diff --git a/sys/net/bpfdesc.h b/sys/net/bpfdesc.h
index 02c79ebf4c92..46892f6e3a23 100644
--- a/sys/net/bpfdesc.h
+++ b/sys/net/bpfdesc.h
@@ -102,6 +102,7 @@ struct bpf_d {
 
 #define BPFD_LOCK(bd) mtx_lock(&(bd)->bd_mtx)
 #define BPFD_UNLOCK(bd) mtx_unlock(&(bd)->bd_mtx)
+#define BPFD_LOCK_ASSERT(bd) mtx_assert(&(bd)->bd_mtx, MA_OWNED)
 
 /* Test whether a BPF is ready for read(). */
 #define bpf_ready(bd) \
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index f5bb74225cb0..a5fc29b26d07 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -292,6 +292,8 @@ mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *mbuf)
 {
 struct label *label;
 
+ BPFD_LOCK_ASSERT(bpf_d);
+
 label = mac_mbuf_to_label(mbuf);
 
 MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, bpf_d->bd_label, mbuf,
@@ -350,6 +352,8 @@ mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet)
 {
 int error;
 
+ BPFD_LOCK_ASSERT(bpf_d);
+
 if (!mac_enforce_network)
 return (0);
 
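Review bot: `BPFD_LOCK_ASSERT` is introduced next to `BPFD_LOCK`/`BPFD_UNLOCK` with no comment saying that it is a debug-time check only. `mtx_assert()` panics on a violated assertion only on kernels built with `INVARIANTS`, so on a production kernel the macro verifies nothing and the locking rule is upheld by review alone. A short comment above the macro group, for example `/* Descriptor mutex helpers; BPFD_LOCK_ASSERT() is checked only on INVARIANTS kernels. */`, would stop readers from treating it as a runtime guard.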
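Review bot: The new `BPFD_LOCK_ASSERT(bpf_d);` in `mac_create_mbuf_from_bpfdesc()` turns "caller holds the descriptor mutex" into a precondition, but nothing at the function states it. A comment above the function such as `/* Caller must hold the BPF descriptor lock: bd_label is read below. */` would document the contract for callers and policy-module authors. The same comment is missing on `mac_check_bpfdesc_receive()` in the following hunk. There the assert is placed before the `mac_enforce_network` early return, so it is still evaluated when enforcement is switched off, and that ordering is worth keeping. Other MAC entry points taking a `struct bpf_d *` are not visible in this diff, and both function bodies continue outside their hunks; any of those that also touch `bd_label` presumably want the same assertion.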