DF-0459
user_frac sysctl accepts any uint32 without range validation (documented 0-100)
Summary
user_frac SYSCTL_ADD_UINT(:1116-1117) no handler no range check. Doc says 0-100. Line :1022 kern_load>(100-user_frac) unsigned wraps to ~4G when user_frac>100 disabling burst-reduction path entirely. Root self-DoS. Other sysctls (pollhz,burst_max,each_burst) have proper clamping handlers.