--- /dev/null
+From 8bc1379b82b8e809eef77a9fedbb75c6c297be19 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sat, 16 Jun 2018 23:41:59 -0400
+Subject: ext4: avoid running out of journal credits when appending to an inline file
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 8bc1379b82b8e809eef77a9fedbb75c6c297be19 upstream.
+
+Use a separate journal transaction if it turns out that we need to
+convert an inline file to use an data block. Otherwise we could end
+up failing due to not having journal credits.
+
+This addresses CVE-2018-10883.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=200071
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+[fengc@google.com: 4.4 backport: adjust context]
+Signed-off-by: Chenbo Feng <fengc@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/ext4.h | 3 ---
+ fs/ext4/inline.c | 38 +-------------------------------------
+ fs/ext4/xattr.c | 18 ++----------------
+ 3 files changed, 3 insertions(+), 56 deletions(-)
+
+--- a/fs/ext4/ext4.h
++++ b/fs/ext4/ext4.h
+@@ -3039,9 +3039,6 @@ extern struct buffer_head *ext4_get_firs
+ extern int ext4_inline_data_fiemap(struct inode *inode,
+ struct fiemap_extent_info *fieinfo,
+ int *has_inline, __u64 start, __u64 len);
+-extern int ext4_try_to_evict_inline_data(handle_t *handle,
+- struct inode *inode,
+- int needed);
+ extern void ext4_inline_data_truncate(struct inode *inode, int *has_inline);
+
+ extern int ext4_convert_inline_data(struct inode *inode);
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -888,11 +888,11 @@ retry_journal:
+ flags |= AOP_FLAG_NOFS;
+
+ if (ret == -ENOSPC) {
++ ext4_journal_stop(handle);
+ ret = ext4_da_convert_inline_data_to_extent(mapping,
+ inode,
+ flags,
+ fsdata);
+- ext4_journal_stop(handle);
+ if (ret == -ENOSPC &&
+ ext4_should_retry_alloc(inode->i_sb, &retries))
+ goto retry_journal;
+@@ -1867,42 +1867,6 @@ out:
+ return (error < 0 ? error : 0);
+ }
+
+-/*
+- * Called during xattr set, and if we can sparse space 'needed',
+- * just create the extent tree evict the data to the outer block.
+- *
+- * We use jbd2 instead of page cache to move data to the 1st block
+- * so that the whole transaction can be committed as a whole and
+- * the data isn't lost because of the delayed page cache write.
+- */
+-int ext4_try_to_evict_inline_data(handle_t *handle,
+- struct inode *inode,
+- int needed)
+-{
+- int error;
+- struct ext4_xattr_entry *entry;
+- struct ext4_inode *raw_inode;
+- struct ext4_iloc iloc;
+-
+- error = ext4_get_inode_loc(inode, &iloc);
+- if (error)
+- return error;
+-
+- raw_inode = ext4_raw_inode(&iloc);
+- entry = (struct ext4_xattr_entry *)((void *)raw_inode +
+- EXT4_I(inode)->i_inline_off);
+- if (EXT4_XATTR_LEN(entry->e_name_len) +
+- EXT4_XATTR_SIZE(le32_to_cpu(entry->e_value_size)) < needed) {
+- error = -ENOSPC;
+- goto out;
+- }
+-
+- error = ext4_convert_inline_data_nolock(handle, inode, &iloc);
+-out:
+- brelse(iloc.bh);
+- return error;
+-}
+-
+ void ext4_inline_data_truncate(struct inode *inode, int *has_inline)
+ {
+ handle_t *handle;
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -1044,22 +1044,8 @@ int ext4_xattr_ibody_inline_set(handle_t
+ if (EXT4_I(inode)->i_extra_isize == 0)
+ return -ENOSPC;
+ error = ext4_xattr_set_entry(i, s, inode);
+- if (error) {
+- if (error == -ENOSPC &&
+- ext4_has_inline_data(inode)) {
+- error = ext4_try_to_evict_inline_data(handle, inode,
+- EXT4_XATTR_LEN(strlen(i->name) +
+- EXT4_XATTR_SIZE(i->value_len)));
+- if (error)
+- return error;
+- error = ext4_xattr_ibody_find(inode, i, is);
+- if (error)
+- return error;
+- error = ext4_xattr_set_entry(i, s, inode);
+- }
+- if (error)
+- return error;
+- }
++ if (error)
++ return error;
+ header = IHDR(inode, ext4_raw_inode(&is->iloc));
+ if (!IS_LAST_ENTRY(s->first)) {
+ header->h_magic = cpu_to_le32(EXT4_XATTR_MAGIC);