diff --git a/server/TrafficController.cpp b/server/TrafficController.cpp
index 1f3b557..c39440f 100644
--- a/server/TrafficController.cpp
+++ b/server/TrafficController.cpp
@@ -180,7 +180,7 @@
 TrafficController::TrafficController() : mBpfLevel(getBpfSupportLevel()) {}
 
 Status TrafficController::initMaps() {
-    std::lock_guard ownerMapGuard(mOwnerMatchMutex);
+    std::lock_guard guard(mMutex);
     RETURN_IF_NOT_OK(mCookieTagMap.init(COOKIE_TAG_MAP_PATH));
     RETURN_IF_NOT_OK(changeOwnerAndMode(COOKIE_TAG_MAP_PATH, AID_NET_BW_ACCT, "CookieTagMap",
                                         false));
@@ -330,7 +330,7 @@
 }
 
 int TrafficController::tagSocket(int sockFd, uint32_t tag, uid_t uid, uid_t callingUid) {
-    std::lock_guard guard(mOwnerMatchMutex);
+    std::lock_guard guard(mMutex);
     if (uid != callingUid && !hasUpdateDeviceStatsPermission(callingUid)) {
         return -EPERM;
     }
@@ -348,7 +348,7 @@
     // Now we go through the stats map and count how many entries are associated
     // with target uid. If the uid entry hit the limit for each uid, we block
     // the request to prevent the map from overflow. It is safe here to iterate
-    // over the map since when mOwnerMatchMutex is hold, system server cannot toggle
+    // over the map since when mMutex is hold, system server cannot toggle
     // the live stats map and clean it. So nobody can delete entries from the map.
     const auto countUidStatsEntries = [uid, &totalEntryCount](const StatsKey& key,
                                                               BpfMap<StatsKey, StatsValue>&) {
@@ -407,6 +407,7 @@
 int TrafficController::setCounterSet(int counterSetNum, uid_t uid, uid_t callingUid) {
     if (counterSetNum < 0 || counterSetNum >= OVERFLOW_COUNTERSET) return -EINVAL;
 
+    std::lock_guard guard(mMutex);
     if (!hasUpdateDeviceStatsPermission(callingUid)) return -EPERM;
 
     if (mBpfLevel == BpfLevel::NONE) {
@@ -439,6 +440,7 @@
 // is called inside removeUidsLocked() while holding mStatsLock. So it is safe
 // to iterate and modify the stats maps.
 int TrafficController::deleteTagData(uint32_t tag, uid_t uid, uid_t callingUid) {
+    std::lock_guard guard(mMutex);
     if (!hasUpdateDeviceStatsPermission(callingUid)) return -EPERM;
 
     if (mBpfLevel == BpfLevel::NONE) {
@@ -522,7 +524,7 @@
 
 Status TrafficController::updateOwnerMapEntry(UidOwnerMatchType match, uid_t uid, FirewallRule rule,
                                               FirewallType type) {
-    std::lock_guard guard(mOwnerMatchMutex);
+    std::lock_guard guard(mMutex);
     if ((rule == ALLOW && type == WHITELIST) || (rule == DENY && type == BLACKLIST)) {
         RETURN_IF_NOT_OK(addRule(mUidOwnerMap, uid, match));
     } else if ((rule == ALLOW && type == BLACKLIST) || (rule == DENY && type == WHITELIST)) {
@@ -585,7 +587,7 @@
 Status TrafficController::updateUidOwnerMap(const std::vector<std::string>& appStrUids,
                                             BandwidthController::IptJumpOp jumpHandling,
                                             BandwidthController::IptOp op) {
-    std::lock_guard guard(mOwnerMatchMutex);
+    std::lock_guard guard(mMutex);
     UidOwnerMatchType match = jumpOpToMatch(jumpHandling);
     if (match == NO_MATCH) {
         return statusFromErrno(
@@ -642,7 +644,7 @@
 
 Status TrafficController::replaceRulesInMap(const UidOwnerMatchType match,
                                             const std::vector<int32_t>& uids) {
-    std::lock_guard guard(mOwnerMatchMutex);
+    std::lock_guard guard(mMutex);
     std::set<int32_t> uidSet(uids.begin(), uids.end());
     std::vector<uint32_t> uidsToDelete;
     auto getUidsToDelete = [&uidsToDelete, &uidSet](const uint32_t& key,
@@ -673,7 +675,7 @@
     if (!iif) {
         return statusFromErrno(EINVAL, "Interface rule must specify interface");
     }
-    std::lock_guard guard(mOwnerMatchMutex);
+    std::lock_guard guard(mMutex);
 
     for (auto uid : uidsToAdd) {
         netdutils::Status result = addRule(mUidOwnerMap, uid, IIF_MATCH, iif);
@@ -689,7 +691,7 @@
         ALOGW("UID ingress interface filtering not possible without BPF owner match");
         return statusFromErrno(EOPNOTSUPP, "eBPF not supported");
     }
-    std::lock_guard guard(mOwnerMatchMutex);
+    std::lock_guard guard(mMutex);
 
     for (auto uid : uidsToDelete) {
         netdutils::Status result = removeRule(mUidOwnerMap, uid, IIF_MATCH);
@@ -730,7 +732,7 @@
 }
 
 int TrafficController::toggleUidOwnerMap(ChildChain chain, bool enable) {
-    std::lock_guard guard(mOwnerMatchMutex);
+    std::lock_guard guard(mMutex);
     uint32_t key = UID_RULES_CONFIGURATION_KEY;
     auto oldConfiguration = mConfigurationMap.readValue(key);
     if (!isOk(oldConfiguration)) {
@@ -768,7 +770,7 @@
 }
 
 Status TrafficController::swapActiveStatsMap() {
-    std::lock_guard guard(mOwnerMatchMutex);
+    std::lock_guard guard(mMutex);
 
     if (mBpfLevel == BpfLevel::NONE) {
         return statusFromErrno(EOPNOTSUPP, "This device doesn't have eBPF support");
@@ -810,6 +812,7 @@
 }
 
 void TrafficController::setPermissionForUids(int permission, const std::vector<uid_t>& uids) {
+    std::lock_guard guard(mMutex);
     if (permission == INetd::PERMISSION_UNINSTALLED) {
         for (uid_t uid : uids) {
             // Clean up all permission information for the related uid if all the
@@ -879,7 +882,7 @@
 const String16 TrafficController::DUMP_KEYWORD = String16("trafficcontroller");
 
 void TrafficController::dump(DumpWriter& dw, bool verbose) {
-    std::lock_guard ownerMapGuard(mOwnerMatchMutex);
+    std::lock_guard guard(mMutex);
     ScopedIndent indentTop(dw);
     dw.println("TrafficController");
 
diff --git a/server/TrafficController.h b/server/TrafficController.h
index d30749b..cafc319 100644
--- a/server/TrafficController.h
+++ b/server/TrafficController.h
@@ -57,7 +57,7 @@
      * the spinlock initialized with the map. So the behavior of two modules
      * should be the same. No additional lock needed.
      */
-    int tagSocket(int sockFd, uint32_t tag, uid_t uid, uid_t callingUid);
+    int tagSocket(int sockFd, uint32_t tag, uid_t uid, uid_t callingUid) EXCLUDES(mMutex);
 
     /*
      * The untag process is similiar to tag socket and both old qtaguid module and
@@ -69,7 +69,7 @@
     /*
      * Similiar as above, no external lock required.
      */
-    int setCounterSet(int counterSetNum, uid_t uid, uid_t callingUid);
+    int setCounterSet(int counterSetNum, uid_t uid, uid_t callingUid) EXCLUDES(mMutex);
 
     /*
      * When deleting a tag data, the qtaguid module will grab the spinlock of each
@@ -79,7 +79,7 @@
      * each map one by one. And deleting processes are also protected by the
      * spinlock of the map. So no additional lock is required.
      */
-    int deleteTagData(uint32_t tag, uid_t uid, uid_t callingUid);
+    int deleteTagData(uint32_t tag, uid_t uid, uid_t callingUid) EXCLUDES(mMutex);
 
     /*
      * Check if the current device have the bpf traffic stats accounting service
@@ -90,7 +90,7 @@
     /*
      * Swap the stats map config from current active stats map to the idle one.
      */
-    netdutils::Status swapActiveStatsMap();
+    netdutils::Status swapActiveStatsMap() EXCLUDES(mMutex);
 
     /*
      * Add the interface name and index pair into the eBPF map.
@@ -105,25 +105,27 @@
                            const std::vector<int32_t>& uids);
 
     netdutils::Status updateOwnerMapEntry(UidOwnerMatchType match, uid_t uid, FirewallRule rule,
-                                          FirewallType type);
+                                          FirewallType type) EXCLUDES(mMutex);
 
-    void dump(netdutils::DumpWriter& dw, bool verbose);
+    void dump(netdutils::DumpWriter& dw, bool verbose) EXCLUDES(mMutex);
 
-    netdutils::Status replaceRulesInMap(UidOwnerMatchType match, const std::vector<int32_t>& uids);
+    netdutils::Status replaceRulesInMap(UidOwnerMatchType match, const std::vector<int32_t>& uids)
+            EXCLUDES(mMutex);
 
-    netdutils::Status addUidInterfaceRules(const int ifIndex, const std::vector<int32_t>& uids);
-    netdutils::Status removeUidInterfaceRules(const std::vector<int32_t>& uids);
+    netdutils::Status addUidInterfaceRules(const int ifIndex, const std::vector<int32_t>& uids)
+            EXCLUDES(mMutex);
+    netdutils::Status removeUidInterfaceRules(const std::vector<int32_t>& uids) EXCLUDES(mMutex);
 
     netdutils::Status updateUidOwnerMap(const std::vector<std::string>& appStrUids,
                                         BandwidthController::IptJumpOp jumpHandling,
-                                        BandwidthController::IptOp op);
+                                        BandwidthController::IptOp op) EXCLUDES(mMutex);
     static const String16 DUMP_KEYWORD;
 
-    int toggleUidOwnerMap(ChildChain chain, bool enable);
+    int toggleUidOwnerMap(ChildChain chain, bool enable) EXCLUDES(mMutex);
 
     static netdutils::StatusOr<std::unique_ptr<NetlinkListenerInterface>> makeSkDestroyListener();
 
-    void setPermissionForUids(int permission, const std::vector<uid_t>& uids);
+    void setPermissionForUids(int permission, const std::vector<uid_t>& uids) EXCLUDES(mMutex);
 
   private:
     /*
@@ -162,9 +164,9 @@
      * Map Value: struct Stats, contains packet count and byte count of each
      * transport protocol on egress and ingress direction.
      */
-    BpfMap<StatsKey, StatsValue> mStatsMapA;
+    BpfMap<StatsKey, StatsValue> mStatsMapA GUARDED_BY(mMutex);
 
-    BpfMap<StatsKey, StatsValue> mStatsMapB;
+    BpfMap<StatsKey, StatsValue> mStatsMapB GUARDED_BY(mMutex);
 
     /*
      * mIfaceIndexNameMap: Store the index name pair of each interface show up
@@ -191,42 +193,42 @@
      *    Userspace can do scraping and cleaning job on the other one depending on the
      *    current configs.
      */
-    BpfMap<uint32_t, uint8_t> mConfigurationMap GUARDED_BY(mOwnerMatchMutex);
+    BpfMap<uint32_t, uint8_t> mConfigurationMap GUARDED_BY(mMutex);
 
     /*
      * mUidOwnerMap: Store uids that are used for bandwidth control uid match.
      */
-    BpfMap<uint32_t, UidOwnerValue> mUidOwnerMap GUARDED_BY(mOwnerMatchMutex);
+    BpfMap<uint32_t, UidOwnerValue> mUidOwnerMap GUARDED_BY(mMutex);
 
     /*
      * mUidOwnerMap: Store uids that are used for INTERNET permission check.
      */
-    BpfMap<uint32_t, uint8_t> mUidPermissionMap;
+    BpfMap<uint32_t, uint8_t> mUidPermissionMap GUARDED_BY(mMutex);
 
     std::unique_ptr<NetlinkListenerInterface> mSkDestroyListener;
 
     netdutils::Status removeRule(BpfMap<uint32_t, UidOwnerValue>& map, uint32_t uid,
-                                 UidOwnerMatchType match) REQUIRES(mOwnerMatchMutex);
+                                 UidOwnerMatchType match) REQUIRES(mMutex);
 
     netdutils::Status addRule(BpfMap<uint32_t, UidOwnerValue>& map, uint32_t uid,
-                              UidOwnerMatchType match, uint32_t iif = 0) REQUIRES(mOwnerMatchMutex);
+                              UidOwnerMatchType match, uint32_t iif = 0) REQUIRES(mMutex);
 
     bpf::BpfLevel mBpfLevel;
 
-    std::mutex mOwnerMatchMutex;
+    std::mutex mMutex;
 
     netdutils::Status loadAndAttachProgram(bpf_attach_type type, const char* path, const char* name,
                                            base::unique_fd& cg_fd);
 
-    netdutils::Status initMaps();
+    netdutils::Status initMaps() EXCLUDES(mMutex);
 
     // Keep track of uids that have permission UPDATE_DEVICE_STATS so we don't
     // need to call back to system server for permission check.
-    std::set<uid_t> mPrivilegedUser;
+    std::set<uid_t> mPrivilegedUser GUARDED_BY(mMutex);
 
     UidOwnerMatchType jumpOpToMatch(BandwidthController::IptJumpOp jumpHandling);
 
-    bool hasUpdateDeviceStatsPermission(uid_t uid);
+    bool hasUpdateDeviceStatsPermission(uid_t uid) REQUIRES(mMutex);
     // For testing
     friend class TrafficControllerTest;
 };
diff --git a/server/TrafficControllerTest.cpp b/server/TrafficControllerTest.cpp
index e2a1327..bb56d97 100644
--- a/server/TrafficControllerTest.cpp
+++ b/server/TrafficControllerTest.cpp
@@ -70,7 +70,7 @@
     BpfMap<uint32_t, uint8_t> mFakeUidPermissionMap;
 
     void SetUp() {
-        std::lock_guard ownerGuard(mTc.mOwnerMatchMutex);
+        std::lock_guard guard(mTc.mMutex);
         SKIP_IF_BPF_NOT_SUPPORTED;
         ASSERT_EQ(0, setrlimitForTest());
 
@@ -249,13 +249,17 @@
     }
 
     void expectPrivilegedUserSet(const std::vector<uid_t>& appUids) {
+        std::lock_guard guard(mTc.mMutex);
         EXPECT_EQ(appUids.size(), mTc.mPrivilegedUser.size());
         for (uid_t uid : appUids) {
             EXPECT_NE(mTc.mPrivilegedUser.end(), mTc.mPrivilegedUser.find(uid));
         }
     }
 
-    void expectPrivilegedUserSetEmpty() { EXPECT_TRUE(mTc.mPrivilegedUser.empty()); }
+    void expectPrivilegedUserSetEmpty() {
+        std::lock_guard guard(mTc.mMutex);
+        EXPECT_TRUE(mTc.mPrivilegedUser.empty());
+    }
 
     void addPrivilegedUid(uid_t uid) {
         std::vector privilegedUid = {uid};