1 files changed, 8 insertions, 1 deletions

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 5276a2dd56fe..b0b06c7a9483 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -425,7 +425,6 @@ __nf_conntrack_confirm(struct sk_buff *skb)
         /* Remove from unconfirmed list */
         hlist_nulls_del_rcu(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode);
 
-        __nf_conntrack_hash_insert(ct, hash, repl_hash);
         /* Timer relative to confirmation time, not original
            setting time, otherwise we'd get timer wrap in
            weird delay cases. */
@@ -433,8 +432,16 @@ __nf_conntrack_confirm(struct sk_buff *skb)
         add_timer(&ct->timeout);
         atomic_inc(&ct->ct_general.use);
         set_bit(IPS_CONFIRMED_BIT, &ct->status);
+
+        /* Since the lookup is lockless, hash insertion must be done after
+         * starting the timer and setting the CONFIRMED bit. The RCU barriers
+         * guarantee that no other CPU can find the conntrack before the above
+         * stores are visible.
+         */
+        __nf_conntrack_hash_insert(ct, hash, repl_hash);
         NF_CT_STAT_INC(net, insert);
         spin_unlock_bh(&nf_conntrack_lock);
+
         help = nfct_help(ct);
         if (help && help->helper)
                 nf_conntrack_event_cache(IPCT_HELPER, ct);