Commit f211ac154577ec9ccf07c15f18a6abf0d9bdb4ab breaks Smack TCP connections

刘亚灿 yacanliu at
Wed Mar 31 02:44:05 UTC 2021

Hi Casev:

A quote from the listen(2) man page on my Ubuntu system:
The backlog argument defines the maximum length to which 
the queue of pending connections for sockfd may grow.
I think this implies that the 'backlog' must be greater than zero.
In the test source file (tools/smack-ipv4-tcp-peersec.c) Line 60
I found the following code:
if (listen(firstsock, 0) < 0) {
	    printf("%s-listen\n", argv[0]);
That means that sock will not accept any requests, 
so client TCP connections hang with SYN_SENT.
In openssh case, it use SSH_LISTEN_BACKLOG as 128.

At 2021-03-30 23:42:04, "Casey Schaufler" <casey at> wrote:
>Commit f211ac154577ec9ccf07c15f18a6abf0d9bdb4ab 'net: correct
>sk_acceptq_is_full()' breaks a system with the Smack LSM.
>Reverting this change results in a return to correct behavior.
>The Smack testsuite can be found at:
>The failing test is, but it seems
>that most TCP connections hang with SYN_SENT. Oddly, ssh
>to works, but other TCP connections timeout.



More information about the Linux-security-module-archive mailing list