brintos

brintos / linux-shallow public Read only

0
0
Text · 11.1 KiB · 32138bb Raw
415 lines · c
1// SPDX-License-Identifier: 0BSD2 3/*4 * Wrapper for decompressing XZ-compressed kernel, initramfs, and initrd5 *6 * Author: Lasse Collin <lasse.collin@tukaani.org>7 */8 9/*10 * Important notes about in-place decompression11 *12 * At least on x86, the kernel is decompressed in place: the compressed data13 * is placed to the end of the output buffer, and the decompressor overwrites14 * most of the compressed data. There must be enough safety margin to15 * guarantee that the write position is always behind the read position.16 *17 * The safety margin for XZ with LZMA2 or BCJ+LZMA2 is calculated below.18 * Note that the margin with XZ is bigger than with Deflate (gzip)!19 *20 * The worst case for in-place decompression is that the beginning of21 * the file is compressed extremely well, and the rest of the file is22 * incompressible. Thus, we must look for worst-case expansion when the23 * compressor is encoding incompressible data.24 *25 * The structure of the .xz file in case of a compressed kernel is as follows.26 * Sizes (as bytes) of the fields are in parenthesis.27 *28 *    Stream Header (12)29 *    Block Header:30 *      Block Header (8-12)31 *      Compressed Data (N)32 *      Block Padding (0-3)33 *      CRC32 (4)34 *    Index (8-20)35 *    Stream Footer (12)36 *37 * Normally there is exactly one Block, but let's assume that there are38 * 2-4 Blocks just in case. Because Stream Header and also Block Header39 * of the first Block don't make the decompressor produce any uncompressed40 * data, we can ignore them from our calculations. Block Headers of possible41 * additional Blocks have to be taken into account still. With these42 * assumptions, it is safe to assume that the total header overhead is43 * less than 128 bytes.44 *45 * Compressed Data contains LZMA2 or BCJ+LZMA2 encoded data. Since BCJ46 * doesn't change the size of the data, it is enough to calculate the47 * safety margin for LZMA2.48 *49 * LZMA2 stores the data in chunks. Each chunk has a header whose size is50 * a maximum of 6 bytes, but to get round 2^n numbers, let's assume that51 * the maximum chunk header size is 8 bytes. After the chunk header, there52 * may be up to 64 KiB of actual payload in the chunk. Often the payload is53 * quite a bit smaller though; to be safe, let's assume that an average54 * chunk has only 32 KiB of payload.55 *56 * The maximum uncompressed size of the payload is 2 MiB. The minimum57 * uncompressed size of the payload is in practice never less than the58 * payload size itself. The LZMA2 format would allow uncompressed size59 * to be less than the payload size, but no sane compressor creates such60 * files. LZMA2 supports storing incompressible data in uncompressed form,61 * so there's never a need to create payloads whose uncompressed size is62 * smaller than the compressed size.63 *64 * The assumption, that the uncompressed size of the payload is never65 * smaller than the payload itself, is valid only when talking about66 * the payload as a whole. It is possible that the payload has parts where67 * the decompressor consumes more input than it produces output. Calculating68 * the worst case for this would be tricky. Instead of trying to do that,69 * let's simply make sure that the decompressor never overwrites any bytes70 * of the payload which it is currently reading.71 *72 * Now we have enough information to calculate the safety margin. We need73 *   - 128 bytes for the .xz file format headers;74 *   - 8 bytes per every 32 KiB of uncompressed size (one LZMA2 chunk header75 *     per chunk, each chunk having average payload size of 32 KiB); and76 *   - 64 KiB (biggest possible LZMA2 chunk payload size) to make sure that77 *     the decompressor never overwrites anything from the LZMA2 chunk78 *     payload it is currently reading.79 *80 * We get the following formula:81 *82 *    safety_margin = 128 + uncompressed_size * 8 / 32768 + 6553683 *                  = 128 + (uncompressed_size >> 12) + 6553684 *85 * For comparison, according to arch/x86/boot/compressed/misc.c, the86 * equivalent formula for Deflate is this:87 *88 *    safety_margin = 18 + (uncompressed_size >> 12) + 3276889 *90 * Thus, when updating Deflate-only in-place kernel decompressor to91 * support XZ, the fixed overhead has to be increased from 18+32768 bytes92 * to 128+65536 bytes.93 */94 95/*96 * STATIC is defined to "static" if we are being built for kernel97 * decompression (pre-boot code). <linux/decompress/mm.h> will define98 * STATIC to empty if it wasn't already defined. Since we will need to99 * know later if we are being used for kernel decompression, we define100 * XZ_PREBOOT here.101 */102#ifdef STATIC103#	define XZ_PREBOOT104#else105#	include <linux/decompress/unxz.h>106#endif107#ifdef __KERNEL__108#	include <linux/decompress/mm.h>109#endif110 111#ifndef XZ_PREBOOT112#	include <linux/slab.h>113#	include <linux/xz.h>114#else115/*116 * Use the internal CRC32 code instead of kernel's CRC32 module, which117 * is not available in early phase of booting.118 */119#define XZ_INTERNAL_CRC32 1120 121/*122 * For boot time use, we enable only the BCJ filter of the current123 * architecture or none if no BCJ filter is available for the architecture.124 */125#ifdef CONFIG_X86126#	define XZ_DEC_X86127#endif128#if defined(CONFIG_PPC) && defined(CONFIG_CPU_BIG_ENDIAN)129#	define XZ_DEC_POWERPC130#endif131#ifdef CONFIG_ARM132#	ifdef CONFIG_THUMB2_KERNEL133#		define XZ_DEC_ARMTHUMB134#	else135#		define XZ_DEC_ARM136#	endif137#endif138#ifdef CONFIG_ARM64139#	define XZ_DEC_ARM64140#endif141#ifdef CONFIG_RISCV142#	define XZ_DEC_RISCV143#endif144#ifdef CONFIG_SPARC145#	define XZ_DEC_SPARC146#endif147 148/*149 * This will get the basic headers so that memeq() and others150 * can be defined.151 */152#include "xz/xz_private.h"153 154/*155 * Replace the normal allocation functions with the versions from156 * <linux/decompress/mm.h>. vfree() needs to support vfree(NULL)157 * when XZ_DYNALLOC is used, but the pre-boot free() doesn't support it.158 * Workaround it here because the other decompressors don't need it.159 */160#undef kmalloc161#undef kfree162#undef vmalloc163#undef vfree164#define kmalloc(size, flags) malloc(size)165#define kfree(ptr) free(ptr)166#define vmalloc(size) malloc(size)167#define vfree(ptr) do { if (ptr != NULL) free(ptr); } while (0)168 169/*170 * FIXME: Not all basic memory functions are provided in architecture-specific171 * files (yet). We define our own versions here for now, but this should be172 * only a temporary solution.173 *174 * memeq and memzero are not used much and any remotely sane implementation175 * is fast enough. memcpy/memmove speed matters in multi-call mode, but176 * the kernel image is decompressed in single-call mode, in which only177 * memmove speed can matter and only if there is a lot of incompressible data178 * (LZMA2 stores incompressible chunks in uncompressed form). Thus, the179 * functions below should just be kept small; it's probably not worth180 * optimizing for speed.181 */182 183#ifndef memeq184static bool memeq(const void *a, const void *b, size_t size)185{186	const uint8_t *x = a;187	const uint8_t *y = b;188	size_t i;189 190	for (i = 0; i < size; ++i)191		if (x[i] != y[i])192			return false;193 194	return true;195}196#endif197 198#ifndef memzero199static void memzero(void *buf, size_t size)200{201	uint8_t *b = buf;202	uint8_t *e = b + size;203 204	while (b != e)205		*b++ = '\0';206}207#endif208 209#ifndef memmove210/* Not static to avoid a conflict with the prototype in the Linux headers. */211void *memmove(void *dest, const void *src, size_t size)212{213	uint8_t *d = dest;214	const uint8_t *s = src;215	size_t i;216 217	if (d < s) {218		for (i = 0; i < size; ++i)219			d[i] = s[i];220	} else if (d > s) {221		i = size;222		while (i-- > 0)223			d[i] = s[i];224	}225 226	return dest;227}228#endif229 230/*231 * Since we need memmove anyway, we could use it as memcpy too.232 * Commented out for now to avoid breaking things.233 */234/*235#ifndef memcpy236#	define memcpy memmove237#endif238*/239 240#include "xz/xz_crc32.c"241#include "xz/xz_dec_stream.c"242#include "xz/xz_dec_lzma2.c"243#include "xz/xz_dec_bcj.c"244 245#endif /* XZ_PREBOOT */246 247/* Size of the input and output buffers in multi-call mode */248#define XZ_IOBUF_SIZE 4096249 250/*251 * This function implements the API defined in <linux/decompress/generic.h>.252 *253 * This wrapper will automatically choose single-call or multi-call mode254 * of the native XZ decoder API. The single-call mode can be used only when255 * both input and output buffers are available as a single chunk, i.e. when256 * fill() and flush() won't be used.257 */258STATIC int INIT unxz(unsigned char *in, long in_size,259		     long (*fill)(void *dest, unsigned long size),260		     long (*flush)(void *src, unsigned long size),261		     unsigned char *out, long *in_used,262		     void (*error)(char *x))263{264	struct xz_buf b;265	struct xz_dec *s;266	enum xz_ret ret;267	bool must_free_in = false;268 269#if XZ_INTERNAL_CRC32270	xz_crc32_init();271#endif272 273	if (in_used != NULL)274		*in_used = 0;275 276	if (fill == NULL && flush == NULL)277		s = xz_dec_init(XZ_SINGLE, 0);278	else279		s = xz_dec_init(XZ_DYNALLOC, (uint32_t)-1);280 281	if (s == NULL)282		goto error_alloc_state;283 284	if (flush == NULL) {285		b.out = out;286		b.out_size = (size_t)-1;287	} else {288		b.out_size = XZ_IOBUF_SIZE;289		b.out = malloc(XZ_IOBUF_SIZE);290		if (b.out == NULL)291			goto error_alloc_out;292	}293 294	if (in == NULL) {295		must_free_in = true;296		in = malloc(XZ_IOBUF_SIZE);297		if (in == NULL)298			goto error_alloc_in;299	}300 301	b.in = in;302	b.in_pos = 0;303	b.in_size = in_size;304	b.out_pos = 0;305 306	if (fill == NULL && flush == NULL) {307		ret = xz_dec_run(s, &b);308	} else {309		do {310			if (b.in_pos == b.in_size && fill != NULL) {311				if (in_used != NULL)312					*in_used += b.in_pos;313 314				b.in_pos = 0;315 316				in_size = fill(in, XZ_IOBUF_SIZE);317				if (in_size < 0) {318					/*319					 * This isn't an optimal error code320					 * but it probably isn't worth making321					 * a new one either.322					 */323					ret = XZ_BUF_ERROR;324					break;325				}326 327				b.in_size = in_size;328			}329 330			ret = xz_dec_run(s, &b);331 332			if (flush != NULL && (b.out_pos == b.out_size333					|| (ret != XZ_OK && b.out_pos > 0))) {334				/*335				 * Setting ret here may hide an error336				 * returned by xz_dec_run(), but probably337				 * it's not too bad.338				 */339				if (flush(b.out, b.out_pos) != (long)b.out_pos)340					ret = XZ_BUF_ERROR;341 342				b.out_pos = 0;343			}344		} while (ret == XZ_OK);345 346		if (must_free_in)347			free(in);348 349		if (flush != NULL)350			free(b.out);351	}352 353	if (in_used != NULL)354		*in_used += b.in_pos;355 356	xz_dec_end(s);357 358	switch (ret) {359	case XZ_STREAM_END:360		return 0;361 362	case XZ_MEM_ERROR:363		/* This can occur only in multi-call mode. */364		error("XZ decompressor ran out of memory");365		break;366 367	case XZ_FORMAT_ERROR:368		error("Input is not in the XZ format (wrong magic bytes)");369		break;370 371	case XZ_OPTIONS_ERROR:372		error("Input was encoded with settings that are not "373				"supported by this XZ decoder");374		break;375 376	case XZ_DATA_ERROR:377	case XZ_BUF_ERROR:378		error("XZ-compressed data is corrupt");379		break;380 381	default:382		error("Bug in the XZ decompressor");383		break;384	}385 386	return -1;387 388error_alloc_in:389	if (flush != NULL)390		free(b.out);391 392error_alloc_out:393	xz_dec_end(s);394 395error_alloc_state:396	error("XZ decompressor ran out of memory");397	return -1;398}399 400/*401 * This function is used by architecture-specific files to decompress402 * the kernel image.403 */404#ifdef XZ_PREBOOT405STATIC int INIT __decompress(unsigned char *in, long in_size,406			     long (*fill)(void *dest, unsigned long size),407			     long (*flush)(void *src, unsigned long size),408			     unsigned char *out, long out_size,409			     long *in_used,410			     void (*error)(char *x))411{412	return unxz(in, in_size, fill, flush, out, in_used, error);413}414#endif415