ntfs: free link name from ntfs_name_cache
authorDaeMyung Kang <charsyam@gmail.com>
Sun, 24 May 2026 05:42:37 +0000 (14:42 +0900)
committerNamjae Jeon <linkinjeon@kernel.org>
Fri, 5 Jun 2026 15:20:10 +0000 (00:20 +0900)
ntfs_link() converts the new link name with ntfs_nlstoucs() using
NTFS_MAX_NAME_LEN. In this case ntfs_nlstoucs() allocates the result
from ntfs_name_cache, and its contract requires callers to release the
buffer with kmem_cache_free(ntfs_name_cache, ...).

All other ntfs_nlstoucs() callers in namei.c do that, but ntfs_link()
uses kfree(), which mismatches the allocator for successfully converted
names.

The conversion failure path reaches the common out label with uname ==
NULL. That was harmless for kfree(), but kmem_cache_free() does not
provide the same NULL contract. Return directly on conversion failure
and free successful conversions with ntfs_name_cache.

Fixes: af0db57d4293 ("ntfs: update inode operations")
Signed-off-by: DaeMyung Kang <charsyam@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
fs/ntfs/namei.c

index c4f82846c58c30fec4d396cb015f0888ae611ded..9c1c36acfad24e20997b7c3f27ad1fc056faa27c 100644 (file)
@@ -1532,8 +1532,7 @@ static int ntfs_link(struct dentry *old_dentry, struct inode *dir,
        if (uname_len < 0) {
                if (uname_len != -ENAMETOOLONG)
                        ntfs_error(sb, "Failed to convert name to unicode.");
-               err = -ENOMEM;
-               goto out;
+               return -ENOMEM;
        }
 
        if (!(vol->vol_flags & VOLUME_IS_DIRTY))
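Review bot: The rewritten `return -ENOMEM;` still reports every conversion failure as out-of-memory, including the -ENAMETOOLONG case that the `if` directly above singles out, so userspace gets a misleading errno for an over-long link name. If ntfs_nlstoucs() returns a proper negative errno on this path (not visible here, so worth confirming), `return uname_len;` would preserve the real cause. This predates the commit, but the line is being rewritten anyway. The direct return itself looks safe as far as the second hunk shows, since the `out` label only frees uname and returns err. ntfs_link's body starts before and continues after this hunk.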
@@ -1563,7 +1562,7 @@ static int ntfs_link(struct dentry *old_dentry, struct inode *dir,
        mutex_unlock(&ni->mrec_lock);
 
 out:
-       kfree(uname);
+       kmem_cache_free(ntfs_name_cache, uname);
        return err;
 }
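Review bot: After this change the `out` label is only safe when uname is non-NULL, and nothing at the label records that invariant. Any `goto out` reached before the ntfs_nlstoucs() call, whether already present outside this hunk or added later, would pass NULL to kmem_cache_free(), which the commit message says lacks kfree()'s NULL contract. I would add a comment at the label such as `/* uname was allocated from ntfs_name_cache (NTFS_MAX_NAME_LEN conversion) and is never NULL here */`, or guard the call with `if (uname)`. The code between the two hunks is not visible, so the existing `goto out` sites should be checked against this.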