Description of problem: when sending fragmented packets over multicast sockets, if the IP_MULTICAST_LOOP option is enabled, each skbuff is cloned and fragmented. The accounting for the sockets SNDBUF is preformed on each fragment, but after the frame is transmitted the kfree_skb call fails to preform the reverse accounting, since the cloned skbuffs are not freed, only the top level skbuff representing the entire frame. Only after the socket is read from, clearing the received skbuff from the receive queue, is the reverse accounting preformed. This can lead to inacurate sndbuf values, and if the socket is not read from often enough, the user process using the socket can block indefinately on a send(to/msg) call. Version-Release number of selected component (if applicable): all How reproducible: always Steps to Reproduce: 1) Remove iptables modules from the system (iptables can prematurely free buffers to prevent queue backlog). 2) build and run the attached testcase (multicast_test.C). Specify when running a large packet size (I've been using 10000 bytes) so as to incur fragmenting. Also specify that IP_MUTLICAST_LOOP should be set, and that the reader thread should never read. Actual results: After a few packets, the call to sendto will block forever, waiting for available memory in the SNDBUF buffer. This will not be made available until the socket is read from Expected results: Socket sends only block until frames are transmitted, at which point memory should be available in the send buffer. Additional info:
Created attachment 101749 [details] C++ test case to demonstrate sendto blocking failure
Created attachment 101751 [details] patch to adjust socket buffer accounting. This patch corrects this issue by moving socket layer accounting to the top level skbuff. By doing this all SNDBUF memory is released on the freeing of the top level skbuff, which allows individual fragments to be cloned without affecting the accounting. I also checked, and this problem seems to present in the 2.6 kernel as well, so this patch should probably be pushed there.
A fix for this problem has just been committed to the RHEL3 U4 patch pool this evening (in kernel version 2.4.21-20.1.EL).
An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2004-550.html