This series contains two independent fixes for fs/ntfs.

Patch 1 corrects ntfs_link()'s release of the new link name.
ntfs_nlstoucs() returns a buffer allocated from ntfs_name_cache, and
every other namei.c caller releases it with kmem_cache_free(); only
ntfs_link() used kfree(). The conversion failure path is also adjusted
so the common out label is not reached with a NULL pointer that would
hit kmem_cache_free().

Patch 2 validates that a resident $FILE_NAME attribute can actually
hold the variable-length UTF-16 name implied by file_name_length.
A crafted image was reproduced under KASAN as a slab-out-of-bounds
read from a kmalloc-1k MFT record copy through ntfs_attr_name_get().
The validation is added before ntfs_attr_find() and
ntfs_external_attr_find() return the attribute, covering both the
AT_FILE_NAME and AT_UNUSED enumeration lookup paths.

The two patches are independent and can be applied in either order.

DaeMyung Kang (2):
  ntfs: free link name from ntfs_name_cache
  ntfs: validate resident file name attribute length

 fs/ntfs/attrib.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 fs/ntfs/namei.c  |  5 ++---
 2 files changed, 48 insertions(+), 3 deletions(-)
--
2.43.0
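As an added illustration of the bound patch 2 describes (this is not the series' own code), a stand-alone C function applying the same check to a resident $FILE_NAME attribute record. It assumes the standard NTFS on-disk layout (0x18-byte resident ATTR_RECORD header, 66 fixed bytes before file_name[], file_name_length at byte 64 of the value, little-endian fields); check_constructed() builds a constructed record so the check can be exercised without an image.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

#define ATTR_RESIDENT_HDR   0x18 /* bytes in a resident ATTR_RECORD header (assumed layout) */
#define FILE_NAME_FIXED_LEN 66   /* FILE_NAME_ATTR bytes before file_name[] */
#define FILE_NAME_LEN_OFF   64   /* offset of file_name_length inside FILE_NAME_ATTR */

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }

/* attr points at an ATTR_RECORD already known to fit in attr_len bytes of the
 * MFT record.  Returns true only if the resident value lies inside the record,
 * holds the fixed FILE_NAME_ATTR header, and has room for file_name_length
 * UTF-16 code units (2 bytes each) after that header. */
bool file_name_attr_fits(const uint8_t *attr, size_t attr_len)
{
    if (attr_len < ATTR_RESIDENT_HDR || attr[8] != 0) /* non_resident must be 0 */
        return false;
    uint32_t value_length = le32(attr + 0x10);
    uint16_t value_offset = le16(attr + 0x14);
    if (value_offset < ATTR_RESIDENT_HDR || value_offset > attr_len ||
        value_length > attr_len - value_offset || value_length < FILE_NAME_FIXED_LEN)
        return false;
    uint8_t name_units = attr[value_offset + FILE_NAME_LEN_OFF];
    return (size_t)name_units * 2 <= value_length - FILE_NAME_FIXED_LEN;
}

/* Constructed test input: a resident AT_FILE_NAME record whose value_length
 * and file_name_length are chosen by the caller (all other fields zeroed). */
bool check_constructed(uint32_t value_length, uint8_t name_units)
{
    uint8_t rec[1024];
    size_t total = ATTR_RESIDENT_HDR + value_length;
    if (total > sizeof rec)
        return false;
    memset(rec, 0, total);
    rec[0] = 0x30;                                   /* AT_FILE_NAME */
    rec[4] = (uint8_t)total; rec[5] = (uint8_t)(total >> 8);
    rec[0x10] = (uint8_t)value_length; rec[0x11] = (uint8_t)(value_length >> 8);
    rec[0x14] = ATTR_RESIDENT_HDR;                   /* value_offset */
    if (value_length > FILE_NAME_LEN_OFF)
        rec[ATTR_RESIDENT_HDR + FILE_NAME_LEN_OFF] = name_units;
    return file_name_attr_fits(rec, total);
}
```

A record whose value_length is 66 + 2 * file_name_length passes; one whose file_name_length claims more code units than the value can hold is rejected before any name bytes are read.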