> Kernel threads have empty /proc/PID/cmdline and some userland tools > including ps(1) and older versions of systemd use this to detect > kernel threads.
Those tools are broken. Systemd is fixed, see https://github.com/systemd/systemd/blob/master/src/basic/process-util.c#L442 Empty /proc/*/cmdline is perfectly fine as long as execve(filename, NULL, NULL) is fine. > However, any userland program can emulate the > behavior by making its argvs unavailable and trick the affected tools > into thinking that the task is a kernel thread. Or it can set ->comm to "[kthreadd] and cmdline to "[kthreadd]".
