From cc6712ea048aa138182164a8b4dfa7526003630d Mon Sep 17 00:00:00 2001
From: Mike Silbersack
Date: Tue, 19 Feb 2002 03:15:28 +0000
Subject: [PATCH] A few misc forkbomb defenses:
- Leave 10 processes for root-only use, the previous value of 1 was insufficient to run ps ax | more.
- Remove the printing of "proc: table full". When the table really is full, this would flood the screen/logs, making the problem tougher to deal with.
- Force any process trying to fork beyond its user's maximum number of processes to sleep for .5 seconds before returning failure. This turns 2000 rampaging fork monsters into 2000 harmlessly snoozing fork monsters.
Reviewed by: dillon, peter
MFC after: 1 week
---
 sys/kern/kern_fork.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/sys/kern/kern_fork.c b/sys/kern/kern_fork.c
index c7cbf280854..d7913028231 100644
--- a/sys/kern/kern_fork.c
+++ b/sys/kern/kern_fork.c
@@ -93,6 +93,8 @@ struct fork_args {
 };
 #endif
+int forksleep; /* Place for fork1() to sleep on. */
+
 static void
 init_fork_list(void *data __unused)
 {
@@ -297,8 +299,8 @@ fork1(td, flags, procp)
 * processes, maxproc is the limit.
 */
 uid = p1->p_ucred->cr_ruid;
- if ((nprocs >= maxproc - 1 && uid != 0) || nprocs >= maxproc) {
- tablefull("proc");
+ if ((nprocs >= maxproc - 10 && uid != 0) || nprocs >= maxproc) {
+ tsleep(&forksleep, PUSER, "fork", hz / 2);
 return (EAGAIN);
 }
 /*
@@ -318,6 +320,7 @@ fork1(td, flags, procp)
 * Back out the process count
 */
 nprocs--;
+ tsleep(&forksleep, PUSER, "fork", hz / 2);
 return (EAGAIN);
 }
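Review bot: `forksleep` in the first hunk is declared with external linkage, although the hunks shown use it only as the address passed to `tsleep()` inside this file. Unless another file is meant to reference it, `static int forksleep; /* Sleep channel for fork1() throttling. */` keeps the symbol out of the kernel's global namespace. Whether anything outside kern_fork.c uses the name cannot be seen from this patch.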
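Review bot: In the system-limit branch of fork1() (second hunk), deleting `tablefull("proc");` outright leaves no record that the process table filled, so an operator loses the one signal that a fork bomb or an undersized maxproc is in play. The stated problem is log flooding, and a rate limit keeps the signal without the flood, for example `if (time_second != lastfull) { lastfull = time_second; tablefull("proc"); }` with a file-scope `static time_t lastfull;` (the variable name is constructed here). The reserve of `10` is a bare literal in the condition; a named constant with a comment saying it is the number of slots held back for uid 0 would make the intent readable and easier to adjust. The half-second delay also applies to uid 0 once `nprocs >= maxproc`, which may be worth a comment if it is intended. fork1() begins and ends outside this hunk.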
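Review bot: The `tsleep()` added on the failure path in the third hunk (the per-user limit, going by the commit message) carries no comment, and nothing in this patch calls `wakeup(&forksleep)`, so a reader has to work out that the call is a deliberate throttle that always ends by timeout. A comment such as `/* Throttle the caller: no wakeup() is issued on forksleep, the hz / 2 timeout is the whole delay. */` above it would say so, and the identical call in the second hunk wants the same comment. The count is backed out with `nprocs--` before the sleep, so the slot is not held while the caller waits; that ordering is worth stating in the comment too. The enclosing block and fork1() itself begin outside the hunk.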