A few misc forkbomb defenses:

- Leave 10 processes for root-only use, the previous value of 1 was insufficient to run ps ax | more. - Remove the printing of "proc: table full". When the table really is full, this would flood the screen/logs, making the problem tougher to deal with. - Force any process trying to fork beyond its user's maximum number of processes to sleep for .5 seconds before returning failure. This turns 2000 rampaging fork monsters into 2000 harmlessly snoozing fork monsters. Reviewed by: dillon, peter MFC after: 1 week
2002-02-19 03:15:28 +00:00 · 2002-02-19 03:15:28 +00:00 · cc6712ea04
commit cc6712ea04
parent 35a86b35c1
1 changed files with 5 additions and 2 deletions
--- a/sys/kern/kern_fork.c
+++ b/sys/kern/kern_fork.c
@ -93,6 +93,8 @@ struct fork_args {
 };
 #endif

+int forksleep; /* Place for fork1() to sleep on. */
+
 static void
 init_fork_list(void *data __unused)
 {
@ -297,8 +299,8 @@ fork1(td, flags, procp)
 	 * processes, maxproc is the limit.
 	 */
 	uid = p1->p_ucred->cr_ruid;
-	if ((nprocs >= maxproc - 1 && uid != 0) || nprocs >= maxproc) {
-		tablefull("proc");
+	if ((nprocs >= maxproc - 10 && uid != 0) || nprocs >= maxproc) {
+		tsleep(&forksleep, PUSER, "fork", hz / 2);
 		return (EAGAIN);
 	}
 	/*
@ -318,6 +320,7 @@ fork1(td, flags, procp)
 		 * Back out the process count
 		 */
 		nprocs--;
+		tsleep(&forksleep, PUSER, "fork", hz / 2);
 		return (EAGAIN);
 	}