diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 3126911f5042..bec4aeef6a82 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -200,8 +200,10 @@ int nf_hook_entries_insert_raw(struct nf_hook_entries __rcu **pp,
 	struct nf_hook_entries *new_hooks;
 	struct nf_hook_entries *p;
 
+	mutex_lock(&nf_hook_mutex);
 	p = rcu_dereference_raw(*pp);
 	new_hooks = nf_hook_entries_grow(p, reg);
+	mutex_unlock(&nf_hook_mutex);
 	if (IS_ERR(new_hooks))
 		return PTR_ERR(new_hooks);
 
@@ -546,11 +548,13 @@ void nf_hook_entries_delete_raw(struct nf_hook_entries __rcu **pp,
 {
 	struct nf_hook_entries *p;
 
+	mutex_lock(&nf_hook_mutex);
 	p = rcu_dereference_raw(*pp);
 	if (nf_remove_net_hook(p, reg)) {
 		p = __nf_hook_entries_try_shrink(p, pp);
 		nf_hook_entries_free(p);
 	}
+	mutex_unlock(&nf_hook_mutex);
 }
 EXPORT_SYMBOL_GPL(nf_hook_entries_delete_raw);