zone = nf_ct_zone(ct);
 
-       if (!nf_ct_ext_valid_pre(ct->ext)) {
-               NF_CT_STAT_INC_ATOMIC(net, insert_failed);
-               return -ETIMEDOUT;
-       }
+       if (!nf_ct_ext_valid_pre(ct->ext))
+               return -EAGAIN;
 
        local_bh_disable();
        do {
                        goto chaintoolong;
        }
 
+       /* If genid has changed, we can't insert anymore because ct
+        * extensions could have stale pointers and nf_ct_iterate_destroy
+        * might have completed its table scan already.
+        *
+        * Increment of the ext genid right after this check is fine:
+        * nf_ct_iterate_destroy blocks until locks are released.
+        */
+       if (!nf_ct_ext_valid_post(ct->ext)) {
+               err = -EAGAIN;
+               goto out;
+       }
+
+       ct->status |= IPS_CONFIRMED;
        smp_wmb();
        /* The caller holds a reference to this object */
        refcount_set(&ct->ct_general.use, 2);
        NF_CT_STAT_INC(net, insert);
        local_bh_enable();
 
-       if (!nf_ct_ext_valid_post(ct->ext)) {
-               nf_ct_kill(ct);
-               NF_CT_STAT_INC_ATOMIC(net, drop);
-               return -ETIMEDOUT;
-       }
-
        return 0;
 chaintoolong:
        NF_CT_STAT_INC(net, chaintoolong);
 
        nfct_seqadj_ext_add(ct);
        nfct_synproxy_ext_add(ct);
 
-       /* we must add conntrack extensions before confirmation. */
-       ct->status |= IPS_CONFIRMED;
-
        if (cda[CTA_STATUS]) {
                err = ctnetlink_change_status(ct, cda);
                if (err < 0)