diff --git a/sys/netpfil/ipfw/ip_fw_table.c b/sys/netpfil/ipfw/ip_fw_table.c
index ca4e0e4c3ea9..f9425415c3c4 100644
--- a/sys/netpfil/ipfw/ip_fw_table.c
+++ b/sys/netpfil/ipfw/ip_fw_table.c
@@ -597,19 +597,21 @@ add_table_entry(struct ip_fw_chain *ch, struct tid_info *ti,
 	/* Pass stack buffer by default */
 	ta_buf_m = ta_buf;
 	error = prepare_batch_buffer(ch, ta, tei, count, OP_ADD, &ta_buf_m);
-	if (error != 0)
-		goto cleanup;
 
 	IPFW_UH_WLOCK(ch);
+	del_toperation_state(ch, &ts);
 	/* Drop reference we've used in first search */
 	tc->no.refcnt--;
 
+	/* Check prepare_batch_buffer() error */
+	if (error != 0)
+		goto cleanup;
+
 	/*
 	 * Check if table swap has happened.
 	 * (so table algo might be changed).
 	 * Restart operation to achieve consistent behavior.
 	 */
-	del_toperation_state(ch, &ts);
 	if (ts.modified != 0)
 		goto restart;