1 files changed, 3 insertions, 0 deletions

diff --git a/net/netfilter/nf_conntrack_extend.c b/net/netfilter/nf_conntrack_extend.c
index 2bd9963b5b3..bcc19fa4ed1 100644
--- a/net/netfilter/nf_conntrack_extend.c
+++ b/net/netfilter/nf_conntrack_extend.c
@@ -71,6 +71,9 @@ void *__nf_ct_ext_add(struct nf_conn *ct, enum nf_ct_ext_id id, gfp_t gfp)
 	int i, newlen, newoff;
 	struct nf_ct_ext_type *t;
 
+	/* Conntrack must not be confirmed to avoid races on reallocation. */
+	NF_CT_ASSERT(!nf_ct_is_confirmed(ct));
+
 	if (!ct->ext)
 		return nf_ct_ext_create(&ct->ext, id, gfp);