Seiya Kawashima
2017-02-18 02:11:32 UTC
Synopsis: ldapd(8) hangs when receiving large data
Category: system
System : OpenBSD 6.0Category: system
Details : OpenBSD 6.0-current (GENERIC.MP) #0: Thu Feb 16 19:58:50 CST 2017
***@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
Architecture: OpenBSD.amd64
Machine : amd64
Hi,
Thank you for your time to look at this bug report.
ldapd(8) hangs when it receives partial LDAPMessages due to the message
sizes. conn_read() in /ldapd/conn.c is supposed to be called to read
partial LDAPMessages by libevent until it receives complete LDAPMessages
. In theory, conn_read() is called by libevent whenever data for reading
is available. However, it doesn't work this way. What happens is that
conn_read() is called once and nothing happens any further. As the
result, ldapd(8) hangs. It seemed to me that ldapd(8) was waiting for
more data from ldapadd as expected but ldapadd was also waiting for
something to send the rest of the data to ldapd(8). So ldapadd was the
one that didn't send the rest of the data to ldapd(8). To prove this
point, once I killed ldapadd while they were hanging, ldapd(8) started
receiving the rest of the data and stored the data without hanging at
this time. ldapd(8) can't simply wait for more data to read but needs
to do something to let ldapadd keep sending the rest of the data. I
found a fix for this issue but I've not yet found any references about
the fix on RFCs 4511, 4513 and 4514 and the source code at
https://github.com/openldap/openldap so unfortunately I'm not quite sure
if this one would be the right fix. The fix came from my experiments.
Thank you
Seiya
1. Make ldapadd work with self signed certificates for this bug. Please
use the content below for your ~/.ldaprc, otherwise ldapadd would not
work with self signed certificates.
# This is a LDAP client configuration file.
URI ldap:// ldaps://
TLS_REQCERT allow
2. Generate a self signed certificate for this bug. Please type the
command, starttls(8) below to generate a self signed certificate.
Please change the interface, re0 for your environment.
openssl genrsa -out /etc/ldap/certs/re0.key 4096
openssl req -x509 -new -key /etc/ldap/certs/re0.key \
-out /etc/ldap/certs/re0.crt -days 365
3. Set up a simple /etc/ldapd.conf. Please use the content below for
your /etc/ldapd.conf.
schema "/etc/ldap/core.schema"
schema "/etc/ldap/inetorgperson.schema"
schema "/etc/ldap/nis.schema"
# Please change the interface accordingly for your environment.
listen on re0 ldaps
namespace "dc=example,dc=com" {
rootdn "cn=admin,dc=example,dc=com"
rootpw "secret"
index objectClass
index cn
index ou
index uid
index uidNumber
index gidNumber
index mail
index sn
deny access to any by any
allow bind access to children of "ou=people,dc=example,dc=com" by any
allow read access to any by self
allow write access to any by self
}
4. Type the command below to run ldapd(8) in verbose debug mode.
/usr/sbin/ldapd -vv -d
5. Create a simple DIT via ldapadd. Please type the command like below
and adjust the values for -H and -f flags accordingly for your
environment.
ldapadd -vv -H ldaps://192.168.0.118 -x -D "cn=admin,dc=example,dc=com" \
-w secret -f ./sample-1-people-create.txt
Please use the content below as an LDIF file to reproduce the issue.
## This LDIF is from http://www.zytrax.com/books/ldap/ch5/index.html#step1-ldif
## DEFINE DIT ROOT/BASE/SUFFIX ####
## uses RFC 2377 format
## replace example and com as necessary below
## or for experimentation leave as is
## dcObject is an AUXILLIARY objectclass and MUST
## have a STRUCTURAL objectclass (organization in this case)
## this is an ENTRY sequence and is preceded by a BLANK line
dn: dc=example,dc=com
dc: example
description: My wonderful company as much text as you want to place
in this line up to 32K continuation data for the line above must
have <CR> or <CR><LF> i.e. ENTER works
on both Windows and *nix system - new line MUST begin with ONE SPACE
objectClass: dcObject
objectClass: organization
o: Example, Inc.
## FIRST Level hierarchy - people
## uses mixed upper and lower case for objectclass
## this is an ENTRY sequence and is preceded by a BLANK line
dn: ou=people, dc=example,dc=com
ou: people
description: All people in organisation
objectclass: organizationalunit
6. Add a person as inetOrgPerson objectClass under ou=people specifying
a file for the person's jpegPhoto attribute. Please type the command
below to add the person. Also please specify a large enough file for
the jpegPhoto attribute so that conn_read() in /ldapd/conn.c needs to
be called multiple times to get a complete LDAPMessage. If it's
successful at the first time, try it a couple of more times. You will
be able to see the hang. Please adjust the values for -H and -f flags
accordingly for your environment.
ldapadd -vv -H ldaps://192.168.0.118 -x -D "cn=admin,dc=example,dc=com" \
-w secret -f ./sample-1-people-add.txt
Please use the content below as an LDIF file to make ldapd(8) and
ldapadd hang.
dn: cn=Robert Smith,ou=people,dc=example,dc=com
objectclass: inetOrgPerson
cn: Robert Smith
cn: Robert J Smith
cn: bob smith
sn: smith
uid: rjsmith
## Please specify a file that would cause conn_read() to be called
## multiple times. I tried around 2KB, 3KB, 5KB and 13KB files for
## jpegPhoto attribute.
jpegPhoto:< file:///home/seiyak/Documents/samples/LDAP/sample.jpeg
userpassword: rJsmitH
carlicense: HISCAR 123
homephone: 555-111-2222
mail: ***@example.com
mail: ***@example.com
mail: ***@example.com
description: swell guy
ou: Human Resources
This is the output when the hang happens on ldapd(8).
Feb 17 04:01:28.030 [79095] accepted connection from 192.168.0.115 on fd 12
Feb 17 04:01:28.030 [79095] conn_tls_init: switching to TLS
Feb 17 04:01:28.062 [79095] consumed 46 bytes
Feb 17 04:01:28.062 [79095] received request on fd 12
len 44 class: universal(0) type: sequence(16) encoding 16
len 1 class: universal(0) type: integer(2) encoding 2 value 1
len 39 class: application(1) type: bind(0) encoding 16
len 1 class: universal(0) type: integer(2) encoding 2 value 3
len 26 class: universal(0) type: octet-string(4) encoding 4 string "cn=admin,dc=example,dc=com"
len 6 class: context(2) type: auth simple(0) encoding 4 string "secret"
Feb 17 04:01:28.062 [79095] got request type 0, id 1
Feb 17 04:01:28.062 [79095] bind dn = cn=admin,dc=example,dc=com
Feb 17 04:01:28.062 [79095] successfully authenticated as cn=admin,dc=example,dc=com
Feb 17 04:01:28.062 [79095] sending response 1 with result 0
Feb 17 04:01:28.062 [79095] sending response on fd 12
len 12 class: universal(0) type: sequence(16) encoding 16
len 1 class: universal(0) type: integer(2) encoding 2 value 1
len 7 class: application(1) type: bind(1) encoding 16
len 1 class: universal(0) type: enumerated(10) encoding 10 value 0
len 0 class: universal(0) type: octet-string(4) encoding 4 string ""
len 0 class: universal(0) type: octet-string(4) encoding 4 string ""
# ldapd(8) hangs here and no more output is produced until I kill ladpadd.
This is the output when the hang happens on ldapadd.
ldap_initialize( ldaps://192.168.0.118:636/??base )
add objectclass:
inetOrgPerson
add cn:
Robert Smith
Robert J Smith
bob smith
add sn:
smith
add uid:
rjsmith
add jpegPhoto:
NOT ASCII (2568 bytes)
add userpassword:
rJsmitH
add carlicense:
HISCAR 123
add homephone:
555-111-2222
add mail:
***@example.com
***@example.com
***@example.com
add description:
swell guy
add ou:
Human Resources
adding new entry "cn=Robert Smith,ou=people,dc=example,dc=com"
# ldapadd hangs here and no more output is produced. Once I kill
# ldapadd, the rest of the data is sent to ldapd(8) and it can
# process the complete LDAPMessage escaping from the hang.
The code from /ldapd/ber.c below is where ldapd(8) tries to read
complete LDAPMessages calling conn_read() multiple times. You might
want to put a debug message to show r and totlen before line 1102 on
/ldapd/ber.c to see how many bytes are currently available and how
many more bytes need to be read for a complete LDAPMessage.
1095 DPRINTF("ber read element size %zd\n", len);
1096 totlen += r + len;
1097
1098 /* If using an external buffer and the total size of the element
1099 * is larger then the external buffer don't bother to continue. */
1100 if (ber->fd == -1 && len > ber->br_rend - ber->br_rptr) {
1101 errno = ECANCELED;
1102 return -1;
1103 }
Based on my experiments, ldapd(8) needs to send a response via
send_result_ldap() or send_ldap_extended_response() in /ldapd/ldape.c
every time ldapd(8) reads partial LDAPMessages. For this purpose, I
modified ber_read_elements() and ber_read_element() in /ldapd/ber.c,
conn_dispatch() in /ldapd/conn.c and copied send_ldap_extended_response()
as send_ldap_extended_response2() in /ldapd/conn.c. Please take a look
at the diffs below. Once the fix is in place, please recompile ldapd(8)
and return ldapd(8) and ldapadd. At this time, no hang happens. Please
type the command below to search and verify the value for the jpegPhoto
attribute. Please also adjust the values for -H flag and
ldapsearch-jpegPhoto-HO0LQD accordingly for your environment.
ldapsearch -tt -T ./ -LLL -H ldaps://192.168.0.118 -x -D "cn=admin,dc=example,dc=com" \
-w secret -b "cn=Robert Smith,ou=people,dc=example,dc=com" jpegPhoto
openssl dgst -sha1 ldapsearch-jpegPhoto-HO0LQD
openssl dgst -sha1 /home/seiyak/Documents/samples/LDAP/sample.jpeg
Index: ber.c
===================================================================
RCS file: /cvs/src/usr.sbin/ldapd/ber.c,v
retrieving revision 1.12
diff -u -p -r1.12 ber.c
--- ber.c 11 Feb 2017 20:40:03 -0000 1.12
+++ ber.c 18 Feb 2017 01:36:05 -0000
@@ -815,12 +815,13 @@ ber_read_elements(struct ber *ber, struc
DPRINTF("read ber elements, root %p\n", root);
- if (ber_read_element(ber, root) == -1) {
- /* Cleanup if root was allocated by us */
- if (elm == NULL)
- ber_free_elements(root);
- return NULL;
- }
+ /* ber elements might be spread over multiple buffers. In such a case,
+ * parsing ber fails since it's a partial message but the caller still
+ * needs to send a response to the client. Otherwise a hang would
+ * occur. the caller needs to free root no matter parsing ber is
+ * succeesful or not.
+ */
+ ber_read_element(ber, root);
return root;
}
@@ -1081,7 +1082,7 @@ ber_read_element(struct ber *ber, struct
long long val = 0;
struct ber_element *next;
unsigned long type;
- int i, class, cstruct;
+ int i, class, cstruct, err = -1;
ssize_t len, r, totlen = 0;
u_char c;
@@ -1098,8 +1099,10 @@ ber_read_element(struct ber *ber, struct
/* If using an external buffer and the total size of the element
* is larger then the external buffer don't bother to continue. */
if (ber->fd == -1 && len > ber->br_rend - ber->br_rptr) {
+ /* Keep working on partial message. */
errno = ECANCELED;
- return -1;
+ len = ber->br_rend - ber->br_rptr;
+ err = 0;
}
elm->be_type = type;
@@ -1186,6 +1189,12 @@ ber_read_element(struct ber *ber, struct
next = next->be_next;
}
break;
+ }
+
+ if(err == 0){
+ /* Let the caller know it's a partial message. */
+ errno = ECANCELED;
+ totlen = -1;
}
return totlen;
}
Index: conn.c
===================================================================
RCS file: /cvs/src/usr.sbin/ldapd/conn.c,v
retrieving revision 1.14
diff -u -p -r1.14 conn.c
--- conn.c 20 Jan 2017 11:55:08 -0000 1.14
+++ conn.c 18 Feb 2017 01:36:05 -0000
@@ -29,6 +29,11 @@
int conn_dispatch(struct conn *conn);
int conn_tls_init(struct conn *);
unsigned long ldap_application(struct ber_element *elm);
+/* Copied from /ldapd/ldape.c and renamed to send_ldap_extended_response2(). */
+void send_ldap_extended_response2(struct conn *conn,
+ int msgid, unsigned long type,
+ long long result_code,
+ const char *extended_oid);
struct conn_list conn_list;
@@ -137,10 +142,53 @@ request_dispatch(struct request *req)
}
}
+/* Copied from /ldapd/ldape.c and renamed to send_ldap_extended_response2().
+ */
+void
+send_ldap_extended_response2(struct conn *conn, int msgid, unsigned long type,
+ long long result_code, const char *extended_oid)
+{
+ int rc;
+ struct ber_element *root, *elm;
+ void *buf;
+
+ log_debug("sending response %u with result %lld", type, result_code);
+
+ if ((root = ber_add_sequence(NULL)) == NULL)
+ goto fail;
+
+ elm = ber_printf_elements(root, "d{tEss",
+ msgid, BER_CLASS_APP, type, result_code, "", "");
+ if (elm == NULL)
+ goto fail;
+
+ if (extended_oid)
+ if (ber_add_string(elm, extended_oid) == NULL)
+ goto fail;
+
+ ldap_debug_elements(root, type, "sending response on fd %d", conn->fd);
+
+ rc = ber_write_elements(&conn->ber, root);
+ ber_free_elements(root);
+
+ if (rc < 0)
+ log_warn("failed to create ldap result");
+ else {
+ ber_get_writebuf(&conn->ber, &buf);
+ if (bufferevent_write(conn->bev, buf, rc) != 0)
+ log_warn("failed to send ldap result");
+ }
+
+ return;
+fail:
+ if (root)
+ ber_free_elements(root);
+}
+
int
conn_dispatch(struct conn *conn)
{
- int class;
+ int class, err;
struct request *req;
u_char *rptr;
@@ -155,18 +203,9 @@ conn_dispatch(struct conn *conn)
req->conn = conn;
rptr = conn->ber.br_rptr; /* save where we start reading */
- if ((req->root = ber_read_elements(&conn->ber, NULL)) == NULL) {
- if (errno != ECANCELED) {
- log_warnx("protocol error");
- hexdump(rptr, conn->ber.br_rend - rptr,
- "failed to parse request from %zi bytes:",
- conn->ber.br_rend - rptr);
- conn_disconnect(conn);
- }
- request_free(req);
- return -1;
- }
- log_debug("consumed %d bytes", conn->ber.br_rptr - rptr);
+ req->root = ber_read_elements(&conn->ber, NULL);
+ /* Store errno from ber_read_elements(). */
+ err = errno;
/* Read message id and request type.
*/
@@ -179,6 +218,19 @@ conn_dispatch(struct conn *conn)
request_free(req);
return -1;
}
+
+ if(err == ECANCELED){
+ /* Let LDAP client keep sending leftover data to ldapd.
+ * Need to respond to each partial LDAPMessage, otherwise
+ * the client would not send the rest of the message.
+ */
+ send_ldap_extended_response2(conn, req->msgid, req->type + 1,
+ LDAP_SUCCESS, NULL);
+ request_free(req);
+ return -1;
+ }
+
+ log_debug("consumed %d bytes", conn->ber.br_rptr - rptr);
ldap_debug_elements(req->root, req->type,
"received request on fd %d", conn->fd);
dmesg:
OpenBSD 6.0-current (GENERIC.MP) #0: Thu Feb 16 19:58:50 CST 2017
***@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4152004608 (3959MB)
avail mem = 4021501952 (3835MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xebe20 (44 entries)
bios0: vendor AMI version "80.06" date 04/11/2014
bios0: Hewlett-Packard HP 200 G1 MT
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT MSDM MCFG LPIT SLIC HPET SSDT SSDT SSDT UEFI DBGP
acpi0: wakeup devices XHC1(S4) PXSX(S4) PXSX(S4) PXSX(S4) PXSX(S4) PWRB(S0)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Pentium(R) CPU J2850 @ 2.41GHz, 2417.21 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu0: 1MB 64b/line 16-way L2 cache
cpu0: TSC frequency 2417213510 Hz
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 83MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.0.0.0.3.3, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Pentium(R) CPU J2850 @ 2.41GHz, 2416.67 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu1: 1MB 64b/line 16-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Pentium(R) CPU J2850 @ 2.41GHz, 2416.67 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu2: 1MB 64b/line 16-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Pentium(R) CPU J2850 @ 2.41GHz, 2416.67 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu3: 1MB 64b/line 16-way L2 cache
cpu3: smt 0, core 3, package 0
ioapic0 at mainbus0: apid 1 pa 0xfec00000, version 20, 87 pins
acpimadt0: bogus nmi for apid 0
acpimadt0: bogus nmi for apid 4
acpimadt0: bogus nmi for apid 6
acpimcfg0 at acpi0 addr 0xe0000000, bus 0-255
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (RP01)
acpiprt2 at acpi0: bus -1 (ITPC)
acpiprt3 at acpi0: bus 3 (RP02)
acpiprt4 at acpi0: bus 4 (RP03)
acpiprt5 at acpi0: bus 9 (RP04)
acpiec0 at acpi0: not present
acpicpu0 at acpi0: C1(***@1 mwait.1), PSS
acpicpu1 at acpi0: C1(***@1 mwait.1), PSS
acpicpu2 at acpi0: C1(***@1 mwait.1), PSS
acpicpu3 at acpi0: C1(***@1 mwait.1), PSS
acpipwrres0 at acpi0: PLPE
acpipwrres1 at acpi0: PLPE
acpipwrres2 at acpi0: USBC, resource for EHC1, OTG1
acpipwrres3 at acpi0: FN00, resource for FAN0
acpitz0 at acpi0: critical temperature is 90 degC
"PNP0501" at acpi0 not configured
"DMA0F28" at acpi0 not configured
acpibtn0 at acpi0: PWRB
acpibtn1 at acpi0: SLPB
"PNP0C14" at acpi0 not configured
"PNP0C0B" at acpi0 not configured
acpivideo0 at acpi0: GFX0
cpu0: Enhanced SpeedStep 2417 MHz: speeds: 2407, 2324, 2241, 2158, 2075, 1992, 1909, 1826, 1743, 1660, 1577, 1494, 1411, 1328 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Bay Trail Host" rev 0x0a
inteldrm0 at pci0 dev 2 function 0 "Intel Bay Trail Video" rev 0x0a
drm0 at inteldrm0
inteldrm0: msi
inteldrm0: 1024x768, 32bpp
wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation)
wsdisplay0: screen 1-5 added (std, vt100 emulation)
ahci0 at pci0 dev 19 function 0 "Intel Bay Trail AHCI" rev 0x0a: msi, AHCI 1.3
ahci0: port 0: 3.0Gb/s
ahci0: port 1: 1.5Gb/s
scsibus1 at ahci0: 32 targets
sd0 at scsibus1 targ 0 lun 0: <ATA, TOSHIBA DT01ACA0, MS1O> SCSI3 0/direct fixed naa.5000039ffcc7f26b
sd0: 476940MB, 512 bytes/sector, 976773168 sectors
cd0 at scsibus1 targ 1 lun 0: <hp, DVD-RAM GHB0N, RK03> ATAPI 5/cdrom removable
xhci0 at pci0 dev 20 function 0 "Intel Bay Trail xHCI" rev 0x0a: msi
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 configuration 1 interface 0 "Intel xHCI root hub" rev 3.00/1.00 addr 1
"Intel Bay Trail TXE" rev 0x0a at pci0 dev 26 function 0 not configured
azalia0 at pci0 dev 27 function 0 "Intel Bay Trail HD Audio" rev 0x0a: msi
azalia0: codecs: Realtek ALC221, Intel/0x2882, using Realtek ALC221
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 "Intel Bay Trail I2C" rev 0x0a: msi
pci1 at ppb0 bus 1
ppb1 at pci1 dev 0 function 0 "ITExpress IT8893E PCIE-PCI" rev 0x52
pci2 at ppb1 bus 2
re0 at pci2 dev 0 function 0 "D-Link DGE-528T" rev 0x10: RTL8169/8110SB (0x1000), apic 1 int 16, address 1c:7e:e5:2a:a0:50
rgephy0 at re0 phy 7: RTL8169S/8110S/8211 PHY, rev. 3
ppb2 at pci0 dev 28 function 1 "Intel Bay Trail PCIE" rev 0x0a: msi
pci3 at ppb2 bus 3
re1 at pci3 dev 0 function 0 "Realtek 8168" rev 0x0c: RTL8168G/8111G (0x4c00), msi, address 10:60:4b:91:85:83
rgephy1 at re1 phy 7: RTL8251 PHY, rev. 0
ppb3 at pci0 dev 28 function 2 "Intel Bay Trail PCIE" rev 0x0a: msi
pci4 at ppb3 bus 4
ppb4 at pci4 dev 0 function 0 "TI XIO3130 PCIE-PCIE upstream" rev 0x02
pci5 at ppb4 bus 5
ppb5 at pci5 dev 0 function 0 "TI XIO3130 PCIE-PCIE downstream" rev 0x02
pci6 at ppb5 bus 6
re2 at pci6 dev 0 function 0 "Realtek 8168" rev 0x06: RTL8168E/8111E (0x2c00), msi, address 00:e0:4c:80:62:93
rgephy2 at re2 phy 7: RTL8169S/8110S/8211 PHY, rev. 4
ppb6 at pci5 dev 1 function 0 "TI XIO3130 PCIE-PCIE downstream" rev 0x02
pci7 at ppb6 bus 7
re3 at pci7 dev 0 function 0 "Realtek 8168" rev 0x06: RTL8168E/8111E (0x2c00), msi, address 00:e0:4c:80:62:94
rgephy3 at re3 phy 7: RTL8169S/8110S/8211 PHY, rev. 4
ppb7 at pci5 dev 2 function 0 "TI XIO3130 PCIE-PCIE downstream" rev 0x02
pci8 at ppb7 bus 8
ppb8 at pci0 dev 28 function 3 "Intel Bay Trail PCIE" rev 0x0a: msi
pci9 at ppb8 bus 9
ppb9 at pci9 dev 0 function 0 "TI XIO3130 PCIE-PCIE upstream" rev 0x02
pci10 at ppb9 bus 10
ppb10 at pci10 dev 0 function 0 "TI XIO3130 PCIE-PCIE downstream" rev 0x02
pci11 at ppb10 bus 11
re4 at pci11 dev 0 function 0 "Realtek 8168" rev 0x06: RTL8168E/8111E (0x2c00), msi, address 00:e0:4c:80:59:28
rgephy4 at re4 phy 7: RTL8169S/8110S/8211 PHY, rev. 4
ppb11 at pci10 dev 1 function 0 "TI XIO3130 PCIE-PCIE downstream" rev 0x02
pci12 at ppb11 bus 12
re5 at pci12 dev 0 function 0 "Realtek 8168" rev 0x06: RTL8168E/8111E (0x2c00), msi, address 00:e0:4c:80:59:29
rgephy5 at re5 phy 7: RTL8169S/8110S/8211 PHY, rev. 4
ppb12 at pci10 dev 2 function 0 "TI XIO3130 PCIE-PCIE downstream" rev 0x02
pci13 at ppb12 bus 13
ehci0 at pci0 dev 29 function 0 "Intel Bay Trail EHCI" rev 0x0a: apic 1 int 23
ehci0: halt timeout
usb1 at ehci0: USB revision 2.0
uhub1 at usb1 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
pcib0 at pci0 dev 31 function 0 "Intel Bay Trail LPC" rev 0x0a
ichiic0 at pci0 dev 31 function 3 "Intel Bay Trail SMBus" rev 0x0a: apic 1 int 18
iic0 at ichiic0
spdmem0 at iic0 addr 0x50: 4GB DDR3 SDRAM PC3-12800 SO-DIMM
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
vmm disabled by firmware
vmm at mainbus0 not configured
uhidev0 at uhub0 port 2 configuration 1 interface 0 "Hewlett Packard HP USB Keyboard" rev 1.10/2.07 addr 2
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 variable keys, 6 key codes
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhidev1 at uhub0 port 2 configuration 1 interface 1 "Hewlett Packard HP USB Keyboard" rev 1.10/2.07 addr 2
uhidev1: iclass 3/0, 2 report ids
uhid0 at uhidev1 reportid 1: input=1, output=0, feature=0
uhid1 at uhidev1 reportid 2: input=3, output=0, feature=0
uhidev2 at uhub0 port 3 configuration 1 interface 0 "PixArt HP USB Optical Mouse" rev 2.00/1.00 addr 3
uhidev2: iclass 3/1
ums0 at uhidev2: 3 buttons, Z dir
wsmouse0 at ums0 mux 0
uhub2 at uhub0 port 4 configuration 1 interface 0 "Alcor Micro product 0x6254" rev 2.00/1.00 addr 4
uhub3 at uhub1 port 1 configuration 1 interface 0 "Intel product 0x07e6" rev 2.00/0.10 addr 2
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on sd0a (0aa09e87b165e337.a) swap on sd0b dump on sd0b
usbdevs:
Controller /dev/usb0:
addr 1: super speed, self powered, config 1, xHCI root hub(0x0000), Intel(0x8086), rev 1.00
port 1 disabled
port 2 addr 2: low speed, power 100 mA, config 1, HP USB Keyboard(0x0d4a), Hewlett Packard(0x03f0), rev 2.07
port 3 addr 3: low speed, power 100 mA, config 1, HP USB Optical Mouse(0x094a), PixArt(0x03f0), rev 1.00
port 4 addr 4: high speed, self powered, config 1, product 0x6254(0x6254), Alcor Micro(0x058f), rev 1.00
port 1 powered
port 2 powered
port 3 powered
port 4 powered
port 5 disabled
port 6 disabled
port 7 disabled
Controller /dev/usb1:
addr 1: high speed, self powered, config 1, EHCI root hub(0x0000), Intel(0x8086), rev 1.00
port 1 addr 2: high speed, self powered, config 1, product 0x07e6(0x07e6), Intel(0x8087), rev 0.10
port 1 powered
port 2 powered
port 3 powered
port 4 powered
port 2 powered
port 3 powered
port 4 powered
port 5 powered
port 6 powered
port 7 powered
port 8 powered
