Back to home page

LXR

 
 

    


0001 /*
0002  * Wrapper for decompressing XZ-compressed kernel, initramfs, and initrd
0003  *
0004  * Author: Lasse Collin <lasse.collin@tukaani.org>
0005  *
0006  * This file has been put into the public domain.
0007  * You can do whatever you want with this file.
0008  */
0009 
0010 /*
0011  * Important notes about in-place decompression
0012  *
0013  * At least on x86, the kernel is decompressed in place: the compressed data
0014  * is placed to the end of the output buffer, and the decompressor overwrites
0015  * most of the compressed data. There must be enough safety margin to
0016  * guarantee that the write position is always behind the read position.
0017  *
0018  * The safety margin for XZ with LZMA2 or BCJ+LZMA2 is calculated below.
0019  * Note that the margin with XZ is bigger than with Deflate (gzip)!
0020  *
0021  * The worst case for in-place decompression is that the beginning of
0022  * the file is compressed extremely well, and the rest of the file is
0023  * uncompressible. Thus, we must look for worst-case expansion when the
0024  * compressor is encoding uncompressible data.
0025  *
0026  * The structure of the .xz file in case of a compresed kernel is as follows.
0027  * Sizes (as bytes) of the fields are in parenthesis.
0028  *
0029  *    Stream Header (12)
0030  *    Block Header:
0031  *      Block Header (8-12)
0032  *      Compressed Data (N)
0033  *      Block Padding (0-3)
0034  *      CRC32 (4)
0035  *    Index (8-20)
0036  *    Stream Footer (12)
0037  *
0038  * Normally there is exactly one Block, but let's assume that there are
0039  * 2-4 Blocks just in case. Because Stream Header and also Block Header
0040  * of the first Block don't make the decompressor produce any uncompressed
0041  * data, we can ignore them from our calculations. Block Headers of possible
0042  * additional Blocks have to be taken into account still. With these
0043  * assumptions, it is safe to assume that the total header overhead is
0044  * less than 128 bytes.
0045  *
0046  * Compressed Data contains LZMA2 or BCJ+LZMA2 encoded data. Since BCJ
0047  * doesn't change the size of the data, it is enough to calculate the
0048  * safety margin for LZMA2.
0049  *
0050  * LZMA2 stores the data in chunks. Each chunk has a header whose size is
0051  * a maximum of 6 bytes, but to get round 2^n numbers, let's assume that
0052  * the maximum chunk header size is 8 bytes. After the chunk header, there
0053  * may be up to 64 KiB of actual payload in the chunk. Often the payload is
0054  * quite a bit smaller though; to be safe, let's assume that an average
0055  * chunk has only 32 KiB of payload.
0056  *
0057  * The maximum uncompressed size of the payload is 2 MiB. The minimum
0058  * uncompressed size of the payload is in practice never less than the
0059  * payload size itself. The LZMA2 format would allow uncompressed size
0060  * to be less than the payload size, but no sane compressor creates such
0061  * files. LZMA2 supports storing uncompressible data in uncompressed form,
0062  * so there's never a need to create payloads whose uncompressed size is
0063  * smaller than the compressed size.
0064  *
0065  * The assumption, that the uncompressed size of the payload is never
0066  * smaller than the payload itself, is valid only when talking about
0067  * the payload as a whole. It is possible that the payload has parts where
0068  * the decompressor consumes more input than it produces output. Calculating
0069  * the worst case for this would be tricky. Instead of trying to do that,
0070  * let's simply make sure that the decompressor never overwrites any bytes
0071  * of the payload which it is currently reading.
0072  *
0073  * Now we have enough information to calculate the safety margin. We need
0074  *   - 128 bytes for the .xz file format headers;
0075  *   - 8 bytes per every 32 KiB of uncompressed size (one LZMA2 chunk header
0076  *     per chunk, each chunk having average payload size of 32 KiB); and
0077  *   - 64 KiB (biggest possible LZMA2 chunk payload size) to make sure that
0078  *     the decompressor never overwrites anything from the LZMA2 chunk
0079  *     payload it is currently reading.
0080  *
0081  * We get the following formula:
0082  *
0083  *    safety_margin = 128 + uncompressed_size * 8 / 32768 + 65536
0084  *                  = 128 + (uncompressed_size >> 12) + 65536
0085  *
0086  * For comparison, according to arch/x86/boot/compressed/misc.c, the
0087  * equivalent formula for Deflate is this:
0088  *
0089  *    safety_margin = 18 + (uncompressed_size >> 12) + 32768
0090  *
0091  * Thus, when updating Deflate-only in-place kernel decompressor to
0092  * support XZ, the fixed overhead has to be increased from 18+32768 bytes
0093  * to 128+65536 bytes.
0094  */
0095 
0096 /*
0097  * STATIC is defined to "static" if we are being built for kernel
0098  * decompression (pre-boot code). <linux/decompress/mm.h> will define
0099  * STATIC to empty if it wasn't already defined. Since we will need to
0100  * know later if we are being used for kernel decompression, we define
0101  * XZ_PREBOOT here.
0102  */
0103 #ifdef STATIC
0104 #   define XZ_PREBOOT
0105 #endif
0106 #ifdef __KERNEL__
0107 #   include <linux/decompress/mm.h>
0108 #endif
0109 #define XZ_EXTERN STATIC
0110 
0111 #ifndef XZ_PREBOOT
0112 #   include <linux/slab.h>
0113 #   include <linux/xz.h>
0114 #else
0115 /*
0116  * Use the internal CRC32 code instead of kernel's CRC32 module, which
0117  * is not available in early phase of booting.
0118  */
0119 #define XZ_INTERNAL_CRC32 1
0120 
0121 /*
0122  * For boot time use, we enable only the BCJ filter of the current
0123  * architecture or none if no BCJ filter is available for the architecture.
0124  */
0125 #ifdef CONFIG_X86
0126 #   define XZ_DEC_X86
0127 #endif
0128 #ifdef CONFIG_PPC
0129 #   define XZ_DEC_POWERPC
0130 #endif
0131 #ifdef CONFIG_ARM
0132 #   define XZ_DEC_ARM
0133 #endif
0134 #ifdef CONFIG_IA64
0135 #   define XZ_DEC_IA64
0136 #endif
0137 #ifdef CONFIG_SPARC
0138 #   define XZ_DEC_SPARC
0139 #endif
0140 
0141 /*
0142  * This will get the basic headers so that memeq() and others
0143  * can be defined.
0144  */
0145 #include "xz/xz_private.h"
0146 
0147 /*
0148  * Replace the normal allocation functions with the versions from
0149  * <linux/decompress/mm.h>. vfree() needs to support vfree(NULL)
0150  * when XZ_DYNALLOC is used, but the pre-boot free() doesn't support it.
0151  * Workaround it here because the other decompressors don't need it.
0152  */
0153 #undef kmalloc
0154 #undef kfree
0155 #undef vmalloc
0156 #undef vfree
0157 #define kmalloc(size, flags) malloc(size)
0158 #define kfree(ptr) free(ptr)
0159 #define vmalloc(size) malloc(size)
0160 #define vfree(ptr) do { if (ptr != NULL) free(ptr); } while (0)
0161 
0162 /*
0163  * FIXME: Not all basic memory functions are provided in architecture-specific
0164  * files (yet). We define our own versions here for now, but this should be
0165  * only a temporary solution.
0166  *
0167  * memeq and memzero are not used much and any remotely sane implementation
0168  * is fast enough. memcpy/memmove speed matters in multi-call mode, but
0169  * the kernel image is decompressed in single-call mode, in which only
0170  * memcpy speed can matter and only if there is a lot of uncompressible data
0171  * (LZMA2 stores uncompressible chunks in uncompressed form). Thus, the
0172  * functions below should just be kept small; it's probably not worth
0173  * optimizing for speed.
0174  */
0175 
0176 #ifndef memeq
0177 static bool memeq(const void *a, const void *b, size_t size)
0178 {
0179     const uint8_t *x = a;
0180     const uint8_t *y = b;
0181     size_t i;
0182 
0183     for (i = 0; i < size; ++i)
0184         if (x[i] != y[i])
0185             return false;
0186 
0187     return true;
0188 }
0189 #endif
0190 
0191 #ifndef memzero
0192 static void memzero(void *buf, size_t size)
0193 {
0194     uint8_t *b = buf;
0195     uint8_t *e = b + size;
0196 
0197     while (b != e)
0198         *b++ = '\0';
0199 }
0200 #endif
0201 
0202 #ifndef memmove
0203 /* Not static to avoid a conflict with the prototype in the Linux headers. */
0204 void *memmove(void *dest, const void *src, size_t size)
0205 {
0206     uint8_t *d = dest;
0207     const uint8_t *s = src;
0208     size_t i;
0209 
0210     if (d < s) {
0211         for (i = 0; i < size; ++i)
0212             d[i] = s[i];
0213     } else if (d > s) {
0214         i = size;
0215         while (i-- > 0)
0216             d[i] = s[i];
0217     }
0218 
0219     return dest;
0220 }
0221 #endif
0222 
0223 /*
0224  * Since we need memmove anyway, would use it as memcpy too.
0225  * Commented out for now to avoid breaking things.
0226  */
0227 /*
0228 #ifndef memcpy
0229 #   define memcpy memmove
0230 #endif
0231 */
0232 
0233 #include "xz/xz_crc32.c"
0234 #include "xz/xz_dec_stream.c"
0235 #include "xz/xz_dec_lzma2.c"
0236 #include "xz/xz_dec_bcj.c"
0237 
0238 #endif /* XZ_PREBOOT */
0239 
0240 /* Size of the input and output buffers in multi-call mode */
0241 #define XZ_IOBUF_SIZE 4096
0242 
0243 /*
0244  * This function implements the API defined in <linux/decompress/generic.h>.
0245  *
0246  * This wrapper will automatically choose single-call or multi-call mode
0247  * of the native XZ decoder API. The single-call mode can be used only when
0248  * both input and output buffers are available as a single chunk, i.e. when
0249  * fill() and flush() won't be used.
0250  */
0251 STATIC int INIT unxz(unsigned char *in, long in_size,
0252              long (*fill)(void *dest, unsigned long size),
0253              long (*flush)(void *src, unsigned long size),
0254              unsigned char *out, long *in_used,
0255              void (*error)(char *x))
0256 {
0257     struct xz_buf b;
0258     struct xz_dec *s;
0259     enum xz_ret ret;
0260     bool must_free_in = false;
0261 
0262 #if XZ_INTERNAL_CRC32
0263     xz_crc32_init();
0264 #endif
0265 
0266     if (in_used != NULL)
0267         *in_used = 0;
0268 
0269     if (fill == NULL && flush == NULL)
0270         s = xz_dec_init(XZ_SINGLE, 0);
0271     else
0272         s = xz_dec_init(XZ_DYNALLOC, (uint32_t)-1);
0273 
0274     if (s == NULL)
0275         goto error_alloc_state;
0276 
0277     if (flush == NULL) {
0278         b.out = out;
0279         b.out_size = (size_t)-1;
0280     } else {
0281         b.out_size = XZ_IOBUF_SIZE;
0282         b.out = malloc(XZ_IOBUF_SIZE);
0283         if (b.out == NULL)
0284             goto error_alloc_out;
0285     }
0286 
0287     if (in == NULL) {
0288         must_free_in = true;
0289         in = malloc(XZ_IOBUF_SIZE);
0290         if (in == NULL)
0291             goto error_alloc_in;
0292     }
0293 
0294     b.in = in;
0295     b.in_pos = 0;
0296     b.in_size = in_size;
0297     b.out_pos = 0;
0298 
0299     if (fill == NULL && flush == NULL) {
0300         ret = xz_dec_run(s, &b);
0301     } else {
0302         do {
0303             if (b.in_pos == b.in_size && fill != NULL) {
0304                 if (in_used != NULL)
0305                     *in_used += b.in_pos;
0306 
0307                 b.in_pos = 0;
0308 
0309                 in_size = fill(in, XZ_IOBUF_SIZE);
0310                 if (in_size < 0) {
0311                     /*
0312                      * This isn't an optimal error code
0313                      * but it probably isn't worth making
0314                      * a new one either.
0315                      */
0316                     ret = XZ_BUF_ERROR;
0317                     break;
0318                 }
0319 
0320                 b.in_size = in_size;
0321             }
0322 
0323             ret = xz_dec_run(s, &b);
0324 
0325             if (flush != NULL && (b.out_pos == b.out_size
0326                     || (ret != XZ_OK && b.out_pos > 0))) {
0327                 /*
0328                  * Setting ret here may hide an error
0329                  * returned by xz_dec_run(), but probably
0330                  * it's not too bad.
0331                  */
0332                 if (flush(b.out, b.out_pos) != (long)b.out_pos)
0333                     ret = XZ_BUF_ERROR;
0334 
0335                 b.out_pos = 0;
0336             }
0337         } while (ret == XZ_OK);
0338 
0339         if (must_free_in)
0340             free(in);
0341 
0342         if (flush != NULL)
0343             free(b.out);
0344     }
0345 
0346     if (in_used != NULL)
0347         *in_used += b.in_pos;
0348 
0349     xz_dec_end(s);
0350 
0351     switch (ret) {
0352     case XZ_STREAM_END:
0353         return 0;
0354 
0355     case XZ_MEM_ERROR:
0356         /* This can occur only in multi-call mode. */
0357         error("XZ decompressor ran out of memory");
0358         break;
0359 
0360     case XZ_FORMAT_ERROR:
0361         error("Input is not in the XZ format (wrong magic bytes)");
0362         break;
0363 
0364     case XZ_OPTIONS_ERROR:
0365         error("Input was encoded with settings that are not "
0366                 "supported by this XZ decoder");
0367         break;
0368 
0369     case XZ_DATA_ERROR:
0370     case XZ_BUF_ERROR:
0371         error("XZ-compressed data is corrupt");
0372         break;
0373 
0374     default:
0375         error("Bug in the XZ decompressor");
0376         break;
0377     }
0378 
0379     return -1;
0380 
0381 error_alloc_in:
0382     if (flush != NULL)
0383         free(b.out);
0384 
0385 error_alloc_out:
0386     xz_dec_end(s);
0387 
0388 error_alloc_state:
0389     error("XZ decompressor ran out of memory");
0390     return -1;
0391 }
0392 
0393 /*
0394  * This macro is used by architecture-specific files to decompress
0395  * the kernel image.
0396  */
0397 #ifdef XZ_PREBOOT
0398 STATIC int INIT __decompress(unsigned char *buf, long len,
0399                long (*fill)(void*, unsigned long),
0400                long (*flush)(void*, unsigned long),
0401                unsigned char *out_buf, long olen,
0402                long *pos,
0403                void (*error)(char *x))
0404 {
0405     return unxz(buf, len, fill, flush, out_buf, pos, error);
0406 }
0407 #endif