sudo - Unable to kill process with 'kill -9' whose PPID=1 and using 100% of CPU?

24
2014-04
  • M. Tibbits

    Direct Question: Flash under firefox 4.0, npviewer.bin, in KUbuntu 10.04 was running at 100% and I couldn't kill it. I tried:

    sudo kill -9 12996
    sudo kill -15 12996
    

    I logged in as root and ran both commands. The PPID was listed as 1. (Can't kill init without rebooting). I, as root, issued a reboot command and also a shutdown now. I went through the list of running processes and manually killed every single process most became <defunct>. The system has a RAID 5 without a battery backup -- so I don't like yanking the cord out of the UPS, but this is what I ended up having to do.

    Is there something else I should've tried? Some other command to run? It was using 100% of the CPU, and I need to finish my dissertation, so I just forcibly turned off the computer, but if it happens again, I'd like to be prepared. Note: I also renice'd the process to 19 and it 'took' -- i.e. it responded that the process was now at nice 19 and was at nice 0. However, it was still using 100% of the cpu.

    Background: A friend was using the computer, so I haven't yet cycled through the history to see if there was anything malicious, but it crashed when he started firefox and it returned to ESPN's fantasy baseball website -- not a place I would expect flash malware to grow... Any thoughts?

  • Answers
  • user1974

    You could try the SysRq method: http://en.wikipedia.org/wiki/Magic_SysRq_key#.22Raising_Elephants.22_mnemonic_device

    You want to run them in a certain order as described in the wiki article: R E I S U B


  • Related Question

    Is there any way to kill a zombie process without reboot?
  • Pedram

    Is there any way to kill a zombie process without reboot?Here is how it happens:

    I wanted to download a 12GB torrent.After adding the .torrent file, transmission turned into a zombie process.I tried ktorrent too.Same behavior.Finally I could download the file using µTorrent but after closing the program, it turns into a zombie as well.

    I tried using kill, skill and pkill with different options and -9 signal but no success.

    In some answers in web I found out killing the parent can kill the zombie, but killing wine didn't help either.

    Is there another way?

    Edit:

    ps -o pid,ppid,stat,comm

    PID  PPID STAT COMMAND
    7121  2692 Ss   bash
    7317  7121 R+   ps
    

    pstree output:

    init─┬─GoogleTalkPlugi───4*[{GoogleTalkPlug}]
     ├─NetworkManager─┬─dhclient
     │                └─{NetworkManager}
     ├─acpid
     ├─amarok───19*[{amarok}]
     ├─apache2───5*[apache2]
     ├─atd
     ├─avahi-daemon───avahi-daemon
     ├─bonobo-activati───{bonobo-activat}
     ├─clock-applet
     ├─console-kit-dae───63*[{console-kit-da}]
     ├─cron
     ├─cupsd
     ├─2*[dbus-daemon]
     ├─2*[dbus-launch]
     ├─desktopcouch-se───desktopcouch-se
     ├─firefox───run-mozilla.sh───firefox-bin─┬─plugin-containe───8*[{plugin-contain}]
     │                                        └─14*[{firefox-bin}]
     ├─gconfd-2
     ├─gdm-binary─┬─gdm-simple-slav─┬─Xorg
     │            │                 ├─gdm-session-wor─┬─gnome-session─┬─bluetooth-apple
     │            │                 │                 │               ├─compiz───sh───gtk-window-deco
     │            │                 │                 │               ├─fusion-icon
     │            │                 │                 │               ├─gdu-notificatio
     │            │                 │                 │               ├─gnome-panel───{gnome-panel}
     │            │                 │                 │               ├─gnome-power-man
     │            │                 │                 │               ├─gpg-agent
     │            │                 │                 │               ├─gwibber-service
     │            │                 │                 │               ├─nautilus
     │            │                 │                 │               ├─nm-applet
     │            │                 │                 │               ├─polkit-gnome-au
     │            │                 │                 │               ├─2*[python]
     │            │                 │                 │               ├─qstardict───{qstardict}
     │            │                 │                 │               ├─ssh-agent
     │            │                 │                 │               ├─tracker-applet
     │            │                 │                 │               ├─trackerd
     │            │                 │                 │               ├─wakoopa─┬─wakoopa
     │            │                 │                 │               │         └─3*[{wakoopa}]
     │            │                 │                 │               └─{gnome-session}
     │            │                 │                 └─{gdm-session-wo}
     │            │                 └─{gdm-simple-sla}
     │            └─{gdm-binary}
     ├─6*[getty]
     ├─gnome-keyring-d───2*[{gnome-keyring-}]
     ├─gnome-screensav
     ├─gnome-settings-
     ├─gnome-system-mo
     ├─gnome-terminal─┬─bash───ssh
     │                ├─bash───pstree
     │                ├─gnome-pty-helpe
     │                └─{gnome-terminal}
     ├─gvfs-afc-volume───{gvfs-afc-volum}
     ├─gvfs-fuse-daemo───3*[{gvfs-fuse-daem}]
     ├─gvfs-gdu-volume
     ├─gvfsd
     ├─gvfsd-burn
     ├─gvfsd-computer
     ├─gvfsd-metadata
     ├─gvfsd-trash
     ├─hald─┬─hald-runner─┬─hald-addon-acpi
     │      │             ├─hald-addon-cpuf
     │      │             ├─hald-addon-inpu
     │      │             └─hald-addon-stor
     │      └─{hald}
     ├─indicator-apple
     ├─indicator-me-se
     ├─indicator-sessi
     ├─irqbalance
     ├─kded4
     ├─kdeinit4─┬─kio_http_cache_
     │          └─klauncher
     ├─kglobalaccel
     ├─modem-manager
     ├─multiload-apple
     ├─mysqld───10*[{mysqld}]
     ├─named───10*[{named}]
     ├─nmbd
     ├─notification-ar
     ├─notify-osd
     ├─polkitd
     ├─pulseaudio─┬─gconf-helper
     │            └─2*[{pulseaudio}]
     ├─rsyslogd───2*[{rsyslogd}]
     ├─rtkit-daemon───2*[{rtkit-daemon}]
     ├─smbd───smbd
     ├─snmpd
     ├─sshd
     ├─timidity
     ├─trashapplet
     ├─udevd───2*[udevd]
     ├─udisks-daemon─┬─udisks-daemon
     │               └─{udisks-daemon}
     ├─upowerd
     ├─upstart-udev-br
     ├─utorrent.exe───{utorrent.exe}
     ├─vnstatd
     ├─winbindd───2*[winbindd]
     ├─wnck-applet
     ├─wpa_supplicant
     └─xinetd
    

    System monitor and top screenshots which show the zombie process is using resources:

    enter image description here

    enter image description here

    Edit 2: I think I found something.I tried to logout and saw this message:

    enter image description here

    Since other torrent clients have th same issue maybe it's something about file size.I'm using ubuntu 10.04 on ext4 partitions.Killing nautilus and sending SIGCHLD signal to it didn't work.


  • Related Answers
  • Manish Sinha

    I don't thing zombie process is much of a headache. A zombie process does not take up any resources. It is just that it has it's entry in the process table.

    A Zombie process is not an orphan process, it does have a parent.

    kill, skill pkill will not work since the process is already killed, just that it's entry has not been removed.

    Zombie process can be killed by sending SIGCHLD signal to parent. I think the signal number of SIGCHLD is 17 or 18

    If this also fails, then you might want to kill the parent itself.

    From Wikipedia on SIGCHLD signal:

    When a child process terminates before the parent has called wait, the kernel retains some information about the process to enable its parent to call wait later. Because the child is still consuming system resources but not executing it is known as a zombie process.


    EDIT 1: The system resources consumed is mostly the process table entry. If anyone knows if it consumes more than that - memory or CPU cycle, then please add an explanation. AFAIK it hardly takes up any significant system resources.


    EDIT 2: Quoting from Wikipedia

    On Unix and Unix-like computer operating systems, a zombie process or defunct process is a process that has completed execution but still has an entry in the process table. This entry is still needed to allow the process that started the (now zombie) process to read its exit status.

    So the entry is kept so that the parent process can know the exit status because the moment the child exits, the parent is probably not in a state or not ready to read it's exit status.


    EDIT 3

    Till date I never experienced a zombie process taking 100% of the CPU. Seeing this for the first time.

    Try doing a killall utorrent.exe

    I can see that there are two instances of utorrent.exe and one of them is zombie. Probably the second one (child). killall should kill the parent since the child(zombie) cannot be killed.


    EDIT 4

    Looks like the killall did not work since it was giving TERM signal instead of KILL.

    Try out killall --signal=KILL utorrent.exe

    If this does not work then try killing the process selectivly.

    Get the list of utorrent.exe process PID

    ps -e | grep -i utorrent

    You should get two process like

    xxxx ?        aa:bb:cc utorrent.exe defunct
    yyyy ?        aa:bb:cc utorrent.exe
    

    So the second one is the parent. Kill it using

    kill -9 yyyy

    EDIT 5

    Please try finding the process's Parent Id by this bash command

    cat /proc/{defunctpid}/status | grep -i ppid

    in your case is

    cat /proc/7298/status | grep -i ppid

    If the output comes like

    PPid: 1

    Then sadly I think you are out of luck. Process Id 1 belongs to init without which your system cannot run

  • Simon Richter

    Using kill on the process itself is indeed ineffective, as the process is already dead; kill brings a live process to zombie state.

    The parent process is responsible for picking up the exit code of the process; the process remains a zombie until this is done. The init process will pick up the exit code of any process and throw it away, so it is the "last-resort" parent that will clean up any zombie that is a direct descendant.

    Killing the parent of the zombie process is usually effective because the zombie process then reverts to init as its parent as soon as the parent process is gone (i.e. killing the parent has turned that process into a zombie, and the grandparent has read the parent's exit code, so the parent is truly gone). A zombie can be parent to a zombie, so merely killing the parent is not sufficient, it also needs to be collected by another process itself.

    Note that processes are never responsible for cleaning up their grandchildren -- they always revert to process 1 as parent (which is why daemon authors sometimes use a double fork() and terminate the process in the middle to fully disassociate the child process from the invoking shell)

    The reason why killing wine probably isn't effective is because it wasn't really the parent of the zombie process; rather, the "utorrent.exe" that is a direct descendant of init is. This process however is still running normally, just neglecting its duties.

  • d4m1r

    Much easier way than killall, -9, etc:

    1)Use qBitorrent instead instead of the console uTorrent (I'm waiting for a GUI version as well and qBitorrent is essentially it).

    2)If you are using 11.04 or above, hit alt+f2 (opens a special commands window), type xkill and your mouse is now an x. Click on the program you want to close (UI = process ID) and it will kill it for you.

    Advanced tip: bind a keyboard shortcut for "xkill" like I have on my G15 macro keyboard.

  • Luis Alvarado

    In my case when wine hangs and i can not kill the Zombie child with a shotgun i would do:

    wineserver -k then i would kill the "Son of the Process" killall -9 Oblivion.exe (For example)

    For what i understand wineserver sends a signal to all its Zombie Childs that they are all going to die (Because of the shotgun you know) but sometimes a child thinks by itself and wants to take the world by storm. So i do the additional killall -9 or the kill -9 with the id of the process.

  • Seasoned Advice (cooking)

    My guess is that you're using an SSD.

    When adding large torrents to a torrent client, the "placeholder" files of the torrent you are downloading are actually created on disk, but are empty until gradually filled during the download process.

    With a normal hard disk, the disk is the bottleneck, and you won't notice a performance issue with the rest of your desktop.

    When using an SSD however, the CPU is the bottleneck, and the application appears to have crashed (goes gray). If you leave it for a while, it will recover and all will be well. This has been my experience since switching to an SSD.

    With regard to killing processes, others have provided better advice than I can - using the KILL signal usually works, but I have had the odd one that required a restart over the years.