How to investigate mysterious processes

Chris Snook csnook at redhat.com
Tue Mar 4 23:33:49 UTC 2008


Dave Burns wrote:
>> On Wed, Feb 20, 2008 at 10:47 PM, Tomasz Torcz <tomek at crocom.com.pl> wrote:
>>> On 20-02-2008, Wed at 10:40 -1000, Dave Burns wrote:
>>>> When I do ps -ef, I see a mysterious process:
>>>>
>>>> ps -ef|grep scsi_eh_5
>>>> root     31004    11  0 09:29 ?        00:00:00 [scsi_eh_5]
>>>>
>>>> How do I figure out what is really running, what rpm its from, etc.?
>>>> What do the brackets [...] indicate?
>>>  "ps" prints brackets when process arguments are not available to read.
> 
> What gets put inside the brackets?
> 
>>> This is typical for kernel threads.
> 
> So [] always means kernel thread, or sometimes? Usually? Kernel thread
> until proven innocent?

Not always.  I can name an executable binary [foo] so the casual 
observer thinks it's a kernel thread, when it's actually a rootkit.  The 
catch is the ppid.  On my box, all my kernel threads have a ppid of 2. 
pid 2 is [kthreadd], which is the parent of all real kthreads.  This 
number could vary between kernels, but the idea is the same, at least on 
newer kernels.

>>> scsi_eh_5 is a kernel thread, a SCSI
>>> Error Handler. It is spawned for each SCSI host in the computer (there
>>> should be an EH thread for each /sys/class/scsi_host/* )
> 
> How did you figure this out? What documentation could I consult to
> find this answer myself?

Kernel source?  I've generally accepted that the price of constant 
innovation is that some things change too rapidly to make documenting 
them outside of the code worthwhile.  Whether or not this example 
qualifies is of course debatable.

As long as they're actually kthreads (ppid is the pid of kthreadd), I 
generally don't worry about them, as long as they're not chewing up a 
lot of CPU.  If they *are* chewing up a lot of CPU, that may mean 
something is wrong, most likely a driver bug in the case of scsi_eh_*.

> The actual answer to the question is less important to me than
> learning how to find the answer.
> Thanks,
> Dave
> 
>>>
>>> --
>>> Tomasz Torcz
>>>
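Two ways to apply the ppid rule from the reply above, as an added example that is not part of the original thread or of any Fedora tooling. The first function reads `ps -eo pid,ppid,cmd` output and flags every bracketed command whose parent is not kthreadd (pid 2 on the poster's box; pass the real pid, since it can differ). The second asks the kernel directly: the flags word in `/proc/PID/stat` carries PF_KTHREAD for genuine kernel threads, and a userspace binary renamed to `[foo]` cannot set it. The `ps` sample below is constructed, and pid 31337 is an invented userspace process with a kernel-thread-looking name.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): two checks for a bracketed process name.
#  1. check_bracketed_names: the ppid rule from the reply, applied to ps output.
#  2. is_kthread_proc: ask the kernel via the PF_KTHREAD flag in /proc/PID/stat.

# Constructed sample in `ps -eo pid,ppid,cmd` layout. 31337 is a made-up
# userspace process named "[scsi_eh_9]" whose parent is pid 1, not kthreadd.
SAMPLE_PS='  PID  PPID CMD
    1     0 /sbin/init
    2     0 [kthreadd]
   11     2 [migration/0]
31004     2 [scsi_eh_5]
31337     1 [scsi_eh_9]
 4242  4200 -bash'

# Read ps lines on stdin; print one SUSPECT line per bracketed command whose
# parent is not kthreadd. $1 = pid of kthreadd (2 on the poster's box).
# Assumes a kernel where all kthreads are children of kthreadd, as the reply says.
check_bracketed_names() {
  awk -v kthreadd="${1:-2}" '
    NR == 1 && $1 == "PID" { next }                 # skip the ps header
    {
      pid = $1; ppid = $2
      cmd = $3; for (i = 4; i <= NF; i++) cmd = cmd " " $i
      # kthreadd itself has ppid 0; every real kthread has ppid == kthreadd
      if (cmd ~ /^\[.*\]$/ && pid != kthreadd && ppid != kthreadd)
        printf "SUSPECT pid=%s ppid=%s cmd=%s\n", pid, ppid, cmd
    }'
}

# Return 0 if /proc says $1 is a kernel thread, 1 if it is a userspace
# process, 2 if /proc/$1/stat cannot be read (no /proc mounted, pid gone).
PF_KTHREAD=2097152   # 0x00200000, PF_KTHREAD in include/linux/sched.h
is_kthread_proc() {
  { read -r kt_statline < "/proc/$1/stat"; } 2>/dev/null || return 2
  # comm (field 2) may contain spaces; drop everything up to the last ')'
  kt_rest=${kt_statline##*) }
  # after comm: state ppid pgrp session tty_nr tpgid flags ... -> flags is 7th
  kt_flags=$(echo "$kt_rest" | awk '{ print $7 }')
  [ -n "$kt_flags" ] || return 2
  if [ $(( kt_flags & PF_KTHREAD )) -ne 0 ]; then return 0; else return 1; fi
}

# Demo on the constructed sample. On a live box, feed real data instead:
#   ps -eo pid,ppid,cmd | check_bracketed_names "$(pgrep -x kthreadd)"
#   is_kthread_proc 31004 && echo "31004 is a real kthread"
printf '%s\n' "$SAMPLE_PS" | check_bracketed_names 2
```

The ppid test is cheap and works from any `ps` listing you already have, but it depends on knowing kthreadd's pid and on a kernel new enough to parent kthreads under it. The PF_KTHREAD check needs a live `/proc` but does not depend on either, so when the two disagree, trust `/proc`.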