Is my Fedora compromised? Massive Memory Leak

Hi Fedora Community!

I am experiencing a massive memory leak in F31 that forces me to restart the OS every day.

After 1-2 workdays my 12GB RAM + 8GB swap will be gone, closing all apps recovers only a fraction of the memory. Exiting the GNOME session does return most of the memory.

I have read that perhaps the system is compromised, and I should look for strange activity. I can find this strange network activity that I cannot map to any process.

tcp        0      0 127.0.0.1:1026          127.0.0.1:40618         TIME_WAIT  
tcp        0      0 127.0.0.1:1026          127.0.0.1:40626         TIME_WAIT  
tcp        0      0 127.0.0.1:1026          127.0.0.1:40660         TIME_WAIT  
tcp        0      0 127.0.0.1:1026          127.0.0.1:40598         TIME_WAIT  
tcp        0      0 127.0.0.1:1026          127.0.0.1:40684         TIME_WAIT  
tcp        0      0 127.0.0.1:1026          127.0.0.1:40700         TIME_WAIT  
tcp        0      0 127.0.0.1:1026          127.0.0.1:40602         TIME_WAIT  
tcp        0      0 127.0.0.1:1026          127.0.0.1:40590         TIME_WAIT  
tcp        0      0 127.0.0.1:1026          127.0.0.1:40620         TIME_WAIT  
tcp        0      0 127.0.0.1:1026          127.0.0.1:40644         TIME_WAIT  
tcp        0      0 127.0.0.1:1026          127.0.0.1:40584         TIME_WAIT  
tcp        0      0 127.0.0.1:1026          127.0.0.1:40600         TIME_WAIT  
tcp        0      0 127.0.0.1:1026          127.0.0.1:40672         TIME_WAIT  
tcp        0      0 127.0.0.1:1026          127.0.0.1:40670         TIME_WAIT  
...
62 connections in total

Does anybody know what this could be about? Either memory or network activity?

Hello @rvallel, I’m not a network expert, but TIME_WAIT indicates that the service that was using port 1026 on localhost closed the connection and represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request (Wikipedia).
TIME_WAIT is a normal state. Obviously, I think, if there are too many connections in this state, something is not working properly.

It looks like there is a process that always uses port 1026. Maybe the process listening on port 1026 is still active, so we can isolate the issue? What is the result of this command?

sudo ss -napt state listening sport = :1026

2 Likes

Thanks! That pointed to the guilty application: Synology Cloud Drive.
For some reason netstat -p (to see the process) did not show up anything, while your command clearly states the guilty process.
I think the issue might be that we use Cloud Drive over a VPN network and now it is turned off, Synology Cloud Drive might be endlessly

I killed the synchronization daemon, and all those entries are gone from netstat.

I still don’t know if those are responsible for the memory leak, will try to run the system without it for a few days…

Visibility of what is eating the memory is another issue.

2 Likes
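Added example, not part of the thread: a TIME_WAIT socket is held by the kernel and no longer belongs to any process, so its row carries no PID and inode 0; the owner has to be found through the LISTEN socket on the same port, which is what the ss command above does. This sketch performs the same lookup from /proc/net/tcp (IPv4 only). The sample rows, inode 34567 and the function names are constructed for illustration.

```python
import glob
import os
from collections import Counter

TIME_WAIT, LISTEN = "06", "0A"  # socket state codes used in /proc/net/tcp

# Constructed sample in /proc/net/tcp format, modelled on the thread's
# output: one listener on 127.0.0.1:1026 plus three TIME_WAIT remnants.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0402 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0402 0100007F:9EAA 06 00000000:00000000 03:00000A5B 00000000     0        0 0 3 0000000000000000
   2: 0100007F:0402 0100007F:9EB2 06 00000000:00000000 03:00000A5B 00000000     0        0 0 3 0000000000000000
   3: 0100007F:0402 0100007F:9ED4 06 00000000:00000000 03:00000A5B 00000000     0        0 0 3 0000000000000000
"""

def parse(text):
    """Yield (local_port, state, inode) for each socket row, skipping the header."""
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) >= 10:
            yield int(f[1].split(":")[1], 16), f[3], int(f[9])

def time_wait_owners(text):
    """Map each local port with TIME_WAIT rows to (count, listener inode or None)."""
    rows = list(parse(text))
    counts = Counter(port for port, state, _ in rows if state == TIME_WAIT)
    listeners = {port: inode for port, state, inode in rows if state == LISTEN}
    return {port: (n, listeners.get(port)) for port, n in counts.items()}

def pids_for_inode(inode, proc="/proc"):
    """Return PIDs holding socket:[inode]; root is needed to read other users' fds."""
    target = f"socket:[{inode}]"
    pids = set()
    for fd in glob.glob(os.path.join(proc, "[0-9]*", "fd", "*")):
        try:
            if os.readlink(fd) == target:
                pids.add(int(fd.split(os.sep)[-3]))
        except OSError:
            continue  # process exited or permission denied
    return sorted(pids)

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        for port, (n, inode) in time_wait_owners(fh.read()).items():
            owner = pids_for_inode(inode) if inode else "no listener on this port"
            print(f"port {port}: {n} TIME_WAIT, listener pids: {owner}")
```

Run as root on the affected machine; a port with many TIME_WAIT rows and no listener is either the client side of the connections or a service that has already exited.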