This v5 is based on the current linux-ntfs ntfs-next branch at commit
c864077b8d73 ("ntfs: use d_splice_alias() for ->lookup() return value").
That branch already contains v4 patches 1/6 through 4/6, the
ntfs_readdir() index-root entries_offset validation, and the initial
resident $INDEX_ROOT lookup validator. This series does not resend those
applied patches.

The extent inode lifetime fix is independent of this attribute
validation work and is not included in this series.

The merged lookup-time $INDEX_ROOT validator does not yet validate
index.allocated_size. Enabling that check exposed a generic/013 failure
in earlier testing because ntfs_ir_reparent() could publish a larger
resident root header before growing the resident value. In the failing
case, the root had value_len=48, index_size=32, index_length=40, and
allocated_size=40, so allocated_size validation correctly rejected the
transient layout and ntfsprogs-plus ntfsck reported a corrupt index root.

Patches 2 and 3 are the prerequisite resize-ordering fixes for enabling
that allocated_size validation: patch 2 fixes the grow side, and patch 3
keeps the shrink side consistent for the same validator.

Patch 1 also finishes the lookup contract for resident-only attributes.
The current shared validator rejects non-resident $FILE_NAME and
$VOLUME_NAME records, but other resident-only attribute types can still
pass the non-resident path. That is unsafe for callers such as
$STANDARD_INFORMATION and $VOLUME_INFORMATION users that read
data.resident.value_offset after lookup, and it also makes the
$INDEX_ROOT lookup contract incomplete. The patch factors the existing
checks into a resident-only helper and extends it to the remaining
resident-only types.

Patch 4 extends the merged $INDEX_ROOT validator to check
index.allocated_size. The driver does consume root index.allocated_size
as the capacity field in ntfs_ie_add() when deciding whether an insert
can be done in place, and ntfs_ie_insert() does not re-check that
boundary. The validation only rejects layouts where allocated_size
extends past the resident value; valid slack remains allowed as
index_length <= allocated_size <= the resident index area.

The current series applies cleanly to linux-ntfs ntfs-next commit
c864077b8d73 ("ntfs: use d_splice_alias() for ->lookup() return value")
with `git am -p3`. checkpatch.pl --strict and git diff --check were clean.
The same final validator and resize-ordering changes were also tested on
the earlier clean v4 application stack used for runtime testing. A KASAN
kernel with CONFIG_NTFS_FS=y built successfully, and KASAN generic/013
passed three consecutive runs. ntfsprogs-plus ntfsck v1.0.0, built from
ntfsprogs-plus revision 53943dae, reported the three resulting generic/013
test images clean with `ntfsck -n` (errors:0, fixed:0).

Changes since v4:
- Do not resend v4 patches 1/6 through 4/6, which have already been
  applied.
- Add a resident-only attribute helper and reject non-resident records
  for the remaining resident-only attribute types.
- Add the ntfs_ir_reparent() grow-before-header fix required before
  enabling the allocated_size part of the $INDEX_ROOT validator.
- Keep the ntfs_ir_truncate() shrink-ordering fix, now framed as the
  shrink-side consistency fix for lookup-time $INDEX_ROOT validation.
- Rework the final patch as an incremental allocated_size check for the
  $INDEX_ROOT validator already merged in ntfs-next.

DaeMyung Kang (4):
  ntfs: reject non-resident records for resident-only attributes
  ntfs: grow index root value before reparent header update
  ntfs: update index root allocated size before shrink
  ntfs: validate index root allocated_size on lookup

 fs/ntfs/attrib.c | 24 ++++++++++++++--
 fs/ntfs/index.c  | 96 ++++++++++++++++++++++++++++++++++++++++++----------------------
 2 files changed, 85 insertions(+), 35 deletions(-)

--
2.43.0
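
Added illustration, not part of the posted series or the driver's code: a userspace C check of the bound described for patch 4 (index_length <= allocated_size <= resident index area), run over constructed values including the transient generic/013 layout quoted above. The names ir_check and ir_sample, the return codes, and the entries_offset check are assumptions; the 16-byte offset of the index header inside the root value is the on-disk layout and matches value_len=48 / index_size=32.

```c
#include <stdint.h>

#define IR_INDEX_OFF 16u /* index header offset inside the $INDEX_ROOT value */
#define IH_SIZE      16u /* entries_offset, index_length, allocated_size, flags */

static uint32_t rd_le32(const uint8_t *p)
{
	return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr_le32(uint8_t *p, uint32_t v)
{
	for (int i = 0; i < 4; i++)
		p[i] = (uint8_t)(v >> (8 * i));
}

/* Hypothetical userspace check: 0 = consistent, negative = which bound failed. */
int ir_check(const uint8_t *val, uint32_t value_len)
{
	uint32_t area, entries_off, index_len, alloc;
	if (value_len < IR_INDEX_OFF + IH_SIZE)
		return -1;                        /* headers do not fit in the value */
	area = value_len - IR_INDEX_OFF;          /* resident index area */
	entries_off = rd_le32(val + IR_INDEX_OFF);
	index_len = rd_le32(val + IR_INDEX_OFF + 4);
	alloc = rd_le32(val + IR_INDEX_OFF + 8);
	if (entries_off < IH_SIZE || entries_off > index_len)
		return -2;                        /* first entry outside the used area */
	if (index_len > alloc)
		return -3;                        /* used bytes exceed stated capacity */
	if (alloc > area)
		return -4;                        /* capacity extends past the resident value */
	return 0;
}

/* Constructed sample: build a zeroed root value with the given sizes and check it. */
int ir_sample(uint32_t value_len, uint32_t index_len, uint32_t alloc)
{
	uint8_t buf[64] = { 0 };          /* ir_check reads only header bytes 16..27 */
	wr_le32(buf + IR_INDEX_OFF, IH_SIZE);
	wr_le32(buf + IR_INDEX_OFF + 4, index_len);
	wr_le32(buf + IR_INDEX_OFF + 8, alloc);
	return ir_check(buf, value_len);
}

int main(void)
{
	/* header published before the value grew (rejected), then value grown first (accepted) */
	return ir_sample(48, 40, 40) == -4 && ir_sample(56, 40, 40) == 0 ? 0 : 1;
}
```

The first call in main() is the header-before-grow ordering that the cover letter says tripped the validator; the second is the same header once the resident value has been grown to hold it.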