--- x/net/netlabel/netlabel_kapi.c
+++ y/net/netlabel/netlabel_kapi.c
@@ -960,6 +960,7 @@ int netlbl_enabled(void)
 	return (atomic_read(&netlabel_mgmt_protocount) > 0);
 }
 
+static DEFINE_SPINLOCK(setattr_spinlock);
 /**
  * netlbl_sock_setattr - Label a socket using the correct protocol
  * @sk: the socket to label
@@ -997,9 +998,11 @@ int netlbl_sock_setattr(struct sock *sk,
 			ret_val = -EDESTADDRREQ;
 			break;
 		case NETLBL_NLTYPE_CIPSOV4:
+			spin_lock(&setattr_spinlock);
 			ret_val = cipso_v4_sock_setattr(sk,
 							dom_entry->def.cipso,
 							secattr, sk_locked);
+			spin_unlock(&setattr_spinlock);
 			break;
 		case NETLBL_NLTYPE_UNLABELED:
 			ret_val = 0;
@@ -1049,7 +1052,9 @@ void netlbl_sock_delattr(struct sock *sk
 {
 	switch (sk->sk_family) {
 	case AF_INET:
+		spin_lock(&setattr_spinlock);
 		cipso_v4_sock_delattr(sk);
+		spin_unlock(&setattr_spinlock);
 		break;
 #if IS_ENABLED(CONFIG_IPV6)
 	case AF_INET6:
@@ -1149,9 +1154,11 @@ int netlbl_conn_setattr(struct sock *sk,
 		}
 		switch (entry->type) {
 		case NETLBL_NLTYPE_CIPSOV4:
+			spin_lock(&setattr_spinlock);
 			ret_val = cipso_v4_sock_setattr(sk,
 							entry->cipso, secattr,
 							netlbl_sk_lock_check(sk));
+			spin_unlock(&setattr_spinlock);
 			break;
 		case NETLBL_NLTYPE_UNLABELED:
 			/* just delete the protocols we support for right now