fix: switch to std::sync::Mutex for BPF scanner/collector

Simon Morley · Simon Morley · commit bd71e7deecbc · 2026-03-17T10:40:32.000Z
tokio::sync::Mutex deadlocks when used inside spawn_blocking +
Handle::block_on — the async waker can't unpark blocked threads.
Since all critical sections are synchronous (std::thread::sleep in
SYN sender, raw socket I/O), std::sync::Mutex is correct here.

[skip tests]
diff --git a/src/engine.rs b/src/engine.rs
@@ -9,7 +9,7 @@ use std::sync::Arc;
 use std::time::{Duration, Instant};
 
 use chrono::Utc;
-use tokio::sync::Mutex;
+use std::sync::Mutex;
 use uuid::Uuid;
 
 use crate::scanner::collector::DiscoveryCollector;
@@ -286,7 +286,7 @@ impl ScanEngine {
         // Catches detachment between engine creation and scan execution —
         // the critical gap for long-lived processes (e.g. limpet-timing).
         {
-            let bpf_guard = self.collector.lock().await;
+            let bpf_guard = self.collector.lock().unwrap();
             if let Err(e) = bpf_guard.verify_attached() {
                 return ScanResult {
                     request_id: request.request_id,
@@ -314,7 +314,7 @@ impl ScanEngine {
 
         let mut all_probes = Vec::new();
         for batch in ports.chunks(batch_size) {
-            let mut scanner_guard = self.scanner.lock().await;
+            let mut scanner_guard = self.scanner.lock().unwrap();
             scanner_guard.set_profile(scan_profile.clone());
             let result = match scanner_guard.send_syn_batch(target_ip, batch) {
                 Ok(r) => r,
@@ -354,7 +354,7 @@ impl ScanEngine {
                 let remaining = deadline - now;
                 tokio::time::sleep(poll_interval.min(remaining)).await;
 
-                let bpf_guard = self.collector.lock().await;
+                let bpf_guard = self.collector.lock().unwrap();
                 let responded = all_probes
                     .iter()
                     .filter(|probe| {
@@ -373,7 +373,7 @@ impl ScanEngine {
 
         // Collect all results in one pass
         let collector = DiscoveryCollector::new(timeout);
-        let bpf_guard = self.collector.lock().await;
+        let bpf_guard = self.collector.lock().unwrap();
         let discovery = collector.collect(&all_probes, &*bpf_guard, target_ip_u32);
         drop(bpf_guard);
 
diff --git a/src/timing/userspace.rs b/src/timing/userspace.rs
@@ -5,7 +5,7 @@
 //! No userspace fallback — requires Linux with CAP_BPF + CAP_NET_ADMIN.
 
 use std::sync::Arc;
-use tokio::sync::Mutex;
+use std::sync::Mutex;
 
 use crate::{TimingRequest, TimingResult};
 use std::net::{SocketAddr, ToSocketAddrs};
@@ -47,15 +47,15 @@ async fn poll_bpf_timing_entry(
         // Drain AF_XDP ring to prevent overflow and allow XDP to keep redirecting.
         // We don't care which frames arrive here — the BPF map is the source of truth.
         {
-            let mut scanner_ref = scanner.lock().await;
+            let mut scanner_ref = scanner.lock().unwrap();
             scanner_ref.poll_rx(0);
         }
 
         // Check if this probe's map entry has a response.
         // read_timing_v2 returns None when: (a) no entry exists, or (b) only SYN flag set
         // (TC recorded the SYN but no response yet). Returns Some once response arrives.
         {
-            let bpf_ref = bpf.lock().await;
+            let bpf_ref = bpf.lock().unwrap();
             if let Some(entry) = bpf_ref.read_timing_v2(dst_ip, dst_port, src_port) {
                 return Some(entry);
             }
@@ -91,7 +91,7 @@ pub async fn collect_timing_samples_raw(
 ) -> TimingResult {
     // Pre-timing BPF health check: verify XDP + TC are still attached.
     {
-        let bpf_ref = bpf.lock().await;
+        let bpf_ref = bpf.lock().unwrap();
         if let Err(e) = bpf_ref.verify_attached() {
             return TimingResult::error(
                 request,
@@ -128,7 +128,7 @@ pub async fn collect_timing_samples_raw(
     for _i in 0..sample_count {
         // Send a single raw SYN probe via AF_XDP TX
         let probe = {
-            let mut scanner_ref = scanner.lock().await;
+            let mut scanner_ref = scanner.lock().unwrap();
             match scanner_ref.send_single_syn(target_ipv4, dst_port) {
                 Ok(p) => p,
                 Err(e) => {
@@ -192,13 +192,13 @@ pub async fn collect_timing_samples_raw(
 
         // Clean up BPF map entry
         {
-            let bpf_ref = bpf.lock().await;
+            let bpf_ref = bpf.lock().unwrap();
             bpf_ref.delete_entry(dst_ip_u32, dst_port, probe.src_port);
         }
 
         // Inter-probe jitter delay from stealth profile
         let delay_ms = {
-            let scanner_ref = scanner.lock().await;
+            let scanner_ref = scanner.lock().unwrap();
             scanner_ref.profile().jittered_delay_ms()
         };
         if delay_ms > 0 {
@@ -215,7 +215,7 @@ pub async fn collect_timing_samples_raw(
 
     let stats = calculate_stats(&samples);
     let precision_class = {
-        let bpf_ref = bpf.lock().await;
+        let bpf_ref = bpf.lock().unwrap();
         let base = bpf_ref.backend().precision_class().to_string();
         if skipped_count > 0 {
             format!("{base}_degraded")
