feat(virtq): cleanup send + sync bounds

Signed-off-by: Tomasz Andrzejak <andreiltd@gmail.com>

Author: andreiltd

Cargo.lock

@@ -17,7 +17,6 @@ workspace = true
 [dependencies]
 arbitrary = {version = "1.4.2", optional = true, features = ["derive"]}
 anyhow = { version = "1.0.102", default-features = false }
-atomic_refcell = "0.1.13"
 bitflags = "2.10.0"
 bytemuck = { version = "1.24", features = ["derive"] }
 bytes = { version = "1",  default-features = false }

src/hyperlight_common/Cargo.toml

@@ -20,6 +20,8 @@ limitations under the License.
 //! required by the virtqueue implementation. This allows the virtqueue code to
 //! work with different memory backends e.g. Host vs Guest.
 
+use alloc::sync::Arc;
+
 use bytemuck::Pod;
 
 /// Backend-provided memory access for virtqueue.
@@ -134,3 +136,32 @@ pub trait MemOps {
         Ok(())
     }
 }
+
+impl<T: MemOps> MemOps for Arc<T> {
+    type Error = T::Error;
+
+    fn read(&self, addr: u64, dst: &mut [u8]) -> Result<usize, Self::Error> {
+        (**self).read(addr, dst)
+    }
+
+    fn write(&self, addr: u64, src: &[u8]) -> Result<usize, Self::Error> {
+        (**self).write(addr, src)
+    }
+
+    fn load_acquire(&self, addr: u64) -> Result<u16, Self::Error> {
+        (**self).load_acquire(addr)
+    }
+
+    fn store_release(&self, addr: u64, val: u16) -> Result<(), Self::Error> {
+        (**self).store_release(addr, val)
+    }
+
+    unsafe fn as_slice(&self, addr: u64, len: usize) -> Result<&[u8], Self::Error> {
+        unsafe { (**self).as_slice(addr, len) }
+    }
+
+    #[allow(clippy::mut_from_ref)]
+    unsafe fn as_mut_slice(&self, addr: u64, len: usize) -> Result<&mut [u8], Self::Error> {
+        unsafe { (**self).as_mut_slice(addr, len) }
+    }
+}

src/hyperlight_common/src/virtq/access.rs

@@ -0,0 +1,158 @@
+/*
+Copyright 2026  The Hyperlight Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+//! Buffer allocation traits and shared types for virtqueue buffer management.
+
+use alloc::rc::Rc;
+use alloc::sync::Arc;
+
+use thiserror::Error;
+
+use super::access::MemOps;
+
+#[derive(Debug, Error, Copy, Clone)]
+pub enum AllocError {
+    #[error("Invalid region addr {0}")]
+    InvalidAlign(u64),
+    #[error("Invalid free addr {0} and size {1}")]
+    InvalidFree(u64, usize),
+    #[error("Invalid argument")]
+    InvalidArg,
+    #[error("Empty region")]
+    EmptyRegion,
+    #[error("Out of memory")]
+    OutOfMemory,
+    #[error("Overflow")]
+    Overflow,
+}
+
+/// Allocation result
+#[derive(Debug, Clone, Copy)]
+pub struct Allocation {
+    /// Starting address of the allocation
+    pub addr: u64,
+    /// Length of the allocation in bytes rounded up to slab size
+    pub len: usize,
+}
+
+/// Trait for buffer providers.
+pub trait BufferProvider {
+    /// Allocate at least `len` bytes.
+    fn alloc(&self, len: usize) -> Result<Allocation, AllocError>;
+
+    /// Free a previously allocated block.
+    fn dealloc(&self, alloc: Allocation) -> Result<(), AllocError>;
+
+    /// Resize by trying in-place grow; otherwise reserve a new block and free old.
+    fn resize(&self, old_alloc: Allocation, new_len: usize) -> Result<Allocation, AllocError>;
+
+    /// Reset the pool to initial state.
+    fn reset(&self) {}
+}
+
+impl<T: BufferProvider> BufferProvider for Rc<T> {
+    fn alloc(&self, len: usize) -> Result<Allocation, AllocError> {
+        (**self).alloc(len)
+    }
+    fn dealloc(&self, alloc: Allocation) -> Result<(), AllocError> {
+        (**self).dealloc(alloc)
+    }
+    fn resize(&self, old_alloc: Allocation, new_len: usize) -> Result<Allocation, AllocError> {
+        (**self).resize(old_alloc, new_len)
+    }
+    fn reset(&self) {
+        (**self).reset()
+    }
+}
+
+impl<T: BufferProvider> BufferProvider for Arc<T> {
+    fn alloc(&self, len: usize) -> Result<Allocation, AllocError> {
+        (**self).alloc(len)
+    }
+    fn dealloc(&self, alloc: Allocation) -> Result<(), AllocError> {
+        (**self).dealloc(alloc)
+    }
+    fn resize(&self, old_alloc: Allocation, new_len: usize) -> Result<Allocation, AllocError> {
+        (**self).resize(old_alloc, new_len)
+    }
+    fn reset(&self) {
+        (**self).reset()
+    }
+}
+
+/// The owner of a mapped buffer, ensuring its lifetime.
+///
+/// Holds a pool allocation and provides direct access to the underlying
+/// shared memory via [`MemOps::as_slice`]. Implements `AsRef<[u8]>` so it
+/// can be used with [`Bytes::from_owner`](bytes::Bytes::from_owner) for
+/// zero-copy `Bytes` backed by shared memory.
+///
+/// When dropped, the allocation is returned to the pool.
+#[derive(Debug, Clone)]
+pub struct BufferOwner<P: BufferProvider, M: MemOps> {
+    pub(crate) pool: P,
+    pub(crate) mem: M,
+    pub(crate) alloc: Allocation,
+    pub(crate) written: usize,
+}
+
+impl<P: BufferProvider, M: MemOps> Drop for BufferOwner<P, M> {
+    fn drop(&mut self) {
+        let _ = self.pool.dealloc(self.alloc);
+    }
+}
+
+impl<P: BufferProvider, M: MemOps> AsRef<[u8]> for BufferOwner<P, M> {
+    fn as_ref(&self) -> &[u8] {
+        let len = self.written.min(self.alloc.len);
+        // Safety: BufferOwner keeps both the pool allocation and the M
+        // alive, so the memory region is valid. Protocol-level descriptor
+        // ownership transfer guarantees no concurrent writes.
+        match unsafe { self.mem.as_slice(self.alloc.addr, len) } {
+            Ok(slice) => slice,
+            Err(_) => &[],
+        }
+    }
+}
+
+/// A guard that runs a cleanup function when dropped, unless dismissed.
+pub struct AllocGuard<F: FnOnce(Allocation)>(Option<(Allocation, F)>);
+
+impl<F: FnOnce(Allocation)> AllocGuard<F> {
+    pub fn new(alloc: Allocation, cleanup: F) -> Self {
+        Self(Some((alloc, cleanup)))
+    }
+
+    pub fn release(mut self) -> Allocation {
+        self.0.take().unwrap().0
+    }
+}
+
+impl<F: FnOnce(Allocation)> core::ops::Deref for AllocGuard<F> {
+    type Target = Allocation;
+
+    fn deref(&self) -> &Allocation {
+        &self.0.as_ref().unwrap().0
+    }
+}
+
+impl<F: FnOnce(Allocation)> Drop for AllocGuard<F> {
+    fn drop(&mut self) {
+        if let Some((alloc, cleanup)) = self.0.take() {
+            cleanup(alloc)
+        }
+    }
+}

src/hyperlight_common/src/virtq/buffer.rs

@@ -151,18 +151,19 @@ limitations under the License.
 //! ```
 
 mod access;
+mod buffer;
 mod consumer;
 mod desc;
 mod event;
 pub mod msg;
 mod pool;
 mod producer;
-pub mod recycle_pool;
 mod ring;
 
 use core::num::NonZeroU16;
 
 pub use access::*;
+pub use buffer::*;
 pub use consumer::*;
 pub use desc::*;
 pub use event::*;
@@ -440,8 +441,8 @@ pub(crate) mod test_utils {
         }
     }
 
-    type TestProducer = VirtqProducer<Arc<TestMem>, TestNotifier, TestPool>;
-    type TestConsumer = VirtqConsumer<Arc<TestMem>, TestNotifier>;
+    type TestProducer = VirtqProducer<TestMem, TestNotifier, TestPool>;
+    type TestConsumer = VirtqConsumer<TestMem, TestNotifier>;
 
     /// Create test infrastructure: a producer, consumer, and notifier backed
     /// by the supplied [`OwnedRing`].
@@ -474,7 +475,7 @@ mod tests {
 
     /// Helper: build and submit an entry+completion chain using the chain() builder.
     fn send_readwrite(
-        producer: &mut VirtqProducer<Arc<TestMem>, TestNotifier, TestPool>,
+        producer: &mut VirtqProducer<TestMem, TestNotifier, TestPool>,
         entry_data: &[u8],
         cqe_cap: usize,
     ) -> Token {
@@ -957,7 +958,7 @@ mod fuzz {
         }
     }
 
-    impl MemOps for Arc<LoomMem> {
+    impl MemOps for LoomMem {
         type Error = MemErr;
 
         fn read(&self, addr: u64, dst: &mut [u8]) -> Result<usize, Self::Error> {