2 files changed, 4 insertions, 8 deletions

diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index bb9fc852e973..4a0496aa32d5 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -65,14 +65,7 @@ union nf_conntrack_help {
 #include <linux/timer.h>
 
 #ifdef CONFIG_NETFILTER_DEBUG
-#define NF_CT_ASSERT(x)                                                 \
-do {                                                                    \
-        if (!(x))                                                       \
-                /* Wooah!  I'm tripping my conntrack in a frenzy of     \
-                   netplay... */                                        \
-                printk("NF_CT_ASSERT: %s:%i(%s)\n",                     \
-                       __FILE__, __LINE__, __FUNCTION__);               \
-} while(0)
+#define NF_CT_ASSERT(x)         WARN_ON(!(x))
 #else
 #define NF_CT_ASSERT(x)
 #endif
diff --git a/net/netfilter/nf_conntrack_extend.c b/net/netfilter/nf_conntrack_extend.c
index 2bd9963b5b3e..bcc19fa4ed1e 100644
--- a/net/netfilter/nf_conntrack_extend.c
+++ b/net/netfilter/nf_conntrack_extend.c
@@ -71,6 +71,9 @@ void *__nf_ct_ext_add(struct nf_conn *ct, enum nf_ct_ext_id id, gfp_t gfp)
         int i, newlen, newoff;
         struct nf_ct_ext_type *t;
 
+        /* Conntrack must not be confirmed to avoid races on reallocation. */
+        NF_CT_ASSERT(!nf_ct_is_confirmed(ct));
+
         if (!ct->ext)
                 return nf_ct_ext_create(&ct->ext, id, gfp);