Hello development folks,
upcoming Core Update 140/141 (testing, see: https://blog.ipfire.org/post/ipfire-2-25-core-update-141-is-available-for-te...) has been running here for about 24 hours now without any unexpected behaviour so far.
Due to some connectivity issues, updating Add-Ons after installing Core Update 141 required manual interaction, but this should not be a problem for people in general.
I noticed these log entries during the upgrade procedure (and am not sure what they mean and/or if we should worry about them):
Feb 8 15:56:58 maverick kernel: <27>udevd[536]: specified group 'input' unknown
Feb 8 15:56:58 maverick kernel: <27>udevd[536]: specified group 'render' unknown
Feb 8 15:56:58 maverick kernel: <27>udevd[536]: specified group 'kvm' unknown
Updating Suricata seemed to delay the kernel messages we observed for a while by about two hours, but eventually, this kind of thing continues to happen:
Feb 8 17:20:23 maverick kernel: refcount_t: increment on 0; use-after-free.
Feb 8 17:20:23 maverick kernel: ------------[ cut here ]------------
Feb 8 17:20:23 maverick kernel: WARNING: CPU: 0 PID: 16125 at lib/refcount.c:153 refcount_inc.cold.12+0x13/0x16
Feb 8 17:20:23 maverick kernel: Modules linked in: chacha20_x86_64 chacha20_generic poly1305_x86_64 poly1305_generic chacha20poly1305 esp4 xfrm6_mode_tunnel xfrm4_mode_tunnel tun xt_owner xt_connmark act_mirred act_connmark cls_u32 ifb sch_ingress xt_layer7 xt_length cls_fw sch_htb nfnetlink_queue xt_NFQUEUE ipt_MASQUERADE nf_nat_masquerade_ipv4 pppoe pppox ppp_generic slhc 8021q garp cpufreq_conservative cpufreq_ondemand xt_geoip(O) xt_connlimit xt_multiport xt_hashlimit xt_mark xt_policy xt_TCPMSS nf_nat_irc nf_conntrack_irc nf_nat_tftp nf_conntrack_tftp xt_CT xt_helper nf_nat_ftp nf_conntrack_ftp xt_conntrack xt_comment ipt_REJECT nf_reject_ipv4 nf_log_ipv4 nf_log_common xt_LOG xt_limit iptable_raw iptable_mangle iptable_filter vfat fat sch_fq_codel snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic intel_powerclamp
Feb 8 17:20:23 maverick kernel: coretemp i2c_algo_bit fb_sys_fops syscopyarea sysfillrect kvm_intel sysimgblt snd_hda_intel snd_hda_codec iTCO_wdt kvm iTCO_vendor_support snd_hda_core snd_hwdep snd_pcm irqbypass crct10dif_pclmul crc32_pclmul snd_timer mcs7830 lpc_ich pcspkr snd i2c_i801 r8169 mfd_core ghash_clmulni_intel usbnet mii soundcore i2c_hid rfkill_gpio i2c_core rfkill pcc_cpufreq intel_int0002_vgpio lp parport_pc parport video
Feb 8 17:20:23 maverick kernel: CPU: 0 PID: 16125 Comm: W-Q0 Tainted: G O 4.14.154-ipfire #1
Feb 8 17:20:23 maverick kernel: Hardware name: Gigabyte Technology Co., Ltd. Default string/N3150ND3V, BIOS F5a 01/19/2018
Feb 8 17:20:23 maverick kernel: task: ffff9f73b92c4b00 task.stack: ffffa5cdc0508000
Feb 8 17:20:23 maverick kernel: RIP: 0010:refcount_inc.cold.12+0x13/0x16
Feb 8 17:20:23 maverick kernel: RSP: 0018:ffffa5cdc050b798 EFLAGS: 00010246
Feb 8 17:20:23 maverick kernel: RAX: 000000000000002b RBX: ffff9f73b9f08b00 RCX: 0000000000000000
Feb 8 17:20:23 maverick kernel: RDX: 0000000000000000 RSI: ffff9f73bfc163f8 RDI: ffff9f73bfc163f8
Feb 8 17:20:23 maverick kernel: RBP: ffffffffad29f250 R08: 000000000000003c R09: 000000000000040c
Feb 8 17:20:23 maverick kernel: R10: 0000000000000000 R11: 0000000000000001 R12: ffff9f73b7fa1500
Feb 8 17:20:23 maverick kernel: R13: ffffffffad8c3c80 R14: ffffffffc061a3e0 R15: 0000000000008003
Feb 8 17:20:23 maverick kernel: FS: 0000720182012700(0000) GS:ffff9f73bfc00000(0000) knlGS:0000000000000000
Feb 8 17:20:23 maverick kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Feb 8 17:20:23 maverick kernel: CR2: 000073681f301180 CR3: 0000000179c3c000 CR4: 00000000001006f0
Feb 8 17:20:23 maverick kernel: Call Trace:
Feb 8 17:20:23 maverick kernel: nf_queue_entry_get_refs+0x41/0x90
Feb 8 17:20:23 maverick kernel: nf_queue+0xef/0x1e0
Feb 8 17:20:23 maverick kernel: nf_hook_slow+0x69/0xc0
Feb 8 17:20:23 maverick kernel: __ip_local_out+0xe4/0x150
Feb 8 17:20:23 maverick kernel: ? ip_forward_options.cold.7+0x27/0x27
Feb 8 17:20:23 maverick kernel: xfrm_output_resume+0x21e/0x540
Feb 8 17:20:23 maverick kernel: ? ipv4_confirm+0x3f/0xd0
Feb 8 17:20:23 maverick kernel: xfrm4_output+0x3a/0xe0
Feb 8 17:20:23 maverick kernel: ? xfrm4_udp_encap_rcv+0x1a0/0x1a0
Feb 8 17:20:23 maverick kernel: nf_reinject+0x153/0x190
Feb 8 17:20:23 maverick kernel: nfqnl_recv_verdict+0x293/0x4a0 [nfnetlink_queue]
Feb 8 17:20:23 maverick kernel: ? nla_parse+0xb5/0xe0
Feb 8 17:20:23 maverick kernel: nfnetlink_rcv_msg+0x14e/0x260
Feb 8 17:20:23 maverick kernel: ? nfnetlink_net_exit_batch+0x60/0x60
Feb 8 17:20:23 maverick kernel: netlink_rcv_skb+0x78/0x150
Feb 8 17:20:23 maverick kernel: nfnetlink_rcv+0x70/0x760
Feb 8 17:20:23 maverick kernel: ? __slab_free+0x138/0x2d0
Feb 8 17:20:23 maverick kernel: ? __netlink_lookup+0xe1/0x140
Feb 8 17:20:23 maverick kernel: netlink_unicast+0x183/0x230
Feb 8 17:20:23 maverick kernel: netlink_sendmsg+0x204/0x3d0
Feb 8 17:20:23 maverick kernel: sock_sendmsg+0x36/0x40
Feb 8 17:20:23 maverick kernel: ___sys_sendmsg+0x2a7/0x300
Feb 8 17:20:23 maverick kernel: ? netlink_recvmsg+0x398/0x460
Feb 8 17:20:23 maverick kernel: __sys_sendmsg+0x67/0xb0
Feb 8 17:20:23 maverick kernel: do_syscall_64+0x67/0x100
Feb 8 17:20:23 maverick kernel: entry_SYSCALL_64_after_hwframe+0x3d/0xa2
Feb 8 17:20:23 maverick kernel: RIP: 0033:0x720183fc25fd
Feb 8 17:20:23 maverick kernel: RSP: 002b:000072018200ff90 EFLAGS: 00000293 ORIG_RAX: 000000000000002e
Feb 8 17:20:23 maverick kernel: RAX: ffffffffffffffda RBX: 0000720182010060 RCX: 0000720183fc25fd
Feb 8 17:20:23 maverick kernel: RDX: 0000000000000000 RSI: 000072018200ffd0 RDI: 0000000000000005
Feb 8 17:20:23 maverick kernel: RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000301
Feb 8 17:20:23 maverick kernel: R10: 0000000000000001 R11: 0000000000000293 R12: 0000000000000000
Feb 8 17:20:23 maverick kernel: R13: 000072017c26cd98 R14: 0000000000000070 R15: 0000000000000001
Feb 8 17:20:23 maverick kernel: Code: c0 9c a7 ad c6 05 ee be d8 00 01 e8 d7 de d7 ff 0f 0b b8 01 00 00 00 c3 48 c7 c7 18 9d a7 ad c6 05 d2 be d8 00 01 e8 bc de d7 ff <0f> 0b c3 48 c7 c7 48 9d a7 ad c6 05 bb be d8 00 01 e8 a6 de d7
Feb 8 17:20:23 maverick kernel: ---[ end trace 3b943d85354038f6 ]---
Feb 8 17:20:23 maverick kernel: refcount_t: underflow; use-after-free.
Feb 8 17:20:23 maverick kernel: ------------[ cut here ]------------
Feb 8 17:20:23 maverick kernel: WARNING: CPU: 0 PID: 16125 at lib/refcount.c:187 refcount_sub_and_test.cold.13+0x13/0x1a
Feb 8 17:20:23 maverick kernel: Modules linked in: chacha20_x86_64 chacha20_generic poly1305_x86_64 poly1305_generic chacha20poly1305 esp4 xfrm6_mode_tunnel xfrm4_mode_tunnel tun xt_owner xt_connmark act_mirred act_connmark cls_u32 ifb sch_ingress xt_layer7 xt_length cls_fw sch_htb nfnetlink_queue xt_NFQUEUE ipt_MASQUERADE nf_nat_masquerade_ipv4 pppoe pppox ppp_generic slhc 8021q garp cpufreq_conservative cpufreq_ondemand xt_geoip(O) xt_connlimit xt_multiport xt_hashlimit xt_mark xt_policy xt_TCPMSS nf_nat_irc nf_conntrack_irc nf_nat_tftp nf_conntrack_tftp xt_CT xt_helper nf_nat_ftp nf_conntrack_ftp xt_conntrack xt_comment ipt_REJECT nf_reject_ipv4 nf_log_ipv4 nf_log_common xt_LOG xt_limit iptable_raw iptable_mangle iptable_filter vfat fat sch_fq_codel snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic intel_powerclamp
Feb 8 17:20:23 maverick kernel: coretemp i2c_algo_bit fb_sys_fops syscopyarea sysfillrect kvm_intel sysimgblt snd_hda_intel snd_hda_codec iTCO_wdt kvm iTCO_vendor_support snd_hda_core snd_hwdep snd_pcm irqbypass crct10dif_pclmul crc32_pclmul snd_timer mcs7830 lpc_ich pcspkr snd i2c_i801 r8169 mfd_core ghash_clmulni_intel usbnet mii soundcore i2c_hid rfkill_gpio i2c_core rfkill pcc_cpufreq intel_int0002_vgpio lp parport_pc parport video
Feb 8 17:20:23 maverick kernel: CPU: 0 PID: 16125 Comm: W-Q0 Tainted: G W O 4.14.154-ipfire #1
Feb 8 17:20:23 maverick kernel: Hardware name: Gigabyte Technology Co., Ltd. Default string/N3150ND3V, BIOS F5a 01/19/2018
Feb 8 17:20:23 maverick kernel: task: ffff9f73b92c4b00 task.stack: ffffa5cdc0508000
Feb 8 17:20:23 maverick kernel: RIP: 0010:refcount_sub_and_test.cold.13+0x13/0x1a
Feb 8 17:20:23 maverick kernel: RSP: 0018:ffffa5cdc050b928 EFLAGS: 00010246
Feb 8 17:20:23 maverick kernel: RAX: 0000000000000026 RBX: 0000000000000000 RCX: 0000000000000006
Feb 8 17:20:23 maverick kernel: RDX: 0000000000000000 RSI: 0000000000000082 RDI: ffff9f73bfc163f0
Feb 8 17:20:23 maverick kernel: RBP: ffff9f738c4d4800 R08: 0000000000000038 R09: 0000000000000442
Feb 8 17:20:23 maverick kernel: R10: 0000000000000000 R11: 0000000000000001 R12: ffff9f73b8b9dc80
Feb 8 17:20:23 maverick kernel: R13: ffff9f73b961c800 R14: ffff9f73babec6c0 R15: 0000000000000000
Feb 8 17:20:23 maverick kernel: FS: 0000720182012700(0000) GS:ffff9f73bfc00000(0000) knlGS:0000000000000000
Feb 8 17:20:23 maverick kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Feb 8 17:20:23 maverick kernel: CR2: 000073681f301180 CR3: 0000000179c3c000 CR4: 00000000001006f0
Feb 8 17:20:23 maverick kernel: Call Trace:
Feb 8 17:20:23 maverick kernel: nf_queue_entry_release_refs+0x45/0xa0
Feb 8 17:20:23 maverick kernel: nf_reinject+0x3d/0x190
Feb 8 17:20:23 maverick kernel: nfqnl_recv_verdict+0x293/0x4a0 [nfnetlink_queue]
Feb 8 17:20:23 maverick kernel: ? nla_parse+0xb5/0xe0
Feb 8 17:20:23 maverick kernel: nfnetlink_rcv_msg+0x14e/0x260
Feb 8 17:20:23 maverick kernel: ? nfnetlink_net_exit_batch+0x60/0x60
Feb 8 17:20:23 maverick kernel: netlink_rcv_skb+0x78/0x150
Feb 8 17:20:23 maverick kernel: nfnetlink_rcv+0x70/0x760
Feb 8 17:20:23 maverick kernel: ? __slab_free+0x138/0x2d0
Feb 8 17:20:23 maverick kernel: ? __netlink_lookup+0xe1/0x140
Feb 8 17:20:23 maverick kernel: netlink_unicast+0x183/0x230
Feb 8 17:20:23 maverick kernel: netlink_sendmsg+0x204/0x3d0
Feb 8 17:20:23 maverick kernel: sock_sendmsg+0x36/0x40
Feb 8 17:20:23 maverick kernel: ___sys_sendmsg+0x2a7/0x300
Feb 8 17:20:23 maverick kernel: ? netlink_recvmsg+0x398/0x460
Feb 8 17:20:23 maverick kernel: __sys_sendmsg+0x67/0xb0
Feb 8 17:20:23 maverick kernel: do_syscall_64+0x67/0x100
Feb 8 17:20:23 maverick kernel: entry_SYSCALL_64_after_hwframe+0x3d/0xa2
Feb 8 17:20:23 maverick kernel: RIP: 0033:0x720183fc25fd
Feb 8 17:20:23 maverick kernel: RSP: 002b:000072018200ff90 EFLAGS: 00000293 ORIG_RAX: 000000000000002e
Feb 8 17:20:23 maverick kernel: RAX: ffffffffffffffda RBX: 0000720182010060 RCX: 0000720183fc25fd
Feb 8 17:20:23 maverick kernel: RDX: 0000000000000000 RSI: 000072018200ffd0 RDI: 0000000000000005
Feb 8 17:20:23 maverick kernel: RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000301
Feb 8 17:20:23 maverick kernel: R10: 000072017c26cdf4 R11: 0000000000000293 R12: 0000000000000000
Feb 8 17:20:23 maverick kernel: R13: 000072017c26cd98 R14: 0000000065000070 R15: 0000000000000001
Feb 8 17:20:23 maverick kernel: Code: 00 c3 48 c7 c7 18 9d a7 ad c6 05 d2 be d8 00 01 e8 bc de d7 ff 0f 0b c3 48 c7 c7 48 9d a7 ad c6 05 bb be d8 00 01 e8 a6 de d7 ff <0f> 0b e9 86 fe ff ff 48 c7 c7 70 9d a7 ad c6 05 a0 be d8 00 01
Feb 8 17:20:23 maverick kernel: ---[ end trace 3b943d85354038f7 ]---
The machine boots up a little bit faster, as pledged by the release note (I love it when a plan comes together... ;-) ) and seems to be under less but not significantly lower IRQ load during operation. Newly introduced DNS CGI works fine with and without DNS over TLS - let's hope the Unbound development team will improve response times on the first mode soon.
Tested IPFire functionalities in detail:
- IPsec (N2N connections only)
- Squid (authentication enabled, using an upstream proxy)
- OpenVPN (RW connections only)
- IPS/Suricata (with Emerging Threats ruleset enabled)
- Quality of Service
- DNS (with and without DNS over TLS)
I look forward to the release of Core Update 140/141.
Thanks, and best regards,
Peter Müller
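Added example, not part of the original messages and not IPFire code: a small triage parser for kernel WARNING blocks in the syslog layout quoted above, pulling out the refcount_t reason, the source location and the reliable call-trace frames so recurring warnings can be grouped. The names SAMPLE and parse_warnings are hypothetical, and the sample is a shortened excerpt of the log lines in the report.

```python
import re

# Excerpt of the log lines from the report above, shortened for the example.
SAMPLE = """\
Feb 8 17:20:23 maverick kernel: refcount_t: increment on 0; use-after-free.
Feb 8 17:20:23 maverick kernel: ------------[ cut here ]------------
Feb 8 17:20:23 maverick kernel: WARNING: CPU: 0 PID: 16125 at lib/refcount.c:153 refcount_inc.cold.12+0x13/0x16
Feb 8 17:20:23 maverick kernel: Call Trace:
Feb 8 17:20:23 maverick kernel: nf_queue_entry_get_refs+0x41/0x90
Feb 8 17:20:23 maverick kernel: ? ip_forward_options.cold.7+0x27/0x27
Feb 8 17:20:23 maverick kernel: RIP: 0033:0x720183fc25fd
Feb 8 17:20:23 maverick kernel: ---[ end trace 3b943d85354038f6 ]---
Feb 8 17:20:23 maverick kernel: refcount_t: underflow; use-after-free.
Feb 8 17:20:23 maverick kernel: ------------[ cut here ]------------
Feb 8 17:20:23 maverick kernel: WARNING: CPU: 0 PID: 16125 at lib/refcount.c:187 refcount_sub_and_test.cold.13+0x13/0x1a
Feb 8 17:20:23 maverick kernel: Call Trace:
Feb 8 17:20:23 maverick kernel: nf_queue_entry_release_refs+0x45/0xa0
Feb 8 17:20:23 maverick kernel: ---[ end trace 3b943d85354038f7 ]---
"""
KMSG = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ kernel: (.*)$")
WARN = re.compile(r"^WARNING: CPU: \d+ PID: \d+ at (\S+) ")
FRAME = re.compile(r"^(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")

def parse_warnings(text):
    """Return one dict per kernel WARNING block ('cut here' .. 'end trace')."""
    found, cur, reason, in_trace = [], None, None, False
    for line in text.splitlines():
        m = KMSG.match(line)
        msg = m.group(1).strip() if m else ""
        if msg.startswith("refcount_t:"):
            reason = msg                      # printed just before the block opens
        elif "[ cut here ]" in msg:
            cur, in_trace = {"reason": reason, "where": None, "frames": []}, False
        elif cur is None:
            continue                          # ordinary kernel line outside a block
        elif msg.startswith("---[ end trace"):
            found.append(cur)
            cur, reason = None, None
        elif (w := WARN.match(msg)):
            cur["where"] = w.group(1)         # file:line that raised the warning
        elif msg == "Call Trace:":
            in_trace = True
        elif in_trace and (f := FRAME.match(msg)):
            if not f.group(1):                # '? ' frames are unreliable, skip them
                cur["frames"].append(f.group(2))
        else:
            in_trace = False                  # any other line ends the trace
    return found
```

Run over a full messages file, grouping the returned dicts by "where" and the first entry of "frames" shows whether every warning comes through the same nf_queue path as in this report.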
I just downloaded Core 141, and all seems to have gone well. DNS was migrated to the new setup page, and all seems to be working after some basic testing.
However, I do not see rfkill. There is a new file /dev/rfkill, but I receive a "Permission Denied" error when I try to execute it. Adding execute privileges does not help.
Also, I wonder if we should add a note "DNS is configured in the Web Interface" or similar to the setup program for anyone who is used to configuring that in Setup and who did not get the message.
Tom