, channel_create),

syscall/futex.c

@@ -8,18 +8,22 @@ kern_status_t sys_futex_wait(
 	kern_futex_t new_val,
 	unsigned int flags)
 {
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 	if (!validate_access_r(self, futex, sizeof *futex)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
 	futex_key_t key;
 	kern_status_t status = futex_get(futex, &key, flags);
 	if (status != KERN_OK) {
+		put_current_task(self);
 		return status;
 	}
 
-	return futex_wait(key, new_val, flags);
+	status = futex_wait(key, new_val, flags);
+	put_current_task(self);
+	return status;
 }
 
 kern_status_t sys_futex_wake(

syscall/handle.c

@@ -3,9 +3,13 @@
 
 kern_status_t sys_kern_handle_close(kern_handle_t handle)
 {
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 
-	return task_close_handle(self, handle);
+	kern_status_t status = task_close_handle(self, handle);
+
+	put_current_task(self);
+
+	return status;
 }
 
 kern_status_t sys_kern_handle_transfer(
@@ -24,10 +28,11 @@ kern_status_t sys_kern_handle_transfer(
 		return KERN_INVALID_ARGUMENT;
 	}
 
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 
 	if (out_handle
 	    && !validate_access_w(self, out_handle, sizeof *out_handle)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
@@ -120,6 +125,8 @@ kern_status_t sys_kern_handle_transfer(
 		*out_handle = dest_handle;
 	}
 
+	put_current_task(self);
+
 	return KERN_OK;
 
 cleanup:
@@ -135,5 +142,17 @@ cleanup:
 		object_unref(src_object);
 	}
 
+	put_current_task(self);
+
 	return status;
 }
+
+kern_status_t sys_kern_handle_control(
+	kern_handle_t task,
+	kern_handle_t handle,
+	uint32_t set_mask,
+	uint32_t clear_mask,
+	uint32_t *out_flags)
+{
+	return KERN_UNIMPLEMENTED;
+}

syscall/log.c

@@ -6,9 +6,11 @@
 kern_status_t sys_kern_log(const char *s)
 {
 #ifdef TRACE
-	struct task *task = current_task();
+	struct task *task = get_current_task();
-	struct thread *thread = current_thread();
+	struct thread *thread = get_current_thread();
 	printk("%s[%d.%d]: %s", task->t_name, task->t_id, thread->tr_id, s);
+	put_current_thread(thread);
+	put_current_task(task);
 #else
 	printk("%s", s);
 #endif

syscall/msg.c

@@ -7,13 +7,15 @@
 
 kern_status_t sys_channel_create(unsigned int id, kern_handle_t *out)
 {
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 	if (!validate_access_w(self, out, sizeof *out)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
 	struct channel *channel = channel_create();
 	if (!channel) {
+		put_current_task(self);
 		return KERN_NO_MEMORY;
 	}
 
@@ -22,6 +24,7 @@ kern_status_t sys_channel_create(unsigned int id, kern_handle_t *out)
 
 	if (task_get_channel(self, id)) {
 		task_unlock_irqrestore(self, irq_flags);
+		put_current_task(self);
 		return KERN_NAME_EXISTS;
 	}
 
@@ -31,11 +34,13 @@ kern_status_t sys_channel_create(unsigned int id, kern_handle_t *out)
 	if (status != KERN_OK) {
 		task_unlock_irqrestore(self, irq_flags);
 		object_unref(&channel->c_base);
+		put_current_task(self);
 		return status;
 	}
 
 	task_add_channel(self, channel, id);
 	task_unlock_irqrestore(self, irq_flags);
+	put_current_task(self);
 
 	*out = handle;
 	return KERN_OK;
@@ -43,13 +48,15 @@ kern_status_t sys_channel_create(unsigned int id, kern_handle_t *out)
 
 kern_status_t sys_port_create(kern_handle_t *out)
 {
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 	if (!validate_access_w(self, out, sizeof *out)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
 	struct port *port = port_create();
 	if (!port) {
+		put_current_task(self);
 		return KERN_NO_MEMORY;
 	}
 
@@ -61,6 +68,7 @@ kern_status_t sys_port_create(kern_handle_t *out)
 		= task_open_handle(self, &port->p_base, 0, &handle);
 	task_unlock_irqrestore(self, irq_flags);
 	object_unref(&port->p_base);
+	put_current_task(self);
 
 	if (status != KERN_OK) {
 		return status;
@@ -77,7 +85,7 @@ kern_status_t sys_port_connect(
 {
 	unsigned long flags;
 
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 	task_lock_irqsave(self, &flags);
 
 	struct object *port_obj = NULL;
@@ -88,6 +96,7 @@ kern_status_t sys_port_connect(
 		&port_obj,
 		&port_handle_flags);
 	if (status != KERN_OK) {
+		put_current_task(self);
 		return status;
 	}
 
@@ -96,6 +105,7 @@ kern_status_t sys_port_connect(
 
 	struct task *remote_task = task_from_tid(task_id);
 	if (!remote_task) {
+		put_current_task(self);
 		return KERN_NO_ENTRY;
 	}
 
@@ -104,6 +114,7 @@ kern_status_t sys_port_connect(
 	struct channel *remote = task_get_channel(remote_task, channel_id);
 	if (!remote) {
 		task_unlock_irqrestore(remote_task, flags);
+		put_current_task(self);
 		return KERN_NO_ENTRY;
 	}
 
@@ -115,6 +126,7 @@ kern_status_t sys_port_connect(
 	port_unlock_irqrestore(port, flags);
 	object_unref(&remote->c_base);
 	object_unref(port_obj);
+	put_current_task(self);
 
 	return KERN_OK;
 }
@@ -123,7 +135,7 @@ kern_status_t sys_port_disconnect(kern_handle_t port_handle)
 {
 	unsigned long flags;
 
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 	task_lock_irqsave(self, &flags);
 
 	struct object *port_obj = NULL;
@@ -134,6 +146,7 @@ kern_status_t sys_port_disconnect(kern_handle_t port_handle)
 		&port_obj,
 		&port_handle_flags);
 	if (status != KERN_OK) {
+		put_current_task(self);
 		return status;
 	}
 
@@ -142,6 +155,7 @@ kern_status_t sys_port_disconnect(kern_handle_t port_handle)
 	struct port *port = port_cast(port_obj);
 	if (!port) {
 		object_unref(port_obj);
+		put_current_task(self);
 		return KERN_INVALID_ARGUMENT;
 	}
 
@@ -149,6 +163,7 @@ kern_status_t sys_port_disconnect(kern_handle_t port_handle)
 	port_lock_irqsave(port, &flags);
 	status = port_disconnect(port);
 	port_unlock_irqrestore(port, flags);
+	put_current_task(self);
 
 	return status;
 }
@@ -219,13 +234,15 @@ kern_status_t sys_msg_send(
 	const kern_msg_t *msg,
 	kern_msg_t *out_reply)
 {
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 
 	if (!validate_msg(self, msg, false)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
 	if (!validate_msg(self, out_reply, true)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
@@ -243,12 +260,14 @@ kern_status_t sys_msg_send(
 	task_unlock_irqrestore(self, flags);
 
 	if (status != KERN_OK) {
+		put_current_task(self);
 		return status;
 	}
 
 	struct port *port = port_cast(port_obj);
 	if (!port) {
 		object_unref(port_obj);
+		put_current_task(self);
 		return KERN_INVALID_ARGUMENT;
 	}
 
@@ -256,15 +275,17 @@ kern_status_t sys_msg_send(
 	status = port_send_msg(port, msg, out_reply, &flags);
 	port_unlock_irqrestore(port, flags);
 	object_unref(port_obj);
+	put_current_task(self);
 
 	return status;
 }
 
 kern_status_t sys_msg_recv(kern_handle_t channel_handle, kern_msg_t *out_msg)
 {
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 
 	if (!validate_msg(self, out_msg, true)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
@@ -280,6 +301,7 @@ kern_status_t sys_msg_recv(kern_handle_t channel_handle, kern_msg_t *out_msg)
 		&channel_obj,
 		&channel_handle_flags);
 	if (status != KERN_OK) {
+		put_current_task(self);
 		return status;
 	}
 
@@ -288,6 +310,7 @@ kern_status_t sys_msg_recv(kern_handle_t channel_handle, kern_msg_t *out_msg)
 	struct channel *channel = channel_cast(channel_obj);
 	if (!channel) {
 		object_unref(channel_obj);
+		put_current_task(self);
 		return KERN_INVALID_ARGUMENT;
 	}
 
@@ -295,6 +318,7 @@ kern_status_t sys_msg_recv(kern_handle_t channel_handle, kern_msg_t *out_msg)
 	status = channel_recv_msg(channel, out_msg, &flags);
 	channel_unlock_irqrestore(channel, flags);
 	object_unref(channel_obj);
+	put_current_task(self);
 
 	return status;
 }
@@ -304,9 +328,10 @@ kern_status_t sys_msg_reply(
 	msgid_t id,
 	const kern_msg_t *reply)
 {
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 
 	if (!validate_msg(self, reply, true)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
@@ -322,6 +347,7 @@ kern_status_t sys_msg_reply(
 		&channel_obj,
 		&channel_handle_flags);
 	if (status != KERN_OK) {
+		put_current_task(self);
 		return status;
 	}
 
@@ -330,6 +356,7 @@ kern_status_t sys_msg_reply(
 	struct channel *channel = channel_cast(channel_obj);
 	if (!channel) {
 		object_unref(channel_obj);
+		put_current_task(self);
 		return KERN_INVALID_ARGUMENT;
 	}
 
@@ -337,6 +364,7 @@ kern_status_t sys_msg_reply(
 	status = channel_reply_msg(channel, id, reply, &flags);
 	channel_unlock_irqrestore(channel, flags);
 	object_unref(channel_obj);
+	put_current_task(self);
 
 	return status;
 }
@@ -349,13 +377,15 @@ kern_status_t sys_msg_read(
 	size_t iov_count,
 	size_t *nr_read)
 {
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 
 	if (nr_read && !validate_access_w(self, nr_read, sizeof *nr_read)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
 	if (!validate_iovec(self, iov, iov_count, true)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
@@ -371,6 +401,7 @@ kern_status_t sys_msg_read(
 		&channel_obj,
 		&channel_handle_flags);
 	if (status != KERN_OK) {
+		put_current_task(self);
 		return status;
 	}
 
@@ -379,6 +410,7 @@ kern_status_t sys_msg_read(
 	struct channel *channel = channel_cast(channel_obj);
 	if (!channel) {
 		object_unref(channel_obj);
+		put_current_task(self);
 		return KERN_INVALID_ARGUMENT;
 	}
 
@@ -393,6 +425,7 @@ kern_status_t sys_msg_read(
 		nr_read);
 	channel_unlock_irqrestore(channel, flags);
 	object_unref(channel_obj);
+	put_current_task(self);
 
 	return status;
 }
@@ -405,14 +438,16 @@ kern_status_t sys_msg_write(
 	size_t iov_count,
 	size_t *nr_written)
 {
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 
 	if (nr_written
 	    && !validate_access_w(self, nr_written, sizeof *nr_written)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
 	if (!validate_iovec(self, iov, iov_count, false)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
@@ -428,6 +463,7 @@ kern_status_t sys_msg_write(
 		&channel_obj,
 		&channel_handle_flags);
 	if (status != KERN_OK) {
+		put_current_task(self);
 		return status;
 	}
 
@@ -436,6 +472,7 @@ kern_status_t sys_msg_write(
 	struct channel *channel = channel_cast(channel_obj);
 	if (!channel) {
 		object_unref(channel_obj);
+		put_current_task(self);
 		return KERN_INVALID_ARGUMENT;
 	}
 
@@ -450,6 +487,7 @@ kern_status_t sys_msg_write(
 		nr_written);
 	channel_unlock_irqrestore(channel, flags);
 	object_unref(channel_obj);
+	put_current_task(self);
 
 	return status;
 }

syscall/object.c

@@ -13,12 +13,13 @@ kern_status_t sys_kern_object_wait(kern_wait_item_t *items, size_t nr_items)
 		return KERN_INVALID_ARGUMENT;
 	}
 
-	struct task *self = current_task();
+	struct task *self = get_current_task();
-	struct thread *self_thread = current_thread();
 	if (!validate_access_rw(self, items, nr_items * sizeof *items)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
+	struct thread *self_thread = get_current_thread();
 	self_thread->tr_state = THREAD_SLEEPING;
 
 	kern_status_t status = KERN_OK;
@@ -78,6 +79,9 @@ cleanup:
 	}
 
 	self_thread->tr_state = THREAD_READY;
+	put_current_thread(self_thread);
+	put_current_task(self);
+
 	return status;
 }
 
@@ -85,13 +89,15 @@ kern_status_t sys_kern_object_query(
 	kern_handle_t object_handle,
 	kern_object_info_t *out)
 {
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 
 	if (!out) {
+		put_current_task(self);
 		return KERN_INVALID_ARGUMENT;
 	}
 
 	if (!validate_access_w(self, out, sizeof *out)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
@@ -100,12 +106,14 @@ kern_status_t sys_kern_object_query(
 	kern_status_t status
 		= task_resolve_handle(self, object_handle, &obj, &flags);
 	if (status != KERN_OK) {
+		put_current_task(self);
 		return status;
 	}
 
 	out->obj_id = obj->ob_id;
 
 	object_unref(obj);
+	put_current_task(self);
 
 	return KERN_OK;
 }

syscall/task.c

@@ -1,5 +1,6 @@
 #include <kernel/address-space.h>
 #include <kernel/machine/cpu.h>
+#include <kernel/panic.h>
 #include <kernel/printk.h>
 #include <kernel/sched.h>
 #include <kernel/syscall.h>
@@ -9,8 +10,9 @@
 extern kern_status_t sys_task_exit(int status)
 {
 #if defined(TRACE)
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 	printk("%s[%d]: task_exit(%d)", self->t_name, self->t_id, status);
+	put_current_task(self);
 #endif
 	task_exit(status);
 	return KERN_FATAL_ERROR;
@@ -18,8 +20,9 @@ extern kern_status_t sys_task_exit(int status)
 
 kern_status_t sys_task_self(kern_handle_t *out)
 {
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 	if (!validate_access_w(self, out, sizeof *out)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
@@ -36,11 +39,13 @@ kern_status_t sys_task_self(kern_handle_t *out)
 	task_unlock_irqrestore(self, flags);
 
 	if (status != KERN_OK) {
+		put_current_task(self);
 		return status;
 	}
 
 	object_ref(&self->t_base);
 	handle_slot->h_object = &self->t_base;
+	put_current_task(self);
 
 	*out = handle;
 	return KERN_OK;
@@ -54,13 +59,15 @@ kern_status_t sys_task_create(
 	kern_handle_t *out_address_space)
 {
 	unsigned long flags;
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 
 	if (name_len && !validate_access_r(self, name, name_len)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
 	if (!validate_access_w(self, out_task, sizeof *out_task)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
@@ -68,6 +75,7 @@ kern_status_t sys_task_create(
 		    self,
 		    out_address_space,
 		    sizeof *out_address_space)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
@@ -81,6 +89,7 @@ kern_status_t sys_task_create(
 		&parent_flags);
 	if (status != KERN_OK) {
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return status;
 	}
 
@@ -96,6 +105,7 @@ kern_status_t sys_task_create(
 	if (status != KERN_OK) {
 		object_unref(parent_obj);
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return status;
 	}
 
@@ -108,6 +118,7 @@ kern_status_t sys_task_create(
 		object_unref(parent_obj);
 		handle_table_free_handle(self->t_handles, child_handle);
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return status;
 	}
 
@@ -121,6 +132,7 @@ kern_status_t sys_task_create(
 		handle_table_free_handle(self->t_handles, child_handle);
 		handle_table_free_handle(self->t_handles, space_handle);
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 
 		return KERN_NO_MEMORY;
 	}
@@ -136,6 +148,7 @@ kern_status_t sys_task_create(
 	object_ref(&child->t_address_space->s_base);
 
 	object_unref(parent_obj);
+	put_current_task(self);
 
 	*out_task = child_handle;
 	*out_address_space = space_handle;
@@ -152,13 +165,15 @@ kern_status_t sys_task_create_thread(
 	kern_handle_t *out_thread)
 {
 	unsigned long flags;
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 
 	if (!validate_access_r(self, args, nr_args * sizeof(uintptr_t))) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
 	if (!validate_access_w(self, out_thread, sizeof *out_thread)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
@@ -169,6 +184,7 @@ kern_status_t sys_task_create_thread(
 		= task_resolve_handle(self, task, &target_obj, &target_flags);
 	if (status != KERN_OK) {
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return status;
 	}
 
@@ -184,6 +200,7 @@ kern_status_t sys_task_create_thread(
 	if (status != KERN_OK) {
 		object_unref(target_obj);
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return status;
 	}
 
@@ -198,6 +215,7 @@ kern_status_t sys_task_create_thread(
 		task_lock_irqsave(self, &flags);
 		handle_table_free_handle(self->t_handles, out_handle);
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return KERN_NO_MEMORY;
 	}
 
@@ -207,6 +225,7 @@ kern_status_t sys_task_create_thread(
 
 	task_unlock_irqrestore(target, flags);
 	object_unref(target_obj);
+	put_current_task(self);
 
 	*out_thread = out_handle;
 	return KERN_OK;
@@ -216,8 +235,9 @@ kern_status_t sys_task_get_address_space(
 	kern_handle_t task_handle,
 	kern_handle_t *out)
 {
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 	if (!validate_access_w(self, out, sizeof *out)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
@@ -235,6 +255,7 @@ kern_status_t sys_task_get_address_space(
 		&handle_flags);
 	if (status != KERN_OK) {
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return status;
 	}
 
@@ -246,6 +267,7 @@ kern_status_t sys_task_get_address_space(
 	if (status != KERN_OK) {
 		object_unref(task_obj);
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return status;
 	}
 
@@ -255,6 +277,7 @@ kern_status_t sys_task_get_address_space(
 		object_unref(task_obj);
 		handle_table_free_handle(self->t_handles, handle);
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return KERN_INVALID_ARGUMENT;
 	}
 
@@ -262,6 +285,7 @@ kern_status_t sys_task_get_address_space(
 	object_ref(&task->t_address_space->s_base);
 	task_unlock_irqrestore(self, flags);
 	object_unref(task_obj);
+	put_current_task(self);
 
 	*out = handle;
 	return KERN_OK;
@@ -269,12 +293,13 @@ kern_status_t sys_task_get_address_space(
 
 kern_status_t sys_thread_self(kern_handle_t *out)
 {
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 	if (!validate_access_w(self, out, sizeof *out)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
-	struct thread *self_thread = current_thread();
+	struct thread *self_thread = get_current_thread();
 
 	unsigned long flags;
 	task_lock_irqsave(self, &flags);
@@ -289,11 +314,15 @@ kern_status_t sys_thread_self(kern_handle_t *out)
 	task_unlock_irqrestore(self, flags);
 
 	if (status != KERN_OK) {
+		put_current_thread(self_thread);
+		put_current_task(self);
 		return status;
 	}
 
 	object_ref(&self_thread->tr_base);
 	handle_slot->h_object = &self_thread->tr_base;
+	put_current_thread(self_thread);
+	put_current_task(self);
 
 	*out = handle;
 	return KERN_OK;
@@ -302,7 +331,7 @@ kern_status_t sys_thread_self(kern_handle_t *out)
 kern_status_t sys_thread_start(kern_handle_t thread_handle)
 {
 	unsigned long flags;
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 
 	struct object *thread_obj;
 	handle_flags_t thread_flags;
@@ -314,6 +343,7 @@ kern_status_t sys_thread_start(kern_handle_t thread_handle)
 		&thread_flags);
 	if (status != KERN_OK) {
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return status;
 	}
 
@@ -322,6 +352,7 @@ kern_status_t sys_thread_start(kern_handle_t thread_handle)
 
 	schedule_thread_on_cpu(thread);
 	object_unref(thread_obj);
+	put_current_task(self);
 
 	return KERN_OK;
 }
@@ -340,9 +371,10 @@ kern_status_t sys_thread_config_get(
 	size_t len)
 {
 	unsigned long flags;
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 
 	if (!validate_access_w(self, ptr, len)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
@@ -356,6 +388,7 @@ kern_status_t sys_thread_config_get(
 		&thread_flags);
 	if (status != KERN_OK) {
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return status;
 	}
 
@@ -365,6 +398,7 @@ kern_status_t sys_thread_config_get(
 	status = thread_config_get(thread, key, ptr, len);
 
 	object_unref(thread_obj);
+	put_current_task(self);
 
 	return status;
 }
@@ -376,9 +410,10 @@ kern_status_t sys_thread_config_set(
 	size_t len)
 {
 	unsigned long flags;
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 
 	if (!validate_access_w(self, ptr, len)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
@@ -392,6 +427,7 @@ kern_status_t sys_thread_config_set(
 		&thread_flags);
 	if (status != KERN_OK) {
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return status;
 	}
 
@@ -401,6 +437,107 @@ kern_status_t sys_thread_config_set(
 	status = thread_config_set(thread, key, ptr, len);
 
 	object_unref(thread_obj);
+	put_current_task(self);
 
 	return status;
 }
+
+kern_status_t sys_task_duplicate(
+	kern_handle_t *out_task,
+	kern_handle_t *out_address_space)
+{
+	struct task *self = get_current_task();
+
+	if (!validate_access_w(self, out_task, sizeof *out_task)) {
+		put_current_task(self);
+		return KERN_MEMORY_FAULT;
+	}
+
+	if (!validate_access_w(
+		    self,
+		    out_address_space,
+		    sizeof *out_address_space)) {
+		put_current_task(self);
+		return KERN_MEMORY_FAULT;
+	}
+
+	*out_task = KERN_HANDLE_INVALID;
+	*out_address_space = KERN_HANDLE_INVALID;
+
+	kern_status_t status = KERN_OK;
+	unsigned long flags;
+	task_lock_irqsave(self, &flags);
+
+	struct handle *child_handle_slot = NULL, *space_handle_slot = NULL;
+	kern_handle_t child_handle, space_handle;
+	status = handle_table_alloc_handle(
+		self->t_handles,
+		KERN_HANDLE_INVALID,
+		&child_handle_slot,
+		&child_handle);
+	if (status != KERN_OK) {
+		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
+		return status;
+	}
+
+	status = handle_table_alloc_handle(
+		self->t_handles,
+		KERN_HANDLE_INVALID,
+		&space_handle_slot,
+		&space_handle);
+	if (status != KERN_OK) {
+		handle_table_free_handle(self->t_handles, child_handle);
+		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
+		return status;
+	}
+
+	struct task *new_task = task_create(self->t_name, strlen(self->t_name));
+	if (!new_task) {
+		put_current_task(self);
+		return KERN_NO_MEMORY;
+	}
+
+	struct thread *new_thread = task_create_thread(new_task);
+	if (!new_thread) {
+		handle_table_free_handle(self->t_handles, child_handle);
+		handle_table_free_handle(self->t_handles, space_handle);
+		task_unlock_irqrestore(self, flags);
+		object_unref(&new_task->t_base);
+		put_current_task(self);
+		return KERN_NO_MEMORY;
+	}
+
+	struct thread *self_thread = get_current_thread();
+	thread_init_user_clone(new_thread, self_thread, KERN_OK);
+	put_current_thread(self_thread);
+
+	status = address_space_duplicate(
+		new_task->t_address_space,
+		self->t_address_space);
+	if (status != KERN_OK) {
+		handle_table_free_handle(self->t_handles, child_handle);
+		handle_table_free_handle(self->t_handles, space_handle);
+		task_unlock_irqrestore(self, flags);
+		object_unref(&new_thread->tr_base);
+		object_unref(&new_task->t_base);
+		put_current_task(self);
+		return status;
+	}
+
+	schedule_thread_on_cpu(new_thread);
+
+	child_handle_slot->h_object = &new_task->t_base;
+	space_handle_slot->h_object = &new_task->t_address_space->s_base;
+	task_unlock_irqrestore(self, flags);
+
+	*out_task = child_handle;
+	*out_address_space = space_handle;
+
+	/* clear TLB */
+	pmap_switch(self->t_pmap);
+	put_current_task(self);
+
+	return KERN_OK;
+}

syscall/vm-controller.c

@@ -7,18 +7,21 @@
 
 kern_status_t sys_vm_controller_create(kern_handle_t *out)
 {
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 
 	if (!validate_access_w(self, out, sizeof *out)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
 	struct vm_controller *ctrl = vm_controller_create();
 	if (!ctrl) {
+		put_current_task(self);
 		return KERN_NO_MEMORY;
 	}
 
 	kern_status_t status = task_open_handle(self, &ctrl->vc_base, 0, out);
+	put_current_task(self);
 	if (status != KERN_OK) {
 		object_unref(&ctrl->vc_base);
 		return status;
@@ -31,9 +34,10 @@ kern_status_t sys_vm_controller_recv(
 	kern_handle_t ctrl_handle,
 	equeue_packet_page_request_t *out)
 {
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 
 	if (!validate_access_w(self, out, sizeof *out)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
@@ -50,6 +54,7 @@ kern_status_t sys_vm_controller_recv(
 		&handle_flags);
 	if (status != KERN_OK) {
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return status;
 	}
 
@@ -57,6 +62,7 @@ kern_status_t sys_vm_controller_recv(
 	task_unlock_irqrestore(self, flags);
 	if (!ctrl) {
 		object_unref(ctrl_obj);
+		put_current_task(self);
 		return KERN_INVALID_ARGUMENT;
 	}
 
@@ -65,6 +71,7 @@ kern_status_t sys_vm_controller_recv(
 	vm_controller_unlock_irqrestore(ctrl, flags);
 
 	object_unref(ctrl_obj);
+	put_current_task(self);
 
 	return status;
 }
@@ -74,7 +81,7 @@ kern_status_t sys_vm_controller_recv_async(
 	kern_handle_t eq_handle,
 	equeue_key_t key)
 {
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 
 	kern_status_t status = KERN_OK;
 	unsigned long flags;
@@ -85,6 +92,7 @@ kern_status_t sys_vm_controller_recv_async(
 	status = task_resolve_handle(self, ctrl_handle, &ctrl_obj, &ctrl_flags);
 	if (status != KERN_OK) {
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return status;
 	}
 
@@ -92,6 +100,7 @@ kern_status_t sys_vm_controller_recv_async(
 	if (status != KERN_OK) {
 		object_unref(ctrl_obj);
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return status;
 	}
 
@@ -102,6 +111,7 @@ kern_status_t sys_vm_controller_recv_async(
 	if (!ctrl || !eq) {
 		object_unref(ctrl_obj);
 		object_unref(eq_obj);
+		put_current_task(self);
 		return KERN_INVALID_ARGUMENT;
 	}
 
@@ -111,6 +121,7 @@ kern_status_t sys_vm_controller_recv_async(
 
 	object_unref(ctrl_obj);
 	object_unref(eq_obj);
+	put_current_task(self);
 
 	return status;
 }
@@ -124,13 +135,15 @@ kern_status_t sys_vm_controller_create_object(
 	vm_prot_t prot,
 	kern_handle_t *out)
 {
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 
 	if (!validate_access_r(self, name, name_len)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
 	if (!validate_access_w(self, out, sizeof *out)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
@@ -147,6 +160,7 @@ kern_status_t sys_vm_controller_create_object(
 		&handle_flags);
 	if (status != KERN_OK) {
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return status;
 	}
 
@@ -162,6 +176,7 @@ kern_status_t sys_vm_controller_create_object(
 	task_unlock_irqrestore(self, flags);
 	if (!ctrl) {
 		object_unref(ctrl_obj);
+		put_current_task(self);
 		return KERN_INVALID_ARGUMENT;
 	}
 
@@ -183,10 +198,12 @@ kern_status_t sys_vm_controller_create_object(
 		task_lock_irqsave(self, &flags);
 		handle_table_free_handle(self->t_handles, out_handle);
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return status;
 	}
 
 	out_slot->h_object = &out_vmo->vo_base;
+	put_current_task(self);
 
 	*out = out_handle;
 	return KERN_OK;
@@ -196,7 +213,7 @@ kern_status_t sys_vm_controller_detach_object(
 	kern_handle_t ctrl_handle,
 	kern_handle_t vmo_handle)
 {
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 
 	kern_status_t status = KERN_OK;
 	unsigned long flags;
@@ -207,6 +224,7 @@ kern_status_t sys_vm_controller_detach_object(
 	status = task_resolve_handle(self, ctrl_handle, &ctrl_obj, &ctrl_flags);
 	if (status != KERN_OK) {
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return status;
 	}
 
@@ -214,6 +232,7 @@ kern_status_t sys_vm_controller_detach_object(
 	if (status != KERN_OK) {
 		object_unref(ctrl_obj);
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return status;
 	}
 
@@ -224,6 +243,7 @@ kern_status_t sys_vm_controller_detach_object(
 	if (!ctrl || !vmo) {
 		object_unref(ctrl_obj);
 		object_unref(vmo_obj);
+		put_current_task(self);
 		return KERN_INVALID_ARGUMENT;
 	}
 
@@ -235,6 +255,7 @@ kern_status_t sys_vm_controller_detach_object(
 
 	object_unref(ctrl_obj);
 	object_unref(vmo_obj);
+	put_current_task(self);
 
 	return status;
 }
@@ -247,7 +268,7 @@ kern_status_t sys_vm_controller_supply_pages(
 	off_t src_offset,
 	size_t count)
 {
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 
 	kern_status_t status = KERN_OK;
 	unsigned long flags;
@@ -258,6 +279,7 @@ kern_status_t sys_vm_controller_supply_pages(
 	status = task_resolve_handle(self, ctrl_handle, &ctrl_obj, &ctrl_flags);
 	if (status != KERN_OK) {
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return status;
 	}
 
@@ -265,6 +287,7 @@ kern_status_t sys_vm_controller_supply_pages(
 	if (status != KERN_OK) {
 		object_unref(ctrl_obj);
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return status;
 	}
 
@@ -273,6 +296,7 @@ kern_status_t sys_vm_controller_supply_pages(
 		object_unref(ctrl_obj);
 		object_unref(dst_obj);
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return status;
 	}
 
@@ -285,6 +309,7 @@ kern_status_t sys_vm_controller_supply_pages(
 		object_unref(ctrl_obj);
 		object_unref(dst_obj);
 		object_unref(src_obj);
+		put_current_task(self);
 		return KERN_INVALID_ARGUMENT;
 	}
 
@@ -303,6 +328,7 @@ kern_status_t sys_vm_controller_supply_pages(
 	object_unref(ctrl_obj);
 	object_unref(dst_obj);
 	object_unref(src_obj);
+	put_current_task(self);
 
 	return status;
 }

syscall/vm-object.c

@@ -11,13 +11,15 @@ kern_status_t sys_vm_object_create(
 	vm_prot_t prot,
 	kern_handle_t *out_handle)
 {
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 
 	if ((name || name_len) && !validate_access_r(self, name, name_len)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
 	if (!validate_access_w(self, out_handle, sizeof *out_handle)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
@@ -30,6 +32,7 @@ kern_status_t sys_vm_object_create(
 	kern_status_t status
 		= task_open_handle(self, &obj->vo_base, 0, out_handle);
 	object_unref(&obj->vo_base);
+	put_current_task(self);
 
 	return status;
 }
@@ -41,13 +44,15 @@ kern_status_t sys_vm_object_read(
 	size_t count,
 	size_t *nr_read)
 {
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 
 	if (!validate_access_w(self, dst, count)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
 	if (nr_read && !validate_access_w(self, nr_read, sizeof *nr_read)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
@@ -55,15 +60,19 @@ kern_status_t sys_vm_object_read(
 	handle_flags_t flags = 0;
 	kern_status_t status = task_resolve_handle(self, object, &obj, &flags);
 	if (status != KERN_OK) {
+		put_current_task(self);
 		return status;
 	}
 
 	struct vm_object *vmo = vm_object_cast(obj);
 	if (!vmo) {
+		put_current_task(self);
 		return KERN_INVALID_ARGUMENT;
 	}
 
-	return vm_object_read(vmo, dst, offset, count, nr_read);
+	status = vm_object_read(vmo, dst, offset, count, nr_read);
+	put_current_task(self);
+	return status;
 }
 
 kern_status_t sys_vm_object_write(
@@ -73,14 +82,16 @@ kern_status_t sys_vm_object_write(
 	size_t count,
 	size_t *nr_written)
 {
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 
 	if (!validate_access_r(self, src, count)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
 	if (nr_written
 	    && !validate_access_w(self, nr_written, sizeof *nr_written)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
@@ -88,15 +99,19 @@ kern_status_t sys_vm_object_write(
 	handle_flags_t flags = 0;
 	kern_status_t status = task_resolve_handle(self, object, &obj, &flags);
 	if (status != KERN_OK) {
+		put_current_task(self);
 		return status;
 	}
 
 	struct vm_object *vmo = vm_object_cast(obj);
 	if (!vmo) {
+		put_current_task(self);
 		return KERN_INVALID_ARGUMENT;
 	}
 
-	return vm_object_write(vmo, src, offset, count, nr_written);
+	status = vm_object_write(vmo, src, offset, count, nr_written);
+	put_current_task(self);
+	return status;
 }
 
 kern_status_t sys_vm_object_copy(
@@ -114,10 +129,11 @@ kern_status_t sys_vm_object_copy(
 	       src_offset,
 	       count,
 	       nr_copied);
-	struct task *self = current_task();
+	struct task *self = get_current_task();
 
 	if (nr_copied
 	    && !validate_access_w(self, nr_copied, sizeof *nr_copied)) {
+		put_current_task(self);
 		return KERN_MEMORY_FAULT;
 	}
 
@@ -131,16 +147,19 @@ kern_status_t sys_vm_object_copy(
 	status = task_resolve_handle(self, dst, &dst_obj, &dst_flags);
 	if (status != KERN_OK) {
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return status;
 	}
 
 	status = task_resolve_handle(self, src, &src_obj, &src_flags);
 	if (status != KERN_OK) {
 		task_unlock_irqrestore(self, flags);
+		put_current_task(self);
 		return status;
 	}
 
 	task_unlock_irqrestore(self, flags);
+	put_current_task(self);
 
 	struct vm_object *dst_vmo = vm_object_cast(dst_obj);
 	struct vm_object *src_vmo = vm_object_cast(src_obj);

vm/address-space.c

@@ -1206,6 +1206,238 @@ kern_status_t address_space_release(
 	return status;
 }
 
+static struct vm_area *area_duplicate(struct vm_area *area)
+{
+	struct vm_area *out = vm_cache_alloc(&vm_area_cache, VM_NORMAL);
+	if (!out) {
+		return NULL;
+	}
+
+	out->vma_prot = area->vma_prot;
+	out->vma_object_offset = area->vma_object_offset;
+	out->vma_base = area->vma_base;
+	out->vma_limit = area->vma_limit;
+
+	return out;
+}
+
+static kern_status_t update_area_pte_cow(
+	struct address_space *src,
+	struct address_space *dest,
+	struct vm_area *area)
+{
+	if (!area->vma_object) {
+		return KERN_OK;
+	}
+
+	for (virt_addr_t i = area->vma_base; i < area->vma_limit;
+	     i += VM_PAGE_SIZE) {
+		off_t pg_offset = i - area->vma_base + area->vma_object_offset;
+		struct vm_page *pg = vm_object_get_page(
+			area->vma_object,
+			pg_offset,
+			0,
+			NULL);
+		vm_prot_t temp_prot = area->vma_prot;
+		temp_prot &= ~VM_PROT_WRITE;
+
+		if (pg) {
+			pmap_add(
+				src->s_pmap,
+				i,
+				vm_page_get_pfn(pg),
+				temp_prot,
+				PMAP_NORMAL);
+			pmap_add(
+				dest->s_pmap,
+				i,
+				vm_page_get_pfn(pg),
+				temp_prot,
+				PMAP_NORMAL);
+			tracek("PTE %zx -> %zx [%x]",
+			       i,
+			       vm_page_get_paddr(pg),
+			       temp_prot);
+		}
+	}
+
+	return KERN_OK;
+}
+
+static kern_status_t prepare_duplicate_areas(
+	struct address_space *src,
+	struct address_space *dest)
+{
+	struct btree_node *cur_node = btree_first(&src->s_mappings);
+	while (cur_node) {
+		struct vm_area *tmp_area
+			= BTREE_CONTAINER(struct vm_area, vma_node, cur_node);
+		if (!tmp_area->vma_object) {
+			cur_node = btree_next(cur_node);
+			continue;
+		}
+
+		struct vm_object *src_vmo = tmp_area->vma_object;
+		vm_object_lock(src_vmo);
+
+		struct vm_object *dest_vmo = NULL;
+		struct queue_entry *cur_entry
+			= queue_first(&src_vmo->vo_mappings);
+
+		while (cur_entry) {
+			struct vm_area *src_area = QUEUE_CONTAINER(
+				struct vm_area,
+				vma_object_entry,
+				cur_entry);
+			if (src_area->vma_space != src) {
+				cur_entry = queue_next(cur_entry);
+				continue;
+			}
+
+			struct vm_area *dest_area = get_entry(
+				&dest->s_mappings,
+				src_area->vma_base,
+				GET_ENTRY_EXACT);
+			if (!dest_area) {
+				/* this shouldn't happen. the duplicate vm_areas
+				 * were already created by
+				 * address_space_duplicate */
+				panic("create_duplicate_vmo: corresponding "
+				      "vm_area is missing");
+			}
+
+			if (dest_area->vma_object) {
+				cur_entry = queue_next(cur_entry);
+				continue;
+			}
+
+			if (!dest_vmo) {
+				tracek("[%zx-%zx %x] creating COW duplicate of "
+				       "vmo %p",
+				       src_area->vma_base,
+				       src_area->vma_limit,
+				       src_area->vma_prot,
+				       src_vmo);
+				dest_vmo = vm_object_duplicate_cow(src_vmo);
+				tracek("[%zx-%zx %x] created COW duplicate of "
+				       "vmo %p -> %p",
+				       src_area->vma_base,
+				       src_area->vma_limit,
+				       src_area->vma_prot,
+				       src_vmo,
+				       dest_vmo);
+			}
+
+			dest_area->vma_object = dest_vmo;
+			update_area_pte_cow(src, dest, src_area);
+			cur_entry = queue_next(cur_entry);
+		}
+
+		vm_object_unlock(src_vmo);
+
+		cur_node = btree_next(cur_node);
+	}
+
+	return KERN_OK;
+}
+
+kern_status_t address_space_duplicate(
+	struct address_space *dest,
+	struct address_space *src)
+{
+	// address_space_dump(src);
+	/* clang-format off
+	 * strategy for COW address space duplication:
+	 * 1. duplicate each vm_area in the address space
+	 *    a. all details except for the vm_object pointer are copied.
+	 *    b. create a duplicate vm_object, where all the details are the
+	 *       same, but don't copy the pages or vm_page pointers.
+	 *    c. if the vm_object is attached to a vm_controller, don't inform
+	 *       the controller yet.
+	 *    d. for both the original and duplicate vm_area, duplicate the PTE
+	 *       entries, changing all of them to read-only. increment the
+	 *       p_cow_ref counters for all committed vm_pages.
+	 *    e. use the vm_object's vm_area list, and the vm_area's vma_space
+	 *       pointer, to ensure that only one duplicate is created for each
+	 *       unique vm-object referenced by an address-space.
+	 * 2. when a page fault occurs:
+	 *    a. find the relevant vm_area as normal.
+	 *    b. if the faulted page is present and the vm_area's prot flags
+	 *       should allow the access, a COW is required.
+	 *    c. if the relevant page is already present in the vm_area's
+	 *       vm_object, this is the original vm_area. otherwise, this is the
+	 *       clone vm_area.
+	 *    d. if this is the source vm_area:
+	 *       i. decrement p_cow_ref in the page. if it is 0, skip to step v.
+	 *       ii. remove the relevant page from the vm_area
+	 *       iii. allocate a new page and copy the data.
+	 *       iv. add the new page to the vm_object at the same offset.
+	 *       v. change the PTE entry to the proper protection flags.
+	 *       vi. resume the faulting task.
+	 *    e. otherwise, if this is the clone vm_area:
+	 *       i. if the vm-object has a controller, send
+	 *          PAGE_REQUEST_DUPLICATE to it. the controller needs to
+	 *          prepare itself to receive page requests from this vm-object,
+	 *          which includes priving it an equeue_key_t.
+	 *       i. use the physical address stored in the PTE to find the
+	 *          relevant vm_page.
+	 *       ii. decrement p_cow_ref in the page.
+	 *       iii. if p_cow_ref is > 0, allocate a new page and copy the data.
+	 *            otherwise, use the existing page as-is.
+	 *       iv. add the page from step iii to the vm_object at the correct
+	 *           offset.
+	 *       v. change the PTE entry to the proper protection flags.
+	 *       vi. resume the faulting task.
+	 * 3. when destroying a vm_area:
+	 *    a. for pages already present in a vm-object, handle as normal.
+	 *    b. for pages not present in a vm-object, but for which a valid PTE
+	 *       exists, use the PTE physical address to find the vm_page.
+	 *    c. decrement p_cow_ref in this page.
+	 *    d. if p_cow_ref == 0, de-allocate the page.
+	 * clang-format on
+	 */
+	struct btree_node *cur = btree_first(&src->s_mappings);
+	while (cur) {
+		struct vm_area *src_area
+			= BTREE_CONTAINER(struct vm_area, vma_node, cur);
+		struct vm_area *dest_area = area_duplicate(src_area);
+		tracek("duplicated vm_area [%zx-%zx] %p -> %p",
+		       src_area->vma_base,
+		       src_area->vma_limit,
+		       src_area,
+		       dest_area);
+		/* TODO handle OOM */
+		put_entry(&dest->s_mappings, dest_area);
+
+		cur = btree_next(cur);
+	}
+
+	cur = btree_first(&src->s_reserved);
+	while (cur) {
+		struct vm_area *src_area
+			= BTREE_CONTAINER(struct vm_area, vma_node, cur);
+		struct vm_area *dest_area = area_duplicate(src_area);
+		tracek("duplicated vm_area [r] [%zx-%zx] %p -> %p",
+		       src_area->vma_base,
+		       src_area->vma_limit,
+		       src_area,
+		       dest_area);
+		/* TODO handle OOM */
+		put_entry(&dest->s_reserved, dest_area);
+
+		cur = btree_next(cur);
+	}
+
+	tracek("preparing duplicate areas");
+	kern_status_t status = prepare_duplicate_areas(src, dest);
+	tracek("prepared duplicate areas");
+	if (status != KERN_OK) {
+		return status;
+	}
+
+	return KERN_OK;
+}
+
 bool address_space_validate_access(
 	struct address_space *region,
 	virt_addr_t ptr,
@@ -1261,9 +1493,11 @@ static kern_status_t request_missing_page(
 	/* here:
 	 * `region` is locked.
 	 * `object` is unlocked.
-	 * `irq_flags` must be restored when `region` is unlocked.
+	 * `irq_flags` must be restored when `region` is
-	 * the relevant page in `object` may or may not be committed.
+	 * unlocked.
-	 * if it isn't, it needs to be requested.
+	 * the relevant page in `object` may or may
+	 * not be committed. if it isn't, it needs to be
+	 * requested.
 	 */
 	vm_object_lock(object);
 	address_space_unlock(region);
@@ -1292,7 +1526,129 @@ static kern_status_t request_missing_page(
 	return status;
 }
 
-/* this function must be called with `region` locked */
+/* handle a write to a page that is present and /should be/ writeable, but is
+ * currently read-only due to COW. */
+static kern_status_t handle_cow_access(
+	struct address_space *region,
+	virt_addr_t addr,
+	enum pmap_fault_flags flags,
+	unsigned long *irq_flags)
+{
+	struct vm_area *area
+		= get_entry(&region->s_mappings, addr, GET_ENTRY_EXACT);
+	if (!area || !area->vma_object) {
+		/* no mapping exists (this shouldn't happen) */
+		address_space_unlock_irqrestore(region, *irq_flags);
+		return KERN_NO_ENTRY;
+	}
+
+	if ((area->vma_prot & (VM_PROT_WRITE | VM_PROT_USER))
+	    != (VM_PROT_WRITE | VM_PROT_USER)) {
+		/* access denied */
+		address_space_unlock_irqrestore(region, *irq_flags);
+		return KERN_ACCESS_DENIED;
+	}
+
+	tracek("cow access %zx", addr);
+	if (area->vma_object->vo_ctrl) {
+		panic("COW on controlled vm-object");
+	}
+
+	off_t object_offset = addr - area->vma_base + area->vma_object_offset;
+	vm_object_lock(area->vma_object);
+	struct vm_page *pg
+		= vm_object_get_page(area->vma_object, object_offset, 0, NULL);
+
+	bool add_page = false;
+	if (!pg) {
+		/* the page hasn't been added to the vmo yet. */
+		pfn_t pfn;
+		vm_prot_t prot;
+		kern_status_t status
+			= pmap_get(region->s_pmap, addr, &pfn, &prot);
+		if (status != KERN_OK) {
+			vm_object_unlock(area->vma_object);
+			address_space_unlock_irqrestore(region, *irq_flags);
+			return status;
+		}
+
+		add_page = true;
+		pg = vm_page_get(pfn * VM_PAGE_SIZE);
+		tracek("recovered page %zx (%p, %u) from the aether",
+		       vm_page_get_paddr(pg),
+		       pg,
+		       pg->p_cow_ref);
+
+		if (!pg) {
+			/* still can't find the page */
+			panic("cannot resolve cow-reference to page %zx",
+			      pfn * VM_PAGE_SIZE);
+		}
+
+		if (!pg->p_cow_ref) {
+			/* still can't find the page */
+			panic("cow-reference page %zx cow-ref=0",
+			      pfn * VM_PAGE_SIZE);
+		}
+	}
+
+	atomic_t cow_ref = atomic_sub_fetch(&pg->p_cow_ref, 1);
+	tracek("decrement cow-ref page %zx -> now %u",
+	       vm_page_get_paddr(pg),
+	       pg->p_cow_ref);
+	if (cow_ref > 0) {
+		/* another task is (or will be) referencing this page. create
+		 * a copy */
+		struct vm_page *dup = vm_page_alloc(VM_PAGE_4K, VM_NORMAL);
+		if (!dup) {
+			vm_object_unlock(area->vma_object);
+			address_space_unlock_irqrestore(region, *irq_flags);
+			return KERN_NO_MEMORY;
+		}
+
+		void *src = vm_page_get_vaddr(pg);
+		void *dest = vm_page_get_vaddr(dup);
+		memcpy(dest, src, vm_page_get_size_bytes(dup));
+
+		if (!add_page) {
+			btree_delete(&area->vma_object->vo_pages, &pg->p_bnode);
+		}
+
+		vm_object_put_page(area->vma_object, object_offset, dup);
+		tracek("splitting cow page %zx -> %zx",
+		       vm_page_get_paddr(pg),
+		       vm_page_get_paddr(dup));
+		tracek("put page %zx into area [%zx-%zx] at %zx",
+		       vm_page_get_paddr(dup),
+		       area->vma_base,
+		       area->vma_limit,
+		       object_offset);
+		pg = dup;
+	} else if (add_page) {
+		/* we are the last task referencing this page. add it to our
+		 * vmo and continue */
+		tracek("claimed cow page %zx", vm_page_get_paddr(pg));
+		vm_object_put_page(area->vma_object, object_offset, pg);
+	} else {
+		/* we are the last task referencing this page, and it is already
+		 * in our vmo. */
+		tracek("reclaimed cow page %zx", vm_page_get_paddr(pg));
+	}
+
+	kern_status_t status = pmap_add(
+		region->s_pmap,
+		addr,
+		vm_page_get_pfn(pg),
+		area->vma_prot,
+		PMAP_NORMAL);
+
+	vm_object_unlock(area->vma_object);
+	address_space_unlock_irqrestore(region, *irq_flags);
+
+	return status;
+}
+
+/* this function must be called with `region` unlocked */
 kern_status_t address_space_demand_map(
 	struct address_space *region,
 	virt_addr_t addr,
@@ -1306,6 +1662,13 @@ kern_status_t address_space_demand_map(
 	unsigned long irq_flags;
 	address_space_lock_irqsave(region, &irq_flags);
 
+	const enum pmap_fault_flags cow_flags
+		= PMAP_FAULT_WRITE | PMAP_FAULT_PRESENT | PMAP_FAULT_USER;
+
+	if ((flags & cow_flags) == cow_flags) {
+		return handle_cow_access(region, addr, flags, &irq_flags);
+	}
+
 	struct vm_area *area
 		= get_entry(&region->s_mappings, addr, GET_ENTRY_EXACT);
 	if (!area || !area->vma_object) {
@@ -1348,6 +1711,8 @@ kern_status_t address_space_demand_map(
 #endif
 
 	if (!pg) {
+		vm_object_unlock(area->vma_object);
+		address_space_unlock_irqrestore(region, irq_flags);
 		return KERN_FATAL_ERROR;
 	}
 

vm/vm-controller.c

@@ -159,6 +159,7 @@ kern_status_t vm_controller_recv(
 	spin_unlock(&req->req_lock);
 
 	if (req->req_status == PAGE_REQUEST_ASYNC) {
+		put_current_thread(req->req_sender);
 		vm_cache_free(&page_request_cache, req);
 	}
 
@@ -215,12 +216,21 @@ kern_status_t vm_controller_detach_object(
 		return KERN_INVALID_ARGUMENT;
 	}
 
+	if (vmo->vo_key == 0) {
+		/* this vmo isn't actually attached to this controller yet.
+		 * this can happen if a controller-attached vmo was duplicated
+		 * via copy-on-write, and the duplicate vmo has not yet been
+		 * accessed. */
+		vmo->vo_ctrl = NULL;
+		return KERN_OK;
+	}
+
 	struct page_request *req
 		= vm_cache_alloc(&page_request_cache, VM_NORMAL);
 	req->req_type = PAGE_REQUEST_DETACH;
 	req->req_status = PAGE_REQUEST_ASYNC;
 	req->req_object = vmo->vo_key;
-	req->req_sender = current_thread();
+	req->req_sender = get_current_thread();
 	send_request_async(ctrl, req);
 
 	vmo->vo_ctrl = NULL;
@@ -236,7 +246,7 @@ static void wait_for_reply(
 	unsigned long *lock_flags)
 {
 	struct wait_item waiter;
-	struct thread *self = current_thread();
+	struct thread *self = get_current_thread();
 
 	wait_item_init(&waiter, self);
 	for (;;) {
@@ -251,6 +261,7 @@ static void wait_for_reply(
 	}
 
 	self->tr_state = THREAD_READY;
+	put_current_thread(self);
 }
 
 static void fulfill_requests(

vm/vm-object.c

@@ -1,4 +1,5 @@
 #include <kernel/address-space.h>
+#include <kernel/panic.h>
 #include <kernel/printk.h>
 #include <kernel/sched.h>
 #include <kernel/util.h>
@@ -31,9 +32,10 @@ static kern_status_t vm_object_cleanup(struct object *obj)
 
 	if (vmo->vo_ctrl) {
 		unsigned long flags;
-		vm_controller_lock_irqsave(vmo->vo_ctrl, &flags);
+		struct vm_controller *ctrl = vmo->vo_ctrl;
+		vm_controller_lock_irqsave(ctrl, &flags);
 		vm_controller_detach_object(vmo->vo_ctrl, vmo);
-		vm_controller_unlock_irqrestore(vmo->vo_ctrl, flags);
+		vm_controller_unlock_irqrestore(ctrl, flags);
 	}
 
 	return KERN_OK;
@@ -276,6 +278,43 @@ extern struct vm_object *vm_object_create_in_place(
 	return vmo;
 }
 
+struct vm_object *vm_object_duplicate_cow(struct vm_object *vmo)
+{
+	struct object *obj = object_create(&vm_object_type);
+	if (!obj) {
+		return NULL;
+	}
+
+	struct vm_object *out = VM_OBJECT_CAST(obj);
+
+	memcpy(out->vo_name, vmo->vo_name, sizeof out->vo_name);
+	out->vo_flags = vmo->vo_flags;
+	out->vo_ctrl = vmo->vo_ctrl;
+	out->vo_prot = vmo->vo_prot;
+	out->vo_size = vmo->vo_size;
+	memcpy(out->vo_name, vmo->vo_name, sizeof vmo->vo_name);
+
+	struct btree_node *cur = btree_first(&vmo->vo_pages);
+	while (cur) {
+		struct vm_page *pg
+			= BTREE_CONTAINER(struct vm_page, p_bnode, cur);
+		int x = atomic_fetch_add(&pg->p_cow_ref, 1);
+		if (x == 0) {
+			/* this is the first cow-reference for this page, so
+			 * the address-space it belongs to will need one too */
+			atomic_fetch_add(&pg->p_cow_ref, 1);
+		}
+
+		tracek("convert page %zx to cow %u",
+		       vm_page_get_paddr(pg),
+		       pg->p_cow_ref);
+
+		cur = btree_next(cur);
+	}
+
+	return out;
+}
+
 static struct vm_page *alloc_page(struct vm_object *vo, off_t offset)
 {
 	struct vm_page *page = NULL;
@@ -341,6 +380,54 @@ static struct vm_page *alloc_page(struct vm_object *vo, off_t offset)
 	return NULL;
 }
 
+kern_status_t vm_object_put_page(
+	struct vm_object *vo,
+	off_t offset,
+	struct vm_page *pg)
+{
+	struct btree_node *cur = vo->vo_pages.b_root;
+	if (!vo->vo_pages.b_root) {
+		vo->vo_pages.b_root = &pg->p_bnode;
+		return KERN_OK;
+	}
+
+	while (cur) {
+		struct vm_page *page
+			= BTREE_CONTAINER(struct vm_page, p_bnode, cur);
+		struct btree_node *next = NULL;
+
+		off_t base = page->p_vmo_offset;
+		off_t limit = base + vm_page_get_size_bytes(page);
+		if (offset < base) {
+			next = btree_left(cur);
+		} else if (offset >= limit) {
+			next = btree_right(cur);
+		} else {
+			panic("vm_object_put_page: page already exists");
+			return KERN_NAME_EXISTS;
+		}
+
+		if (next) {
+			cur = next;
+			continue;
+		}
+
+		pg->p_vmo_offset = offset;
+
+		if (offset < base) {
+			btree_put_left(cur, &pg->p_bnode);
+		} else {
+			btree_put_right(cur, &pg->p_bnode);
+		}
+
+		btree_insert_fixup(&vo->vo_pages, &pg->p_bnode);
+
+		return KERN_OK;
+	}
+
+	return KERN_FATAL_ERROR;
+}
+
 static struct vm_page *get_page(struct vm_object *vo, off_t offset)
 {
 	struct btree_node *cur = vo->vo_pages.b_root;
@@ -376,7 +463,7 @@ static kern_status_t request_page(
 	req.req_type = PAGE_REQUEST_READ;
 	req.req_offset = offset;
 	req.req_length = vm_page_order_to_bytes(VM_PAGE_4K);
-	req.req_sender = current_thread();
+	req.req_sender = get_current_thread();
 
 	object_ref(&vo->vo_base);
 	req.req_object = vo->vo_key;
@@ -388,6 +475,7 @@ static kern_status_t request_page(
 	kern_status_t status
 		= vm_controller_send_request(ctrl, &req, irq_flags);
 
+	put_current_thread(req.req_sender);
 	spin_unlock(&req.req_lock);
 	vm_controller_unlock_irqrestore(ctrl, *irq_flags);
 	object_unref(&vo->vo_base);
@@ -412,7 +500,7 @@ struct vm_page *vm_object_get_page(
 		return pg;
 	}
 
-	if (!vo->vo_ctrl) {
+	if (!vo->vo_ctrl || !(flags & VMO_REQUEST_MISSING_PAGE)) {
 		return NULL;
 	}