???UNSURE??? Re: Unwanted activation of root-processes getting highly activated

From: secret
Date: Thu Oct 28 2021 - 03:42:54 EST


10.27.2021
Hello, today we (Gooken) managed to prevent the highly active
kernel-processes from above after a look into the home-directory of tor
(/home/surfuser).
There the size of a file increases all the time during the activation of tor
surrounded by firejail (that causes the high activity of the
kernel-processes), it is named:

cached-microdesc-consensus

and its size was incredibly high (much over 100 MB)!

It prevents Tor from building up any connection, so I had to wait up to 20
minutes.

Deleting it did not help: this file occurred and enlarged its size again.

So we set integrity on it (this file) by "chattr +i". Now the problem
described next indeed got solved, Tor immediately builds up connections,
kernel-processes activity lowered to the current percentage far below 10
percent and the tower-LED for readwrites stopped blinking,
but nevertheless this is not really a good solution,
tor or firejail and kernel (here 5.4) of course still have to get patched! (!!!)
The listed processes becoming highly active themselves got started by kthreadd.

Hi,
Firejail must have caused the high activity.
Whenever I stop it (process firejail), they lower to origin.
Regards

On 10/9/21 7:15 AM, Theodore Ts'o wrote:
On Fri, Oct 08, 2021 at 05:04:55PM +0000, secret wrote:
Date: 08.10.2021

Subject: Unwanted activation of root-processes reading and writing out
the whole SSD/harddrive ! / Kernel-5.4.134 (pclos, AppArmor / Tor (OpenSuSE)
etc.: disclosure of information, execution of code with higher privileges
and of arbitrary commands in Linux, creation, reading and overwriting of
arbitrary files

Hi, Greg, dear Linux experts and friends,

this is one of the most dangerous and worst things that can happen to Linux!
Referring to the actual kernel 5.4.134 (now up to the actual version 5.4.151
and higher, additional remark from 10.08.2021), there still is a problem with
unexpectedly activated, highly active root-processes (making the tower-LED
causing readwrites onto harddiscs and making the SSD/harddrive blink
serious-madly hard for about up to 20 minutes). The whole SSD/harddrive
seems to get read out and overwritten!

The unwanted, highly by tor (pclos, mga7) resp. firejail activated
kernel-root-processes are named

kworker/u2:1-kcryptd/253:2 (especially this one, CPU: > 10%)
kworker/0:1H-kblockd
dmcrypt_write/2 and
jbd2/dm2--8

Activity by these kernel threads indicates that some userspace program
running on your system is reading (and in the case of the
dmcrypt_write and jbd2 kernel threads, writing) data to your hard
drive. They are a symptom, not the cause of whatever is causing the
large amount of activity on your SSD/hard drive.

It is not something that can be "patched" in the kernel. It is an
indication that some program (or possibly malware) running on your
system is doing a lot of file I/O.

It is possible that as a result of some web site that you visited, it
is causing the web browser ("firejail", which sounds like the firefox
browser running some kind of security sandbox) to do a lot of I/O. So
the first thing you might try is to exit the web browser and see if that
causes the I/O to abate. If it does, and if it starts up again when
you start the web browser and the web browser is not open on any web
pages, then you might have some misbehaving browser extension that
somehow got installed, and you might want to try clearing your browser
profile and uninstalling all of your browser extensions.

If exiting the browser does not cause the SSD/HDD activity to stop
within half a minute or so, then some other userspace program must be
causing it. It is possible that this might be some background system
indexing (for example, rebuilding the locatedb), although normally if
you've left the system up at night, this sort of activity is done when
the system is idle typically in the wee hours of the morning.

But it is also possible that you have some kind of malware installed
on your system, in which case the only good solution is to reinstall
it. In any case, this is not something that kernel developers can
help you with. Perhaps if there is a local Linux User's Group that
you can contact for more assistance, they can help you. If not,
you'll need to find someone who can help you with Linux system
administration.

Cheers,
- Ted

Hi,
Did you try any of what Ted suggested?
and what happened when you did that?

--
~Randy
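
Added example, not part of the original thread or written by any of its participants: one way to attribute the disk activity that surfaces as kcryptd/jbd2 kernel-thread load to the userspace process behind it, by sampling the per-process counters in /proc/<pid>/io twice and ranking the difference. It assumes a kernel built with task I/O accounting; the sample text and the 10-second window are constructed.

```python
import os
import time

# Constructed sample of /proc/<pid>/io contents (values are made up).
SAMPLE_IO = """rchar: 4096
wchar: 150000000
syscr: 12
syscw: 36000
read_bytes: 8192
write_bytes: 149946368
cancelled_write_bytes: 0
"""

def parse_io(text):
    """Parse /proc/<pid>/io text into {counter_name: int}."""
    counters = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep and val.strip().isdigit():
            counters[key.strip()] = int(val)
    return counters

def snapshot(proc="/proc"):
    """Return {pid: (comm, counters)}; run as root to see other users' processes."""
    snap = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"{proc}/{pid}/io") as f:
                snap[int(pid)] = (comm, parse_io(f.read()))
        except OSError:  # process exited, or no permission to read its io file
            continue
    return snap

def rank(before, after):
    """Sort processes by storage bytes read + written between two snapshots."""
    rows = []
    for pid, (comm, now) in after.items():
        prev = before.get(pid, (comm, {}))[1]  # new process: baseline of zero
        rd = max(0, now.get("read_bytes", 0) - prev.get("read_bytes", 0))
        wr = max(0, now.get("write_bytes", 0) - prev.get("write_bytes", 0))
        if rd or wr:
            rows.append((rd + wr, pid, comm, rd, wr))
    return sorted(rows, reverse=True)

if __name__ == "__main__":
    first = snapshot()
    time.sleep(10)  # sampling window in seconds
    for total, pid, comm, rd, wr in rank(first, snapshot())[:10]:
        print(f"{pid:>7} {comm:<16} read={rd:>12} write={wr:>12}")
```

The write_bytes counter is charged to the task that dirtied the pages, so a userspace writer shows up under its own name even when the visible CPU load is in the kernel threads.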