S185: Unsafe evolution — remove redundant Send/Sync impls, evolve DMA fd to OwnedFd

- Remove redundant `unsafe impl Send/Sync` from LockedMemory (auto-derived
  from AlignedAlloc) and `unsafe impl Send` from Bar0Access (auto-derived
  from SafeMmapRegion via memmap2's MmapInner: Send+Sync)
- Add compile-time Send/Sync assertions on AlignedAlloc, HugePageMemory,
  DeviceMmap, LockedMemory, Bar0Access for regression protection
- Evolve akida-driver DmaBuffer from RawFd to OwnedFd — stronger fd validity
  guarantees, uses dma_map/dma_unmap directly instead of dma_map_fd/dma_unmap_fd
- Deprecate dma_map_fd/dma_unmap_fd in favor of BorrowedFd/OwnedFd variants
- Net: -3 unsafe impl blocks, stronger ownership model for DMA fd handling

Made-with: Cursor

Author: westgate

crates/core/hw-safe/src/aligned_alloc.rs

@@ -161,6 +161,13 @@ impl Drop for AlignedAlloc {
 // as_slice/as_mut_slice.
 unsafe impl Send for AlignedAlloc {}
 unsafe impl Sync for AlignedAlloc {}
+#[allow(dead_code, reason = "compile-time trait bound assertion")]
+const _: () = {
+    fn assert_send_sync<T: Send + Sync>() {}
+    fn check() {
+        assert_send_sync::<AlignedAlloc>();
+    }
+};
 
 impl std::fmt::Debug for AlignedAlloc {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {

crates/core/hw-safe/src/device_mmap.rs

@@ -136,6 +136,13 @@ impl Drop for DeviceMmap {
 unsafe impl Send for DeviceMmap {}
 // SAFETY: Reads via &self; writes via &mut self. Borrow checker enforces.
 unsafe impl Sync for DeviceMmap {}
+#[allow(dead_code, reason = "compile-time trait bound assertion")]
+const _: () = {
+    fn assert_send_sync<T: Send + Sync>() {}
+    fn check() {
+        assert_send_sync::<DeviceMmap>();
+    }
+};
 
 impl std::fmt::Debug for DeviceMmap {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {

crates/core/hw-safe/src/huge_page.rs

@@ -156,6 +156,13 @@ impl Drop for HugePageMemory {
 unsafe impl Send for HugePageMemory {}
 // SAFETY: Reads via &self; writes require &mut self.
 unsafe impl Sync for HugePageMemory {}
+#[allow(dead_code, reason = "compile-time trait bound assertion")]
+const _: () = {
+    fn assert_send_sync<T: Send + Sync>() {}
+    fn check() {
+        assert_send_sync::<HugePageMemory>();
+    }
+};
 
 impl std::fmt::Debug for HugePageMemory {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {

crates/core/hw-safe/src/locked_memory.rs

@@ -103,9 +103,15 @@ impl Drop for LockedMemory {
     }
 }
 
-// SAFETY: Same justification as AlignedAlloc — exclusive ownership.
-unsafe impl Send for LockedMemory {}
-unsafe impl Sync for LockedMemory {}
+// Send + Sync auto-derived: LockedMemory contains only AlignedAlloc (which is
+// Send + Sync) — no additional raw pointers or non-threadsafe fields.
+#[allow(dead_code, reason = "compile-time trait bound assertion")]
+const _: () = {
+    fn assert_send_sync<T: Send + Sync>() {}
+    fn check() {
+        assert_send_sync::<LockedMemory>();
+    }
+};
 
 impl std::fmt::Debug for LockedMemory {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {

crates/core/hw-safe/src/vfio_dma.rs

@@ -135,8 +135,8 @@ pub unsafe fn dma_unmap(container_fd: BorrowedFd<'_>, unmap: &VfioDmaUnmap) -> s
 
 /// Map a host buffer into the device IOMMU using a raw file descriptor.
 ///
-/// Convenience wrapper that combines [`BorrowedFd::borrow_raw`] and [`dma_map`]
-/// into a single call, eliminating the duplicate `unsafe` at each call site.
+/// Prefer [`dma_map`] with `OwnedFd`/`BorrowedFd` for stronger fd validity
+/// guarantees. This wrapper exists for callers that only have a `RawFd`.
 ///
 /// # Errors
 ///
@@ -147,6 +147,7 @@ pub unsafe fn dma_unmap(container_fd: BorrowedFd<'_>, unmap: &VfioDmaUnmap) -> s
 /// Same invariants as [`dma_map`], plus:
 /// - `fd` must be a valid, open VFIO container file descriptor that remains
 ///   open for the duration of this call.
+#[deprecated(note = "prefer dma_map() with BorrowedFd/OwnedFd for fd safety")]
 pub unsafe fn dma_map_fd(fd: RawFd, map: &VfioDmaMap) -> std::io::Result<()> {
     // SAFETY: caller guarantees fd is valid and open.
     let borrowed = unsafe { BorrowedFd::borrow_raw(fd) };
@@ -156,8 +157,8 @@ pub unsafe fn dma_map_fd(fd: RawFd, map: &VfioDmaMap) -> std::io::Result<()> {
 
 /// Remove a device IOMMU mapping using a raw file descriptor.
 ///
-/// Convenience wrapper that combines [`BorrowedFd::borrow_raw`] and [`dma_unmap`]
-/// into a single call, eliminating the duplicate `unsafe` at each call site.
+/// Prefer [`dma_unmap`] with `OwnedFd`/`BorrowedFd` for stronger fd validity
+/// guarantees. This wrapper exists for callers that only have a `RawFd`.
 ///
 /// # Errors
 ///
@@ -168,6 +169,7 @@ pub unsafe fn dma_map_fd(fd: RawFd, map: &VfioDmaMap) -> std::io::Result<()> {
 /// Same invariants as [`dma_unmap`], plus:
 /// - `fd` must be a valid, open VFIO container file descriptor that remains
 ///   open for the duration of this call.
+#[deprecated(note = "prefer dma_unmap() with BorrowedFd/OwnedFd for fd safety")]
 pub unsafe fn dma_unmap_fd(fd: RawFd, unmap: &VfioDmaUnmap) -> std::io::Result<()> {
     // SAFETY: caller guarantees fd is valid and open.
     let borrowed = unsafe { BorrowedFd::borrow_raw(fd) };

crates/core/nvpmu/src/bar0.rs

@@ -106,9 +106,15 @@ impl Bar0Access {
     }
 }
 
-// SAFETY: Bar0Access delegates all pointer operations to SafeMmapRegion
-// which is Send. Moving between threads doesn't invalidate the mapping.
-unsafe impl Send for Bar0Access {}
+// Send auto-derived: Bar0Access contains SafeMmapRegion (Send via memmap2's
+// MmapInner: Send + Sync) and String (Send). No raw pointers.
+#[allow(dead_code, reason = "compile-time trait bound assertion")]
+const _: () = {
+    fn assert_send<T: Send>() {}
+    fn check() {
+        assert_send::<Bar0Access>();
+    }
+};
 
 impl hw_learn::applicator::RegisterAccess for Bar0Access {
     fn read_u32(&self, offset: u64) -> std::result::Result<u32, String> {

crates/core/nvpmu/src/dma.rs

@@ -120,6 +120,7 @@ impl Drop for DmaBuffer {
 
         // SAFETY: container_fd still valid (DmaBuffer dropped before container);
         // unmap matches prior dma_map for this IOVA range.
+        #[allow(deprecated, reason = "nvpmu stores RawFd — evolve to OwnedFd in future")]
         let _ = unsafe { vfio_dma::dma_unmap_fd(self.container_fd, &unmap) };
 
         // LockedMemory / HugePageMemory handle their own cleanup via Drop.
@@ -158,6 +159,7 @@ impl DmaAllocator {
 
         // SAFETY: container_fd is a valid VFIO container fd held for the lifetime of
         // DmaAllocator; vaddr from LockedMemory/HugePageMemory; IOVA range unused.
+        #[allow(deprecated, reason = "nvpmu stores RawFd — evolve to OwnedFd in future")]
         unsafe { vfio_dma::dma_map_fd(self.container_fd, &dma_map) }
             .map_err(|e| NvPmuError::Hardware(format!("VFIO DMA map failed: {e}")))
     }

crates/neuromorphic/akida-driver/src/backends/vfio/dma.rs

@@ -1,15 +1,15 @@
 // SPDX-License-Identifier: AGPL-3.0-only
-#![allow(unsafe_code)] // VFIO DMA ioctls + BorrowedFd::borrow_raw(container_fd)
+#![allow(unsafe_code)] // VFIO DMA map/unmap ioctls require unsafe
 //! DMA buffer management for VFIO NPU backend
 //!
 //! Provides page-aligned, mlock'd, IOMMU-mapped memory buffers for
 //! zero-copy data transfer between host and NPU hardware.
 
 use crate::error::{AkidaError, Result};
-use std::os::fd::RawFd;
+use std::os::fd::{AsFd, OwnedFd};
 
 use toadstool_hw_safe::LockedMemory;
-use toadstool_hw_safe::vfio_dma::{VfioDmaMap, VfioDmaUnmap, dma_map_fd, dma_unmap_fd, flags};
+use toadstool_hw_safe::vfio_dma::{VfioDmaMap, VfioDmaUnmap, dma_map, dma_unmap, flags};
 
 /// DMA buffer for fast host-to-device data transfer.
 ///
@@ -20,7 +20,7 @@ pub struct DmaBuffer {
     mem: LockedMemory,
     iova: u64,
     size: usize,
-    container_fd: RawFd,
+    container_fd: OwnedFd,
 }
 
 impl DmaBuffer {
@@ -29,7 +29,7 @@ impl DmaBuffer {
     /// # Errors
     ///
     /// Returns an error if allocation, mlock, or IOMMU DMA mapping fails.
-    pub(crate) fn new(container_fd: RawFd, size: usize, iova: u64) -> Result<Self> {
+    pub(crate) fn new(container_fd: OwnedFd, size: usize, iova: u64) -> Result<Self> {
         if size == 0 {
             return Err(AkidaError::transfer_failed("DMA buffer size must be > 0"));
         }
@@ -59,9 +59,9 @@ impl DmaBuffer {
             dma_map_arg.flags
         );
 
-        // SAFETY: container_fd from VFIO container open (valid and not closed);
+        // SAFETY: container_fd is the VFIO container (OwnedFd guarantees validity);
         // map.vaddr points at mem's allocation for size bytes; IOVA range chosen by caller.
-        if let Err(e) = unsafe { dma_map_fd(container_fd, &dma_map_arg) } {
+        if let Err(e) = unsafe { dma_map(container_fd.as_fd(), &dma_map_arg) } {
             tracing::warn!("DMA map failed: {e}");
             return Err(AkidaError::transfer_failed(format!(
                 "Failed to map DMA: {e}"
@@ -115,9 +115,9 @@ impl Drop for DmaBuffer {
             size: self.size as u64,
         };
 
-        // SAFETY: DmaBuffer dropped before VfioBackend (parent), so container_fd is still
-        // valid and open; iova/size match the prior dma_map_fd call.
-        let _ = unsafe { dma_unmap_fd(self.container_fd, &dma_unmap_arg) };
+        // SAFETY: container_fd is OwnedFd (guaranteed valid until Drop completes);
+        // iova/size match the prior dma_map call for this buffer.
+        let _ = unsafe { dma_unmap(self.container_fd.as_fd(), &dma_unmap_arg) };
 
         tracing::debug!("Freed DMA buffer at iova={:#x}", self.iova);
     }
@@ -128,18 +128,23 @@ mod tests {
     use super::*;
     use toadstool_hw_safe::vfio_dma::{VfioDmaMap, VfioDmaUnmap};
 
+    fn dummy_fd() -> OwnedFd {
+        use std::fs::File;
+        let f = File::open("/dev/null").expect("/dev/null");
+        f.into()
+    }
+
     #[test]
     fn test_dma_buffer_new_size_zero() {
-        let result = DmaBuffer::new(-1, 0, 0);
+        let result = DmaBuffer::new(dummy_fd(), 0, 0);
         assert!(result.is_err());
         let err = result.unwrap_err();
         assert!(err.to_string().contains("size must be > 0"));
     }
 
     #[test]
     fn test_dma_buffer_iova_size_accessors() {
-        // We can't create a real DmaBuffer without VFIO, but we can test the size zero path
-        let result = DmaBuffer::new(0, 0, 0x1000);
+        let result = DmaBuffer::new(dummy_fd(), 0, 0x1000);
         assert!(result.is_err());
     }
 

crates/neuromorphic/akida-driver/src/backends/vfio/mod.rs

@@ -25,7 +25,6 @@ use crate::error::{AkidaError, Result};
 use crate::mmio::{Bar, MappedRegion, regs};
 use std::fs::OpenOptions;
 use std::os::fd::{AsFd, OwnedFd};
-use std::os::unix::io::AsRawFd;
 use toadstool_hw_safe::vfio_setup;
 use types::PollConfig;
 use types::ioctls;
@@ -87,7 +86,12 @@ impl VfioBackend {
         let iova = self.next_iova;
         let aligned_size = size.div_ceil(4096) * 4096;
         self.next_iova += aligned_size as u64;
-        DmaBuffer::new(self.container.as_raw_fd(), aligned_size, iova)
+        let fd: OwnedFd = self
+            .container
+            .try_clone()
+            .map_err(|e| AkidaError::transfer_failed(format!("dup container fd: {e}")))?
+            .into();
+        DmaBuffer::new(fd, aligned_size, iova)
     }
 
     #[expect(