fix: NOP register_chrdev instead of remapping, direct sysfs_write for PCI disable

- Host nvidia-580 owns both majors 185 and 195; any chrdev remap still
  conflicts. Switch catalyst patch from PatchByteAt(0x7b, 0xC3→0xB9) to
  NopCallAt(0x7f) to skip register_chrdev entirely — the catalyst
  pattern doesn't need the chardev, PCI match triggers probe.
- Use direct sysfs_write for PCI enable attribute instead of guarded
  child process — the enable attribute is non-blocking and the shell
  child was failing with I/O errors.

Status: insmod chrdev conflict resolved, but request_mem_region still
fails on Titan V because PCI BAR resources remain claimed by the kernel
resource tree even after unbind+disable. Needs PCI remove/rescan
approach or kernel-level BAR release.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: ecoPrimal

crates/core/cylinder/src/vfio/module_patch.rs

@@ -389,20 +389,14 @@ impl PatchSet {
                     symbol: "nv_cap_destroy_entry".into(),
                     strategy: PatchStrategy::RetAtEntry,
                 },
-                // Remap chrdev major 195→185 in the __register_chrdev
-                // call inside init_module. Host nvidia owns major 195;
-                // changing the immediate avoids conflict without NOP-ing
-                // the call, so RM's chardev is created (major 185) and
-                // userspace can trigger GPU init via device open.
-                // Layout: `bf c3 00 00 00` = `mov $0xc3, %edi` at fn+0x7a;
-                // the immediate 0xC3 is at fn+0x7b.
+                // NOP the __register_chrdev call inside init_module.
+                // Host nvidia owns majors 185 and 195; any remap still
+                // conflicts. For the catalyst pattern we don't need the
+                // chardev — the PCI match triggers probe during insmod.
+                // Layout: `call __register_chrdev` at fn+0x7f (5 bytes).
                 PatchTarget {
                     symbol: "init_module".into(),
-                    strategy: PatchStrategy::PatchByteAt {
-                        fn_offset: 0x7b,
-                        expected: 0xC3,
-                        replacement: 0xB9,
-                    },
+                    strategy: PatchStrategy::NopCallAt(0x7f),
                 },
             ],
             min_applied: 1,

crates/core/cylinder/src/vfio/sovereign_handoff.rs

@@ -796,18 +796,16 @@ pub fn execute_handoff(
                 // request_mem_region call on BAR0 fails because the
                 // PCI subsystem still has the region reserved from the
                 // previous driver's pci_enable_device.
+                // Direct sysfs_write is safe here: the device is unbound
+                // and the `enable` attribute is a non-blocking kernel op.
                 let enable_path = crate::linux_paths::sysfs_pci_device_file(
                     &config.bdf, "enable",
                 );
-                if let Err(e) = guarded_sysfs::sysfs_write_guarded(
-                    &enable_path, "0",
-                    guarded_sysfs::UNBIND_TIMEOUT,
-                ) {
-                    tracing::warn!(bdf = config.bdf.as_str(), error = %e,
-                        "pci disable failed (continuing — request_mem_region may fail)");
-                } else {
-                    tracing::info!(bdf = config.bdf.as_str(),
-                        "pci device disabled — BAR resources released for driver takeover");
+                match guarded_sysfs::sysfs_write(&enable_path, "0") {
+                    Ok(()) => tracing::info!(bdf = config.bdf.as_str(),
+                        "pci device disabled — BAR resources released for driver takeover"),
+                    Err(e) => tracing::warn!(bdf = config.bdf.as_str(), error = %e,
+                        "pci disable failed (continuing — request_mem_region may fail)"),
                 }
 
                 let override_path = crate::linux_paths::sysfs_pci_device_file(