2 * Wrapper for decompressing XZ-compressed kernel, initramfs, and initrd
4 * Author: Lasse Collin <lasse.collin@tukaani.org>
6 * This file has been put into the public domain.
7 * You can do whatever you want with this file.
11 * Important notes about in-place decompression
13 * At least on x86, the kernel is decompressed in place: the compressed data
14 * is placed to the end of the output buffer, and the decompressor overwrites
15 * most of the compressed data. There must be enough safety margin to
16 * guarantee that the write position is always behind the read position.
18 * The safety margin for XZ with LZMA2 or BCJ+LZMA2 is calculated below.
19 * Note that the margin with XZ is bigger than with Deflate (gzip)!
21 * The worst case for in-place decompression is that the beginning of
22 * the file is compressed extremely well, and the rest of the file is
23 * uncompressible. Thus, we must look for worst-case expansion when the
24 * compressor is encoding uncompressible data.
26 * The structure of the .xz file in case of a compresed kernel is as follows.
27 * Sizes (as bytes) of the fields are in parenthesis.
38 * Normally there is exactly one Block, but let's assume that there are
39 * 2-4 Blocks just in case. Because Stream Header and also Block Header
40 * of the first Block don't make the decompressor produce any uncompressed
41 * data, we can ignore them from our calculations. Block Headers of possible
42 * additional Blocks have to be taken into account still. With these
43 * assumptions, it is safe to assume that the total header overhead is
44 * less than 128 bytes.
46 * Compressed Data contains LZMA2 or BCJ+LZMA2 encoded data. Since BCJ
47 * doesn't change the size of the data, it is enough to calculate the
48 * safety margin for LZMA2.
50 * LZMA2 stores the data in chunks. Each chunk has a header whose size is
51 * a maximum of 6 bytes, but to get round 2^n numbers, let's assume that
52 * the maximum chunk header size is 8 bytes. After the chunk header, there
53 * may be up to 64 KiB of actual payload in the chunk. Often the payload is
54 * quite a bit smaller though; to be safe, let's assume that an average
55 * chunk has only 32 KiB of payload.
57 * The maximum uncompressed size of the payload is 2 MiB. The minimum
58 * uncompressed size of the payload is in practice never less than the
59 * payload size itself. The LZMA2 format would allow uncompressed size
60 * to be less than the payload size, but no sane compressor creates such
61 * files. LZMA2 supports storing uncompressible data in uncompressed form,
62 * so there's never a need to create payloads whose uncompressed size is
63 * smaller than the compressed size.
65 * The assumption, that the uncompressed size of the payload is never
66 * smaller than the payload itself, is valid only when talking about
67 * the payload as a whole. It is possible that the payload has parts where
68 * the decompressor consumes more input than it produces output. Calculating
69 * the worst case for this would be tricky. Instead of trying to do that,
70 * let's simply make sure that the decompressor never overwrites any bytes
71 * of the payload which it is currently reading.
73 * Now we have enough information to calculate the safety margin. We need
74 * - 128 bytes for the .xz file format headers;
75 * - 8 bytes per every 32 KiB of uncompressed size (one LZMA2 chunk header
76 * per chunk, each chunk having average payload size of 32 KiB); and
77 * - 64 KiB (biggest possible LZMA2 chunk payload size) to make sure that
78 * the decompressor never overwrites anything from the LZMA2 chunk
79 * payload it is currently reading.
81 * We get the following formula:
83 * safety_margin = 128 + uncompressed_size * 8 / 32768 + 65536
84 * = 128 + (uncompressed_size >> 12) + 65536
86 * For comparison, according to arch/x86/boot/compressed/misc.c, the
87 * equivalent formula for Deflate is this:
89 * safety_margin = 18 + (uncompressed_size >> 12) + 32768
91 * Thus, when updating Deflate-only in-place kernel decompressor to
92 * support XZ, the fixed overhead has to be increased from 18+32768 bytes
97 * STATIC is defined to "static" if we are being built for kernel
98 * decompression (pre-boot code). <linux/decompress/mm.h> will define
99 * STATIC to empty if it wasn't already defined. Since we will need to
100 * know later if we are being used for kernel decompression, we define
107 # include <linux/decompress/mm.h>
109 #define XZ_EXTERN STATIC
112 # include <linux/slab.h>
113 # include <linux/xz.h>
116 * Use the internal CRC32 code instead of kernel's CRC32 module, which
117 * is not available in early phase of booting.
119 #define XZ_INTERNAL_CRC32 1
122 * For boot time use, we enable only the BCJ filter of the current
123 * architecture or none if no BCJ filter is available for the architecture.
129 # define XZ_DEC_POWERPC
138 # define XZ_DEC_SPARC
142 * This will get the basic headers so that memeq() and others
145 #include "xz/xz_private.h"
148 * Replace the normal allocation functions with the versions from
149 * <linux/decompress/mm.h>. vfree() needs to support vfree(NULL)
150 * when XZ_DYNALLOC is used, but the pre-boot free() doesn't support it.
151 * Workaround it here because the other decompressors don't need it.
157 #define kmalloc(size, flags) malloc(size)
158 #define kfree(ptr) free(ptr)
159 #define vmalloc(size) malloc(size)
160 #define vfree(ptr) do { if (ptr != NULL) free(ptr); } while (0)
163 * FIXME: Not all basic memory functions are provided in architecture-specific
164 * files (yet). We define our own versions here for now, but this should be
165 * only a temporary solution.
167 * memeq and memzero are not used much and any remotely sane implementation
168 * is fast enough. memcpy/memmove speed matters in multi-call mode, but
169 * the kernel image is decompressed in single-call mode, in which only
170 * memcpy speed can matter and only if there is a lot of uncompressible data
171 * (LZMA2 stores uncompressible chunks in uncompressed form). Thus, the
172 * functions below should just be kept small; it's probably not worth
173 * optimizing for speed.
177 static bool memeq(const void *a
, const void *b
, size_t size
)
179 const uint8_t *x
= a
;
180 const uint8_t *y
= b
;
183 for (i
= 0; i
< size
; ++i
)
192 static void memzero(void *buf
, size_t size
)
195 uint8_t *e
= b
+ size
;
203 /* Not static to avoid a conflict with the prototype in the Linux headers. */
204 void *memmove(void *dest
, const void *src
, size_t size
)
207 const uint8_t *s
= src
;
211 for (i
= 0; i
< size
; ++i
)
224 * Since we need memmove anyway, would use it as memcpy too.
225 * Commented out for now to avoid breaking things.
229 # define memcpy memmove
233 #include "xz/xz_crc32.c"
234 #include "xz/xz_dec_stream.c"
235 #include "xz/xz_dec_lzma2.c"
236 #include "xz/xz_dec_bcj.c"
238 #endif /* XZ_PREBOOT */
240 /* Size of the input and output buffers in multi-call mode */
241 #define XZ_IOBUF_SIZE 4096
244 * This function implements the API defined in <linux/decompress/generic.h>.
246 * This wrapper will automatically choose single-call or multi-call mode
247 * of the native XZ decoder API. The single-call mode can be used only when
248 * both input and output buffers are available as a single chunk, i.e. when
249 * fill() and flush() won't be used.
251 STATIC
int INIT
unxz(unsigned char *in
, long in_size
,
252 long (*fill
)(void *dest
, unsigned long size
),
253 long (*flush
)(void *src
, unsigned long size
),
254 unsigned char *out
, long *in_used
,
255 void (*error
)(char *x
))
260 bool must_free_in
= false;
262 #if XZ_INTERNAL_CRC32
269 if (fill
== NULL
&& flush
== NULL
)
270 s
= xz_dec_init(XZ_SINGLE
, 0);
272 s
= xz_dec_init(XZ_DYNALLOC
, (uint32_t)-1);
275 goto error_alloc_state
;
279 b
.out_size
= (size_t)-1;
281 b
.out_size
= XZ_IOBUF_SIZE
;
282 b
.out
= malloc(XZ_IOBUF_SIZE
);
284 goto error_alloc_out
;
289 in
= malloc(XZ_IOBUF_SIZE
);
299 if (fill
== NULL
&& flush
== NULL
) {
300 ret
= xz_dec_run(s
, &b
);
303 if (b
.in_pos
== b
.in_size
&& fill
!= NULL
) {
305 *in_used
+= b
.in_pos
;
309 in_size
= fill(in
, XZ_IOBUF_SIZE
);
312 * This isn't an optimal error code
313 * but it probably isn't worth making
323 ret
= xz_dec_run(s
, &b
);
325 if (flush
!= NULL
&& (b
.out_pos
== b
.out_size
326 || (ret
!= XZ_OK
&& b
.out_pos
> 0))) {
328 * Setting ret here may hide an error
329 * returned by xz_dec_run(), but probably
332 if (flush(b
.out
, b
.out_pos
) != (long)b
.out_pos
)
337 } while (ret
== XZ_OK
);
347 *in_used
+= b
.in_pos
;
356 /* This can occur only in multi-call mode. */
357 error("XZ decompressor ran out of memory");
360 case XZ_FORMAT_ERROR
:
361 error("Input is not in the XZ format (wrong magic bytes)");
364 case XZ_OPTIONS_ERROR
:
365 error("Input was encoded with settings that are not "
366 "supported by this XZ decoder");
371 error("XZ-compressed data is corrupt");
375 error("Bug in the XZ decompressor");
389 error("XZ decompressor ran out of memory");
394 * This macro is used by architecture-specific files to decompress
397 #define decompress unxz