krun: ensure has_kvm and has_nitro are initialized

[iczero]

The OCI config path .linux.resources.devices is not set by rootless podman because rootless cannot access devices. This causes initialization of has_kvm and has_nitro to be skipped, resulting in funny cases where krun claims that /dev/kvm doesn't exist on very specific platforms.

Not sure if this is the preferred way to fix this. Maybe has_kvm shouldn't be set in modify_oci_configuration?

Fixes #1856

Summary by Sourcery

Ensure has_kvm and has_nitro flags are initialized before early exits and consistently inject the /dev/kvm and /dev/nitro devices into the OCI configuration even when the devices array is initially missing.

Bug Fixes:

• Initialize kconf->has_kvm and kconf->has_nitro before the early null-check to avoid uninitialized values and skipped device support

Enhancements:

• Allocate linux.resources and resources.devices structures if they are null to guarantee the devices array exists
• Recalculate and reallocate the devices array length before populating it with available devices (/dev/kvm, SEV, Nitro) based on the detected flags

[sourcery-ai]

Reviewer's Guide

This patch ensures that has_kvm and has_nitro flags are set before any early exit in modify_oci_configuration, removes brittle null-checks by allocating missing linux and resources structs, and refactors device array resizing and addition into a single coherent workflow to reliably inject /dev/kvm, /dev/sev, and /dev/nitro entries.

Class diagram for updated krun device initialization

classDiagram
    class krun_config {
        +bool has_kvm
        +bool has_nitro
    }
    class runtime_spec_schema_config_linux {
        +resources: runtime_spec_schema_config_linux_resources
    }
    class runtime_spec_schema_config_linux_resources {
        +devices: Device[]
        +devices_len: size_t
    }
    class Device
    krun_config --> runtime_spec_schema_config_linux
    runtime_spec_schema_config_linux --> runtime_spec_schema_config_linux_resources
    runtime_spec_schema_config_linux_resources --> Device

Loading

Flow diagram for device array allocation and injection in modify_oci_configuration

flowchart TD
    A[Check /dev/kvm, /dev/sev, /dev/nitro] --> B[Set has_kvm, has_nitro]
    B --> C{has_kvm or has_nitro?}
    C -- No --> D[Return]
    C -- Yes --> E[Ensure linux and resources structs exist]
    E --> F[Resize devices array]
    F --> G[Inject /dev/kvm, /dev/sev, /dev/nitro as needed]
    G --> H[Update devices_len]
    H --> I[Return]

Loading

File-Level Changes

Change	Details	Files
Initialize device presence flags before early returns	Move kconf->has_kvm and kconf->has_nitro assignments up Change early return to trigger only when both flags are false	src/libcrun/handlers/krun.c
Allocate missing OCI spec linux and resources structs	Remove null-check on def->linux/resources/devices Add xmalloc0 for def->linux and def->linux->resources when NULL	src/libcrun/handlers/krun.c
Refactor device array resizing using old_len/new_len	Compute new_len based on has_kvm, has_sev, has_nitro Replace multiple xrealloc calls with one allocation Update devices_len in one assignment	src/libcrun/handlers/krun.c
Unify appending of /dev/kvm, /dev/sev, and /dev/nitro entries	Use old_len counter to append devices in order Merge separate make_oci_spec_dev calls into a single loop-like sequence	src/libcrun/handlers/krun.c

Assessment against linked issues

Issue	Objective	Addressed	Explanation
#1856	Fix the regression in crun-krun 1.23 where rootless podman fails to start containers with --runtime krun due to /dev/kvm being reported as unavailable.	✅
#1856	Ensure that has_kvm and has_nitro are correctly initialized even when .linux.resources.devices is not set by rootless podman.	✅

Possibly linked issues

• Regression: crun-krun 1.23 fails to start when using rootless podman on AMD #1856: The PR fixes the issue where krun fails to start rootless podman by initializing has_kvm and has_nitro when OCI config devices are unset.
• Travis integration #1: PR fixes krun's has_kvm/has_nitro initialization, which, if uninitialized, can cause the SIGSEGV reported in the issue.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey there - I've reviewed your changes and they look great!

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[tylerfanelli]

Since the OCI docs state that def->linux->resources->devices lists the devices that must be available in the container, I think we should allocate the array and add the specific devices needed.

We could check if def->linux->resources->devices == NULL and xmalloc the array if so.

[iczero]

Looks like that code was originally added to fix #1130 so krun won't be blocked by ebpf device filtering in cgroups. I'll fix it.

[packit-as-a-service]

Ephemeral COPR build failed. @containers/packit-build please check.

[packit-as-a-service]

Ephemeral COPR build failed. @containers/packit-build please check.

[iczero]

@sourcery-ai review

[sourcery-ai]

Hey there - I've reviewed your changes - here's some feedback:

• It looks like kconf->has_sev isn’t being initialized alongside has_sev, so you should assign kconf->has_sev = has_sev to avoid using an uninitialized value.
• Consider refactoring the repetitive device‐addition logic for KVM, SEV, and Nitro into a small helper function—this will make the length calculations and array writes clearer and reduce duplication.
• Double-check the xrealloc(..., device_size * (new_len + 1)) call to ensure the extra +1 slot is intentional (e.g., for a sentinel) and avoid any off-by-one mistakes.

Prompt for AI Agents

Please address the comments from this code review:
## Overall Comments
- It looks like `kconf->has_sev` isn’t being initialized alongside `has_sev`, so you should assign `kconf->has_sev = has_sev` to avoid using an uninitialized value.
- Consider refactoring the repetitive device‐addition logic for KVM, SEV, and Nitro into a small helper function—this will make the length calculations and array writes clearer and reduce duplication.
- Double-check the `xrealloc(..., device_size * (new_len + 1))` call to ensure the extra `+1` slot is intentional (e.g., for a sentinel) and avoid any off-by-one mistakes.

## Individual Comments

### Comment 1
<location> `src/libcrun/handlers/krun.c:751` </location>
<code_context>
+  if (def->linux->resources == NULL)
+    def->linux->resources = xmalloc0 (sizeof (runtime_spec_schema_config_linux_resources));

+  old_len = def->linux->resources->devices_len;
+  new_len = old_len;
+  if (has_kvm)
</code_context>

<issue_to_address>
Consider refactoring device appending logic into helper functions to simplify and clarify the code.

```suggestion
Instead of manually tracking old_len/new_len and doing a “+1” trick, pull out two small helpers (`ensure_resources()` and `append_device()`) so you can just append each device inline. This preserves the new feature checks but removes all the repetitive bookkeeping.

1) Add at the top (e.g. above `libkrun_modify_oci_configuration`):

```c
static void ensure_resources(runtime_spec_schema_config_schema *def) {
  if (!def->linux)
    def->linux = xmalloc0(sizeof *def->linux);
  if (!def->linux->resources)
    def->linux->resources = xmalloc0(sizeof *def->linux->resources);
}

static void append_device(runtime_spec_schema_config_schema *def,
                          runtime_spec_schema_defs_linux_device_cgroup dev) {
  size_t old = def->linux->resources->devices_len;
  def->linux->resources->devices =
    xrealloc(def->linux->resources->devices,
             sizeof dev * (old + 1));
  def->linux->resources->devices[old] = dev;
  def->linux->resources->devices_len = old + 1;
}
```

2) Replace your block with:

```c
  if (!has_kvm && !has_nitro)
    return 0;

  ensure_resources(def);

  if (has_kvm) {
    append_device(def, make_oci_spec_dev("a", st_kvm.st_rdev, true, "rwm"));
    if (has_sev)
      append_device(def, make_oci_spec_dev("a", st_sev.st_rdev, true, "rwm"));
  }

  if (has_nitro)
    append_device(def, make_oci_spec_dev("a", st_nitro.st_rdev, true, "rwm"));
```

This keeps all functionality, drops `old_len`/`new_len` arithmetic, and makes appends much clearer.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[iczero]

• kconf->has_sev doesn't exist
• I do not agree and do not want to call xrealloc (up to) 3 times
• xrealloc was previously called with one extra item as headroom, not entirely sure why, but I've kept that

[iczero]

Last change fixes indent only

[giuseppe]

LGTM

[giuseppe]

please amend the last change in the first patch

[tylerfanelli]

Already merged, but also LGTM. Thanks for addressing this @iczero