From: Mateusz Guzik
Date: Sat, 17 Aug 2019 17:56:44 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r351174 - head/sys/kern

Author: mjg
Date: Sat Aug 17 17:56:43 2019
New Revision: 351174
URL: https://svnweb.freebsd.org/changeset/base/351174

Log:
  fork: bump process count before checking for permission to cross the limit

  The limit is almost never reached. Do the check only on failure to see if we
  can override it.

  No change in user-visible behavior.

  Sponsored by: The FreeBSD Foundation

Modified:
  head/sys/kern/kern_fork.c

Modified: head/sys/kern/kern_fork.c ============================================================================== --- head/sys/kern/kern_fork.c Sat Aug 17 17:42:01 2019 (r351173) +++ head/sys/kern/kern_fork.c Sat Aug 17 17:56:43 2019 (r351174) @@ -800,9 +800,10 @@ fork1(struct thread *td, struct fork_req *fr) struct proc *p1, *newproc; struct thread *td2; struct vmspace *vm2; + struct ucred *cred; struct file *fp_procdesc; vm_ooffset_t mem_charged; - int error, nprocs_new, ok; + int error, nprocs_new; static int curfail; static struct timeval lastfail; int flags, pages; 
@@ -973,21 +974,17 @@ fork1(struct thread *td, struct fork_req *fr) /* * Increment the count of procs running with this uid. Don't allow * a nonprivileged user to exceed their current limit. - * - * XXXRW: Can we avoid privilege here if it's not needed? */ - error = priv_check_cred(td->td_ucred, PRIV_PROC_LIMIT); - if (error == 0) - ok = chgproccnt(td->td_ucred->cr_ruidinfo, 1, 0); - else { - ok = chgproccnt(td->td_ucred->cr_ruidinfo, 1, - lim_cur(td, RLIMIT_NPROC)); + cred = td->td_ucred; + if (!chgproccnt(cred->cr_ruidinfo, 1, lim_cur(td, RLIMIT_NPROC))) { + if (priv_check_cred(cred, PRIV_PROC_LIMIT) != 0) + goto fail0; + chgproccnt(cred->cr_ruidinfo, 1, 0); } - if (ok) { - do_fork(td, fr, newproc, td2, vm2, fp_procdesc); - return (0); - } + do_fork(td, fr, newproc, td2, vm2, fp_procdesc); + return (0); +fail0: error = EAGAIN; sx_xunlock(&allproc_lock); #ifdef MAC
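Review bot: In the second hunk (fork1, the block starting at new line 974), the privileged fallback `chgproccnt(cred->cr_ruidinfo, 1, 0);` discards its return value, whereas the removed code stored the result of the same call in `ok` and only reached do_fork() when it was nonzero. If a limit argument of 0 is relied on to make the increment unconditional, state that in a comment next to the call or cast it to `(void)`, and consider asserting the result, so that a later change to chgproccnt() cannot let the fork proceed without the per-uid process count having been charged. The block comment above the code still describes only the increment and the nonprivileged limit; since the XXXRW line is removed, it would help to document there that the limit-enforcing call is tried first and PRIV_PROC_LIMIT is consulted only when that call fails, and that the `goto fail0` path is taken with no count added.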