[NETFILTER]: nf_conntrack_extend: warn on confirmed conntracks

New extensions may only be added to unconfirmed conntracks to avoid races
when reallocating the storage.

Also change NF_CT_ASSERT to use WARN_ON to get backtraces.

Signed-off-by: Patrick McHardy <kaber@trash.net>

1 files changed, 3 insertions, 0 deletions

diff --git a/net/netfilter/nf_conntrack_extend.c b/net/netfilter/nf_conntrack_extend.c
index 2bd9963b5b3e..bcc19fa4ed1e 100644
--- a/net/netfilter/nf_conntrack_extend.c
+++ b/net/netfilter/nf_conntrack_extend.c
@@ -71,6 +71,9 @@ void *__nf_ct_ext_add(struct nf_conn *ct, enum nf_ct_ext_id id, gfp_t gfp)
         int i, newlen, newoff;
         struct nf_ct_ext_type *t;
 
+        /* Conntrack must not be confirmed to avoid races on reallocation. */
+        NF_CT_ASSERT(!nf_ct_is_confirmed(ct));
+
         if (!ct->ext)
                 return nf_ct_ext_create(&ct->ext, id, gfp);